JP6151218B2 - Application execution device, method and program - Google Patents

Description

  The present invention relates to an apparatus, a method, and a program for executing an application using an API (Application Programming Interface) and an API hook.

  Digital information can be easily replicated. For this reason, there is a problem that a material sent to the other party by e-mail attachment or the like is sent to a third party without permission, or partially duplicated and distributed as other information. Circulation and information leakage beyond the range intended by the original authors and corporations who have the rights to information can easily occur. Various techniques have been developed to prevent such a situation from occurring.

  As represented by IRM (Information Rights Management) as a means of information distribution control, digital information is encrypted and distributed in a form that cannot be read by those who do not have a key, and the key is passed only to the application of the other party that wants to deliver the information. There is a way to make it open. This method is used as a means for distributing valuable information.

  In this case, the digital information can be opened only for the permitted partner application. However, depending on the creation of the application, for example, it is possible to make a copy of the information that has not been encrypted easily by the user operation in the form of “save the file with a different name”, etc. The meaning of is lost. Since distribution control for the entire general application is difficult in this way, for example, a part of the mechanism of the application as represented by Rights Management Services (hereinafter also referred to as RMS) of Microsoft (registered trademark) in Non-Patent Document 1. As a general rule, an information protection function is incorporated for protection.

  However, not all applications implement the information protection function, and the functions and setting methods differ depending on the application, and thus have difficult aspects.

  As a technique for solving this problem, an information protection technique using an API hook has been devised (see Non-Patent Document 2). API (Application Programming Interface) is a convention that defines the procedure and data format for calling and using functions of a computer program (software) from other external programs. is there. An API hook is a process that intercepts an API call, stops the function that the API should perform, executes a different process, or executes an additional process before or after the original API process when a predetermined condition is met. It is. It is assumed that an application is operated under a general-purpose mechanism that bypasses input / output of a file by using an API hook, and can be read from the application only when the encrypted content is decrypted and read. In addition, when an application tries to write, a method to prevent information leakage by using API hooks to intercept API calls and write them in another place, or do not write with errors. Was devised. In this case, it is important that it can be realized without modifying the application. In other words, since it can be applied to all applications including applications developed by third parties, it is possible to take measures without holes.

  A typical prior art is realized in the form of an API hook for a file input / output API as shown in FIG. There are API hooks, for example, in the form of filtering by drivers, and implementations using virtualization technology. However, in practice, any implementation method can be used in terms of intercepting the functions that the API should perform. It is equivalent even if it exists.

  For example, if the API hook condition is "input / output to a file with a specific path name (or file name)" and this condition is met, a normal API for a file with a specific path name when reading the file For example, a process (API hook process) different from the file input / output using.

On the memory 91, an application 93, an API hook unit 94, and a protection / protection release unit 95 are executed. The API hook means 94 is given an API hook condition Con in advance. In the storage 92, protected data that cannot be read / written by a third party (hereinafter, also referred to as “protected data”) _Denc and normal data (unprotected data that can be read / written by a third party) D Is stored.

For example, when the API hook condition Con is “all write” or “the path name of the file to be read matches a specific path name”, and the API hook condition 94 matches any of the conditions, the API hook means 94 performs API hook processing. Realize by doing. If the path name of the file to be read is other than a specific path name, the API hook means 94 does not perform the API hook process, and the application 93 calls the API and performs the normal read process. When the application 93 calls the API to perform “write” or “the path name of the file to be read matches a specific path name”, the API hook means 94 executes API hook processing to protect / unprotect File processing is performed via the conversion means 95. For example, in the case of writing, the protection / deprotection means 95 encrypts the written data and stores the encrypted data in the storage 92 as protected data _Denc . If “the path name of the file to be read matches the specific path name”, the protection / deprotection means 95 retrieves the file with the specific path name from the storage 92, decrypts it, and decrypts the decrypted data. (Hereinafter also referred to as “deactivation data”). As a result, it is possible to read and write transparently in a state where only a specific file is protected by only the API hook by the API hook means 94 without modifying the application 93.

For example, a state where the path name of the protected data D _enc is fixedly given is set as the initial value of the API hook condition.

  When reading data, the API hook means 94 executes the API hook depending on the path name. Note that after opening the data, API hooks are executed for processing performed via the corresponding file handle.

When data is written, the API hook means 94 executes all API hooks, and the protection / protection release means 95 encrypts the written data and stores it in the storage 92 as protected data _Denc . However, when writing to a file with a path name in the API hook condition “the path name of the file to be read matches a specific path name”, the protection condition of the original file that became the API hook condition is inherited.

For example, there is an encrypted file (protected data D _enc ) called important.txt.enc. When the application 93 is activated with an argument so as to open “important.txt”, “important.txt” is designated as the API hook condition and activated.

  When the application 93 tries to open “important.txt”, the API hook is activated by the API hook means 94, and “important.txt.enc” with “.enc” added is opened and protected. The decryption processing is transparently performed by the conversion / protection canceling means 95 and read into the application 93.

“What can I do with RMS / IRM?” [Online], Microsoft, [Search May 19, 2014], Internet <URL: http: //www.microsoft.com/en-us/business/enterprise /ecc/article/rms1012_3.aspx> “2nd encryption technology transition and the latest trend Transparent encryption mechanism”, [online], IMPRESS BUSINESS MEDIA CORPORATION, an Impress Group company., [May 19, 2014 search], Internet <URL: http: //thinkit.co.jp/story/2010/11/22/1883>

  However, in the information distribution control according to the prior art represented by API hooks, the application hook conditions are fixed. In this method, the writing file is encrypted without omission, but the setting file and irrelevant writing are all encrypted in addition to the data to be originally protected. In order not to encrypt configuration files and irrelevant writes, it is necessary to set exceptions for API hook conditions in detail according to the operation specifications of each application, and a lot of operations are required for investigation and adjustment. To do. In addition, the API hook conditions are complicated, and errors are likely to occur in the settings. If there is an error in the API hook condition setting, there is a risk of information leakage. In addition, by encrypting all the write files, there is a problem that even when a new file completely unrelated to the input data is edited and saved at the same time, it is erroneously encrypted.

  An object of the present invention is to provide an application execution apparatus, method, and program that do not require complicated setting of API hook conditions.

  In order to solve the above problem, according to one aspect of the present invention, an application execution device stores a memory in which data is stored and a taint indicating that the data stored in the memory is data to be protected. Shadow memory, API hook means for executing an API hook when the API hook condition is satisfied, and taint information propagation means for propagating a taint corresponding to the data when processing the data stored in the memory. Including. The API hook condition includes a condition that “the taint is stored in the shadow memory corresponding to the data to be processed”.

In order to solve the above problems, according to another aspect of the present invention, the application execution method should store data in the memory, and the shadow memory should protect the data stored in the memory. It is assumed that a taint indicating data is stored, and an API hook step for executing an API hook when the API hook means satisfies an API hook condition;
The taint information propagation means includes a taint propagation step of propagating a taint corresponding to the data when processing the data stored in the memory. The API hook condition includes a condition that “the taint is stored in the shadow memory corresponding to the data to be processed”.

  According to the present invention, there is an effect that complicated setting of API hook conditions is not required.

The figure for demonstrating the prior art API hook. The functional block diagram of an application execution apparatus. The figure for demonstrating the example of a taint propagation using a memory, a shadow memory, and a taint information propagation means. The figure which shows the example of the processing flow of an API hook. The figure which shows the initial state of a memory, shadow memory, storage, and shadow storage. The figure which shows the state after the read file of memory, shadow memory, storage, and shadow storage is opened. The figure which shows the state after reading the file contents of memory, shadow memory, storage, and shadow storage. The figure which shows the state after the read file of memory, shadow memory, storage, and shadow storage is closed. The figure which shows the state after the write file of memory, shadow memory, storage, and shadow storage is opened. The figure which shows the state after writing the content of the buffer area | region to the write file of memory, shadow memory, storage, and shadow storage. The figure which shows the state after the write file of memory, shadow memory, storage, and shadow storage is closed. The figure for demonstrating the state of the memory, shadow memory, storage, and shadow storage until it opens a protection file and saves the newly created file unrelated to the protection file. The figure for demonstrating the state of the memory at the time of closing the newly created file unrelated to a protection file, shadow memory, storage, and shadow storage. The figure which shows the state after closing the newly created file unrelated to the protection file of memory, shadow memory, storage, and shadow storage. The figure for demonstrating the API hook of socket API. The figure for demonstrating the API hook of shared memory API. FIG. 17A is a diagram showing an example in which a file that appears as one file from the application and the encrypted file correspond to 1: 1, and FIG. 17B shows a portion that appears as one file from the application, which is actually one large container. The figure which shows the example in the case of becoming a data area in a file.

  Hereinafter, embodiments of the present invention will be described. In the drawings used for the following description, constituent parts having the same function and steps for performing the same process are denoted by the same reference numerals, and redundant description is omitted.

<First embodiment>
FIG. 2 shows a functional block diagram of the application execution apparatus 100.

  The application execution apparatus 100 includes a memory 101, an application 103, a shadow memory 111, an API hook unit 104, a taint information propagation unit 113, a socket system 106, a forced disconnection unit 107, a forced error generation unit 108, a storage 102, a shadow storage 112, and a protection / protection release means 105.

  First, an outline of the processing of each unit will be described, and file read / write and the like will be described.

<Memory 101>
Data is temporarily stored in the memory 101. Further, the application program 103, the API hook unit 104, the socket system 106, the forced disconnection unit 107, the forced error generation unit 108, and the protection / protection release unit 105 are read and expanded in the memory 101. The Although not shown in FIG. 2, API execution means for executing the API is read and expanded.

<Shadow memory 111>
The shadow memory 111 stores a taint indicating that the data stored in the memory is data to be protected. Details of the taint will be described later.

<Storage 102>
The storage 102 stores protected data D _enc . The storage 102 may store unprotected data (hereinafter also referred to as “normal data”) D.

<Shadow storage 112>
The shadow storage 112 stores a taint indicating that the data stored in the storage 102 is data to be protected. For example, a taint corresponding to the protected data _Denc stored in the storage 102 is stored in the shadow storage 112.

  In other words, the shadow memory 111 and the shadow storage 112 are used to add marks to arbitrary positions of the corresponding memory 101 and storage 102. This mark is called “Taint”.

  In the simplest implementation, the memory 101 (or storage 102) and the shadow memory 111 (or shadow storage 112) have a size of 1: 1. If the content of the shadow memory 111 (or shadow storage 112) is “0”, there is no taint (hereinafter, the state without taint is also referred to as “taint clear”). It is also called “set”. Note that 1 bit (“0” or “1”) of the shadow memory 111 (or shadow storage 112) may be associated with a predetermined block (for example, a block of data of 1 MB) of the memory 101 (or storage 102). Good. Further, it is assumed that data to be continuously protected is stored in the memory 101 (or storage 102), and the start address and end address of the data to be protected are stored in the shadow memory 111 (or shadow storage 112). It is good also as a structure to be made. In short, by referring to the shadow memory 111 (or shadow storage 112), it is only necessary to know in which storage area in the memory 101 (or storage 102) the data to be protected and the position of the data. The mark indicating is a taint.

<API hook means 104>
The API hook means 104 executes the API hook when the API hook condition is satisfied. However, the API hook condition includes that the taint is stored in the shadow memory 111 corresponding to the data to be processed. The processing flow of the API hook unit 104 will be described later.

<Application 103>
The application 103 is a program that uses (calls) at least an API. In the present embodiment, when the API hook means 104 described above satisfies the API hook condition, the API call is intercepted and the API hook is executed. By combining the API hook unit 104 and the protection / protection release unit 105 described later, it is possible to transparently read and write in a state in which only a specific file is protected without modifying the application 103.

<Taint information propagation means 113>
The taint information propagation unit 113 propagates a taint corresponding to the data when processing the data stored in the memory 101 and the storage 102. For example, the taint information propagation unit 113 sets a taint in an area of the shadow memory 111 corresponding to data stored in an area of the memory 101. Hereinafter, this processing is also simply referred to as “setting a taint to data in the memory 101”. Similarly, the taint information propagation unit 113 sets a taint in an area of the shadow storage 112 corresponding to data stored in an area of the storage 102. Hereinafter, this processing is also simply referred to as “setting a taint to data in the storage 102”. Further, the taint information propagation unit 113 clears the taint in the area of the shadow memory 111 corresponding to the data stored in the area of the memory 101. Hereinafter, this processing is also simply referred to as “clearing the taint of data in the memory 101”. Similarly, the taint information propagation unit 113 clears the taint in the area of the shadow storage 112 corresponding to the data stored in an area of the storage 102. Hereinafter, this processing is also simply referred to as “clearing the taint of data in the storage 102”.

<Socket system 106>
The socket system 106 manages sockets that are virtual interfaces used for communication. “Management” means creation, modification, deletion, and the like.

<Forced cutting means 107>
The forcible disconnecting means 107 satisfies the API hook condition and uses data stored in the memory 101 corresponding to the tain stored in the shadow memory 111 using a socket (hereinafter, such data is set as “ The data stored in the storage 102 corresponding to the taint stored in the shadow storage 112 is also referred to as “data in which the taint is set”). Forcibly disconnect communication by.

<Forced error generation means 108>
The forced error means 108 returns an error as an API execution result when an API hook is executed.

<Protection / protection release means 105>
The protection / protection release means 105 reads / writes protected data that cannot be read / written by a third party when the API hook condition is satisfied, or between the protected data and the released data that has been released from the protected state. The conversion operation is performed.

<Points of this embodiment>
In the present embodiment, when executing the application 103, “shadow memory 111” as another memory corresponding to the original memory 101, “shadow storage 112” as another storage corresponding to the original storage 102, The problem is solved by using the taint information propagation means 113 and the API hook means 104.

In general, shadow memory and shadow storage are used in technical fields such as malware analysis, and are used as a technique for accurately tracking the flow of harmful information brought in from outside (for example, references). 1). This is used, for example, as a means for monitoring a situation in which an infection spreads to a memory or other files via an application when a file accidentally infected with malware is opened by the application. In this embodiment, this technique is used in combination with an API hook.
(Reference 1) JP 2013-232113 A

  When the application 103 operates and changes the contents of the memory 101 and the storage 102, the taint information propagation unit 113 checks the shadow memory 111 and the shadow storage 112 and propagates the corresponding portion of taint. The propagation at this time is to propagate the taint when the contents of a certain memory 101 or storage 102 are transmitted to another memory 101 or storage 102. For example, when an instruction to copy the contents of the address A in the memory 101 to the address B is executed, the taint value at the A address in the shadow memory 111 is copied to the taint value at the B address. On the contrary, when the contents of the address B in the memory 101 are cleared to zero, the taint at the address B in the shadow memory 111 is regarded as propagation from the taint of the instruction word of the application, and is cleared because the application itself is not a protection target.

  With this configuration, taints are set for the shadow memory 111 and the shadow storage 112 corresponding to the protected data that is the data to be protected in the memory 101 and the storage 102, and the other shadow memory 111 and shadow storage are set. Execution of the application 103 is started in a state where the taint 112 is cleared. While the application 103 is being executed, the taint information propagation unit 113 sequentially propagates the taint. When the API hook means 104 executes an API hook, API hook processing is performed in addition to whether or not a taint is included in the data processed by the API. Furthermore, all writing to the storage 102 is protected by hooking, and when the file is closed, if there is a taint in the shadow storage 112 corresponding to the write data in the storage 102, it is protected if there is no taint. By canceling, the protection condition imposed on the input protected data can be imposed on the output protected data.

  Hereinafter, the processing content of this embodiment is demonstrated using figures.

<Processing level at machine language level>
FIG. 3 is a diagram for explaining an example of taint propagation using the memory 101, the shadow memory 111, and the taint information propagation means 113. This is an example at the machine language level.

  The center of FIG. 3 shows the contents of the memory 101 and the right side shows the contents of the shadow memory 111. Although a CPU register also appears here, it is regarded as a kind of the memory 101. As a means for realizing the shadow memory 111, for example, there is a method of taking a memory area different from the original memory 101 or a different register. Here, the relationship between the memory 101 and the shadow memory 111 is as follows. Mem_B vs. shadow memory 111Sh_Mem_B. It is assumed that the immediate value 0 is predetermined by the application 103 and does not correspond to the protected data. Mem_A corresponds to protected data.

First, the application 103 is expanded on the memory 101. Instructions included in the original application 103 are
(1) mov eax, 0
(2) mov eax, [Mem_A]
(3) mov [Mem_B], eax
And The application 103 executes the instructions (1) to (3) and outputs the instructions to the taint information propagation unit 113.

The taint information propagation means 113 receives the commands (1) to (3) and immediately after each command.
(1S) mov [Sh_eax], [Sh_imm0]
(2S) mov [Sh_eax], [Sh_Mem_A]
(3S) mov [Sh_Mem_B], [Sh_eax]
Insert a special instruction for shadow memory operations.

  (1) is an instruction “mov eax, 0”, that is, an instruction to assign an immediate value “0” to the register “eax”. If this instruction is executed with the taint of the immediate value “0” cleared, whether the taint of the register “eax” is cleared or set, the state of taint clear corresponding to the immediate value “0” is overwritten, and the register “ The taint value of the shadow memory 111 corresponding to “eax” is cleared. The operation of the shadow memory 111 is realized by the instruction mov [Sh_eax], [Sh_imm0] of (1S). Note that “Sh_imm0” is a taint value with an immediate value “0” and represents taint clear.

  (2) is an instruction “mov eax, [Mem_A]”, that is, an instruction to substitute the contents of “Mem_A” in the memory 101 into the register “eax” in the memory 101. The value of “Mem_A” in the memory 101 is assigned to the register “eax” in the memory 101, and at the same time, the corresponding taint is assigned by the instruction (2S). That is, the value of “Sh_Mem_A” in the shadow memory 111 is assigned to “Sh_eax” in the shadow memory 111.

  (3) is an instruction “mov [Mem_B], eax”, that is, an instruction to substitute the contents of the register “eax” in the memory 101 for “Mem_B” in the memory 101. The value of the register “eax” in the memory 101 is assigned to “Mem_B” in the memory 101, and at the same time, the corresponding taint is assigned by the instruction (3S). That is, the value of “Sh_eax” in the shadow memory 111 is assigned to “Sh_Mem_B” in the shadow memory 111.

  By executing a series of these instructions, the value of “Mem_A” in the memory 101 is substituted for “Mem_B” in the memory 101, and at the same time, the corresponding taint value is also propagated on the shadow memory 111.

  The embodiment of the taint information propagation means 113 is not limited to this, and a shadow memory 111 having the same size as the memory 101 is secured when the operation of the machine language is virtually realized by using the virtualization technology. There is also a method of operating the shadow memory 111 corresponding to the machine language.

  By performing the taint propagation as described above over the entire application 103, the taint assigned to the input data is propagated at the same time as the input data is output while being processed. Further, it is possible to determine which input the output data corresponds to.

<API hook>
FIG. 4 shows an example of the API hook processing flow.

  The API hook is executed by the API hook means 104 and is executed in parallel with the previous instruction execution and the taint propagation process of the taint information propagation means 113.

  The API hook means 104 determines whether the instruction execution is API execution (S1).

  If the instruction execution is not API execution, for example, based on the method shown in FIG. 3, the application 103 executes the instruction, and the taint information propagation unit 113 executes taint propagation processing (S6).

  The API hook means 104 performs the following processing when the instruction execution is API execution. When the instruction execution is API execution writing (S2), or when a taint is set in the API argument or data to be processed (in other words, “the taint is stored in the shadow memory 111 corresponding to the data to be processed” (S3), the API hook means 104 executes API hook processing, and the taint information propagation means 113 executes taint propagation processing (S5). When API hook processing is unnecessary (in other words, when instruction execution is not API execution writing and no taint is set in the API argument or processing target data (S2, S3)), API execution means (not shown) Executes the called API, and the taint information propagation means 113 executes taint propagation processing (S4).

  In the following, an example of processing for handling a taint at a more macro level will be described on the premise that the processing of the taint information propagation unit 113 and the API hook unit 104 is performed for the memory 101 and the storage 102 in accordance with the execution of the application 103.

<Load file>
5 to 11 show execution examples in the application 103 that reads and writes files.

  FIG. 5 shows an initial state. An application 103 is expanded on the memory 101. This represents a state where a taint is set only in the file “important.txt.enc” in the storage 102. This file is input to the application 103. Although omitted in FIG. 5, when the application 103 does not include data to be protected, the taint corresponding to the application 103 in the shadow memory 111 may be cleared.

  FIG. 6 shows a state in which the application 103 has opened an input file. In this case, the application 103 tries to execute an API “open file”. The application 103 generates a file handle corresponding to the file to be opened. The API hook means 104 determines whether or not a taint is set in a file to be opened when this file is opened (S3). In this example, since the taint is set, the API hook means 104 performs API hook processing (S5). The taint information propagation unit 113 sets the taint on the file handle that is output from the API (S5).

  As a result, the API hook means 104 applies API hook processing to API execution executed thereafter using this file handle (as an API argument) (S3, S5).

  FIG. 7 shows processing for reading the contents of the opened file into the buffer area.

  The application 103 uses a file handle when calling an API to read data from a file on the storage 102. Since a taint is set in this file handle, the API hook means 104 executes API hook processing. (S3, S5). Decryption processing is automatically inserted as API hook processing. The decryption process itself is executed by the protection / protection canceling means 105. The API hook unit 104 generates a buffer area in the memory 101. On the other hand, the taint information propagation unit 113 generates an area corresponding to the buffer area in the shadow memory 111 and clears the taint.

  The protection / protection canceling means 105 decrypts a part of the protected data and stores the decrypted data (hereinafter also referred to as “released data”) in a part of the buffer area in the memory 101. On the other hand, the taint information propagation unit 113 sets a taint in the shadow memory 111 corresponding to a part of the buffer area in the memory 101 (S5).

  Note that the taint information propagation unit 113 generates an area for performing the decoding process in the memory 101, and clears the taint in that area. Furthermore, since the taint is set in the data to be subjected to the decoding process when performing the decoding process, the taint information propagation unit 113 sets the area in the shadow memory 111 corresponding to the area in the memory 101 where the decoding process is performed. Set the taint.

  FIG. 8 shows a state after the read file is closed.

  The application 103 closes the file handle, but the input file remains in the buffer area in the memory 101, and the corresponding area in the shadow memory 111 is also partially set to taint.

<Write file>
FIG. 9 is a diagram showing a state in which a file is newly opened for writing in the state of FIG.

  The application 103 calls an API for creating a new file for writing and creates a file handle. At the time of new creation, nothing is entered in the initial state, so the corresponding taint is cleared, and the corresponding file handle taint is also cleared. Therefore, the taint information propagation unit 113 taint clears the areas in the shadow storage 112 and the shadow memory 111 corresponding to the areas in which the write file in the storage 102 and the file handle in the memory 101 are stored. Since it is writing, API hook processing is executed (S2, S5). The protection / deprotection means 105 encrypts the writing file and stores it in the storage 102 as protected data.

  FIG. 10 shows a state in which data from the buffer area on the memory 101 is written to a write file on the storage 102.

  When writing from API, API hook processing is performed to satisfy all API hook conditions. Therefore, the API hook unit 104 performs API hook processing on the data from the buffer area on the memory 101, and the protection / protection cancellation unit 105 encrypts the write data in the buffer area and stores it as protected data in the storage 102 To store. An encryption process is performed on the memory 101. Note that the write data in the buffer area has a taint set in a part thereof, so that the taint is set in the data to be encrypted, and the taint information propagation means 113 is an area where the encryption process is performed. A taint is set in the shadow memory 111 corresponding to. In addition, since the file handle handles data in which a taint is set, the taint information propagation unit 113 also sets a taint in the file handle. Note that the taint information propagation unit 113 taint sets an area in the shadow storage 112 corresponding to the protected data. In other words, the application 103 writes the data in which the taint is set in the file in the storage 102. At the stage where the data in which the taint is set is written, the application 103 outputs the data with the taint. In addition to setting the taint of the area in the shadow storage 112 corresponding to the file, the taint is set in the shadow storage 112 corresponding to the open file handle.

  FIG. 11 shows a state after the write file is closed.

  For the output file, when the application 103 performs the closing process, the API hook means 104 sets “whether there is a portion in which the taint is set in the file to be closed” as an API hook condition, and sets It is determined that the API hook condition is satisfied when there is no part that is marked. The API hook means 104 determines whether or not there is a part in which the taint is set in the file to be closed. If there is a part that is set, the API hook is not executed and the API hook is not executed. The file is closed as it is by the execution means. Therefore, in this example, since there is a set portion, the API execution means closes the file while encrypting the data. If there is no set portion, the API hook means 104 executes the API hook, intercepts the API, and the protection / protection release means 105 releases the protected data for which no taint is set. Is converted into digitized data and stored in the storage 102. When the amount of data changes during conversion, the taint information propagation unit 113 clears the taint in the corresponding area of the shadow storage 112.

<File read / write when the buffer area is divided into two or more>
The execution example of FIG. 12 is similar to FIGS. 5 to 11, but the buffer area is divided into two. One buffer area is set with a taint as described in the file reading in FIGS. 5 to 7, and the other buffer area is cleared with a taint as described in the file writing in FIG.

  In this case, there is no portion in which the taint is set in the written file.

The execution example of FIG. 13 shows an example of processing by the API hook means 104 when closing a newly created file unrelated to the file in which the taint is set in the state of FIG.
The API hook means 104 determines whether or not there is a portion where the taint is set in the file to be closed. Since there is no portion that is set, the API hook is executed and the API is intercepted. Then, the protection / protection canceling means 105 converts the protection data for which no taint is set into the cancellation data (decryption process) and stores it in the storage 102. FIG. 14 shows final states of the memory 101, the shadow memory 111, the storage 102, and the shadow storage 112. As shown in FIG. 14, the protection / protection release means 105 decrypts and deletes the protected data new.txt.enc.

<When performing network transmission>
In this example, the API hook means 104 uses “trying to transmit data with a taint set” as an API hook condition.

  The execution example of FIG. 15 is an execution example of API hook processing when data read from an input file is about to be transmitted to the network via the socket API.

  Reading to the buffer and taint setting are the same as in FIGS.

  After that, when trying to send the data read into the buffer via the socket API, the API hook means 104 satisfies the API hook condition of “trying to send data with a taint set”. The hook is executed, and the forced disconnection means 107 forcibly disconnects the communication by the socket, and at the same time, the forced error means 108 returns an error as an API execution result.

<When using shared memory>
In this example, the API hook means 104 sets “to try to store (write) the data in which the taint is set in the shared memory” as an API hook condition.

  The execution example of FIG. 16 is an execution example of API hook processing when data read from an input file is to be written to the shared memory via the shared memory API.

  Reading to the buffer and taint setting are the same as in FIGS.

  After that, when trying to write the data read into the buffer via the shared memory API, to satisfy the API hook condition of "Let's store (write) the data with the taint set in the shared memory" The API hook means 104 executes the API hook and makes API processing an error, and at the same time, the forced error means 108 returns an error as an API execution result. With such a configuration, it is possible to prevent data including input file data from being written to the shared memory.

<Processing Example of Protecting / Protecting Canceling Means 105>
The execution example of FIG. 17 is an execution example of the protection / protection release means 105.

  The example of FIG. 17A is an example in which encryption is used as protection, and a file that appears as one file from the application 103 and the encrypted file correspond to 1: 1.

  The example of FIG. 17B is an example in which encryption is used as protection, and the portion that appears as one file from the application 103 is actually a data area in one large container file. In this case, the identification information is fixed identification information indicating that the container file is a file having an internal structure, and the management information is information for specifying the encryption key of the container file, and at which position. This data is composed of (but is not limited to) position information such as which encrypted data is included. Although it appears to the application 103 as an independent file that actually exists, the area in the container file just looks as if it were one file by the processing by the API hook.

<Effect>
With such a configuration, there is an effect that complicated setting of API hook conditions is not required.

  Also, by combining the API hooking means and the protection / deprotection means, it is possible to track the distribution process of digital information (log acquisition) and prevent unintentional secondary distribution without modifying the application 103. Can do. In other words, only the input protected data or the processed data of the written data is finally stored as the protected data, so that it does not depend on the operation difference for each application 103. In addition, only data to be protected can be stored as protected data. In addition, data that should not be protected, such as setting files, can be put in a non-protected state.

<Modification>
As long as at least the memory 101, the shadow memory 111, the API hook means 104, and the taint information propagation means 113 are included, there is an effect that complicated setting of API hook conditions is not required even if other configurations are not provided. . For example, the data stored in the memory 101 does not necessarily need to be stored in the storage 102 and need not be encrypted. For example, data stored in the memory 101 may be transmitted over the network without being stored in the storage 102 and encrypted. In that case, the socket system 106 and the forced disconnection means 107 are required.

  Further, if it is not necessary to return an error as an API execution result, the forced error generating means 108 may not be included.

  Further, in the embodiments of FIGS. 5 to 11 and FIGS. 12 to 14, the API hook condition is set to “all writes”, all write data is protected, and protection is performed when a taint is not set. However, as a modified example, API hook is not used for writing unless data with taint set is written, and API hook is used when data with taint set is first written. It is also possible to consider an embodiment in which all the data to which the taint written before that is not set is protected again and API hooking is performed thereafter. For example, the API hook condition is “to try to write the data in the memory in which taint is set to the storage”, and the API execution means (not shown) from the start of writing until this condition is satisfied (taint Data in the memory 101 is written into the storage 102. On the other hand, when the API hook condition is satisfied, that is, when the data on the memory 101 in which the taint is first set is to be written to the storage, the protection / deprotection means 105 has previously stored the storage 102 All the data written to the file and the data written before the file is closed are converted to protected data, stored in the storage 102, and protected until that time (until the API hook condition is satisfied). Data that has not been deleted is deleted from the storage 102.

<Other variations>
The present invention is not limited to the above-described embodiments and modifications. For example, the various processes described above are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes. In addition, it can change suitably in the range which does not deviate from the meaning of this invention.

<Program and recording medium>
In addition, various processing functions in each device described in the above embodiments and modifications may be realized by a computer. In that case, the processing contents of the functions that each device should have are described by a program. Then, by executing this program on a computer, various processing functions in each of the above devices are realized on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Further, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its storage unit. When executing the process, this computer reads the program stored in its own storage unit and executes the process according to the read program. As another embodiment of this program, a computer may read a program directly from a portable recording medium and execute processing according to the program. Further, each time a program is transferred from the server computer to the computer, processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program includes information provided for processing by the electronic computer and equivalent to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In addition, although each device is configured by executing a predetermined program on a computer, at least a part of these processing contents may be realized by hardware.

Claims (8)

Memory for storing data;
A shadow memory storing a taint indicating that the data stored in the memory is data to be protected;
When the API hook condition is satisfied, API hook means for executing the API hook,
Taint information propagation means for propagating a taint corresponding to the data when processing the data stored in the memory,
The API hook condition includes a condition that “a taint is stored in a shadow memory corresponding to data to be processed”,
Application execution device. The application execution device according to claim 1,
A socket system for managing sockets, which are virtual interfaces used for communication;
Forcibly disconnecting means for forcibly disconnecting communication by the socket when attempting to transmit the data stored in the memory corresponding to the taint stored in the shadow memory using the socket ,
Application execution device. The application execution device according to claim 1 or 2,
When the API hook is executed, it further includes a forced error generating means for returning an error as an API execution result.
Application execution device. The application execution device according to any one of claims 1 to 3,
Storage where data is stored;
A shadow storage for storing a taint indicating that the data stored in the storage is data to be protected;
Protection / protection that reads / writes protected data that cannot be read / written by a third party when the API hook condition is satisfied, or performs conversion operation between protected data and released data whose protected state has been released And a release means,
The data stored in the storage corresponding to the taint stored in the shadow storage is stored as protected data;
Application execution device. The application execution device according to claim 4,
When writing data to the storage, the protection / deprotection means converts the data into protected data, stores it in the storage,
Of the protected data stored in the storage at the time of closing the file, the protected / unprotected means releases the protected data for which the taint is not stored in the shadow storage. Converted into data and stored in the storage,
Application execution device. The application execution device according to claim 4,
When writing data on the memory to the storage, unless the taint corresponding to the data is stored in the shadow memory, the data on the memory is written to the storage as it is,
The taint is first stored in the shadow memory, and when the data on the memory is to be written to the storage, the protection / deprotection means has the data written to the storage so far, and All data written before closing the file is converted to protected data and stored in the storage.
Application execution device. It is assumed that data is stored in the memory, and that the taint indicating that the data stored in the memory is data to be protected is stored in the shadow memory,
When the API hook means satisfies the API hook condition, an API hook step for executing the API hook; and
The taint information propagation means includes a taint propagation step of propagating a taint corresponding to the data when processing the data stored in the memory,
The API hook condition includes a condition that “a taint is stored in a shadow memory corresponding to data to be processed”,
Application execution method.   The program for functioning a computer as an application execution apparatus in any one of Claims 1-6.