JP6957311B2 - Information leakage prevention device and information leakage prevention program - Google Patents

Description

The present invention relates to a technique for preventing information leakage from a computer.

Computer behavior may be restricted from a security standpoint. For example, access to external media, networks, or output devices, types of programs that can be executed, locations where files can be written, etc. may be restricted. The criteria for limiting the behavior of this computer are referred to as security policies in the present specification, and the state of the computer to which the security policy is applied is referred to as security mode.
Normally, only one type of security policy is applied on the computer in use, and when applying a different security policy, it is common to end the state of use and log on again.

JP-A-2007-286905 Japanese Unexamined Patent Publication No. 2005-166051 Japanese Unexamined Patent Publication No. 2011-39953 Japanese Unexamined Patent Publication No. 2010-97550 Japanese Unexamined Patent Publication No. 2011-113361

However, if the security policy of the computer can be changed flexibly and immediately according to the usage situation of the user without logging on to the computer again in this way, it is highly convenient and more preferable from the viewpoint of security.
For example, it would be very useful if the security policy of a computer could be changed to various contents according to the situation when a user accesses a specific file, network, or file server.

Therefore, the present inventor has studied diligently, and when a specific type of application program interface (API) is called, the call processing is intercepted and the operation of the computer is controlled based on the security policy according to the situation. , Succeeded in making it possible to change the security mode of a computer flexibly and instantly.

As a technique for utilizing such API call processing interception, Patent Document 1 discloses that file access from an application is intercepted to prevent a user from unintentionally transferring a file. .. Further, Patent Document 2 discloses that an API hook is used to prevent unauthorized access of a process in a computer system.
However, neither of these documents describes changing the security mode of a computer to various contents depending on the situation by intercepting the API call processing.

Further, the present inventor has a technique (Patent Document 3) of temporarily restricting access to peripheral devices and the like to make a computer a pseudo thin client by using an API hook, and an API. By detecting whether or not the file to be processed by is infected with a virus, it is determined whether or not the file name contains a specific character string, which is a technique for preventing the spread of the virus (Patent Document 4). As a result, a technique (Patent Document 5) that enables the file to be encrypted or decrypted has already been developed.
However, none of these made it possible to change the security mode of the computer to various contents depending on the situation.

Furthermore, the present inventor has come up with the idea that the computer can be used more safely and conveniently by applying a different security policy to each application program while the user is using the computer.
Specifically, if the browser can connect to the Internet but other programs cannot connect to the Internet, for example, even if the virus software is hidden and running, the information can be taken out via the Internet using the virus software. This can be prevented, and the Internet can be browsed by a browser.

Therefore, the present inventor has made further diligent research and succeeded in developing an information leakage prevention device that can simultaneously apply a plurality of different security policies for each application on one computer.
No prior literature has been found that describes such an information leakage prevention device.

The present invention is based on the above circumstances, and is an information leakage prevention device and information that can change the security mode of a computer to various contents according to the situation without restarting or logging on to the computer. The purpose is to provide a leak prevention program.
Another object of the present invention is to provide an information leakage prevention device and an information leakage prevention program that can simultaneously apply a plurality of different security policies for each application on one computer.

In order to achieve the above object, the information leakage prevention device of the present invention is an information leakage prevention device that prevents information leakage by changing the security mode, and stores the mode corresponding to each condition for switching the mode. When a specific type of application program interface call processing is performed from the switching condition storage unit, the setting mode storage unit that stores the mode to be set by switching the mode, and the application program, the call processing is intercepted and the switching is performed. When there is a condition that matches the content to be executed by the application program with reference to the switching condition of the condition storage unit, the interception processing unit that acquires the mode corresponding to the condition and the mode from the interception processing unit. When a predetermined application program interface of the same or different from the specific type is called from the application program, the interception processing unit includes a mode switching unit that acquires and sets the setting mode storage unit. By intercepting the call process, referring to the setting mode storage unit, and permitting or prohibiting the process by the application program interface according to the mode content corresponding to the mode, the operation inside the information leakage prevention device is performed. And / or the operation of the information leakage prevention device to the outside is controlled.

Further, the information leakage prevention device of the present invention is provided with two or more API hooks as the interception processing unit for each application program, and two or more separate security storage units corresponding to the API hooks. , The security content is stored in the security storage unit, the API hooks used for the application program are set, and all the API hooks are sequentially executed and used for the application program. It is also possible that only the API hook to be used acquires the security content from the corresponding security storage unit, and the API hook allows or prohibits processing by the application program interface according to the security content. preferable.

Further, the information leakage prevention device of the present invention is provided with the DLL injection as the interception processing unit for each application program, and two or more separate security storage units are provided, and the security storage unit is provided with security. The contents are stored, the security to be used for the application program is set, the DLL injection is executed, the contents of the security corresponding to the application program are acquired from the security storage unit, and the said It is also preferable that the DLL injection allows or prohibits processing by the application program interface according to the content of the security.

Further, the information leakage prevention program of the present invention is an information leakage prevention program for preventing information leakage from a computer by changing the security mode, and stores the mode corresponding to each condition for switching the mode. When a specific type of application program interface is called from an application program on a computer equipped with a switching condition storage unit and a setting mode storage unit that stores a mode to be set by switching modes, the call processing is performed. If there is a condition that matches the content to be executed by the application program by intercepting and referring to the switching condition of the switching condition storage unit, the mode corresponding to the condition is acquired and the setting mode storage unit is made to acquire the mode. When the application program performs a call process of a predetermined application program interface that is the same as or different from the specific type, the call process is intercepted and the setting mode storage unit is referred to to perform a mode corresponding to the mode. By permitting or prohibiting processing by the application program interface according to the content, the operation of the information leakage prevention device is controlled and / or the operation of the information leakage prevention device is controlled to the outside. be.

Further, the information leakage prevention device program of the present invention is provided with two or more API hooks for each application program, and two or more separate security storage units corresponding to the API hooks for storing the contents of security. Further, the computer in which the API hook used for the application program is set is made to execute all the API hooks in sequence, and only the API hook used for the application program is provided. It is also preferable that the security content is acquired from the corresponding security storage unit, and the API hook allows or prohibits processing by the application program interface according to the security content.

Further, the information leakage prevention device program of the present invention is provided with DLL injection for each of the application programs, and is further provided with two or more separate security storage units for storing the contents of security, and for the application program. The computer in which the security to be used is set is made to execute the DLL injection to acquire the security content corresponding to the application program from the security storage unit, and the DLL injection is used to obtain the security content. Therefore, it is also preferable to configure the configuration to allow or prohibit the processing by the application program interface.

According to the present invention, it is possible to change the security mode of a computer to various contents according to a situation without restarting or logging on to the computer.
It is also possible to apply a plurality of different security policies to each application at the same time on one computer.

It is a block diagram which shows the structure of the information leakage prevention apparatus of 1st Embodiment of this invention. It is a figure which shows the structure of the data used in the information leakage prevention apparatus of the 1st Embodiment of this invention. It is a flowchart which shows the processing procedure (mode switching) of the information leakage prevention apparatus of 1st Embodiment of this invention. It is a flowchart which shows the processing procedure (execution of a setting mode) of the information leakage prevention apparatus of 1st Embodiment of this invention. It is a block diagram which shows the structure of the information leakage prevention apparatus of the 2nd Embodiment of this invention. It is a figure which shows the structure of the data used in the information leakage prevention apparatus of the 2nd Embodiment of this invention. It is a flowchart which shows the processing procedure (security setting switching (1) for every execution program) of the information leakage prevention apparatus of the 2nd Embodiment of this invention. It is a flowchart which shows the processing procedure (security setting switching (2) for each execution program) of the information leakage prevention apparatus of the 2nd Embodiment of this invention. It is a block diagram which shows the structure of the information leakage prevention apparatus of the 3rd Embodiment of this invention. It is a figure which shows the structure of the data used in the information leakage prevention apparatus of the 3rd Embodiment of this invention. It is a flowchart which shows the processing procedure (security setting switching (3) for each execution program) of the information leakage prevention apparatus of the 3rd Embodiment of this invention. It is a flowchart which shows the processing procedure (security setting switching (4) for every execution program) of the information leakage prevention apparatus of the 3rd Embodiment of this invention.

Hereinafter, a preferred embodiment of the information leakage prevention device and the information leakage prevention program of the present invention will be described with reference to the drawings.

[First Embodiment]
First, the first embodiment of the present invention will be described with reference to FIGS. 1 to 4. FIG. 1 is a block diagram showing the configuration of the information leakage prevention device of the present embodiment, and FIG. 2 is a diagram showing the configuration of data used in the information leakage prevention device of the present embodiment. Further, FIG. 3 is a flowchart showing a processing procedure (mode switching) of the information leakage prevention device of the present embodiment, and FIG. 4 shows a processing procedure (execution of the setting mode) of the information leakage prevention device of the present embodiment. It is a flowchart.

The information leakage prevention device 1 of the present embodiment is a computer (information processing device) such as a personal computer or a tablet used by a user. The information leakage prevention device 1 also includes a device having the same function as a computer such as a smartphone. The specific use of the information leakage prevention device 1 is not particularly limited, but the information leakage prevention device 1 can be suitably used in a company, a school, or the like.

The information leakage prevention device 1 includes a memory area 10 used by the execution program 11, a mode switching unit 20, and a shared memory 30 for storing various data used in the information leakage prevention device 1.
Further, the information leakage prevention device 1 includes an application program interface (API) 40, an environment for executing the API 40 and the execution program 11, for example, an operating system (OS) 50, a storage device driver 60, a printer driver 70, and a network driver. It has 80. In the information leakage prevention device 1, the driver may be configured to include not only these drivers but also various other drivers. Further, the driver may be configured to be provided inside the OS 50.

The execution program 11 is an application program (AP), and its type and function are not particularly limited. For example, various application programs such as a browser program, a word processor program, an e-mail program, a spreadsheet program, and a drawing program can be used as the execution program 11.

Further, the interception processing unit 12 is provided by being read into the memory area 10 used by the execution program 11. The interception processing unit 12 can be configured by, for example, an API hook (DLL) or a DLL injection.
When the API hook is used as the interception processing unit 12, it is read and provided in the memory area 10 together with the execution program 11 when the OS is started.

Further, when the DLL injection is used as the interception processing unit 12, it is read into the memory area 10 and provided when the execution program 11 is started.
When the execution program 11 calls the API 40, the interception processing unit 12 can execute various operations based on the setting mode stored in the shared memory 30 instead of the API 40. In addition, the execution of API40 can be permitted or prohibited.

The interception processing unit 12 is provided with a switching detection unit 12-1 and a mode execution unit 12-2.
The switching detection unit 12-1 determines whether or not the processing content called by the execution program 11 matches the switching condition stored in the shared memory 30. Then, if they match, the switching mode corresponding to the switching condition is output to the mode switching unit 20.
The mode execution unit 12-2 executes an operation based on the setting mode stored in the shared memory 30.

When the switching mode is input from the switching detection unit 12-1, the mode switching unit 20 stores this switching mode in the shared memory 30 as a setting mode.
Further, the mode switching unit 20 performs specific switching based on input of mode switching instruction information input by the user, information indicating that a specific application program is started, or information indicating that the user authentication has been successful. The mode can also be stored in the shared memory 30 as a setting mode.

The shared memory 30 includes a switching condition storage unit 31, a setting mode storage unit 32, and a mode content storage unit 33.
As shown in FIG. 2, the switching condition storage unit 31 stores the switching mode for each switching condition. For example, memorize switching to mode (1) when "access to confidential file A" is performed, switching to mode (2) when "access to network B" is performed, and the like. do.
It is also possible to have the mode switching unit 20 set the data in the switching condition storage unit 31.

The setting mode storage unit 32 stores the mode set in the information leakage prevention device 1. For example, the mode (1) is stored as the setting mode.
As shown in FIG. 2, the mode content storage unit 33 stores the mode content for each mode. For example, as mode (1), "write to hard disk (HD): not possible, access to the Internet: not possible, print: not possible, etc.", and as mode (2), "write to hard disk (HD): not possible, to the Internet". Access: Yes, Print: Yes, etc. "

Here, the reason why the information leakage prevention device 1 of the present embodiment includes the switching condition storage unit 31, the setting mode storage unit 32, and the mode content storage unit 33 as the shared memory 30 is as follows.
That is, in general, in a normal personal computer, more than several tens of execution programs 11 are operating. Further, in a computer such as a server, there are cases where more than several hundred execution programs 11 are operating. Then, each of the above storage units is used by the interception processing unit 12 corresponding to all of these execution programs 11. Therefore, if these storage units are provided for each of the interception processing units 12, it is necessary to provide each of the number of execution programs 11. Further, when it is attempted to change the contents of these storage units, it is necessary to change all the storage units, so that there is a concern that it may take time to change the settings.

Therefore, in the present embodiment, the switching condition storage unit 31, the setting mode storage unit 32, and the mode content storage unit 33 are provided as the shared memory 30. In addition, this also has the effect of saving storage capacity.
Further, the shared memory 30 is preferably configured in a high-speed accessible storage area such as a semiconductor memory. On the other hand, when the execution speed of the program is not emphasized, the shared memory 30 can be realized as a storage device that can be shared by all programs such as a hard disk.

The API (application program interface) 40 is an API to be called by the execution program 11. That is, the API 40 is an API that should be originally called by the execution program 11, but the interception processing unit 12 intercepts the processing, and the execution of the API processing is permitted or prohibited according to the contents of the setting mode, for example. Or

The type of the API 40 is not particularly limited, and may be, for example, an access to a specific file, an access to a specific network, an access to a specific file server, or the like. It can also write to a hard disk drive, write to a desktop, launch a specific application, process access to a specific device, access a specific output device, and so on.

The operating system 50 controls the storage device driver 60, the printer driver 70, the network driver 80, and the like according to the instructions from the API 40, and writes to the storage device 2 and outputs to the printer 3, respectively. Or, the access process to the network device 4 is executed.
The operating system 50 is not particularly limited, and various OSs such as WINDOWS (registered trademark), macOS (registered trademark), Linux (registered trademark), ORACLE (registered trademark), and FREEBSD (registered trademark) can be used. ..

Next, a processing procedure for mode switching by the information leakage prevention device 1 of the present embodiment will be described with reference to FIG.
First, the execution program 11 performs a call process for a specific type of API (step 10). For example, the execution program 11 calls the corresponding API in order to perform the process of "opening the confidential file A".

The interception processing unit 12 intercepts the API call processing (step 11).
Further, the interception processing unit 12 refers to the switching condition storage unit 31 by the switching detection unit 12-1 (step 12), and determines whether or not the processing attempted by the execution program 11 matches the switching condition. (Step 13).

Here, the switching detection unit 12-1 determines whether or not the file that the execution program 11 tried to open corresponds to "confidential file A", for example, the file name, the file extension, and the file are saved. It can be performed based on the location (address of a directory, server, etc.), the medium in which the file is stored (USB memory, SD card, etc.), the contents of the file, and the like.

When the process attempted by the execution program 11 is "open confidential file A", the condition exists in the switching condition storage unit 31 (Yes in step 13), and the switching detection unit 12-1 corresponds to this. The switching mode (in this case, mode (1)) to be switched is acquired from the switching condition storage unit 31 and output to the mode switching unit 20.
Then, the mode switching unit 20 sets (changes) the security mode in the information leakage prevention device 1 by storing the input switching mode in the setting mode storage unit 32 (step 14).

Next, a processing procedure for executing the setting mode by the information leakage prevention device 1 of the present embodiment will be described with reference to FIG.
First, the execution program 11 performs a call process for a specific type of API (step 20). Then, the interception processing unit 12 intercepts the API call processing (step 21).
At this time, the specific type of API may include the same API as the one to be determined for the mode switching condition, or a different API may be the target of interception. Here, it is assumed that the execution program 11 calls the API that "writes to the hard disk".

Next, the interception processing unit 12 acquires the setting mode from the setting mode storage unit 32 by the mode execution unit 12-2. Further, the mode content corresponding to the setting mode acquired by the mode execution unit 12-2 is acquired from the mode content storage unit 33, and control is executed according to the mode content (step 23).

For example, the mode execution unit 12-2 acquires the "mode (1)" from the setting mode storage unit 32, and acquires the corresponding mode content from the mode content storage unit 33. In the example of FIG. 2, a security policy of "write to hard disk: not possible" is set in the mode content corresponding to the mode (1).
Therefore, the interception processing unit 12 returns the information indicating that the processing is not permitted to the execution program 11 without calling the API 40. As a result, it is controlled so that "writing to the hard disk" by the execution program 11 is not performed.

Further, for example, it is assumed that the execution program 11 calls the API for "accessing the Internet" and the "mode (2)" is set in the setting mode storage unit 32.
In this case, the mode execution unit 12-2 acquires the "mode (2)" from the setting mode storage unit 32 and the corresponding mode content from the mode content storage unit 33. In the example of FIG. 2, a security policy of "access to the Internet: possible" is set in the mode content corresponding to the mode (2).
Therefore, the interception processing unit 12 calls the API 40 and permits its execution. As a result, the execution program 11 is controlled to perform "access to the Internet".

As described above, according to the information leakage prevention device 1 of the present embodiment, the mode switching unit 20, the switching condition storage unit 31, the setting mode storage unit 32, and the mode content storage unit 33 are provided, and various application programs are provided. By providing the interception processing unit 12 in the memory area 10 to be used, it is possible to change the security mode of the information leakage prevention device 1 to various contents according to the situation without restarting or logging on. ing.

[Second Embodiment]
Next, the second embodiment of the present invention will be described with reference to FIGS. 5 to 8. FIG. 5 is a block diagram showing the configuration of the information leakage prevention device of the present embodiment, and FIG. 6 is a diagram showing the configuration of data used in the information leakage prevention device of the present embodiment. Further, FIG. 7 is a flowchart showing a processing procedure of the information leakage prevention device of the present embodiment (security setting switching (1) for each execution program), and FIG. 8 is a processing procedure of the information leakage prevention device of the present embodiment. It is a flowchart which shows (security setting switching (2) for every execution program).

The information leakage prevention device 1-2 of the present embodiment has a configuration in which a different security policy can be applied to each application program in addition to the configuration of the information leakage prevention device 1 of the first embodiment. Different from the embodiment. Other points may be the same as in the first embodiment.

Further, the information leakage prevention device 1-2 of the present embodiment can be used in the switching detection unit 12-1, the mode execution unit 12-2, the mode switching unit 20, the switching condition storage unit 31, and the setting mode storage unit 32 in the first embodiment. , And the mode content storage unit 33 may not be provided. The same applies to the third embodiment described later.

The information leakage prevention device 1-2 of the present embodiment displays the memory area 10a used by the execution program 11a, the memory area 10b used by the execution program 11b, and various data used in the information leakage prevention device 1-2. It is provided with a shared memory 30-2 for storing (not shown in FIG. 5 and only the internal storage portion is shown).

The memory area 10a used by the execution program 11a and the memory area 10b used by the execution program 11b are provided with an API hook (DLL) 121 and an API hook (DLL) 122 as interception processing units. Is executed sequentially.
Further, each memory area used by the execution program may be provided with more API hooks so that they can be executed sequentially.
Further, the information leakage prevention device 1-2 of the present embodiment may include a memory area used by a larger number of execution programs.

Further, the shared memory 30-2 is provided with a use interception processing storage unit 34, a security 1 storage unit 35, and a security 2 storage unit 36.
The use interception process storage unit 34 stores the interception process (API hook) to be used for each execution program. For example, it is stored that the API hook 121 is used for the execution program 11a (browser) and the API hook 122 is used for the execution program 11b (word processor, etc.).
By changing the information of the interception process to be used stored in the use interception process storage unit 34, the security policy applied to each execution program can be changed.

The security 1 storage unit 35 and the security 2 storage unit 36 store the security contents for each security policy, and are accessed by the API hook 121 and the API hook 122, respectively.
For example, the security 1 storage unit 35 can store a security policy such as "write to hard disk (HD): not possible, access to the Internet: possible, etc." as security 1. Further, the security 2 storage unit 36 can store a security policy such as "write to hard disk (HD): possible, access to the Internet: not possible, etc." as security 2.

Further, in the security 1 storage unit 35 and the security 2 storage unit 36, "write to the hard disk (HD) after encrypting the file: possible" and "read from the hard disk (HD) after decrypting the file: possible: It is also possible to store a security policy such as "OK". Further, in these security policies, instead of the hard disk, writing to a memory area or another storage device such as a USB memory can be performed.
In this case, in the memory area used by the execution program, an encryption processing unit and a decryption processing unit are further provided as the interception processing unit, and these are executed by the API hook 121 or the API hook 122. , API hook 121 and API hook 122 can be used to perform file encryption processing and decryption processing. It is also possible to apply the configuration to the DLL injection in the third embodiment.

The API hook 121 intercepts the call processing of a specific type of API 40 by the execution program 11a. The API hook 121 can acquire information about the API hook used for the execution program 11a from the use interception processing storage unit 34. The API hook 121 can acquire information about the API hook to be used when the API hook 121 is read into the memory. It can also be performed at the timing called from the execution program 11a. This also applies to the following.
For example, in the use interception processing storage unit 34, when the API hook 121 is associated with the execution program 11a and stored, the content of the security 1 stored in the security 1 storage unit 35 corresponding to the API hook 121 is used. The operation of the execution program 11a is controlled.

In the example of FIG. 6, "write to hard disk: not possible, access to the Internet: possible" is stored as the content of security 1 corresponding to the API hook 121. Therefore, when the execution program 11a calls the API for writing to the hard disk, the API hook 121 returns the information indicating that the execution program 11a is not allowed to call the API without calling the API 40. .. Thereby, the operation of the execution program 11a can be controlled.

Next, the API hook 121 causes the API hook 122 to be executed.
The API hook 122 can acquire information about the API hook used for the execution program 11a from the use interception processing storage unit 34. It should be noted that the API hook 122 can acquire information about the API hook to be used when the API hook 122 is read into the memory. It can also be performed at the timing called from the execution program 11a. This also applies to the following.
In the case of FIG. 6, as described above, since the API hook 121 is associated with and stored in the execution program 11a in the use interception processing storage unit 34, the API hook 122 ends the processing without doing anything as it is.

On the other hand, in the memory area 10b used by the execution program 11b, the API hook 121 intercepts the call processing of the specific type API 40 by the execution program 11b. The API hook 121 can acquire information about the API used for the execution program 11b from the use interception processing storage unit 34.
In the example of FIG. 6, in the use interception processing storage unit 34, since the API hook 122 is associated with the execution program 11b and stored, the API hook 121 ends the processing without doing anything as it is, and the API hook 122 To execute.

The API hook 122 can acquire information about the API used for the execution program 11b from the use interception processing storage unit 34. In this case, since the API hook 122 is associated with the execution program 11b and stored in the use interception processing storage unit 34, the content of the security 2 stored in the security 2 storage unit 36 corresponding to the API hook 122 is included. Therefore, the operation of the execution program 11b is controlled.

In the example of FIG. 6, as the security content corresponding to the API hook 122, "write to hard disk: possible, access to the Internet: not possible" is stored. Therefore, when the execution program 11b calls the API for writing to the hard disk, the API hook 122 can call the API 40 and permit the execution. Thereby, the operation of the execution program 11b can be controlled.

In the present embodiment, which of the API hook 121 and the API hook 122 is used for each execution program is controlled at the timing when each DLL is called (at the time of initialization), based on the information of the use interception processing storage unit 34. You can make a judgment.
Further, instead of the information of the use interception processing storage unit 34, the API hook 121 and the API hook for each executable program are based on, for example, the storage location of the file to be executed, the file name, and the information embedded in the executable file. It is also possible to configure the configuration to determine which of 122 is used for control.
Further, if the executable program corresponds to the child process of the executable program already controlled by API hook 121 or API hook 122, it is possible to have the same API hook selected as the parent process. ..

Next, the security setting switching (1) processing procedure for each execution program by the information leakage prevention device 1-2 of the present embodiment will be described with reference to FIG. 7. Here, it is assumed that the execution program 11a is a browser program (browser).

First, the browser performs a call process for a specific type of API, for example, "access to the Internet" (step 30). Then, the API hook 121 intercepts the API call process (step 31).

The API hook used in the browser is the API hook 121 as stored in the use interception processing storage unit 34.
Therefore, the API hook 121 controls the operation of the execution program 11a according to the contents of the security 1 stored in the corresponding security 1 storage unit 35 (step 32).

At this time, since the API is "access to the Internet" and the security 1 storage unit 35 stores "access to the Internet: possible" as the content of the security 1, the API hook 121 calls the API 40. , Allow its operation.

Next, the API hook 121 causes the API hook 122 to be executed (step 33).
Since the API hook used for the browser is the API hook 121, the API hook 122 ends the operation without doing anything as it is.

On the other hand, it is assumed that the browser calls the API for "writing to the hard disk" (step 30). The API hook 121 intercepts the API call process (step 31).

Since the API hook used for the browser is the API hook 121, the API hook 121 controls the operation of the execution program 11a according to the contents of the security 1 stored in the corresponding security 1 storage unit 35 (step 32). ).

At this time, since the API is "write to the hard disk" and the security 1 storage unit 35 stores "write to the hard disk: not possible" as the content of the security 1, the API hook 121 calls the API 40. The information indicating that the processing cannot be permitted to the execution program 11a is returned.

Next, the API hook 121 causes the API hook 122 to be executed (step 33).
Since the API hook used for the browser is the API hook 121, the API hook 122 ends the process without doing anything as it is.

Next, the security setting switching (2) processing procedure for each execution program by the information leakage prevention device 1-2 of the present embodiment will be described with reference to FIG. Here, it is assumed that the execution program 11b is an application program other than the browser, for example, a word processor program (word processor).

First, the word processor performs a call process for accessing a specific type of API, for example, the Internet (step 40). Then, the API hook 121 intercepts the API call process (step 41).

The API hook used in the word processor is the API hook 122 as stored in the use interception processing storage unit 34.
Therefore, the API hook 121 causes the API hook 122 to be executed without performing any processing (step 42).

Since the API hook used for the word processor is the API hook 122, the API hook 122 controls the operation of the execution program 11b according to the contents of the security 2 stored in the corresponding security 2 storage unit 36 (step 43). ).

At this time, since the API is "access to the Internet" and the security 2 storage unit 36 stores "access to the Internet: Impossible" as the content of the security 2, the API hook 122 calls the API 40. It returns the information indicating that the processing cannot be permitted to the execution program 11b.

On the other hand, it is assumed that the word processor calls the API for "writing to the hard disk" (step 40). The API hook 121 intercepts the API call process (step 41).

Since the API hook used in the word processor is the API hook 122, the API hook 121 causes the API hook 122 to be executed without performing any processing (step 42).

Since the API hook used for the word processor is the API hook 122, the API hook 122 controls the operation of the execution program 11b according to the contents of the security 2 stored in the corresponding security 2 storage unit 36 (step 43). ).

At this time, since the API is "write to the hard disk" and the security 2 storage unit 36 stores "write to the hard disk: OK" as the content of the security 2, the API hook 122 calls the API 40. , Allow its operation.

Here, the setting of which security policy is applied to each execution program (for example, the setting in the use interception processing storage unit 34) can be made based on various conditions.
For example, apply the contents of security 2 only to executable programs that use executable files in a specific location (directory) (using API hook 122), and apply the contents of security 1 to other executable programs. Can be applied (API hook 121).
Further, the content of security 2 can be applied to a child process started from a specific program.

Further, a program that accesses a specific file can be set to apply the contents of Security 2 as soon as the specific file is accessed. In this case, for example, if a specific file is treated as a file classified as confidential information, the contents of Security 2 can be applied to the opened program as soon as the confidential information file is opened. can.
Here, the contents of security 2 are set so that the information of the opened file cannot be leaked to the outside, such as the file can be opened but cannot be saved, access to the network is prohibited, or printing is prohibited. This makes it possible to flexibly and finely set the content of information leakage prevention.

As described above, according to the information leakage prevention device 1-2 of the present embodiment, the API hooks corresponding to this execution program are used by sequentially executing the API hooks in the memory area used by the execution program. The operation can be controlled according to the information stored in the shared memory.
Therefore, according to the information leakage prevention device of the present embodiment, it is possible to apply a different security policy for each application program.

This allows, for example, the browser to access the Internet, but not to download files, and other programs, such as word processors, allow you to write a manuscript and save it to a file while looking at the browser display. You can apply a security policy that the content cannot be sent over the net. By doing so, it is possible to obtain an excellent effect that the edited word processor file can be safely connected to the Internet and at the same time, the risk of accidentally leaking the edited word processor file to the Internet can be avoided.

Depending on the OS, there may be a function to directly send and receive data between each program (interprocess communication function, etc.), which is used to send word processor data to the browser, and the word processor data is sent from the browser. It is possible to send. However, since each program also executes these functions using the API, it can be controlled by the API hook 121 and the API hook 122 in the present embodiment.

[Third Embodiment]
Next, the third embodiment of the present invention will be described with reference to FIGS. 9 to 12. FIG. 9 is a block diagram showing the configuration of the information leakage prevention device of the present embodiment, and FIG. 10 is a diagram showing the configuration of data used in the information leakage prevention device of the present embodiment. Further, FIG. 11 is a flowchart showing a processing procedure of the information leakage prevention device of the present embodiment (security setting switching (3) for each execution program), and FIG. 12 is a processing procedure of the information leakage prevention device of the present embodiment. It is a flowchart which shows (security setting switching (4) for every execution program).

The information leakage prevention device 1-3 of the present embodiment has a configuration in which a different security policy can be applied to each application program in addition to the configuration of the information leakage prevention device 1 of the first embodiment. Different from the embodiment. Further, the information leakage prevention device 1-3 of the present embodiment is the second embodiment in that it realizes a configuration in which a different security policy can be applied to each application program by using DLL injection instead of the API hook. Different from the form. Other points may be the same as in the first embodiment.

The information leakage prevention device 1-3 of the present embodiment is used in the memory area 10a'used by the execution program 11a', the memory area 10b'used by the execution program 11b', and the information leakage prevention device 1-3. It is provided with a shared memory 30-3 (which is omitted in FIG. 9 and shows only the internal storage portion) for storing various types of data. The information leakage prevention device 1-3 of the present embodiment can also be provided with a memory area used by a larger number of execution programs.

The shared memory 30-3 includes a use security storage unit 37, a security 1 storage unit 35, and a security 2 storage unit 36.
The use security storage unit 37 stores the security to be used for each execution program. For example, it is stored that security 1 is used for the execution program 11a (browser) and security 2 is used for the execution program 11b (word processor, etc.).
By changing the security information to be used stored in the security storage unit 37, the security policy applied to each execution program can be changed.

The security 1 storage unit 35 and the security 2 storage unit 36 store the security contents for each security policy, and are accessed by the DLL injection 13a'or the DLL injection 13b' in the present embodiment.
For example, the security 1 storage unit 35 can store a security policy of "write to hard disk (HD): not possible, access to the Internet: possible, etc." as security 1. Further, the security 2 storage unit 36 can store a security policy of "write to hard disk (HD) not possible, access to the Internet: not possible, etc." as security 2.

As the interception processing unit, the memory area 10a'used by the execution program 11a'is provided with the DLL injection 13a', and the memory area 10b'used by the execution program 11b'is provided with the DLL injection 13b'. ing.

Note that the DLL injection is a mechanism in which the DLL that intercepts the API call is read when the normal execution program is started, and is executed together with the execution program. Therefore, by letting the execution program select which DLL to read when the execution program is started, it is possible to select a specific DLL injection at the start of execution of the execution program.

The DLL injection 13a'interprets the call processing of a specific type of API 40 by the execution program 11a'. The DLL injection 13a'can acquire information about the security used for the execution program 11a' from the usage security storage unit 37. The acquisition of information about the security to be used by the DLL injection 13a'can be performed at the time of reading the DLL injection 13a' into the memory. It can also be performed at the timing called from the execution program 11a'. This also applies to the DLL injection 13b'.
For example, in the usage security storage unit 37, when the security 1 is associated with the execution program 11a'and stored, the execution program 11a'is stored based on the contents of the security 1 stored in the security 1 storage unit 35. Control the operation.

In the example of FIG. 10, as the content of the security 1, "write to the hard disk: not possible, access to the Internet: possible" is stored in the security 1 storage unit 35. Therefore, when the execution program 11a'calls the API for writing to the hard disk, the DLL injection 13a'indicates that the execution program 11a'is not allowed to call the API without calling the API 40. Will be returned. Thereby, the operation of the execution program 11a'can be controlled.

Further, the DLL injection 13b'interprets the call processing of the specific type of API 40 by the execution program 11b'. When the execution program 11b'is stored in association with the security 2 in the used security storage unit 37, the operation of the execution program 11b'is performed based on the contents of the security 2 stored in the security 2 storage unit 36. Control.

In the example of FIG. 10, as the content of the security 2 corresponding to the DLL injection 13b', "write to the hard disk: possible, access to the Internet: not possible" is stored in the security 2 storage unit 36. Therefore, when the execution program 11b'calls the API for writing to the hard disk, the DLL injection 13b'calls the API 40 and permits the execution. Thereby, the operation of the execution program 11b'can be controlled.

Next, the security setting switching (3) processing procedure for each execution program by the information leakage prevention device 1-3 of the present embodiment will be described with reference to FIG. Here, it is assumed that the execution program 11a'is a browser.

First, the browser performs a call process for accessing a specific type of API, for example, the Internet (step 50). Then, the DLL injection 13a'intercepts the calling process of this API (step 51).
The security used by the browser is security 1, as stored in the usage security storage unit 37.
Therefore, the DLL injection 13a'controls the operation of the execution program 11a' according to the contents of the security 1 stored in the security 1 storage unit 35 (step 52).

At this time, the API is "access to the Internet", and the security 1 storage unit 35 stores "access to the Internet: possible" as the content of the security 1, so the DLL injection 13a'calls the API 40. And allow the operation.

On the other hand, it is assumed that the browser calls the API for writing to the hard disk (step 50). The DLL injection 13a'interprets the API call process (step 51).
Since the security used for the browser is security 1, the DLL injection 13a'controls the operation of the execution program 11a' according to the contents of the security 1 stored in the security 1 storage unit 35 (step 52). ..

At this time, the API is "write to the hard disk", and the security 1 storage unit 35 stores "write to the hard disk: not possible" as the content of the security 1, so the DLL injection 13a'calls the API 40. Without doing so, the information indicating that the processing cannot be permitted to the execution program 11a'is returned.

Next, the security setting switching (4) processing procedure for each execution program by the information leakage prevention device 1-3 of the present embodiment will be described with reference to FIG. Here, it is assumed that the execution program 11b'is an application program other than the browser, for example, a word processor.

First, the word processor performs a call process for accessing a specific type of API, for example, the Internet (step 60). Then, the DLL injection 13b'intercepts the calling process of this API (step 61).
The security used in the word processor is security 2, as stored in the usage security storage unit 37.
Therefore, the DLL injection 13b'controls the operation of the execution program 11b' according to the contents of the security 2 stored in the security 2 storage unit 36 (step 62).

At this time, the API is "access to the Internet", and the security 2 storage unit 36 stores "access to the Internet: Impossible" as the content of the security 2, so the DLL injection 13b'calls the API 40. Without doing so, the information indicating that the processing cannot be permitted to the execution program 11b'is returned.

On the other hand, it is assumed that the word processor calls the API for writing to the hard disk (step 60). The DLL injection 13b'intercepts the calling process of this API (step 61).
Since the security used in the word processor is security 2, the DLL injection 13b'controls the operation of the execution program 11b' according to the contents of the security 2 stored in the security 2 storage unit 36 (step 62). ..

At this time, the API is "write to the hard disk", and the security 2 storage unit 36 stores "write to the hard disk: OK" as the content of the security 2, so the DLL injection 13b'calls the API 40. And allow the operation.

As described above, according to the information leakage prevention device 1-3 of the present embodiment, the DLL injection is executed in the memory area used by the execution program, and the operation is controlled according to the security policy corresponding to the execution program. It is possible to apply different security policies to each application program.

Further, according to each of the above embodiments, by configuring the interception processing unit in the portion where the application program such as the API hook or the DLL injection calls the API, the application can be applied without modifying the OS or the driver inside the OS. It is possible to control the movement of the program (execution program). Moreover, there is no need to modify the application program.
If a mechanism is used to control the operation of the application program by modifying the inside of the OS or the driver, if a mechanism such as API hook or DLL injection is set by a third party, the application program and the OS There is a risk that the exchange of information between them will be intercepted or tampered with.
Therefore, it is considered preferable from the viewpoint of security to configure the interception processing unit in the portion where the application program calls the API.

Further, in each of the above embodiments, when the encryption processing unit and the decryption processing unit are further provided as the interception processing unit, if these are realized inside the OS or in the driver, between the application program and the OS. Unencrypted data will be exchanged with. On the other hand, according to each of the above embodiments, encryption or decryption can be performed immediately after the API is called by the application program, so that the risk of eavesdropping / interception can be reduced.

Furthermore, from the viewpoint of completely controlling the movement of the application, it is easier to control the movement by intercepting the API directly called by the application rather than completely constructing the mechanism inside the OS. That is, since all calls to the outside of the application are made by the API, it is possible to control the calls to the outside of the application without exception by controlling the movement of the API.

The information leakage prevention device of each of the above embodiments can be realized by using a computer controlled by the information leakage prevention program of the present invention. The CPU of the computer sends a command to each component of the computer based on the information leakage prevention program, and predetermined processing required for the operation of the information leakage prevention device, for example, mode switching processing, setting mode execution processing, execution program. Have each security setting switching process performed. As described above, each process and operation in the information leakage prevention device of the present invention can be realized by specific means in which the program and the computer cooperate.

The program is stored in a recording medium such as ROM or RAM in advance, and the program is read by the computer from the recording medium mounted on the computer and executed. However, the program can also be read by the computer via a communication line, for example.
Further, the recording medium for storing the program can be configured by, for example, a semiconductor memory, a magnetic disk, an optical disk, or any other recording means that can be read by any computer.

As described above, according to the information leakage prevention device and the information leakage prevention program according to the embodiment of the present invention, various security modes of the computer can be set according to the situation without restarting or logging on to the computer. It is possible to change the content.
It is also possible to apply a plurality of different security policies to each application at the same time on one computer.

It goes without saying that the present invention is not limited to the above embodiments, and various modifications can be made within the scope of the present invention.
For example, it is possible to appropriately change the configuration such that each of the first to third embodiments is combined in various ways.

The present invention can be suitably used when, for example, a company, a school, or the like wants to easily suppress information leakage.

1,1-2,1-3 Information leakage prevention device 10,10a, 10b, 10a', 10b' Execution program used memory area 11, 11a, 11b, 11a', 11b' Execution program 12 Pre-emption processing unit 12-1 Switching Detection unit 12-2 Mode execution unit 121,122 API hook (DLL)
13a', 13b' DLL injection 20 Mode switching unit 30 Shared memory 31 Switching condition storage unit 32 Setting mode storage unit 33 Mode content storage unit 34 Use interception processing storage unit 35 Security 1 storage unit 36 Security 2 storage unit 37 Use security storage unit 40 API (what is originally called)
50 Operating system 60 Storage device driver 70 Printer driver 80 Network driver 2 Storage device 3 Printer 4 Network device

Claims (11)

An information leakage prevention device that prevents information leakage by changing the security mode.
A switching condition storage unit that stores the corresponding mode for each condition for switching the mode, and a switching condition storage unit.
A setting mode storage unit that stores the mode to be set by switching the mode,
When a specific type of application program interface call processing is performed from the application program, the call processing is intercepted, the switching condition of the switching condition storage unit is referred to, and the content matches the content to be executed by the application program. If a condition exists, the interception processing unit that acquires the mode corresponding to the condition and
A mode switching unit that acquires the mode from the interception processing unit and sets it in the setting mode storage unit is provided.
When a predetermined application program interface call process of the same or different from the specific type is performed from the application program, the interception processing unit intercepts the call processing, refers to the setting mode storage unit, and switches to the mode. By permitting or prohibiting processing by the application program interface according to the corresponding mode content, the operation inside the information leakage prevention device is controlled and / or the operation outside the information leakage prevention device is controlled. An information leakage prevention device characterized by this. The information leakage prevention device according to claim 1, wherein the interception processing unit is an API hook and / or a DLL injection in various OSs. The information according to claim 1 or 2, wherein the specific type of application program interface provides access to a specific file, access to a specific network, or access to a specific file server. Leakage prevention device. The mode switching unit is set by switching modes based on the mode switching instruction information input by the user, the information indicating that a specific application program is started, or the information indicating that the user authentication has been successful. The information leakage prevention device according to any one of claims 1 to 3, wherein the mode to be input is stored in the setting mode storage unit. Two or more API hooks are provided for each application program as the interception processing unit, and two or more separate security storage units corresponding to the API hooks are provided.
The contents of security are stored in the security storage unit.
The API hook used for the application program is set and
All the API hooks are executed sequentially, and only the API hook used for the application program acquires the security content from the corresponding security storage unit.
The information leakage prevention device according to claim 2 , wherein processing by the application program interface is permitted or prohibited by the API hook according to the security content. The DLL injection is provided as the interception processing unit for each application program, and two or more separate security storage units are provided.
The contents of security are stored in the security storage unit.
The security used for the application program is set
The DLL injection is executed to acquire the security content corresponding to the application program from the security storage unit.
The information leakage prevention device according to claim 2 , wherein processing by the application program interface is permitted or prohibited by the DLL injection according to the content of the security. A claim characterized in that the control of the operation inside the information leakage prevention device is write-protection to a hard disk drive, write-protection to a desktop, and / or startup prohibition of a specific application in the information leakage prevention device. The information leakage prevention device according to any one of 1 to 6. The control of the external operation of the information leakage prevention device prohibits access to a specific network, prohibits access to a specific file server, prohibits access to a specific device, and / or prohibits access to a specific output device. The information leakage prevention device according to any one of claims 1 to 7, wherein the information leakage prevention device is characterized by the above. An information leakage prevention program to prevent information leakage from a computer by changing the security mode.
A computer provided with a switching condition storage unit that stores a mode corresponding to each of the mode switching conditions and a setting mode storage unit that stores a mode to be set by switching the mode.
When a specific type of application program interface call processing is performed from the application program, the call processing is intercepted and the switching condition of the switching condition storage unit is referred to, which matches the content to be executed by the application program. If a condition exists, get the mode corresponding to the condition and
Set in the setting mode storage unit
When a predetermined application program interface call process of the same or different from the specific type is performed from the application program, the call process is intercepted, the setting mode storage unit is referred to, and the mode content corresponding to the mode is followed. by enabling or disabling the processing by the application program interface, control of the operation in the interior of the computer, and / or, information leakage prevention program for executing that causes the control behavior for the outside of the computer. Two or more API hooks are provided for each application program, and two or more separate security storage units corresponding to the API hooks for storing the contents of security are further provided, and the API hooks are used for the application program. To the computer to which the API hook is set
All the API hooks are sequentially executed, and only the API hooks used for the application program are made to acquire the contents of the security from the corresponding security storage unit.
The information leakage prevention program according to claim 9, wherein the API hook allows or prohibits processing by the application program interface according to the content of the security. The computer is provided with DLL injection for each application program, is further provided with two or more separate security storage units for storing security contents, and is set with security used for the application program. ,
The DLL injection is executed to acquire the security content corresponding to the application program from the security storage unit.
The information leakage prevention program according to claim 9 or 10, wherein the DLL injection enables or prohibits processing by the application program interface according to the content of the security.

Images