TW201333748A - Method of managing information processing space, external device, and information processing apparatus - Google Patents

Abstract

A method of managing information processing space includes: an exclusive loader loading step for loading an exclusive loader 123 from PCI 2 to an area of 0 MB to 1MB of a RAM 12 in response to BIOS startup; a management file loading step for setting DPL ''0'' in an area of 1 MB to 100 MB(first region) of the RAM 12 and for loading a management file 125 from the PCI 2 to an area of 1 MB to 100 MB by the exclusive loader 123, the management file 125 being used for monitoring access to an area of 1 MB to 100 MB of OS loaded to an area of 101 MB to 4 GB (second region) of the RAM 12; and an access protection information setting step for setting DPL ''2'' or DPL ''3'' to an area of 101 MB to 4 GB between loading of the management file 125 and loading of OS, so that a secure region is constructed in the first region in the RAM 12 as a main memory in response to the BIOS startup and the secure region is ensured in the main memory by making the access protection information variable and invalidating unauthorized access from the second region.

Description

Information processing space management method, external device and information processing device

The present invention relates to a high-security information processing space management technology for an information processing device built in a computer such as a terminal for processing information and a server.

In recent years, various viruses have invaded or lurked in information processing devices such as servers or terminals (personal computers) connected to networks such as the Internet, thereby causing data theft, theft, tampering, leakage, and attacks. In response to the virus, in order to prevent the invasion of the virus as much as possible, countermeasures such as improvement or development of the software for discovering and removing the virus, and setting of the line restriction (address restriction) are taken. However, it is very difficult to reliably prevent the invasion of viruses if the time delay from the discovery of the new virus to the development of the removal software is considered. In addition, there is also a virus infection during the period when the power is turned on until the information processing device is started. Therefore, it is expected to be able to respond to virus countermeasures that are effective during the period.

Patent Document 1 describes an operating system (OS; Operation System) starting method stored in a hard disk of an information processing device. In more detail, if it is detected that the power of the information processing device is turned on, the basic input/output system (BIOS; Basic Input/Output System) stored in the flash memory is started and the bootable boot device is searched for, and the boot is stored in the universal string. In the USB (Universal Serial Bus) memory boot OS, first, the display means displays the password input screen. Second, make the input screen accept from the input The input of the password of the means. If the password is entered, the input password is linked with the information inherent in the USB memory and converted into a hash value to generate an unlock password for the hard disk to be booted. Moreover, when it is determined that the activated hard disk is in the completed security setting, the unlocking password is used to unlock the locked state of the hard disk, and on the other hand, when the hard disk is determined to be incomplete security setting, the setting is set. The security of the above-mentioned hard disk, the main boot record (MBR; Master Boot Record) of the hard disk that has been unlocked is activated, and the boot loader of the OS is started, thereby starting the OS. Thereby, the security authentication at the time of OS startup can be performed. Further, in Patent Document 1, it is described that in the state in which the locked state of the hard disk is released, the virus can be checked by performing a virus check using the virus check function on the USB memory.

Further, Patent Document 2 describes a method of executing an activation program. In more detail, the execution method of the startup program has a pre-boot processing step for reading the hard disk initial reading request from the personal computer, and reading out the boot sector of the memory medium storing the startup program. Stores a temporary boot sector of any program such as security and executes the arbitrary program. Moreover, after executing any program such as this security, the original startup program is executed to start the OS. Thereby, it is possible to execute an arbitrary program such as security before the OS is started without changing the boot sector of the personal computer or the boot sector of the memory medium ((LBA; Logical Block Address) 0).

Patent Document 3 describes a computer device in which a working system is provided The operating system privileged mode is set, and the user privilege mode is set for the user application, and the virus countermeasure is implemented by the virtual machine (VM; Virtual Machine) and the privileged mode. The computer device further includes a virtual machine monitor (VMM; Virtual Machine Monitor) configured with a virtual machine monitor privileged mode and a protection agent (VM) configured with a protection agent (Protection Agent) privileged mode, and the privilege level is The strength of the access rights is set in the order of virtual machine monitor privileged mode, protected agent privileged mode, operating system privileged mode, and user privileged mode. Therefore, even if a malicious software created by a malicious person and sent to the operating system (malware) accesses the protection agent with the privileged mode as the upper level, the access will not be accepted, thereby preventing the change protection. The content of the agent. Moreover, if a resource in the operating system due to malicious software is detected (System Service Descriptor Table (SSDT), Global Descriptor Table (GDT), Interrupt Descriptor Table (IDT; Interrupt) A change in the Descriptor Table, etc., or a change in the resources of the protection agent, will be reset by causing the system to shut down and reboot.

[Previous Technical Literature] [Patent Literature]

[Patent Document 1] Japanese Patent Laid-Open Publication No. 2007-66123

[Patent Document 2] Japanese Patent Laid-Open Publication No. 2006-236193

[Patent Document 3] Japanese Patent Laid-Open Publication No. 2010-517164

Patent Document 1 is a personal authentication technique in which a password is stolen in order to input a password to a password input screen. Therefore, a hash value is established in association with the inherent information of the USB memory as an unlock. News. Further, Patent Document 1 discloses that a virus can be inspected by performing a virus check using a virus check function stored in a USB memory, but there is no specific description.

On the other hand, in Patent Document 2, even if any program of the temporary boot sector in the hard disk is a virus check program, a virus program having a form such as a rootkit can be started before the program is executed. It is possible to hide itself (virus programs) from any program, so there is a limit to the reliability of virus checking. Further, Patent Document 2 does not describe a specific method for monitoring a virus before starting the OS. Even if you can find a virus that has been lurking since the power was turned on, since the virus check is not performed after restarting (starting the OS), the virus that was invaded during the restart is still unprepared. Further, since Patent Documents 1 and 2 are general aspects of processing on the personal computer side, there is a limit to ensuring high reliability in this respect.

Further, Patent Document 3 is a virtual machine monitor and a protection agent who block invalid access of malicious software invaded from the operating system by using a privilege level having a different setting order. However, in Patent Document 3, only the use of a virtual machine The access prevention of the difference between the device and the privilege level is not described, and the memory map of the computer device memory is not described. Therefore, the configuration including the change of the detectable content is not disclosed. Further, although the patent document 3 is targeted at malicious software of the operating system, other types are mainly lurking in the case of, for example, a BIOS or an MBR before the start of the computer device, for example, a part of the upper part of the operating system may be The startup was changed by the latent malicious software, but there was no disclosure about the countermeasures in this case. In particular, there is no description of the installation method of the virtual machine monitor and the protection agent, and the security of such security itself is not clear. In addition, even if the internal resources are changed, the shutdown and restart can be performed, so that the problem can not be completely improved.

It is an object of the present invention to provide a high security information that is loaded into a local area of a main memory in conjunction with the activation of an information processing apparatus, and which restricts access to the operating system from being high and improperly accesses the local area. Handling space management techniques.

The information processing space management method of the present invention is characterized in that: a dedicated load program loading step is provided, which loads a dedicated load program from an external device to a boot memory area of the main memory in response to activation of the BIOS. a management file loading step of setting a protection privilege on the first area of one of the main memory blocks, and using the dedicated loader program to monitor the loading into the main memory and the first area and Start the second memory area differently a management file for accessing the first area by the OS (Operating System) is loaded from the external device to the first area; and an access protection information setting step is performed from the loading of the management file to the above During the period of loading of the OS, the access protection information whose access authority is lower than the protection privilege is set in the second area.

Moreover, the external device of the present invention is a file loader for the connected information processing device, and is characterized in that it comprises: a dedicated load program: it is loaded into the boot memory of the main memory corresponding to the activation of the BIOS. a management file that sets a protection privilege on a first region of a portion of the main memory and monitors a second region that is loaded into the main memory and different from the first region and the boot memory region. The OS (Operating System) accesses the first area and loads into the first area; and accesses the protection information setting file during the loading from the management file to the loading of the OS Loading, and setting access protection information whose access authority is lower than the protection privilege in the second area.

Moreover, the information processing device of the present invention has a working memory, that is, a main memory, and loads a predetermined file from the connected external device to the main memory, and is characterized in that: a dedicated loader is loaded. And loading the dedicated loader from the external device to the boot memory area of the main memory corresponding to the activation of the BIOS; managing the file loading processing means, which is part of the main memory 1 area sets the protection privilege, and is loaded into the above main memory by the dedicated loader. The management file for accessing the first area by the OS (Operating System) of the first area and the second area of the boot memory area is loaded from the external device to the first area; and the access protection information setting means And the access protection information whose access authority is lower than the protection privilege is set in the second area from the loading of the management file to the loading of the OS.

According to these inventions, if the power of the information processing device is turned on, the BIOS will be activated. Corresponding to the activation of the BIOS, the dedicated loader is loaded from the external device connected to the information processing device to the boot memory area of the main memory. Next, a protection privilege is set for the first region of one of the main memories. Further, when an OS (Operating System) loaded in the second region different from the first region and the boot memory region of the main memory is infected by, for example, a malicious software, the dedicated loader is used. A management file for monitoring whether or not there is access to the first area from the second area is loaded from the external device to the first area. Further, during the period from the loading of the management file to the loading of the OS, access protection information having an access authority lower than the protection privilege is set in the second area. That is, since the present invention loads a dedicated loading program from an external device in response to the activation of the BIOS, the behavior of the malicious software in the BIOS or the MBR that is lurking in the information processing device can be suppressed, and the dedicated loading program is The status of the cleanup is downloaded to the boot memory area. Moreover, since the management file is loaded from the same external device by the dedicated loader for cleaning, the protection privilege is ensured. Proper monitoring of settings and improper access. Therefore, even if the program of the OS that has infected the malicious software invades from the second area to the first area for the purpose of copying for the purpose of copying, etc., it is possible to perform the interception (detection) by accessing the difference of the protection information. To invalidate the improper access.

Further, the information processing space management method of the present invention is characterized in that the dedicated load program loading step updates the dedicated load program to the boot memory area. According to this configuration, even if a malicious software is lurking in the boot memory area, or an address that is useful for interception is described, it is possible to suppress the behavior of the malicious software by overwriting the dedicated load program or the like. .

Further, the information processing space management method of the present invention is characterized in that the loading of the dedicated loader program is forcibly performed on the entire boot memory area of the main memory. According to this configuration, since the dedicated loader is forcibly loaded into the entire area of the boot memory area, the behavior of the latent malicious software can be suppressed.

Further, in the information processing space management method of the present invention, the first area and the boot memory area are set to have the same protection privilege. According to this configuration, a higher protection privilege can also be set for the dedicated loader.

Further, the information processing space management method of the present invention is characterized in that the boot memory area is 0 MB to 1 MB. According to this configuration, the present technology is not limited to a dedicated information processing device, and can be applied to a general-purpose information processing device (a personal computer or a server).

Further, the information processing space management method of the present invention is characterized in that the management file system has a GDT (Global Descriptor Table) in which access protection information of each program in the OS is registered, and includes the following processing, that is, from the above The program in the OS that accesses the first area in the second area refers to the access protection information registered in the GDT, and issues the general protection fault. According to this configuration, a general protection error can be issued by referring to the access protection information of the segment descriptor of the GDT corresponding to the program in the OS being accessed, thereby invalidating the inappropriate access. Chemical.

Further, the information processing space management method according to the present invention is characterized in that the management file includes access to a program in the OS from the second area to the first area, and the above-mentioned general protection error is issued via the IDT ( Interrupt Descriptor Table), and the processing of invalidating the above access by interrupting the processor. According to this configuration, the access of the OS to the first area is uniformly invalidated.

Moreover, the information processing space management method of the present invention is characterized in that the linear address generated in the GDT is converted into a physical address by using a page table entry (PTE; Page Table Entry), and the PTE system is set to The linear address generated in the GDT is added to at least the address value in the second region. According to this configuration, since the physical address is necessarily in the second area by paging, the access to the first area from the second area cannot be performed by itself.

Moreover, the information processing space management method of the present invention is characterized in that: The PTE is configured to access the access level attribute information for each of the programs of the OS, and access the program from the OS of the second area, issue a page fault via the PTE, and use the interrupt processor via the IDT. The above access is invalidated. According to this configuration, the program of the OS accessed from the second area issues a page fault due to a difference from the access level attribute information of the segment descriptor in the PTE corresponding to the program, and the IDT and the interrupt processor are transmitted. Make this access invalid.

Further, the information processing space management method of the present invention is characterized in that the access protection information sets a value of 0 for the first area, and has a value of 2 for the OS, and an application (AP; Application Program) is set to 3. According to this configuration, access to the first area from the OS and the AP is invalidated by the difference in access protection. As a result, the first area can be maintained as a safe area.

Further, the information processing space management method of the present invention is characterized in that after the loading of the OS, a general protection error is issued for accessing the program of the OS from the second area, and the access is invalidated. Invalid access corresponding step. According to this configuration, even after the OS is loaded, even if the program of the OS that infects or lurks the malicious software improperly accesses the first area, the first area is appropriately managed as the security area, and a general protection error is inevitably issued. .

According to the present invention, it can be activated in the main memory by booting with the BIOS. The first area constructs a secure area, and the access protection information is differentiated, and the improper access from the second area is invalidated, and the secure area can be secured in the main memory.

BRIEF DESCRIPTION OF THE DRAWINGS Fig. 1 is a schematic view showing an embodiment of a network communication system to which an external device of the present invention is applied. Fig. 2 is a block diagram showing an example of a hardware configuration of the external device shown in Fig. 1. Fig. 3 is a block diagram showing an example of a functional unit related to power-on and management of a terminal and an external device. 4 is a view showing an example of a memory map of a random access memory (RAM) of a terminal in a real mode at the time of booting of a dedicated loader. Fig. 5 is a view showing an example of a memory map of a RAM of a terminal in a protection mode at the time of booting of a dedicated loader.

The network communication system shown in FIG. 1 is provided with an example of an information processing device including, for example, a personal computer, and an external device 2 such as a Peripheral Component Interconnect (PCI) that can be connected to the terminal 1. And Internet 3 such as the Internet. The terminal 1 is connected to the network 3 via an Internet Service Provider 4 (ISP). The PCI system, which is an example of the external device 2, has a box-shaped casing having a predetermined size, and has an input/output (I/O; Input/Output) for external connection to the terminal 1, and is internally provided as follows. A central processing unit (CPU; Central Processing Unit), a memory extension BIOS, and the like, and a network interface card (NIC; Network Interface) that can communicate with the network 3. Card). In the present embodiment, the terminal 1 has a configuration in which it is directly connected to the network 3, and in the state in which the external device 2 is mounted, the external device 2 is connected to the network 3 via the external device 2 as follows. A plurality of ISPs 4 are arranged on the network 3, and one or a plurality of terminals 1 are connected to each ISP 4 or a web site providing various information is omitted. The external device 2 is provided, for example, as a member having the authority to receive the provision of the specific service through the operation of the terminal 1, and is accepted at the time of registration. The external device 2 records information useful for identifying members and other information in the internal memory unit.

The terminal 1 has a computer, and as shown in FIGS. 3, 4, and 5, has a CPU (Central Processing Unit) 10 as a control means. The CPU 10 is connected to a ROM (Read Only Memory) 11 and a RAM (Random Access Memory) 12. The ROM 11 includes a flash ROM of rewritable material. In the present embodiment, the ROM 11 includes the flash ROM or a complementary metal oxide semiconductor (CMOS), and a BIOS (Basic Input/Output System) is written in the flash ROM 11A. Further, in the present embodiment, the BIOS is also stored in the external device 2 as follows. Therefore, the BIOS of the terminal 1 is referred to as a system BIOS, and the BIOS of the external device 2 is referred to as an extended BIOS. Make a distinction between the two.

Further, as shown in FIG. 3, an operation unit 13 including a keyboard or a mouse having a numeric keypad for inputting a command or information by an operator, and a display unit 14 for displaying an image are connected to the CPU 10. The display unit 14 is used to confirm the input. Display of information or display of communication content. Furthermore, the system BIOS is set in such a manner as to preferentially designate the external device 2 which is a device having an extended BIOS. The RAM 12 has a predetermined memory capacity and, in general, has a memory capacity of 4 GB (B:byte; byte) in the 32-bit state. In the RAM 4 with 4 GB, for example, 1 MB in 16-bit mode (correctly 1 MB + 64 KB, but 1 MB for convenience of explanation) becomes the boot memory in the real mode at startup. Body region 120. Further, in the present embodiment, the predetermined area in which the following management files (management programs, etc.) for managing the OS are developed, the present embodiment is 1 MB to 100 MB, and the remaining area is after the execution is started. The work area when the situation is usually handled. In the present embodiment, 0 MB to 100 MB is set as the first area, and the boot memory area 120 of 0 MB to 1 MB is set as one of the first areas, and 100 MB to 4 GB is set as the first. 2 areas. In addition, as part of other memory, there are hard disks (HD; Hard Disk) 12A and the like that store various other programs or data types of the system BIOS.

Further, in the terminal 1, for example, as shown in Figs. 4 and 5, a wafer group 15 is provided. The chipset 15 is a main component of the motherboard which is omitted from the drawing, and is used to control the CPU or various memories, other hard disks (HD) or the readable optical disc memory (CD-ROM; compact disk read only). Memory) Exchange of data between all parts connected to the motherboard. The details will be described later.

In the network 3, one or a predetermined number of member servers 5 and a plurality of transaction object terminals 6 are connected via the ISP 4. Member server 5 is a member list The memory owns the terminal 1 and even appropriate information related to the member of the disposable operation, such as the member's name, name, email address, address and other member information. The transaction target terminal 6 performs processing of transaction requests from the user terminal, that is, each terminal 1, for example, processing of electronic settlement, memorizing transaction information, and performing information management. In addition to being able to memorize (storage and manage) the member information, the member server 5 can also memorize (storage and manage) the information that can be provided to the terminal 1 as needed, for example, to execute the processing software required for the service provided by the member, For example, a file creation program for creating a required file, or a further large-capacity server can memorize (storage and manage) the transaction content and history information of each terminal 1.

Furthermore, the network communication system of FIG. 1 can take the following aspects as an example. The terminal 1 can be set as a dedicated terminal that can be connected only to a dedicated network, or can be a general-purpose terminal that can be connected to other networks by switching with the Internet. In the case of the HD 12A of the terminal 1, for example, in the case of a general-purpose terminal, the establishment, processing, and memory of information for executing software that uses ordinary documents or graphics are stored, and the information of the software for communication is further utilized. Each processed program file (hereinafter referred to as AP (application program)). Further, in the external device 2, a program file (referred to as a specific AP) for performing processing related to execution of a specific application software is stored as needed. The general AP system can be activated by using the OS read by the OS loading program in the terminal 1. The specific AP can use the loading program in the external device 2 (or the loading program started by the restart program). ) Read the OS and move the author. More specifically, In the terminal 1 of the member, that is, the consumer, the store, and the enterprise, as the specific AP, it is loaded from the external device 2 after the power-on to be related to the sale, the quotation or the payment of the goods or services, and the payment (for so-called commercial transactions). The establishment of each of the documents and the software of the communication, as well as the software for the certification process as required. That is, the terminal 1 can perform settlement in an ordinary commercial transaction by a specific AP, for example, issue, collect, or issue an account of a contractual financial institution that issues a request form from the purchaser side. The payment (ie payment) instructions, the issuance of their receipts, and the ability to send and receive mail to various electronic mails regardless of the electronic settlement. A specific AP can create various files in text form or binary form. This electronic file is transferred between the terminals 1 via the external device 2, for example, relayed (or in parallel) via the member server 5. The terminal 1 of each financial institution is also equipped with a specific AP that performs settlement instruction processing (instructions for settlement processing between financial institutions, etc.) in accordance with the financial settlement written by the terminal 1 of the consumer or the company. An external device 2 that writes intrinsic information is issued for each registered member. In the case of receiving the service, the member inserts the external device 2 into the terminal 1a of the terminal 1, and at least receives the authentication process of the appropriateness of the external device 2, preferably further receives the personal authentication (suitable for the external device 2) The condition of the holder's certification) is conditional.

The member server 5 is provided with a storage unit for managing and storing the file transmission/reception history of each member or its file type. The member server 5 can also have an authentication function. In this case, the authentication function can also be set as follows, that is, browsing The file that is sent between the member server 5 and the terminal 1 is a packet, and the member is authenticated by the member.

Moreover, the network communication system shown in FIG. 1 can consider various other application examples. As an example, it may be applied to, for example, between terminals 1 other than a group organization (including a state, a local government, an association, a guild, etc.) that is an official or quasi-official (including civil) organization that establishes and maintains management secret information. Information communication and management system. As information communication with terminals existing outside the group organization, for example, distribution of documents, transmission of an application, and the like are known. Moreover, the same can be applied to a local area network (LAN) system.

Furthermore, when the file file is sent and received by the packet formed by the transmission control protocol/internet protocol (TCP/IP), the received packet is returned to the original File, or replace the file to be sent as a packet for transmission. In addition, the header of each packet to be transmitted includes the IP address of the entire domain of the sender, that is, the IP address of the entire terminal and the member server, and the IP address of the member server.

The NIC 26 shown in FIG. 2 is equipped with a router that omits the drawing or is connected in series with the router. The router is configured to set address information (routing table or address resolution protocol (ARP)), and the address information is used to identify, for example, each of the signals as a transmission signal or a reception signal. The address information of the transmitting object attached to the predetermined location of the packet is a global IP address according to the rules used by the Internet, or The private network of the domain IP address is different (identified as the form of the global IP address), and the dedicated network IP address (for example, based on Ethernet (registered trademark) or the like (for example) Media Access Control (MAC) address. The packet is compared with the table and sent only to the route with the same address, whereby the transmission path can be switched by software via the Internet or a dedicated network.

In FIG. 2, the external device 2 is provided with a mother board (illustration omitted) in the housing, and various circuit elements and semiconductor elements are mounted on the mother board. The external device 2 is provided with a CPU 20 as a control means. A ROM 21 and a RAM 22 are connected to the CPU 20. Further, the CPU 20 is connected to an extended BIOS storage unit 23 such as a ROM of a memory expansion BIOS mounted on the motherboard, and a direct memory access controller (DMAC), and is also connected to the ROM. There are flash ROM25 and NIC26. The I/O interface 27 is provided in the input/output portion of the external device 2, and is detachable from the terminal 1a of the terminal 1. In the mounted state, communication and power supply can be performed via a predetermined number of lines. Further, although the extended BIOS storage unit 23 and the DMAC 24 are connected to the I/O interface 27, communication with the CPU 20 is possible. The external device 2 is used to perform loading of a management file and monitoring of an OS for monitoring the OS in the activated terminal 1. Moreover, the extended BIOS can also be stored in the flash ROM 25.

As shown in FIG. 3, the ROM 21 is provided with various processing programs to be executed as the external device 2 and various processing programs to be executed as external devices. The processing program storage unit 211 stores at least the member information storage unit 212 for identifying the information of the member, and the reference time storage unit 213 for storing the reference time information for monitoring the presence or absence of the malicious software. The RAM 22 temporarily stores data in the process of processing or transmits data.

The CPU 20 reads out the necessary processing program from the ROM 21 and executes it at the time of startup and operation of the terminal 1. When the CPU 10 turns on the power, it will start the system BIOS, and after performing the required self-diagnosis processing, it will transfer to the processing before the booting, that is, the booting of the available peripherals (POST; Power On Self) Test) The execution of the process. In the POST process, the connected external device can be searched for the presence or absence of a so-called extended BIOS. Moreover, if an external device storing the extended BIOS is found, the extended BIOS of the external device is taken in.

The extended BIOS is read into the terminal 1, and is transferred to the control and then started. The predetermined information is transmitted between the external device and the external device 2. In the present embodiment, the program for taking the following dedicated load program is taken.

DMAC24 refers to a bus master controller (circuit) that is controlled by the CPU 10 and controls the bus between the terminal 1 and the external device 2 to forcibly transmit information. . Here, the operation status of the CPU 20 in the external device 2 from the request of the CPU 10 is monitored, and the DMA transmitter is performed between the two devices based on the monitoring result.

In FIG. 2, the flash ROM 25 stores various kinds of information read into the terminal 1. The dedicated load program storage unit 251 is in the real mode as described below in the RAM 12. In the state, the program loaded by the DMAC 24 and read into the RAM 12, that is, the dedicated loader (R) is stored. The dedicated load program storage unit 252 stores a dedicated load program (P) which is a program which is restored to the real mode and transferred by the DMAC 24 and read into the RAM 12 as described below when the RAM 12 is in the protection mode. At the time of reading the dedicated loader (P), since the interrupt vector table (Interrupt Descriptor Table Register) of the Interrupt Vector Table (Interrupt Descriptor Table Register) becomes the protection mode, When the dedicated loader (P) is expanded without being restored to the real mode, the interrupt vector table in real mode cannot be used. Therefore, the extended BIOS first performs the real mode recovery process in rewriting the scratchpad IDTR to the interrupt vector table for the real mode.

Furthermore, the dedicated loader (R) has a 1 MB amount of information and is expanded in the boot memory area 120. The dedicated loader (P) is a 4 GB piece of information, and is overwritten by the RAM 12 as a whole. The program contents of the load program command part of the dedicated load programs (R) and (P) are common. The contents of other information parts are used to overwrite (reset) the information of the boot memory area 120 and the RAM 12, such as data. "0" and so on. Furthermore, the information content of the dedicated loader (R) can also be made common to the dedicated loader (P).

The management file storage unit 253 is a program that memorizes the following improper actions of the OS (or AP) contaminated with malicious software and invalidates the operation. The system table storage unit 254 memorizes an IDT (Interrupt Descriptor Table), a GDT (Global Descriptor Table), and a task status as resources for managing files. Segment (TSS; Task State Segment), etc. The Initial Program Loader (IPL), which is the OS loader memory unit 255 of the OS loader, is a program for loading the OS from the HD12A to the RAM 12. The system BIOS memory unit 256 is the same program as the system BIOS stored in the flash ROM 11A. The system BIOS stored in the system BIOS memory unit 256 is loaded with the dedicated loader and loaded into the boot memory area 120 due to the possibility that the system BIOS stored in the HD12A is contaminated by malicious software. The specific OS and AP storage unit 257 is a storage program, that is, an OS or the like (including an I/O control driver and a specific AP of each I/O device). Each of the I/O devices is a peripheral device such as the operation unit 13, the display unit 14, and a printer that omits the drawing.

In addition, when the dedicated loader (P) is a file having a size of 1 MB and a logic of clearing 1 MB or more in the dedicated loader (P), and executing a dedicated loader (P), A method of performing a read processing and a clearing process of 1 MB by the CPU 10 of the terminal 1 can also be employed. According to this method, an improvement in performance can be expected compared to a 4 GB transmission.

The NIC 26 performs information processing in a case where communication with another terminal 1 or the like is performed via the network 3, and has a ROM that stores a predetermined processing program for executing the above processing and a RAM that temporarily stores processing contents (all of which are omitted). Further, as described above, the NIC 26 that manages the connection with the network 3 is connected to the public communication line up to the ISP 4 by the router of the drawing, and the communication controller of the network and the network 3 is performed.

The I/O interface 27 has not only a line for transmitting information to and from the external device 2 via the 埠1a, but also a line for supplying power. The terminal 1 has a power supply circuit in which the drawing is omitted, and when the external device 2 is mounted on the terminal 1, the charging circuit is omitted from the charging circuit via the I/O interface 27 of the external device 2, and the external device 2 is omitted. The charging circuit supplies a current, thereby starting the power of the external device 2.

In FIG. 3, the CPU 10 of the terminal 1 functions as a processing program that reads out the processing program from the ROM 11, the flash ROM 11A, the HD 12A, and the flash ROM 25 to the RAM 12, and functions as a dedicated load program loading processing unit 101. Execution of the extended BIOS from the startup of the system BIOS; the dedicated loader processing unit 102 executes the loaded dedicated loader; the managed file action environment establishing unit 103 is established by executing the dedicated loader The loaded management file and its action environment; the OS loader loading processing unit 104 loads the OS loader (IPL) after the preparation of the management file; the OS loader processing unit 105, which is built and built The OS loading program and its operating environment; the OS operation monitoring unit 106 monitors the OS booting of the OS loading program and the operation after the booting in the management file; the information processing unit 107 uses the specific AP or the general AP. The file communication processing unit 108 performs communication with the normal terminal 1 or the web site server via the network 3 from the terminal 1, and from the NIC 26 via the network 3 to other members. Terminal 1 Member server for transactions between 5 and 6 target terminal information received to the; switching unit 109 and the operating environment, based on Example The specific operating operation from the operating unit 13 switches the operating environment between the general-purpose OS environment and the specific OS environment.

The dedicated load program loading processing unit 101 performs self-diagnosis processing after the power of the terminal 1 is turned on, and then checks the state of the memory or peripheral devices by the POST processing. Then, the device set as the BIOS, in the present embodiment, the external device 2 storing the extended BIOS, activates the extended BIOS.

The dedicated load program loading processing unit 101 performs processing for reading the extended area read by the dedicated load program loaded in the processing unit 201 on the external device 2 side into the predetermined area in the boot memory area 120 of the RAM 12. By. Further, when the external device 2 is not mounted, the program of the MBR (Master Boot Record) is sequentially read from, for example, the ROM in the order of priority order, and then the control is transferred to the main boot program that is read.

The dedicated load program loading processing unit 101 is configured to read the extended BIOS into the boot memory area 120 of the RAM 12, and after the system BIOS hands over the control, executes the extended BIOS. The extended BIOS reads various command codes from the external device 2 to the boot memory area 120 of the RAM 12, and transfers the control to each command. Here, as the command code, a predetermined plurality of numbers are set. That is, the initialization process is performed on the driver of the desired device by a command code to prepare an environment in which the specific AP can be executed in the terminal 1. The required device is the display unit 14, a keyboard or a mouse constituting the operation unit 13. Moreover, the interrupt request (IRQ; Interrupt Request) and the interrupt of the external device 2 are performed by a certain command code. The meter (INT) is registered to the redirection table 1501 of the I/O Advanced Programmable Interrupt Controller (APIC) (refer to FIG. 4). Furthermore, the number of the IRQ at the time of registration is referred to as an interrupt number. Further, the I/OA PIC 150 is capable of coping with a multiprocessor, and can use an interrupt controller for notifying the CPU 10 of the received interrupt redirection table 1501 with a priority order in the case of a hardware interrupt. Here, the term "IRQ" refers to an interrupt request, and the term "interrupt number" refers to the order information indicating the priority order when a hardware interrupt is generated at the same time.

Further, a command code is used by the external device 2 to transmit a data transmission request signal for accepting data transmission using the DMAC 24. The data required to be transmitted by the data transmission request signal is a load program of approximately 1 MB (including an interrupt vector table). In the loader processing of the dedicated loader executed by the extended BIOS, at least the participation of the CPU 10 is excluded by using the DMA bus master transfer mode, and even if it is assumed that the CPU 10 is occupied by malicious software during this period, The transmission of the data itself can be carried out normally. Therefore, while deleting the previous data, that is, the dedicated loader (R) is forcibly (not controlled by the CPU 10) overwritten to the boot memory area 120 of the RAM 12, thereby causing the pair to be caused by malicious software. The virus or the like is copied in the boot memory area 120, and these can be surely deleted. Furthermore, it is also possible to set the system management RAM (SMRAM; System Management RAM) to control the D_LCK bit of the scratchpad as needed, and to disable the SMRAM from writing (disabling access) of the command code. In this way, by implementing a lock to prohibit access, The privileged mode such as System Management Mode (SMM) is avoided by improper use of the highest authority that can freely access all memory.

In addition, it can be considered that when the operating state of the protected mode is detected during the startup of the system BIOS, it is considered that the malicious software is highly likely to exist, and the startup action is suspended. In this case, consider rewriting the system BIOS or using a vaccine to remove the virus that is lurking in the system BIOS. In this way, the danger of information processing in the environment of malicious software is avoided. On the other hand, if the activation is interrupted as described above, there is a problem that the activation of the terminal 1 cannot be performed during the period before the response, and the use environment of the specific AP cannot be smoothly provided to the member or the like, and thus there is no problem. Therefore, when a situation in which the protection mode is abnormal is generated, the reset processing is executed and reset to the real mode.

The dedicated load program loading processing unit 101 is executed by transferring the control to the extended BIOS and then transmitting the command command from the external device 2 to perform the setting of the real mode. In the startup operation of the system BIOS, after receiving the command command for determining the setting of the real mode generated when the terminal 1 is set to the protection mode or is determined to be set to the real mode, the dedicated loading program is loaded. The input processing section 101 performs a part of processing for resetting the mode to the real mode. In this embodiment, the temporary register IDTR is restored to the processing in the interrupt vector table of the real mode, and the IRQ and the interrupt number of the external device 2 are registered to the I/OAPIC 150. The processing in the redirection table 1501 and the output processing of the data transfer request signal. This mode determination processing is performed on the external device 2 side in the following manner to avoid the influence of malicious software.

Next, in FIG. 3, the CPU 20 functions as the following part by executing the program stored in the ROM 21: the dedicated load program loading processing unit 201 performs an extended BIOS pair terminal for loading the dedicated load program. The reading unit 202 monitors the loading operation of the dedicated loading program and issues an instruction corresponding to the monitoring content; the management file loading processing unit 203 performs the management file to the terminal 1 side; The program loading processing unit 204 reads out the loading portion of the terminal 1 from the external device 2 side as part of the OS loading program, and the network communication processing unit 205, after the external booting is started, The file created by the specific AP or the like is transmitted between the other terminal 1, the member server 5, and the transaction target terminal 6 via the NIC 26 and the network 3. The monitoring unit 202 includes the following three aspects of the monitoring method, the monitoring mode of the timing means, the monitoring mode of the mode determining means for determining the mode mode of the real mode or the protection mode, and the mode checking means of the checking mode. Monitoring aspect.

The dedicated load program loading processing unit 201 receives the read instruction by the POST process in the terminal 1, and executes the read processing of the extended BIOS on the RAM 12. Further, the dedicated load program loading processing unit 201 activates the DMAC 24 (transmits the instruction) based on the monitoring content of the monitoring unit 202, and transmits the load program (R) in the real mode state, and causes the DMAC 24 on the other hand. Start up The line transfer request (instruction)) transfers the load program (P) to the RAM 12 in the protection mode state.

The timing means of the monitoring unit 202 starts counting from the time when the power supply from the terminal 1 is received and reaches the level at which the external device 2 is activated, and the system BIOS of the terminal 1 transfers the control to the extended BIOS and sends the command code to After the external device 2, the timing operation is stopped. Thereby, the time required for the period is measured.

The mode determination means of the monitoring unit 202 compares the time obtained by the timekeeping means with the size (length) of the reference time information stored in the reference time storage unit 213 of the ROM 21, and when the time count exceeds the reference time, As a result of the malicious software, the mode becomes the protection mode, and the command code for performing the resetting (overwriting) of the real mode is sent to the terminal 1. Furthermore, the reference time is set as follows. That is, first, the power is turned on for the terminal 1, the system BIOS is started, the POST processing is executed, the extended BIOS is expanded in the RAM 12, and the time required to transfer the control to the extended BIOS becomes substantially normal when the malicious software does not operate normally. Pre-set time.

On the other hand, when there is a malicious software lurking in the system BIOS, or a malicious software intrusion during the system BIOS startup process, when the protection mode environment is constructed on the RAM 12, it takes a longer time than the set time in the above normal situation. Therefore, the external device is activated by the activation of the terminal 1, that is, the elapsed time from the activation of the external device 2 to the control of the extended BIOS. The 2 side judges that the RAM 12 is located in the real mode space or in the protected mode space, and is not used in the method of directly determining the mode content on the terminal 1 side.

4 is the content of the RAM 12 in the real mode, and FIG. 5 is the content of the RAM 12 in the protected mode. As shown in FIG. 4, the chip set 15 includes, in each CPU 10, an area APIC 151, a flag register register (EFLAGS), or a general-purpose register in the presence of not only the I/OA PIC 150 but also a plurality of CPUs 10. The chipsets 15a-15n of the register group 152 of the various registers are wait. Further, in the boot memory area 120 of 0 MB to 1 MB in the RAM 12, the system BIOS 121, the extended BIOS 122, the dedicated load program 123 including the interrupt vector table, and the temporary GDT 124 are developed. Further, the dedicated loader 123 is developed in the global area of the boot memory area 120, and appropriately includes a program portion that functions as a loader and virtual data that is added to create a transfer data equivalent to 1 MB. Moreover, the temporary GDT 124 is created by the dedicated loader 123 and is used to download the management file into the unreal mode (Unreal mode) to the address of 1 MB to 100 MB by the dedicated loader 123. . Here, the non-authentic mode means that the access restriction of the data segment register of the omitted pattern in the chip set 15 is changed to 4 GB in the real mode environment, and only the data access is 1 MB or more. A special state that can be accessed outside the boot memory area 120.

On the other hand, the protection mode is as shown in FIG. 5. In each of the chip sets 15a-15n, the register group 152 also includes an address in which an interrupt descriptor table (IDT) is stored. The address and the register IDTR (Interrupt Descriptor Table Register) referred to by the CPU 10. In addition, in any area of the 4 GB RAM 12, the interrupt vector table 123' in the dedicated load program, the system BIOS 121, and the extended BIOS 122 are expanded. Further, in any area, the IDT (Interrupt) for forming the protection mode is formally established. Descriptor Table), GDT (Global Descriptor Table), further program (PGM; Program) 1~i, and each management table of TSS (Task State Segment) of PGM1~i (except PGM). That is, FIG. 5 is a result of setting the environment setting for the external device 2 established by the malicious software in the RAM 12 as if there is the same space as that of FIG.

During the operation of the system BIOS, the malicious soft system establishes the programs shown in FIG. 5 for the protection mode environment to be expanded on the RAM 12, and expands at the appropriate position on the RAM 12, and then transfers the control. In the expansion of the BIOS. In addition, it is necessary to develop the host program of the malicious software in the RAM 12, and the data must be obtained mainly from a hard disk (HD12A) as an external medium. Therefore, the time required from the start of the terminal 1 to the control transfer to the extended BIOS 122 is inevitably time-consuming compared to the case of FIG. Therefore, the appropriate time between the time required in the case of the real mode of FIG. 4 and the time required in the case of the protection mode of FIG. 5 is taken as the reference time.

Returning to Fig. 3, the mode checking means of the monitoring unit 202 will be described. The mode checking means of the monitoring unit 202 performs monitoring by using a method different from the monitoring mode of the time measuring means or the monitoring mode of the mode determining means. kind. That is, after the system BIOS transfers control to the extended BIOS, the external device 2 issues a command code. The DMAC 24 is activated by the command code, and the contents of the RAM 12 are all read by the CPU 10 without being controlled by the transmission, and are taken in to the external device 2. The mode checking means of the monitoring unit 202 checks the contents of the read RAM 12 and determines whether or not it is in the protected mode environment. The judging method may also use the information inherent to the protection mode in the data of the RAM 12, such as the above-mentioned management table such as GDT, IDT or TSS as the judgment material. In this way, it is determined whether or not the device is in the protection mode space on the side of the external device 2, and is not used in the method of determining the terminal 1 side.

Further, when the mode checking means of the monitoring unit 202 determines that the mode is the protected mode due to the malicious software, the command code for resetting the real mode is sent to the terminal 1.

Next, the startup processing of the CPU 10 and the CPU 20 will be described with reference to Figs. 6 to 10 . Fig. 6 is a flow chart showing the flow of the startup process of the system BIOS executed by the CPU 10 of the terminal 1. First, after the power of the terminal 1 is turned on, the system BIOS is checked (step S1), and second, the POST process is performed (step S3). Then, it is judged whether or not the reading of the extended BIOS from the external device 2 by the POST processing is completed (step S5). If the reading of the extended BIOS is not completed, the reading is continued, and if the reading is completed, the control is transferred to the extended BIOS (step S7).

In addition, the following description will be made before the PCI 1 is installed as an example of the external device 2 in the terminal 1a of the terminal 1. That is, if the terminal 1 is 1a The external device 2, which is equipped as a PCI, is read by the POST, and the extended BIOS is read into the RAM 12 by the booting routine of the system BIOS.

Fig. 7 is a flow chart showing the flow of the POST processing (step S3) of the system BIOS executed by the CPU 10 of the terminal 1. First, it is judged whether or not the PCI is installed as the device connected to the terminal 1 (step S11). If the PCI is not installed, the system BIOS executes the normal startup process (step S13). On the other hand, if the PCI is installed, the BIOS of the search device, that is, the extended BIOS (step S15) is loaded, and the extended BIOS is loaded into the RAM 12 (step S17). Next, if the loading is completed, the loading end signal is output by the system BIOS (step S19).

FIG. 8 is a flow chart showing the flow of the monitoring process 1 performed by the CPU 20 of the external device 2. First, it is judged whether or not the power of the external device 2 is turned on, and if it is turned on (step #1), the timer operation is started by the timing means of the monitoring unit 202 (step #3). Next, the system waits until the command code is received from the system BIOS (NO in step #5), and if the command code is received, the timer operation is stopped (step #7).

Next, it is judged whether or not the measured time of the measurement is shorter than the reference time (timing time <reference time) (step #9). If the timing is shorter than the reference time, it is determined that the terminal 1 is not set to the protection mode environment, that is, the CPU 10 of the terminal 1 is set to the protection mode due to at least the malicious software, and the flow is exited. On the other hand, if the timing is longer than or equal to the reference time, it is determined that there is a possibility that the CPU 10 of the terminal 1 is set to the protection mode environment, that is, at least the environment of the CPU 10 of the terminal 1 is set to be protected due to malicious software. The possibility of protecting the mode, thereby replying to the command code for resetting the CPU 10 of the terminal 1 to the real mode (step #11), exits the flow.

FIG. 9 is a flow chart showing the flow of the monitoring process II performed by the CPU 20 of the external device 2. First, (on the terminal 1 side, the control of the CPU 10 is transferred from the system BIOS to the extended BIOS), it is judged whether or not the above command code is received from the extended BIOS (step #21). If the command code is not received, the process is completed. On the other hand, when the command code is received, it is determined that the control of the terminal 1 is located in the extended BIOS, and the activation of the DMAC 24 and the designation of the RAM 12 which is the transfer destination of the DMAC 24 are performed (step #23). Thereby, the contents of the RAM 12 are taken into the RAM 22 of the external device 2 via the DMAC 24. Also at this point in time, out of the control of the CPU 10 of the terminal 1, the entire contents of the RAM 12 (here, 4 GB) are taken in, regardless of the mode of the CPU 10.

Next, it is checked whether or not there is a content unique to the protection mode, specifically, a management table unique to the IDT, GDT, TSS, or the like (step #25). If the content inherent to the protection mode is not included in the RAM 12, it is determined to be the real mode, and the flow is exited.

On the other hand, when the content of the protection mode is included in the RAM 12, it is determined that there is a possibility that the CPU 10 of the terminal 1 is set to the protection mode environment, that is, at least the environment of the CPU 10 of the terminal 1 is set to be due to malicious software. The possibility of protecting the mode, thereby replying to the command code for resetting the CPU 10 of the terminal 1 to the real mode (step #29), exits the flow.

FIG. 10 is a flow chart showing the flow of extended BIOS processing performed by the CPU 10 of the terminal 1. The extended BIOS forwarded by the control of the CPU 10 first judges whether or not the command code for performing the resetting of the real mode is received from the external device 2 (step S31). If the command code is not received within a predetermined time for preparation for reception, the predetermined device (the display unit 14, the keyboard, the mouse) connected to the terminal 1 is subjected to POST processing for initialization (step S33). Next, I/OAPIC processing (step S35) and data transfer request signal output processing (step S37) are executed. Then, the DMAC 24 is started, and the load program (R) is transferred from the dedicated load program storage unit 251 to the terminal 1 side, and overwritten to the boot memory area 120 of the RAM 12 (step S39). Then, if it is confirmed by the transfer end signal whether or not the transfer is completed (YES in step S41), a hardware interrupt is generated, and the control of the CPU 10 is transferred to the load program (step S43), thereby exiting the flow.

On the other hand, if the command code for resetting the real mode is received in step S31, the real mode recovery process (step S45) and I/OAPIC processing (step S45) of rewriting the scratchpad IDTR to the interrupt vector table are performed. Step S47), data transfer request signal output processing (step S49). Then, the DMAC 24 is started, and the load program (P) is transferred from the dedicated load program storage unit 252 to the terminal 1 side, and overwritten to the entire area of the RAM 12 (step S51). Then, if it is confirmed by the transfer completion signal whether or not the transfer is completed (YES in step S53), a hardware interrupt is generated, and the control of the CPU 10 is transferred to the load program (step S55), thereby exiting the flow. Furthermore, following the loading of the dedicated loader (R), (P) After the bundle, the appropriate system BIOS is overwritten from the system BIOS memory 256 to the area that does not affect the loader portion of the dedicated loader. Alternatively, the system BIOS of the system BIOS memory unit 256 may be included in a part of the dedicated loader (R), (P), and the dedicated loader (R), (P) may be utilized. The load is overwritten to the boot memory area 120. The system BIOS is used when loading the OS as described below.

Further, in the loading process of the dedicated loader, the monitoring processes I and II may be replaced by the aspects shown in FIGS. 11 to 13. Fig. 11 is an explanatory diagram showing the flow of the monitoring process III executed by the CPU 20 of the external device 2 and the extended BIOS. Moreover, FIG. 12 is a flowchart for explaining a part of the flow of the monitoring process III executed by the CPU 10 on the terminal 1 side, and FIG. 13 is a flowchart showing a part of the flow of the monitoring process III executed by the CPU 20 on the external device 2 side.

In order to execute the monitoring process III shown in Fig. 11, the external device 2 must have the following configuration. The ROM 21 or the flash ROM 25 of the CPU 20 functions as a memory means for memorizing the IOAPIC. When the POST processing is performed, the IOAPIC 150 registers with the terminal 1 side by the hardware interrupt IRQ set in the register of the external device 2, and automatically sets the interrupt number associated with the IRQ number. Similarly, the ROM 21 or the flash ROM 25 of the CPU 20 functions as a memory interrupt vector table and a memory means for interrupting the contents of the processor. Further, the DMAC 24 executes the process of transmitting the contents of the interrupt vector table 123' and the interrupt processor 124' to the terminal 1 side without CPU10 control. Further, the monitoring unit 206 has the effect of monitoring the presence or absence of the interrupt processor 124' described below. The function of the signal. Further, the monitoring unit 206 includes a functional unit that associates the interrupt vector table 123' with the predetermined vector of the interrupt vector table 123' by the bus bar master by the DMAC 24 after the transfer request is issued. The interrupt processor 124' transmits to the boot memory area, and further determines whether or not the execution result signal from the interrupt processor 124' is present.

Moreover, the extended BIOS performs the following process. Further, in the redirection table 1501 of the IOAPIC 150, for example, INT0 is set for the hardware interrupt (IRQ10). Here, the hardware interrupt is set to IRQ10 here, but the IRQ is not limited to "10", and it is only necessary to establish a contact in advance to specify the number of the device. Further, the interrupt processor 124' refers to a program that stands by on the memory for executing the interrupt processing. Further, in the INT0 of the interrupt vector table 123', the top address of the program as the interrupt handler 124' is set, and in the example of Fig. 11, the address is 1000.

Next, in FIG. 12, first, it is judged whether or not the control has been transferred from the system BIOS to the extended BIOS (step S61), and if the control is not transferred to the extended BIOS, the flow is completed. On the other hand, if the control has been transferred to the extended BIOS, the request signal for controlling the transfer to the extended BIOS is transmitted to the external device 2 (step S63, referring to the arrow [1] of Fig. 11). Next, it is judged whether or not the hardware interrupt (IRQ10) command is issued (step S65). If, for example, the hardware interrupt (IRQ10) command is issued within a predetermined time from the transmission time of the request signal, INT0 is issued, and the INT0 is issued. The INT0 command executes the interrupt handler 124' of the address (step S67, referring to the arrow [4] of FIG. 11). and, The execution result signal of the interrupt processor 124' is returned to the external device 2 (step S69, referring to the arrow [5] of Fig. 11). Furthermore, in terms of privacy, it is more preferable to change the execution result signal of the interrupt processor 124' each time. The execution result signal is established in accordance with a predetermined rule, for example, by using the date information of the power-on or the member information of the member information storage unit 212 of the external device 2.

In Fig. 13, first, it is judged whether or not the request signal is received (step #41), and if the request signal is not received, the flow is completed. On the other hand, when the request signal is received, the activation of the DMAC 24 and the designation processing of the memory area to be transferred (step #43, referring to the arrow [2] of FIG. 11) are performed by the block transfer. The information of the transfer target is transmitted to the terminal 1 side under the control of the CPU 10. Here, the information of the transfer target refers to each content of the IOAPIC 150 (redirection table 1501), the interrupt vector table 123', and the interrupt processor 124'.

Next, it is determined whether or not the transfer completion signal output from the CPU 20 after the transfer operation is completed (step #45), and if the transfer end signal is confirmed, the hardware interrupt (IRQ10) command is issued and transmitted to the terminal 1 (step #47). Refer to arrow line [3] in Figure 11. Next, as the monitoring processing, it is judged whether or not the reception of the processor execution result signal is received within a predetermined time from the issuance time of the hardware interrupt (IRQ10) command (step #49). If the monitoring result is received by the interrupt processor, it is determined that the CPU 10 is in the real mode state, and the power is turned on normally, thereby ending the flow.

On the other hand, the CPU 10 becomes a protected mode state due to malicious software. In this case, since the bus is transferred by the bus master of the DMAC 24, the CPU 10 cannot know the address of the INT0 of the interrupt vector table 123' and the top address of the interrupt processor 124' before the transfer, and thus cannot The address of INT0 set by the malicious software is made to correspond to the top address of the interrupt handler 124'. Preferably, each time the power-on process is performed, the content of the INT0 and the top address of the interrupt handler 124' are randomly set by using the predetermined rule on the external device 2 side or by causing the random number generating unit to operate.

Therefore, when in the state of the protection mode, the interrupt processor 124' is not executed, and the monitoring result determines that the interrupt processor execution result signal is not generated, that is, the possibility that the power is not normally turned on is high, and the reply is used to After the CPU 10 of the terminal 1 is reset to the command code of the real mode (step #51), the flow is exited. After exiting the processing of FIG. 13, the terminal 1 performs the processing of FIG.

As described above, when the DMAC is set to the terminal 1 side, there is a case where the startup of the DMAC 24 or the designation of the transfer target content is managed by the CPU 10 which is occupied by the malicious software (that is, for example, although some processing is not performed, only the virtual ground is used. The processing of generating and outputting the content as a processed signal is performed, but by setting the DMAC 24 to the external device 2 side, the control by the CPU 10 can be excluded.

Next, FIG. 4 and FIG. 14 to FIG. 17 are diagrams showing changes in the memory map of the RAM 12 from the loading of the dedicated loader to the OS. As described above, FIG. 4 shows the creation of the temporary GDT 124 from the loading of the dedicated loader 123, that is, the creation of data in the boot memory area 120. status. Furthermore, the system BIOS 121 is temporarily deleted by the loading of the dedicated loader 123, and is reloaded from the external device 2 as described above. Alternatively, it may be included in the dedicated loader 123 in advance, and loaded at the same time when the dedicated loader is loaded. The reason for this is that the dedicated loader 123 and the system BIOS 121 are required to load the OS afterwards. In this sense, it is not necessary to load the extended BIOS 122 again. Further, in FIG. 4, the loading of the system BIOS from the external device 2 is overwritten to the virtual data portion in the dedicated loader 123.

Fig. 14 is a memory map in which the management file 125, the management GDT 126, and the management IDT 127 are expanded in an area of 1 MB to 100 MB. The dedicated loader processing unit 102 of FIG. 3 is a loader executed by transferring the control of the CPU 10 to the dedicated loader 123 in response to the generation of a hardware interrupt from the external device 2 that has received the request to expand the BIOS 122. deal with. As shown in FIG. 14, the dedicated loader processing unit 102 reads the management file 125 in the management file storage unit 253 of the external device 2 read by the management file loading processing unit 203 into the RAM of the terminal 12 of 1 MB~ The processing of a given location of 100 MB and the processing associated therewith. More specifically, the dedicated loader processing unit 102 first performs processing for accessing 1 MB to 100 MB of the RAM 12, for example, establishment of the temporary GDT 124 shown in FIG. 4, and various temporary settings in the chipset. The settings of the memory. The temporary GDT 124 is used as a descriptor privilege level as a privilege level by all the programs or management tables (segment descriptors) constituting the management file 125. (DPL; Description Privilege Level) sets "0" (so-called ring "0"), and can load the management file 125 to a predetermined position of 1 MB to 100 MB at the highest privilege level, and, in addition, is set in the area. Information, all implemented with DPL "0" loading. The DPL is a privileged level that describes the memory space as is well known, and has four levels from DPL "0" to DPL "3". The smaller the DPL value, the higher the privilege level. For example, a program operating in a space described by a value having a relatively large DPL value cannot access a space side described by a value whose DPL value is smaller than the value. That is, in this case, as a violation privilege level, the following general protection error (# GP) or page fault (# PF) is issued to invalidate the access. On the other hand, a program that operates in a space described by a value having a relatively small DPL value can be accessed or browsed on a space side described by a value whose DPL value is larger than the value. Thereby, it can be determined in advance whether or not it is an inappropriate access.

Further, the dedicated loader processing unit 102 performs not only the flag of the control register (CR; Control Register) 0 in the management register but also the area of 1 MB to 100 MB in the protected mode. Access, and in addition to the real mode, the temporary GDT 124 segment limit is set to 1 M or more, here 4 G, whereby the operation in the non-authentic mode can be realized. In the non-authentic mode, the management file 125 and the interrupt handler 130 are loaded, and then the management GDT 126 is loaded, and the management IDT (management interrupt vector table) 127 (see FIG. 14) is loaded. Each segment descriptor of the management GDT 126 and the management IDT 127 is pre-established up to the table portion required at the time point, and Loading is performed by the loader processing unit 102. The dedicated loader processing unit 102 transfers the control of the CPU 10 to the (jump) management file 125 after loading the required information.

Fig. 15 is a memory map in which the state of the TSS 128, the PTE (Page Table Entry) 129, and the management interrupt processor 130 is established in an area of 1 MB to 100 MB. Further, although not shown in the figure, an LDT (Local Descriptor Table) for each task is created as needed. The management file operation environment creating unit 103 establishes a TSS 128, a PTE (Page Table Entry) 129, a management interrupt processor 130, and a required LDT by managing the program of the file 125. Further, as described below, the TSS128 and the PTE 129 include a table for managing (protection) mode for monitoring tasks of 101 MB or more (mainly loading from an OS of HD12A), and monitoring at 100 MB to 101 MB. The VM8086 mode for the task of action. By appropriately switching the mode by using the task switch of the omitting pattern, the process of loading the respective programs constituting the OS and the segment descriptors of the respective programs of the OS to the management GDT and IDT can be performed.

The TSS 128 is created in association with each of the management programs (tasks) in the management file 125. That is, the TSS 128 is configured to operate the program corresponding to the action state, and the task switch is used to transfer the execution state to the required program, and the processing content of the previous program is established with the corresponding TSS, thereby achieving The status is restored. The PTE 129 is used to convert the linear address established in the GDT 126 into a physical address, and is set corresponding to each piece of information (code, data, and stack).

Here, the relationship between the GDT 126 and the PTE 129 and the conversion from the linear address to the physical address will be described with reference to FIGS. 18 to 21 . First, in the real mode of the terminal 1 startup mode, that is, in the real mode of the 16-bit program action, the segment value and the offset value are used to determine the address. As is well known, the segment value can be offset by 4 bits. The value (16 times the value) plus the offset value directly calculates the address (linear address) up to the maximum (1 MB+64 KB) as the physical address. On the other hand, for the above address, the protection mode is adopted. For example, in the case of a 32-bit program, the address can be specified up to 4 GB. Furthermore, since the virtual address space can be set by setting different addresses for each information (task), the information (tasks) can be separately stored in units of required data.

Figure 18 is a summary of the GDT 126 indicating the location where the information is stored, corresponding to the information storage aspect. The GDT 126 is a list of segment descriptors that manage the storage locations of the various information, for example, in 8-bit units. Each segment descriptor has 4 attributes. The attributes are the "category" (code, data, stack), "base address", "limit", and "DPL" of the information. The "base address" is the storage reference (start) address in the RAM 12 of the information. "Restriction" means the access scope of the information. The DPL indicates the above privilege level. The segment descriptor used in the addressing is selected based on the information of the segment selector used in the conversion from the linear address. Also, whether the accessor of the allowed task is required to access the current privilege level (CPL; Current) in any of the registers CS, DS, SS written to the chipset. Privilege Level) and requirements The priority level (RPL; Requested Privilege Level) is determined in comparison with the segment descriptor corresponding to GDT126.

Figure 19 shows the memory map of the PTE. Each page data is divided into a predetermined amount of data, for example, 4 KB, and each page data is set with a physical address and an access attribute. The information of each page includes the code, data, and type of stacking. The physical address is used to move the linear address to a predetermined location within RAM 12. The access attribute is equivalent to the privilege level and includes "supervisor" and "user". The "supervisor" is equivalent to the privilege level DPL "0" to DPL "2", and the "user" is equivalent to the privilege level DPL "3". Further, a non-execution bit (NX-Bit; Non eXecute Bit) is held in the page corresponding to the data, and the command code cannot be issued to the CPU 10 from the page. Further, when the access from the CPU 10 violates the privilege level, a general protection error (# GP) of an exception interrupt is issued, and on the other hand, a paging error is issued when the access attribute is violated (# PF). In either case, the process of invalidating the access via the interrupt handler 130 is performed. Furthermore, the invalidation of the access includes the aspect of stopping the access itself and rewriting the changed privilege level value to the correct value.

Figure 20 is a diagram showing a conversion method from a linear address to a physical address using a graph. The linear address established by the CPU 10 for accessing certain information is converted into a physical address by using the segment selector of the GDT 126 and the base address, and even the physical address of the PTE 129. Fig. 21 is a diagram showing an example of the relationship between a linear address and a physical address in the protected mode. First, in real mode, the linear address is 0. MB~1 MB corresponds to 0 MB~1 MB of the physical address. This range is a 16-bit specification and the two are identical. In addition, the PTE 129 is used for management (area of 100 MB or less) and VM8086 (area of 100 MB to 101 MB) as follows. Here, the address for management in the protection mode will be described. That is, 0 MB to 1 MB of the linear address corresponds to 100 MB to 101 MB of the physical address. Thus, the predetermined value of 100 MB (or 101 MB) or more of the physical address is set as the physical address of each task of the management side table in the PTE 129. By the setting of the physical address, the task of the PTE 129 (represented by the loading of the OS or the execution of the OS) is all loaded or expanded into a set address of 100 MB (or 101 MB) or more. In other words, the PTE 129 page is an address of 100 MB (or 101 MB) or more, and as a result, the management file 125 and the GDT 126, the IDT 127, the TSS 128, the PTE 129, and the interrupt processor 130 are not accessed for 100 MB or less. Therefore, it is impossible to change the contents of other tables of GDT 126, and it is equivalent to not presenting (not present) 100 MB or less.

Figure 16 shows the status of copying 0 MB~1 MB (essentially the dedicated loader and the system BIOS reloaded from the external device 2) in the area of 100 MB to 101 MB, and the status in the area. The location is created with a memory map of the state of the OS loader 131. The OS loader 131 is overwritten to, for example, a position where virtual data is written or a position where an extended BIOS is written. The writing of the information from 100 MB to 101 MB is performed in the VM8086 mode. Furthermore, the so-called VM8086 mode is in the process of In the process of the line protection mode, if the process of switching to the real mode is performed, the efficiency is lowered when considering the complexity of management, etc., so the VM bit of the EFLAGS register is switched, and the real mode address calculation is performed. Execute a 16-bit program. During this period, access to information from 0 MB to 100 MB from the area is invalidated by paging.

The OS loader loading processing unit 104 loads 100 MB of the contents of 0 MB to 1 MB copied by the OS loading program loading processing unit 204 on the external device 2 side and read on the terminal 1 side into the RAM 12 of 100 MB. Processing of 101 MB, and loading of the OS loader. The OS loading program is established based on the MBR read from the HD12A and the following boot code read from the external device 2. More specifically, the OS loader loading processing unit 104 reads the load and start of the OS in the management file 125 and based on the partition table of the MBR read from the 0th sector of the HD12A. The program is the Partition Boot Record (PBR) and the storage address information of the OS in HD12A. In addition, the PBR includes a BIOS Parameter Block (BPB) and a boot code. Among them, BPB is used to read the information of the OS from HD12A, so there is no possibility of change, and it is directly used. On the other hand, since the boot code is fixed and common, and there is a possibility of change, it is loaded and The boot code prepared in advance in the external device 2 is used. Further, the OS loader loading processing unit 104 combines the BPB with the boot code loaded from the external device 2 to create an OS load program (also referred to as an IPL (Initial Program Loader)) 131. After that, the dedicated loader The processing unit 102 transfers the control of the CPU 10 to the (jump) OS loader processing unit 105.

Fig. 17 is a view showing a memory map in a state in which an OS is loaded in an area of 101 MB or more. In addition, in FIG. 17, the OS GDT132 and the OS IDT133 shown by the broken line indicate the state in which the OS wants to establish a table for describing self-behavior.

The OS loader processing unit 105 first sets the physical address in the control register CR3 in the state of being set to the VM8086 mode (that is, CPL "3"), and causes the OS loader to be started. The HD12A will constitute the OS. The program is sequentially loaded into the area of 101 MB or more of RAM12. The OS loaded from the HD12A issues an LGDT request to rewrite the contents of the scratchpad GDTR of the chipset to establish a GDT132 for the OS describing the self-action. On the other hand, only the access of the chip group to the register GDTR (rewrite request) is permitted by the CPL "0", and the OS operation monitoring unit 106 issues a general protection error (# GP) as an abnormality interrupt for the access. . Moreover, this general protection error is transferred via IDT 127 to the interrupt handler within management file 125. The OS operation monitoring unit 106 uses the program counter to refer to the temporary register EIP indicating the storage location of the command (program) to be executed by the CPU 10 via the interrupt counter 2, and determines the access of the program requiring improper access, and disables the temporary register. The GDTR is rewritten, and the interrupt program processing that rewrites the changed privilege level to the original value or the like is performed on the inappropriate program. Further, the OS operation monitoring unit 106 adds the inappropriate program to the GDT 126 as a new segment descriptor for the privilege level item. The DPL "2" is set, and a new page table is added to the management table of the PTE 129, and at least 101 M (or 100 M) or more of the address value is set as the physical address. In this way, by setting the access right of the GDT 126 to DPL "2", the access from 0 to 100 MB from the OS side is invalidated and the PTE 129 cannot be utilized. Perform physical address conversion from OS to 100 M or less.

Furthermore, the management file 125 loads the specific AP pre-stored by the external device 2 into 1 MB to 100 MB with DPL "0". The specific AP can control the device driver of the operation unit 13, the device driver of the display unit 14, perform an information processing operation in a specific mode environment, and control the device driver of the NIC 26 of the external device 2 as needed to communicate with a specific member. Furthermore, in the case where the terminal 1 is a server, it is sufficient to perform at least the device driver of the NIC 26 of the external device 2.

The information processing unit 107 switches the device driver to execute the processing in the general AP mode and the processing in the specific AP mode. The network communication processing unit 108 uses the device driver to switch and control communication between the communication from the terminal 1 and the members of the NIC 26 from the external device 2 and the specific server. The operation environment switching processing unit 109 switches the processing in the general OS environment and the processing in the specific OS environment. The switching indication may be performed on a specific operation of the terminal 1, and may be, for example, a mode in which a mode switching instruction may be cyclically performed by pressing a specific key (one or plural) on the keyboard, or separately. Each operation is used to indicate each environment.

Next, the processing procedure of the terminal 1 will be described with reference to FIGS. 22 to 27. Fig. 22 is a flow chart showing the processing of the dedicated loader 123 executed by the CPU 10. First, it is judged whether or not there is a hardware interrupt corresponding to the end of the loading of the dedicated loader 123 (step S101), and if there is no hardware interrupt, the flow is exited. On the other hand, if there is a hardware interrupt, the initialization of the register group is performed, and the control register CR0 is set to the real mode (step S103).

Further, first, the temporary GDT 124 is established by the dedicated loader 123 (step S105), and second, the control register CR0 is set to the protected mode (step S107). Further, the content of the descriptor whose temporary GDT 124 has a segment limit value of 4 GB is registered in the segment register of the chip group (step S109). Therefore, it is assumed that the address of 1 MB or more can be specified. Then, the control register CR0 is set to the real mode (step S111). That is, the control register CR0 can be changed to the real mode, and the non-authentic mode that can access 1 MB or more is set in the real mode in accordance with the case where the segment limit value of the temporary GDT 124 is set to 4 G.

Then, the management file 125 and the management interrupt processor (which may also be included in the management file) are loaded from the external device 2 to the area of 1 MB to 100 MB by the dedicated load program 123 (step S113). ). Thereafter, the management GDT 126 is loaded from the external device 2 (step S115). When the processing is completed, the CPU 10 sets the control register CR0 to the protection mode (step S117), then jumps to the management file 125, and the management file 125 is started.

Figure 23 is a flowchart showing the processing of the management file 125 executed by the CPU 10. Figure. First, the GDT 126, the IDT 127, and the TSS 128 are established at a predetermined position of 1 MB to 100 MB with the privilege level DPL being "0" (step S131). As described above, the TSS128 is used for management (area of 100 MB or more) and VM8086 (area of 100 MB to 101 MB). Next, the PTE 129 is established (step S133). PTE 129 is also used for management and VM8086 as described above.

Next, the content of the area of 0 MB to 1 MB is copied to 100 MB to 101 MB (step S135). In this way, the OS is loaded into the required system BIOS load. Further, an OS loader is created at an appropriate position of 100 MB to 101 MB (step S137). Thereafter, the CPU 10 jumps to a program for processing (monitoring and managing) the loading of the OS in the management file 125 (step S139).

In Fig. 24, the MBR is loaded from the top sector of the HD 12A to a predetermined position of 100 MB to 101 MB (step S151). Next, the storage address of the OS (the programs constituting the OS) is obtained from the activity partition table in the MBR (step S153).

Moreover, the PBR is loaded from the HD12A to 100 MB to 101 MB (step S155), and second, the part of the PBR boot code is rewritten as the boot code loaded from the external device 2 (step S157), so that the PBR is BPB is combined with the rewritten boot code (step S159). Create the OS loader as above. Furthermore, the OS loader is equivalent to the so-called IPL, and the IPL is known to download the loader that loads the part of the OS onto the real mode in advance. Moreover, by loading the loader of the OS body, The OS main body is loaded after, for example, division or the like. Here, the OS load program is described as a program that sequentially loads the OS onto the OS.

Fig. 25 is a flow chart showing the processing of the management file 125 after the OS load program is executed by the CPU 10. When the OS file is created, the management file 125 is directly set to monitor and manage the VM8086 mode of the OS loading, that is, the privilege level is automatically set to DPL "3" (step S171). Therefore, the information for accessing the area of 101 MB or more in this state (here, the program of the loaded OS) is processed under the privilege level CPL "3".

Next, it is judged whether or not the OS GDT, IDT, and PTE establishment command is used to access the chipset register GDTR or the like (the GDTR rewrite request LGDT or the like) (step S173). If there is an access to the scratchpad GDTR or the like, the appropriateness of the access control access right is an access from the CPL "3", so a general protection error is issued (step S175), and execution is performed. The management IDT 127 jumps to the interrupt handler 130 corresponding to the general protection error (step S177). As a result, the interrupt processor 130 performs a process of temporarily loading a next jump object to the EIP (step S179). Further, by the task, the access to the temporary register GDTR or the like is denied, and the so-called invalidation processing is executed.

Next, a segment descriptor corresponding to the program of the OS loaded this time is added to the management GDT 126 and the management PTE 129 (step S181). Further, the privilege level DPL "0" of the management GDT 126 and the management PTE 129 is rewritten to DPL "2", and the item of the physical address of the management PTE 129 is set to a predetermined value larger than 101 M (or 100 M). For example, offsetting 100 M to set the error The address received is received by mistake (step S183).

Next, it is judged whether or not a program constituting the OS is loaded from the HD 12A (step S185), and if there is no program that constitutes a program under the OS, the flow is exited. On the other hand, if a program under the constituent OS is loaded, the process returns to step S173, and the same processing is repeated to create a new segment descriptor, which is added to the management GDT 126 and the management PTE 129.

On the other hand, if there is an access in step S189, the process proceeds to step S157, a general protection error is issued, and the interrupt handler as described above is executed in accordance with this (steps S159, S161). Furthermore, the same procedure is used for the case where the program of the AP is loaded by the OS program. Further, since the AP system is set to the privilege level DPL "3", the privilege level of the newly added segment descriptor does not need to be rewritten, but the DPL "3" can be actively written. Also, for the loaded AP, the item of the physical address of the management PTE 129 is also set by the management file 125 to a predetermined value greater than 101 M (or 100 M).

Fig. 26 is a flow chart showing the processing of the management file 125 after the OS is turned on by the CPU 10. First, it is determined whether or not the management GDT 126 is accessed from the OS (or AP) program in 0 MB to 100 MB (step S201). If there is no access in the management GDT126, the process is exited. On the other hand, if there is access in the management GDT 126, a general protection error is issued by comparing the privilege level of the accessed OS with the privilege level of the scratchpad GDTR (step S203). Then, the self-administration IDT 127 is executed to jump to the interrupt handler 130 corresponding to the general protection error (step S205). Its knot If so, the processing of the interrupt processor 130 is executed (step S207). The processing of the interrupt processor 130 herein can also be considered to reject or have been processed to rewrite the normal content by accessing the management GDT 126.

Fig. 27 is a flow chart showing the switching process of the processing environment executed by the CPU 10. The switching of the processing environment refers to the switching between jobs in a general OS environment and jobs in a specific OS environment. During the operation of the terminal 1, it is determined whether there is a switching instruction for a specific OS environment (step S221), and if there is no switching instruction, the process proceeds to step S227. Furthermore, step S221 may also be an interrupt processing in an allowed state. Further, in step S227, it is determined whether or not there is a switching instruction to the general-purpose OS, and if there is no switching instruction, the flow is exited.

On the other hand, in step S221, if there is a switching instruction for the specific OS environment, it is determined whether the current usage environment is a general-purpose OS environment (step S223), and if the current usage environment is a general-purpose OS environment, the switching is performed to be specific. Processing of the OS environment (step S225). Thereby, the operation for information processing and the control of the device driver in a specific OS environment are performed within 0 MB to 100 MB. In this way, unlike the general-purpose OS environment, malicious software does not invade. Conversely, if the current usage environment is already a specific OS environment, the handover indication is ignored and the process ends.

Moreover, if there is a switching instruction to the general-purpose OS environment in step S227, it is determined whether the current usage environment is a specific OS environment (step S229), and if the current usage environment is a specific OS environment, performing switching to the general-purpose OS environment Processing (step S231). Conversely, if the current usage environment is already generic In the OS environment, the switching instruction is ignored and the process ends.

The present invention can adopt the following aspects.

(1) Although the present embodiment has been described using a PCI as an external device, the present invention is not limited thereto, and at least a CPU, a ROM, and a RAM may be built in. Further, it is only required to be a device having a DMAC. For example, it may be a modified USB (Universal Serial Bus) memory chip, an integrated circuit (IC) integrated circuit card, or a built-in portable communication device.

(2) Although the present embodiment has been described with PCI as an external device, the present invention is not limited thereto, and the loading method of the dedicated loading program of 0 MB to 1 MB is not limited to the implementation of the DMAC. Morphology (PCT/JP2010/58552 proposed by the inventors). For example, it is also possible to apply the dedicated loader to the boot memory area PCT/JP2009/57962, PCT/JP2010/68346, and Japanese Patent Application No. 2011-235386, which are hereby incorporated by reference.

In the above, an external booting method that is installed in an information processing device having a CPU and that activates the information processing device by an external device such as a USB memory has been disclosed in PCT/JP2009/57962. The method stores the following MBR in the memory means of the external device, and the MBR is used to read and map the load program set by the BIOS of the information processing device to the main memory of the information processing device. The body of the boot memory area (0 MB ~ 1 MB), and includes the start of the information processing device The interrupt vector table in the memory region is a program that positions the stacked regions in a manner that has a predetermined overlapping relationship. Moreover, the loading program is divided into the number set in advance before the MBR is started by the decentralized processing means of the external device, and the mapping information when the split loader loads the boot memory area is established.

For example, description will be made with reference to FIG. 28, which is a diagram for explaining a method of superimposing the stacked region 1203 on the interrupt vector table 1202. The EFLAG, CS, and Instruction Pointer (IP, Instruction Pointer) related to the content of the command before the interruption are written from the Base Pointer (BP, Base Pointer) to the stacking area 1203. Therefore, the position of the stacked region 1203 is set such that the position of the base index BP coincides with the position of the upper bit of the vector 2 of the interrupt vector table 1202 as indicated by the arrow line of the figure. Therefore, the writing of the EFLAG, CS, and IP pairs to the stacked area 1203 writes FLAG to the upper bit of the vector 2 of the interrupt vector table 1202, writes the CS to the lower bit of the vector 1, and writes the upper bit of the vector 1. Enter IP. On the other hand, the vector 1 indicates the address to be the external interrupt target. Therefore, if an interrupt is generated, the CPU 10 refers to the vector 1 and transfers the control to the program written to the address in the vector 1, as the content of the previous command. The EFLAG, CS, and IP are recalled and written to the stacking area 1203. That is, the address information of IP and CS is written to the vector 1 of the interrupt vector table 1202. Vector 1 writes IP to the upper bit and CS to the lower bit. Therefore, specifically, the address becomes IP × 16 + CS.

That is, it is now set to lurk in the BIOS (or during the BIOS boot process) External intrusion) There is malicious software, etc., and the malicious software moves when the BIOS starts, and sets the flag TF of the EFLAGS of the chip group, assuming that the address of the virus body is written in the vector 1 of the interrupt vector table 1202. After the BIOS is booted, typically during the MBR boot process, a command is executed, after which it is assumed that the control of the CPU 10 is encroached by the malicious software (debug interrupt caused by the malicious software). At this time, the control migrates to the address written in the vector 1, and performs the action of the malicious software (copying of the malicious software, data tampering or destruction, etc.). On the other hand, due to the interruption of the malicious software, the information IP, CS indicating the contents of the previous command is written in the vector 1 of the interrupt vector table 1202 in the stack area 1203. Therefore, the address indicating the storage location of the malicious software originally written in the vector 1 is overwritten and deleted. According to this method, once the malicious software is set in the BIOS startup process, the MBR does not operate once after the startup, and the result is that the address of the latent object is lost, thereby suppressing the subsequent action. Next, the load program is mapped to the area in the boot memory area 120 in the RAM 12 excluding the areas 1202, 1203 and the MBR area. The split loader is decentralized (expanded) by the number of splits based on the mapped location information. Furthermore, it is also possible to add an appropriate amount of virtual data to the split loader. Each split load program is synthesized into the original load program after loading the program by, for example, writing the next mapped position information at the final bit position and sequentially referring to the mapped position information. In this case, if the information of the above content is written in the virtual material, the processing at the time of synthesis can be omitted. Loading the program in the above manner, that is, the specialization in the present invention Load it properly to 0 MB~1 MB with the loader.

Further, an external device installed in an information processing device including a CPU and turning on the information processing device described above is described in PCT/JP2010/68346. The external device includes an activation program memory unit that stores an activation program that sets the BIOS of the information processing device in a manner of being written to the activation memory area of the information processing device by the CPU, and includes: a first program, after being written, is executed based on a command from the CPU, and a dummy code corresponding to the number of positioning elements is overwritten into the interrupt vector table to generate a general protection error; and the second A program for setting a normal reset program for performing a normal reset process performed by the generation of the above-described general protection error as an interrupt handler.

For example, FIG. 29 is a diagram for explaining the overwrite processing of the virtual code to the interrupt vector table and the normal reset processing based on the general protection error. First, the meaning of overwriting a virtual code to a predetermined vector, especially vectors 0, 1, and 13 will be described. It can be considered that during the operation of the BIOS, the malicious software that temporarily controls the CPU 10 tampers with the data of the interrupt vector table, and particularly rewrites the data of the vector 1 defining INT1, thereby describing the latent position of the malicious software. Further, it is conceivable to arrange an abnormal program for starting the malicious software in the boot memory area 120 during the operation of the BIOS. Therefore, for the vector 1 of the interrupt vector table, it is necessary to rewrite the content of the possibility of being overwritten, and to suppress the behavior of the malicious software. Moreover, for the vector 13, it is necessary to delete the abnormal program on the boot memory area 120 by overwriting the predetermined data. The interrupt handler that performs the normal reset process is actually started. The process of causing the interrupt processor to be surely started is the process of writing the top address of the interrupt handler area 12031 into the vector 13, and the process of creating a structure that causes a general protection error as described below.

That is, the structure is automatically transferred from the vector 13 to the interrupt handler area 12031 by utilizing the general protection error of the vector 13. That is, (i) the flag DF of the EFLAGS of the chip set is set to 1 to read the write address of the virtual code in reverse order, and (ii) the write address generated in reverse order is lower than the left end of the interrupt vector table 12021. Invalid access to address "0x0000" caused a general protection fault. In addition, in order to perform (ii), the write address must be generated in reverse order from vector 1 to vector 0. Therefore, in order to include the vectors 0, 1, 13 and generate an address for invalid access, the number of bits of the virtual code is the vector of vectors 0, 1, 13 and the amount of at least 1 bit that generates invalid access. can. Furthermore, the presence vector 13 is not continuous with the vectors 1, 0 and the invalid access amount, and the virtual code tends to be clear about the overwrite position of the interrupt vector table. Therefore, as a better aspect, in the present embodiment, a virtual code having a data amount of at least one bit of the vector 13 to 0 and the invalid access is established, and the write address is started from a predetermined vector of the vector 13 or higher. The way in which invalid access is eventually generated is specified in reverse order.

Fig. 29 shows this state, the virtual code has both the number of positioning elements, here 512 bits, and the starting address is set to the 500th bit. Furthermore, the 512-bit data behavior USB memory 2 can utilize a series of actions (REP INS) The amount of data read. That is, if the address is continuously generated in reverse order as indicated by the arrow (A), an invalid access is generated at the 501st access (generated in this embodiment for each address), thereby causing a general protection error. . If a general protection error occurs, the CPU 10 moves to the vector 13 as indicated by the arrow (B). Here, the CPU 10 reads the memory content of the vector 13 and moves to the address of the boot memory region 120 that coincides with the read content, that is, the top address of the interrupt processor region 12031 as indicated by the arrow (C). . Moreover, the CPU 10 executes an interrupt handler to perform a normal reset process. The overwrite processing of the virtual code is performed by the REP INS processing by one command from the CPU 10, and the normal reset processing and the overwrite processing of the virtual code are continuously performed by the interrupt handler, and therefore, the CPU 10 is utilized. The secondary command completes the processing of both, and therefore, during this period, there is no chance that the malicious software is inserted into the CPU 10.

Now, it is set to be lurking in the BIOS (or intrusion from the outside during BIOS startup). There is malicious software. In the BIOS startup process, malicious software actions are assumed. The flag TF of EFLAGS is set, and the vector of the interrupt vector table 12021 is heavy. Write to the situation where there is an address of the malicious software body. After the BIOS is started, typically during the MBR boot process, a command is executed. Thereafter, it is assumed that the control of the CPU 10 is encroached by the malicious software (a debug interrupt caused by malicious software). At this time, the control shifts to the address written in the vector 1, and the action of the malicious software (copying of the malicious software, data tampering or destruction, etc.) is performed. Thereafter, if the control of the CPU 10 is transferred from the BIOS to the MBR, the content of the vector required for the normal reset in the vector of the interrupt vector table is rewritten by the virtual code. In this way, the address information of the malicious software body is deleted substantially. Further, the normal resetting process is also performed on the boot memory area 120 by the general protection error, and the temporarily lurking malicious software itself is also deleted. That is, even if the malicious software performs the setting for the behavior during the BIOS startup process, if the MBR is started, all the information for its behavior is deleted, and as a result, the subsequent behavior is suppressed.

Further, Japanese Patent Application No. 2011-235386 describes an external device including a CPU and a main memory for executing a program executed by the CPU, and writing data required for activation via the controller to The main memory is activated by an information processing device including a controller in the chipset for performing hardware data communication between the main memory and the outside.

The external device includes: a first memory unit that memorizes a load program that is preferentially read out to be part of the main memory by executing the BIOS of the information processing device by using the CPU; The boot memory area specified by the address is included, and includes information indicating the data transmission; the second memory unit memorizes the predetermined control data and the address data, and the control data is transmitted by receiving the above-mentioned data loading program. And instructing to sequentially read the split control data into the boot memory area, and at least include an interrupt vector table and a second load program, wherein the address data is to write the split control data to the boot memory. a data transfer unit that receives an instruction to transmit the data from the one-time load program that is activated after the read-to-memory memory area is activated, and the divided control data is sent from the second memory unit According to the corresponding address data, The controller sequentially reads the main memory; and the hardware interrupt instructing unit receives the end of the data transfer process, and transfers the hardware interrupt instruction signal to the interrupt read into the boot memory area. The vector table is issued with a hardware interrupt to enable the above 2 load programs to start.

For example, FIG. 30 is a brief description of the process of booting. The flow of information at startup and its sequence are indicated by arrows in Figure 30. First, after the power of the information processing device (terminal) 1 is turned on, the CPU 10 activates the BIOS, and the external MBR 1211 is taken in from the USB memory 2 by the processing of the BIOS. If the acquisition of the external MBR 1211 is completed, the processing of the CPU 10 is forwarded to the external MBR 1211, and the main boot record of the external MBR 1211 functions as a single loader. First, the first divided TD data table TD[1] 1212 (arrow line (1) of Fig. 30) is established. Next, the external MBR 1211 performs a start instruction (command) for interrupt transmission to the USB host controller (arrow line (2) of Fig. 30). First, the address data of the first column of the divided TD data table TD[1] is obtained by the USB host controller, and the address data and the virtual data 1213 as the first transmitted divided data are passed through the memory control hub ( MCH; Memory Controller Hub), I/O Control Hub (ICH; I/O Controller Hub) is sent to RAM12 (arrow line (3) of Figure 30) and written to the address (arrow of Figure 30 (4) )). In the following, the divided data can be sequentially taken from the USB memory 2 between the USB host controller and the USB target controller without being controlled by the CPU 10, and the fifth column of the split TD data table TD[1] is obtained by the USB host controller. Address data, the address data and the segmentation TD as the fifth transmitted segmentation data The data table TD[2] is sent to the RAM 12 via the MCH and written to the address "0x40000" outside the boot memory area 120 (arrow line (5) of Fig. 30).

The divided data corresponding to the address data of each column of the divided TD data table TD[2] is sequentially read from the USB memory 2, and expanded in the boot memory area 120. The USB host controller temporarily stores the address data included in the divided TD data table each time the split TD data table TD is transmitted, and sends the address data to the MCH in association with the divided control data transmitted next. The MCH obtains the address data from the transmitted data, and writes the split control data 1215 to the address.

Here, the interrupt vector table 1214 is read and written from the USB memory 2 in correspondence with the address data of the first column of the divided TD data table TD[2] (arrow line (6) of FIG. 30). Moreover, the split TD data table TD[i] (arrow line (7) of FIG. 30) is sequentially expanded, and the divided data corresponding to the address data of the last divided TD data table TD[n] is selected from the USB. When the memory 2 is read in and expanded in the boot memory area 120, the hardware interrupt indication signal is simultaneously transmitted to the interrupt vector table INT "XX" via the MCH (not via the CPU 10) (the arrow line of FIG. 30 (8) )). The CPU 10 receives the hardware interrupt indication signal, and causes the interrupt instruction to jump to the reference address of the split control data (top) 1215 of the split data expansion at the top of the divided specific OS load program (the arrow line of FIG. 30 (9) )), thereby starting the execution of a specific OS loader. By the above processing, all malicious software and the like existing in the boot memory area 120 before the interruption of the transfer are deleted. Furthermore, the specific OS loader (control) in this embodiment The data) is equivalent to the dedicated loader in the present invention.

The loading method of each of the above dedicated load programs is performed from an external device. Moreover, for the boot memory area 120, even if the malicious software is lurking in the BIOS or the MBR, the malicious software can be deleted and the boot memory area 120 can be cleaned up, and the dedicated load can be used. The program (including the table required to load the dedicated loader, etc.) is loaded into the area 120 from the external device. Moreover, after loading the dedicated loader from the external device to the boot memory area 120, the configuration area of the management file loaded by the dedicated loader can be set to the highest or relatively highest (with OS, AP load). The privilege level of the privilege level set in the zone is compared to the case, and the management file is activated and maintained in the cleaned environment.

(3) In the present embodiment, the secure area (privilege level DPL "0") for storing the management file 125 or the like is set to 1 MB to 100 MB, but the present invention is not limited thereto, and is equivalent to the storage management file 125 and The memory capacity of other required management tables and the like may be, for example, a memory capacity of 1 MB to several MB. Further, by setting the area 0 MB to 1 MB as a secure area (privilege level DPL "0"), 0 MB to 100 MB can be handled as a homogeneous security area.

(4) According to the present embodiment, since a safe area is constructed in 0 MB to 100 MB, it is possible to effectively prevent the invasion of a so-called occult virus which is difficult to detect infection. In addition, a specific OS environment is set in the secure area so that specific information processing can be performed, but it can be replaced or not only In order to load anti-virus software for detecting malicious software, monitor the situation from 100 MB to 4 GB.

1‧‧‧ Terminal information processing device

1a‧‧‧埠

2‧‧‧PCI (external device)

3‧‧‧Network

4‧‧‧SP

5‧‧‧Member server

6‧‧‧Transaction target terminal

10, 20‧‧‧ CPU

11, 21‧‧‧ROM

11A, 25‧‧‧ flash ROM

12‧‧‧RAM (main memory)

12A‧‧‧ Hard Disk (HD)

13‧‧‧Operation Department

14‧‧‧Display Department

15, 15a~15n‧‧‧ chipset

22‧‧‧RAM

23‧‧‧Extended BIOS Memory

24‧‧‧DMAC (Dedicated Loader Loader)

26‧‧‧NIC

27‧‧‧I/O interface

101‧‧‧Special loader loading and processing unit

102‧‧‧Dedicated loader processing unit (management file loading processing means)

103‧‧‧Management File Action Environment Establishment Department (Management File Loading) Processing means)

104‧‧‧OS loader loading and processing unit

105‧‧‧OS Loader Processing Department

106‧‧‧OS Operation Monitoring Department

107‧‧‧Information Processing Department

108‧‧‧Network Communication Processing Department

109‧‧‧Action Environment Switching Department

110, 121‧‧‧ system BIOS

120‧‧‧Start memory area

122‧‧‧Extended BIOS

123‧‧‧Special loader

123', 1202, 1214, 12021‧‧‧ interrupt vector table

124‧‧‧ Temporary GDT

124'‧‧‧ interrupt processor

125‧‧‧Management files

126‧‧‧GDT for management

127‧‧‧Administrative IDT

128‧‧‧TSS

129‧‧‧PTE

130‧‧‧Management interrupt processor

131‧‧‧OS loader

132‧‧‧GDT for OS

133‧‧‧IDT for OS

150‧‧‧I/OAPIC

151‧‧‧Regional APIC

152‧‧‧storage group

201‧‧‧Special loader loading and processing unit

202‧‧‧Monitor

203‧‧‧Management File Loading and Processing Department

204‧‧‧OS loader loading and processing unit

205‧‧‧Network Communication Processing Department

211‧‧‧Processing Program Memory

212‧‧‧Member Information Memory Department

213‧‧‧ Benchmark Time Memory

251‧‧‧ dedicated load program memory

252‧‧‧ dedicated load program memory

253‧‧‧Management File Memory Department

254‧‧‧System Table Memory

255‧‧‧OS load program memory

256‧‧‧System BIOS Memory

257‧‧‧Special OS, AP Memory Department

1203‧‧‧Stacked area

1211‧‧‧External MBR

1212‧‧‧Divided TD Data Sheet TD[1]

1213‧‧‧virtual information

1215, 1415‧‧‧ Division control data

1501‧‧Redirection Table

12031‧‧‧Interrupt Processor Area

S1, S3, S5, S7, S11, S13, S15, S17, S19, S31, S33, S35, S37, S39, S41, S43, S45, S47, S49, S51, S53, S55, S61, S63, S65, S67, S69, S101, S103, S105, S107, S109, S111, S113, S115, S117, S119, S131, S133, S137, S139, S151, S153, S155, S157, S159, S171, S173, S175, S177, S179, S181, S183, S185, S201, S203, S205, S207, S211, S223, S225, S227, S229, S231, #1, #3, #5, #7, #9, #11, #21,# 23, #25, #27, #29, #41, #43, #45, #47, #49, #51‧‧‧ steps

[1]~[5], (A)~(C),(1)~(9)‧‧‧ Arrow

BRIEF DESCRIPTION OF THE DRAWINGS Fig. 1 is a schematic view showing an embodiment of a network communication system to which an external device of the present invention is applied.

Fig. 2 is a block diagram showing an example of a hardware configuration of the external device shown in Fig. 1.

Fig. 3 is a block diagram showing an example of a functional unit related to activation of a terminal and an external device.

Fig. 4 is a view showing an example of a memory map of the RAM of the terminal in the real mode in the booting of the dedicated loader.

Fig. 5 is a view showing an example of a memory map of a RAM of a terminal in a protection mode at the time of booting of a dedicated loader.

Fig. 6 is a flow chart showing the flow of the startup process of the system BIOS executed by the CPU of the terminal.

Fig. 7 is a flow chart showing the flow of the POST processing (step S3) of the system BIOS executed by the CPU of the terminal.

Fig. 8 is a flow chart showing the flow of the monitoring process 1 performed by the CPU of the external device.

Fig. 9 is a flow chart showing the flow of the monitoring process II performed by the CPU of the external device.

Figure 10 is a diagram showing the flow of extended BIOS processing performed by the CPU of the terminal Flow chart.

Fig. 11 is an explanatory diagram showing the flow of the monitoring process III performed by the CPU of the external device and the extended BIOS.

Fig. 12 is a flow chart showing a part of the flow of the monitoring process III executed by the CPU on the terminal side.

Fig. 13 is a flow chart showing a part of the flow of the monitoring process III performed by the CPU on the external device side.

Fig. 14 is a memory map in which the management file 125, the management GDT 126, and the management IDT 127 are expanded in an area of 1 MB to 100 MB.

Fig. 15 is a memory map in which the state of the TSS 128, the PTE (Page Table Entry) 129, and the management interrupt processor 130 is established in an area of 1 MB to 100 MB.

Figure 16 is a diagram for copying the contents of 0 MB to 1 MB (essentially from the dedicated loader and the system BIOS reloaded by the external device 2) in an area of 100 MB to 101 MB, and establishing an OS at a predetermined location in the same area. The memory map of the state of the program 131 is loaded.

Fig. 17 is a view showing a memory map in a state in which an OS is loaded in an area of 101 MB or more.

Fig. 18 is a view showing an overall outline of the GDT 126 showing the storage portion of the information.

Fig. 19 is a view showing a memory map of a PTE.

Figure 20 is a diagram showing a conversion method from a linear address to a physical address Figure.

Figure 21 is a diagram showing an example of the relationship between a linear address and a physical address in the protected mode.

Fig. 22 is a flow chart showing the processing of the dedicated loader 123 executed by the CPU of the terminal.

Figure 23 is a flow chart showing the processing of the management file 125 executed by the CPU of the terminal.

Fig. 24 is a view showing the subroutine of the OS load program creation processing of the management file 125 executed by the CPU of the terminal.

Fig. 25 is a flow chart showing the processing of the management file 125 after the OS load program executed by the CPU of the terminal is established.

Fig. 26 is a flow chart showing the processing of the management file 125 after the OS is turned on by the CPU of the terminal.

Fig. 27 is a flow chart showing the switching process of the processing environment executed by the CPU of the terminal.

FIG. 28 is a diagram illustrating a method of superimposing the stacked region 1203 in the interrupt vector table 1202.

Fig. 29 is a view for explaining the overwrite processing of the virtual code pair interrupt vector table and the normal reset processing based on the general protection error.

Figure 30 is a diagram simply illustrating the flow of booting.

1a‧‧‧埠

10‧‧‧CPU

11‧‧‧ROM

11A‧‧‧Flash ROM

12‧‧‧RAM (main memory)

12A‧‧‧ Hard Disk (HD)

13‧‧‧Operation Department

14‧‧‧Display Department

20‧‧‧CPU

21‧‧‧ROM

22‧‧‧RAM

24‧‧‧DMAC (Dedicated Loader Loader)

25‧‧‧Flash ROM

26‧‧‧NIC

27‧‧‧I/O interface

101‧‧‧Special loader loading and processing unit

102‧‧‧Dedicated loader processing unit (management file loading processing means)

103‧‧‧Management file action environment establishment department (management file loading and processing means)

104‧‧‧OS loader loading and processing unit

105‧‧‧OS Loader Processing Department

106‧‧‧OS Operation Monitoring Department

107‧‧‧Information Processing Department

108‧‧‧Network Communication Processing Department

109‧‧‧Action Environment Switching Department

201‧‧‧Special loader loading and processing unit

202‧‧‧Monitor

203‧‧‧Management File Loading and Processing Department

204‧‧‧OS loader loading and processing unit

205‧‧‧Network Communication Processing Department

211‧‧‧Processing Program Memory

212‧‧‧Member Information Memory Department

213‧‧‧ Benchmark Time Memory

Claims (13)

An information processing space management method, comprising: a dedicated load program loading step, which loads a dedicated load program from an external device to a boot memory area of a main memory corresponding to activation of a BIOS; a management file loading step of setting a protection privilege on the first area of one of the main memories, and the dedicated loading program is used to monitor and load the main memory with the first area and a management file for accessing the first area by an OS (Operating System) of a second area having a different memory area, loaded from the external device to the first area; and an access protection information setting step During the period from the loading of the management file to the loading of the OS, the access protection information whose access authority is lower than the protection privilege is set in the second area. The information processing space management method of claim 1, wherein the dedicated loader loading step is to update the dedicated loader to the boot memory area. The information processing space management method of claim 2, wherein the loading of the dedicated loader is mandatory for the entire boot memory area of the main memory. The information processing space management method of claim 1, wherein the first area and the boot memory area are set to have the same protection privilege. For example, the information processing space management method of claim 1 of the patent scope is The boot memory area is 0 MB to 1 MB. The information processing space management method according to the first aspect of the invention, wherein the management file has a GDT (Global Descriptor Table) in which access protection information of each program in the OS is registered, and includes the second region from the second region The program in the OS that accesses the first area refers to the process of issuing the general protection error by referring to the access protection information registered in the GDT. The information processing space management method according to claim 6, wherein the management file includes accessing a program in the OS from the second area to the first area, and issuing the general protection error IDT (Interrupt Descriptor Table) and the process of invalidating the above access by interrupting the processor. For example, the information processing space management method of claim 1 is characterized in that the linear address generated by the GDT is converted into a physical address by using a page table entry (PTE; Page Table Entry), and the PTE system is set to be added. At least the second intra-area address value obtained from the linear address generated by the GDT. The information processing space management method of claim 8, wherein the PTE is configured to access access level attribute information for each of the OS programs, and access to the OS program from the second area via the above The PTE issues a page fault and invalidates the access via the IDT via the interrupt handler. The information processing space management method according to claim 1, wherein the access protection information sets a value of 0 to the first area, a value of 2 to the OS, and an AP operated by the OS. (Application Program) sets the value to 3. The information processing space management method according to any one of claims 1 to 10, wherein after the loading of the OS, a general protection error is issued for accessing the program of the OS from the second area. The invalid access corresponding step of invalidating the above access. An external device for loading a file to a connected information processing device, comprising: a dedicated load program: loaded into a boot memory area of the main memory corresponding to activation of the BIOS a management file that sets a protection privilege on the first area of one of the main memories, and monitors an OS loaded in the second area different from the first area and the boot memory area of the main memory (Operating System) accessing the first area and loading into the first area; and accessing the protection information setting file, which is from the loading of the management file to the loading of the OS In the second area, the access protection information whose access authority is lower than the protection privilege is set. An information processing device having a working memory, that is, a main memory, loads a predetermined file from the connected external device to the main memory, The utility model is characterized in that: a dedicated load program loading unit is configured to load a dedicated load program from the external device to a boot memory area of the main memory in response to activation of the BIOS; and manage file loading processing means And setting a protection privilege to the first area of the main memory, and using the dedicated loading program to monitor the loading into the main memory different from the first area and the boot memory area a management file for accessing the first area by an OS (Operating System) of the second area is loaded from the external device to the first area; and an access protection information setting means is provided from the management file During the period until the loading of the OS, the access protection information whose access authority is lower than the protection privilege is set in the second area.