TW201933165A - Security design apparatus, security design method, and security design program - Google Patents


Publication number: TW201933165A
Authority: TW (Taiwan)
Application number: TW108101124A
Other languages: Chinese (zh)
Inventors: 日夏俊, 清水孝一, 植田武
Original assignee: 日商三菱電機股份有限公司
Prior art keywords: security, processing, model, processes, aforementioned
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by adding security routines or objects to programs


Abstract

In a security design apparatus (10), a security database (22) defines a plurality of security processes to be executed for dealing with respective threats. When an input model (M1) that defines a program processing procedure is inputted, a countermeasure introduction unit (21) selects, from among the plurality of security processes defined by the security database (22), one or more security processes to be introduced, and outputs an output model (M3) that defines the program processing procedure to be performed after the selected security processes have been introduced. If two or more security processes, which have introduced portions overlapping each other and are to be executed for dealing with the same threat, are included in the security processes selected by the countermeasure introduction unit (21), a redundancy inspection unit (23) excludes at least one of the two or more security processes from the processes to be introduced.

Description

Security design apparatus, security design method, and security design program product

The present invention relates to a security design apparatus, a security design method, and a security design program product.

Control systems that control machines are commonly connected to external networks. As such cases increase, cyber attacks on control systems are also likely to increase. Vulnerability reduction and attack detection are therefore required. In addition, a shortage of security design experts has been pointed out. Tools that allow appropriate security functions to be implemented even without specialist knowledge will therefore be needed.

In program development, "model-based development" has been proposed, in which source code is generated automatically from a program model described with block diagrams, models and the like. As a countermeasure against cyber attacks, a technique has been proposed that designs a system's security functions using model-based development so that code including the security functions can be generated automatically.

In Patent Document 1, a technique combining a model-based development system with a threat analysis system is proposed. In that technique, the threat analysis system extracts, for each element of the control models created with the model-based development system, the matching threat data from a threat database, creates a threat list showing the plurality of threats to the control model, and outputs it.

Prior art documents
Patent documents

[Patent Document 1] Japanese Patent Laid-Open No. 2017-068825

Problem to be solved by the invention

With the technique described in Patent Document 1, the position at which a security function should be introduced can be identified at the device level, using the elements of the control model, but it cannot be identified at the processing level. To provide a tool that allows appropriate security functions to be implemented without specialist knowledge, it must be possible to introduce security functions effectively at the processing level.

The object of the present invention is to enable security functions to be introduced effectively at the processing level.

Means for solving the problem

A security design apparatus according to one aspect of the present invention includes:
a countermeasure introduction unit which, when an input model defining the processing procedure of a program is input, refers to a security database defining a plurality of security processes to be executed to deal with respective threats, selects from among the plurality of security processes one or more security processes to be introduced into the processing procedure defined by the input model, and outputs an output model defining the processing procedure of the program after the selected security processes have been introduced; and
a redundancy check unit which, when the security processes selected by the countermeasure introduction unit include two or more security processes whose introduction points in the processing procedure of the program overlap and which are executed to deal with the same threat, excludes at least one of those two or more security processes from the processes to be introduced into the processing procedure defined by the output model.

Effect of the invention

In the present invention, one or more security processes to be introduced are selected from the plurality of security processes defined by the security database. If the selected security processes include two or more whose introduction points at the processing level overlap and which are executed to deal with the same threat, at least one of those two or more security processes is excluded from the processes to be introduced. The present invention therefore makes it possible to introduce security functions effectively at the processing level.

Embodiments of the present invention are described below with reference to the drawings. In the drawings, identical or corresponding parts carry the same reference signs. In the description of the embodiments, explanation of identical or corresponding parts is omitted or abbreviated as appropriate. The present invention is not limited to the embodiments described below, and various modifications may be made as necessary. For example, two or more of the embodiments described below may be combined and implemented together. Alternatively, one embodiment, or a combination of two or more embodiments, may be implemented in part.

Embodiment 1.
This embodiment is described with reference to Figs. 1 to 4.

*** Description of the configuration ***
The configuration of the security design apparatus 10 according to this embodiment is described with reference to Fig. 1.

The security design apparatus 10 is a computer. The security design apparatus 10 includes a processor 11 together with other hardware, namely a memory 12, a communication device 13, an input device 14 and a display 15. The processor 11 is connected to the other hardware through signal lines and controls that hardware.

The security design apparatus 10 includes a countermeasure introduction unit 21, a security database 22 and a redundancy check unit 23. The functions of the countermeasure introduction unit 21 and the redundancy check unit 23 are implemented by software. In this embodiment the security database 22 is built on the memory 12, but it may instead be built on the auxiliary storage device described later, or outside the security design apparatus 10.

The processor 11 is a device that executes the security design program. The security design program is a program that implements the functions of the countermeasure introduction unit 21 and the redundancy check unit 23. The processor 11 is, for example, a CPU. "CPU" is an abbreviation of Central Processing Unit.

The memory 12 is a device that stores the security design program. The memory 12 is, for example, RAM, flash memory or a combination of these. "RAM" is an abbreviation of Random Access Memory.

The communication device 13 includes a receiver that receives data input to the security design program and a transmitter that transmits data output from the security design program. The communication device 13 is, for example, a communication chip or a NIC. "NIC" is an abbreviation of Network Interface Card.

The input device 14 is a device operated by the user to input data to the security design program. The input device 14 is, for example, a mouse, a keyboard, a touch panel, or a combination of some or all of these.

The display 15 is a device that shows the data output from the security design program on a screen. The display 15 is, for example, an LCD. "LCD" is an abbreviation of Liquid Crystal Display.

The security design program is read from the memory 12 into the processor 11 and executed by the processor 11. The memory 12 stores not only the security design program but also an OS. "OS" is an abbreviation of Operating System. The processor 11 executes the security design program while executing the OS. Part or all of the security design program may be incorporated into the OS.

The security design program and the OS may also be stored in an auxiliary storage device. The auxiliary storage device is, for example, an HDD, flash memory or a combination of these. "HDD" is an abbreviation of Hard Disk Drive. When the security design program and the OS are stored in the auxiliary storage device, they are loaded into the memory 12 and executed by the processor 11.

The security design apparatus 10 may include a plurality of processors in place of the processor 11. These processors share the execution of the security design program. Each processor is, for example, a CPU.

Data, information, signal values and variable values used, processed or output by the security design program are stored in the memory 12, in the auxiliary storage device, or in registers or cache memory within the processor 11.

The security design program is a program that causes a computer to execute the processing performed by the countermeasure introduction unit 21 and the redundancy check unit 23 as a countermeasure introduction process and a redundancy check process, respectively. The security design program may be provided recorded on a computer-readable medium, stored on a recording medium, or as a program product. A program product is not limited to a physically visible article; it is anything loaded with a computer-readable program.

The security design apparatus 10 may be formed by one computer or by a plurality of computers. When the security design apparatus 10 is formed by a plurality of computers, the functions of the countermeasure introduction unit 21 and the redundancy check unit 23 may be implemented distributed across those computers.

Fig. 2 shows an example configuration of the security database 22.

The security database 22 is a database that defines a plurality of security processes executed to deal with various threats. The security database 22 is built so as to cover every foreseeable threat. Examples of threats are tampering and eavesdropping. Each security process serves as a countermeasure against a threat and provides a security function. Examples of security functions are tamper detection, encryption and decryption, and authentication. For each security function, the database holds a definition of the threat to be dealt with and of the introduction point at the processing level. That is, for each of the plurality of security processes, the security database 22 defines an introduction point and the threat dealt with by the security process introduced at that point.

Although Fig. 2 shows an example of definitions in natural language, definitions in a form that a program or model can readily interpret are equally applicable.

*** Description of the operation ***
The operation of the security design apparatus 10 according to this embodiment is described with reference to Fig. 3. The operation of the security design apparatus 10 corresponds to the security design method according to this embodiment.

The user can design software using a model without considering security.

In step S101, the input model M1 created by the user is input to the security design apparatus 10.

In step S102, the countermeasure introduction unit 21 stores the input model M1 in the memory 12 as the update model M2. Using the security database 22 as reference, the countermeasure introduction unit 21 adds every security function that can be introduced, at every position, to the update model M2.

In this way, the countermeasure introduction unit 21 automatically introduces security functions into the input model M1 created by the user. A function added by the countermeasure introduction unit 21 is deleted, however, when the check by the redundancy check unit 23 described later judges it to be redundant. In this embodiment, models such as the input model M1 and the update model M2 are models at the level of a processing flow, such as a flowchart.

The security database 22 stores the information used by the countermeasure introduction unit 21 when introducing security functions into the update model M2.

In step S103, the redundancy check unit 23 performs a model check. Specifically, the redundancy check unit 23 confirms whether the update model M2 contains any redundancy.

If in step S104 there is no redundancy, then in step S105 the countermeasure introduction unit 21 outputs the update model M2 as it stands as the output model M3. The process then ends.

If in step S104 there is redundancy, then in step S106 the redundancy check unit 23 deletes one of the redundant security functions. Then, in step S103, the redundancy check unit 23 performs the model check again.

In this way, the redundancy check unit 23 verifies the redundancy of security functions in the update model M2. As the verification method, this embodiment checks, where several security functions are located consecutively at the same place, whether the threats they deal with are duplicated. Other methods may also be used: checking whether the same security function appears more often than necessary within one model, converting the created model into a formal language and verifying redundancy there, or some other method.

The above processing is repeated until it is confirmed that no redundancy remains, and the model in which vulnerability countermeasures have been applied at the processing level is output as the output model M3.

The procedure for adding and deleting security functions in this embodiment is explained using the example of processing model changes shown in Fig. 4.

Here it is assumed that a simple flowchart is created and output as the processing model. The user creates the input model M1 without considering security functions. The input model M1 shown as an example is a model of simple control software for a field device. This input model M1 is a processing model in which the control software, after starting the machine, receives a stop command as input, stops the machine and then ends.

The countermeasure introduction unit 21 compares the input model M1 with the security database 22 of Fig. 2 and introduces every security function that can be introduced. The update model M2 is thereby obtained. The redundancy check unit 23 performs a model check on the update model M2. When the redundancy check unit 23 confirms that there is redundancy, it decides the candidate to delete. The method used here to confirm redundancy is to check, where several security functions are located at the same place, whether the threats they deal with are duplicated.

In the security database 22, the introduction point of each process is specified in the form "after start" or "before input". When functions are introduced into an actual model, two or more functions may end up added at the same place, for instance between start and input in the update model M2, even though their introduction points differ in the security database 22.

In this example, the update model M2 has security process P1 and security process P2 between start and input, security process P3 and security process P4 between input and the branch, and security process P5 and security process P6 between the branch and stop. Security processes P1, P2, P3, P4, P5 and P6 are processes having the functions security 1, security 2, security 3, security 4, security 5 and security 6, respectively.

According to the security database 22 of Fig. 2, the functions serving as countermeasures against threat 3 are security 3, security 4 and security 6. In this example, among the corresponding security processes P3, P4 and P6, security process P3 and security process P4 are consecutive at the same position. One of them is therefore considered unnecessary. The redundancy check unit 23 deletes security process P4 from the update model M2. The output model M3 is thereby obtained.

In this example, when comparing two security functions, the redundancy check unit 23 compares their positions in the security database 22 and deletes the function located lower, but it may instead delete the function located higher. Alternatively, when comparing two security functions, the redundancy check unit 23 may delete the function executed earlier in the update model M2, or the function executed later.

As described above, an input model M1 defining the processing procedure of a program is input to the countermeasure introduction unit 21. When the input model M1 is input, the countermeasure introduction unit 21 refers to the security database 22 and selects, from among the plurality of security processes defined by the security database 22, one or more security processes to be introduced into the processing procedure defined by the input model M1. The countermeasure introduction unit 21 outputs an output model M3 defining the processing procedure of the program after the selected security processes have been introduced. In this embodiment the "program" is a control program for a field device, but it may be any kind of program, such as a control program for in-vehicle equipment.

In this embodiment, the "one or more security processes" are those security processes whose introduction point, as defined by the security database 22, exists in the processing procedure defined by the input model M1. In the example of Fig. 4, the "one or more security processes" are security processes P1, P2, P3, P4, P5 and P6.

The redundancy check unit 23 checks whether the security processes selected by the countermeasure introduction unit 21 include two or more security processes whose introduction points in the processing procedure of the program overlap and which are executed to deal with the same threat. When two or more such security processes are included, the redundancy check unit 23 excludes at least one of them from the processes to be introduced into the processing procedure defined by the output model M3. In this embodiment, the redundancy check unit 23 excludes all but one of the "two or more security processes" as the "at least one security process".

In this embodiment, the "two or more security processes" are security processes that are executed consecutively in the processing procedure of the program and whose threats, as defined by the security database 22, coincide. In the example of Fig. 4, the "two or more security processes" are security process P3 and security process P4, which correspond to threat 3 in the security database 22 of Fig. 2.

In this embodiment, the redundancy check unit 23 decides whether to exclude each of the "two or more security processes" from introduction according to their registered positions in the security database 22. In the example of Fig. 4, of security processes P3 and P4, the redundancy check unit 23 excludes security process P4, which is located lower in the security database 22 of Fig. 2.

Alternatively, the redundancy check unit 23 may decide whether to exclude each of the "two or more security processes" from introduction according to their execution order in the processing procedure of the program. In the example of Fig. 4, the redundancy check unit 23 could exclude security process P4, which is executed after security process P3.

A modification of this embodiment is described with reference to Figs. 5 and 6.

In the security database 22 of Fig. 2 the introduction points are specified narrowly, in the form "after start" and "before stop", but in the security database 22 of Fig. 5 an introduction point can be specified broadly, as with "from after start to before stop" for security 3.

The procedure for adding and deleting security functions in this modification is explained using the example of processing model changes shown in Fig. 6.

As in the example of Fig. 4, when functions are introduced into the input model M1 at every place, the update model M2 of Fig. 6 is obtained. This update model M2 has security processes P1, P2 and P3a between start and input, security processes P3b and P4 between input and the branch, and security processes P3c, P5 and P6 between the branch and stop. Security processes P3a, P3b and P3c are all processes having the function security 3. Security processes P1, P2, P4, P5 and P6 are the same processes as in the example of Fig. 4.

According to the security database 22 of Fig. 5, the countermeasures against threat 3 are security 3, security 4 and security 6. In this modification, among the corresponding security processes P3a, P3b, P3c, P4 and P6, security process P3b and security process P4 are consecutive at the same position. One of them is therefore considered unnecessary. The redundancy check unit 23 deletes security process P4 from the update model M2. Security process P3c and security process P6 are likewise consecutive at the same position. One of them is therefore considered unnecessary. The redundancy check unit 23 deletes security process P6 from the update model M2. The output model M3 of Fig. 6 is thereby obtained.
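The following Python program is an added illustration of the procedure described above (steps S102 to S106 of Fig. 3, the Fig. 4 example, and the broad-introduction-point modification of Figs. 5 and 6); it is not code from the patent or from the assignee. The database rows, the four-step model ("start", "input", "branch", "stop"), the threat labels for security 1, 2 and 5, and the function names are constructed assumptions chosen so that the two worked examples come out as the description states. "Same place" is taken to mean the same gap between two consecutive user steps, so that any two functions in one gap that counter the same threat are redundant regardless of the order in which they were inserted there.

```python
"""Countermeasure introduction followed by iterative redundancy checking.

Added illustration of the procedure of Embodiment 1 (steps S102 to S106)
and of its modification with broad introduction points (Figs. 5 and 6).
Not the patent's own code: the database rows, threat numbers and the
four-step model are constructed to mirror the worked examples.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SecurityFunction:
    """One row of the security database (Fig. 2 / Fig. 5 style)."""
    name: str    # e.g. "security 3"
    threat: str  # threat the function counters, e.g. "threat 3"
    after: str   # introduction point starts after this user step ...
    before: str  # ... and ends before this user step (narrow point: adjacent steps)


# Constructed database mirroring Fig. 2 (narrow introduction points).
# Row order matters: by default the check deletes the function listed lower.
DB_FIG2: List[SecurityFunction] = [
    SecurityFunction("security 1", "threat 1", "start", "input"),
    SecurityFunction("security 2", "threat 2", "start", "input"),
    SecurityFunction("security 3", "threat 3", "input", "branch"),
    SecurityFunction("security 4", "threat 3", "input", "branch"),
    SecurityFunction("security 5", "threat 4", "branch", "stop"),
    SecurityFunction("security 6", "threat 3", "branch", "stop"),
]

# Fig. 5 variant: security 3 gets the broad point "after start ~ before stop".
DB_FIG5: List[SecurityFunction] = [
    SecurityFunction("security 3", "threat 3", "start", "stop")
    if fn.name == "security 3" else fn
    for fn in DB_FIG2
]

# Input model M1: the user's flowchart (constructed; the threats assigned to
# security 1, 2 and 5 are assumptions, not taken from the patent).
MODEL_M1 = ["start", "input", "branch", "stop"]

Gaps = List[List[SecurityFunction]]  # gaps[i] = functions between step i and i+1


def introduce_countermeasures(model: List[str], db: List[SecurityFunction]) -> Gaps:
    """Step S102: at every gap of the model, add every database function
    whose introduction point covers that gap (this yields update model M2)."""
    pos = {step: i for i, step in enumerate(model)}
    gaps: Gaps = []
    for i in range(len(model) - 1):  # gap i lies between model[i] and model[i+1]
        gaps.append([fn for fn in db
                     if fn.after in pos and fn.before in pos
                     and pos[fn.after] <= i < pos[fn.before]])
    return gaps


def find_redundancy(gaps: Gaps, db: List[SecurityFunction],
                    policy: str = "lower_in_db") -> Optional[Tuple[int, SecurityFunction]]:
    """Steps S103/S104: return (gap index, function to delete) for the first
    pair of functions at the same place countering the same threat, or None
    when the model is free of redundancy.  'policy' selects the tie-break:
    delete the function listed lower in the database (the text's default)
    or the one executed later within the gap."""
    rank = {fn.name: i for i, fn in enumerate(db)}
    for gi, fns in enumerate(gaps):
        for ai, a in enumerate(fns):
            for b in fns[ai + 1:]:  # b executes after a within the gap
                if a.threat != b.threat:
                    continue
                if policy == "later_in_model":
                    return gi, b
                return gi, (a if rank[a.name] > rank[b.name] else b)
    return None


def render(model: List[str], gaps: Gaps) -> List[str]:
    """Flatten user steps and inserted functions into one processing sequence."""
    out: List[str] = []
    for i, step in enumerate(model):
        out.append(step)
        if i < len(gaps):
            out.extend(fn.name for fn in gaps[i])
    return out


def design(model: List[str], db: List[SecurityFunction],
           policy: str = "lower_in_db") -> Tuple[List[str], List[Tuple[int, str]]]:
    """The loop of Fig. 3: introduce everything (S102), then delete one
    redundant function per pass (S106) until the check passes (S105).
    Returns the output model M3 and the (gap, function) deletions made."""
    gaps = introduce_countermeasures(model, db)
    deleted: List[Tuple[int, str]] = []
    while True:
        hit = find_redundancy(gaps, db, policy)
        if hit is None:
            break
        gi, fn = hit
        gaps[gi].remove(fn)
        deleted.append((gi, fn.name))
    return render(model, gaps), deleted


if __name__ == "__main__":
    for label, db in (("Fig. 2/4", DB_FIG2), ("Fig. 5/6", DB_FIG5)):
        m3, deleted = design(MODEL_M1, db)
        print(label, "M3 =", m3, "deleted:", deleted)
```

Running the module prints both output models: with the Fig. 2 database only security 4 is deleted, and with the Fig. 5 database security 3 appears in all three gaps and both security 4 and security 6 are deleted, matching the description. The `policy` argument implements the two tie-break rules the text mentions (position in the database, or execution order in the model); deleting one function per pass and re-checking reproduces the S106 to S103 loop rather than pruning everything in one sweep.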

*** Description of the effects of the embodiment ***
In this embodiment, one or more security processes to be introduced are selected from the plurality of security processes defined by the security database 22. If the selected security processes include two or more whose introduction points at the processing level overlap and which are executed to deal with the same threat, at least one of those two or more security processes is excluded from the processes to be introduced. This embodiment therefore makes it possible to introduce security functions effectively at the processing level.

In this embodiment, every security function that can be introduced according to the security database 22 is introduced into the input model M1, and security functions are then deleted repeatedly on the basis of the model check. According to this embodiment, by introducing security functions without first pinpointing the vulnerable points, appropriate security functions can be introduced at appropriate places, without duplication, at the level of the processing flow.

*** Other configurations ***
In this embodiment, the functions of the countermeasure introduction unit 21 and the redundancy check unit 23 are realized by software. As another configuration example, they may be realized by a combination of software and hardware. That is, part of the functions of the countermeasure introduction unit 21 and the redundancy check unit 23 may be realized by dedicated hardware and the remainder by software.

The dedicated hardware is, for example, a single circuit, a composite circuit, a programmed processor, a parallel-programmed processor, a logic IC, a GA, an FPGA, an ASIC, or a combination of some or all of these. "IC" stands for Integrated Circuit. "GA" stands for Gate Array. "FPGA" stands for Field-Programmable Gate Array. "ASIC" stands for Application Specific Integrated Circuit.

The processor 11 and the dedicated hardware are both processing circuitry. That is, whether the functions of the countermeasure introduction unit 21 and the redundancy check unit 23 are realized by software or by a combination of software and hardware, the operations of the countermeasure introduction unit 21 and the redundancy check unit 23 are performed by processing circuitry.

Embodiment 2.
For this embodiment, mainly the differences from Embodiment 1 are described with reference to FIGS. 7 to 9.

*** Description of configuration ***
The configuration of the security design apparatus 10 according to this embodiment is the same as that of Embodiment 1 shown in FIG. 1, so its description is omitted.

FIG. 7 shows a configuration example of the security database 22.

As in Embodiment 1, the security database 22 defines a plurality of security processes executed to counter each threat. In this embodiment, for each security function, in addition to the threat it counters and its introduction point in the processing level, a priority is also defined. That is, in this embodiment the security database 22 defines a priority for at least some of the plurality of security processes.

FIG. 7 shows definitions written in natural language by way of example, but definitions in a form that a program or a model can readily interpret are equally applicable.

*** Description of operation ***
The operation of the security design apparatus 10 according to this embodiment is described with reference to FIG. 8. The operation of the security design apparatus 10 corresponds to the security design method according to this embodiment.

The processing from step S201 to step S205 is the same as steps S101 to S105 of Embodiment 1, so its description is omitted.

If redundancy is found in step S204 and only one security function becomes a deletion candidate in step S206, the redundancy check unit 23 deletes that security function in step S207. Then, in step S203, the redundancy check unit 23 performs the model check again.

If redundancy is found in step S204 and several security functions become deletion candidates in step S206, the redundancy check unit 23 selects in step S208 the deletion candidate with the lower priority. In step S207 the redundancy check unit 23 deletes the selected security function. Then, in step S203, the redundancy check unit 23 performs the model check again.

The above processing is repeated until it is confirmed that no redundancy remains, and the model in which vulnerability countermeasures have been applied at the processing level is output as the output model M3.

The procedure for adding and deleting security functions in this embodiment is described using the processing-model transitions shown in FIG. 9.

Here it is assumed that a model with security introduced is created and output for the same input model M1 as in the example of FIG. 4.

The countermeasure introduction unit 21 compares the input model M1 against the security database 22 of FIG. 7 and introduces every security function that can be introduced. This yields the update model M2. The redundancy check unit 23 performs a model check on the update model M2; if it confirms that redundancy exists, it determines the deletion candidates. As in the example of FIG. 4, redundancy is detected by checking whether, when several security functions are located at the same place, the threats they counter overlap.

In this example, as in FIG. 4, the update model M2 has security processes P1 and P2 between start and input, security processes P3 and P4 between input and branch, and security processes P5 and P6 between branch and stop. Security processes P1, P2, P3, P4, P5 and P6 are processes having the functions of security 1, security 2, security 3, security 4, security 5 and security 6 respectively.

According to the security database 22 of FIG. 7, the functions serving as countermeasures for threat 3 are security 3, security 4 and security 6. In this example, among the corresponding security processes P3, P4 and P6, security processes P3 and P4 are consecutive at the same position, so one of them is considered unnecessary. According to the security database 22 of FIG. 7, the priorities of security 3 and security 4 are "2" and "1" respectively, a smaller number meaning a higher priority, so security process P4 has the higher priority. Therefore, unlike the example of FIG. 4, the redundancy check unit 23 deletes security process P3 from the update model M2. This yields the output model M3.

Thus, when the security database 22 holds several functions that can counter the same threat and those functions are added at the same position in the processing, the example of FIG. 4 keeps the security function listed higher in the security database 22 and deletes the other, whereas this example deletes the security function with the lower priority.

As described above, in this embodiment the redundancy check unit 23 decides whether to exclude each of the "two or more security functions" from introduction according to the priority defined in the security database 22. In the example of FIG. 9, of security processes P3 and P4, the redundancy check unit 23 excludes from introduction security process P3, whose priority in the security database 22 of FIG. 7 is the lower.

*** Effects of the embodiment ***
In this embodiment, every security function that can be introduced according to the security database 22 is introduced into the input model M1, and security functions are then deleted repeatedly with the model check and the priority as criteria. According to this embodiment, security functions are introduced without first identifying the vulnerable points, and the appropriate security functions end up at the appropriate places in the processing flow without duplication.

Embodiment 3.
For this embodiment, mainly the differences from Embodiment 1 are described with reference to FIGS. 10 to 13.

*** Description of configuration ***
The configuration of the security design apparatus 10 according to this embodiment is described with reference to FIG. 10.

In addition to the countermeasure introduction unit 21, the security database 22 and the redundancy check unit 23, the security design apparatus 10 includes an evaluation unit 24. The functions of the countermeasure introduction unit 21, the redundancy check unit 23 and the evaluation unit 24 are realized by software.

FIG. 11 shows a configuration example of the security database 22.

As in Embodiment 1, the security database 22 defines a plurality of security processes executed to counter each threat. In this embodiment, for each security function, in addition to the threat it counters and its introduction point in the processing level, the cost required to introduce the function is also defined. That is, in this embodiment the security database 22 defines a cost for each of the plurality of security processes. Examples of cost are the encryption length and the time required to execute the security function. The security database 22 may hold several kinds of cost definition.

FIG. 11 shows definitions written in natural language by way of example, but definitions in a form that a program or a model can readily interpret are equally applicable.

*** Description of operation ***
The operation of the security design apparatus 10 according to this embodiment is described with reference to FIG. 12. The operation of the security design apparatus 10 corresponds to the security design method according to this embodiment.

In step S300, the evaluation unit 24 sets and defines, according to the user's requirements for the model being designed, such as performance and security, an evaluation value computed from the cost, and registers it in the security database 22. Performance here means the overall processing speed.

The processing from step S301 to step S305 is the same as steps S101 to S105 of Embodiment 1, so its description is omitted.

If redundancy is found in step S304 and only one security function becomes a deletion candidate in step S306, the redundancy check unit 23 deletes that security function in step S307. Then, in step S303, the redundancy check unit 23 performs the model check again.

If redundancy is found in step S304 and several security functions become deletion candidates in step S306, the evaluation unit 24 computes in step S308 an evaluation value for the case in which each candidate is deleted. Specifically, the evaluation unit 24 computes the evaluation value of the model with security functions introduced, taking the cost definitions held in the security database 22 as its basis. Examples of evaluation are checks of performance and of security strength. The evaluation value may be a simple sum or product of the costs, or a value obtained from a function the user defines independently. The redundancy check unit 23 compares the evaluation values of the models computed by the evaluation unit 24 and selects the deletion candidate rated low, that is, in the example of FIG. 13 below, the candidate whose removal leaves the model with the higher evaluation value. In step S307 the redundancy check unit 23 deletes the selected security function. Then, in step S303, the redundancy check unit 23 performs the model check again.

The above processing is repeated until it is confirmed that no redundancy remains, and the model in which vulnerability countermeasures have been applied at the processing level is output as the output model M3.

The procedure for adding and deleting security functions in this embodiment is described using the processing-model transitions shown in FIG. 13.

Here it is assumed that a model with security introduced is created and output for the same input model M1 as in the example of FIG. 4.

The countermeasure introduction unit 21 compares the input model M1 against the security database 22 of FIG. 11 and introduces every security function that can be introduced. This yields the update model M2. The redundancy check unit 23 performs a model check on the update model M2; if it confirms that redundancy exists, it determines the deletion candidates. As in the example of FIG. 4, redundancy is detected by checking whether, when several security functions are located at the same place, the threats they counter overlap.

In this example, as in FIG. 4, the update model M2 has security processes P1 and P2 between start and input, security processes P3 and P4 between input and branch, and security processes P5 and P6 between branch and stop. Security processes P1, P2, P3, P4, P5 and P6 are processes having the functions of security 1, security 2, security 3, security 4, security 5 and security 6 respectively.

According to the security database 22 of FIG. 11, the functions serving as countermeasures for threat 3 are security 3, security 4 and security 6. In this example, among the corresponding security processes P3, P4 and P6, security processes P3 and P4 are consecutive at the same position, so one of them is considered unnecessary. Two resulting models are therefore possible: output model M3a, in which security process P4 is deleted, and output model M3b, in which security process P3 is deleted. When there are several deletion candidates in this way, the evaluation unit 24 computes the user-defined evaluation value for each candidate, and the redundancy check unit 23 adopts the model with the higher evaluation value. If the user-defined evaluation value is the reciprocal of the total cost of the security functions the model contains, with Ci denoting the cost of security i, the evaluation value of output model M3a is 1/(C1+C2+C3+C5+C6) and that of output model M3b is 1/(C1+C2+C4+C5+C6). The function to delete is therefore decided by the relative size of C3 and C4. If C3 < C4, the redundancy check unit 23 deletes security process P4 from the update model M2, giving output model M3a. If C3 > C4, the redundancy check unit 23 deletes security process P3 from the update model M2, giving output model M3b. If C3 = C4, the redundancy check unit 23 may delete either security process P4 or security process P3 from the update model M2. When several candidates give the same evaluation value in this way, the function to delete may be decided by position in the security database 22 as in Embodiment 1, or by priority as in Embodiment 2.

As described above, in this embodiment the redundancy check unit 23 decides whether to exclude each of the "two or more security processes" from introduction according to the cost defined in the security database 22. In the example of FIG. 13, of security processes P3 and P4, the redundancy check unit 23 excludes from introduction the one whose cost in the security database 22 of FIG. 11 gives the lower evaluation value; with the reciprocal-of-total-cost evaluation used above, that is the higher-cost one.
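The redundancy-elimination loop of Embodiments 1 to 3, as an added Python example that is not part of the patent text or the applicant's implementation: the countermeasure introduction unit places every applicable database entry, the redundancy check finds two or more functions at one position that counter one threat, and the function to delete is chosen by database order (Embodiment 1), by priority (Embodiment 2), or by the reciprocal-of-total-cost evaluation with database order breaking ties (Embodiment 3). The database rows, positions, priorities, costs and the dictionary representation of a model are assumptions constructed for the example; they only mirror the figures in that security 3, 4 and 6 all counter threat 3.

```python
"""Added illustration of the redundancy-elimination loop of Embodiments 1 to 3.
Example code, not the patent's own implementation.  The database rows,
positions, priorities and costs below are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SecurityFunction:
    name: str
    threat: str      # threat the function counters
    position: str    # introduction point in the processing level
    priority: int    # Embodiment 2: a smaller number means a higher priority
    cost: float      # Embodiment 3: cost of introducing the function


# Constructed security database 22.  List order stands in for the
# "position in the database" that Embodiment 1 uses as its tie-break.
SECURITY_DB: List[SecurityFunction] = [
    SecurityFunction("security 1", "threat 1", "start->input", 1, 1.0),
    SecurityFunction("security 2", "threat 2", "start->input", 1, 1.0),
    SecurityFunction("security 3", "threat 3", "input->branch", 2, 3.0),
    SecurityFunction("security 4", "threat 3", "input->branch", 1, 2.0),
    SecurityFunction("security 5", "threat 5", "branch->stop", 1, 1.0),
    SecurityFunction("security 6", "threat 3", "branch->stop", 1, 1.0),
]

# The input model M1 reduced to its introduction points, in flow order.
MODEL_POSITIONS = ["start->input", "input->branch", "branch->stop"]

# A model is a mapping: position -> security processes placed there, in order.
Model = Dict[str, List[SecurityFunction]]


def introduce_all(positions: List[str], db: List[SecurityFunction]) -> Model:
    """Countermeasure introduction unit 21: place every applicable database
    entry at every position without looking for vulnerabilities (update model M2)."""
    return {pos: [f for f in db if f.position == pos] for pos in positions}


def find_redundancy(model: Model) -> Optional[List[SecurityFunction]]:
    """Redundancy check unit 23: two or more functions at the same position
    that counter the same threat are redundant; return the first such group."""
    for funcs in model.values():
        by_threat: Dict[str, List[SecurityFunction]] = {}
        for f in funcs:
            by_threat.setdefault(f.threat, []).append(f)
        for group in by_threat.values():
            if len(group) >= 2:
                return group
    return None


def evaluation(model: Model) -> float:
    """Embodiment 3's example evaluation value: reciprocal of the total cost."""
    return 1.0 / sum(f.cost for funcs in model.values() for f in funcs)


def without(model: Model, victim: SecurityFunction) -> Model:
    return {pos: [f for f in funcs if f != victim] for pos, funcs in model.items()}


def choose_victim(model: Model, candidates: List[SecurityFunction],
                  strategy: str, db: List[SecurityFunction]) -> SecurityFunction:
    """Pick the one redundant function to delete in this iteration."""
    db_index = {f: i for i, f in enumerate(db)}
    if strategy == "db_order":   # Embodiment 1: keep the entry listed higher in the DB
        return max(candidates, key=lambda f: db_index[f])
    if strategy == "priority":   # Embodiment 2: delete the lowest priority; DB order breaks ties
        return max(candidates, key=lambda f: (f.priority, db_index[f]))
    if strategy == "cost":       # Embodiment 3: delete the candidate whose removal
        return max(candidates,   # leaves the best-rated model; DB order breaks ties
                   key=lambda f: (evaluation(without(model, f)), db_index[f]))
    raise ValueError(f"unknown strategy {strategy!r}")


def eliminate_redundancy(model: Model, strategy: str,
                         db: List[SecurityFunction] = SECURITY_DB) -> Model:
    """Delete one redundant function, re-run the check, repeat until none remain."""
    model = {pos: list(funcs) for pos, funcs in model.items()}
    candidates = find_redundancy(model)
    while candidates is not None:
        model = without(model, choose_victim(model, candidates, strategy, db))
        candidates = find_redundancy(model)
    return model


def names(model: Model) -> Dict[str, List[str]]:
    return {pos: [f.name for f in funcs] for pos, funcs in model.items()}


if __name__ == "__main__":
    m2 = introduce_all(MODEL_POSITIONS, SECURITY_DB)
    for strategy in ("db_order", "priority", "cost"):
        print(strategy, names(eliminate_redundancy(m2, strategy)))
```

With these constructed rows, `db_order` keeps security 3 at input->branch, while `priority` and `cost` (C3 = 3.0 > C4 = 2.0) keep security 4; security 6 survives under every strategy because it sits at a different position even though it counters the same threat, which is the "same position and same threat" condition the redundancy check applies.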

*** Effects of the embodiment ***
In this embodiment, every security function that can be introduced according to the security database 22 is introduced into the input model M1, and security functions are then deleted repeatedly with the model check and the cost-based model evaluation as criteria. According to this embodiment, security functions can be introduced while the user's requirements in terms of security and performance are taken into account. Security functions are introduced without first identifying the vulnerable points; the presence or absence of vulnerabilities is confirmed by model verification, and because the user's requirements are checked at the same time, the appropriate security functions end up at the appropriate places in the processing flow without duplication.

*** Other configurations ***
In this embodiment, as in Embodiment 1, the functions of the countermeasure introduction unit 21, the redundancy check unit 23 and the evaluation unit 24 are realized by software, but as in the other configuration example of Embodiment 1, they may be realized by a combination of software and hardware.

Embodiment 4.
For this embodiment, mainly the differences from Embodiment 1 are described with reference to FIGS. 14 to 20.

In this embodiment, the processes in the model are grouped according to the information assets the model uses, and security functions matched to the importance of the information assets contained in each group are introduced according to the security DB.
Here an information asset is an element that makes up the model. For a model used in software design, the information assets are the variables, constants, processes, procedures, functions and the like used in the model.
The importance of an information asset is the degree of value that the asset has for the model. Importance may also be a characteristic or attribute such as "security strength", "confidentiality", "integrity", "availability" or "vulnerability", or a characteristic or attribute such as performance (overall processing speed), execution frequency, frequency of resource use (CPU, memory, etc.), duration of resource use, or amount of resource use.

In this embodiment there are a plurality of security DBs, and each security DB holds different security functions and introduction rules according to security strength.
The security DBs 22 are used selectively according to the importance of the information asset to be protected from threats.

*** Description of configuration ***
FIG. 14 shows the configuration of the security design apparatus 10 according to this embodiment.
The security design apparatus 10 of FIG. 14 comprises a processing classification unit 25 in addition to the countermeasure introduction unit 21, security DB 22 and redundancy check unit 23, which are the same as in Embodiment 1.

The processing classification unit 25 receives information asset importance information L1 for the information assets used in the model. The information asset importance information L1 indicates the importance of each information asset used in the model.
The processing classification unit 25 refers to the information asset importance information L1 and groups the processes in the model according to the information assets they use.
The security DB 22 defines security processes matched to the importance of the information assets.
The countermeasure introduction unit 21 selects, from the plurality of security processes, the security processes to introduce for the processing sequence grouped by the processing classification unit 25, and introduces the selected security processes into the grouped processing sequence.

Security DB 22A of FIG. 15 is a specific example of a security DB for information assets of high importance.
Security DB 22B of FIG. 16 is a specific example of a security DB for information assets of low importance.
Security DB 22A, applied to high-importance information assets, mostly contains strong security functions.
Conversely, security DB 22B, applied to low-importance information assets, contains comparatively weak security functions.
The same function may be held in more than one security DB.

The inputs to the processing classification unit 25 are the input model M1 and the information asset importance information L1.
The information asset importance information L1 lists the information assets contained in the input model M1 together with their importance, for example "command A: high importance" and "command B: low importance".
Importance may be classified into several characteristics such as "confidentiality", "integrity" and "availability", with a corresponding security DB prepared for each. Vulnerability information about the model obtained in advance may also be used to judge the importance of the information assets.

The processing classification unit 25 extracts the processes in the input model that use the same information asset and groups them.
Examples of grouping methods are extracting the processes that use the same variable, and tracing along the data flow. The grouped processes are handled in the same way as the model in Embodiment 1 and the others: after being checked against the security DB 22 they are passed to the countermeasure introduction unit 21 and the redundancy check unit 23 downstream.

In this embodiment, however, because security functions matched to the importance of each information asset are introduced, the redundancy that Embodiments 1 to 3 presuppose is expected to be reduced or absent. The redundancy check unit 23 may therefore be left inactive or omitted.

*** Outline of operation ***
The procedure for adding security functions in Embodiment 4 is described using the flowchart of the outline operation of the security design apparatus 10 in FIG. 17.

The user designs software using a model, without considering security.

In step S401, the created input model M1 and the information asset importance information L1 are input to the security design apparatus 10. That is, in addition to the control model under development, the user inputs importance information for the information assets used in the model.

In step S402, the security design apparatus 10 passes the model to the processing classification unit 25. The processing classification unit 25 groups the processes contained in the model according to the information assets they use and outputs the grouped model as the update model M2.

In step S403, the countermeasure introduction unit 21, taking the security DB 22 as its basis, adds at every applicable place the security functions that can be introduced for each group of the update model M2.

Next, in step S404, the redundancy check unit 23 performs a model check to confirm whether the update model M2 contains redundancy.

If in step S405 the update model M2 is judged to have no redundancy, the update model M2 at that point is output as the output model M3, and the processing proceeds to step S406 and ends.

If in step S405 the update model M2 is judged to have redundancy, in step S407 the countermeasure introduction unit 21 deletes one of the redundant security functions in the update model M2, and the model check is performed again.

The security design apparatus 10 repeats the above processing until it confirms that no redundancy remains, and outputs the model to which vulnerability countermeasures have been applied at the processing level.

***根據DB與模型例之動作說明***
使用第18圖所示之根據群組化的模型變化例,說明安全機能的追加順序。
*** Description of operation based on DB and model examples **
Using the example of the group-based model change shown in FIG. 18, the order of adding safety functions will be described.

在此,假設將簡易的流程作為處理模型予以輸入並輸出。
使用者在不考慮安全機能下作成模型M410。其中作為例示顯示之模型M410假設為現場機器的控制軟體,分別從外部接收多個指令,即指令A與指令B,再者對外部傳送各指令後結束之處理模型。但是設定成指令A之重要度為高,指令B之重要度為低。
資訊資產重要度資訊L1為顯示指令A之重要度為高,指令B之重要度為低的資訊。
Here, it is assumed that a simple process is input and output as a processing model.
The user creates the model M410 without considering the safety function. Among them, the model M410 shown as an example is assumed to be the control software of a field machine, which receives a plurality of instructions from the outside, namely, instruction A and instruction B, and then ends the processing model after transmitting each instruction to the outside. However, the importance of instruction A is set to be high, and the importance of instruction B is set to be low.
Information asset importance information L1 is information showing that the importance of instruction A is high and the importance of instruction B is low.

使用者輸入處理模型M410及資訊資產重要度資訊L1。
處理分類部25依據在各處理所使用的資訊資產,將各處理群組化。
在模型M410中由於有使用指令A的處理、及使用指令B之處理,因此可以將各處理分類為2個群組。
The user inputs a processing model M410 and information asset importance information L1.
The processing classification unit 25 groups each processing in accordance with the information assets used in each processing.
The model M410 includes a process using the instruction A and a process using the instruction B. Therefore, each process can be classified into two groups.

如第18圖所示,處理分類部25將模型410分類成所謂使用指令A之群組G421、及使用指令B之群組G422的2個群組,作為模型M420予以輸出。As shown in FIG. 18, the processing classifying unit 25 classifies the model 410 into two groups called a group G421 using a command A and a group G422 using a command B, and outputs it as a model M420.

接著,對策導入部21對於已群組化的模型M420,對照第15圖的安全DB22A及第16圖的安全DB22B,在各群組導入可導入的安全機能。Next, the countermeasure introduction unit 21 introduces a security function that can be imported into each group with respect to the grouped model M420 by referring to the security DB22A of FIG. 15 and the security DB22B of FIG. 16.

對策導入部21在群組G421導入安全DB22A的安全機能,在群組G422導入安全DB22B的安全機能,作為模型M430予以輸出。The countermeasure introduction unit 21 imports the safety function of the safety DB22A into the group G421 and the safety function of the safety DB22B into the group G422, and outputs the safety function as a model M430.

After that, as in Embodiment 1, the model M430 is model-checked as necessary and redundant functions are deleted. After deletion, the model check is run again to confirm whether any redundancy remains.

*** Explanation of the effects of the embodiment ***
According to this embodiment, security functions can be introduced according to the importance of information assets decided by the user.

According to this embodiment, security functions are introduced without identifying specific vulnerabilities; by confirming the presence or absence of vulnerabilities through model verification and at the same time taking the importance of the information assets into account, an appropriate number of security functions can be introduced at appropriate places, without duplication, at the processing level.

*** Other operation explanation ***
In the foregoing example, processes were extracted and grouped according to their use of exactly the same information asset, but other methods of extracting and grouping processes, such as a method based on data flow, are also conceivable.

For example, the model variation by grouping shown in FIG. 19 focuses on the processing content of the information assets. In the input model Ma410, instruction A (importance: high) and instruction B (importance: low) are used as before, but the intermediate process Ma413 adds the instructions together.
The processing classification unit 25 raises the importance of the addition process Ma413, "C = A + B", and of the transmission process Ma414, "transmit instruction C", which follows the addition.

The processing classification unit 25 classifies the model M420 into two groups, group Ga421 and group Ga422, and outputs the result as model Ma420.
In this way, when an operation involving information assets of different importance, or the result of such an operation, is present, it is placed in the group of the high-importance information asset.

Next, as before, the countermeasure introduction unit 21 refers to the security DB 22A of FIG. 15 and the security DB 22B of FIG. 16 and outputs model Ma430, which contains security functions for each information asset.

*** Other operation explanation ***
The model variation by grouping shown in FIG. 20 focuses on how the information assets are used.
In the input model Mb410, instruction A (importance: high) and instruction B (importance: low) are used as before, but the intermediate process Mb413 uses instruction A as the control variable of a branch.

The processing classification unit 25 raises the importance of the branch process Mb413, "instruction A = ?", and of the transmission processes Mb414 and Mb415 that follow the branch.
In this way, when a high-importance information asset is used as a control variable, the subsequent processes executed as a result of it are also included in the high-importance group (group Ga421 of model Mb420).

Next, as before, the countermeasure introduction unit 21 refers to the security DB 22A of FIG. 15 and the security DB 22B of FIG. 16 and outputs model Mb430, which contains security functions for each information asset.

Embodiment 5.
For this embodiment, the differences from Embodiment 4 are mainly described with reference to FIGS. 21 to 25.

In this embodiment, for a model without security functions, the processes in the model are grouped according to the information assets used in the model, and all security functions that can be introduced are introduced into each group according to the security DB.
This embodiment is characterized in that deletion or exchange of security functions is repeated on the basis of model checking and of a cost-based evaluation of the groups within the model.

*** Configuration explanation ***
FIG. 21 is a configuration diagram of the security design device 10 according to this embodiment.
The security design device 10 of FIG. 21 is made up of a group evaluation unit 26 in addition to the countermeasure introduction unit 21, security DB 22, redundancy check unit 23 and processing classification unit 25, which are the same as in Embodiment 4.
The group evaluation unit 26 obtains an evaluation value for the security processes in the grouped processing sequence on the basis of the cost defined by the security DB, and decides, according to that evaluation value, whether to exclude a security process in the grouped processing sequence from the introduction targets.

The security DB 22 is the same as in Embodiment 4; it stores the information used by the countermeasure introduction unit 21 when introducing security into the update model M2.

The security DB 22A of FIG. 22 and the security DB 22B of FIG. 23 are examples of the constituent elements of the security DB 22 of FIG. 21.
The security DB 22A of FIG. 22 is a specific example of a security DB for high-importance information assets.
The security DB 22B of FIG. 23 is a specific example of a security DB for low-importance information assets.
In addition to the same security function introduction rules as in Embodiment 4, the security DB 22A and the security DB 22B also hold the cost C required to introduce each function.
Examples of the cost C are the encryption key length and the time required to execute the security function. One DB may hold several kinds of cost.

The group evaluation unit 26 calculates an evaluation value for each group of a model into which security functions have been introduced, using the cost C held in the security DB 22 as the basis.
Purposes of the evaluation include, for example, performance (overall processing speed), security strength, and consideration of resource limits such as CPU and memory. The evaluation value may be a simple sum or product of the costs, or a function defined by the user.

The group evaluation unit 26 also calculates the evaluation value of the model and confirms whether the model satisfies the user's requirements. If the requirements are not satisfied, the countermeasure introduction unit 21 deletes the security function or exchanges it for another function. Alternatively, a method of presenting a warning to the user is also conceivable.

However, in this embodiment, as in Embodiment 4, security functions are introduced according to the importance of each information asset, so the redundancy presupposed in Embodiments 1 to 3 is expected to be reduced or absent. For this reason, the redundancy check unit 23 may be left inactive or may be unnecessary.

*** Outline operation explanation ***
The procedure for introducing security functions in Embodiment 5 is described using the outline operation flowchart of the security design device 10 in FIG. 24.
First, in step S500, an evaluation criterion for the processing time of security processes is set and defined in advance according to the user's requirements for the model being designed, such as performance (overall processing speed), security strength, or resource limits on CPU and memory.

In step S501, the user performs software design using the model without considering security, and inputs the created input model M1 and the information asset importance information L1 to the security design device 10.

In step S502, within the security design device 10, the input model M1 is input to the processing classification unit 25. The processing classification unit 25 groups the processes contained in the model according to the information assets used, and outputs the grouped model as the update model M2.

In step S503, the countermeasure introduction unit 21, using the security DB 22 as the basis, adds at every applicable place the security functions that can be introduced into the update model M2.

In step S504, the redundancy check unit 23 performs a model check and confirms whether the update model M2 contains redundancy.

If the update model M2 is judged redundant in step S504, then in step S505 the countermeasure introduction unit 21 deletes one of the redundant security functions and the model check is performed again.

If the update model M2 is judged not redundant in step S504, then in step S507 the group evaluation unit 26 calculates the evaluation value of each group of the update model M2 at that point.

If it can be confirmed in step S508 that the evaluation value satisfies the criterion, the countermeasure introduction unit 21 takes the update model M2 at that point as the output model M3, proceeds to step S509, and the processing ends.

If the evaluation value does not satisfy the criterion, then in step S506 the countermeasure introduction unit 21 deletes one security function from the update model M2 at that point, or exchanges it for a security function with a lower cost value, and the redundancy check unit 23 performs the model check again.

The security design device 10 repeats the above processing until it is confirmed that there is no redundancy and that the evaluation value satisfies the criterion, and outputs, at the processing level, a model in which security functions have been applied to each information asset.

*** Operation explanation based on the DB and model examples ***
The procedure for adding security functions in Embodiment 5 is explained using the model variation by grouping shown in FIG. 25.
Here, a simple flow is input as the processing model and then output.
The user creates model M510 without considering security functions. The example model M510 is assumed to be control software for a field device: a processing model that receives two instructions, instruction A and instruction B, from the outside, transmits each instruction to the outside, and then ends.
The importance of instruction A is set to high and that of instruction B to low.

The user first decides an evaluation criterion for instruction A and an evaluation criterion for instruction B.
For example, suppose the processing time of the security processes for each instruction is evaluated.
The user sets the evaluation criterion C_A0 for instruction A and the evaluation criterion C_B0 for instruction B as the criteria for the processing time of the security processes; for real-time reasons, the processing time of the security processes for each instruction must not exceed its criterion.

The user inputs the processing model M510 as the input model M1.
The processing classification unit 25 groups the processes according to the information assets used by each process.
Since model M510 contains processes that use instruction A and processes that use instruction B, the processing classification unit 25 can classify the processes into two groups (group G521 and group G522 of model M520 in FIG. 25).

Next, for the grouped model M520, the countermeasure introduction unit 21 refers to the security DB 22A of FIG. 22 and the security DB 22B of FIG. 23 and introduces the security functions that can be introduced into each group.

The countermeasure introduction unit 21 introduces the security functions of the security DB 22A into group G521 and those of the security DB 22B into group G522, and outputs the result as model M530.

The redundancy check unit 23 performs a model check and confirms whether the update model M2 contains redundancy.
If the update model M2 is judged redundant, the countermeasure introduction unit 21 deletes one of the redundant security functions and the model check is performed again.

If the update model M2 is judged not redundant, the group evaluation unit 26 calculates the evaluation value of each group of the update model M2 at that point.

The group evaluation unit 26 obtains the evaluation values of group G531 and group G532.
For example, by simply adding the cost values, the group evaluation unit 26 obtains the evaluation value C_A = C_1 + C_2 + C_3 for group G531 and the evaluation value C_B = C_1 for group G532.

The group evaluation unit 26 compares the evaluation values with the evaluation criteria and finds C_A > C_A0 and C_B < C_B0.
Because C_A exceeds the criterion C_A0, one of the security functions of group G531 must be cancelled or exchanged for another function.
The group evaluation unit 26 decides which security function to cancel or exchange, and then instructs the countermeasure introduction unit 21.
FIG. 25 shows an example in which the countermeasure introduction unit 21 cancels the tamper detection process M541, thereby satisfying C_A < C_A0, and obtains model M540.

The group evaluation unit 26 may decide which security function to cancel or exchange within a group by using the priority order of the security functions, or by using the size of the security functions' cost values, for instance.
Also, instead of the group evaluation unit 26 deleting or exchanging security functions automatically, it may take the form of presenting the user with a deletion warning or a choice of options.

The above processing is repeated until it is confirmed that the update model M2 has no redundancy and that the evaluation values satisfy the criteria.
Once the group evaluation unit 26 confirms that the evaluation values of all groups satisfy the criteria, the countermeasure introduction unit 21 outputs the update model M2 at that point as the output model M3.
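The grouping, introduction, redundancy check and cost-based group evaluation loop described for models M410 (Embodiment 4) and M510 (Embodiment 5), as an added example that is not part of the patent and not the applicant's code. The security function names, costs, threats and priorities are constructed stand-ins for the security DBs 22A and 22B of FIGS. 22 and 23, and the criteria play the role of C_A0 and C_B0.

```python
"""Embodiment 5 flow on a constructed model M510: group by asset, introduce every
importable function, drop redundant ones, then delete until cost criteria hold."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityFunction:
    name: str
    threat: str    # threat the function handles (used by the redundancy check)
    cost: int      # cost C as held in the security DB (constructed values)
    priority: int  # lower number = more important to keep


# Constructed stand-ins for security DB 22A ("high") and security DB 22B ("low").
# "mac_check" handles the same threat as "tamper_detection" to exercise the
# redundancy check; the cost values are arbitrary and labelled as such.
SECURITY_DB = {
    "high": [
        SecurityFunction("encryption", "eavesdropping", cost=3, priority=1),
        SecurityFunction("authentication", "spoofing", cost=2, priority=2),
        SecurityFunction("tamper_detection", "tampering", cost=4, priority=3),
        SecurityFunction("mac_check", "tampering", cost=2, priority=4),
    ],
    "low": [SecurityFunction("integrity_check", "tampering", cost=1, priority=1)],
}

# Model M510: (process name, information asset it uses), plus importance info L1
# and the user's per-asset processing-time criteria (constructed).
PROCESSES_M510 = [("receive A", "A"), ("receive B", "B"),
                  ("send A", "A"), ("send B", "B")]
IMPORTANCE_L1 = {"A": "high", "B": "low"}
CRITERIA = {"A": 6, "B": 2}   # C_A0 and C_B0


def group_by_asset(processes, importance):
    """Processing classification unit 25: one group per information asset."""
    groups = {}
    for proc, asset in processes:
        g = groups.setdefault(asset, {"processes": [], "functions": [],
                                      "importance": importance[asset]})
        g["processes"].append(proc)
    return groups


def introduce_all(groups):
    """Countermeasure introduction unit 21: add every importable function (S503)."""
    for g in groups.values():
        g["functions"] = list(SECURITY_DB[g["importance"]])
    return groups


def redundancy_check(group):
    """Redundancy check unit 23, simplified: two functions in one group that
    handle the same threat are redundant; drop the lower-priority one (S505).
    Returns the name of the removed function, or None if nothing was redundant."""
    seen = set()
    for f in sorted(group["functions"], key=lambda f: f.priority):
        if f.threat in seen:
            group["functions"].remove(f)
            return f.name
        seen.add(f.threat)
    return None


def evaluate(group):
    """Group evaluation unit 26: simple sum of costs, i.e. C_A = C_1 + C_2 + ..."""
    return sum(f.cost for f in group["functions"])


def remove_one(group):
    """Delete the function with the lowest priority (S506)."""
    victim = max(group["functions"], key=lambda f: f.priority)
    group["functions"].remove(victim)
    return victim.name


def design(processes, importance, criteria, max_rounds=20):
    """Run the S502-S509 loop; returns the final groups and an action log."""
    groups = introduce_all(group_by_asset(processes, importance))
    log = []
    for _ in range(max_rounds):
        removed_any = False
        for asset, g in groups.items():           # S504: model check for redundancy
            removed = redundancy_check(g)
            if removed:
                log.append((asset, "redundant", removed))
                removed_any = True
        if removed_any:
            continue                              # re-check after every deletion
        over = [a for a, g in groups.items() if evaluate(g) > criteria[a]]
        if not over:
            return groups, log                    # S508/S509: all criteria satisfied
        for asset in over:                        # S506: delete one and loop again
            if not groups[asset]["functions"]:
                raise ValueError(f"criterion for {asset} cannot be met")
            log.append((asset, "over_budget", remove_one(groups[asset])))
    raise RuntimeError("did not converge")


if __name__ == "__main__":
    final, actions = design(PROCESSES_M510, IMPORTANCE_L1, CRITERIA)
    for asset, g in final.items():
        print(asset, [f.name for f in g["functions"]], "cost", evaluate(g))
    print(actions)
```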

*** Explanation of the effects of the embodiment ***
According to this embodiment, security functions can be introduced according to the importance of information assets decided by the user.

According to this embodiment, because the group evaluation unit 26 is provided, security functions can be introduced while taking into account the system's performance (overall processing speed), security strength, hardware resource limits, and so on.

*** Other embodiments ***
Part or all of the above embodiments may be combined with other embodiments.
Part or all of the functions of the above embodiments may be realized by software alone, by hardware alone, or by a combination of software and hardware.

10 security design device
11 processor
12 memory
13 communication device
14 input device
15 display
21 countermeasure introduction unit
22 security database
22A security database
22B security database
23 redundancy check unit
24 evaluation unit
25 processing classification unit
26 group evaluation unit
M1 input model
M2 update model
M3 output model
M3a output model
M3b output model
P1 security process
P2 security process
P3 security process
P3a security process
P3b security process
P3c security process
P4 security process
P5 security process
P6 security process

FIG. 1 is a block diagram showing the configuration of the security design device according to Embodiment 1.
FIG. 2 is a table showing a configuration example of the security database of the security design device according to Embodiment 1.
FIG. 3 is a flowchart showing the operation of the security design device according to Embodiment 1.
FIG. 4 is a diagram showing a model example according to Embodiment 1.
FIG. 5 is a table showing a configuration example of the security database of the security design device according to a modification of Embodiment 1.
FIG. 6 is a diagram showing a model example according to a modification of Embodiment 1.
FIG. 7 is a table showing a configuration example of the security database of the security design device according to Embodiment 2.
FIG. 8 is a flowchart showing the operation of the security design device according to Embodiment 2.
FIG. 9 is a diagram showing a model example according to Embodiment 2.
FIG. 10 is a block diagram showing the configuration of the security design device according to Embodiment 3.
FIG. 11 is a table showing a configuration example of the security database of the security design device according to Embodiment 3.
FIG. 12 is a flowchart showing the operation of the security design device according to Embodiment 3.
FIG. 13 is a diagram showing a model example according to Embodiment 3.
FIG. 14 is a block diagram showing the configuration of the security design device according to Embodiment 4.
FIG. 15 is a table showing a configuration example of the security database for high-importance information assets according to Embodiment 4.
FIG. 16 is a table showing a configuration example of the security database for low-importance information assets according to Embodiment 4.
FIG. 17 is a flowchart showing the operation of the security design device according to Embodiment 4.
FIG. 18 is a diagram showing a model variation produced by grouping in the security design device according to Embodiment 4.
FIG. 19 is a diagram showing a model variation produced by grouping in the security design device according to Embodiment 4.
FIG. 20 is a diagram showing a model variation produced by grouping in the security design device according to Embodiment 4.
FIG. 21 is a block diagram showing the configuration of the security design device according to Embodiment 5.
FIG. 22 is a table showing a configuration example of the security database for high-importance information assets according to Embodiment 5.
FIG. 23 is a table showing a configuration example of the security database for low-importance information assets according to Embodiment 5.
FIG. 24 is a flowchart showing the operation of the security design device according to Embodiment 5.
FIG. 25 is a diagram showing a model variation produced by grouping in the security design device according to Embodiment 5.

Claims (11)

1. A security design device comprising: a countermeasure introduction unit which, when an input model defining a processing sequence of a program is input, refers to a security database that defines a plurality of security processes executed to handle respective threats, selects from among the plurality of security processes one or more security processes to be introduced into the processing sequence defined by the input model, and outputs an output model defining the processing sequence of the program after the selected security processes have been introduced; and a redundancy check unit which, when, among the security processes selected by the countermeasure introduction unit, there are two or more security processes whose introduction places in the processing sequence of the program overlap and which are executed to handle the same threat, excludes at least one of those two or more security processes from the targets of introduction into the processing sequence defined by the output model.
2. The security design device according to claim 1, wherein the redundancy check unit excludes, as the at least one security process, all but one of the two or more security processes from the introduction targets.
3. The security design device according to claim 1, wherein the security database defines, for each of the plurality of security processes, an introduction place and the threat handled by the security process introduced at that introduction place; the one or more security processes are security processes whose introduction place defined by the security database exists in the processing sequence defined by the input model; and the two or more security processes are security processes that are executed consecutively in the processing sequence of the program and whose threats defined by the security database coincide.
4. The security design device according to any one of claims 1 to 3, wherein the redundancy check unit decides whether to exclude each of the two or more security processes from the introduction targets according to the registration positions of the two or more security processes in the security database.
5. The security design device according to any one of claims 1 to 3, wherein the security database defines a priority order for at least some of the plurality of security processes, and the redundancy check unit decides whether to exclude each of the two or more security processes from the introduction targets by using the priority order defined by the security database.
6. The security design device according to any one of claims 1 to 3, wherein the security database defines a cost for each of the plurality of security processes, and the redundancy check unit decides whether to exclude each of the two or more security processes from the introduction targets by using the cost defined by the security database.
7. The security design device according to any one of claims 1 to 3, further comprising a processing classification unit that groups the processes in the input model according to the information assets used in the input model, wherein the countermeasure introduction unit selects, from among the plurality of security processes, the security processes to be introduced into the grouped processing sequence, and introduces the selected security processes into the grouped processing sequence.
8. The security design device according to claim 7, wherein the processing classification unit receives importance information on the information assets used in the input model and groups the processes in the input model according to the importance information of the information assets.
9. The security design device according to claim 7, wherein the security database defines a cost for each of the plurality of security processes, and the device further comprises a group evaluation unit that obtains an evaluation value of the security processes in the grouped processing sequence on the basis of the cost defined by the security database and decides, according to the evaluation value, whether to exclude a security process in the grouped processing sequence from the introduction targets.
10. A security design method in which, when an input model defining a processing sequence of a program is input to a countermeasure introduction unit, the countermeasure introduction unit refers to a security database that defines a plurality of security processes executed to handle respective threats, selects from among the plurality of security processes one or more security processes to be introduced into the processing sequence defined by the input model, and outputs an output model defining the processing sequence of the program after the selected security processes have been introduced; and a redundancy check unit, when, among the security processes selected by the countermeasure introduction unit, there are two or more security processes whose introduction places in the processing sequence of the program overlap and which are executed to handle the same threat, excludes at least one of those two or more security processes from the targets of introduction into the processing sequence defined by the output model.
11. A security design program product that causes a computer to execute: countermeasure introduction processing which, when an input model defining a processing sequence of a program is input, refers to a security database that defines a plurality of security processes executed to handle respective threats, selects from among the plurality of security processes one or more security processes to be introduced into the processing sequence defined by the input model, and outputs an output model defining the processing sequence of the program after the selected security processes have been introduced; and redundancy check processing which, when, among the security processes selected by the countermeasure introduction processing, there are two or more security processes whose introduction places in the processing sequence of the program overlap and which are executed to handle the same threat, excludes at least one of those two or more security processes from the targets of introduction into the processing sequence defined by the output model.
TW108101124A 2018-01-17 2019-01-11 Security design apparatus, security design method, and security design program TW201933165A (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
PCT/JP2018/001229 WO2019142267A1 (en) 2018-01-17 2018-01-17 Security design apparatus, security design method, and security design program
PCT/JP2018/001229 2018-01-17
PCT/JP2018/041818 2018-11-12
PCT/JP2018/041818 WO2019142469A1 (en) 2018-01-17 2018-11-12 Security design apparatus, security design method, and security design program

Publications (1)

Publication Number Publication Date
TW201933165A true TW201933165A (en) 2019-08-16

Family

ID=67301618

Family Applications (1)

Application Number Title Priority Date Filing Date
TW108101124A TW201933165A (en) 2018-01-17 2019-01-11 Security design apparatus, security design method, and security design program

Country Status (3)

Country Link
JP (1) JP6632777B2 (en)
TW (1) TW201933165A (en)
WO (2) WO2019142267A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7272940B2 (en) * 2019-12-06 2023-05-12 株式会社日立製作所 Security risk reduction method and system
JP7023439B2 (en) * 2020-02-07 2022-02-21 三菱電機株式会社 Information processing equipment, information processing methods and information processing programs

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS63155329A (en) * 1986-12-19 1988-06-28 Fujitsu Ltd Reducing device for redundant program of task module
JP3092563B2 (en) * 1997-10-27 2000-09-25 日本電気株式会社 State transition diagram converter
US8819637B2 (en) * 2010-06-03 2014-08-26 International Business Machines Corporation Fixing security vulnerability in a source code
JP5845888B2 (en) * 2011-12-26 2016-01-20 日本電気株式会社 Software correction apparatus, software correction system, software correction method, and software correction program
US9098292B1 (en) * 2014-04-29 2015-08-04 The Mathworks, Inc. Automatic generation of an optimized arrangement for a model and optimized code based on the model
JP2017068825A (en) * 2015-09-29 2017-04-06 パナソニックIpマネジメント株式会社 Software development system and program

Also Published As

Publication number Publication date
JPWO2019142469A1 (en) 2020-01-23
WO2019142267A1 (en) 2019-07-25
JP6632777B2 (en) 2020-01-22
WO2019142469A1 (en) 2019-07-25

Similar Documents

Publication Publication Date Title
US11526614B2 (en) Continuous vulnerability management system for blockchain smart contract based digital asset using sandbox and artificial intelligence
US11531773B2 (en) Verification of bitstreams
US9298924B2 (en) Fixing security vulnerability in a source code
JP2009087355A (en) System and method for providing symbolic execution engine for validating web application
CN107426173B (en) File protection method and device
JP6058246B2 (en) Information processing apparatus, information processing method, and program
US10140403B2 (en) Managing model checks of sequential designs
US20220019676A1 (en) Threat analysis and risk assessment for cyber-physical systems based on physical architecture and asset-centric threat modeling
TW201933165A (en) Security design apparatus, security design method, and security design program
US9430595B2 (en) Managing model checks of sequential designs
WO2020137847A1 (en) Attack tree generation device, attack tree generation method, and attack tree generation program
EP3631669B1 (en) Expression evaluation of database statements for restricted data
JP2019021161A (en) Security design assist system and security design assist method
US20220284109A1 (en) Backdoor inspection apparatus, backdoor inspection method, and non-transitory computer readable medium
US20220292201A1 (en) Backdoor inspection apparatus, backdoor inspection method, and non-transitory computer readable medium
Crincoli et al. Vulnerable smart contract detection by means of model checking
JP7008879B2 (en) Information processing equipment, information processing methods and information processing programs
Yuan et al. Secure integrated circuit design via hybrid cloud
JP7292505B1 (en) Attack scenario generation device, attack scenario generation method, and attack scenario generation program
CN113742724B (en) Security mechanism defect detection method of network protocol software
WO2020136793A1 (en) Information processing device, information processing method, and information processing program
Hahanov et al. Malware Searching Methods at FML-Architecture
Murphy Shift Left Early: An Empirical Study of Insecure Coding Patterns in Julia Programs
Yan et al. A Bayesian cognitive approach to quantifying software exploitability based on reachability testing
Yashavant SecSEC: Securing Smart Ethereum Contracts