WO2010109774A1 - Data processing device, computer program therefor, and data processing method - Google Patents
Data processing device, computer program therefor, and data processing method
- Publication number: WO2010109774A1 (application PCT/JP2010/001434)
- Authority: WO (WIPO, PCT)
- Prior art keywords: confidential, normal, information, area, mode
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/74—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
Definitions
- The present invention relates to a data processing device that records confidential information and normal information separately, to a computer program for it, and to a data processing method.
- In a known system, the contents of a file to be disclosed are replaced according to the user's authority, which prevents leakage of confidential information to a low-privileged user. Confidential information and normal business information can therefore be distinguished by performing confidential work as a highly privileged user and routine work as a low-privileged user (see, for example, Patent Document 1).
- The present invention has been made in view of the problems described above, and provides a data processing device that can store confidential information and normal information separately while consuming little HDD space, together with a computer program and a data processing method for it.
- The data processing device of the present invention comprises: mode setting means that sets, as a switchable operation mode, a normal mode for handling normal information and a confidential mode for handling confidential information; a data storage medium that stores data in storage areas of a predetermined unit; area classification means that classifies each storage area as a normal area in which only normal information is stored, a confidential area in which only confidential information is stored, a shared area in which both normal and confidential information are stored, or a free area in which neither is stored; normal storage means that, under the normal mode setting, stores normal information in the designated normal area; normal reading means that, under the normal mode setting, reads normal information from the designated normal area; confidential storage means that, under the confidential mode setting, stores confidential information in the designated confidential area and, when a normal area is designated, redirects the write to a confidential area; map generation means that, for each piece of confidential information so stored, records the redirect relationship between the designated normal area and the confidential area actually used; and confidential reading means that, under the confidential mode setting, reads confidential information from the designated confidential area and, when a normal area is designated, reads from the confidential area recorded in the redirect relationship.
- The computer program of the present invention is a program for a data processing device having a data storage medium that stores data in storage areas of a predetermined unit, and causes the device to perform: mode setting processing that sets the normal mode and the confidential mode as a switchable operation mode; area classification processing that classifies each storage area as a normal area, a confidential area, a shared area or a free area as defined above; normal storage processing and normal read processing under the normal mode setting; confidential storage processing that, under the confidential mode setting, stores confidential information in the designated confidential area and redirects the write to a confidential area when a normal area is designated; map generation processing that records the redirect relationship between the designated normal area and the confidential area used; and confidential read processing that reads confidential information from the designated confidential area and, when a normal area is designated, from the confidential area recorded in the redirect relationship.
- The data processing method of the present invention is a method for a device having such a data storage medium and comprises the corresponding operations: a mode setting operation; an area classification operation into normal, confidential, shared and free areas; a normal storage operation and a normal read operation under the normal mode setting; and a confidential storage operation, a map generation operation and a confidential read operation under the confidential mode setting, each as described for the device above.
- The components of the present invention need only be formed so as to realise their functions. They can be realised as dedicated hardware that provides a predetermined function, as a data processing device in which a predetermined function is provided by a computer program, as a predetermined function realised in the data processing device by a computer program, or as any combination of these.
- A plurality of components may be formed as a single member, a single component may be formed of a plurality of members, one component may be part of another, and a part of one component may overlap with a part of another.
- The order of the plurality of processes and operations can be changed as far as their contents are not hindered.
- The computer program and the data processing method of the present invention are not limited to executing the plurality of processes and operations at individually different times: other processes and operations may occur during the execution of a given process or operation, and the execution of one may overlap in time with the execution of another.
- The data processing device reads a computer program and executes the corresponding processing operations, so it can be implemented as hardware built from general-purpose devices such as a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory) and I/F (Interface) units, as dedicated logic circuits built to execute the predetermined processing operations, or as a combination of these.
- Causing the data processing device to execute the operations corresponding to the computer program also means causing the data processing device to control the operations of the various devices.
- Storing data in the data processing device means that the CPU stores the data in an information storage medium such as an HDD (Hard Disk Drive) fixed to the data processing device, or in an exchangeable medium such as a CD-R (Compact Disc-Recordable) loaded into a CD drive of the device.
- the mode setting means sets the operation mode that can be switched between the normal mode for handling normal information and the confidential mode for handling confidential information.
- the data storage medium stores various data for each storage area of a predetermined unit.
- The area classification means classifies each storage area as at least one of: a normal area in which only normal information is stored, a confidential area in which only confidential information is stored, a shared area in which both normal and confidential information are stored, and a free area in which neither normal nor confidential information is stored.
- the normal storage means stores the normal information in the specified normal area under the normal mode setting.
- the normal reading means reads the normal information from the specified normal area under the normal mode setting.
- Under the confidential mode setting, the confidential storage means stores confidential information in the designated confidential area and, when a normal area is designated, redirects the write to a confidential area.
- the map generation means generates a redirect relationship between the designated normal area and the stored confidential area for each corresponding confidential information.
- Under the confidential mode setting, the confidential reading means reads confidential information from the designated confidential area and, when a normal area is designated, reads from the confidential area recorded in the redirect relationship. Confidential information and normal information are therefore stored separately. Consumption of the storage medium can be reduced further: for example, when the confidential information to be written is identical to the information already held in the corresponding shared or normal area, the redirected write can be omitted.
- the confidential storage means changes the writing location to the corresponding confidential area when the confidential area corresponding to the normal area to be written exists, and newly generates the confidential area when the corresponding confidential area does not exist. Therefore, confidential information and normal information can be distinguished and stored while reducing the consumption of the data storage medium more effectively.
- The data processing device comprises a computer apparatus 100 that operates under program control.
- The computer apparatus 100 includes: mode setting means that sets the normal mode and the confidential mode as a switchable operation mode; an HDD 103, a data storage medium that stores data in clusters, the storage unit of predetermined size; cluster classification means that classifies each cluster as a normal cluster in which only normal information is stored, a confidential cluster in which only confidential information is stored, a shared cluster in which both normal and confidential information are stored, or a free cluster in which neither is stored; normal storage means that, under the normal mode setting, stores normal information in the designated normal cluster; normal reading means that, under the normal mode setting, reads normal information from the designated normal cluster; confidential storage means that, under the confidential mode setting, stores confidential information in the designated confidential cluster and redirects the write to a confidential cluster when a normal cluster is designated; map generation means 106 that records the redirect relationship between the designated normal cluster and the confidential cluster used; and confidential reading means that, under the confidential mode setting, reads confidential information from the designated confidential cluster and, when a normal cluster is designated, from the confidential cluster recorded in the redirect relationship.
- The computer apparatus 100 comprises hardware such as a CPU 101 (central processing unit), a memory 102 (main memory) and the HDD 103 that is the data storage medium, together with an OS (Operating System) 104, various application programs (not shown), IO (Input/Output) redirect means 105, the map generation means 106, deletion means 107, collection means 108, encryption means 109 and the like.
- The mode setting means, the cluster classification means, the normal storage means, the normal reading means, the confidential storage means and the confidential reading means are integrated in the IO redirect means 105.
- Such logical functions are realised by hardware such as the CPU 101 executing the operations corresponding to software such as the OS and the application programs.
- the components of the computer apparatus 100 as described above generally function as follows.
- The CPU 101 controls each device inside and outside the computer and processes information: it executes programs stored in the memory, receives information from input devices and storage devices, processes it, and outputs the result to output devices or storage devices.
- A microprocessor or an IC (Integrated Circuit) with equivalent functions is one example of the CPU 101, but the CPU 101 is not limited to these.
- the memory 102 is a semiconductor storage device such as a RAM (Random Access Memory), a ROM (Read Only Memory), or a flash memory that can be directly read and written by the CPU.
- the memory 102 indicates a main storage device (main memory). However, actually, it is not limited to these examples.
- The HDD 103 is an auxiliary storage device that stores information and programs inside and outside the computer; here it denotes an external storage device (storage).
- Such a storage device may also be a flash memory drive such as an SSD (Solid State Drive).
- The HDD 103 is not limited to a storage device built into the computer apparatus 100; it may be a storage device in a peripheral (an external HDD or the like) or in an external server (a storage server or the like), and is not limited to these examples either.
- The HDD 103 records information in units called sectors, which on a typical HDD are 512 bytes.
- A cluster is a set of several sectors, and the OS reads and writes information in units of clusters, which are the storage areas used here.
- The following describes processing in units of clusters.
- Confidential information and normal information can be recorded separately in the same way in units of sectors.
- the IO redirect unit 105 hooks the writing of the OS or an application program operating inside the OS to the HDD 103 and redirects it to a free area of the HDD 103 to distinguish and record confidential information. Also, the read is hooked, the confidential information is read from the redirect destination, and the confidential information is passed to the OS.
- the cluster of the HDD 103 has four states.
- An empty state in which the cluster is an empty area is a state in which no information is recorded.
- the shared state in which the cluster is a shared area is a state that is read in both the confidential mode and the normal mode.
- the normal state where the cluster is a normal area is a state that is read only in the normal mode.
- the confidential state in which the cluster is a confidential area is a state that is read only in the confidential mode.
- The map generation means 106 generates a map that records the state of each cluster of the HDD 103 and where the IO redirect means 105 has redirected confidential information. In response to an inquiry from the IO redirect means 105 it consults the map and returns the cluster state and the redirect destination.
- The deletion means 107 obtains all redirect destinations by inquiring of the map generation means 106 and overwrites them with random numbers; in other words, it deletes all confidential information by overwriting it with random data.
- The collection means 108 operates in the confidential mode. It compares the set of files at a certain time, for example the start of a project, with the current files, and writes the files updated or newly created during operation in the confidential mode, that is, the confidential information, to an external storage medium such as a CD-ROM or USB memory, or to another computer such as a file server.
- The encryption means 109 receives confidential information from the IO redirect means 105, encrypts it, and returns the encrypted confidential information to the IO redirect means 105.
- The map generation means 106 reads the cluster usage information of the file system on the HDD 103 to generate the initial map. Thereafter, as described below, a cluster changes to the confidential state or the normal state when it is written in the confidential mode or the normal mode.
- In the confidential mode, when the OS or an application program writes to a cluster in the normal state, the write is redirected to a cluster in the confidential state, and when a normal cluster is read, the read is redirected to the confidential cluster. Through this operation confidential information is always recorded in clusters in the confidential state.
- Writing in the confidential mode proceeds as follows. The IO redirect means 105 inquires of the map generation means 106 about the state of the write target cluster specified by the OS or application program; the map generation means 106 obtains the state from the map shown in FIG. 4 and returns it to the IO redirect means 105 (S4). The IO redirect means 105 then branches on that state (S5).
- Normal state (or shared state) with no redirect destination: the IO redirect means 105 instructs the map generation means 106 to create a cluster in the confidential state. The map generation means 106 selects one free cluster from the map and changes it to the confidential state, changes the state of the write target cluster to the normal state, records the redirect relationship, and returns the location of the new confidential cluster to the IO redirect means 105, which writes the information to that confidential cluster (S6).
- Normal state with an existing redirect destination: the IO redirect means 105 inquires of the map generation means 106 about the redirect destination, the map generation means 106 reads the location of the redirect destination cluster from the map and returns it, and the IO redirect means 105 writes to that redirect destination cluster (S7).
- Empty state: the IO redirect means 105 writes to the target cluster without redirection and instructs the map generation means 106 to change the target cluster to the confidential state, which the map generation means 106 does (S8).
- Confidential state, that is, a cluster to which confidential information was already written in step S8: the IO redirect means 105 writes to the target cluster without redirection (S9).
- Reading in the confidential mode proceeds in the same way: the IO redirect means 105 obtains the state of the read target cluster specified by the OS or application program (S4) and branches on it (S5).
- Normal state with a redirect destination: the IO redirect means 105 inquires of the map generation means 106 about the location of the confidential cluster at the redirect destination, the map generation means 106 obtains from the map the confidential cluster corresponding to the normal cluster and returns it, and the IO redirect means 105 reads the information from that confidential cluster and passes it to the OS (S10).
- Any other state: the IO redirect means 105 reads the information recorded in the read target cluster without redirection and returns it to the OS (S11).
- Writing in the normal mode starts, as in step S4, with an inquiry about the state of the write target cluster (S13), which is then examined (S14). If the write target cluster is in the shared state, writing to it directly would also change what the confidential mode sees, because the cluster is read in both modes, and the confidential-mode file system would be damaged. The shared state is therefore released before writing: the map generation means 106 creates a confidential cluster as in step S6, and the IO redirect means 105 copies the contents of the shared write target cluster into that confidential cluster (S15). Having released the shared state, the IO redirect means 105 writes the information to the write target cluster designated by the OS or application program without redirection (S16).
- If the write target cluster is in the normal state or the empty state, the IO redirect means 105 writes without redirection; if it was empty, the map generation means 106 changes its state to the normal state (S17).
- Reading in the normal mode: the IO redirect means 105 reads the information from the read target cluster designated by the OS or application program and returns it to the OS or application program (S18).
- By redirecting the read and write target clusters in this way, the IO redirect means 105 records confidential information separately from normal information.
- The IO redirect means 105 may additionally perform the following operations to reduce the consumption of the HDD 103.
- In step S6 the IO redirect means 105 redirects the write, generates a confidential cluster and records the information there. When the data being written is identical to what the target cluster already holds, however, the redirection can be omitted: the IO redirect means 105 reads the contents of the write target cluster from the HDD 103 and compares them with the information to be written. If they differ, redirection is performed as in step S6. If they are the same, the data is written to the write target cluster without redirection; and since writing identical information does not change what is recorded on the HDD 103, the actual write may also be skipped and success reported to the OS.
- In step S7 the IO redirect means 105 writes to the confidential cluster at the redirect destination. If the information to be written is identical to the contents of the normal cluster that is the redirect source, redirecting the write would leave the same information in both the normal cluster and the confidential cluster and waste space on the HDD 103, so the confidential cluster may instead be released: the IO redirect means 105 reads the contents of the redirect source normal cluster and compares them with the information to be written. If they are the same, it instructs the map generation means 106 to change the redirect source cluster from the normal state to the shared state and the redirect destination cluster from the confidential state to the empty state, and the map generation means 106 makes both changes. If they differ, the redirect operation of step S7 is performed as described above. This avoids holding duplicate data in a normal cluster and a confidential cluster and further reduces the consumption of the HDD 103.
- The IO redirect means 105 may also release clusters in the confidential state or the normal state by the following operation, further reducing the consumption of the HDD 103.
- The file system keeps a file table that records in which clusters of the HDD 103 each file's information is written. A file is deleted by rewriting its entry in the file table and marking it as deleted, which makes the file invisible to the OS and application programs.
- By monitoring changes to the file table, the IO redirect means 105 detects the deletion of a file and also deletes, from the map held by the map generation means 106, the redirect relationships of the clusters in which the deleted file was recorded, so that those clusters can be reused.
- The IO redirect means 105 of this embodiment also performs the following processing so that the OS and application programs do not write to confidential clusters while in the normal mode.
- Suppose, for example, that cluster No. 5 is in the confidential state and that, in the normal mode, the OS tries to write data to cluster No. 5. The information written in cluster No. 5 would then be lost from the confidential mode, which must be prevented.
- To this end, whenever a confidential cluster is generated in step S6 or S15, and whenever the file system's cluster usage information changes during use, the IO redirect means 105 updates the normal-mode file system's cluster usage information accordingly, and in step S16 it reflects the normal-mode cluster usage information in the confidential-mode cluster usage information, so that the OS does not write to the other mode's clusters.
- Which clusters of the HDD 103 are in use is recorded in a special file called $BITMAP, and the IO redirect means 105 detects changes to the $BITMAP file by monitoring write commands.
- While monitoring the cluster usage information of the file system, the IO redirect means 105 determines whether a cluster that has been changed to unused is in the shared state; if it is, the IO redirect means 105 marks it as in use again, since the cluster is still read in the other mode.
- In step S14 it is also checked whether the write target is in the confidential state. If it is, the information of the confidential cluster is copied to a free cluster by the same procedure as in step S15, and only then is the information written to the write target cluster. Because the confidential cluster's contents were copied, no information is lost.
- A cluster in the normal state that has no redirect destination, that is, a cluster that was found to be free in step S14 and changed from the free state to the normal state by a normal-mode write, appears to have nothing recorded in it from the confidential mode and may therefore be chosen as a write target there. When such a write is performed in the confidential mode, it is first checked in step S7 whether the normal cluster has a redirect destination; if it does not, the IO redirect means 105 performs the operation of step S6 instead of step S7, newly generates a redirect destination confidential cluster, and redirects the information to it.
- When confidential information is to be deleted, the deletion means 107 inquires of the map generation means 106 about the locations of all confidential clusters, the map generation means 106 consults the map and returns them, and the deletion means 107 overwrites all confidential clusters with random numbers, deleting the confidential information.
- Because the confidential-mode write operation (steps S6 to S9) ensures that everything written in the confidential mode lands in confidential clusters, deleting the confidential clusters guarantees the deletion of all confidential information.
- The confidential information deletion instruction may come from the user, or an administrator of the organisation or the like may issue it to the deletion means 107 over the network.
- The deletion means 107 may also communicate periodically with a specific server and delete the confidential information when communication has been impossible for a certain period. With this operation confidential information is deleted even when, for example, the computer is stolen, so that no information leakage occurs.
- The collection means 108 scans the HDD 103 at a specific time, for example when the system starts operation or when a certain project starts, and, as shown in the figure, creates a list (the initial file list) recording the file name and update date and time of every file.
- When the collection means 108 receives an instruction to collect confidential information, the system is started in the confidential mode and, in the same way as for the initial file list, a list of the file names and update dates and times of all files (the updated file list) is created.
- By comparing the two lists the collection means 108 identifies the files updated or newly created in the confidential mode, that is, the files in which confidential information is recorded: for files present in both the initial file list and the updated file list it compares the update dates and times and adds those that differ to the collection target list, and it adds files that are absent from the initial file list but present in the updated file list to the collection target list.
- The collection means 108 then reads the files in the collection target list from the HDD 103 and copies them to the external storage medium, or uploads them over a network to a NAS or file server.
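The list comparison performed by the collection means 108, as an added example that is not part of the patent. The function and constant names are this example's own, and the file names and update times in `INITIAL_LIST` and `UPDATED_LIST` are constructed; `snapshot` builds the same kind of list from a real directory tree.

```python
import os
from typing import Dict, List


def snapshot(root: str) -> Dict[str, float]:
    """File name -> update time for every file under root (the patent's file list)."""
    listing: Dict[str, float] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            listing[os.path.relpath(path, root)] = os.stat(path).st_mtime
    return listing


def collection_targets(initial: Dict[str, float], updated: Dict[str, float]) -> List[str]:
    """Collection target list: files present only in the updated list, or present in
    both lists with a different update time. Files deleted since the initial list
    are absent from the updated list and are therefore not collected."""
    return sorted(name for name, mtime in updated.items()
                  if name not in initial or initial[name] != mtime)


# Constructed sample lists (not taken from the patent): budget.xls was modified and
# design.txt created while working in the confidential mode; old.txt was deleted.
INITIAL_LIST = {"docs/plan.txt": 1000.0, "docs/budget.xls": 1010.0,
                "docs/old.txt": 950.0, "bin/app.exe": 900.0}
UPDATED_LIST = {"docs/plan.txt": 1000.0, "docs/budget.xls": 1250.0,
                "docs/design.txt": 1300.0, "bin/app.exe": 900.0}


def demo() -> List[str]:
    return collection_targets(INITIAL_LIST, UPDATED_LIST)
```

Note that a comparison by update time only sees files whose timestamp changed: content rewritten with the original timestamp restored, or a file created and deleted again between the two snapshots, is not on the collection target list. Against a real directory, `collection_targets(snapshot(root_at_start), snapshot(root_now))` performs the same comparison.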
- when the encryption unit 109 receives plaintext information from the IO redirect unit 105, it encrypts it with the encryption key it holds and returns the ciphertext to the IO redirect unit 105. When it receives encrypted information, it decrypts it and returns the plaintext to the IO redirect unit 105.
- when writing in the confidential mode, that is, in steps S6, S7, S8 and S9, the IO redirect unit 105 passes the plaintext information to the encryption unit 109 and writes the encrypted information to the HDD 103.
- encrypted information read from the HDD 103 is passed to the encryption unit 109 for decryption, and the plaintext is passed to the OS.
- in this way the confidential information on the HDD 103 is kept encrypted: the IO redirect unit 105 calls the encryption unit 109 whenever it accesses the HDD 103 in the confidential mode.
- encryption is limited to the confidential information. Information in clusters in the shared state, for example the executable files of the OS or of application programs, is not encrypted, so the execution speed of the OS and application programs does not decrease.
- encryption is one way of preventing confidential information from being handled in the normal mode.
- alternatively, the IO redirect unit 105 may block access to clusters in the confidential state.
- when the IO redirect unit 105 hooks a read command while operating in the normal mode, it asks the map generation unit 106 for the state of the cluster to be read. If the cluster is in the confidential state, the IO redirect unit 105 returns a read failure error to the OS. Instead of an error, dummy information, for example all zeros, may be returned.
- FIG. 6 is a block diagram showing a second embodiment. As shown in FIG. 6, it differs from the first embodiment in that it includes a NIC 110 and a network control unit 111.
- components that are the same as in the first embodiment are denoted by the same reference numerals and are not described again.
- the NIC 110 is a communication device that transmits information to and receives information from the outside over a communication line (network).
- the network control unit 111 asks the IO redirect unit 105 which mode is active, hooks the network communication issued by the OS or application programs, and permits access to a specific server only in the confidential mode.
- the operation of the network control unit 111 is described in detail below.
- the network control unit 111 holds the address of the file server internally.
- the network control unit 111 asks the IO redirect unit 105 which mode it is operating in.
- in the normal mode, the network control unit 111 monitors the network communication of the OS and application programs and checks whether the destination equals the stored server address. If it does, the network control unit 111 blocks the communication; otherwise it allows it.
- in the confidential mode, the network control unit 111 likewise monitors the communication and checks whether the destination equals the stored address. If it does, the communication is permitted; otherwise it is blocked.
- the OS and application programs can therefore reach the file server only while operating in the confidential mode, so all information downloaded from the file server is stored in clusters in the confidential state.
- the deletion unit 107 can thus guarantee that all information downloaded from the file server is deleted.
- likewise, the collection unit 108 can collect all information downloaded from the file server.
- the second embodiment therefore ensures that all confidential information downloaded from the server is deleted or collected.
- in the above, the network control unit 111 decides whether communication is allowed from the stored server address alone. In addition to the server address, it may also record directory names and file names and use them in the decision.
- the data processing apparatus 100 in FIG. 1 is a general-purpose computer including hardware such as a CPU 101, a memory 102, an HDD 103, a mouse, a keyboard and a display.
- the IO redirect unit 105 and the map generation unit 106 can be implemented as OS drivers, for example.
- the IO redirect unit 105 displays a dialog asking the user whether to operate in the normal mode or the confidential mode.
- user authentication, for example by entering an ID and a password, may be performed at this point.
- the IO redirect unit 105 hooks the read and write instructions of the OS and application programs. In Windows, for example, this is done by hooking the IRP (IO request packet) in a volume filter driver placed between the NTFS driver and the disk driver.
- the IO redirect unit 105 asks the map generation unit 106 for the state of the cluster to be written. In Windows, for example, if the major function code of the IRP is IRP_MJ_WRITE, the IO redirect unit 105 can determine that it is a write instruction, and the location of the target cluster can be obtained from the parameters in the IRP.
- the map generation unit 106 creates the map shown in FIG. 4. For example, when the map generation unit 106 starts for the first time, it may reserve in the free area of the HDD 103 a region large enough to record the state of every cluster of the HDD 103 and use that region as the map.
- for example, if 2 bytes are used to store the state of each cluster and the HDD 103 has 1000 clusters, an area of 2000 bytes may be reserved; to look up the state of cluster No. 123, the 2 bytes at offset 123 * 2 are read.
- at first startup, the map generation unit 106 refers to the $Bitmap file, which records whether each cluster is in use, and records the free state on the map for every cluster that is unused. If the file system is FAT, for example, whether each cluster is in use is determined by referring to the directory entries, and the same processing is performed.
- when a write to cluster No. 1 is hooked in the confidential mode and cluster No. 1 has no redirect destination yet, the map generation unit 106 changes cluster No. 4, which is in the free state, to the confidential state.
- the map generation unit 106 records cluster No. 4 on the map as the redirect destination of cluster No. 1.
- the IO redirect unit 105 rewrites the target cluster of the write command from No. 1 to No. 4.
- in Windows, for example, the write position in the IRP is changed to cluster No. 4 and the changed IRP is passed to the lower-level disk driver, so the information is written to cluster No. 4, which was free.
- the following optimization may also be performed. The IO redirect unit 105 issues a read IRP for cluster No. 1 and compares the information recorded there with the write information contained in the IRP issued by the OS. If they are the same, no confidential cluster is created: the information may be written to cluster No. 1 as it is, or a write success may simply be returned to the OS without writing anything.
- when a write to cluster No. 2 is hooked in the confidential mode, the IO redirect unit 105 asks the map generation unit 106 for the redirect destination, and the map generation unit 106 returns No. 3, the confidential cluster already associated with No. 2. The IO redirect unit 105 then rewrites the target cluster of the write command from No. 2 to No. 3.
- here too, the IO redirect unit 105 may first read the information of the redirect source, cluster No. 2, by issuing a read IRP.
- if the information read is the same as the information to be written, the map generation unit 106 changes cluster No. 3 to the free state and rewrites the state of cluster No. 2 to the shared state, so the confidential copy is released. If the information differs, the IO redirect unit 105 redirects the write to cluster No. 3 as described above.
- when the cluster to be written in the confidential mode is in the free state, for example cluster No. 4, the map generation unit 106 changes its state to the confidential state, and the IO redirect unit 105 writes the information to cluster No. 4 without redirection.
- when a read of cluster No. 2 is hooked in the confidential mode, the IO redirect unit 105 asks the map generation unit 106 for the redirect destination and changes the cluster number in the read command so that the information is read from cluster No. 3.
- when the cluster to be read is in the shared state or the confidential state, for example cluster No. 1 or cluster No. 5 in FIG. 4, no redirection is performed.
- in that case the hooked IRP is passed unchanged to the lower-layer disk driver.
- when a write to cluster No. 1 is hooked in the normal mode and cluster No. 1 has no redirect destination, the map generation unit 106 changes cluster No. 4 from the free state to the confidential state and sets No. 4 as the redirect destination of cluster No. 1.
- the IO redirect unit 105 issues a read IRP for cluster No. 1 to read the information recorded there and a write IRP for cluster No. 4, so that the information of cluster No. 1 is copied to cluster No. 4 before it is overwritten. The confidential view thus keeps seeing the old contents.
- the normal-mode write itself is not redirected. In Windows, for example, the hooked IRP is passed unchanged to the lower-layer disk driver.
- in the other normal-mode cases, the IO redirect unit 105 likewise passes the hooked IRP to the lower disk driver without changing it.
- the IO redirect unit 105 may release clusters in the confidential state or the normal state when a file is deleted, by the following operation.
- the IO redirect unit 105 detects the deletion of a file by monitoring the MFT (master file table) in NTFS or, if FAT is used, the directory entries.
- the IO redirect unit 105 obtains the locations of the clusters in which the file's information is recorded by referring to the MFT in NTFS or the file allocation table in FAT, for example.
- for a file deleted in the confidential mode that occupied cluster No. 2, whose redirect destination is cluster No. 3, the IO redirect unit 105 instructs the map generation unit 106 to change cluster No. 3 to the free state and to remove the redirect destination of cluster No. 2.
- if the deleted file occupied cluster No. 5, which is in the confidential state, the IO redirect unit 105 instructs the map generation unit 106 to change cluster No. 5 to the free state.
- for a file deleted in the normal mode that occupied cluster No. 2, the IO redirect unit 105 copies the data recorded in the redirect destination, cluster No. 3, back to cluster No. 2. It then instructs the map generation unit 106 to change cluster No. 3 to the free state and cluster No. 2 to the confidential state.
- if the deleted file occupied cluster No. 6, which is in the normal state, the IO redirect unit 105 instructs the map generation unit 106 to change cluster No. 6 to the free state.
- the deletion unit 107 receives the cluster numbers of the confidential clusters from the map generation unit 106 and overwrites those clusters. If the deletion unit 107 is implemented as a Windows driver, for example, it does so by issuing write commands to the device driver.
- for example, the map generation unit 106 notifies the deletion unit 107 of cluster No. 3 and cluster No. 5, and the deletion unit 107 issues write IRPs for those two clusters.
- the information written may be random numbers or zeros. To erase the information on the HDD 103 more thoroughly, the overwrite may be performed several times. Overwriting by cluster number only erases data on media that write in place; flash-based storage with wear levelling may keep the old copy at a different physical location, which is another reason to keep the confidential clusters encrypted.
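The cluster-state map and the read/write/delete decisions described above, as an added simulation that is not code from the patent. It models the map kept by the map generation unit 106 (a state plus a redirect destination per cluster) and the decisions of the IO redirect unit 105 in both modes, plus the overwrite done by the deletion unit 107. Assumptions of the example that the text does not state: clusters are numbered from 0, clusters reported in use at first startup begin in the shared state, a normal-mode write to a confidential cluster relocates the confidential data instead of failing, and a wiped cluster is returned to the free state.

```python
"""Cluster map and IO redirect decisions, simulated on an in-memory disk.

Added illustration, not the patent's code. States and redirects form the
map of the map generation unit; the methods are the IO redirect unit's
hooks. Assumptions: 0-based cluster numbers, in-use clusters start shared,
normal-mode writes to confidential clusters relocate the confidential data,
and wiped clusters become free.
"""
import os

FREE, NORMAL, SHARED, CONF = "free", "normal", "shared", "confidential"


class Disk:
    def __init__(self, n_clusters, cluster_size=8, used_at_startup=()):
        self.size = cluster_size
        self.clusters = [bytes(cluster_size)] * n_clusters  # raw HDD contents
        self.state = [FREE] * n_clusters        # the map: one state per cluster
        self.redirect = [None] * n_clusters     # normal cluster -> confidential copy
        for n in used_at_startup:               # what $Bitmap reports as in use
            self.state[n] = SHARED

    def _alloc_conf(self):
        """Turn a free cluster into a confidential one and return its number."""
        n = self.state.index(FREE)              # ValueError when the disk is full
        self.state[n] = CONF
        return n

    def _raw_write(self, n, data):
        self.clusters[n] = data.ljust(self.size, b"\0")[: self.size]

    def write(self, mode, n, data):
        """Hooked write; returns the cluster actually written (None if skipped)."""
        data = data.ljust(self.size, b"\0")[: self.size]
        if mode == "confidential":
            if self.state[n] in (FREE, CONF):   # already confidential: no redirect
                self.state[n] = CONF
                self._raw_write(n, data)
                return n
            if self.clusters[n] == data:        # same bytes as the normal view
                if self.redirect[n] is not None:
                    self.state[self.redirect[n]] = FREE   # copy is now useless
                    self.redirect[n] = None
                self.state[n] = SHARED
                return None                     # report success without writing
            if self.redirect[n] is None:        # first confidential write here
                self.redirect[n] = self._alloc_conf()
                self.state[n] = NORMAL
            self._raw_write(self.redirect[n], data)
            return self.redirect[n]
        if self.state[n] in (SHARED, CONF) and self.redirect[n] is None:
            c = self._alloc_conf()              # copy-on-write: keep the old bytes
            self._raw_write(c, self.clusters[n])   # for the confidential view
            self.redirect[n] = c
        self.state[n] = NORMAL
        self._raw_write(n, data)
        return n

    def read(self, mode, n):
        """Hooked read; None means the read is refused in the normal mode."""
        if mode == "confidential":
            c = self.redirect[n]
            return self.clusters[n if c is None else c]
        if self.state[n] == CONF:               # hidden from the normal mode
            return None                         # (or return dummy zeros instead)
        return self.clusters[n]                 # never follow the redirect

    def delete_file(self, mode, file_clusters):
        """Release map entries when the MFT/FAT shows a file was deleted."""
        for n in file_clusters:
            c = self.redirect[n]
            if mode == "confidential":
                if c is not None:               # confidential copy no longer needed
                    self.state[c] = FREE
                    self.redirect[n] = None
                elif self.state[n] == CONF:
                    self.state[n] = FREE
                elif self.state[n] == SHARED:   # assumption: normal view still uses it
                    self.state[n] = NORMAL
            else:
                if c is not None:               # move the confidential copy back
                    self._raw_write(n, self.clusters[c])
                    self.state[c] = FREE
                    self.redirect[n] = None
                    self.state[n] = CONF
                elif self.state[n] == NORMAL:
                    self.state[n] = FREE
                elif self.state[n] == SHARED:   # assumption: confidential view still uses it
                    self.state[n] = CONF

    def wipe_confidential(self, passes=2):
        """Deletion unit: overwrite every confidential cluster and free it."""
        wiped = []
        for n, s in enumerate(self.state):
            if s == CONF:
                for _ in range(passes - 1):
                    self._raw_write(n, os.urandom(self.size))
                self._raw_write(n, bytes(self.size))
                self.state[n] = FREE
                wiped.append(n)
        self.redirect = [None] * len(self.redirect)
        return wiped
```

The invariant worth checking against this model is that a normal-mode reader never observes bytes written in the confidential mode, whatever sequence of writes and deletions occurs: the normal view only ever reads its own cluster, and the copy-on-write path is what keeps the confidential view intact when the normal mode overwrites a shared cluster.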
- the collection unit 108 scans the HDD 103 and creates an initial file list recording file names and update dates and times.
- after the work in the confidential mode, an updated file list is created in the same way, and the update date and time of each file is compared between the two lists. For example, with the initial file list and the updated file list shown in FIG. 5, file a and file b are not added to the collection file list because their update dates and times are the same, while file c is added because its update date and time changed.
- file d does not exist in the initial file list but only in the updated file list, so it is regarded as a newly created file and added to the collection file list. A file that exists in the initial file list but not in the updated file list is a deleted file and is not added.
- the collection unit 108 reads the files in the collection file list from the HDD 103 and copies them to an external storage medium such as a CD-R or a USB memory. The copy may instead go to network attached storage (NAS) or a file server using a file transfer protocol such as the Windows file sharing protocol or FTP.
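The file-list comparison of the collection unit 108, as an added example that is not the patent's own code. `snapshot` builds a file list (relative path to update time) like the initial and updated file lists, `collection_targets` applies the comparison described above, and `collect` copies the targets to a destination directory. The `demo` scenario constructs a directory that mirrors FIG. 5 (a and b unchanged, c updated, d new, e deleted); the use of the file's mtime as the update time and of paths relative to the scanned root are assumptions of the example.

```python
"""Collection unit: list files created or updated in the confidential mode.

Added example, not the patent's code. Assumptions: the update time is the
file's mtime, and files are identified by their path relative to `root`.
"""
import os
import shutil
import tempfile


def snapshot(root):
    """Scan `root` and return {relative path: modification time in ns}."""
    listing = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            listing[os.path.relpath(full, root)] = os.stat(full).st_mtime_ns
    return listing


def collection_targets(initial, updated):
    """Files in `updated` that are new or whose update time changed.

    A file present only in `initial` was deleted and is not collected.
    """
    return sorted(
        name for name, mtime in updated.items()
        if name not in initial or initial[name] != mtime
    )


def collect(root, targets, dest):
    """Copy each target (with its timestamp) under `dest`; return the copies."""
    copied = []
    for rel in targets:
        out = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(out), exist_ok=True)
        shutil.copy2(os.path.join(root, rel), out)
        copied.append(out)
    return copied


def _write(path, text, mtime_ns):
    with open(path, "w") as f:
        f.write(text)
    os.utime(path, ns=(mtime_ns, mtime_ns))   # explicit timestamps for determinism


def demo():
    """Constructed scenario: a, b unchanged; c updated; d created; e deleted."""
    root, dest = tempfile.mkdtemp(), tempfile.mkdtemp()
    for name in ("a", "b", "c", "e"):
        _write(os.path.join(root, name), name, 1_000_000_000)
    initial = snapshot(root)                    # the initial file list
    _write(os.path.join(root, "c"), "c updated", 2_000_000_000)   # confidential work
    _write(os.path.join(root, "d"), "d", 2_000_000_000)
    os.remove(os.path.join(root, "e"))
    targets = collection_targets(initial, snapshot(root))   # the updated file list
    copied = collect(root, targets, dest)
    return {"targets": targets, "copied": copied,
            "all_exist": all(os.path.exists(p) for p in copied)}
```

A caveat the comparison inherits from the text: it trusts the update date and time. An application that preserves timestamps when rewriting a file, or a user who resets them, produces a file the collection unit does not pick up; comparing a content hash as well closes that gap at the cost of reading every file.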
- the encryption unit 109 can be implemented as a driver or an application program, for example.
- the encryption unit 109 encrypts the cluster information using an encryption algorithm such as AES or RC4 and returns it to the IO redirect unit 105. RC4 is no longer considered secure and should not be chosen for a new implementation; for cluster-level encryption the appropriate choice today is AES in a sector-oriented mode (for example XTS), in which the cluster number enters the encryption so that identical plaintext clusters do not produce identical ciphertext.
- the network control unit 111 can be implemented as a driver, for example.
- when the computer starts, the network control unit 111 asks the IO redirect unit 105 which operation mode is active.
- in the normal mode, the network control unit 111 hooks the IP packets output to the NIC 110 and compares the destination IP address in the IP header with the server IP address it holds. If they are the same, communication is prohibited by discarding the packet; if they differ, communication is permitted by passing the packet to the NIC. Because the check is on the destination IP address alone, the file server must not be reachable through any other address (a second interface, a proxy, or a DNS name that resolves elsewhere), or the check is bypassed.
- in the confidential mode, the network control unit 111 hooks the packets in the same way but applies the opposite rule: communication is permitted when the destination IP address matches the server's IP address, and the packet is discarded when it does not.
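The mode-dependent packet decision of the network control unit 111, as an added example that is not the patent's code. `filter_packet` takes the raw bytes of an outgoing IPv4 packet, reads the destination address from the header and applies the rule above: in the normal mode packets to the file server are dropped and all others pass, in the confidential mode only packets to the file server pass. The server address, the constructed packets built by `build_ipv4`, and the choice to drop anything that is not a well-formed IPv4 packet (fail closed) are assumptions of the example.

```python
"""Network control unit: per-mode filtering of outgoing IPv4 packets.

Added example, not the patent's code. Assumptions: a single server address,
and any packet that is not well-formed IPv4 is dropped (fail closed).
"""
import ipaddress
import struct


def ipv4_destination(packet):
    """Return the destination address of an IPv4 packet, or None if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:      # too short or not version 4
        return None
    ihl = (packet[0] & 0x0F) * 4                      # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return None
    return ipaddress.IPv4Address(packet[16:20])       # destination field


def filter_packet(mode, packet, server):
    """Return 'pass' or 'drop' for an outgoing packet in the given mode."""
    dst = ipv4_destination(packet)
    if dst is None:
        return "drop"                                 # assumption: fail closed
    to_server = dst == ipaddress.IPv4Address(server)
    if mode == "confidential":
        return "pass" if to_server else "drop"        # only the file server
    return "drop" if to_server else "pass"            # everything but the file server


def build_ipv4(src, dst, payload=b""):
    """Construct a minimal IPv4 header (no options, checksum left 0) for testing."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,   # ver/IHL, TOS, len, id, frag, TTL, TCP, csum
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return header + payload
```

Two points a practitioner would add to this filter: it inspects only the destination address, so every service on the server host is reachable in the confidential mode, not just the file share; and inbound packets are untouched, so the confidential mode still relies on the host not accepting connections from elsewhere.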
- each unit of the data processing apparatus 100 described above is realized logically, as a function of a computer program.
- each of these units may instead be built as dedicated hardware, or as a combination of software and hardware.
Landscapes
- Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- Mathematical Physics (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Claims (13)
- A data processing apparatus comprising:
mode setting means that sets, as a switchable operation mode, a normal mode for handling normal information and a confidential mode for handling confidential information;
a data storage medium that stores various data in storage areas of a predetermined unit;
area classification means that classifies the storage areas into at least a normal area in which only the normal information is stored, a confidential area in which only the confidential information is stored, a shared area in which both the normal information and the confidential information are stored, and a free area in which neither the normal information nor the confidential information is stored;
normal storing means that, under the normal mode, stores the normal information in the designated normal area;
normal reading means that, under the normal mode, reads the normal information from the designated normal area;
confidential storing means that, under the confidential mode, stores the confidential information in the designated confidential area and, when a normal area is designated, redirects the storing to a confidential area;
map generation means that generates, for each item of the confidential information concerned, the redirect relationship between the designated normal area and the confidential area in which it was stored; and
confidential reading means that, under the confidential mode, reads the confidential information from the designated confidential area and, when a normal area is designated, reads from the confidential area recorded by the redirect relationship.
- The data processing apparatus according to claim 1, wherein the confidential storing means changes the write location to the corresponding confidential area when a confidential area corresponding to the normal area to be written exists, and newly generates a confidential area when no corresponding confidential area exists.
- The data processing apparatus according to claim 1 or 2, wherein, when no confidential area exists that corresponds to the normal area in which the designated confidential information is to be stored, the confidential storing means compares the normal information recorded in the normal area to be written with the confidential information to be written, and does not generate a confidential area for recording the confidential information when they are the same.
- The data processing apparatus according to any one of claims 1 to 3, wherein, when a confidential area corresponding to the designated normal area to be written exists and the normal information recorded in the normal area is the same as the confidential information to be written, the confidential storing means deletes the confidential area corresponding to the normal area.
- The data processing apparatus according to any one of claims 1 to 4, wherein the confidential reading means hooks the reading of the confidential information under the confidential mode, inquires of the map generation means whether a confidential area corresponding to the normal area to be read exists, and, when it exists, changes the read target to the corresponding confidential area.
- The data processing apparatus according to any one of claims 1 to 5, wherein the confidential storing means hooks the writing of the normal data under the normal mode and, when no confidential area corresponding to the normal area to be written exists, newly generates a confidential area, copies the normal data in the normal area to be written to the generated confidential area, and then writes to the normal area to be written.
- The data processing apparatus according to any one of claims 1 to 6, wherein the map generation means detects the deletion of a file on the data storage medium and deletes the redirect relationship made unnecessary by the deletion of the file.
- The data processing apparatus according to any one of claims 1 to 7, further comprising deletion means that inquires of the map generation means about the location of the confidential area in which the confidential information is recorded and deletes the confidential information by overwriting the confidential area.
- The data processing apparatus according to any one of claims 1 to 8, further comprising collection means that identifies the confidential information by comparing the file list of the initial state with the file list after the work, and copies it.
- The data processing apparatus according to any one of claims 1 to 9, further comprising encryption means that encrypts and decrypts information,
wherein the confidential storing means encrypts the confidential information with the encryption means when writing it, and
the confidential reading means decrypts the confidential information with the encryption means when reading it.
- The data processing apparatus according to any one of claims 1 to 10, further comprising network control means that controls access to a file server,
wherein the confidential storing means records information downloaded from the file server as the confidential information.
- A computer program for a data processing apparatus having a data storage medium that stores various data in storage areas of a predetermined unit, the program causing the data processing apparatus to execute:
a mode setting process that sets, as a switchable operation mode, a normal mode for handling normal information and a confidential mode for handling confidential information;
an area classification process that classifies the storage areas into at least a normal area in which only the normal information is stored, a confidential area in which only the confidential information is stored, a shared area in which both the normal information and the confidential information are stored, and a free area in which neither the normal information nor the confidential information is stored;
a normal storing process that, under the normal mode, stores the normal information in the designated normal area;
a normal reading process that, under the normal mode, reads the normal information from the designated normal area;
a confidential storing process that, under the confidential mode, stores the confidential information in the designated confidential area and, when a normal area is designated, redirects the storing to a confidential area;
a map generation process that generates, for each item of the confidential information concerned, the redirect relationship between the designated normal area and the confidential area in which it was stored; and
a confidential reading process that, under the confidential mode, reads the confidential information from the designated confidential area and, when a normal area is designated, reads from the confidential area recorded by the redirect relationship.
- A data processing method using a data storage medium that stores various data in storage areas of a predetermined unit, the method comprising:
a mode setting operation that sets, as a switchable operation mode, a normal mode for handling normal information and a confidential mode for handling confidential information;
an area classification operation that classifies the storage areas into at least a normal area in which only the normal information is stored, a confidential area in which only the confidential information is stored, a shared area in which both the normal information and the confidential information are stored, and a free area in which neither the normal information nor the confidential information is stored;
a normal storing operation that, under the normal mode, stores the normal information in the designated normal area;
a normal reading operation that, under the normal mode, reads the normal information from the designated normal area;
a confidential storing operation that, under the confidential mode, stores the confidential information in the designated confidential area and, when a normal area is designated, redirects the storing to a confidential area;
a map generation operation that generates, for each item of the confidential information concerned, the redirect relationship between the designated normal area and the confidential area in which it was stored; and
a confidential reading operation that, under the confidential mode, reads the confidential information from the designated confidential area and, when a normal area is designated, reads from the confidential area recorded by the redirect relationship.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/254,325 US8516212B2 (en) | 2009-03-24 | 2010-03-03 | Data processing apparatus, computer program therefor, and data processing method |
JP2011505839A JP5429280B2 (ja) | 2009-03-24 | 2010-03-03 | データ処理装置、そのコンピュータプログラムおよびデータ処理方法 |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2009072391 | 2009-03-24 | ||
JP2009-072391 | 2009-03-24 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2010109774A1 true WO2010109774A1 (ja) | 2010-09-30 |
Family
ID=42780474
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2010/001434 WO2010109774A1 (ja) | 2009-03-24 | 2010-03-03 | データ処理装置、そのコンピュータプログラムおよびデータ処理方法 |
Country Status (3)
Country | Link |
---|---|
US (1) | US8516212B2 (ja) |
JP (1) | JP5429280B2 (ja) |
WO (1) | WO2010109774A1 (ja) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2014523596A (ja) * | 2011-07-25 | 2014-09-11 | ▲騰▼▲訊▼科技(深▲セン▼)有限公司 | ファイルシステムをクリーニングするための方法及び装置並びにその記憶媒体 |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104376011B (zh) * | 2013-08-14 | 2018-08-17 | 华为终端(东莞)有限公司 | 实现隐私保护方法及装置 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2005258926A (ja) * | 2004-03-12 | 2005-09-22 | Ntt Comware Corp | ファイルアクセス制御装置、ファイルアクセス制御方法およびファイルアクセス制御プログラム |
JP2005352535A (ja) * | 2004-06-08 | 2005-12-22 | Ark Joho Systems:Kk | データを保護する方法 |
JP2007280255A (ja) * | 2006-04-11 | 2007-10-25 | Nec Corp | 情報漏洩防止システム、情報漏洩防止方法、プログラムおよび記録媒体 |
JP2008501182A (ja) * | 2004-06-04 | 2008-01-17 | レノソフト テクノロジー インコーポレイテッド | システム領域情報テーブルとマッピングテーブルを使用したコンピューターハードディスクシステムデータ保護装置及びその方法 |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7539828B2 (en) * | 2000-08-08 | 2009-05-26 | Faronics Corporation | Method and system for automatically preserving persistent storage |
JP2003280915A (ja) | 2002-03-22 | 2003-10-03 | Toshiba Corp | 情報機器、記憶媒体、及びシステム起動方法 |
WO2006059639A1 (ja) | 2004-11-30 | 2006-06-08 | Nec Corporation | 情報共有システム、情報共有方法、グループ管理プログラム及びコンパートメント管理プログラム |
EP1947593B1 (en) * | 2005-11-07 | 2010-10-06 | Panasonic Corporation | Portable auxiliary storage device |
- 2010
- 2010-03-03 WO PCT/JP2010/001434 patent/WO2010109774A1/ja active Application Filing
- 2010-03-03 JP JP2011505839A patent/JP5429280B2/ja active Active
- 2010-03-03 US US13/254,325 patent/US8516212B2/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2005258926A (ja) * | 2004-03-12 | 2005-09-22 | Ntt Comware Corp | ファイルアクセス制御装置、ファイルアクセス制御方法およびファイルアクセス制御プログラム |
JP2008501182A (ja) * | 2004-06-04 | 2008-01-17 | レノソフト テクノロジー インコーポレイテッド | システム領域情報テーブルとマッピングテーブルを使用したコンピューターハードディスクシステムデータ保護装置及びその方法 |
JP2005352535A (ja) * | 2004-06-08 | 2005-12-22 | Ark Joho Systems:Kk | データを保護する方法 |
JP2007280255A (ja) * | 2006-04-11 | 2007-10-25 | Nec Corp | 情報漏洩防止システム、情報漏洩防止方法、プログラムおよび記録媒体 |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2014523596A (ja) * | 2011-07-25 | 2014-09-11 | ▲騰▼▲訊▼科技(深▲セン▼)有限公司 | ファイルシステムをクリーニングするための方法及び装置並びにその記憶媒体 |
US9104685B2 (en) | 2011-07-25 | 2015-08-11 | Tencent Technology (Shenzhen) Company Limited | Method, device and storage medium for cleaning up file systems |
Also Published As
Publication number | Publication date |
---|---|
US8516212B2 (en) | 2013-08-20 |
JPWO2010109774A1 (ja) | 2012-09-27 |
US20110320753A1 (en) | 2011-12-29 |
JP5429280B2 (ja) | 2014-02-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8301909B2 (en) | System and method for managing external storage devices | |
US20080126813A1 (en) | Storage control device and method of controlling encryption function of storage control device | |
KR101705550B1 (ko) | 보안 저장 영역에 대한 응용 프로그램의 접근 제어 방법 및 장치 | |
JP4521865B2 (ja) | ストレージシステム、計算機システムまたは記憶領域の属性設定方法 | |
NO334475B1 (no) | Anordning, medium og fremgangsmåte for opptak, og tilhørende datamaskinprogram | |
JP7187362B2 (ja) | ストレージ装置及び制御方法 | |
JP5184041B2 (ja) | ファイルシステム管理装置およびファイルシステム管理プログラム | |
JP6513295B2 (ja) | 計算機システム | |
JP2007183703A (ja) | データの改竄を防止する記憶装置 | |
JP6270780B2 (ja) | データ管理装置、データ管理方法、及びデータ管理プログラム | |
JP4764455B2 (ja) | 外部記憶装置 | |
US8132025B2 (en) | Management method for archive system security | |
US10296468B2 (en) | Storage system and cache control apparatus for storage system | |
JP5429280B2 (ja) | データ処理装置、そのコンピュータプログラムおよびデータ処理方法 | |
KR101055287B1 (ko) | 응용프로그램에서 사용되는 임시 파일의 관리 방법 | |
JP2006293583A (ja) | ファイル管理方法 | |
US9251382B2 (en) | Mapping encrypted and decrypted data via key management system | |
US8407369B2 (en) | Digitally shredding on removable drives | |
JP2007140727A (ja) | 仮想ファイル管理装置、仮想ファイル管理方法、および仮想ファイル管理プログラム | |
JP2019159766A (ja) | データ保護装置、データ保護方法、およびデータ保護用プログラム | |
JP2006318037A (ja) | ライフサイクル管理システム |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 10755581 Country of ref document: EP Kind code of ref document: A1 |
WWE | Wipo information: entry into national phase |
Ref document number: 2011505839 Country of ref document: JP |
WWE | Wipo information: entry into national phase |
Ref document number: 13254325 Country of ref document: US |
NENP | Non-entry into the national phase |
Ref country code: DE |
122 | Ep: pct application non-entry in european phase |
Ref document number: 10755581 Country of ref document: EP Kind code of ref document: A1 |