WO2020261438A1 - Execution control system, execution control method, and program (実行制御システム、実行制御方法、及びプログラム) - Google Patents

Execution control system, execution control method, and program

Info

Publication number
WO2020261438A1
Authority
WO
WIPO (PCT)
Prior art keywords
determination
target application
information
introduction
execution
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2019/025414
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
純明 榮
和彦 磯山
貴史 小梨
淳 西岡
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NEC Corp
Original Assignee
NEC Corp
Application filed by NEC Corp
Priority to PCT/JP2019/025414 (WO2020261438A1)
Priority to JP2021528745A (JP7255681B2)
Priority to US17/619,314 (US20220366035A1)
Publication of WO2020261438A1
Priority to JP2023052782A (JP2023078441A)
Legal status: Ceased

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Prevention of errors by analysis, debugging or testing of software
    • G06F11/3604Analysis of software for verifying properties of programs
    • G06F11/3612Analysis of software for verifying properties of programs by runtime analysis
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software

Definitions

  • the present invention relates to controlling the operation of software.
  • Systems that control the operation of software have been developed. For example, Patent Document 1 discloses a technique that installs software in a sandbox environment and determines, from the actions generated during that sandboxed installation, whether installing the software is desirable.
  • the present inventor has found a new technique for controlling the operation of software.
  • the present invention has been made in view of the above-mentioned problems, and one of the objects thereof is to provide a new technique for controlling the operation of software.
  • the execution control system of the present invention has a determination unit for determining whether or not the operation of the target software is permitted.
  • the determination includes a first determination and a second determination to be performed when the permission or rejection of the operation of the target software cannot be determined by the first determination.
  • the execution control system of the present invention further includes a control unit that operates the target software in a protected environment after the first determination is completed and while the second determination is being performed.
  • the execution control method of the present invention is executed by a computer.
  • the execution control method includes a determination step for determining whether or not the operation of the target software is permitted.
  • the determination includes a first determination and a second determination to be performed when the permission or rejection of the operation of the target software cannot be determined by the first determination.
  • the execution control method further includes a control step for operating the target software in a protected environment after the first determination is completed and while the second determination is being performed.
  • the control method of the present invention is executed by a computer.
  • the control method of the present invention includes 1) an acquisition step of acquiring introduction record information relating to the introduction (installation) of an application, and 2) an evaluation step of evaluating, using the acquired introduction record information, an application on which processing for detecting an abnormality has been performed.
  • the program of the present invention causes a computer to execute each step of the execution control method of the present invention.
  • The drawings also include: a first diagram illustrating the device configuration of the execution control system; a second diagram illustrating the device configuration of the execution control system; a diagram exemplifying the introduction record information in table form; a diagram exemplifying the introduction standard information in table form; a diagram illustrating a structure that manages the introduction standard information; and a block diagram illustrating the functional configuration of an execution control system that has an output unit.
  • each block diagram represents functional units, not hardware units.
  • FIG. 1 is a diagram illustrating an outline of the operation of the execution control system 2000 of the present embodiment.
  • FIG. 1 is a diagram showing a conceptual explanation for facilitating an understanding of the operation of the execution control system 2000, and does not specifically limit the operation of the execution control system 2000.
  • the execution control system 2000 determines whether or not the software operation is permitted, and controls the software operation.
  • application execution is treated as “software operation”.
  • “Loading a shared library”, which is another example of “software operation”, will be described in a modified example described later.
  • the application that is the target of the determination by the execution control system 2000 is referred to as the target application 30.
  • For example, an application launched by a user or by another application is treated as the target application 30. That is, when an application is started, the execution control system 2000 determines whether or not the application may be executed before its execution actually begins.
  • the timing for determining the execution permission / rejection of the target application 30 is not limited to the timing when the target application 30 is started.
  • the determination of execution permission / rejection is performed by determining whether or not the target application 30 is a normal application. Such a determination makes it possible to prevent damage caused by executing an abnormal application (for example, an application with a high probability of being malware).
  • the determination of whether or not the target application 30 can be executed by the execution control system 2000 includes the first determination and the second determination.
  • the second determination is executed when the execution permission / rejection of the target application 30 cannot be determined in the first determination.
  • the target application 30 can operate in at least two types of execution environments.
  • This execution environment includes a protected environment and a normal environment.
  • the operation of the target application 30 executed in the protected environment is more restricted than in the normal environment. Examples of restricted operations are writing data (writing to a storage area, transmitting to the outside, and so on).
  • the target application 30 executed in the protected environment cannot write data to at least a part of the storage area in which the target application 30 executed in the normal environment can write data.
  • the execution control system 2000 does not execute the target application 30 until the first determination is completed. If the execution permission / rejection of the target application 30 cannot be determined by the first determination and the second determination is performed, the execution control system 2000 operates the target application 30 in the protected environment until the determination of execution permission / rejection is completed.
  • the user of the target application 30 generally wants to use it as soon as possible. It is therefore conceivable to execute the target application 30 in the protected environment while determining whether or not it may be executed. This lets a target application whose execution permission is not yet settled start quickly, while preventing it from compromising other applications and the like. That is, the user's request for an earlier start is met without letting the application cause damage.
  • Consider, however, a target application 30 that is run in the protected environment while its execution permission is being determined. If its execution is then permitted, the target application 30 must be run in the normal environment. As described later, this requires either switching the execution environment of the target application 30 from the protected environment to the normal environment, or stopping the target application 30 and starting it again in the normal environment. By contrast, when a target application 30 whose startup was suspended is permitted to execute, the suspended startup simply resumes, so the processing required after permission is relatively simple.
  • From this point of view, it is preferable to suspend the startup of the target application 30 rather than to execute it in the protected environment.
  • Taking both points into account, the execution control system 2000 divides the determination of execution permission / rejection into the first determination and the second determination, and executes the target application 30 in the protected environment only when the first determination cannot decide and the second determination is required. In this way the processing required after execution is permitted is kept in mind, the user's request for an earlier start of the target application 30 is met, and problems caused by executing the target application 30 are prevented.
  • FIG. 2 is a diagram illustrating the configuration of the execution control system 2000 of the first embodiment.
  • the execution control system 2000 has a determination unit 2020 and a control unit 2040.
  • the determination unit 2020 determines whether or not the target application 30 can be executed.
  • the determination of approval / disapproval includes the first determination and the second determination.
  • the control unit 2040 executes the target application 30 in the protected environment while the second determination is being performed.
  • Each functional component of the execution control system 2000 may be realized by hardware that realizes that component (e.g., a hard-wired electronic circuit) or by a combination of hardware and software (e.g., an electronic circuit and a program that controls it).
  • a case where each functional component of the execution control system 2000 is realized by a combination of hardware and software will be further described.
  • FIG. 3 is a diagram illustrating a computer 1000 for realizing the execution control system 2000.
  • the computer 1000 is an arbitrary computer.
  • the computer 1000 is a personal computer (PC), a server machine, a tablet terminal, a smartphone, or the like.
  • the computer 1000 may be a dedicated computer designed to realize the execution control system 2000, or may be a general-purpose computer.
  • the computer 1000 has a bus 1020, a processor 1040, a memory 1060, a storage device 1080, an input / output interface 1100, and a network interface 1120.
  • the bus 1020 is a data transmission line for the processor 1040, the memory 1060, the storage device 1080, the input / output interface 1100, and the network interface 1120 to transmit and receive data to and from each other.
  • the method of connecting the processors 1040 and the like to each other is not limited to the bus connection.
  • the processor 1040 is a processor such as a CPU (Central Processing Unit), a GPU (Graphics Processing Unit), or an FPGA (Field-Programmable Gate Array).
  • the memory 1060 is a main storage device realized by using RAM (Random Access Memory) or the like.
  • the storage device 1080 is an auxiliary storage device realized by using a hard disk drive, an SSD (Solid State Drive), a memory card, a ROM (Read Only Memory), or the like.
  • the storage device 1080 may be composed of the same hardware as the hardware constituting the main storage device, such as RAM.
  • the input / output interface 1100 is an interface for connecting the computer 1000 and the input / output device.
  • the network interface 1120 is an interface for connecting the computer 1000 to the communication network.
  • This communication network is, for example, LAN (Local Area Network) or WAN (Wide Area Network).
  • the method of connecting the network interface 1120 to the communication network may be a wireless connection or a wired connection.
  • the storage device 1080 stores a program module that realizes a functional component of the execution control system 2000.
  • the processor 1040 realizes the function corresponding to each program module by reading each of these program modules into the memory 1060 and executing the program module.
  • the execution control system 2000 may be realized by two or more computers. Each computer in this case also has, for example, the hardware configuration shown in FIG.
  • FIG. 4 is a flowchart illustrating the flow of processing executed by the execution control system 2000 of the first embodiment.
  • the determination unit 2020 makes the first determination regarding whether or not the target application 30 may be executed (S102).
  • If the first determination settles the execution permission / rejection, the control unit 2040 controls the execution of the target application 30 based on that result (S110).
  • If the first determination cannot settle it, the determination unit 2020 makes the second determination regarding the execution permission / rejection of the target application 30 (S106). While the second determination is being made, the control unit 2040 executes the target application 30 in the protected environment (S108).
  • When the second determination is completed, the control unit 2040 controls the execution of the target application 30 based on its result (S110).
  • The processing by the execution control system 2000 is started, for example, at the timing when an application is started by a user or by another application.
  • the execution control system 2000 treats the started application as the target application 30 and determines whether or not to execute it.
  • the timing at which the execution control system 2000 determines whether or not to execute the application may be before the application is started. For example, when a new application is introduced into the first device 10, the execution control system 2000 treats that application as the target application 30 and determines whether or not to execute it. In this case, the determination may already be complete by the time the target application 30 is started, and the execution control system 2000 then controls the execution of the target application 30 based on the result of the completed determination.
  • On the other hand, if the determination has not yet been completed when the target application 30 is started, the execution control system 2000 suspends the start of the target application 30 until the first determination is completed, and if the second determination is being made for the target application 30, executes the target application 30 in the protected environment.
  • the determination of whether or not to execute the target application 30 may be performed at regular timing (for example, once a day).
  • the execution control system 2000 determines whether or not to execute each application newly introduced into the first device 10 (each application whose execution permission or rejection has not yet been determined) at a periodic timing.
  • execution control system 2000 can be realized by various device configurations. Here, some specific examples will be illustrated.
  • FIG. 5 is a first diagram illustrating the device configuration of the execution control system 2000.
  • the execution control system 2000 is composed of the first device 10 and the second device 20.
  • the first device 10 is a device on which the target application 30 is executed.
  • the second device 20 is a device that determines whether or not the target application 30 can be executed.
  • the first device 10 has a function of detecting that an application has been started. When the activation of the application is detected in the first device 10, the application is treated as the target application 30. The first device 10 transmits a request for inquiring whether or not the target application 30 can be executed to the second device 20. This request includes identification information of the target application 30.
  • the first device 10 has the control unit 2040, which executes the target application 30 in the protected environment (the determination unit 2020 sends its notifications to the first device 10, as described below).
  • the second device 20 is provided with a determination unit 2020.
  • the determination unit 2020 receives the above request from the first device 10 and determines whether or not to execute the target application 30 specified by the identification information shown in the request.
  • the determination unit 2020 transmits a notification indicating the result of the first determination to the first device 10. This notification shows, for example, the combination "identification information of the target application 30, determination result".
  • If the first determination settles the execution permission / rejection, the control unit 2040 controls the execution of the target application 30 based on that result, and the series of processes by the execution control system 2000 is completed.
  • If the first determination does not settle it, the control unit 2040 executes the target application 30 in the protected environment while the determination unit 2020 performs the second determination. After that, the determination unit 2020 transmits a notification indicating the result of the second determination to the control unit 2040, which controls the execution of the target application 30 based on the result indicated by this notification.
  • FIG. 6 is a second diagram illustrating the device configuration of the execution control system 2000.
  • both the determination unit 2020 and the control unit 2040 are provided in the first device 10. That is, the device on which the target application 30 is executed both determines whether or not the target application 30 may be executed and controls its execution.
  • the determination unit 2020 determines whether or not the target application 30 can be executed (S102, S106).
  • the execution permission / rejection of the target application 30 can be determined by using an arbitrary standard. The specific criteria used for determining the execution permission / rejection of the target application 30 will be described later.
  • the determination process performed by the determination unit 2020 includes at least a two-stage determination of a first determination and a second determination.
  • the second determination is executed when the execution permission / rejection cannot be determined in the first determination (when the execution permission / rejection determination of the target application 30 cannot be completed in the first determination). Therefore, the result of the first determination is either 1) the execution of the target application 30 is permitted, 2) the execution of the target application 30 is not permitted, or 3) the second determination is performed.
  • another determination may be made before the first determination or after the second determination. That is, in the execution control system 2000, 1) the determination by the determination unit 2020 includes two or more stages; 2) the target application 30 is not executed until a specific determination (the first determination) is completed; and 3) if execution permission / rejection still cannot be determined when that specific determination is completed, the process proceeds to the next determination (the second determination) and the target application 30 is executed in the protected environment while it runs. The determination at each stage results in one of 1) permitting the execution of the target application 30, 2) disallowing it, or 3) proceeding to the next determination.
  • If there is a further determination after the second determination, the target application 30 is also executed in the protected environment during that determination. That is, the target application 30 is executed in the protected environment from the start of the second determination until the determination of execution permission / rejection is completed.
  • the multi-stage determination by the determination unit 2020 is configured so that, for example, the more the stage progresses, the longer the determination takes.
  • That is, determinations with a relatively short required time are performed first, and a relatively long determination process is performed only when those short determinations cannot decide whether or not the target application 30 may be executed. This keeps the time required for the determination as short as possible.
  • the determination of each stage by the determination unit 2020 is performed using different criteria. For example, the higher the determination stage, the longer it takes to acquire the information used for the determination.
  • the information indicating the criteria used in the first determination is referred to as the first reference information
  • the information indicating the criteria used in the second determination is referred to as the second reference information.
  • the first reference information is already stored in the storage device, while the second reference information is generated on the spot.
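The staged decision described above, as an added example that is not the patent's own code. Stage 1 uses first reference information that is already stored (here: constructed SHA-256 allow/deny lists keyed by the application's identification information); stage 2 generates its second reference information on the spot (here: a constructed content scan stands in for the slower analysis). Startup stays suspended through stage 1, and the target is launched in the protected environment only once stage 2 starts. The stage functions, the hash lists, the sample images and the fail-closed default at the end are all assumptions of this example:

```python
import hashlib
from enum import Enum
from typing import Callable, List, NamedTuple


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    UNDECIDED = "undecided"  # this stage could not decide: go to the next stage


class Decision(NamedTuple):
    verdict: Verdict
    stage: int           # stage that produced the final verdict
    ran_protected: bool  # whether the target ran in the protected environment while pending


def app_id(image: bytes) -> str:
    """Identification information of the target application: SHA-256 of its image."""
    return hashlib.sha256(image).hexdigest()


# First reference information: lists already stored before the decision (constructed).
KNOWN_GOOD = {app_id(b"MZ trusted-editor v1")}
KNOWN_BAD = {app_id(b"MZ known-stealer")}


def stage1_stored_lists(image: bytes) -> Verdict:
    """Fast first determination: look the identification information up in stored lists."""
    h = app_id(image)
    if h in KNOWN_BAD:
        return Verdict.DENY
    if h in KNOWN_GOOD:
        return Verdict.ALLOW
    return Verdict.UNDECIDED


# Second reference information is generated on the spot; a constructed scan for
# command-interpreter invocations stands in for the slower analysis here.
SUSPICIOUS = (b"cmd.exe /c", b"powershell -enc", b"/bin/sh -c")


def stage2_generated_scan(image: bytes) -> Verdict:
    return Verdict.DENY if any(s in image for s in SUSPICIOUS) else Verdict.ALLOW


def decide(image: bytes, stages: List[Callable[[bytes], Verdict]],
           run_protected: Callable[[bytes], None]) -> Decision:
    """Run the stages in order. Startup stays suspended through stage 1; from stage 2 on
    the target runs in the protected environment until a verdict is reached."""
    ran_protected = False
    for n, stage in enumerate(stages, start=1):
        if n == 2:
            run_protected(image)  # control unit: launch in the sandbox while still deciding
            ran_protected = True
        verdict = stage(image)
        if verdict is not Verdict.UNDECIDED:
            return Decision(verdict, n, ran_protected)
    # Example design choice (not from the patent): if no stage can decide, fail closed.
    return Decision(Verdict.DENY, len(stages), ran_protected)


if __name__ == "__main__":
    launched = []
    stages = [stage1_stored_lists, stage2_generated_scan]
    for image in (b"MZ trusted-editor v1", b"MZ known-stealer",
                  b"MZ new-tool", b"MZ dropper powershell -enc AAAA"):
        print(app_id(image)[:12], decide(image, stages, launched.append))
    print("sandboxed launches:", len(launched))
```

Only the two unknown images reach stage 2 and are therefore launched in the protected environment; the known-good and known-bad images are settled by the stored lists before anything runs.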
  • Reuse of determination results: for a target application 30 whose execution permission / rejection has been determined once, it is preferable to save the determination result so that it need not be determined again.
  • When the determination unit 2020 determines whether or not the target application 30 may be executed, the combination "identification information of the application determined, determination result" is stored in a predetermined storage device.
  • the information composed of the above combinations is referred to as determination result information.
  • a storage device that stores determination result information is called a determination result information storage device.
  • When determining whether or not the target application 30 may be executed, the determination unit 2020 first searches the determination result information storage device for the identification information of the target application 30. If determination result information for that identification information is stored, the determination unit 2020 uses the determination result it shows. Otherwise, the determination unit 2020 performs the determination of whether or not to execute the target application 30.
  • When the criteria for the determination are updated, the determination unit 2020 does not use determination result information stored before the update. For example, when the criteria for determining execution permission / rejection are updated, determination result information generated before the update is deleted from the determination result information storage device.
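The result reuse and its invalidation on a criteria update, as an added example that is not the patent's own code. The determination result information storage device is modelled as an in-memory dictionary keyed by identification information; stamping each entry with the criteria version that produced it, and the optional `version` argument used to simulate a writer that still holds the old criteria, are assumptions of this example:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class ResultStore:
    """Determination result information storage device, modelled in memory.
    Each entry maps identification information to (result, criteria version)."""
    criteria_version: int = 1
    _entries: Dict[str, Tuple[str, int]] = field(default_factory=dict)
    hits: int = 0

    def save(self, ident: str, result: str, version: Optional[int] = None) -> None:
        # `version` is normally left unset; it exists so that a writer still holding
        # the old criteria can be simulated (assumption of this example).
        self._entries[ident] = (result, self.criteria_version if version is None else version)

    def lookup(self, ident: str) -> Optional[str]:
        entry = self._entries.get(ident)
        if entry is None:
            return None
        result, version = entry
        if version != self.criteria_version:
            del self._entries[ident]  # produced under old criteria: never reuse it
            return None
        self.hits += 1
        return result

    def update_criteria(self) -> None:
        """Criteria changed: bump the version and delete every result generated before it."""
        self.criteria_version += 1
        self._entries = {k: v for k, v in self._entries.items()
                         if v[1] == self.criteria_version}

    def __len__(self) -> int:
        return len(self._entries)


def determine_with_cache(store: ResultStore, ident: str,
                         determine: Callable[[str], str]) -> str:
    """Reuse a stored result when one exists for `ident`; otherwise run the full
    (slow, possibly multi-stage) determination and store its result."""
    cached = store.lookup(ident)
    if cached is not None:
        return cached
    result = determine(ident)
    store.save(ident, result)
    return result
```

The version stamp is a second line of defence behind the eager deletion in `update_criteria`: an entry written by a determination that started under the old criteria but finished after the update is rejected at lookup time instead of being reused.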
  • the control unit 2040 executes the target application 30 in the protected environment while the second determination is being performed (S108).
  • the protected environment referred to here is an environment in which at least part of the operation of the target application 30 is more restricted than in the normal environment, so that the operation of the target application 30 is less likely to affect other applications.
  • Such an environment can also be called a sandbox environment or the like.
  • any restrictions may be adopted for the target application 30 in the protected environment. For example, reading and writing data and starting processes by the target application 30 are restricted in the protected environment. When writing is restricted, for example, the target application 30 operating in the protected environment is controlled so that it writes data to a storage area that other applications cannot access. For example, when the target application 30 changes data shared with other applications (files stored in storage devices, files mapped to memory, the registry, data in shared memory, and the like), a copy of the data is made in storage that other applications cannot access, and the change is applied to the copy. The data change made by the target application 30 is therefore invisible to other applications, which prevents data written by the target application 30 from adversely affecting them.
  • It is also conceivable that the target application 30 operating in the protected environment and another application write to the same data. In such a case, the write conflict must be resolved by some criterion.
  • For example, the control unit 2040 preferentially applies (enables) the write with the latest write time and does not apply (disables) the other writes. In this case it is preferable to notify the application whose write was not applied that its write was not applied.
  • control unit 2040 may apply both writings.
  • Alternatively, the control unit 2040 may notify the user that there is a write conflict at the timing when the operating environment of the target application 30 shifts from the protected environment to the normal environment, and let the user choose which application's write to apply. In this case, the control unit 2040 applies the write by the application selected by the user and does not apply the writes by the other applications.
  • control unit 2040 may preferentially apply writing by an application operating in a normal environment.
  • Alternatively, the control unit 2040 may make a copy of the data and apply the write to the copy. The control unit 2040 then notifies the user, at an arbitrary timing (for example, when the target application 30 shifts from the protected environment to the normal environment), that a conflicting write was applied to a copy of the data, together with the storage location of the copy and the like.
  • Alternatively, after the target application 30 operating in the protected environment writes to certain data, the control unit 2040 may prohibit writes by other applications to that data. In this case, it is preferable that the control unit 2040 notifies the user that writing is prohibited because of a write conflict.
  • the target application 30 operating in the protected environment is restricted from read access to a specific storage area.
  • the storage area that can be read-accessed is limited.
  • Such a specific area is, for example, a storage area in which confidential information is stored, a system area used by an OS or middleware, and the like. By doing so, it is possible to prevent a malicious target application 30 from stealing important data such as confidential information, and to prevent the target application 30 from compromising the first device 10.
  • If the writing of data is also restricted, even if the data is read by a malicious target application 30, it is possible to prevent the data from being leaked (written) to the outside by the target application 30.
  • reading and writing of data is not limited to the storage area.
  • reading and writing data (communication with an external device) to the network may be restricted. This makes it possible to prevent data leakage via the network.
  • the target application 30 operating in the protected environment is restricted so that all or some of the applications cannot be started.
  • the applications that can be launched are limited to some.
  • some malware uses other applications (for example, shells) to perform malicious operations. By restricting the activation of other applications by the target application 30, it is possible to prevent such malicious operations by malware.
  • When the target application 30 starts another application, the other application may also be executed in the protected environment. In this case, it is preferable that the target application 30 and the other application can share data with each other.
  • the amount of computer resources that can be used by the target application 30 may be limited.
  • Examples of computer resources include processor resources, memory resources, disk bandwidth, network bandwidth, and the like.
  • the control unit 2040 changes the execution environment of the target application 30 to a normal environment. For example, it is assumed that in the protected environment, the reading and writing of data by the target application 30, the activation of the application, the amount of resources that can be used by the target application 30, and the like are limited as compared with the case of the normal environment. In this case, the restriction on the target application 30 is changed to the same restriction as in the normal environment.
  • the control unit 2040 moves or copies the data written by the target application 30 in the protected environment to a storage area that can be accessed by an application operating in the normal environment.
  • When the target application 30 running in the protected environment has made changes to data shared with other applications, a copy of that data is made in a storage area that cannot be accessed by other applications, and the changes are applied to that copy.
  • the control unit 2040 makes the contents added to the copy reflected in the original data.
  • control unit 2040 ends the execution of the target application 30. By doing so, it is possible to prevent the target application 30 which is not preferable to be executed, such as an application which may be a security threat, from being continuously executed.
  • control unit 2040 may discard the data written in the storage area by the target application 30 executed in the protected environment.
  • control unit 2040 may record the data written by the target application 30 as information representing the record of the activity by the target application 30.
  • control unit 2040 may continue to execute the target application 30 in the protected environment when the determination unit 2020 does not permit the execution of the target application 30. By doing so, the user can continue the execution of the target application 30 while preventing the target application 30 from adversely affecting other applications and the like.
  • the determination unit 2020 determines whether or not the target application 30 can be executed based on various criteria. For example, a criterion related to the introduction of the target application 30 can be used to determine whether or not the target application 30 can be executed. The details will be described below.
  • the application is installed in the device that executes the application.
  • the introduction here means to make the target application 30 executable on the device.
  • the target application 30 is introduced in the first device 10.
  • The introduction of the target application 30 to the first device 10 also includes a process of acquiring the target application 30. Therefore, for example, the introduction of the target application 30 to the first device 10 includes 1) a process of obtaining the target application 30, 2) a process of arranging the obtained target application 30 on the file system, and 3) a process of performing settings related to the target application 30.
  • Obtaining the target application 30 is, for example, a process of downloading the target application 30 from the server on which the target application 30 is provided, or reading the target application 30 from the storage device in which the target application 30 is stored.
  • the process of arranging the target application 30 on the file system is, for example, a process of storing the executable file and the setting file of the target application 30 in a predetermined directory.
  • the process of setting the target application 30 is, for example, a process of writing the setting data necessary for executing the target application 30 to a registry, a setting file, or the like.
  • The process of arranging the executable file of the target application 30 in a predetermined directory and the process of setting the target application 30 may be performed automatically by executing the installer of the target application 30, or may be performed manually by the user who introduces the target application 30.
  • the process of obtaining the target application 30 can be automatically performed. For example, when one application X needs another application Y, there is a case where the installer of the application X automatically obtains the application Y.
  • The determination unit 2020 acquires information related to the introduction of the target application 30 to the first device 10, and compares this information with the introduction criteria for the target application 30.
  • the information related to the introduction of the target application 30 to the first device 10 will be referred to as the introduction record information.
  • the information used for determining the execution permission / rejection of the target application 30 by paying attention to the introduction of the target application 30 to the first device 10 is particularly referred to as introduction reference information.
  • the introduction record information corresponds to the identification information of the target application 30 and indicates the information regarding the introduction of the target application 30.
  • the identification information of the target application 30 is represented by, for example, the name of the target application 30, the path of the executable file of the target application 30, or the like.
  • For example, the identification information of the target application 30 is represented by a combination of "identification information of the first device 10 in which the target application 30 is installed, the name of the target application 30, etc."
  • The introduction record information may include the following information: 1) route information, which is information about the introduction route of the target application 30; 2) placement information, which is information about the place where the target application 30 is placed; 3) setting information, which is information about the settings associated with the introduction of the target application 30.
  • the route information includes information on software, hardware, services, and the like related to the introduction of the target application 30.
  • the software related to the introduction of the target application 30 is, for example, a downloader used to download the target application 30 or an installer used to install the target application 30. Further, when the installer of the target application 30 or the like obtains a compressed file, the decompression software used for decompressing the compressed file can also be said to be software related to the introduction of the target application 30.
  • the hardware involved in introducing the target application 30 is, for example, a storage device in which an installer of the target application 30, an executable file, or the like is stored. Services related to the introduction of the target application 30 include, for example, a website that provides an installer for the target application 30, a proxy that is placed between the provider of the target application 30 and the first device 10.
  • Suppose that a file F, which is a compressed file of the installer I of application X, is provided on a server S.
  • The file F is downloaded from the server S using the downloader D.
  • The file F is decompressed by the decompression software B.
  • The installer I of the application X obtained by this decompression is executed, so that the application X is introduced to the first device 10.
  • the route information for the application X indicates the information "server S, downloader D, decompression software B, installer I".
  • the generation of route information can be realized, for example, by using the history of various events that may be related to the introduction of the target application 30.
  • An event is represented by, for example, a combination of "subject, object, content”.
  • Events that may be related to the introduction of the target application 30 include, for example, downloading a file, decompressing a compressed file, and executing an installer.
  • the history of these events is stored in the storage device.
  • Existing technology can be used for recording the history of these events. For example, the system calls executed on the first device 10 are recorded as events.
  • the route information is generated by, for example, the agent software resident in the first device 10.
  • the agent software detects the occurrence of a specific event (hereinafter, key event) that may occur with the introduction of the target application 30.
  • key event is the execution of the installer.
  • the agent software identifies other events related to the key event in response to the detection of the key event. For example, when the key event is the execution of the installer, the agent software extracts the event of decompressing the compressed file containing the installer and the event of downloading the compressed file from the event history.
  • the introduction route information can be generated from this event sequence. For example, based on the compressed file download event, the provider (website, etc.) of the installer of the target application 30 can be specified, and the downloader used for the download can be specified.
  • the decompression software used for decompression can be identified based on the event of decompressing the compressed file that includes the installer.
  • the installer used for installing the target application 30 can be specified based on the event of executing the installer.
  • the route information is composed of various identified information.
  • events that meet certain conditions can be used.
  • The standard directory in which an application is placed is predetermined for each OS and middleware, and writing a file to such a directory is considered to be an event with a high probability of being related to the introduction of the target application 30. So, for example, the agent software detects as a key event an event that writes a file to a standard directory where an application should be located.
  • the introduction of an application often involves updating the registry and predetermined setting files (files containing environment variables, etc.). Therefore, for example, the agent software detects an event of writing to the registry or a predetermined setting file as a key event.
  • application installation is often performed using a known installer (for example, an installer provided as standard in the OS). Therefore, for example, the agent software detects an event representing the execution of such a known installer (an event representing the execution of a predetermined program) as a key event.
  • predetermined conditions used for detecting the key event are stored in advance in a storage device accessible from the agent software.
  • Placement information indicates information about a location (directory, etc.) in which a file (executable file, setting file, etc.) related to the target application 30 is written.
  • the placement information is generated as follows. First, as a premise, record the history of file write events. Then, the agent software described above uses the history of this event to generate placement information. For example, the agent software first detects an event of installer execution. In addition, the agent software identifies file write events made by the installer. Then, the agent software generates placement information indicating the location where the file is written in each specified event.
  • Setting information: depending on the target application 30, changes are made to the registry and existing configuration files with the installation.
  • the setting information represents a change in the setting made with the introduction of the target application 30 in this way.
  • the setting information is generated by using the history of the file write event as well as the arrangement information.
  • the agent software first detects an event of installer execution.
  • Next, the agent software identifies write events made by the installer to the registry and predetermined configuration files. Then, for each identified event, the agent software generates setting information indicating the combination of "identification information (path, etc.) of the file written in the event and the contents of the data written to the file".
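The following Python is an added illustration of the agent-software procedure just described (key-event detection, backward walk through the event history for route information, and collection of placement and setting information from the installer's writes); it is not code from the patent. The event schema, the key-event conditions, the application paths and the whole event history are constructed for this example, and the backward walk also covers an installer that was downloaded directly without a compressed file.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Event:
    """An event as 'subject, object, content' plus one free detail field
    (assumed schema): the download source for 'download', the extracted
    file for 'decompress', and the written data for 'write'."""
    subject: str
    object: str
    content: str
    detail: str = ""


# Predetermined key-event conditions stored for the agent (assumed values).
KNOWN_INSTALLERS = {"installer_I"}
STANDARD_APP_DIRS = ("/opt/", "/usr/local/bin/")
SETTING_TARGETS = ("registry:", "/etc/")


def detect_key_event(history):
    """Return (index, installer name) of the first key event, or None.
    A key event is the execution of a known installer or a file write
    into a standard application directory."""
    for i, ev in enumerate(history):
        if ev.content == "execute" and ev.object in KNOWN_INSTALLERS:
            return i, ev.object
        if ev.content == "write" and ev.object.startswith(STANDARD_APP_DIRS):
            return i, ev.subject  # the writer is treated as the installer
    return None


def route_information(history, key_index, installer):
    """Walk backwards from the key event: find the decompression that produced
    the installer (if any), then the download that produced that file."""
    route = {"installer": installer}
    target = installer  # the file whose origin is currently being traced
    for ev in reversed(history[:key_index]):
        if ev.content == "decompress" and ev.detail == target:
            route["decompression software"] = ev.subject
            target = ev.object  # now trace where the archive came from
        elif ev.content == "download" and ev.object == target:
            route["downloader"] = ev.subject
            route["provider"] = ev.detail
            break
    return route


def placement_and_setting(history, key_index, installer):
    """Placement: directories the installer wrote files into.
    Setting: (path, data) pairs written to the registry or config files."""
    placement, setting = [], []
    for ev in history[key_index:]:
        if ev.subject != installer or ev.content != "write":
            continue
        if ev.object.startswith(SETTING_TARGETS):
            setting.append((ev.object, ev.detail))
        else:
            placement.append(str(PurePosixPath(ev.object).parent))
    return sorted(set(placement)), setting


def generate_record_information(app_id, history):
    """Return table-200-style records: (identification, attribute name, attribute value)."""
    found = detect_key_event(history)
    if found is None:
        return []
    key_index, installer = found
    records = [(app_id, name, value)
               for name, value in route_information(history, key_index, installer).items()]
    placement, setting = placement_and_setting(history, key_index, installer)
    records += [(app_id, "placement information", d) for d in placement]
    records += [(app_id, "setting information", f"{path}={data}") for path, data in setting]
    return records


# Constructed event history for application X introduced on terminal T.
SAMPLE_HISTORY = [
    Event("downloader_D", "F.zip", "download", "https://server-S.example"),
    Event("decompressor_B", "F.zip", "decompress", "installer_I"),
    Event("shell", "installer_I", "execute"),
    Event("installer_I", "/opt/appX/bin/appX", "write", "<binary>"),
    Event("installer_I", "/opt/appX/lib/core.so", "write", "<binary>"),
    Event("installer_I", "registry:HKLM/Software/AppX/Path", "write", "/opt/appX"),
    Event("installer_I", "/etc/appX.conf", "write", "mode=standard"),
    Event("editor", "/home/user/notes.txt", "write", "unrelated write"),
]

if __name__ == "__main__":
    for rec in generate_record_information("application X of terminal T", SAMPLE_HISTORY):
        print(rec)
```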
  • FIG. 7 is a diagram exemplifying the introduction record information in a table format.
  • the table of FIG. 7 is called a table 200.
  • Table 200 has three columns: identification information 202, attribute name 204, and attribute value 206.
  • the identification information 202 represents the identification information of the target application 30.
  • Attribute name 204 represents the type of information such as provider, downloader, decompression software, installer, placement information, and setting information.
  • The attribute value 206 represents the content of the type of information indicated by the attribute name 204.
  • For example, a record showing the set "identification information 202: application A of terminal X, attribute name 204: downloader, attribute value 206: browser X" indicates that browser X was used as the downloader when introducing application A running on terminal X.
  • the generation of the introduction record information does not necessarily have to be performed by the first device 10, but may be performed by the second device 20 or other devices.
  • the device that generates the introduction record information uses the event history recorded for the first device 10 to generate the introduction record information for each application introduced to the first device 10.
  • the timing at which the introduction record information is generated is the timing used for the determination by the determination unit 2020, or an arbitrary timing before that. In the latter case, for example, when a new application is introduced into the first device 10, introduction record information about that application is generated.
  • the method by which the judgment unit 2020 acquires the introduction record information is arbitrary.
  • the determination unit 2020 acquires the introduction record information about the target application 30 from the storage device.
  • the determination unit 2020 may acquire the introduction record information by transmitting the acquisition request of the introduction record information of the target application 30 to the agent software described above.
  • The determination unit 2020 acquires the introduction record information for the target application 30 and compares the acquired introduction record information with the introduction standard information. The introduction standard information used for determining the execution permission / rejection of the target application 30 can also be called a rule, a policy, or the like.
  • the introduction standard information is information that defines the introduction route for a normal application.
  • When such introduction standard information is used, for example, if the degree of agreement between the introduction record information and the introduction standard information is high, it can be determined that the normality of the target application 30 is high.
  • Such introduction standard information is called normal introduction standard information.
  • The normal introduction standard information includes the following information: 1) normal route information, the normal introduction route of the target application 30; 2) normal placement information, the normal placement location of the target application 30; 3) normal setting information, the normal setting accompanying the installation of the target application 30.
  • the normal route information represents information such as normal software, normal hardware, and normal service related to the introduction of the target application 30.
  • the normal route information represents a normal service or hardware (website, storage device, etc.) that is a provider of the target application 30.
  • the normal route information indicates normal software that can be used to install an application, such as a normal installer, a normal decompression software, and a normal downloader.
  • Normal introduction standard information is determined for each application, for example.
  • normal introduction standard information may be defined for each execution environment such as an OS.
  • the normal route information may represent a normal provider or software set.
  • this information is information such as "server S1, downloader D1, installer I1" and the like.
  • Normal placement information indicates a normal location (directory, etc.) where the application should be installed.
  • the location where the application should be installed may be determined for each application or for each execution environment such as the OS.
  • Normal setting information represents the normal setting performed with the introduction of the application.
  • the normal setting information is determined for each application, for example. For example, suppose it is known that a predetermined record R will be added to the registry when application X is introduced. In this case, the normal setting information for the application X indicates "addition of record R to the registry".
  • the introduction standard information may be information that defines an introduction route for an abnormal application.
  • When such introduction standard information is used, for example, if the degree of agreement between the introduction record information and the introduction standard information is high, it can be determined that the degree of abnormality of the target application 30 is high (normality is low).
  • Such introduction standard information is called abnormal introduction standard information.
  • The abnormal introduction standard information may include, for example, the following information: 1) abnormal route information, an abnormal introduction route of the application; 2) abnormal placement information, an abnormal placement location of the application; 3) abnormal setting information, an abnormal setting accompanying the introduction of the application.
  • the details of the abnormal introduction standard information can be basically grasped by exchanging "normal” and "abnormal” in the explanation of the normal introduction standard information.
  • the normal route information indicates normal software that can be used for introducing an application
  • the abnormal route information indicates abnormal software that can be used for introducing an application.
  • The abnormal route information can include the URL of the website from which abnormal software is provided as the source of that software.
  • each attribute value may be associated with the normality (or abnormality) of the attribute value.
  • information such as "attribute name: installer, attribute value: installer I1, normal degree: c1" can be used as introduction reference information.
  • FIG. 8 is a diagram illustrating introduction standard information in a table format.
  • This table is called a table 300.
  • Table 300 includes four columns: identification information 302, attribute name 304, attribute value 306, and normality 308.
  • The identification information 302, the attribute name 304, and the attribute value 306 are the same as the identification information 202, the attribute name 204, and the attribute value 206 in the table 200.
  • A record whose identification information 302 is left blank indicates that it does not depend on the application or the execution environment.
  • Normality 308 represents the normality of the corresponding attribute value.
  • The determination unit 2020 determines whether or not the target application 30 can be executed by comparing the introduction record information with the introduction standard information. For example, the determination unit 2020 calculates an evaluation value representing the normality or abnormality degree of the target application 30 by comparing the introduction record information and the introduction reference information. When the evaluation value represents the normality of the target application 30, for example, the determination unit 2020 permits the execution of the target application 30 if the evaluation value is equal to or more than a predetermined threshold value, and does not permit the execution of the target application 30 if the evaluation value is less than the predetermined threshold value.
  • When the evaluation value represents the degree of abnormality of the target application 30, for example, the determination unit 2020 permits the execution of the target application 30 if the evaluation value is equal to or less than a predetermined threshold value, and does not permit the execution of the target application 30 if the evaluation value is larger than the predetermined threshold value.
  • the evaluation value of the target application 30 is calculated based on, for example, the degree of agreement between the introduction record information and the introduction standard information.
  • various existing techniques can be used as the technique itself for calculating the degree of agreement between the rule or policy (introduction reference information in the present invention) and the actual situation (introduction record information in the present invention).
  • the degree of agreement between the introduction record information and the introduction standard information can be calculated by using the following formula (1) or the like.
  • Here, v represents the evaluation value, E is the set of attribute values shown in the introduction record information, and S is the set of attribute values that match between the introduction record information and the introduction standard information.
  • When the normal introduction standard information is used, the degree of agreement indicates the degree of normality of the target application 30.
  • When the abnormal introduction standard information is used, the degree of agreement represents the degree of abnormality of the target application 30.
  • When the introduction standard information indicates the normality of each attribute value, the integrated value or a statistical value (mean value, median value, mode value, maximum value, minimum value, etc.) of the normality of the attribute values that match between the introduction record information and the introduction standard information can be used as the evaluation value.
  • For example, the evaluation value can be calculated using the following mathematical formula (2) or the like, where w_i is the normality attached to the attribute value i.
  • the introduction standard information indicates the degree of abnormality for each attribute.
  • the integrated value or the statistical value of the abnormality degree of the attribute value that matches between the introduction record information and the abnormality introduction standard information can be used as an evaluation value indicating the abnormality degree of the target application 30.
  • the calculation method is the same as the evaluation value indicating the normality.
  • the determination unit 2020 may use the degree of inconsistency between the introduction record information and the introduction standard information for evaluation. For example, the determination unit 2020 subtracts the evaluation value indicating the degree of disagreement between the introduction record information and the normal introduction standard information from the evaluation value indicating the degree of agreement between the introduction record information and the normal introduction standard information, so that the target application 30 is normal. Calculate the evaluation value that represents the degree. Similarly, for example, the determination unit 2020 subtracts the evaluation value indicating the degree of disagreement between the introduction record information and the abnormality introduction standard information from the evaluation value indicating the degree of agreement between the introduction record information and the abnormality introduction standard information, so that the target application An evaluation value representing the degree of abnormality of 30 may be calculated.
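As an added example (not the patent's own code), the comparison of table-200-style introduction record information against table-300-style introduction standard information, the evaluation values described above, and the threshold decision. Because formulas (1) and (2) are not reproduced on this page, the code assumes |S|/|E| as the degree of agreement, the mean of the matched normality values as the statistic for the weighted form, and |E \ S|/|E| as the degree of disagreement; all table rows are constructed.

```python
from statistics import mean

# Table-300-style reference rows: (identification, attribute name, attribute value, normality).
# An empty identification means the row does not depend on the application.
NORMAL_REFERENCE = [
    ("", "downloader", "browser_X", 0.9),
    ("", "downloader", "curl", 0.6),
    ("", "installer", "installer_I1", 0.8),
    ("application A of terminal X", "provider", "https://vendor.example", 1.0),
    ("application A of terminal X", "placement information", "/opt/appA", 0.9),
    ("application A of terminal X", "setting information", "registry:HKLM/Software/AppA=1", 0.7),
]


def reference_lookup(reference, app_id, name, value):
    """Return the normality of (name, value) for app_id, or None when the
    reference has no matching row (application-specific rows take precedence)."""
    found = None
    for ident, n, v, w in reference:
        if n == name and v == value:
            if ident == app_id:
                return w
            if ident == "":
                found = w
    return found


def evaluate(record, reference, app_id):
    """record: table-200-style rows (identification, attribute name, attribute value).
    Returns (agreement ratio, mean normality of matched values,
             agreement minus disagreement) for app_id."""
    E = {(name, value) for ident, name, value in record if ident == app_id}
    if not E:
        return 0.0, 0.0, 0.0
    matched = {e: reference_lookup(reference, app_id, *e) for e in E}
    S = {e for e, w in matched.items() if w is not None}
    agreement = len(S) / len(E)                   # assumed form of formula (1)
    weighted = mean(matched[e] for e in S) if S else 0.0  # formula (2), mean as statistic
    disagreement = len(E - S) / len(E)
    return agreement, weighted, agreement - disagreement


def permit(value, threshold, represents_normality=True):
    """Threshold decision: a normality value must reach the threshold,
    an abnormality value must not exceed it."""
    return value >= threshold if represents_normality else value <= threshold


# Constructed introduction record information for two applications.
RECORD_A = [
    ("application A of terminal X", "provider", "https://vendor.example"),
    ("application A of terminal X", "downloader", "browser_X"),
    ("application A of terminal X", "decompression software", "unknown_unzip"),
    ("application A of terminal X", "installer", "installer_I1"),
    ("application A of terminal X", "placement information", "/opt/appA"),
    ("application A of terminal X", "setting information", "registry:HKLM/Software/AppA=1"),
]
RECORD_B = [
    ("application B of terminal X", "provider", "http://unlisted.example"),
    ("application B of terminal X", "downloader", "curl"),
    ("application B of terminal X", "installer", "unknown_setup"),
]

if __name__ == "__main__":
    for app, rec in (("application A of terminal X", RECORD_A),
                     ("application B of terminal X", RECORD_B)):
        agree, weighted, net = evaluate(rec, NORMAL_REFERENCE, app)
        print(app, f"agreement={agree:.2f} weighted={weighted:.2f} net={net:.2f}",
              "permit" if permit(agree, 0.5) else "reject")
```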
  • the introduction standard information is manually generated by the IT administrator of the organization that operates the execution control system 2000.
  • the introduction reference information may be automatically generated by the apparatus.
  • the device that generates the introduction reference information may be the first device 10, the second device 20, or any other device.
  • a device that generates introduction reference information will be referred to as a reference information generation device.
  • the reference information generation device is, for example, a computer having the hardware configuration illustrated in FIG. 3 like the first device 10 and the second device 20.
  • the reference information generation device generates introduction reference information based on the results of introduction of the target application 30 in one or more first devices 10 included in the execution control system 2000.
  • introduction route information is generated at the timing when the target application 30 is introduced.
  • the reference information generation device generates the introduction reference information by statistically processing the introduction record information generated so far.
  • the normality of each attribute value is determined to have a positive correlation with the number of introduction record information generated so far that indicates the attribute value.
  • For example, the normality is determined as the value obtained by inputting the above number into a predetermined monotonically non-decreasing function.
  • the number of the first device 10 may be counted instead of the number of introduction record information. That is, the normality of the attribute value is determined so as to have a positive correlation with the number of the first devices 10 for which the introduction record information indicating the attribute value is generated.
  • When generating the introduction reference information indicating the normality, for example, the reference information generator generates the introduction reference information including the combination of the attribute value and the normality for each attribute value whose normality is calculated by the above-mentioned method. When generating the normal introduction reference information, for example, the reference information generator generates the normal introduction reference information including the attribute values whose normality calculated by the above-mentioned method is equal to or higher than a predetermined threshold value. When generating the abnormal introduction reference information, for example, the reference information generator generates the abnormal introduction reference information including the attribute values whose normality calculated by the above-mentioned method is equal to or less than a predetermined threshold value.
  • the threshold value used for generating the normal introduction reference information and the threshold value used for generating the abnormal introduction reference information may be the same or different.
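The statistical generation of introduction reference information described above, as an added example that is not part of the patent: each attribute value's normality is derived from the number of first devices whose introduction record information shows it, through a monotonically non-decreasing function (here assumed to be the fraction of devices), and the normal and abnormal introduction reference information are cut out with two thresholds. The per-device record rows are constructed.

```python
from collections import defaultdict


def normality_from_count(devices_with_value, devices_total):
    """Assumed monotonically non-decreasing mapping: fraction of first devices
    whose introduction record information shows the attribute value."""
    if devices_total == 0:
        return 0.0
    return devices_with_value / devices_total


def generate_reference(records, devices_total, normal_threshold=0.5, abnormal_threshold=0.2):
    """records: rows (device, application, attribute name, attribute value)
    collected from the first devices. Returns (rows with normality,
    normal introduction reference rows, abnormal introduction reference rows),
    each row being (attribute name, attribute value[, normality])."""
    devices_per_value = defaultdict(set)
    for device, _app, name, value in records:
        devices_per_value[(name, value)].add(device)  # count devices, not records
    with_normality = sorted(
        (name, value, normality_from_count(len(devs), devices_total))
        for (name, value), devs in devices_per_value.items())
    normal = [(n, v) for n, v, w in with_normality if w >= normal_threshold]
    abnormal = [(n, v) for n, v, w in with_normality if w <= abnormal_threshold]
    return with_normality, normal, abnormal


# Constructed introduction record information gathered from 10 first devices.
COLLECTED = (
    [(f"terminal {i}", "app A", "downloader", "browser_X") for i in range(9)]
    + [(f"terminal {i}", "app A", "installer", "installer_I1") for i in range(8)]
    + [("terminal 0", "app A", "downloader", "curl"), ("terminal 1", "app C", "downloader", "curl"),
       ("terminal 1", "app C", "downloader", "curl")]   # duplicate record on one device
    + [("terminal 9", "app Z", "provider", "http://unlisted.example")]
)

if __name__ == "__main__":
    rows, normal, abnormal = generate_reference(COLLECTED, devices_total=10)
    print("normality:", rows)
    print("normal:", normal)
    print("abnormal:", abnormal)
```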
  • the reference information generator may determine the normality of each attribute value or the like based on the reputation in the group or external organization in which the execution control system 2000 is operated.
  • The reputation within the group in which the execution control system 2000 is operated can be obtained, for example, by aggregating questionnaires conducted among the members of the group and by collecting information posted on the SNS (Social Networking Service) operated in the group.
  • reputation in external organizations can be collected, for example, by accessing a site that publishes information on malicious software such as malware or a malicious website.
  • The reference information generator collects reputation information about the various attribute values that can be included in the introduction standard information (services and hardware that provide the application, software used for introduction, application placement location, settings accompanying application introduction, and the like).
  • The reference information generator then performs a process of calculating the normality and the degree of abnormality of each attribute value based on the collected reputation information, or a process of determining whether each attribute value is normal or abnormal. Then, the reference information generation device generates introduction reference information based on these processing results.
  • When the target application 30 is a well-known application with high reliability, information on the introduction route and location of the application and the settings made in connection with the introduction of the application may be obtained from a reliable website or the like (for example, it may be published on the website of the provider of the target application 30). Therefore, the reference information generator may generate the introduction reference information by accessing a website or the like that is considered to provide highly reliable information about the introduction of the target application 30 and obtaining the information.
  • the determination unit 2020 acquires the introduction reference information.
  • the determination unit 2020 acquires the introduction reference information from the storage device in which the introduction reference information is stored.
  • the determination unit 2020 may acquire the introduction reference information from the introduction reference information generator.
  • the determination unit 2020 may acquire the introduction reference information by the method described below.
  • FIG. 9 is a diagram illustrating a configuration for managing introduction reference information. In this example, it is premised that the determination unit 2020 is provided in the second device 20.
  • a first storage device 70, which requires a relatively short time to access from the determination unit 2020, and a second storage device 80, which takes a relatively long time to access from the determination unit 2020, are provided.
  • the first storage device 70 is a storage device provided inside the device provided with the determination unit 2020, or a storage device connected to the device provided with the determination unit 2020 via a LAN.
  • the second storage device 80 is a storage device (for example, cloud storage) connected by WAN to the device provided with the determination unit 2020.
  • the introduction reference information can be stored in both the first storage device 70 and the second storage device 80.
  • the introduction reference information stored in the first storage device 70 is referred to as the first introduction reference information
  • the introduction reference information stored in the second storage device 80 is referred to as the second introduction reference information.
  • the first introduction reference information at the start of operation of the reference information generator is, for example, manually generated by the IT administrator.
  • the reference information generation device may update the first introduction reference information based on the results of introduction of the target application 30 in the execution control system 2000.
  • the second introduction reference information is updated as needed by the server 90, which collects information on the Internet.
  • when acquiring the introduction reference information to be compared with the acquired introduction record information, the determination unit 2020 first accesses the first storage device 70 and tries to acquire the first introduction reference information. If the first introduction reference information includes an attribute value that matches the attribute value shown in the introduction record information, the determination unit 2020 uses the first introduction reference information. On the other hand, if an attribute value shown in the introduction record information does not exist in the first introduction reference information, the determination unit 2020 accesses the server 90.
  • the determination unit 2020 sends a request indicating the attribute value to the server 90.
  • the server 90 accesses the second storage device 80 and determines whether or not the attribute value indicated in the request is included in the second introduction reference information.
  • the server 90 transmits a response including the record of the second introduction reference information indicating the attribute value to the determination unit 2020.
  • the determination unit 2020 uses the information contained in the received record to determine whether or not the target application 30 can be executed. Further, the determination unit 2020 adds the record acquired in this way to the first introduction reference information. By doing so, in the next and subsequent evaluations, the same information can be acquired from the first storage device 70 instead of the second storage device 80, so that the information can be acquired more quickly.
  • the server 90 transmits a response indicating that the desired information is not included in the second introduction reference information to the determination unit 2020.
  • a judgment using only the first introduction reference information is referred to as the first determination, and a judgment using the second introduction reference information is referred to as the second determination. That is, if the information in the first introduction reference information is insufficient and it is necessary to acquire the second introduction reference information (by accessing the server 90), the judgment by the determination unit 2020 proceeds from the first determination to the second determination. Therefore, when the second device 20 decides to acquire the second introduction reference information, the second device 20 transmits a notification to the first device 10 that it will "proceed to the second determination".
  • a manual judgment by the IT administrator may be added as a third judgment.
  • two threshold values T1 and T2 (T1 > T2) are set on the domain of the evaluation value indicating normality. In this case, in the second determination, 1) if the evaluation value is T1 or more, the execution of the target application 30 is permitted, 2) if the evaluation value is less than T2, the execution of the target application 30 is not permitted, and 3) if the evaluation value is T2 or more and less than T1, the third determination is performed.
  • a terminal used by the IT administrator or the like (hereinafter, the administrator terminal) is notified that a target application 30 requiring the third determination exists.
  • the IT administrator or the like inputs to the administrator terminal to select whether or not to allow the execution of the target application 30. This input result is treated as the result of the determination by the determination unit 2020.
  • in determining whether or not the target application 30 can be executed, criteria other than the criteria for the introduction of the target application 30 may be used. As other criteria, for example, the following can be used: 1) the creator of the target application 30; 2) the signature of the target application 30 (binary hash value, etc.); 3) the reputation of the target application 30 itself.
  • the normality of the target application 30 is considered to be high.
  • if the signature of the target application 30 matches a signature published for an application whose reliability is guaranteed (for example, one that has been authenticated by a legitimate certificate authority), the normality of the target application 30 is considered to be high.
  • if the signature of the target application 30 introduced in the first device 10 matches the signature of known malware, the normality of the target application 30 is considered to be low.
  • if the target application 30 has a high reputation in the group in which the execution control system 2000 is operated or in an external organization (for example, on the Internet), the normality of the target application 30 is considered to be high.
  • the determination unit 2020 further utilizes these various pieces of information to determine whether or not the target application 30 can be executed.
  • criteria regarding the creator, signature, reputation, etc. of the target application 30 are also added to the reference information. For example, a criterion such as "attribute name: creator, attribute value: xyz.inc".
  • the determination unit 2020 acquires information on the creator, signature, reputation, etc. of the target application 30 in addition to the introduction record information for the target application 30. Then, the determination unit 2020 determines whether or not the target application 30 can be executed by comparing the acquired various information with the reference information.
  • the method of comparing the information about the creator, signature, reputation, etc. acquired for the target application 30 with the information included in the reference information is the same as the method of comparing the introduction record information with the reference information.
  • the determination unit 2020 includes in the evaluation value calculation formulas shown in the above-mentioned formulas (1) and (2) not only the degree of agreement of the information related to the introduction of the target application 30 but also the degree of matching of the creator, signature, reputation, etc.
  • the reference information does not necessarily include the introduction reference information. That is, the determination of whether or not the target application 30 can be executed may be performed using only criteria other than the criteria related to the introduction of the target application 30, such as the criteria for the creator of the target application 30.
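The two-tier lookup of introduction reference information (first storage device 70, then the server 90 in front of the second storage device 80), the caching of fetched records, the hand-off from the first to the second determination, the thresholds T1 > T2 and the comparison of attribute values against reference records are modelled together below. This is an added example written for this page, not code from the patent or from NEC; the evaluation value used here (the share of attributes judged normal) stands in for the page's formulas (1) and (2), which are not reproduced on this page, and every attribute name, value and class name is an assumption.

```python
"""Two-tier reference lookup feeding a staged execution decision.

Added example, not code from the patent or from NEC. It models the
determination unit 2020 looking up "introduction reference information"
first in a fast local store (first storage device 70) and, on a miss, in a
remote store (second storage device 80) through the server 90, caching any
record it fetches, then applying the thresholds T1 > T2. The scoring rule
(share of attributes judged normal) and all attribute names and values are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A reference record: (attribute name, attribute value, judged normal?)
Record = Tuple[str, str, bool]


class FirstStore:
    """First introduction reference information: local, fast to reach."""

    def __init__(self, records: List[Record]) -> None:
        self._records: Dict[Tuple[str, str], bool] = {
            (name, value): normal for name, value, normal in records
        }

    def lookup(self, name: str, value: str) -> Optional[bool]:
        return self._records.get((name, value))

    def add(self, name: str, value: str, normal: bool) -> None:
        self._records[(name, value)] = normal


class Server:
    """Server 90 in front of the second storage device 80 (slow, over a WAN)."""

    def __init__(self, records: List[Record]) -> None:
        self._records: Dict[Tuple[str, str], bool] = {
            (name, value): normal for name, value, normal in records
        }
        self.round_trips = 0  # counted so the caching effect is visible

    def query(self, name: str, value: str) -> Optional[bool]:
        self.round_trips += 1
        # None models the "desired information is not included" response
        return self._records.get((name, value))


@dataclass
class Decision:
    stage: int                # 1 = first determination, 2 = second, 3 = escalated
    verdict: str              # "permit", "deny" or "third_determination"
    score: float
    notifications: List[str] = field(default_factory=list)


class DeterminationUnit:
    def __init__(self, first: FirstStore, server: Server, t1: float, t2: float) -> None:
        if not t1 > t2:
            raise ValueError("T1 must be greater than T2")
        self.first, self.server, self.t1, self.t2 = first, server, t1, t2

    def determine(self, record_info: Dict[str, str]) -> Decision:
        """record_info: attribute name -> value observed at introduction."""
        if not record_info:
            raise ValueError("introduction record information is empty")
        stage, notes = 1, []
        judged: Dict[str, Optional[bool]] = {}
        for name, value in record_info.items():
            normal = self.first.lookup(name, value)
            if normal is None:
                if stage == 1:
                    stage = 2  # first determination cannot decide: go remote
                    notes.append("proceed to the second determination")
                normal = self.server.query(name, value)
                if normal is not None:
                    self.first.add(name, value, normal)  # faster next time
            judged[name] = normal
        # Assumed evaluation value: fraction of attributes judged normal;
        # attributes unknown to both stores count as not normal.
        score = sum(1 for v in judged.values() if v) / len(judged)
        if score >= self.t1:
            verdict = "permit"
        elif score < self.t2:
            verdict = "deny"
        else:
            verdict, stage = "third_determination", 3
            notes.append("notify administrator terminal")
        return Decision(stage, verdict, score, notes)


def build_demo_unit() -> Tuple[DeterminationUnit, Server]:
    """Constructed sample stores; every value here is made up."""
    first = FirstStore([
        ("install_source", "vendor-site", True),
        ("installer", "package-manager", True),
        ("install_path", "/opt/apps", True),
    ])
    server = Server([
        ("install_source", "unknown-mirror", False),
        ("installer", "manual-copy", True),
    ])
    return DeterminationUnit(first, server, t1=0.8, t2=0.4), server


if __name__ == "__main__":
    unit, server = build_demo_unit()
    print(unit.determine({"install_source": "vendor-site",
                          "installer": "manual-copy",
                          "install_path": "/opt/apps"}))
    print("round trips to server 90:", server.round_trips)
```

Running the same record twice shows the point of the caching step on the page: the first call costs one round trip to the server 90 and reports stage 2, the second call is answered entirely from the first store and stays in the first determination. An attribute unknown to both stores is scored as not normal, so a record that is mostly unknown lands below T2 rather than silently passing.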
  • FIG. 10 is a block diagram illustrating the functional configuration of the execution control system 2000 having the output unit 2060.
  • the output unit 2060 is provided in either one or both of the first device 10 and the second device 20.
  • the output information produced by the output unit 2060 is output by the first device 10 to any destination whose contents can be seen by the user of the first device 10.
  • the first device 10 causes a display device connected to the first device 10 to display a screen showing the contents of the output information.
  • the output information includes information on the final result of the determination by the determination unit 2020 and the progress of the determination.
  • the information regarding the final result includes information indicating whether or not the execution of the target application 30 is permitted.
  • Information on the final result is output, for example, at the timing when the determination by the determination unit 2020 is completed.
  • a message or the like that enables the user to understand that the target application 30 can be used normally is output. For example, a message such as "The execution of the target application 30 is permitted. The target application 30 can be used normally."
  • a message or the like that enables the user to understand that the target application 30 cannot be used normally is output. For example, a message such as "The execution of the target application 30 was not permitted. The target application 30 will be terminated."
  • a message is output so that the user can grasp that the execution permission / rejection of the target application 30 is determined. For example, this information is output at the timing when the determination by the determination unit 2020 is started. For example, a message such as "determining whether or not the target application 30 can be executed" is output.
  • the information regarding the progress of the determination is, for example, a message that enables the user to grasp which stage the determination is being made.
  • when the second determination is performed because the execution permission / rejection of the target application 30 cannot be determined in the first determination, a message such as "The first determination is completed. The second determination is started." or "The second determination is being executed." is output.
  • a message such as "The execution permission / rejection of the target application 30 is being determined. The target application 30 is executed in the protected environment." is output.
  • a message or the like that allows the user to understand this is output. For example, a message such as "The execution environment of the target application 30 is changed to the normal environment." is output.
  • the execution control system 2000 determines and controls the execution permission / rejection of the application.
  • the execution control system 2000 may determine and control whether or not to load the shared library in addition to or instead of the application. That is, the execution control system 2000 determines whether or not to load the shared library and controls processing using the shared library in the same manner as the method of determining whether or not to execute the application and controlling the execution of the application.
  • the shared library to be determined and controlled by the execution control system 2000 will be referred to as a target library.
  • the determination of permission / rejection of loading of the target library includes the first determination and the second determination (as described above, three or more determinations may be included), similarly to the determination of permission / rejection of execution of the target application 30.
  • the execution control system 2000 does not load the target library until the first determination is completed. Then, when the first determination cannot determine whether to load the target library and the second determination is performed, the execution control system 2000 loads the target library so that processing using the target library (execution of a function defined in the shared library, etc.) is performed in a protected environment.
  • the target library can be handled in the same manner as the target application 30 in terms of the handling according to the result of the determination by the execution control system 2000. That is, when it is determined that a target library loaded so that its processing is executed in the protected environment is permitted to be loaded, the control unit 2040 causes the process using the target library to be executed in the normal environment (migrates it to the normal environment). Further, when it is determined that a target library loaded so that its processing is executed in the protected environment is not permitted to be loaded, the control unit 2040, for example, unloads the target library.
  • the same criteria can be used for determining whether or not to load the shared library.
  • shared libraries, like applications, are installed on the terminal in some way (for example, installed over the Internet). Therefore, the introduction route of a shared library can be grasped just as for an application. For example, the execution control system 2000 determines whether or not to load the target library by comparing the introduction route of the target library with the criteria for the introduction of shared libraries.
  • the same method as the method of determining the permission / rejection of execution of the target application 30 based on the introduction route of the target application 30 can be adopted.
  • Some or all of the above embodiments may also be described as follows, but are not limited to these.
  • 1. An execution control system having: a determination unit that determines whether or not the operation of the target software is permitted, the determination including a first determination and a second determination performed when the permission or rejection of the operation of the target software cannot be determined by the first determination; and a control unit that operates the target software in a protected environment after the first determination is completed and while the second determination is being performed.
  • 2. The execution control system described in 1., wherein the determination by the determination unit is started at at least one of the time when the operation of the target software is started and the time when the target software is introduced.
  • 3. The execution control system described in 1. or 2., wherein the time required for the second determination is longer than the time required for the first determination.
  • 4. The execution control system described in any one of 1. to 3., wherein data writing performed by the target software operating in the protected environment is performed on a first storage area that cannot be accessed from other software, and the control unit writes the data written in the first storage area to a second storage area accessible from at least one other piece of software.
  • 5. The execution control system described in any one of 1. to 4., wherein when the operation of the target software is permitted, the control unit changes the operating environment of the target software from the protected environment to the normal execution environment.
  • 6. The execution control system described in any one of 1. to 5., wherein when the operation of the target software is not permitted, the control unit terminates the operation of the target software.
  • 7. An execution control method executed by a computer, having: a determination step of determining whether or not the operation of the target software is permitted, the determination including a first determination and a second determination performed when the permission or rejection of the operation of the target software cannot be determined by the first determination; and a control step of operating the target software in a protected environment after the first determination is completed and while the second determination is being performed.
  • 8. The execution control method described in 7., wherein the determination by the determination step is started at at least one of the time when the operation of the target software is started and the time when the target software is introduced.
  • 9. The execution control method described in 7. or 8., wherein the time required for the second determination is longer than the time required for the first determination.
  • 10. The execution control method described in any one of 7. to 9., wherein data writing performed by the target software operating in the protected environment is performed on a first storage area that cannot be accessed from other software, and the data written in the first storage area is written in a second storage area accessible from at least one other piece of software.
  • 11. The execution control method described in any one of 7. to 10., wherein if the operation of the target software is permitted, the operating environment of the target software is changed from the protected environment to the normal execution environment in the control step.
  • 12. The execution control method described in any one of 7. to 11., wherein if the operation of the target software is not permitted, the operation of the target software is terminated in the control step.
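The control-unit side of the scheme, as described for the target library above and in items 4 to 6 and 10 to 12: while the second determination is pending, the target software runs in the protected environment and its writes go to a first storage area that no other software can read; on permission the software is moved to the normal environment and the staged data is written through to the shared second storage area; on rejection the software is terminated (or the library unloaded) and nothing it wrote becomes visible. The following is an added example written for this page, not code from the patent or from NEC; dictionaries stand in for the two storage areas, and the class and method names are assumptions.

```python
"""Protected-environment control with staged writes.

Added example, not code from the patent or from NEC. Models the control
unit 2040: writes made in the protected environment land in a private
first storage area; a permitted target is migrated to the normal
environment and its staged data written through to the shared second
storage area; a rejected target is terminated (application) or unloaded
(library) and its staged data is dropped. Storage areas are dictionaries
and every name here is an assumption.
"""
from typing import Dict, Optional


class TargetRun:
    """One target application or library under control."""

    def __init__(self, name: str, kind: str) -> None:
        if kind not in ("application", "library"):
            raise ValueError("kind must be 'application' or 'library'")
        self.name = name
        self.kind = kind
        self.environment = "protected"        # first determination done, second pending
        self.status = "running"               # running / terminated / unloaded
        self.staging: Dict[str, bytes] = {}   # first storage area: private to this run


class ControlUnit:
    def __init__(self) -> None:
        # Second storage area: what other software on the device can read.
        self.shared_area: Dict[str, bytes] = {}

    def start(self, name: str, kind: str = "application") -> TargetRun:
        """Start the target in the protected environment while the second determination runs."""
        return TargetRun(name, kind)

    def write(self, run: TargetRun, path: str, data: bytes) -> None:
        """Route a write according to the run's current environment."""
        if run.status != "running":
            raise RuntimeError(f"{run.name} is {run.status}")
        if run.environment == "protected":
            run.staging[path] = data          # redirected; invisible to other software
        else:
            self.shared_area[path] = data     # normal environment: direct write

    def visible_to_others(self, path: str) -> Optional[bytes]:
        """What any other software sees at this path."""
        return self.shared_area.get(path)

    def apply_result(self, run: TargetRun, permitted: bool) -> str:
        """Apply the determination result: migrate to normal, or stop the target."""
        if permitted:
            self.shared_area.update(run.staging)  # write-through of the staged data
            run.staging.clear()
            run.environment = "normal"
        else:
            run.staging.clear()                   # nothing from the rejected run leaks
            run.status = "unloaded" if run.kind == "library" else "terminated"
        return f"{run.name}: {run.status} in {run.environment} environment"


if __name__ == "__main__":
    cu = ControlUnit()
    app = cu.start("target-application-30")
    cu.write(app, "report.txt", b"draft")
    print("visible before decision:", cu.visible_to_others("report.txt"))
    print(cu.apply_result(app, permitted=True))
    print("visible after permission:", cu.visible_to_others("report.txt"))
```

The check worth keeping in mind is the one between `write` and `apply_result`: anything written before the decision is readable by other software only after a permit, and a rejected target can neither write again nor leave staged data behind.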

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Stored Programmes (AREA)
  • Storage Device Security (AREA)
PCT/JP2019/025414 2019-06-26 2019-06-26 Execution control system, execution control method, and program Ceased WO2020261438A1 (ja)

Priority Applications (4)

Application Number Priority Date Filing Date Title
PCT/JP2019/025414 WO2020261438A1 (ja) 2019-06-26 2019-06-26 Execution control system, execution control method, and program
JP2021528745A JP7255681B2 (ja) 2019-06-26 2019-06-26 Execution control system, execution control method, and program
US17/619,314 US20220366035A1 (en) 2019-06-26 2019-06-26 Execution control system, execution control method, and program
JP2023052782A JP2023078441A (ja) 2019-06-26 2023-03-29 Execution control system, execution control method, and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2019/025414 WO2020261438A1 (ja) 2019-06-26 2019-06-26 Execution control system, execution control method, and program

Publications (1)

Publication Number Publication Date
WO2020261438A1 true WO2020261438A1 (ja) 2020-12-30

Family

ID=74061072

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/025414 Ceased WO2020261438A1 (ja) 2019-06-26 2019-06-26 Execution control system, execution control method, and program

Country Status (3)

Country Link
US (1) US20220366035A1
JP (2) JP7255681B2
WO (1) WO2020261438A1

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007074565A1 (ja) * 2005-12-27 2007-07-05 Nec Corporation Program execution control method and device, and execution control program
US20080120611A1 (en) * 2006-10-30 2008-05-22 Jeffrey Aaron Methods, systems, and computer program products for controlling software application installations
JP2010079906A (ja) * 2008-09-26 2010-04-08 Symantec Corp Method and apparatus for reducing false detection of malware
JP2013540303A (ja) * 2010-08-25 2013-10-31 Lookout, Inc. System and method for server-coupled malware prevention
JP2014021929A (ja) * 2012-07-23 2014-02-03 Toshiba Corp Information processing apparatus and control method

Also Published As

Publication number Publication date
JP7255681B2 (ja) 2023-04-11
US20220366035A1 (en) 2022-11-17
JPWO2020261438A1 2020-12-30
JP2023078441A (ja) 2023-06-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19934673

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2021528745

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19934673

Country of ref document: EP

Kind code of ref document: A1