WO2021161418A1 - Information processing device, information processing method, and information processing program - Google Patents


Info

Publication number
WO2021161418A1
Authority
WO
WIPO (PCT)
Prior art keywords
hash value
page data
guest
rewriting
information processing
Prior art date
Application number
PCT/JP2020/005343
Other languages
French (fr)
Japanese (ja)
Inventor
山田 竜也
佳子 塩本
Original Assignee
三菱電機株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 三菱電機株式会社
Priority to JP2021564898A (JP7004478B2)
Priority to PCT/JP2020/005343 (WO2021161418A1)
Publication of WO2021161418A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • This disclosure relates to tampering detection.
  • Generally, secure boot is effective for verifying that the OS (Operating System) has not been tampered with when the OS is started. In secure boot, it is verified whether or not the hash value calculated from the OS image when the OS is read from the storage matches the stored genuine hash value. Secure boot is also effective for detecting tampering with a guest OS in a hypervisor environment. However, a guest OS is duplicated and restarted more frequently than an OS in a bare-metal environment. Therefore, secure boot at the restart of a guest OS needs to be sped up.
  • The simply designed secure boot has the problem that the delay at the time of restarting the OS is large.
  • In this regard, there is a technique disclosed in Patent Document 1 for reducing the time required for secure boot.
  • In Patent Document 1, each time the OS is started, one partial program whose hash value is to be verified is selected from among the partial programs into which the OS is divided. Then, the hash value of the selected partial program is calculated. Further, it is determined whether or not the calculated hash value matches the correct partial hash value, which is the correct hash value of that partial program. If the calculated hash value and the correct partial hash value match, the system startup process is continued.
  • In the technique of Patent Document 1, when the OS is started, the hash value is calculated only for one predetermined partial program, and the calculated hash value is compared with the correct partial hash value. Therefore, when the OS is restarted after a temporary rewriting process has been performed on some OS page data, the technique of Patent Document 1 verifies, using a hash value, only the OS page data that happens to be the target of the hash calculation. That is, in the technique of Patent Document 1, the OS page data that has been rewritten is not verified using a hash value. Therefore, the technique of Patent Document 1 has the problem that even if the original data (the data on the storage) of the rewritten OS page data is falsified, the falsification cannot be detected.
  • One of the main purposes of this disclosure is to solve the above problems. More specifically, the main purpose of the present disclosure is to obtain a configuration capable of detecting falsification of the original data of the OS page data that has been rewritten.
  • The information processing device according to the present disclosure calculates, when a rewriting process to any OS page data is detected during the operation of the OS (Operating System), the hash value of the pre-rewrite OS page data, which is that OS page data before the rewriting, as the pre-rewrite hash value.
  • Figure showing a hardware configuration example of the information processing apparatus according to Embodiment 1.
  • Figure showing a functional configuration example of the information processing apparatus according to Embodiment 1.
  • Figure showing an example of the hash value table according to Embodiment 1.
  • Flowchart showing an operation example of the information processing apparatus according to Embodiment 1.
  • Flowchart showing an operation example of the information processing apparatus according to Embodiment 1.
  • Flowchart showing an operation example of the information processing apparatus according to Embodiment 1.
  • Flowchart showing an operation example of the information processing apparatus according to Embodiment 1.
  • Flowchart showing an operation example of the information processing apparatus according to Embodiment 2.
  • Flowchart showing an operation example of the information processing apparatus according to Embodiment 3.
  • Flowchart showing an operation example of the information
  • FIG. 1 shows a hardware configuration example of the information processing apparatus 100 according to the present embodiment.
  • the information processing device 100 is a computer.
  • the operation procedure of the information processing device 100 corresponds to the information processing method.
  • the program that realizes the operation of the information processing device 100 corresponds to the information processing program.
  • the information processing device 100 includes a processor 101, a RAM (Random Access Memory) 103, a storage 104, an I / O (Input / Output) device 105, and a secure area 106.
  • the processor 101, RAM 103, storage 104, I / O device 105, and secure area 106 are connected by a bus 102.
  • the processor 101 is an arithmetic unit that controls the information processing device 100.
  • the processor 101 is, for example, a CPU (Central Processing Unit), a DSP (Digital Signal Processor), or the like.
  • the information processing device 100 may include a plurality of processors 101.
  • the RAM 103 is a volatile storage device in which programs, stacks, variables, etc. running on the processor 101 are stored.
  • the storage 104 is a non-volatile storage device that stores programs, data, and the like.
  • the storage 104 is, for example, an SSD (Solid State Drive), an HDD (Hard Disk Drive), or the like.
  • the I / O device 105 is an interface for connecting an external device such as a display and a keyboard.
  • the secure area 106 is a device used for storing a key or the like used for encryption, speeding up an encryption process, or the like.
  • The secure area 106 is realized by an HSM (Hardware Security Module) or the like. Further, the secure area 106 may be directly connected to the processor 101 without passing through the bus 102, depending on the SoC (System-on-a-Chip) configuration. In this embodiment, the secure area 106 is used to store the hash value for secure boot. Even when the secure area 106 stores the hash value as in the present embodiment, the secure area 106 may be connected to the bus 102 or directly connected to the processor 101.
  • In FIG. 1, an example in which the processor 101, the RAM 103, the storage 104, the I / O device 105, and the secure area 106 are connected by the bus 102 is shown, but the processor 101, the RAM 103, the storage 104, the I / O device 105, and the secure area 106 may be connected in another connection form.
  • FIG. 2 shows an example of a functional configuration of the information processing apparatus 100 according to the present embodiment.
  • the information processing device 100 is a virtual machine having a hypervisor configuration.
  • the hypervisor 203 is operating in the RAM 103.
  • the hypervisor 203 includes a start processing unit 2031, a hash value calculation unit 2032, and a hash value comparison unit 2033. Details of the start processing unit 2031, the hash value calculation unit 2032, and the hash value comparison unit 2033 will be described later.
  • the guest OS kernel 202 operates on the hypervisor 203.
  • the guest OS kernel 202 is managed as guest OS page data which is a memory page.
  • the guest OS kernel 202 is managed as guest OS page data 2021 to 2026.
  • the guest OS kernel 202 loaded in the RAM 103 is stored in the storage 104 as the guest OS kernel 201.
  • the data formats of the guest OS kernel 201 stored in the storage 104 and the guest OS kernel 202 deployed on the RAM may differ depending on the recording method and the loading method.
  • the hash value storage area 204 of the secure area 106 stores the hash value for confirming the authenticity of the entire guest OS kernel 201 in the storage 104.
  • the hash value for confirming the authenticity of the entire guest OS kernel 201 stored in the hash value storage area 204 is hereinafter referred to as a collation hash value.
  • the hash value table 205 of the storage 104 stores the hash value (hash value before rewriting described later) and the address of the OS page data of the guest OS kernel 202 expanded in the RAM 103.
  • the boot processing unit 2031 performs boot processing and restart processing of the guest OS kernel 202.
  • the booting of the guest OS kernel 202 means the booting of the guest OS kernel 202 after the operation of the guest OS kernel 202 is completed without rewriting any of the guest OS page data.
  • restarting the guest OS kernel 202 means starting the guest OS kernel 202 when any of the guest OS page data is rewritten and the guest OS kernel 202 is rebooted.
  • the start processing unit 2031 corresponds to the replacement processing unit.
  • the hash value calculation unit 2032 calculates the hash value.
  • The hash value calculation unit 2032 applies a cryptographic hash function to calculate a hash value. Specifically, when the guest OS kernel 202 is started, the hash value calculation unit 2032 calculates the hash value of the entire guest OS kernel 201 as the startup hash value. Further, when a rewriting process to any guest OS page data is detected during the operation of the guest OS kernel 202, the hash value calculation unit 2032 calculates the hash value of the pre-rewrite guest OS page data, which is that guest OS page data before the rewriting, as the pre-rewrite hash value.
  • the hash value calculation unit 2032 calculates the hash value of the guest OS page data before rewriting loaded from the storage 104 into the RAM 103 as the restart hash value when the guest OS kernel 202 is restarted.
  • the hash value calculation unit 2032 corresponds to the activation hash value calculation unit, the pre-rewrite hash value calculation unit, and the restart hash value calculation unit.
  • When the guest OS kernel 202 is started, the hash value comparison unit 2033 compares the startup hash value calculated by the hash value calculation unit 2032 with the collation hash value stored in the hash value storage area 204. When the startup hash value and the collation hash value match, the hash value comparison unit 2033 permits the boot of the guest OS kernel 202 to continue. On the other hand, when they do not match, the hash value comparison unit 2033 stops the boot of the guest OS kernel 202. Further, when the guest OS kernel 202 is restarted, the hash value comparison unit 2033 compares the restart hash value calculated by the hash value calculation unit 2032 with the pre-rewrite hash value stored in the hash value table 205.
  • When the restart hash value and the pre-rewrite hash value match, the hash value comparison unit 2033 permits the restart of the guest OS kernel 202 to continue.
  • When they do not match, the hash value comparison unit 2033 stops the restart of the guest OS kernel 202.
  • FIG. 3 shows an example of the hash value table 205 shown in FIG.
  • In the hash value table 205, entries for the guest OS page data that has been rewritten are managed. Specifically, each entry consists of an index, an address on the memory, and a pre-rewrite hash value.
  • the index is the identifier of the entry.
  • the address on the memory is the address of the RAM 103 in which the guest OS page data to which the rewriting process has been performed exists.
  • the hash value before rewriting is a hash value before rewriting of the guest OS page data that has been rewritten, which is generated by the hash value calculation unit 2032.
  • An index is generally given in a database; the hash value table 205 need not have an index.
  • It is assumed that a hash value (collation hash value) obtained by applying a cryptographic hash function to the entire guest OS kernel 201 image is stored in the hash value storage area 204.
  • This collation hash value can be generated when the guest OS kernel 201 image is created in the development environment, or can be calculated when the guest OS kernel 201 image is deployed to the information processing apparatus 100.
  • FIG. 4 shows an operation example of the information processing apparatus 100 according to the present embodiment. More specifically, FIG. 4 shows an operation flow from the start of the information processing device 100, through the occurrence of a rewriting process (COW (Copy-On-Write)) to guest OS page data, to the occurrence of a reboot.
  • the information processing device 100 is activated (step S300), and the hypervisor 203 is activated (step S301). That is, the program that realizes the hypervisor 203 is loaded from the storage 104 into the RAM 103, and the processor 101 starts the hypervisor 203.
  • the hash value calculation unit 2032 calculates the hash value (startup hash value) of the entire guest OS kernel 201 image (step S302).
  • the hash value comparison unit 2033 compares the matching hash value stored in the hash value storage area 204 with the activation hash value (step S303).
  • If the collation hash value and the startup hash value do not match, the startup processing unit 2031 performs secure boot processing such as stopping the startup processing according to a predetermined policy (step S304).
  • If they match in step S303, the boot processing unit 2031 continues the boot process of the guest OS kernel 202 (step S305).
  • When a rewriting process (COW) to any guest OS page data occurs (TRUE in step S307) while the guest OS kernel 202 is in steady operation (step S306), the hypervisor 203 traps the rewriting process (the access to the guest OS page data) (step S308).
  • the hash value calculation unit 2032 calculates the pre-rewrite hash value of the pre-rewrite guest OS page data in the RAM 103 using the cryptographic hash function (step S309).
  • the hash value calculation unit 2032 associates the hash value before rewriting calculated in step S309 with the memory address of the guest OS page data that has undergone rewriting processing and stores it in the hash value table 205 (step S310).
  • The procedure of steps S307 to S310 is repeated every time guest OS page data is rewritten (step S312).
  • If the pre-rewrite hash value of the guest OS page data already exists in the hash value table 205, the hash value calculation unit 2032 does not update the pre-rewrite hash value. That is, the pre-rewrite hash value first registered in the hash value table 205 is maintained.
  • FIG. 5 shows an operation example of the information processing apparatus 100 after the reboot occurs.
  • the boot processing unit 2031 starts the restart process of the guest OS kernel 202 (step S313).
  • the RAM 103 is not cleared in order to speed up the restart. That is, when the guest OS kernel 202 is restarted, the guest OS page data 2021 to 2026 before the restart are left in the RAM 103. That is, the guest OS page data after rewriting by the rewriting process is also left in the RAM 103.
  • the area where the guest OS page data after rewriting is stored is called a COW area.
  • the area of the guest OS page data 2026 is the COW area.
  • the startup processing unit 2031 loads the guest OS page data before rewriting of the COW area from the storage 104 to the RAM 103 (step S314).
  • the startup processing unit 2031 loads the guest OS page data 2026 before rewriting from the storage 104.
  • the hash value calculation unit 2032 calculates the restart hash value (step S315).
  • the hash value calculation unit 2032 calculates the hash value of the guest OS page data 2026 before rewriting loaded in step S314 as the restart hash value.
  • the hash value comparison unit 2033 reads the hash value before rewriting from the hash value table 205 (step S316).
  • the hash value calculation unit 2032 searches the hash value table 205 using the memory address of the guest OS page data 2026 as a key, and acquires the hash value before rewriting of the guest OS page data 2026.
  • the hash value comparison unit 2033 compares the restart hash value calculated in step S315 with the pre-rewrite hash value acquired in step S316 (step S317).
  • step S317 If the restart hash value and the hash value before rewriting do not match (FALSE in step S317), the boot processing unit 2031 stops restarting the guest OS kernel 202 (step S321). In step S321, for example, the same operation as in step S304 is performed.
  • If the restart hash value and the pre-rewrite hash value match (TRUE in step S317), the startup processing unit 2031 replaces the post-rewrite guest OS page data of the COW area with the pre-rewrite guest OS page data loaded in step S314 (step S318).
  • That is, the post-rewrite guest OS page data 2026 of the COW area is replaced with the pre-rewrite guest OS page data 2026.
  • If there is a COW area for which the processing from step S314 onward has not yet been performed (FALSE in step S319), the processing from step S314 onward is performed for it. On the other hand, if the processing from step S314 onward has been performed for all COW areas (TRUE in step S319), the boot processing unit 2031 continues the restart process of the guest OS kernel 202 (step S320).
  • the restart hash value and the hash value before rewriting are compared with respect to the guest OS page data that has been rewritten when the guest OS is restarted. Therefore, according to the present embodiment, it is possible to detect falsification of the guest OS page data that has been rewritten to the original data (data on the storage).
  • the guest OS page data before the guest OS is restarted is left in the RAM 103.
  • Further, since reading from the storage at the time of restart is limited to the guest OS page data that has been rewritten, the guest OS can be restarted at high speed.
  • Further, hash values are compared only for the guest OS page data that has been rewritten, and no hash value comparison is made for the guest OS page data that has not been rewritten. From this point as well, the guest OS can be restarted at high speed.
  • In the technique of Patent Document 1, it is necessary to store the correct hash values of all guest OS page data.
  • In the present embodiment, only the pre-rewrite hash values of the guest OS page data that has been rewritten need to be stored in the storage, so that the storage capacity can be reduced.
  • Embodiment 2 In this embodiment, the difference from the first embodiment will be mainly described. The matters not explained below are the same as those in the first embodiment.
  • The pre-rewrite guest OS page data of all COW areas need not be loaded into the RAM 103 when the guest OS is restarted. That is, after the guest OS is restarted, the pre-rewrite guest OS page data may be loaded on demand when it becomes necessary.
  • In the present embodiment, an example in which the pre-rewrite guest OS page data is loaded on demand after such a restart of the guest OS will be described.
  • FIG. 6 shows an operation example of the information processing apparatus 100 according to the present embodiment.
  • FIG. 6 corresponds to FIG. 5 described in the first embodiment. That is, the information processing apparatus 100 according to the present embodiment implements the flow shown in FIG. 6 when a reboot occurs in step S311 of FIG.
  • In the first embodiment, the startup processing unit 2031 loads the pre-rewrite guest OS page data of the COW area from the storage in step S314 at the time of restart.
  • In the present embodiment, the pre-rewrite guest OS page data of the COW area is loaded from the storage on demand, as follows.
  • When access to the COW area occurs while the guest OS kernel 202 is in steady operation (step S322), the hypervisor 203 traps the access to the COW area (step S323).
  • the startup processing unit 2031 loads the guest OS page data before rewriting the COW area from the storage 104 to the RAM 103 (step S314).
  • the hash value calculation unit 2032 calculates the restart hash value (step S315).
  • the hash value comparison unit 2033 reads the hash value before rewriting from the hash value table 205 (step S316).
  • the hash value comparison unit 2033 compares the restart hash value calculated in step S315 with the pre-rewrite hash value acquired in step S316 (step S317).
  • If the restart hash value and the pre-rewrite hash value do not match (FALSE in step S317), the boot processing unit 2031 stops the guest OS kernel 202 (step S324). In step S324, for example, the same operation as in step S304 is performed.
  • If they match (TRUE in step S317), the startup processing unit 2031 replaces the post-rewrite guest OS page data of the COW area with the pre-rewrite guest OS page data loaded in step S314 (step S318). After that, the process returns to step S322, and the steady operation of the guest OS kernel 202 continues.
  • the guest OS can be restarted at high speed, and the storage capacity can be reduced.
  • Embodiment 3 In this embodiment, the differences from the first and second embodiments will be mainly described. Items not described below are the same as those in the first and second embodiments.
  • In the first and second embodiments, the information processing apparatus 100 is a virtual machine using a hypervisor.
  • In the present embodiment, the information processing device 100 is realized by a boot loader and a bare-metal OS.
  • FIG. 7 shows an example of the functional configuration of the information processing apparatus 100 according to the present embodiment.
  • The hardware configuration example of the information processing device 100 according to the present embodiment is the same as that in FIG. 1.
  • the boot loader 208 is deployed and operates as a boot loader 209 on the RAM 103 when the information processing apparatus 100 is started.
  • the boot loader 209 includes a boot processing unit 2091, a hash value calculation unit 2092, and a hash value comparison unit 2093.
  • the startup processing unit 2091 performs the same processing as the startup processing unit 2031.
  • the startup processing unit 2091 also corresponds to the replacement processing unit.
  • the hash value calculation unit 2092 performs the same processing as the start processing unit 2031.
  • the hash value calculation unit 2092 also corresponds to the activation hash value calculation unit, the pre-rewrite hash value calculation unit, and the restart hash value calculation unit.
  • the hash value comparison unit 2093 performs the same processing as the hash value comparison unit 2033.
  • the OS kernel 210 is loaded into the RAM 103 and operates as the OS kernel 211.
  • the OS kernel 211 is managed as OS page data, which is a memory page, in the RAM 103.
  • the OS kernel 211 is managed as OS page data 2111 to 2116. Since the other elements of FIG. 7 are the same as those shown in FIG. 2, the description thereof will be omitted.
  • It is assumed that the hash value (collation hash value) obtained by applying the cryptographic hash function to the entire OS kernel 210 image is stored in the hash value storage area 204.
  • This matching hash value can be generated at the time of creating the OS kernel 210 image in the development environment, or can be calculated at the time of deploying the OS kernel 210 image to the information processing apparatus 100.
  • FIG. 8 shows an operation example of the information processing apparatus 100 according to the present embodiment. More specifically, it shows an operation flow from the start of the information processing apparatus 100, through the occurrence of a rewriting process (COW) to OS page data, to the occurrence of a reboot.
  • The information processing device 100 is started (step S300), the boot loader 208 is loaded into the RAM 103, and the boot loader 209 is executed (step S400).
  • The hash value calculation unit 2092 calculates the hash value (startup hash value) of the entire OS kernel image 209 (step S401).
  • the hash value comparison unit 2093 compares the matching hash value stored in the hash value storage area 204 with the activation hash value (step S402).
  • If the collation hash value and the startup hash value do not match, the startup processing unit 2091 performs secure boot processing such as stopping the startup processing according to a predetermined policy (step S403).
  • If they match in step S402, the boot processing unit 2091 continues the boot process of the OS kernel 211 (step S404). Then, the OS kernel 211 transitions to a state of waiting for an external trigger input, as performed by a general OS (step S405).
  • the hash value calculation unit 2092 uses the cryptographic hash function to calculate the pre-rewrite hash value of the pre-rewrite OS page data in the RAM 103 (step S408).
  • the hash value calculation unit 2092 associates the hash value before rewriting calculated in step S408 with the memory address of the OS page data that has undergone rewriting processing and stores it in the hash value table 205 (step S409).
  • The procedure of steps S406 to S409 is repeated every time OS page data is rewritten.
  • If the pre-rewrite hash value of the OS page data already exists in the hash value table 205, the hash value calculation unit 2092 does not update the pre-rewrite hash value. That is, the pre-rewrite hash value first registered in the hash value table 205 is maintained.
  • When a reboot is to be performed (step S410), the startup processing unit 2091 invalidates the MMU entries for the memory addresses in the hash value table 205 (step S411), and the process proceeds to FIG. 9 (step S412).
  • FIG. 8 describes the operation procedure in the order of step S405, step S406, and step S410; however, if the OS kernel 211 is implemented in an event-driven manner, it is also possible to transition directly from step S405 to step S410.
  • FIG. 9 shows an operation example of the information processing apparatus 100 after the reboot occurs.
  • the boot processing unit 2091 starts the reboot process of the OS kernel 211 (step S413).
  • the RAM 103 is not cleared in order to speed up the restart. That is, when the OS kernel 211 is restarted, the OS page data 2111 to 2116 before the restart are left in the RAM 103. That is, the OS page data after rewriting by the rewriting process is also left in the RAM 103. Therefore, the boot processing unit 2091 boots the OS kernel 211 using the OS page data remaining in the RAM 103. Then, the OS kernel 211 transitions to steady operation (step S414).
  • When access to the COW area occurs, the MMU traps the access to the COW area by a page fault (step S415).
  • the boot processing unit 2091 loads the OS page data before rewriting of the COW area from the storage 104 to the RAM 103 (step S416).
  • the hash value calculation unit 2092 calculates the restart hash value (step S417).
  • the hash value comparison unit 2093 reads the hash value before rewriting from the hash value table 205 (step S418).
  • the hash value comparison unit 2093 compares the restart hash value calculated in step S417 with the pre-rewrite hash value acquired in step S418 (step S419).
  • If the restart hash value and the pre-rewrite hash value do not match (FALSE in step S419), the boot processing unit 2091 stops the OS kernel 211 (step S421). In step S421, for example, the same operation as in step S403 is performed.
  • When the restart hash value and the pre-rewrite hash value match (TRUE in step S419), the startup processing unit 2091 replaces the post-rewrite OS page data of the COW area with the pre-rewrite OS page data loaded in step S416 and updates the MMU entry (step S420). After that, the process returns to step S414, and the steady operation of the OS kernel 211 continues.
  • the OS can be restarted at high speed, and the storage capacity can be reduced.
  • The programs that realize the functions of the startup processing unit 2031, the hash value calculation unit 2032, the hash value comparison unit 2033, the startup processing unit 2091, the hash value calculation unit 2092, and the hash value comparison unit 2093 may be stored in a portable recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disc, a Blu-ray® disc, or a DVD.
  • Further, a portable recording medium storing a program that realizes the functions of the startup processing unit 2031, the hash value calculation unit 2032, the hash value comparison unit 2033, the startup processing unit 2091, the hash value calculation unit 2092, and the hash value comparison unit 2093 may be distributed.
  • The "unit" of the startup processing unit 2031, the hash value calculation unit 2032, the hash value comparison unit 2033, the startup processing unit 2091, the hash value calculation unit 2092, and the hash value comparison unit 2093 may be read as "circuit", "process", "procedure", or "processing". Further, the information processing device 100 may be realized by a processing circuit.
  • The processing circuit is, for example, a logic IC (Integrated Circuit), a GA (Gate Array), an ASIC (Application Specific Integrated Circuit), or an FPGA (Field-Programmable Gate Array).
  • The superordinate concept of the processor and the processing circuit is referred to as "processing circuitry". That is, the processor and the processing circuit are each specific examples of the "processing circuitry".
  • Reference signs: 100 information processing device, 101 processor, 102 bus, 103 RAM, 104 storage, 105 I / O device, 106 secure area, 201 guest OS kernel, 202 guest OS kernel, 203 hypervisor, 204 hash value storage area, 205 hash value table, 208 boot loader, 209 boot loader, 210 OS kernel, 211 OS kernel, 2021 to 2026 guest OS page data, 2031 startup processing unit, 2032 hash value calculation unit, 2033 hash value comparison unit, 2111 to 2116 OS page data, 2091 startup processing unit, 2092 hash value calculation unit, 2093 hash value comparison unit.
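The restart-time verification described in Embodiments 1 to 3 (FIG. 4 to FIG. 9), as an added example that is not part of the patent and not Mitsubishi Electric's implementation: a Python model in which a `Hypervisor` class plays the start processing unit, the hash value calculation unit and the hash value comparison unit. It assumes SHA-256 as the cryptographic hash function, a constructed six-page kernel image standing in for the guest OS kernel 201, and a `pending` set that stands in both for the hypervisor trap on the COW area (FIG. 6) and for the invalidated MMU entries of the boot loader variant (FIG. 8 and FIG. 9); the class, function and scenario names are the example's own. The two scenario functions exercise the property the disclosure is after: a rewritten page whose storage copy is intact is restored on restart, while a rewritten page whose storage copy has been falsified is rejected, either at restart (eager, FIG. 5) or at first access (on demand, FIG. 6).

```python
import hashlib
from typing import Dict, List, Optional, Set

PAGE_SIZE = 64  # constructed page size for the example; real pages are 4 KiB or larger


def page_hash(data: bytes) -> bytes:
    """Cryptographic hash used by the hash value calculation unit (SHA-256 is assumed)."""
    return hashlib.sha256(data).digest()


def make_kernel_image(n_pages: int) -> List[bytes]:
    """Constructed stand-in for the kernel image on storage: one fixed byte pattern per page."""
    return [bytes([0x10 + i]) * PAGE_SIZE for i in range(n_pages)]


class Hypervisor:
    """Models the start processing unit, hash value calculation unit and hash value comparison unit."""

    def __init__(self, storage: List[bytes], collation_hash: bytes) -> None:
        self.storage = storage                    # guest OS kernel 201 on storage 104
        self.collation_hash = collation_hash      # hash value storage area 204 in secure area 106
        self.ram: List[bytes] = []                # guest OS kernel 202 as page data in RAM 103
        self.hash_table: Dict[int, bytes] = {}    # hash value table 205: address -> pre-rewrite hash
        self.pending: Set[int] = set()            # COW areas not yet verified after a restart

    def boot(self) -> bool:
        """Steps S302 to S305: hash the whole image, compare with the collation hash, then load it."""
        startup_hash = page_hash(b"".join(self.storage))
        if startup_hash != self.collation_hash:
            return False                          # step S304: stop the boot according to policy
        self.ram = list(self.storage)
        return True

    def write_page(self, addr: int, new_data: bytes) -> None:
        """Steps S307 to S310: trap the COW, record the pre-rewrite hash once, then apply the write."""
        if addr not in self.hash_table:           # the first registered hash is kept (step S310)
            self.hash_table[addr] = page_hash(self.ram[addr])
        self.ram[addr] = new_data

    def verify_cow_area(self, addr: int) -> bool:
        """Steps S314 to S318: reload the original page, compute the restart hash, compare, replace."""
        reloaded = self.storage[addr]
        if page_hash(reloaded) != self.hash_table[addr]:
            return False                          # step S321 (or S324): stop the restart
        self.ram[addr] = reloaded                 # step S318: post-rewrite page replaced
        self.pending.discard(addr)
        return True

    def restart(self, on_demand: bool = False) -> bool:
        """RAM is not cleared. Eagerly verify every COW area (FIG. 5) or defer to first access (FIG. 6)."""
        self.pending = set(self.hash_table)
        if on_demand:
            return True
        return all(self.verify_cow_area(addr) for addr in sorted(self.pending))

    def access(self, addr: int) -> Optional[bytes]:
        """Steady-operation access: a not-yet-verified COW area is trapped and verified first (S322, S323)."""
        if addr in self.pending and not self.verify_cow_area(addr):
            return None                           # verification failed: the OS would be stopped here
        return self.ram[addr]


def deploy(n_pages: int = 6) -> Hypervisor:
    """Collation hash computed at deployment time and placed in the secure area."""
    image = make_kernel_image(n_pages)
    return Hypervisor(storage=image, collation_hash=page_hash(b"".join(image)))


def scenario_clean_restart(on_demand: bool) -> bool:
    """Two writes to one page, storage intact: the restart succeeds and the page is restored."""
    hv = deploy()
    if not hv.boot():
        return False
    hv.write_page(5, b"A" * PAGE_SIZE)
    hv.write_page(5, b"B" * PAGE_SIZE)            # second COW on the same page keeps the first hash
    restored = hv.restart(on_demand=on_demand) and hv.access(5) == hv.storage[5]
    return restored and len(hv.hash_table) == 1


def scenario_tampered_storage(on_demand: bool) -> bool:
    """The storage copy of a rewritten page is altered before the restart: the mismatch is detected."""
    hv = deploy()
    if not hv.boot():
        return False
    hv.write_page(5, b"A" * PAGE_SIZE)
    hv.storage[5] = b"\x00" * PAGE_SIZE           # constructed falsification of the original data
    if on_demand:
        return hv.restart(on_demand=True) and hv.access(5) is None
    return not hv.restart()


if __name__ == "__main__":
    for mode in (False, True):
        print("on_demand=%s clean=%s tampered=%s" % (
            mode, scenario_clean_restart(mode), scenario_tampered_storage(mode)))
```

Because the RAM is not cleared and only the addresses listed in the hash value table 205 are reloaded, the cost of a restart in this model grows with the number of COW areas rather than with the image size. The scope limit stated for the embodiments also holds in the model: a page that was never rewritten is never reloaded from storage after the initial boot, so falsification of its storage copy is outside what this path checks.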

Abstract

If a rewriting process to guest operating system (OS) page data is detected while a guest OS is running, a hash value calculation unit (2032) calculates, as a pre-rewrite hash value, a hash value of the pre-rewrite guest OS page data, that is, the original guest OS page data before the rewriting. Further, the hash value calculation unit (2032) calculates, as a reboot hash value, a hash value of the pre-rewrite guest OS page data when the pre-rewrite guest OS page data has been loaded from a storage (104) into a RAM (103) at the time of rebooting the guest OS. A hash value comparison unit (2033) compares the pre-rewrite hash value and the reboot hash value.

Description

Information processing device, information processing method, and information processing program
The present disclosure relates to tampering detection.
Generally, secure boot is effective for verifying, when an OS (Operating System) is started, that the OS has not been tampered with. In secure boot, it is verified whether the hash value calculated from the OS image when the OS is read from storage matches a stored genuine hash value. Secure boot is also effective for detecting tampering with a guest OS in a hypervisor environment. However, a guest OS is duplicated and restarted far more frequently than an OS in a bare metal environment. Therefore, secure boot needs to be faster when a guest OS is restarted.
In a simply designed secure boot, as described above, the hash value of the entire OS image stored in the storage is compared with the stored genuine hash value, and the authenticity of the OS image is thereby verified. For this reason, a simply designed secure boot has the problem that the delay when the OS is restarted is large.
In this regard, the technique disclosed in Patent Document 1 is a technique for reducing the time required for secure boot.
In Patent Document 1, each time the OS is started, one partial program to be subjected to hash value verification is selected from among a plurality of partial programs into which the OS is divided. Then, the hash value of the selected partial program is calculated. Further, it is determined whether the calculated hash value matches the correct partial hash value, which is the correct hash value of that partial program. If the calculated hash value matches the correct partial hash value, the system start processing is continued.
Japanese Unexamined Patent Publication No. 2015-022521
In the technique of Patent Document 1, when the OS is started, a hash value is calculated only for the one partial program predetermined as the hash value calculation target, and the calculated hash value is compared with the correct partial hash value.
For this reason, when the OS is restarted after a temporary rewriting process has been performed on some OS page data, the technique of Patent Document 1 performs verification using a hash value only for the OS page data that is the hash value calculation target. That is, in the technique of Patent Document 1, verification using a hash value is not performed for the OS page data on which the rewriting process was performed.
Therefore, the technique of Patent Document 1 has the problem that even if the original data (the data on the storage) of the OS page data on which the rewriting process was performed has been tampered with, that tampering cannot be detected.
One of the main objects of the present disclosure is to solve the problems described above. More specifically, the main object of the present disclosure is to obtain a configuration capable of detecting tampering with the original data of OS page data on which a rewriting process has been performed.
The information processing device according to the present disclosure includes:
a pre-rewrite hash value calculation unit that, when a rewriting process to any OS page data is detected during operation of an OS (Operating System), calculates, as a pre-rewrite hash value, a hash value of pre-rewrite OS page data, which is the OS page data before the rewriting;
a restart hash value calculation unit that calculates, as a restart hash value, a hash value of the pre-rewrite OS page data loaded from a storage into a memory either at the time of restarting the OS or after the restart of the OS; and
a hash value comparison unit that compares the pre-rewrite hash value with the restart hash value.
According to the present disclosure, tampering with the original data of OS page data on which a rewriting process has been performed can be detected.
FIG. 1 is a diagram showing a hardware configuration example of the information processing device according to Embodiment 1.
FIG. 2 is a diagram showing a functional configuration example of the information processing device according to Embodiment 1.
FIG. 3 is a diagram showing an example of the hash value table according to Embodiment 1.
FIG. 4 is a flowchart showing an operation example of the information processing device according to Embodiment 1.
FIG. 5 is a flowchart showing an operation example of the information processing device according to Embodiment 1.
FIG. 6 is a flowchart showing an operation example of the information processing device according to Embodiment 2.
FIG. 7 is a diagram showing a functional configuration example of the information processing device according to Embodiment 3.
FIG. 8 is a flowchart showing an operation example of the information processing device according to Embodiment 3.
FIG. 9 is a flowchart showing an operation example of the information processing device according to Embodiment 3.
Hereinafter, embodiments will be described with reference to the drawings. In the following description of the embodiments and in the drawings, elements given the same reference numerals denote the same or corresponding parts.
Embodiment 1.
*** Explanation of configuration ***
FIG. 1 shows a hardware configuration example of the information processing device 100 according to the present embodiment.
The information processing device 100 is a computer.
The operation procedure of the information processing device 100 corresponds to an information processing method. Further, a program that realizes the operation of the information processing device 100 corresponds to an information processing program.
As shown in FIG. 1, the information processing device 100 includes a processor 101, a RAM (Random Access Memory) 103, a storage 104, an I/O (Input/Output) device 105, and a secure area 106. The processor 101, the RAM 103, the storage 104, the I/O device 105, and the secure area 106 are connected by a bus 102.
The processor 101 is an arithmetic device that controls the information processing device 100. The processor 101 is, for example, a CPU (Central Processing Unit) or a DSP (Digital Signal Processor). The information processing device 100 may include a plurality of processors 101.
The RAM 103 is a volatile storage device in which the programs being executed on the processor 101, stacks, variables, and the like are stored.
The storage 104 is a non-volatile storage device in which programs, data, and the like are stored. The storage 104 is, for example, an SSD (Solid State Drive) or an HDD (Hard Disk Drive).
The I/O device 105 is an interface for connecting external devices such as a display and a keyboard.
The secure area 106 is a device used for storing keys and the like used in encryption, for speeding up encryption processing, and so on. The secure area 106 is realized by an HSM (Hardware Security Module) or the like.
Further, depending on the SoC (System-on-a-Chip) configuration, the secure area 106 may be directly connected to the processor 101 without going through the bus 102.
In the present embodiment, the secure area 106 is used to store the hash value for secure boot. Even when the secure area 106 stores the hash value as in the present embodiment, the secure area 106 may be connected to the bus 102 or directly connected to the processor 101.
Here, an example is shown in which the processor 101, the RAM 103, the storage 104, the I/O device 105, and the secure area 106 are connected by the bus 102, but the processor 101, the RAM 103, the storage 104, the I/O device 105, and the secure area 106 may be connected by another connection form.
FIG. 2 shows a functional configuration example of the information processing device 100 according to the present embodiment.
In the present embodiment, the information processing device 100 is a virtual machine with a hypervisor configuration.
In FIG. 2, a hypervisor 203 is operating in the RAM 103. The hypervisor 203 includes a start processing unit 2031, a hash value calculation unit 2032, and a hash value comparison unit 2033. Details of the start processing unit 2031, the hash value calculation unit 2032, and the hash value comparison unit 2033 will be described later.
Further, in the RAM 103, a guest OS kernel 202 operates on the hypervisor 203. In the RAM 103, the guest OS kernel 202 is managed as guest OS page data, which are memory pages. In FIG. 2, the guest OS kernel 202 is managed as guest OS page data 2021 to 2026.
The guest OS kernel 202 loaded into the RAM 103 is stored in the storage 104 as a guest OS kernel 201. The guest OS kernel 201 stored in the storage 104 and the guest OS kernel 202 deployed in the RAM may differ in data format depending on the recording method and the loading method.
A hash value storage area 204 of the secure area 106 stores a hash value for confirming the authenticity of the entire guest OS kernel 201 in the storage 104. The hash value stored in the hash value storage area 204 for confirming the authenticity of the entire guest OS kernel 201 is hereinafter referred to as the collation hash value.
A hash value table 205 of the storage 104 stores the hash values (the pre-rewrite hash values described later) and the addresses of the OS page data of the guest OS kernel 202 deployed in the RAM 103.
The start processing unit 2031 performs start processing and restart processing of the guest OS kernel 202.
Note that starting the guest OS kernel 202 refers to starting the guest OS kernel 202 after the operation of the guest OS kernel 202 has ended without a rewriting process having been performed on any guest OS page data. On the other hand, restarting the guest OS kernel 202 refers to starting the guest OS kernel 202 when a rewriting process has been performed on some guest OS page data and the guest OS kernel 202 is rebooted.
The start processing unit 2031 corresponds to a replacement processing unit.
The hash value calculation unit 2032 calculates hash values. The hash value calculation unit 2032 calculates a hash value by applying a cryptographic hash function.
Specifically, when the guest OS kernel 202 is started, the hash value calculation unit 2032 calculates the hash value of the entire guest OS kernel 201 as a start hash value.
Further, when a rewriting process to any guest OS page data is detected during operation of the guest OS kernel 202, the hash value calculation unit 2032 calculates, as a pre-rewrite hash value, the hash value of the pre-rewrite guest OS page data, which is the guest OS page data before the rewriting.
Furthermore, when the guest OS kernel 202 is restarted, the hash value calculation unit 2032 calculates, as a restart hash value, the hash value of the pre-rewrite guest OS page data loaded from the storage 104 into the RAM 103.
The hash value calculation unit 2032 corresponds to the start hash value calculation unit, the pre-rewrite hash value calculation unit, and the restart hash value calculation unit.
When the guest OS kernel 202 is started, the hash value comparison unit 2033 compares the start hash value calculated by the hash value calculation unit 2032 with the collation hash value stored in the hash value storage area 204. When the start hash value and the collation hash value match, the hash value comparison unit 2033 permits the start of the guest OS kernel 202 to continue. On the other hand, when the start hash value and the collation hash value do not match, the hash value comparison unit 2033 stops the start of the guest OS kernel 202.
Further, when the guest OS kernel 202 is restarted, the hash value comparison unit 2033 compares the restart hash value calculated by the hash value calculation unit 2032 with the pre-rewrite hash value stored in the hash value table 205. When the restart hash value and the pre-rewrite hash value match, the hash value comparison unit 2033 permits the restart of the guest OS kernel 202 to continue. On the other hand, when the restart hash value and the pre-rewrite hash value do not match, the hash value comparison unit 2033 stops the restart of the guest OS kernel 202.
FIG. 3 shows an example of the hash value table 205 shown in FIG. 2.
In the hash value table 205, entries for the guest OS page data on which a rewriting process has been performed are managed.
Specifically, each entry consists of an index, an address in memory, and a pre-rewrite hash value. The index is the identifier of the entry. The address in memory is the address in the RAM 103 at which the guest OS page data on which the rewriting process was performed exists. The pre-rewrite hash value is the pre-rewrite hash value of the guest OS page data on which the rewriting process was performed, as generated by the hash value calculation unit 2032.
Note that an index is something generally assigned in databases. The hash value table 205 need not have an index.
*** Explanation of operation ***
Next, the operation of the information processing device 100 according to the present embodiment will be described.
As a premise for the operation of the information processing device 100, it is assumed that a hash value (the collation hash value) obtained by applying a cryptographic hash function to the entire image of the guest OS kernel 201 is stored in the hash value storage area 204. This collation hash value can be generated at the time the image of the guest OS kernel 201 is created in the development environment, or it can be calculated at the time the image of the guest OS kernel 201 is deployed to the information processing device 100.
FIG. 4 shows an operation example of the information processing device 100 according to the present embodiment.
More specifically, FIG. 4 shows the operation flow from the start of the information processing device 100, through the occurrence of a rewriting process (COW (Copy-On-Write)) to guest OS page data, until a reboot occurs.
First, the information processing device 100 starts (step S300), and the hypervisor 203 starts (step S301). That is, the program that realizes the hypervisor 203 is loaded from the storage 104 into the RAM 103, and the hypervisor 203 is started by the processor 101.
In the hypervisor 203, the hash value calculation unit 2032 calculates the hash value (start hash value) of the entire image of the guest OS kernel 201 (step S302).
Then, the hash value comparison unit 2033 compares the collation hash value stored in the hash value storage area 204 with the start hash value (step S303).
If the start hash value and the collation hash value do not match (FALSE in step S303), the start processing unit 2031 performs secure boot processing, such as stopping the start processing, in accordance with a predetermined policy (step S304).
On the other hand, if the start hash value and the collation hash value match (TRUE in step S303), the start processing unit 2031 continues the start processing of the guest OS kernel 202 (step S305).
While the guest OS kernel 202 is in steady operation (step S306), if a rewrite (COW) to any guest OS page data occurs (TRUE in step S307), the hypervisor 203 traps the occurrence of the rewrite (COW), that is, the access to the guest OS page data (step S308).
Then, the hash value calculation unit 2032 calculates the pre-rewrite hash value of the pre-rewrite guest OS page data in the RAM 103 using the cryptographic hash function (step S309).
After that, the hash value calculation unit 2032 associates the pre-rewrite hash value calculated in step S309 with the memory address of the guest OS page data that underwent the rewriting process and stores them in the hash value table 205 (step S310).
Note that, in parallel with steps S309 and S310, the guest OS page data targeted by the rewrite is rewritten.
If no reboot occurs, the procedure of steps S307 to S310 is repeated each time a rewrite of guest OS page data occurs.
Note that when a further rewrite occurs in guest OS page data that has already been rewritten, the pre-rewrite hash value of that guest OS page data already exists in the hash value table 205. In this case, the hash value calculation unit 2032 does not update the pre-rewrite hash value. That is, the pre-rewrite hash value first registered in the hash value table 205 is maintained.
When a reboot occurs (TRUE in step S311), the processing proceeds to FIG. 5 (step S312).
FIG. 5 shows an operation example of the information processing device 100 after a reboot has occurred.
When a reboot occurs (TRUE in step S311), the start processing unit 2031 starts the restart processing of the guest OS kernel 202 (step S313). Note that, in order to speed up the restart, the RAM 103 is not cleared. That is, when the guest OS kernel 202 is restarted, the guest OS page data 2021 to 2026 from before the restart remain in the RAM 103. In other words, the guest OS page data after rewriting by the rewriting process also remain in the RAM 103. The area in which the rewritten guest OS page data are stored is called a COW area. If a rewriting process occurred on the guest OS page data 2026 of FIG. 2, the area of the guest OS page data 2026 is a COW area.
If the hypervisor 203 supports reloading of COW areas, the start processing unit 2031 loads the pre-rewrite guest OS page data of the COW area from the storage 104 into the RAM 103 (step S314).
If a rewriting process occurred on the guest OS page data 2026 of FIG. 2, the start processing unit 2031 loads the pre-rewrite guest OS page data 2026 from the storage 104.
Next, the hash value calculation unit 2032 calculates the restart hash value (step S315).
In the above example, the hash value calculation unit 2032 calculates the hash value of the pre-rewrite guest OS page data 2026 loaded in step S314 as the restart hash value.
Next, the hash value comparison unit 2033 reads the pre-rewrite hash value from the hash value table 205 (step S316).
In the above example, the hash value calculation unit 2032 searches the hash value table 205 using the memory address of the guest OS page data 2026 as the key and acquires the pre-rewrite hash value of the guest OS page data 2026.
Next, the hash value comparison unit 2033 compares the restart hash value calculated in step S315 with the pre-rewrite hash value acquired in step S316 (step S317).
If the restart hash value and the pre-rewrite hash value do not match (FALSE in step S317), the start processing unit 2031 stops the restart of the guest OS kernel 202 (step S321). In step S321, for example, the same operation as in step S304 is performed.
On the other hand, if the restart hash value and the pre-rewrite hash value match (TRUE in step S317), the start processing unit 2031 replaces the rewritten guest OS page data of the COW area with the pre-rewrite guest OS page data loaded in step S314 (step S318).
In the above example, the rewritten guest OS page data 2026 of the COW area is replaced with the pre-rewrite guest OS page data 2026.
If there is a COW area for which the processing from step S314 onward has not yet been performed (FALSE in step S319), the processing from step S314 onward is performed for it.
On the other hand, if the processing from step S314 onward has been performed for all COW areas (TRUE in step S319), the start processing unit 2031 continues the restart processing of the guest OS kernel 202 (step S320).
*** Explanation of the effect of the embodiment ***
As described above, in the present embodiment, when the guest OS is restarted, the restart hash value and the pre-rewrite hash value are compared for the guest OS page data on which a rewriting process was performed. Therefore, according to the present embodiment, tampering with the original data (the data on the storage) of the guest OS page data on which a rewriting process was performed can be detected.
Further, in the present embodiment, when the guest OS is restarted, the guest OS page data from before the restart of the guest OS remain in the RAM 103. In the present embodiment, reading from the storage at the time of restart is limited to the guest OS page data that underwent a rewriting process, so the guest OS can be restarted at high speed.
Further, in the present embodiment, when the guest OS is restarted, hash values are compared only for the guest OS page data on which a rewriting process was performed, and no hash value comparison is performed for guest OS page data on which no rewriting process was performed. From this point as well, the guest OS can be restarted at high speed.
For example, in Patent Document 1, the correct hash values of all guest OS page data must be stored. In contrast, in the present embodiment, only the pre-rewrite hash values of the pre-rewrite guest OS page data need to be stored in the storage, so the storage capacity can be reduced.
Embodiment 2.
In the present embodiment, mainly the differences from Embodiment 1 will be described.
Matters not described below are the same as in Embodiment 1.
Depending on the design of the hypervisor or the guest OS, there are cases in which the pre-rewrite guest OS page data of all COW areas need not be loaded into the RAM 103 at the time the guest OS is started. That is, there are cases in which, after the guest OS is restarted, the pre-rewrite guest OS page data are loaded on demand when loading of the pre-rewrite guest OS page data becomes necessary.
In the present embodiment, an example in which the pre-rewrite guest OS page data are loaded on demand after such a restart of the guest OS will be described.
FIG. 6 shows an operation example of the information processing device 100 according to the present embodiment.
FIG. 6 corresponds to FIG. 5 described in Embodiment 1. That is, the information processing device 100 according to the present embodiment carries out the flow shown in FIG. 6 when a reboot occurs in step S311 of FIG. 4.
In FIG. 5, the start processing unit 2031 loads the pre-rewrite guest OS page data of the COW area from the storage in step S314 during the restart processing of the guest OS. In FIG. 6, on the other hand, the pre-rewrite guest OS page data of the COW area are loaded from the storage after the start processing of the guest OS has completed and while the guest OS is in steady operation.
While the guest OS kernel 202 is in steady operation (step S322), if an access to a COW area occurs, the hypervisor 203 traps the access to the COW area (step S323).
Next, the start processing unit 2031 loads the pre-rewrite guest OS page data of the COW area from the storage 104 into the RAM 103 (step S314).
Next, the hash value calculation unit 2032 calculates the restart hash value (step S315).
Next, the hash value comparison unit 2033 reads the pre-rewrite hash value from the hash value table 205 (step S316).
Next, the hash value comparison unit 2033 compares the restart hash value calculated in step S315 with the pre-rewrite hash value acquired in step S316 (step S317).
If the restart hash value and the pre-rewrite hash value do not match (FALSE in step S317), the start processing unit 2031 stops the guest OS kernel 202 (step S324). In step S324, for example, the same operation as in step S304 is performed.
On the other hand, if the restart hash value and the pre-rewrite hash value match (TRUE in step S317), the start processing unit 2031 replaces the rewritten guest OS page data of the COW area with the pre-rewrite guest OS page data read in step S314 (step S318).
After that, the processing returns to step S322, and the steady operation of the guest OS kernel 202 continues.
 本実施の形態によれば、ゲストOSの再起動後にも、書換え処理が行われたゲストOSページデータの元データ(ストレージ上のデータ)への改ざんを検出することができる。また、本実施の形態でも、ゲストOSの再起動を高速に行うことができ、更に、ストレージ容量の削減も可能である。 According to this embodiment, it is possible to detect falsification of the guest OS page data that has been rewritten to the original data (data on the storage) even after the guest OS is restarted. Further, also in this embodiment, the guest OS can be restarted at high speed, and the storage capacity can be reduced.
Embodiment 3.
In this embodiment, the differences from the first and second embodiments are mainly described.
Items not described below are the same as in the first and second embodiments.
In the first and second embodiments, an example was described in which the information processing apparatus 100 is a virtual machine running on a hypervisor.
In this embodiment, the information processing apparatus 100 is realized by a boot loader and a bare-metal OS.
*** Explanation of configuration ***
FIG. 7 shows an example of the functional configuration of the information processing apparatus 100 according to the present embodiment. The hardware configuration example of the information processing apparatus 100 according to the present embodiment is the same as in FIG. 1.
The boot loader 208 is loaded into the RAM 103 when the information processing apparatus 100 starts and operates there as the boot loader 209.
The boot loader 209 includes a startup processing unit 2091, a hash value calculation unit 2092, and a hash value comparison unit 2093.
The startup processing unit 2091 performs the same processing as the startup processing unit 2031. The startup processing unit 2091 also corresponds to the replacement processing unit.
The hash value calculation unit 2092 performs the same processing as the hash value calculation unit 2032. The hash value calculation unit 2092 also corresponds to the startup hash value calculation unit, the pre-rewrite hash value calculation unit, and the restart hash value calculation unit.
The hash value comparison unit 2093 performs the same processing as the hash value comparison unit 2033.
In the present embodiment, it is assumed that the data in the RAM 103 is not erased when the information processing apparatus 100 performs a soft reset.
In this embodiment, the OS kernel 210 is loaded into the RAM 103 and operates as the OS kernel 211. In the RAM 103, the OS kernel 211 is managed as OS page data, that is, as memory pages. In FIG. 7, the OS kernel 211 is managed as OS page data 2111 to 2116.
The other elements of FIG. 7 are the same as those shown in FIG. 2, and their description is omitted.
*** Explanation of operation ***
Next, the operation of the information processing apparatus 100 according to the present embodiment is described.
In this embodiment as well, it is a precondition for the operation of the information processing apparatus 100 that a hash value (collation hash value) obtained by applying a cryptographic hash function to the entire OS kernel 210 image is stored in the hash value storage area 204. This collation hash value can be generated when the OS kernel 210 image is built in the development environment, or calculated when the OS kernel 210 image is deployed to the information processing apparatus 100. Since the check at startup is only as trustworthy as this stored value, the hash value storage area 204 must be protected from the same tampering that the check is meant to detect.
FIG. 8 shows an operation example of the information processing apparatus 100 according to the present embodiment.
More specifically, FIG. 8 shows the operation flow from the start of the information processing apparatus 100, through the occurrence of a rewriting process (COW) on OS page data, to the occurrence of a reboot.
First, the information processing apparatus 100 starts (step S300), the boot loader 208 is loaded into the RAM 103, and the boot loader 209 is executed (step S400).
Next, the hash value calculation unit 2092 calculates the hash value of the entire OS kernel 210 image (startup hash value) (step S401).
Then, the hash value comparison unit 2093 compares the collation hash value stored in the hash value storage area 204 with the startup hash value (step S402).
If the startup hash value and the collation hash value do not match (FALSE in step S402), the startup processing unit 2091 performs secure boot processing, such as stopping the startup process, in accordance with a predetermined policy (step S403).
If the startup hash value and the collation hash value match (TRUE in step S402), the startup processing unit 2091 continues the startup processing of the OS kernel 211 (step S404).
The OS kernel 211 then transitions to the state, common to general-purpose OSs, of waiting for an external trigger input (step S405).
If a rewrite (COW) of any OS page data occurs (TRUE in step S406) while the OS kernel 211 is in steady operation (step S405), the MMU (Memory Management Unit) traps the occurrence of the rewrite, that is, the access to the OS page data (step S407).
Then, the hash value calculation unit 2092 uses the cryptographic hash function to calculate the pre-rewrite hash value of the OS page data before rewriting, which is still in the RAM 103 (step S408).
After that, the hash value calculation unit 2092 stores the pre-rewrite hash value calculated in step S408 in the hash value table 205 in association with the memory address of the OS page data that underwent the rewriting process (step S409).
In parallel with steps S408 and S409, the OS page data targeted by the rewriting process is rewritten; the hash value in step S408 is taken from the page contents before the write is applied.
If no reboot occurs, steps S406 to S409 are repeated each time OS page data is rewritten.
If OS page data that has already been rewritten is rewritten again, a pre-rewrite hash value for that OS page data already exists in the hash value table 205. In this case, the hash value calculation unit 2092 does not update the pre-rewrite hash value; that is, the pre-rewrite hash value first registered in the hash value table 205 is retained.
When a reboot occurs (TRUE in step S410), the startup processing unit 2091 invalidates the MMU entries for the memory addresses listed in the hash value table 205 (step S411), and the process proceeds to FIG. 9 (step S412). Although FIG. 8 shows the operation in the order step S405, step S406, step S410, the OS kernel 211 is implemented in an event-driven manner, so a direct transition from step S405 to step S410 is also possible.
FIG. 9 shows an operation example of the information processing apparatus 100 after a reboot occurs.
When a reboot occurs (TRUE in step S410), the startup processing unit 2091 starts the restart processing of the OS kernel 211 (step S413). To speed up the restart, the RAM 103 is not cleared. That is, when the OS kernel 211 is restarted, the OS page data 2111 to 2116 from before the restart remain in the RAM 103, including the OS page data after rewriting by the rewriting process.
The startup processing unit 2091 therefore starts the OS kernel 211 using the OS page data remaining in the RAM 103.
The OS kernel 211 then transitions to steady operation (step S414).
If an access to a COW area occurs while the OS kernel 211 is in steady operation, the MMU traps the access to the COW area by way of a page fault, because the MMU entry for that address was invalidated in step S411 (step S415).
Next, the startup processing unit 2091 loads the OS page data before rewriting of that COW area from the storage 104 into the RAM 103 (step S416).
Next, the hash value calculation unit 2092 calculates the restart hash value, that is, the hash value of the OS page data just loaded (step S417).
Next, the hash value comparison unit 2093 reads the pre-rewrite hash value for that COW area from the hash value table 205 (step S418).
Next, the hash value comparison unit 2093 compares the restart hash value calculated in step S417 with the pre-rewrite hash value acquired in step S418 (step S419).
If the restart hash value and the pre-rewrite hash value do not match (FALSE in step S419), the startup processing unit 2091 stops the OS kernel 211 (step S421). In step S421, for example, the same operation as in step S403 is performed.
If the restart hash value and the pre-rewrite hash value match (TRUE in step S419), the startup processing unit 2091 replaces the OS page data after rewriting of the COW area with the OS page data before rewriting that was loaded in step S416, and updates the MMU entry (step S420).
The process then returns to step S414, and the steady operation of the OS kernel 211 continues.
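The two on-demand flows above (FIG. 6 in the second embodiment, FIGS. 8 and 9 in this one) follow the same pattern: hash the whole image at cold boot, record a per-address pre-rewrite hash on the first COW of each page, keep RAM across the reboot, and re-verify a page only when a fault brings it back from storage. The following is an added illustrative model of that pattern, not code from the patent or from Mitsubishi Electric: RAM 103, storage 104, the hash value table 205 and the MMU are plain Python objects, SHA-256 stands in for the unspecified cryptographic hash function, and the page size, the kernel image, the `Device` and `run_scenario` names and the tampered bytes are all constructed for the demonstration.

```python
"""
Model of the page-integrity scheme of FIGS. 8 and 9 (and the on-demand reload
of FIG. 6).  Added illustrative code, not the patent's own: RAM, storage,
the hash value table and the MMU are simulated, and SHA-256 stands in for
the cryptographic hash function the patent leaves unspecified.
"""
import hashlib

PAGE_SIZE = 16  # assumption: tiny pages keep the demo readable


def page_hash(data: bytes) -> str:
    """Cryptographic hash of one page (or of the whole image)."""
    return hashlib.sha256(data).hexdigest()


class IntegrityHalt(Exception):
    """Raised where the patent stops the kernel (steps S403 and S421)."""


class Device:
    def __init__(self, kernel_image: bytes):
        assert len(kernel_image) % PAGE_SIZE == 0
        # storage 104: the on-disk kernel image, addressed page by page
        self.storage = {addr: kernel_image[addr:addr + PAGE_SIZE]
                        for addr in range(0, len(kernel_image), PAGE_SIZE)}
        # hash value storage area 204: collation hash fixed at build/deploy time
        self.collation_hash = page_hash(kernel_image)
        self.ram = {}            # RAM 103: address -> page contents
        self.hash_table = {}     # hash value table 205: address -> pre-rewrite hash
        self.mmu_valid = set()   # addresses whose MMU entry is valid
        self.halted = False

    def cold_boot(self) -> None:
        """Steps S400-S404: verify the whole image before running it."""
        image = b"".join(self.storage[a] for a in sorted(self.storage))
        if page_hash(image) != self.collation_hash:        # S401, S402
            self.halted = True
            raise IntegrityHalt("startup hash != collation hash")  # S403
        self.ram = dict(self.storage)                      # S404
        self.mmu_valid = set(self.ram)

    def write_page(self, addr: int, new_data: bytes) -> None:
        """Steps S406-S409: trap a rewrite and record the pre-rewrite hash."""
        if self.halted or addr not in self.mmu_valid:
            raise IntegrityHalt("write to non-resident page or halted kernel")
        # S408/S409: hash the page *before* the write lands, and only on the
        # first rewrite of this address; later rewrites keep the first hash
        if addr not in self.hash_table:
            self.hash_table[addr] = page_hash(self.ram[addr])
        self.ram[addr] = new_data

    def warm_reboot(self) -> None:
        """Steps S410-S413: RAM is retained; COW pages lose their MMU entry."""
        for addr in self.hash_table:                       # S411
            self.mmu_valid.discard(addr)

    def read_page(self, addr: int) -> bytes:
        """Steps S415-S420: page-fault path that re-verifies a COW page."""
        if self.halted:
            raise IntegrityHalt("kernel stopped")
        if addr not in self.mmu_valid:                     # S415: trap
            reloaded = self.storage[addr]                  # S416
            restart_hash = page_hash(reloaded)             # S417
            if restart_hash != self.hash_table[addr]:      # S418, S419
                self.halted = True
                raise IntegrityHalt(f"page {addr:#x} on storage was altered")  # S421
            self.ram[addr] = reloaded                      # S420: replace page
            self.mmu_valid.add(addr)                       #       and fix MMU entry
        return self.ram[addr]


def run_scenario(tamper_storage: bool) -> str:
    """Boot, rewrite one page twice, reboot, then touch the page again.
    Returns 'restored' when the original page comes back from storage and
    'halted' when the restart hash exposes a modified on-disk page."""
    kernel = bytes(range(64))                  # constructed 4-page image
    dev = Device(kernel)
    dev.cold_boot()
    dev.write_page(16, b"A" * PAGE_SIZE)       # first rewrite: hash recorded
    dev.write_page(16, b"B" * PAGE_SIZE)       # second rewrite: first hash kept
    dev.warm_reboot()
    if tamper_storage:
        dev.storage[16] = b"\x90" * PAGE_SIZE  # attacker edits the on-disk page
    try:
        page = dev.read_page(16)
    except IntegrityHalt:
        return "halted"
    return "restored" if page == kernel[16:32] else "unexpected"


if __name__ == "__main__":
    print(run_scenario(tamper_storage=False))  # restored
    print(run_scenario(tamper_storage=True))   # halted
```

The model makes two properties of the scheme visible. Keeping only the first pre-rewrite hash is what makes the comparison in step S419 meaningful, because that hash is the one that matches the page as it exists on storage; a hash of a later rewrite would never match a clean reload. And the check only protects storage: the hash value table 205 and the collation hash in area 204 are trusted inputs, so an attacker who can rewrite them alongside the image defeats both comparisons.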
*** Explanation of the effect of the embodiment ***
As described above, according to the present embodiment, tampering with the original data (the data on storage) of OS page data that has undergone rewriting processing can be detected even in an information processing apparatus 100 realized by a boot loader and a bare-metal OS.
In this embodiment as well, the OS can be restarted quickly, and the storage capacity required can be reduced.
The first to third embodiments have been described above; two or more of these embodiments may be combined and implemented.
Alternatively, one of these embodiments may be implemented in part.
Alternatively, two or more of these embodiments may be combined in part and implemented.
The configurations and procedures described in these embodiments may also be modified as necessary.
*** Supplementary explanation of hardware configuration ***
Finally, a supplementary explanation of the hardware configuration of the information processing apparatus 100 is given.
Information, data, signal values and variable values indicating the processing results of the startup processing unit 2031, the hash value calculation unit 2032, the hash value comparison unit 2033, the startup processing unit 2091, the hash value calculation unit 2092 and the hash value comparison unit 2093 are stored in at least one of the RAM 103, the storage 104, and the registers and cache memory in the processor 101.
The programs that realize the functions of the startup processing unit 2031, the hash value calculation unit 2032, the hash value comparison unit 2033, the startup processing unit 2091, the hash value calculation unit 2092 and the hash value comparison unit 2093 may be stored on a portable recording medium such as a magnetic disk, flexible disk, optical disc, compact disc, Blu-ray (registered trademark) disc, or DVD, and such a portable recording medium may be distributed.
The "unit" in the startup processing unit 2031, the hash value calculation unit 2032, the hash value comparison unit 2033, the startup processing unit 2091, the hash value calculation unit 2092 and the hash value comparison unit 2093 may also be read as "circuit", "step", "procedure" or "process".
The information processing apparatus 100 may also be realized by a processing circuit. The processing circuit is, for example, a logic IC (Integrated Circuit), a GA (Gate Array), an ASIC (Application Specific Integrated Circuit), or an FPGA (Field-Programmable Gate Array).
In this specification, the generic concept covering both the processor and the processing circuit is referred to as "processing circuitry".
That is, the processor and the processing circuit are each specific examples of "processing circuitry".
100 information processing apparatus, 101 processor, 102 bus, 103 RAM, 104 storage, 105 I/O device, 106 secure area, 201 guest OS kernel, 202 guest OS kernel, 203 hypervisor, 204 hash value storage area, 205 hash value table, 208 boot loader, 209 boot loader, 210 OS kernel, 211 OS kernel, 2021 guest OS page data, 2022 guest OS page data, 2023 guest OS page data, 2024 guest OS page data, 2025 guest OS page data, 2026 guest OS page data, 2031 startup processing unit, 2032 hash value calculation unit, 2033 hash value comparison unit, 2111 OS page data, 2112 OS page data, 2113 OS page data, 2114 OS page data, 2115 OS page data, 2116 OS page data, 2091 startup processing unit, 2092 hash value calculation unit, 2093 hash value comparison unit.

Claims (7)

1. An information processing apparatus comprising:
   a pre-rewrite hash value calculation unit that, when a rewriting process on any OS page data is detected during operation of an OS (Operating System), calculates, as a pre-rewrite hash value, a hash value of pre-rewrite OS page data, which is the OS page data before rewriting;
   a restart hash value calculation unit that calculates, as a restart hash value, a hash value of the pre-rewrite OS page data loaded from storage into memory either at the time of restart of the OS or after the restart of the OS; and
   a hash value comparison unit that compares the pre-rewrite hash value with the restart hash value.
2. The information processing apparatus according to claim 1, wherein, at the time of restart of the OS, the OS page data from before the restart of the OS remains in the memory.
3. The information processing apparatus according to claim 1, further comprising
   a replacement processing unit that, when the pre-rewrite hash value and the restart hash value match, replaces the OS page data in the memory that has been rewritten by the rewriting process with the pre-rewrite OS page data loaded from the storage into the memory.
4. The information processing apparatus according to claim 1, further comprising
   a startup hash value calculation unit that, at startup of the OS, calculates a hash value of the entire OS as a startup hash value,
   wherein the hash value comparison unit compares the startup hash value with a collation hash value, which is a hash value of the entire OS generated in advance, and permits the OS to start when the startup hash value and the collation hash value match.
5. The information processing apparatus according to claim 1, wherein
   the pre-rewrite hash value calculation unit, when a rewriting process on any guest OS page data is detected during operation of a guest OS running on a hypervisor, calculates, as the pre-rewrite hash value, a hash value of pre-rewrite guest OS page data, which is the guest OS page data before rewriting, and
   the restart hash value calculation unit calculates, as the restart hash value, a hash value of the pre-rewrite guest OS page data loaded from the storage into the memory either at the time of restart of the guest OS or after the restart of the guest OS.
6. An information processing method in which,
   when a rewriting process on any OS page data is detected during operation of an OS (Operating System), a pre-rewrite hash value calculation unit calculates, as a pre-rewrite hash value, a hash value of pre-rewrite OS page data, which is the OS page data before rewriting,
   a restart hash value calculation unit calculates, as a restart hash value, a hash value of the pre-rewrite OS page data loaded from storage into memory either at the time of restart of the OS or after the restart of the OS, and
   a hash value comparison unit compares the pre-rewrite hash value with the restart hash value.
7. An information processing program that causes a computer to execute:
   a pre-rewrite hash value calculation process that, when a rewriting process on any OS page data is detected during operation of an OS (Operating System), calculates, as a pre-rewrite hash value, a hash value of pre-rewrite OS page data, which is the OS page data before rewriting;
   a restart hash value calculation process that calculates, as a restart hash value, a hash value of the pre-rewrite OS page data loaded from storage into memory either at the time of restart of the OS or after the restart of the OS; and
   a hash value comparison process that compares the pre-rewrite hash value with the restart hash value.
PCT/JP2020/005343 2020-02-12 2020-02-12 Information processing device, information processing method, and information processing program WO2021161418A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2021564898A JP7004478B2 (en) 2020-02-12 2020-02-12 Information processing equipment, information processing methods and information processing programs
PCT/JP2020/005343 WO2021161418A1 (en) 2020-02-12 2020-02-12 Information processing device, information processing method, and information processing program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2020/005343 WO2021161418A1 (en) 2020-02-12 2020-02-12 Information processing device, information processing method, and information processing program

Publications (1)

Publication Number Publication Date
WO2021161418A1 true WO2021161418A1 (en) 2021-08-19

Family

ID=77292135

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2020/005343 WO2021161418A1 (en) 2020-02-12 2020-02-12 Information processing device, information processing method, and information processing program

Country Status (2)

Country Link
JP (1) JP7004478B2 (en)
WO (1) WO2021161418A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004280284A (en) * 2003-03-13 2004-10-07 Sony Corp Control processor, electronic equipment, and program starting method for electronic equipment, and system module updating method for electronic equipment
JP2006053787A (en) * 2004-08-12 2006-02-23 Ntt Docomo Inc Program execution device and program execution method
US20170371388A1 (en) * 2016-06-23 2017-12-28 Vmware, Inc. Efficient reboot of an operating system

Also Published As

Publication number Publication date
JP7004478B2 (en) 2022-01-21
JPWO2021161418A1 (en) 2021-08-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20918598

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2021564898

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20918598

Country of ref document: EP

Kind code of ref document: A1