JP2018036695A - Information processing monitoring device, information processing monitoring method, monitoring program, recording medium, and information processing apparatus - Google Patents

Abstract

PROBLEM TO BE SOLVED: To suppress improper information processing due to using a real mode in advance by disabling switching to a real mode in a CPU mode.SOLUTION: An information processing monitoring device 6 includes: a process monitoring part 61 for detecting issuance of access for switching a CPU mode to a real mode; and a result processing part 62 for disabling access operation with respect to the access detected after booting of an OS.SELECTED DRAWING: Figure 2

Description

  The present invention relates to a security technique for monitoring information processing operations executed by a computer program.

  Recently, access to resources by malicious programs created with the intention of performing illegal and harmful operations (hereinafter referred to as unauthorized programs), such as falsification of files and changes in system settings, greatly reduces computer security. Yes. Today, various types of corresponding software for monitoring access to resources of unauthorized programs and regulating unauthorized operations have been proposed.

  In Patent Document 1, a step of monitoring an I / O process which is a processing request for a resource, a step of temporarily holding a processing request for a resource issued from an application, and a hash indicating whether or not the application is a legitimate application An application monitoring method for preventing information leakage of resources, comprising: authenticating with a value; and permitting processing based on the temporarily suspended processing request only when the authentication result of the activated application is successful. Have been described.

  In Patent Document 2, when an application executed on a computer accesses information stored in a storage device such as a hard disk HDD, the application is hooked using an operating system (OS) hook function in advance. Computer information that is judged by checking against the contents of the set access permission condition table. If the information is not matched, it is assumed that the access is illegal, such as a virus. Computer information that prohibits the transfer of information stored in the storage device to the application A leak prevention system is described.

JP 2003-108253 A JP 2007-140798 A

  The application monitoring method described in Patent Document 1 calculates a hash value of an application for each process of processing requests for resources, and collates the calculated hash value with a previously stored hash value. . In this way, there is a limit to highly reliable monitoring simply by attempting authentication verification using a hash value at the time of processing request for a resource.

  The information leakage prevention system described in Patent Document 2 monitors functions (API (Application Programming Interface) and Syscall) related to input / output of a file system, and uses a user interface of a computer as an access permission condition. Access, which is a white list, for certain check items such as IO type, application name, data file name, execution program execution constraint condition (date and time, range, etc.) representing operations such as writing file data, etc. Since the content is collated with the contents of the allowable condition table, monitoring is similarly limited only by the collation processing with the white list.

  In addition, Patent Documents 1 and 2 are not sufficient in that they are monitored in order to verify the validity of IO access to resources. Further, Patent Documents 1 and 2 are intended to prevent falsification, deletion, leakage, etc. of a file that is performed through access to a resource by an unauthorized program, and may be performed due to a mode related to the operating state of the CPU. There is no description of any technology that prevents certain unfair information processing.

  The present invention has been made in view of the above, and is an information processing monitoring apparatus, an information processing monitoring method, a monitoring program, a recording medium, and an information processing monitoring apparatus capable of preventing unfair information processing caused by CPU mode switching. An information processing apparatus is provided.

  An information processing monitoring apparatus according to the present invention includes a monitoring unit that detects issuance of an access for switching a CPU mode to a real mode, and an invalidation process that invalidates an access operation for the access detected after the OS is booted Means.

  The monitoring program according to the present invention includes a monitoring unit that detects issuance of an access for switching the CPU mode to the real mode, an invalidation processing unit that invalidates an access operation for the access detected after the OS is booted, As a result, the information processing apparatus functions.

  In addition, the information processing monitoring method according to the present invention includes a monitoring step for detecting issuance of access for switching the CPU mode to the real mode, and invalidation for invalidating an access operation for the access detected after the OS is booted. And a step.

  Further, the recording medium according to the present invention includes a monitoring unit that detects issuance of access for switching the CPU mode to the real mode, an invalid processing unit that invalidates an access operation for the access detected after the OS is booted, As a computer-readable recording medium on which a program for causing the information processing apparatus to function is recorded.

  An information processing apparatus according to the present invention includes a main memory in which an OS is booted, a CPU that executes the OS booted on the main memory, and the information processing monitoring apparatus according to claim 1. It is equipped with.

  The CPU starts up in the real mode using the OS as an architecture, then goes through the protect mode, and then transitions to a higher bit mode to finish the startup. After starting up, the OS switches the CPU mode as necessary to execute information processing. When the CPU mode is switched to a specific mode, for example, an illegal execution code is issued in the real mode, and there is a possibility that the contents of registers and environment setting values may be illegally rewritten without being identified by the OS. Therefore, when the issuance of an execution code, which is an access for switching the CPU mode to the real mode, is detected after the booting of the OS, the access is invalidated while the access leads to an illegal act. . Thus, by invalidating the switching of the CPU mode to the real mode, it is possible to prevent unauthorized information processing by using the real mode.

  In addition, a monitoring module loading unit that loads the monitoring module into the main memory at a privilege level higher than that of the OS is provided, and the monitoring module includes the monitoring unit and the invalidation processing unit. According to this configuration, it is possible to reliably detect access for switching the CPU mode issued by the OS to the real mode.

  The access is an execution code for switching the CPU mode from the protected mode to the real mode. According to this configuration, it is possible to prevent an operation that leads to an inappropriate operation.

  The monitoring means may detect the issuance of an execution code for switching from the protect mode to the real mode in a state where the CPU mode is switched from the 64-bit mode to the 32-bit protect mode mode. According to this configuration, since the CPU mode is switched from the 64-bit mode to the 32-bit protect mode mode and the next access is switched from the protect mode to the real mode, the unauthorized operation can be prevented more quickly. It becomes possible to do.

  The access is an execution code that invalidates the page table. According to this configuration, since it is an exceptional process that is not possible as a legitimate operation and can be a hotbed access of an illegal operation, it is possible to effectively prevent illegal operation by invalidating the execution code. Can be planned.

  According to the present invention, by invalidating the switching of the CPU mode to the real mode, unauthorized information processing by using the real mode can be prevented in advance.

It is a schematic block diagram which shows one Embodiment of the information processing apparatus which concerns on this invention. It is a figure which shows the memory map of RAM which is a chipset and main memory. It is a flowchart which shows the procedure of a starting process. It is a figure explaining the execution procedure of an execution code. It is a flowchart which shows the procedure of the monitoring operation | movement process (after OS boot) by a monitoring module.

  FIG. 1 is a schematic configuration diagram showing an embodiment of an information processing apparatus according to the present invention. The information processing apparatus 100 to which the present invention is applied includes a general-purpose personal computer, a server apparatus incorporating a computer, a portable information processing terminal, and the like, and a function of performing information communication for various purposes via a network. Includes various information processing devices.

  The information processing apparatus 100 includes a microcomputer and includes a CPU 10 as a processor and a chip set 1. The CPU 10 has a flash ROM 21 for storing a BIOS (Basic Input / Output System) as a program, a hard disk drive (HDD) 22 as an auxiliary storage device, and a RAM (Random Access) as a main memory via a bus BA. Memory) 3, an input unit 41, and an output unit 42.

  The HDD 22 stores various programs, files, and necessary data. The HDD 22 is divided into a plurality of partitions. Normally, an operating system (OS) program such as Windows (registered trademark) and various application programs (APP) operating under the OS are stored in a location (path). Is stored in the C drive area. Normally, data files that can be used (accessed) by various APPs are stored in the D drive area as paths.

  When the information processing apparatus 100 is activated, the RAM 3 is loaded with the BIOS stored in the flash ROM 21, the program stored in the HDD 22, and the information being processed is temporarily stored. The information processing apparatus 100 loads program files, data files, and the like stored in the HDD 22 into the RAM 3 and executes them by the CPU 10, so that in addition to literal information processing, documents and figures can be created as necessary. An editing function, information communication, browser function, electronic payment, and other various processing functions are executed.

  The input unit 41 includes a keyboard, a mouse, a touch panel, or the like provided with a numeric keypad, etc., and inputs required information and instructs processing. The output unit 42 is assumed to be a display unit that displays an image. Note that the output unit 42 may be a printer unit, a communication unit that is connected to a network such as the Internet and exchanges information, and may further be provided with these.

  FIG. 2 shows a memory map of the RAM 3 and the chip set 1. 2 shows the BIOS 211 stored in the flash ROM 21, the OS 5 stored in the HDD 22, various application programs APP 1, APP 2,... Operating outside the OS 5 environment, stored outside the HDD 22 file system (NTFS or FAT). An example of a state in which the monitoring module as the operation monitoring unit 6 is read into the RAM 3 is shown. Application programs APP1, APP2,... Are expanded in the APP area 31 of the privilege level (ring R = 3). An API (Application Programming Interface) is also developed in a predetermined area in the APP area 31. The API is a specification that defines procedures and data formats for calling various functions (software) that can be commonly used by a plurality of programs.

  The OS 5 is expanded in the kernel area 32 at the privilege level (ring R = 2). The system table 51 is for operating the OS. The system table 51 is prepared corresponding to the CPU mode. In the state after booting, for example, in the 64-bit mode, the corresponding GDT (Global Descriptor Table) 511 and IDT (Interrupt Descriptor Table) for operating the OS 5 are used. ) 512, a task state segment (TSS) 513, a page table entry (PTE) 514 that converts a linear address from the GDT 511 into a physical address, and the like. The operation monitoring unit 6 is expanded in the monitoring processing area 33 of the privilege level (ring R = 0). Although not shown in FIG. 2, a system table for operating the operation monitoring unit 6 is developed in the monitoring processing area 33.

  The OS 5 may be deployed in the region 32 with the ring R = 1. By setting the privilege level of the operation monitoring unit 6 to a ring value that is smaller than that of the OS 5, it is possible to operate at a higher level than the OS 5, that is, under monitoring.

  The chip set 1 includes a register group 12 in which various environment setting values required for the operation and control of the CPU 10 are set. The register group 12 includes a flag register indicating the current state of the CPU 10, an MSR (Model Specific Register), a general-purpose register for storing data, an index register related to memory addressing, a special register, and a memory management system. Includes related segment registers CS. The register group 12 further includes a control register (CR0, CR4, CR3), a debug register (DR0 to DR7), an MSR (IA32E_EFER, etc.), an environment setting value of the CPU 10 stored in the GDTR, IDTR, and LDTR, and the environment of the MSR. A set value can be included. As another environment setting value, there is an environment setting value of a BIOS jump instruction that uses a BIOS function using a software interrupt when the OS is in the real mode. To prevent tampering and unauthorized use of this BIOS Function, a real mode interrupt after startup is hooked as described later.

  Note that the development of each program file in the RAM 3 is performed at the time of activation as follows, for example. A startup process of the information processing apparatus 100 will be described with reference to FIG. First, when the power is turned on, the 16-bit real mode BIOS 211 is loaded from the flash ROM 21 to the 0 to 1 MBite area 34 of the RAM 3 and activated (step S1). Next, a POST (Power On Self Test) process for initializing available peripheral devices is executed (step S3).

Subsequently, a load process to the area 33 of the monitoring module which is the operation monitoring unit 6 is executed (step S5). First, an MBR (Master Boot Record) is loaded into the RAM 3 from the head sector of the HDD 22 by the BIOS 211, and then the control of the CPU 10 is transferred to the MBR, and is stored in advance in the active partition table of the HDD 22 by the MBR. A dedicated loader 60 serving as a loading unit is loaded into the RAM 3. A temporary GDT is created in the area 34 by this dedicated loader, and the privilege level is set to ring R = 0 for the area 33 by this GDT. In this state, first, 16 bits from outside the file system of the HDD 22 Starting from the real mode, the monitoring module of the operation monitoring unit 6 is loaded into the area 33 using the unreal mode as is well known. Thereafter, the dedicated loader 60 transitions to the 32-bit protect mode and executes the monitoring module. The monitoring module further starts the OS after transitioning to the IA32e 64-bit mode. (Note that the monitoring module can be operated with a predetermined operation even in the 32-bit state.)
Next, the monitoring module of the operation monitoring unit 6 performs monitoring environment setting processing, that is, creation of a system table, an interrupt handler, and the like (both not shown). The CPU mode refers to each mode in which the bit width handled by the CPU 10 is 16 bits, 32 bits, and 64 bits.

  When the loading process of the operation monitoring unit 6 in each mode of the CPU 10 is completed (step S7), the control of the CPU 10 is transferred to the operation monitoring unit 6, and the process proceeds to the subsequent monitoring operation and the boot process of the OS 5 (step S9). ).

  First, a boot loader (OS loader) set in the operation monitoring unit 6 is activated (step S11), and boot processing of the OS 5 to the area 32 is performed by this boot loader (step S13).

  In the boot process of the OS 5, the ring R = 3 is set as the privilege level in the area 32, and the OS 5 in the 16-bit real mode is first loaded into the area 32, and then the ring R = 2 is set as the privilege level in the area 32. Then, the OS5 in the 32-bit protect mode and the OS5 in the IA32e 64-bit mode are loaded. In addition, a system table (the last system table 51 is shown in FIG. 2) in each CPU mode is created. When it is determined that the booting of the IA32e 64-bit mode OS has been completed in this way (step S15), the necessary application programs APP1, APP2,... Is loaded with ring R = 3 as a privilege level (step S17).

  In addition, the monitoring module of the operation monitoring unit 6 receives the end of booting of the OS 5 and starts monitoring the mode switching of the CPU 10 (after the OS booting) using, for example, the first page fault after starting the OS booting as a trigger. The monitoring module of the operation monitoring unit 6 allows the mode of the CPU 10 to be temporarily switched to the real mode until the booting of the OS is finished, while the CPU 10 is finished after the booting of the OS5, as illustrated in FIG. This mode is disabled by hooking using a general protection exception (#GP) or the like.

  Returning to FIG. 2, the CPU 10 functions as the process monitoring unit 61, the result processing unit 62, and the contract information unit 63 when the monitoring module that is the operation monitoring unit 6 is read from the HDD 22 and executed. Hereinafter, the operation description of the process monitoring unit 61 is related to monitoring after the OS boot.

  The process monitoring unit 61 monitors the application program APP to be executed (for example, APP1) read from the HDD 22 to the RAM 3 by the OS 5, as will be described later. More specifically, the process monitoring unit 61 at least monitors the issuance of a specific execution code (including API and syscall) that rewrites an environment setting value of a specific register of the register group 12 of the chipset 1. For example, an execution code for setting an environment setting value for switching the CPU mode to the real mode is included as a monitoring target for a register that controls the mode of the CPU 10. The rewriting of the environment setting value will be described later. The execution code to be monitored is stored, for example, in the contract information unit 63.

  When the execution target code to be monitored is about to be executed, the result processing unit 62 performs processing for invalidating execution of the execution code (operation stop processing, prohibition processing, rewriting processing to valid contents, etc.).

  As shown in FIG. 4 for explaining the execution procedure of the execution code, for example, when the execution of the execution program instructed to be executed by the user is started, the execution codes constituting the execution program are sequentially executed. The execution code is composed of an operation code and its parameters, and is sequentially set as an instruction set in the microcode 11 of the CPU 10. For the execution code to be monitored, the operation monitoring unit 6 interrupts the operation immediately after the execution code is set in the microcode 11 and the NTDLL. The set contents (execution code and parameters) are taken in by the DLL, and the execution of the execution code is invalidated by the result processing unit 62 (operation stop process, prohibition process, rewrite process to valid contents, etc.). . In this embodiment, since OS 5 has ring R = 2, rewrite access (execution code) to environment setting values such as API and Syscall is a privilege violation and is subject to hooking.

  Next, a monitoring operation (after OS boot) by the monitoring module of FIG. 5 will be described. Here, the monitored access is an execution code for switching the mode of the CPU 10 to the real mode, and invalidates the execution code.

  The CPU 10 loads the BIOS 211 in a 16-bit real mode at the time of startup (power on or reboot), and executes the startup process. Similarly, in the case of OS5, the boot loader starts booting from the 16-bit real mode at the time of booting, and the boot is performed by switching in the order of 32-bit protected mode and IA32e64-bit mode. By following the steps, the IA32e 64-bit mode, 32-bit protect mode, and 16-bit real mode are switched in this order.

  Normally, the CPU 10 operates in an IA32e 64-bit mode or a 32-bit protect mode, and mode switching between 64-bit and 32-bit is easily performed. For example, switching from the IA32e 64-bit mode to the 32-bit protected mode can be performed by switching the segment register CS to a 32-bit code segment and transferring control to a 32-bit program. Also, switching between the 32-bit protect mode and the 16-bit real mode is possible by following a predetermined procedure. OS5 operates in a state where the CPU 10 is in the 16-bit real mode, the transition process to the 16-bit real mode, and the transition process to the IA32e 64-bit because the 16-bit program operates with the ring R = 0. Cannot be recognized. In addition, the 16-bit real mode area, which is the area 34 of the RAM 3, is originally a storage area for the BIOS 211 and the like and is not normally used. Therefore, after the OS 5 is booted, the real mode is not normally changed. .

  On the other hand, since the behavior of the program in the area 34 is not recognized by the OS 5, illegal processing (data deletion, falsification, leakage, etc.) or illegal program files are loaded (for example, an illegal program is infected with the BIOS). Can be made). Accordingly, in the IA32e 64-bit mode, which is the normal CPU mode, a device that uses a security hole such as a bug is provided in various places, waits for a long time, and then takes the control of the CPU 10 and moves to the real mode. There is an attempt. Many of these types of standby malicious programs or their execution are detected by other anti-virus software and can be disabled. On the other hand, the transition to the 16-bit real mode by switching the mode of the CPU 10 is possible through a predetermined process unlike the standby type.

  In FIG. 5, the monitoring module first determines whether or not the mode of the CPU 10 on the OS 5 side has been changed from the IA32e 64-bit mode to the 32-bit protect mode (step S21). If the mode of the CPU 10 remains in the IA32e 64-bit mode, the same determination process is repeated with no change. On the other hand, if the mode of the CPU 10 is changed from the IA32e 64-bit mode to the 32-bit protected mode, the monitoring module similarly changes the mode of the CPU 10 on the monitoring module side from the IA32e 64-bit mode to the 32-bit protected mode ( Step S23).

  Next, the monitoring module determines whether or not there is an execution code (access) for switching the CPU mode on the OS 5 side to the 16-bit real mode (step S25). Specifically, in the 32-bit protect mode, whether or not the sequential execution code temporarily suspended by the microcode 11 is an access execution code for turning off the paging flag PG of the control register CR0 for controlling the CPU 10. A determination is made, and if so, processing for invalidating the access is executed (step S27). On the other hand, if not, step S27 is skipped, that is, the execution code is allowed to be executed as it is.

  Next, it is determined whether or not the mode of the CPU 10 on the OS5 side has returned from the 32-bit protect mode to the IA32e64-bit mode (step S29), and if so, the mode of the CPU 10 on the monitoring module side is changed from the 32-bit protect mode to IA32e64. Return to bit mode and return to step S21. On the other hand, if the CPU mode has not returned, the process returns to step S25, and the monitoring and response processing for the execution code (access) for switching the CPU mode to the 16-bit real mode is repeated (steps S25 to S29).

  In the embodiment, as a method of invalidating the access for switching to the real mode, the access at the stage where the paging flag of the control register CR0 is turned off “0” is monitored. However, the present invention is not limited to this. Subsequent to such monitoring, as a procedure procedure rule (registered in the contract information section 63), an access for converting the page table for the 32-bit protect mode and an access for turning off the IA32e 64-bit mode enable flag to “0” are included. It is good also as an aspect. In this manner, the transition to the IA32e compatible 32-bit mode during the transition from the IA32e 64-bit mode to the 32-bit protect mode is monitored, and the transition to the 32-bit protect mode which cannot be performed normally is monitored. It becomes possible. Further, as an access for switching the CPU mode to the real mode, monitoring may be performed according to the procedural procedure rule including an access to transition from the 32-bit protect mode to the 16-bit real mode. For example, the access to load the IDT and GDT for 32-bit protect mode is included in the monitoring target, the access to shift the code segment (CS) to protect mode, the access to shift TSS to protect mode, the control register CR0 An access to turn off the paging flag PG and the protect mode flag PE to “0” can be further included in the monitoring target.

  In addition, although the said embodiment demonstrated in the aspect of the virtualization assistance technology (VT-x) unused environment, it is not limited to this, The application to the aspect of a virtualization assistance technology (VT-x) usage environment is also possible. It is. In this case, the monitoring module of the operation monitoring unit 6 may be set as ring R = -1, OS 5 as ring R = 0, and APP as ring R = 3. In this case, an execution code that is an access for changing the control register CR0 may be registered in the contract information unit 63 as a hook target. The execution code can include a so-called hook process triggered by the occurrence of an exception, violation, interrupt, or the like, an API, and a syscall as a trigger.

  More specifically, in the environment where the virtualization support technology (VT-x) is used, the execution code to be monitored is registered as a fault event to be a hook target, and the control of the CPU 10 is passed to the VMM (host software) in the VMXroot mode. It is possible to perform monitoring and response processing using the Exit command, and the Entry command that transfers the control of the CPU 10 to the guest OS side and sets the VMXnon-root mode. In each aspect, such access can be monitored. In the above-described embodiment, the CPU module mode is changed on the OS 5 side from the IA32e64-bit mode to the 32-bit protected mode, and the CPU mode changing process is also performed on the monitoring module side. In the technology (VT-x) usage environment, the monitoring module side may remain in the IA32e 64-bit mode.

DESCRIPTION OF SYMBOLS 100 Information processing apparatus 1 Chip set 10 CPU
12 register group 22 HDD
3 RAM
5 OS
60 Dedicated loader (monitoring module loading means)
6 Operation monitoring unit (monitoring module)
61 Process monitoring unit (monitoring means)
62 Result processing unit (invalid processing means)
63 Contract information section (monitoring means)

Claims (9)

Monitoring means for detecting issuance of access for switching the CPU mode to the real mode;
An information processing monitoring apparatus comprising invalidation processing means for invalidating an access operation for the access detected after the OS is booted. A monitoring module loading means for loading the monitoring module into the main memory with a higher privilege level than the OS;
The information processing monitoring apparatus according to claim 1, wherein the monitoring module includes the monitoring unit and the invalidation processing unit. The information processing monitoring apparatus according to claim 1, wherein the access is an execution code for switching the CPU mode from the protected mode to the real mode. The monitoring means detects an issuance of an execution code for switching from the protect mode to the real mode in a state where the CPU mode is switched from the 64-bit mode to the 32-bit protect mode mode. The information processing monitoring apparatus described. The information processing monitoring apparatus according to claim 4, wherein the access is an execution code that invalidates a page table. Monitoring means for detecting issuance of access for switching the CPU mode to the real mode;
A monitoring program that causes an information processing apparatus to function as invalid processing means for invalidating an access operation with respect to the access detected after the OS is booted. A monitoring step for detecting issuance of access for switching the CPU mode to the real mode;
An information processing monitoring method comprising: an invalid step for invalidating an access operation for the access detected after the OS is booted. Monitoring means for detecting issuance of access for switching the CPU mode to the real mode;
A computer-readable recording medium storing a program that causes an information processing apparatus to function as invalid processing means for invalidating an access operation with respect to the access detected after the OS is booted. An information processing apparatus comprising: a main memory in which an OS is booted; a CPU that executes the OS booted on the main memory; and the information processing monitoring apparatus according to claim 1.

Images