JP5989599B2 - Information processing apparatus and information processing method - Google Patents

Description

  The present invention relates to an information processing apparatus and an information processing method.

  Attacks using document files are increasing. Attach document files such as Word (registered trademark), Excel (registered trademark), PDF (Portable Document Format) with malicious attack code to e-mails, etc. By opening it, the vulnerability of the document file manipulation program is attacked, and arbitrary code is executed on the attack target person's environment.

  Here, the attack flow using a general document file will be described first. The document file used for the attack holds the attack code that attacks the vulnerability of the document file manipulation program and the execution code for performing more complicated processing after the attack succeeds in its own data section. .

  When the document file is opened by the document file operation program, the attack code attacks the vulnerability of the document file operation program, and when the attack is successful, control is transferred to the attack code. Thereafter, the attack code extracts the execution code from the data section in the document file and stores it as an executable file on the file system. When the attack code executes the executable file, a virus or the like infects the attack target computer.

  In order to detect and analyze a document file having an attack code (hereinafter, referred to as “malicious document file” as appropriate) in this way, the same method as the conventional method for detecting and analyzing malware is used.

  Broadly speaking, a dynamic detection / analysis technique that investigates by actually opening a document file containing attack code with a program for manipulating document files and executing attack code, and static that investigates without executing attack code. There are detection and analysis methods.

  As a static detection and analysis method, a document file containing attack code and a byte sequence characteristic of the attack code are stored in the form of a signature, and pattern matching is performed between the input document file and the signature. (See Non-Patent Document 1). Since this method can detect an attack without actually opening a document file, it can detect and analyze the attack at high speed and in large quantities.

  However, in this static analysis method using pattern matching, if the byte sequence in the document file is obfuscated, there is a possibility that an omission of attack detection may occur.

  This is because when the attack code in the document file is obfuscated, the apparent byte sequence changes from the original byte sequence. For example, even if XOR is performed between the attack code portion and a specific value, the apparent byte sequence changes, and an attack cannot be detected with a signature representing a conventional attack code pattern. By the way, the obfuscated document file, when the document file is opened, performs some kind of decoding processing, and the original pattern appears at the time of execution.

  On the other hand, the dynamic detection / analysis method is a method for detecting an input document file based on the behavior at that time by opening the input document file with a document file operation program (see Non-Patent Document 2). In this method, since the document file and the document file operation program are actually operated, the attack code itself can be decoded. Therefore, even if the malicious code part is obfuscated, there is no problem.

Michael Ligh et al., WILEY, Malware Analysis ’s Cookbook and DVD, 2010/11/2 Stefan Axelsson, Intrusion Detection Systems: A Survey and Taxonomy, 03/14/2000

  However, the attack detection / analysis method based on the behavior of the document file and the document file manipulation program has the following problems.

  For one, dynamic detection / analysis methods need to define malicious behaviors that serve as detection criteria. This is because the definition of behavior differs depending on the document file type and attack type. Also, the detection criteria may be different for each version of the document file operation program. Furthermore, it is necessary to adjust the detection criteria for each attack code and malware used for the attack. For this reason, it is difficult to detect an attack of a document file including an attack code based on behavior so that there is no false detection or detection omission.

  The other is that when a document file containing attack code is opened with a document file operation program, the behavior related to the document file containing attack code and the behavior based on the program portion for document file operation, that is, normal document file operation It is difficult to distinguish it from the operation of the computer program. In order to make these distinctions, for example, a method of creating a white list and excluding the behavior of the program for manipulating the document file from the overall behavior can be considered, but in this case also a different white list is created for each program for manipulating the document file Therefore, it is not easy to create a white list with high efficiency and accuracy.

  Therefore, an object of the present invention is to solve the above-described problems and facilitate detection and analysis of an attack of a document including an attack code.

In order to solve the above-described problems, an information processing apparatus according to the present invention operates a tag adding unit that sets a tag for identifying the document file and a program to read the document file. It is executed by a program execution unit, a taint analysis unit that propagates the tag to an instruction execution result when the data set with the tag is passed to an instruction to be executed by the program execution unit, and the program execution unit It is determined whether or not the tag held by the instruction is set in the document. When the tag held in the instruction is set in the document file, the attack by the document file is performed. A determination unit that detects the occurrence of an attack, and after the detection of an attack by the determination unit, Comprising an instruction monitoring part for judging instruction having a tag set to placement file analyzed, the analyzing unit for analyzing the execution of the is determined analyzed in the instruction monitor instruction.

  An object of the present invention is to facilitate the detection and analysis of an attack on a document including an attack code.

FIG. 1 is a diagram illustrating the overall configuration of the information processing apparatus. FIG. 2 is a diagram illustrating a functional configuration of the virtual machine. FIG. 3 is a diagram illustrating an example of information stored in the shadow memory. FIG. 4 is a diagram illustrating an example of information stored in the shadow disk. FIG. 5 is a flowchart showing a procedure for detecting and analyzing an attack by an attack code by a virtual machine. FIG. 6 is a diagram for explaining the outline of the operation of the virtual machine according to the second embodiment. FIG. 7 is a diagram illustrating an outline of the operation of the virtual machine according to the third embodiment. FIG. 8 shows that a virtual machine sets a taint tag (for example, Tag = WRITTEN) to data generated by a document file operation program, and another taint tag (for example, It is a figure explaining the operation | movement outline | summary at the time of setting Tag = JIT). FIG. 9 is a diagram illustrating a computer that executes a monitoring program.

[First Embodiment]
[overall structure]
Hereinafter, modes (embodiments) for carrying out the present invention will be described. FIG. 1 is a diagram illustrating the overall configuration of the information processing apparatus. As illustrated in FIG. 1, the information processing apparatus includes hardware 1, host OS 2, virtual machine software 3, and virtual machine 10.

  The hardware 1 is an electronic circuit or a peripheral device constituting the information processing apparatus, and is, for example, a memory, a CPU (Central Processing Unit), or the like. The host OS 2 is an OS serving as a base for operating the virtual machine, and is executed using the hardware 1. The virtual machine software 3 is software that provides a virtual machine using the hardware 1, and operates the virtual machine 10 here. For example, the virtual machine software 3 allocates a virtual disk, virtual physical memory, virtual CPU, and the like to the guest OS to operate the virtual machine.

  The virtual machine 10 is, for example, an emulator-type virtual machine, and is a virtual machine that executes various processes by operating a guest OS using a virtual disk, virtual physical memory, virtual CPU, or the like provided from the virtual machine software 3. Information processing apparatus.

  In such a configuration, the information processing apparatus first sets a taint tag (tag) in a document file including an attack code. Then, the information processing apparatus operates a document file operation program for reading and manipulating the document, and opens the document file. Thereafter, when the CPU (virtual CPU) of the information processing apparatus fetches an instruction, the taint tag held by the instruction is checked. If the checked taint tag is set in the document file, an attack by this document file is detected.

  That is, even if a normal document file is opened by a document file operation program and data is written on the virtual physical memory, the written data is not executed. However, if the data written in virtual physical memory is executed, there is a high possibility that some attack code is included in the document file, that is, the execution process depends on the attack code in the document file. It can be determined that there is a high possibility of an attack.

  After such an attack is detected, if an instruction having a taint tag set in the document file is executed, the information processing apparatus sets this instruction as an analysis target. For example, the information processing apparatus analyzes an API (Application Programming Interface), a system call, a library function, and the like executed by this instruction. On the other hand, if an instruction that does not have a taint tag set in the document file is executed, the information processing apparatus excludes execution of this instruction.

  In this way, the information processing apparatus can detect and monitor an attack on a document file including an attack code.

Virtual machine configuration
Next, the configuration of the virtual machine shown in FIG. 1 will be described. Since the hardware 1, the host OS 2, and the virtual machine software 3 have the same configuration as a general configuration, detailed description thereof is omitted.

  FIG. 2 is a diagram illustrating a functional configuration of the virtual machine. As shown in FIG. 2, the virtual machine 10 includes a virtual physical memory 10a, a shadow memory 10b, a virtual disk 11a, a shadow disk 11b, a virtual CPU 12, a virtual HW controller 19, and a taint tag assigning unit 14.

  The virtual physical memory 10a is a virtual memory realized by allocating a predetermined area in the physical memory of the information processing apparatus as a memory used by the guest OS operating on the virtual machine 10. For example, the virtual physical memory 10a stores programs and data read from the virtual disk 11a by the virtual CPU 12.

  The shadow memory 10b is a data structure that holds the value of the taint tag set for the value on the virtual physical memory 10a.

  Here, an example of the shadow memory 10b will be described. FIG. 3 is a diagram illustrating an example of information stored in the shadow memory. As shown in FIG. 3, the shadow memory 10 b stores “virtual physical memory address” and “taint tag” in association with each other. The “virtual physical memory address” is position information indicating the storage position on the virtual physical memory 10a, and the “taint tag” is an identifier for identifying whether it is an analysis target or not.

  In the case of FIG. 3, the taint tag “11” is given to the program code to be analyzed stored at the addresses “0000 to 0200” of the virtual physical memory 10a. Further, it indicates that the taint tag “05” is given to the analysis target data stored in the addresses “0310 to 0350” of the virtual physical memory 10a. Note that the numerical values and the like shown in FIG. 3 are merely examples, and the values and the like are not limited.

  The virtual disk 11a is a virtual disk realized by allocating a predetermined area in a physical disk included in the information processing apparatus as an area used by the guest OS operating in the virtual machine 10. For example, the virtual disk 11a stores a program (such as a document file operation program) to be executed by the virtual CPU 12, data (such as a document file that may contain an attack code) that is to be processed by the program, and the like. Remember.

  The shadow disk 11b is a data structure that holds the value of the taint tag set for the value on the virtual disk 11a.

  The virtual CPU 12 in FIG. 2 is a virtual CPU realized by assigning a predetermined processing capability of a physical CPU included in the information processing apparatus as a CPU used by the guest OS operating in the virtual machine 10. The virtual CPU 12 includes a shadow register (not shown) that holds a taint tag held by the physical CPU. The virtual CPU 12 includes a program execution unit 13, a taint analysis unit 15, a determination unit 16, an instruction monitoring unit 17, and an analysis execution unit 18.

  The program execution unit 13 executes a program stored in the virtual disk 11a. For example, the program execution unit 13 reads a document file operation program from the virtual disk 11a, expands it in the virtual physical memory 10a, and executes it. Further, when a document file including an attack code is read by the document file operation program, the program execution unit 13 performs an execution process based on the attack code.

  The taint analysis unit 15 propagates the taint tag to the instruction execution result based on the taint tag propagation rule when the data in which the taint tag is set is passed to the instruction to be executed by the virtual CPU 12 (specifically, the program execution unit 13). Let The case where the data in which the taint tag is set is passed to the instruction to be executed by the program execution unit 13 is specifically the case where the value passed in the operand of the instruction holds the taint tag.

  The following are possible taint tag propagation rules. For example, when a machine language instruction is executed in the virtual CPU 12, a taint tag is assigned to one of the source operands when an arithmetic operation instruction, logical operation instruction, data movement instruction, or data copy instruction with one or more operands is executed. When a given value is passed, the taint tag is also set in the destination operand where the execution result of the instruction is stored.

  There are various taint tag propagation rules. However, when the execution result of an instruction is determined depending on a read value, the taint tag propagation rule is constituted by a basic rule such as propagating a taint tag. In other words, the taint analysis unit 15 performs an operation accompanied by propagation of a taint tag with respect to an instruction of the program execution unit 13 that handles data in some form.

  The determination unit 16 determines whether or not a taint tag indicating an analysis target is set in the instruction being executed by the program execution unit 13. If it is set, the determination unit 16 determines that an attack has been performed. That is, the determination unit 16 detects an attack based on the document file.

  The instruction monitoring unit 17 determines that an instruction having a taint tag set in the document file is an analysis target after the determination unit 16 detects an attack.

  The analysis execution unit 18 monitors the execution of the instruction determined to be analyzed by the instruction monitoring unit 17 and analyzes the execution content of the instruction by the attack code. For example, the analysis execution unit 18 acquires a detailed trace log regarding the execution of the instruction to be analyzed, and acquires information on the registers of the virtual CPU 12 and information on the stack together.

  The virtual HW controller 19 controls data transmission / reception between the virtual disk 11a and the virtual physical memory 10a and between the shadow disk 11b and the shadow memory 10b. For example, the virtual HW controller 19 stores the program read from the virtual disk 11a by the program execution unit 13 in the virtual physical memory 10a. The virtual HW controller 19 also stores data read from the virtual physical memory 10a by a program or the like in the virtual disk 11a. Such a virtual HW controller 19 includes a taint information propagation unit 19a that performs taint tag propagation.

  The taint information propagation unit 19a propagates taint tags between the virtual disk 11a and the virtual physical memory 10a. That is, the taint information propagation unit 19a propagates the taint tag between the shadow disk 11b and the shadow memory 10b. For example, when the virtual HW controller 18 stores data read from the virtual physical memory 10a by the program to be monitored in the virtual disk 11a, a taint tag of the read data on the shadow memory 10b is associated with this. Store on the shadow disk 11b.

  The taint tag adding unit 14 receives an input of a taint tag set in a document file to be analyzed via an input / output interface of the information processing apparatus. Then, the taint tag assigning unit 14 sets the input taint tag for a document file to be analyzed, that is, a document file that may contain an attack code. The taint tag to be set only needs to be identified as a document file. The same taint tag may be set for the entire document file, or the file format of the document file is interpreted and differs depending on the meaningful division of the file. The value of the taint tag may be set.

  The taint tag may be set for a document file stored on the virtual disk 11a before opening the analysis target document file, or the virtual physical memory 10a immediately after the analysis target document file is opened. You may set with respect to the data of the document file mapped above.

  When setting a document file stored on the virtual disk 11a, the value of the taint tag is stored in the shadow disk 11b. When setting a taint tag for data of a document file mapped on the virtual physical memory 10a, a taint tag is set for the shadow memory 10b.

  According to such a virtual machine 10, it is possible to detect a document file including an attack code and monitor a behavior based on the attack code.

[Detection and analysis procedure]
Next, a procedure for detecting and analyzing an attack using an attack code by the virtual machine 10 will be described with reference to FIG. FIG. 5 is a flowchart showing a procedure for detecting and analyzing an attack by an attack code by a virtual machine. Note that the virtual machine 10 sets a taint tag in a document file that may contain an attack code by the taint tag assigning unit 14 in advance and stores it in the virtual disk 11a.

  First, the program execution unit 13 of the virtual machine 10 operates a document file operation program and opens a document file stored in the virtual disk 11a (S1). Thereafter, the determination unit 16 confirms the taint tag held by the instruction executed by the program execution unit 13 (S2). If the taint tag is set in the document file (Yes in S3), It is determined that the attack is based on the attack code included in the document file. Thereafter, the instruction monitoring unit 17 determines an instruction having a taint tag set in the document file as an analysis target (S4), and the analysis execution unit 18 analyzes the instruction determined as the analysis target by the instruction monitoring unit 17 Is executed (S5). That is, the analysis execution unit 18 analyzes the execution content of the instruction by the attack code included in the document file. For example, the analysis execution unit 18 acquires a detailed trace log regarding the execution of the instruction to be analyzed, and acquires information on the registers of the virtual CPU 12 and information on the stack together.

  On the other hand, if the taint tag confirmed in S2 is not set in the document file in S3 (No in S3), the determination unit 16 ends the process.

  According to such a virtual machine 10, it is possible to detect a document file including an attack code and monitor a behavior based on the attack code.

[Second Embodiment]
Next, a second embodiment of the present invention will be described. FIG. 6 is a diagram for explaining the outline of the operation of the virtual machine according to the second embodiment.

  As shown in FIG. 6, the virtual machine 10 according to the second embodiment sets a taint tag in a document file, as in the first embodiment. Then, a taint tag is set for all writing to the virtual physical memory 10a performed by the document file operation program of the virtual machine 10. That is, there is a possibility that the original code obtained by expanding the attack code in the document file and normal data other than the original code may be written in the virtual physical memory 10a. The virtual machine 10 sets taint tags in both of them. .

  Specifically, the taint tag assigning unit 14 of the virtual machine 10 sets a taint tag that can uniquely identify the document file operation program. Then, the taint analysis unit 15 sets a taint tag indicating that it is an analysis target for the writing performed by the program execution unit 13 by the document file operation program.

  In this way, in the process in which the attack code in the document file is written on the virtual physical memory 10a by the document file operation program, the taint tag set in this document file disappears, so that the behavior by the attack code is It is possible to avoid the situation where analysis is not possible.

  Note that the case where the taint tag set in the document file is lost may be that the attack code in the document file is obfuscated or encrypted. That is, when the attack code is read by the document file operation program in the virtual machine 10, the attack code is obfuscated or decrypted. In the process, the taint tag set in the document disappears, and a state where the taint tag is not set may occur in the attack code (original code) developed on the virtual physical memory 10a. Such a case is assumed.

  If the taint tag set in the document file does not disappear, the taint tag is set for the value written on the virtual physical memory 10a by the document file operation program.

  Hereinafter, the virtual machine 10 of the second embodiment will be described in detail. First, the taint tag assigning unit 14 sets a taint tag in the code portion of the document file operation program in the virtual disk 11a. The value of the taint tag set here is different from the value of the taint tag set in the document file.

  For example, the taint tag set in the document file is “Tag = DOC”, and the taint tag set in the document file operation program is “Tag = DOC_OP”. In the program execution unit 13, an instruction in which the “Tag = DOC_OP” taint tag is set performs a write operation, but the written value does not have the taint tag (Tag = DOC) set in the document file. In this case, the taint analysis unit 15 sets a taint tag “Tag = WRITTEN (or Tag = DOC)” indicating the analysis target for the write destination.

  When the instruction having a taint tag indicating the analysis target (for example, Tag = DOC or Tag = WRITTEN) is executed, the determination unit 16 determines that the attack is based on an attack code. Thereafter, the instruction monitoring unit 17 analyzes an instruction having this taint tag. On the other hand, when an instruction having no taint tag indicating the analysis target (for example, an instruction having a taint tag of Tag = DOC_OP) is executed, it is determined that the attack is not an attack code, and the instruction monitoring unit 17 analyzes the instruction. Not targeted.

  In this way, it is possible to reliably detect the attack code in the document file and analyze the behavior by the attack code.

[Third Embodiment]
In the virtual machine 10, when the document file operation program is a program having a JIT (Just In Time) compiler function, the taint tag adding unit 14 adds a predetermined taint tag to a code (byte string) generated by the JIT. (For example, Tag = JIT) may be set. Then, the determination unit 16 may determine that the attack is not an attack by an attack code when an instruction having this taint tag (for example, Tag = JIT) is executed.

  FIG. 7 is a diagram illustrating an outline of the operation of the virtual machine according to the third embodiment. As shown in FIG. 7, the virtual machine 10 sets a predetermined taint tag (for example, Tag = JIT) for the instruction sequence generated by JIT among the data written to the virtual physical memory 10a by the document file operation program. For other data, another taint tag is set. When a byte sequence in which a taint tag (for example, Tag = JIT) indicating that it is an instruction sequence generated by JIT is executed, the virtual machine 10 is excluded from the analysis target, and other than that When data with a taint tag (for example, Tag = WRITTEN) is executed, this is the analysis target.

  The document file operation program having the JIT compiler function is, for example, Acrobat Reader (registered trademark). This Acrobat Reader (registered trademark) has a Javascript (registered trademark) engine having a JIT compiler function.

  By doing so, even when a document file operation program having a JIT compiler function is used for the operation of the document file in the virtual machine 10, it is possible to detect and analyze the attack on the document file.

  That is, as described above, the determination unit 16 of the virtual machine 10 uses the document file when the data (instruction sequence) of the document file written on the virtual physical memory 10a is executed by the program execution unit 13. Detect attacks. Here, a document file operation program having a JIT compiler function (hereinafter abbreviated as “JIT” as appropriate) writes an execution binary code on the virtual physical memory 10a when executing a script in the document file and executes it.

  At this time, the taint analysis unit 15 of the virtual machine 10 sets a taint tag indicating that the instruction sequence of the script generated by JIT is an instruction sequence generated by JIT. Then, the determination unit 16 determines that the instruction holding the taint tag is an attack if it is normal, but determines that the instruction generated by this JIT is not an attack. By doing so, the virtual machine 10 can avoid erroneously determining that the instruction generated by JIT is an attack.

  The taint tag assigning unit 14 indicates that the byte sequence generated by the JIT is in a location (for example, a data section) where the byte sequence generated by the JIT of the document file operation program in the virtual disk 11a is held. Set the taint tag to indicate.

  For example, when the JIT compiler function (JIT engine) in the document file operation program holds a script → byte string conversion table as exemplified in Table 1 below, the taint tag assigning unit 14 A predetermined taint tag (for example, Tag = JIT) is set in the byte string portion.

  As a result, a predetermined taint tag (for example, Tag = JIT) is set in the part generated by the JIT of the document file operation program, and a normal taint tag (for example, Tag = WRITTEN) is set in the other part. Is done. Therefore, the determination unit 16 determines that an instruction generated by JIT among the instructions executed by the program execution unit 13 is not an attack.

  It should be noted that the taint tag set in the part generated by the JIT of the document file operation program does not necessarily need to be a “taint tag indicating that it has been generated by JIT”, but is merely a taint tag indicating that it is not subject to analysis. May be.

  Further, the virtual machine 10 sets a taint tag (for example, Tag = WRITTEN) to data generated by the document file operation program, and another taint tag (for example, Tag) is set to a part generated by JIT. = JIT) may be set.

  FIG. 8 shows that a virtual machine sets a taint tag (for example, Tag = WRITTEN) to data generated by a document file operation program, and another taint tag (for example, It is a figure explaining the operation | movement outline | summary at the time of setting Tag = JIT).

  As shown in FIG. 8, when a document file including an obfuscated attack code and a script is read by the document file operation program, the virtual machine 10 includes a predetermined instruction sequence of a script generated by JIT. A taint tag (for example, Tag = JIT) is set. Further, when the attack code is obfuscated by the document file operation program and the original code is written on the virtual physical memory 10a, the virtual machine 10 if the original code or other normal data is written. Sets the taint tag (for example, Tag = WRITTEN) set in the document file operation program to the data. Here, if the taint tag set in the document file has disappeared, that is, if the value to be written has no taint tag, the virtual machine 10 writes Tag = WRITTEN, but the taint tag has not disappeared. If it is, the propagated taint tag (Tag = DOC) is written as it is.

  The virtual machine 10 excludes the portion where the taint tag (for example, Tag = JIT) of the instruction sequence of the script generated by JIT is set as the analysis target, and sets the taint tag (for example, Tag = JIT) set in the document file operation program. WRITTEN) is set for analysis. In addition, the virtual machine 10 also sets a portion for which a propagated tag (Tag = DOC) is set as an analysis target.

  By doing so, even when the document file includes an obfuscated or encrypted attack code and the document file operation program has a JIT function, the attack code in the document file is detected and the behavior of the attack code is detected. Analysis can be performed reliably.

[Other Embodiments]
In the virtual machine 10 according to the first embodiment, when the program execution unit 13 writes an instruction in which a taint tag is set to the virtual physical memory 10a, no value is written to the virtual physical memory 10a. The taint analysis unit 15 may set a taint tag indicating the analysis target (for example, the same tag as the taint tag set in the document file).

  In the virtual machine 10 of the second and third embodiments, when the program execution unit 13 writes an instruction with a taint tag set to the virtual physical memory 10a, a document is stored in the virtual physical memory 10a. When the taint set in the file operation program or JIT is not set, the taint analysis unit 15 may set a taint tag indicating the analysis target (for example, the same tag as the taint tag set in the document file). .

  In this way, it is possible to reliably set a taint tag for data written on the virtual physical memory 10a. As a result, the virtual machine 10 can reliably detect and analyze an attack on the document file.

  Further, when an external function is called from the instruction to be analyzed by the program execution unit 13, the taint analysis unit 15 captures the time when the external function has returned, and stores the data on the virtual physical memory 10 a written by the external function. A taint tag indicating the analysis target may be set for all the data that is specified and written. In this way, even when an attack is made by calling an external function from a document, analysis can be performed.

  Further, when the instruction read by the program execution unit 13 is a branch instruction, the determination unit 16 may determine that the attack is an attack when a taint tag is set in the branch destination instruction. Further, when the branch instruction is an instruction that branches by designating an address, an attack may be determined when a taint tag indicating an analysis target is set at the designated address. The branch instruction mentioned here includes both a conditional branch instruction and an unconditional branch instruction. The determination unit 16 may sequentially check the execution of all instructions, not just the behavior before and after execution of the branch instruction as described above.

  Further, the analysis execution unit 18 may acquire a library function called from an instruction determined to be analyzed and detailed information thereof. This library function is an API, a system call, a local function, and the like, and detailed information includes a library name, a module name, an argument value and type of the library function, position information where the function is called, instance information, and the like. . The analysis execution unit 18 may capture detailed execution and output detailed information not only when the library function is called but also when execution changes from the library function to the instruction to be analyzed.

  Note that the virtual machine 10 may use a process-type virtual machine that uses Binary Instrumentation to virtualize only a specific process, and is not a virtual machine monitor that operates as an application, but Xen or KVM (Kernel-based). Virtualization such as mounting a host OS and a virtual machine monitor in the same layer, such as Virtual Machine, may be used. Further, for virtualization implementation, HW (hardware) support such as Intel (registered trademark) -VT (Virtualization Technology) may be used.

[program]
It is also possible to create a monitoring program in which the processing executed by the information processing apparatus is described in a language that can be executed by a computer. In this case, when the computer executes the monitoring program, the same effect as in the above embodiment can be obtained. Further, the monitoring program may be recorded on a computer-readable recording medium, and the monitoring program recorded on the recording medium may be read by the computer and executed to execute the same processing as in the above embodiment. An example of a computer that executes a monitoring program that implements the same function as the information processing apparatus shown in FIG.

  FIG. 9 is a diagram illustrating a computer that executes a monitoring program. As illustrated in FIG. 9, the computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100, for example. For example, a mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050. For example, a display 1130 is connected to the video adapter 1060.

  Here, as shown in FIG. 9, the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. The monitoring target program described in the above embodiment is stored in, for example, the hard disk drive 1090 or the memory 1010.

  Further, the monitoring program is stored in, for example, the hard disk drive 1090 as a program module in which a command to be executed by the computer 1000 is described. Specifically, the program execution unit 13, the taint tag assigning unit 14, the taint analysis unit 15, the determination unit 16, the instruction monitoring unit 17, and the program module in which instructions to be executed in the analysis execution unit 18 are described are hard disk drives. 1090 is stored.

  In addition, data used for information processing by the monitoring program is stored in the hard disk drive 1090 as program data, for example. Then, the CPU 1020 reads out the program module and program data stored in the hard disk drive 1090 to the RAM 1012 as necessary, and executes each procedure described above.

  Note that the program module and program data related to the monitoring program are not limited to being stored in the hard disk drive 1090, but are stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive 1100 or the like. Also good. Alternatively, the program module and program data related to the monitoring program are stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and the CPU 1020 via the network interface 1070. It may be read out.

DESCRIPTION OF SYMBOLS 1 Hardware 3 Virtual machine software 10 Virtual machine 10a Virtual physical memory 10b Shadow memory 11a Virtual disk 11b Shadow disk 12 Virtual CPU
13 Program Execution Unit 14 Taint Tag Assignment Unit (Tag Assignment Unit)
DESCRIPTION OF SYMBOLS 15 Taint analysis part 16 Judgment part 17 Instruction monitoring part 18 Analysis execution part 19 Virtual HW controller 19a Taint information propagation part

Claims (3)

A tag giving unit for setting a tag for uniquely identifying the document file with respect to the document file;
A program execution unit for operating the program and reading the document file;
A taint analysis unit that propagates the tag to an instruction execution result when the data set with the tag is passed to an instruction to be executed by the program execution unit;
It is determined whether the tag held by the instruction executed by the program execution unit is set in the document file , and the tag held in the instruction is set in the document file A determination unit for detecting that an attack by the document file has been performed;
After the detection of the attack by the determination unit, a command monitoring unit that determines a command having a tag set in the document file as an analysis target;
An analysis execution unit that analyzes execution of an instruction determined to be analyzed by the instruction monitoring unit ;
The tag assigning unit further includes:
Set a tag for a given program,
The taint analysis unit further includes:
In the writing process to the memory executed by the program in which the tag is set, the tag set in the document file is not set in the data to be written, and the data is set by the JIT compiler of the program. If it is data other than the command sequence of the generated script, set a tag indicating that the data is an analysis target in the data,
The determination unit further includes:
An information processing apparatus , wherein when an instruction having a tag indicating the analysis target is executed, it is detected that an attack by the document file has been performed . The taint analysis unit further includes:
When the tag set in the program is not set in the data to be written to the memory executed by the program, the same tag as the tag set in the document file is set in the data. The information processing apparatus according to claim 1 . Computer
A tag providing step for setting a tag for setting a tag for uniquely identifying the document file with respect to the document file;
Operating a program for reading the document file, and a program execution step for reading the document file;
A taint analyzing step for propagating the tag to the execution result of the instruction when the set data of the tag is passed to the instruction executed in the program execution step;
It is determined whether or not the tag held by the instruction executed in the program execution step is set in the document file , and the tag held in the instruction is set in the document file A determination step for detecting that an attack by the document file has been performed;
A command monitoring step of determining a command having a tag set in the document file as an analysis target after detection of an attack by the determination step;
An analysis execution step for analyzing the execution of the instruction determined to be analyzed in the instruction monitoring step ;
The tagging step further includes
Set a tag for a given program,
The taint analysis step further includes:
In the writing process to the memory executed by the program in which the tag is set, the tag set in the document file is not set in the data to be written, and the data is set by the JIT compiler of the program. If it is data other than the command sequence of the generated script, set a tag indicating that the data is an analysis target in the data,
The determination step further includes:
An information processing method , wherein when an instruction having a tag indicating the analysis target is executed, an attack by the document file is detected .

Images