The present disclosure relates to a backdoor inspection device, a backdoor inspection method, and a computer-readable medium.
Infrastructures and enterprise systems have become complicated. An infrastructure or enterprise system is therefore built not only from the devices of a single company but also by procuring devices of various enterprises from outside suppliers and combining the procured devices.
However, in recent years, numerous incidents have been reported in which hidden functions that users are not aware of, or functions that users do not expect, are found in the software (firmware) and hardware of such devices. In other words, numerous incidents related to “backdoors” have been reported. A “backdoor” can be defined, for example, as a feature incorporated as a part of software that includes multiple functions and which is undisclosed to and unwanted by users.
A method of detecting a specific type of backdoor is disclosed in, for example, Non-Patent Literature 1.
The inventors of the present disclosure have found that there is, for example, a need for equipment manufacturers to prove that the software installed in their equipment does not contain backdoors, and a need for equipment manufacturers to obfuscate the software installed in their equipment from the perspective of intellectual property protection. That is, the inventors of the present disclosure have found that there is a need to realize both proof of software trustability and obfuscation of software. Note that obfuscation processing includes, for example, software encrypting processing, embedding processing of dummy codes in software, or the like.
An object of the present disclosure is to provide a backdoor inspection device, a backdoor inspection method, and a computer-readable medium that can realize both proof of software trustability and obfuscation of software.
According to a first aspect of the present disclosure, a backdoor inspection device includes:
identifying means for identifying a plurality of code blocks included in software to be inspected;
inspection means for executing backdoor inspection processing on the software to be inspected for the plurality of the code blocks that are identified;
processing means for executing adjustment processing including obfuscation processing on the software to be inspected;
certificate generation means for generating a first certificate containing at least information on a result of the backdoor inspection processing; and
output means for outputting the software to be inspected on which the adjustment processing has been performed together with the first certificate.
According to a second aspect of the present disclosure, a backdoor inspection method includes:
identifying a plurality of code blocks included in software to be inspected;
executing backdoor inspection processing on the software for the plurality of the code blocks that are identified;
executing adjustment processing including obfuscation processing on the software;
generating a first certificate containing at least information on a result of the backdoor inspection processing; and
outputting the software on which the adjustment processing has been performed together with the first certificate.
According to a third aspect of the present disclosure, a non-transitory computer-readable medium stores a program for causing a backdoor inspection device to perform processes of:
identifying a plurality of code blocks included in software to be inspected;
executing backdoor inspection processing on the software for the plurality of the code blocks that are identified;
executing adjustment processing including obfuscation processing on the software;
generating a first certificate containing at least information on a result of the backdoor inspection processing; and
outputting the software on which the adjustment processing has been performed together with the first certificate.
According to the present disclosure, it is possible to provide a backdoor inspection device, a backdoor inspection method, and a computer-readable medium that can realize both proof of software trustability and obfuscation of software.
The following will describe example embodiments of the present invention with reference to the drawings. Note that in each drawing, the same or corresponding elements are designated by the same signs, and duplicate description will be omitted.
The backdoor inspection device 10 shown in
The identifying unit 11 identifies a plurality of “code blocks” included in the target software. The “code blocks” may be functional blocks corresponding to the functions included in the target software or may be basic blocks whose unit is smaller than that of the functional blocks.
The inspection unit 12 executes backdoor inspection processing on the target software for the plurality of the code blocks that are identified by the identifying unit 11. Here, there are technical difficulties in executing the inspection processing on the target software for which obfuscation processing has been performed. However, since the inspection unit 12 executes the inspection processing on the target software for which “obfuscation processing” is not performed yet, it is possible to reliably execute the inspection processing.
The adjustment processing unit 13 executes “adjustment processing” including “obfuscation processing” on the target software. As described above, “obfuscation processing” includes software encrypting processing, embedding processing of dummy codes in target software, or the like. Note that the adjustment processing unit 13 may execute adjustment processing when the result of the backdoor inspection processing indicates that there are no code blocks, which are backdoors, in the target software and execute adjustment processing when the result of the backdoor inspection processing indicates that there are code blocks, which are backdoors, in the target software.
The certificate generation unit 14 generates a certificate containing at least information on the result of the inspection processing (hereinbelow also referred to as a “first certificate”). Information on the result of the inspection processing includes, for example, information indicating whether or not there are code blocks, which are backdoors, in the target software.
The output unit 15 outputs the target software on which adjustment processing has been performed together with the first certificate. Accordingly, the software on which adjustment processing has been performed and the first certificate are transmitted together to the equipment manufacturer.
The configuration of the backdoor inspection device 10 described above allows for realization of both proof of software trustability and obfuscation of software. Incidentally, when the equipment manufacturer performs obfuscation processing of the target software after receiving the certificate regarding trustability of the target software, the certificate would be meaningless. On the other hand, the backdoor inspection device 10 allows for realization of both proof of software trustability and obfuscation of software and thus the aforementioned problem does not occur.
Note that the backdoor inspection device 10 executes the backdoor inspection method. The backdoor inspection method includes: identifying a plurality of code blocks included in software, which is a target of inspection; executing backdoor inspection processing on the software for the plurality of the code blocks that are identified; executing adjustment processing including obfuscation processing on the software; generating a first certificate containing at least information on the result of the backdoor inspection processing; and outputting the software on which adjustment processing has been performed together with the first certificate.
A second example embodiment relates to a more specific example embodiment.
<Configuration Example of Backdoor Inspection Device>
The hash value calculation unit 21 calculates a hash value of a target software on which adjustment processing has been performed by the adjustment processing unit 13.
The certificate generation unit 22 generates a first certificate containing information on the result of the inspection processing and a hash value calculated by the hash value calculation unit 21. For example, the certificate generation unit 22 generates, at the timing when the inspection processing has been completed by the inspection unit 12, a certificate containing at least information on the result of the inspection processing (hereinbelow also referred to as a “second certificate”). Then, the certificate generation unit 22 generates, at the timing when the hash value has been calculated by the hash value calculation unit 21, the first certificate by appending the hash value to the second certificate. That is, the first certificate in the second example embodiment contains the result of the backdoor inspection processing and the hash value that associates the result of the backdoor inspection processing with the target software on which adjustment processing has been performed.
<Example of Operation of Backdoor Inspection Device>
An example of processing operation of the backdoor inspection device 20 having the aforementioned configuration will be described.
The identifying unit 11 identifies, in the backdoor inspection device 20, a plurality of code blocks included in the target software (Step S101).
The inspection unit 12 executes backdoor inspection processing on the target software for the plurality of the code blocks that are identified (Step S102).
The certificate generation unit 22 generates a second certificate containing the result of the backdoor inspection processing (Step S103).
The adjustment processing unit 13 executes adjustment processing on the target software (Step S104).
The hash value calculation unit 21 calculates the hash value of the target software on which adjustment processing has been performed (Step S105).
The certificate generation unit 22 generates the first certificate by appending the hash value to the second certificate (Step S106).
The output unit 15 outputs the target software on which adjustment processing has been performed together with the first certificate (Step S107).
According to the second example embodiment described above, the hash value calculation unit 21 of the backdoor inspection device 20 calculates the hash value of the target software on which adjustment processing has been performed by the adjustment processing unit 13. The certificate generation unit 22 generates the first certificate containing information on the result of the backdoor inspection processing and a hash value calculated by the hash value calculation unit 21.
The configuration of the backdoor inspection device 20 described above allows generation of a first certificate containing information on the result of the backdoor inspection processing and a hash value that associates the information on the result of the backdoor inspection processing with the target software on which adjustment processing has been performed, whereby it is possible to enhance trustability of the information on the result of the backdoor inspection processing (that is, trustability of the first certificate).
<1> Note that the adjustment processing may include, in addition to or in place of the obfuscation processing, “security function addition processing” performed by rewriting codes. For example, as “security function addition processing”, the adjustment processing unit 13 may embed, in the target software, a “function” in accordance with which the memory of the device itself is scanned on a periodic basis and checked for tampering. Specifically, the adjustment processing unit 13 may rewrite the target software so as to add, to the target software, an execution code for a function that checks for tampering, so that the added execution code is called.
Further, the adjustment processing may include, in addition to or in place of the obfuscation processing, “deletion processing of debugging information” included in the target software. Examples of debugging information include a function name, a variable name, and information in association with lines of a source code. For example, when the target software is Linux (registered trademark), the adjustment processing unit 13 may delete these using a strip command.
<2> The certificate generation unit 22 may include, in the first certificate, the signature of the inspection authority where the backdoor inspection device 20 is installed. Further, the certificate generation unit 22 may include the signature of the backdoor inspection device 20 in the first certificate. Further, the certificate generation unit 22 may include the hash value or the name of the target software on which adjustment processing is not performed yet in the first certificate. Further, the certificate generation unit 22 may include, in the first certificate, the version of the backdoor inspection device 20, the ID of the analyst who performed the analysis by using the backdoor inspection device 20, the signature of the analyst, the organization to which the analyst belongs, the name of the analyst, and the like. Further, the certificate generation unit 22 may include, in the first certificate, information about the positions of the code blocks, which are backdoors, in the target software as the information on the result of the backdoor inspection processing.
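The following is an added illustration, not code from the disclosure, of Steps S103 to S107 together with the authority signature mentioned in <2>, and of what the recipient can check with the resulting first certificate. SHA-256, the XOR mask standing in for obfuscation, the HMAC standing in for a signature, and all field and function names are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample input standing in for the target software.
SAMPLE_SOFTWARE = b"\x7fELF constructed sample firmware image"
# Hypothetical authority key. HMAC is a standard-library stand-in for the
# inspection authority's signature; a real system would sign asymmetrically.
AUTHORITY_KEY = b"constructed-demo-key"


def adjust(software: bytes) -> bytes:
    """Stand-in for adjustment processing (S104): a byte-wise XOR mask.
    The disclosure does not fix an obfuscation method; this is assumed."""
    return bytes(b ^ 0x5A for b in software)


def _tag(cert_body: dict) -> str:
    # Canonical JSON so issuer and verifier authenticate identical bytes.
    payload = json.dumps(cert_body, sort_keys=True).encode()
    return hmac.new(AUTHORITY_KEY, payload, hashlib.sha256).hexdigest()


def issue_first_certificate(software: bytes, backdoor_found: bool):
    # S103: second certificate, produced before any obfuscation.
    second_cert = {"backdoor_found": backdoor_found}
    adjusted = adjust(software)                       # S104
    digest = hashlib.sha256(adjusted).hexdigest()     # S105 (SHA-256 assumed)
    body = dict(second_cert, adjusted_sha256=digest)  # S106: append the hash
    first_cert = dict(body, authority_tag=_tag(body))
    return adjusted, first_cert                       # S107: output together


def verify(received: bytes, first_cert: dict) -> str:
    """Recipient-side check of the certificate and its binding to the bytes."""
    body = {k: v for k, v in first_cert.items() if k != "authority_tag"}
    if not hmac.compare_digest(_tag(body), first_cert.get("authority_tag", "")):
        return "certificate altered"
    actual = hashlib.sha256(received).hexdigest()
    if not hmac.compare_digest(actual, body["adjusted_sha256"]):
        return "software does not match certificate"
    return "ok"


if __name__ == "__main__":
    adjusted, cert = issue_first_certificate(SAMPLE_SOFTWARE, False)
    print(verify(adjusted, cert))                      # delivered as issued
    print(verify(adjusted + b"\x00", cert))            # bytes changed later
    print(verify(adjusted, dict(cert, backdoor_found=True)))  # result edited
```

Any change to the software after issuance, including a second round of obfuscation by the manufacturer, makes the hash comparison fail, which is why the adjustment is performed before the certificate is finalized.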
A third example embodiment relates to a configuration example of an identifying unit.
The identification processing unit 11A identifies the “specific code blocks” corresponding to the “predetermined specific functions” in the target software. Examples of the “predetermined specific functions” include an “interface function”, an “authentication function (authentication routine)” and a “command function (server routine)”. That is, the “predetermined specific functions” are functions that are followed by various functions. That is, the “predetermined specific functions” correspond to the code blocks, each code block serving as a starting point in a control flow graph of the target software.
The identification processing unit 11A may identify the specific code blocks by using, for example, an “identification rule table (a first identification table)” in which a plurality of the specific functions and the characteristics of the specific code blocks corresponding to the specific functions are associated with each other. In this case, the identification processing unit 11A identifies a part of the software that matches the characteristics of the specific code blocks retained in the identification rule table as the specific code block. Further, the identification processing unit 11A may identify the specific code blocks by executing one or a plurality of algorithms or modules for identifying the specific functions instead of using the identification rule table.
The structural analysis unit 11B analyzes the configuration of the target software and identifies the code blocks corresponding to the functions other than the specific code function by proceeding in accordance with the control flow that starts from the specific code block identified by the identification processing unit 11A. For example, the structural analysis unit 11B creates a control flow graph like the one shown in
Then, for example, the inspection unit 12 detects “a path (a rogue path)” leading to the code blocks identified by the structural analysis unit 11B (i.e. execution parts of the identified code blocks which require authentication) without passing through the code block for the authentication function in the control flow graph created by the structural analysis unit 11B.
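As an added illustration, not code from the disclosure, the rogue-path check can be expressed as a reachability search over the control flow graph in which the authentication block is treated as impassable: any block requiring authentication that is still reachable has a path that bypasses it. The graph, block names and function name below are constructed for the example.

```python
from collections import deque

# Constructed control flow graph: code block -> successor code blocks.
# "interface" is the starting point; block names are hypothetical.
SAMPLE_CFG = {
    "interface": ["auth", "parse_debug"],
    "auth": ["dispatch"],
    "parse_debug": ["dispatch"],       # edge that bypasses authentication
    "dispatch": ["cmd_reboot", "cmd_dump_config"],
    "cmd_reboot": [],
    "cmd_dump_config": [],
}
# Blocks whose execution is supposed to require authentication.
SAMPLE_PROTECTED = {"dispatch", "cmd_reboot", "cmd_dump_config"}


def find_rogue_paths(cfg, entry, auth_block, protected):
    """Return {protected block: shortest path from entry avoiding auth_block}.

    Breadth-first search that never enters auth_block; a protected block
    that is still reached can execute without authentication.
    """
    parent = {entry: None}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        for nxt in cfg.get(node, []):
            if nxt == auth_block or nxt in parent:
                continue
            parent[nxt] = node
            queue.append(nxt)

    paths = {}
    for target in sorted(set(protected).intersection(parent)):
        path, node = [], target
        while node is not None:        # walk back to the entry block
            path.append(node)
            node = parent[node]
        paths[target] = path[::-1]
    return paths


if __name__ == "__main__":
    found = find_rogue_paths(SAMPLE_CFG, "interface", "auth", SAMPLE_PROTECTED)
    for block, path in found.items():
        print(block, "<-", " -> ".join(path))
```

An empty result means every path from the starting block to a protected block passes through the authentication block.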
Further, the inspection unit 12 detects, in the control flow graph created by the structural analysis unit 11B, code blocks including commands (or functions) that are not prescribed in the specification document.
The backdoor inspection devices 10, 20 according to the first and the second example embodiments, respectively, may have the hardware configuration shown in
The program can be stored by using any of various types of non-transitory computer-readable media and supplied to the backdoor inspection devices 10, 20. Examples of non-transitory computer-readable media include magnetic storage media (e.g., flexible disks, magnetic tapes, and hard disk drives) and magneto-optical storage media (e.g., magneto-optical disks). Examples of non-transitory computer-readable media further include CD-ROM (Read Only Memory), CD-R, and CD-R/W. Further, examples of non-transitory computer-readable media include semiconductor memory. Examples of semiconductor memory include mask ROM, PROM (Programmable ROM), EPROM (Erasable PROM), flash ROM, and RAM (Random Access Memory). The program may also be supplied to the backdoor inspection devices 10, 20 through any of various types of transitory computer-readable media. Examples of the transitory computer-readable media include electrical signals, optical signals, and electromagnetic waves. The transitory computer-readable media can supply the program to the backdoor inspection devices 10, 20 via a wired communication path, such as an electric wire and an optical fiber, or a wireless communication path.
Although the present invention has been described with reference to the example embodiments, the present invention is not limited to the above. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present disclosure within the scope of the present invention.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2020/021920 | 6/3/2020 | WO |