Like reference symbols in the various drawings indicate like elements.
The CPU 1000 and the graphic controller 1075 access the RAM 1020 at a high transfer rate. The host controller 1082 interconnects the RAM 1020, the CPU 1000, and the graphic controller 1075. The CPU 1000 works on the basis of programs stored in the BIOS 1010 and the RAM 1020, and controls each part. The graphic controller 1075 acquires image data generated by the CPU 1000 or the like in a frame buffer provided in the RAM 1020, and causes a display device 1080 to display images corresponding to the image data. The display device 1080 displays results of operations executed by the CPU 1000. More specifically, the display device 1080 may display several windows, each displaying the operation results and each receiving user operations, in order to realize a multi-window system.
The I/O controller 1084 interconnects the host controller 1082 and relatively high-speed I/O devices, such as the communication device 1030, the HDD 1040, the input device 1045, and the CD-ROM drive 1060. The communication device 1030 communicates with external devices via a network. The HDD 1040 is an example of a storage device employed in an embodiment of the present invention, and stores programs and data used by the information processing apparatus 10. The input device 1045 informs the I/O chip 1070 of content of operations received thereby. For example, the input device 1045 may be a keyboard or a mouse, and may inform the I/O chip 1070 of an ID of the pressed key or an ID of the clicked button of the mouse. The CD-ROM drive 1060 reads programs or data from a CD-ROM 1095, and supplies the programs or data to the RAM 1020 or the HDD 1040.
The BIOS 1010 and relatively low-speed I/O devices, such as the FD drive 1050 and the I/O chip 1070, are connected to the I/O controller 1084. The BIOS 1010 stores a boot program executed by the CPU 1000 at the time of booting of the information processing apparatus 10 and hardware-dependent programs that are dependent on the hardware of the information processing apparatus 10. The FD drive 1050 reads programs or data from a flexible disk 1090, and supplies the programs or data to the RAM 1020 or the HDD 1040 through the I/O chip 1070.
Programs are stored on a storage medium, such as the flexible disk 1090, the CD-ROM 1095, or an IC (integrated circuit) card, and supplied to the information processing apparatus 10 by users. The programs are read out from the storage medium through the I/O chip 1070 and/or the I/O controller 1084, and installed in the information processing apparatus 10, and are executed. Operations that the programs cause the information processing apparatus 10 or the like to execute will be described with reference to
The programs described above may be stored on external storage media. The storage media can include the flexible disk 1090, the CD-ROM 1095, an optical storage medium such as DVD (digital versatile disk) or a PD (phase change rewritable disk), a magneto-optical storage medium such as an MD (minidisk), a tape medium, and a semiconductor memory such as an IC card. In addition, the programs may be supplied to the information processing apparatus 10 via a network using a storage device, such as an HDD or a RAM, provided in a server system connected to a private communication network or the Internet as the storage medium.
The permission information storage area 210 serves as a permission information storage section employed in an embodiment of the present invention. The permission information storage area 210 stores identification information of processes having permission to communicate, using the communication device 1030, regardless of the relation to the operations received by the input device 1045. In addition, the permission information storage area 210 stores identification information of processes permitted to access the HDD 1040, regardless of the relation to the operations received by the input device 1045. That is, a controller 350, which will be described in further detail below, permits communication according to a communication request issued by the process whose identification information is stored in the permission information storage area 210. Similarly, the controller 350 permits access according to an access request issued by the process having the identification information stored in the permission information storage area 210. Here, preferably, the identification information of the process may be, for example, a hash value of binary data of a program, executed by the process, stored in an executable file. Alternatively, the identification information of the process may be, for example, a process ID, a path of an executable file for executing the process, or a command (including an option given to the command) causing execution of the executable file. Users can exclude processes from targets of unauthorized access detection by storing the identification information of the trusted processes in the permission information storage area 210.
In one embodiment, the first operation detector 300, the second operation detector 320, and the third operation detectors 325-1 to 2 serve as operation detecting sections and detect operations received by the input device 1045. The operations may be, for example, a key input operation performed on a keyboard and a click or drag-and-drop operation performed on a mouse. More specifically, the first operation detector 300 works in a memory space in which the process 30-1 works, and is realized by hooking the messages, which indicate contents of the operations that the input device 1045 has received, transferred to the process 30-1 from the OS 35. The messages indicating the operation contents include, for example in Windows®, WM_KEYDOWN indicating pressing of a key of a keyboard corresponding to the input device 1045, and WM_LBUTTONDOWN indicating pressing of a left button of the mouse, which is the input device 1045.
The first operation detector 300 starts working when these messages are transmitted from the OS 35 to the process 30-1. After starting working, the first operation detector 300 causes the second operation detector 320 to verify whether the input device 1045 is actually operated by the user. The second operation detector 320 is realized by a device driver that works in a kernel space. The second operation detector 320 detects whether the user actually has operated the input device 1045 when the messages, indicating the contents of the operations received by the input device 1045, are transmitted from the OS 35 to the process 30-1. For example, the second operation detector 320 determines that the input device 1045 has not been operated when a key operation emulation is performed by a virtual keyboard device driver. To realize this, the second operation detector 320 detects, for example, other device drivers belonging in the same layer as the device driver for the input device 1045, such as a keyboard and a mouse. The second operation detector 320 determines that the input device 1045 has not been operated when the detected device driver is not the predetermined proper device driver. As described above, it may be possible to increase the accuracy of the operation detection by checking the device driver layer.
Alternatively, the first operation detector 300 and the second operation detector 320 may determine that the input device 1045 has been operated if the elapsed time, from the input device 1045 receiving the operation until one of the processes receiving the content of the operation, is equal to or shorter than a reference period. More specifically, the second operation detector 320 first stores the time at which the input device 1045 is actually operated in a storage device. The first operation detector 300 then calculates the time difference between the time at which the process 30-1 receives the message indicating the content of the operation and the time stored in the storage device, and thereby measures the elapsed time between these two time points. The first operation detector 300 and the second operation detector 320 then determine that the input device 1045 has received the operation if the measured period is equal to or shorter than the reference period. Through this procedure, even if messages are fabricated, only the contents of operations that are likely to have actually been received reach the process as messages, so it is possible to accurately determine whether the communication or the access relates to the user operation.
The second operation detector 320 determines that the input device 1045 has not been operated when the process 30-1 receives the message indicating the operation content but the input device 1045 has not received the operation. For example, when the virtual keyboard device driver, which by software emulates the operation performed on a keyboard, transmits the message to the process 30-1, the second operation detector 320 determines that the input device 1045 has not received the operation. When the input device 1045 is determined to have received the operation, the first operation detector 300 transmits the message indicating the operation content to the process 30-1 without any change. The first operation detector 300 also informs the relation determiner 340 of information such as the message reception time.
The third operation detector 325-1 is provided for the process 30-1, and the third operation detector 325-2 is provided for the process 30-2. Each of the third operation detectors 325-1 to 2 works when a key operation emulation request is transmitted to the OS 35 from the corresponding process. Each of the third operation detectors 325-1 to 2 is realized by hooking APIs (application programming interfaces) requesting the OS 35 to emulate the key operation transmitted from the corresponding process. This is realized by, for example, hooking a function for emulating the key operation, such as a SendInput function in Windows®, and by confirming the function is not called. Upon detecting the key operation emulation request to the OS 35, each of the third operation detectors 325-1 to 2 cancels the key operation emulation request (fails the API call). However, such a request may be permitted only to a predetermined process that realizes remote operations. That is, each of the third operation detectors 325-1 to 2 may determine that the input device 1045 has received the operation when the operation content is supplied to another process on the basis of the operation of the predetermined process that remotely operates the information processing apparatus 10 even if the input device 1045 has not been operated.
The request detector 330, the relation determiner 340, the controller 350, and the permission information manager 360 work in the same memory space as the process 30-2. The request detector 330 detects communication requests given to the communication device 1030 from one of the processes (e.g., the process 30-2) executed by the CPU 1000. The request detector 330 also detects access requests to the HDD 1040 from one of the processes (e.g., the process 30-2) executed by the CPU 1000. More specifically, the request detector 330 is realized by hooking APIs used by the process 30-2 to send the communication requests and APIs used by the process 30-1 to send the access requests. The APIs used for sending the communication requests include, for example in Windows®, “sendto” for requesting data transmission according to UDP (user datagram protocol), “send” for requesting data transmission according to TCP (transmission control protocol), “recv” for requesting data reception according to TCP, and “recvfrom” for requesting data reception according to UDP. The APIs used for sending the access requests include, for example in Windows®, “ReadFile” for requesting reading of data from a file and “CreateFile” for requesting newly creating a file.
The relation determiner 340 determines a relation between the operation detected by the first operation detector 300 and the communication request detected by the request detector 330. The relation determiner 340 also determines the relation between the operation that the first operation detector 300 has detected and the access request that the request detector 330 has detected. For example, the relation determiner 340 may determine that the detected operation and the detected communication request are related to each other if the period from the input device 1045 receiving the operation until the communication device 1030 receiving the communication request is shorter than a predetermined reference period. Similarly, the relation determiner 340 may determine that the detected operation is related to the detected access request if the period from the input device 1045 receiving the operation until the HDD 1040 receiving the access request is shorter than the reference period.
The relation determiner 340 may further determine the relation between the detected operation and the detected communication request or access request on the basis of the relation between the processes 30-1 and 30-2. More specifically, the relation determiner 340 may determine that the detected operation is related to the detected communication request or access request on the further condition that the processes 30-1 and 30-2 are the same. Furthermore, the relation determiner 340 may determine that the detected operation and the detected communication request are related to each other if the process 30-1 directly or indirectly communicates with the process 30-2. Here, a state in which “the process 30-1 indirectly communicates with the process 30-2” is referred to as a case where the process 30-1 communicates with a mediation process, and the mediation process communicates with the process 30-2. There may be several mediation processes. As another example, the relation determiner 340 may determine that the detected operation and the detected communication request or access request are related if ancestor processes that have directly or indirectly generated the processes 30-1 and 30-2 are the same. Here, “directly or indirectly generating a process” means generating the process as a child process or generating a child process that further generates a descendant process, i.e., the process. For example, the relation determiner 340 may determine that the detected operation is related to the detected communication request or access request if both processes 30-1 and 30-2 are generated by a common parent process.
The controller 350 prevents communication performed by the communication device 1030 according to the communication request if there is no relation between the operation detected by the first operation detector 300 and the second operation detector 320 and the communication request detected by the request detector 330. The controller 350 permits the communication according to the communication request if the detected operation and the detected communication request are related. Similarly, the controller 350 prevents access to the HDD 1040 according to the access request if the operation detected by the first operation detector 300 and the second operation detector 320 is unrelated to the access request detected by the request detector 330. The controller 350 permits the access according to the access request, if the detected operation and the detected access request are related to each other. More specifically, if the relation is determined to exist, the controller 350 causes the request detector 330 to execute the hooked API without any change.
The controller 350 permits the communication or the access based on the communication request or the access request issued by the process whose identification information is stored in the permission information storage area 210 regardless of the relation to the operation. In addition, the controller 350 may inquire of the user of the information processing apparatus 10 whether to permit the communication or the access, when the controller 350 prevents the communication or the access due to the lack of a relation between the operation and the request. The inquiry may be performed by, for example, displaying a dialog box on a screen of the display device 1080. The dialog box shows a message alerting the user together with buttons for indicating permission and prevention of the communication. The message may say “communication highly likely to be unauthorized is requested by the process XX. Do you permit this communication?” Using this configuration, it is possible to ask the user to make a determination regarding a communication that may be highly possibly unauthorized, and to prevent leakage of confidential information and personal information.
The permission information manager 360 stores identification information of the process having issued the communication request or the access request in the permission information storage area 210, when the relation determiner 340 determines the operation is related to the communication request or the access request. As a result, once a process has been determined to have performed access relating to the operation, the process can freely perform subsequent communication or access. By means of this configuration, the load of the CPU 1000 and the operation load of the user through the dialog box can be reduced by omitting the above determination for processes less likely to perform unauthorized operations.
As described above, an example of determining a relation between the operation received by the process 30-1 and the communication request issued by the process 30-2 has been described with reference to
The first operation detector 300, the second operation detector 320, and each of the third operation detectors 325-1 to 2 determine whether the detected operation occurred because the input device 1045 was directly operated, rather than merely because the process 30-1 received a message indicating the operation content (step S410). If the input device 1045 is not directly operated, the first operation detector 300, the second operation detector 320, and the third operation detectors 325-1 to 2 determine whether or not the message is input from a predetermined process that controls the remote operation of the information processing apparatus 10 (step S420). The predetermined process that controls the remote operation may be a process that transmits images of display screens of the information processing apparatus 10 to other information processing apparatuses and that transmits messages indicating the contents of the operations that the other information processing apparatuses have received to a process of the information processing apparatus 10. For example, in Windows®, the predetermined process is a process that realizes a terminal server function, and the name of the executable file of the process is “svchost.exe”.
If the input device 1045 is not directly operated and the message indicating the operation content is not input from the predetermined process, the first operation detector 300, the second operation detector 320, and the third operation detectors 325-1 to 2 terminate the processing shown in this figure. At this time, the third operation detectors 325-1 to 2 may cancel the request, such as key input emulation, and may fail the API call realizing such a request. On the other hand, if the input device 1045 is directly operated or the message indicating the operation content is input from the predetermined process, the first operation detector 300, the second operation detector 320, and the third operation detectors 325-1 to 2 continue with the following processing. First, the first operation detector 300 determines whether one of the windows displayed on the screen of the display device 1080 belongs to the process (i.e., the process 30-1) that receives the message (step S430). This window is used by the process 30-1 for displaying the processing result or for receiving the input to the process 30-1.
If the process 30-1 has the window, the first operation detector 300 determines whether the window was set to the foreground at the time that the input device 1045 received the operation (step S440). The foreground window means, for example, a window that is displayed in the foreground such that it covers other windows displayed on the screen of the display device 1080. If the window is not set to the foreground, the first operation detector 300 determines whether the window is the target of the drag-and-drop operation of the mouse, which is the input device 1045 (step S450). If the window is not set to the foreground and is not the target of the drag-and-drop operation, the first operation detector 300 terminates the processing shown in
On the other hand, if the window is set to the foreground or the window is the target of the drag-and-drop operation, the first operation detector 300 performs the following processing to detect the operation that the input device 1045 has received. First, the first operation detector 300 stores identification information of the process (e.g., the process 30-1) that has received the message indicating the operation content in the temporary storage area (step S460). The identification information is used to determine a relation between processes at step S650, which is described below. The first operation detector 300 then stores the detection time of the operation received by the input device 1045 in the temporary storage area (step S470). The detection time is used for the calculation of the elapsed time at step S630, which is described below.
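The operation-detection side described above (the first, second and third operation detectors of the earlier paragraphs, and steps S410 to S470 here) can be summarised as one decision function over two constructed event streams: physical input events as the kernel-space driver would record them, and input messages as the user-mode hook would see them delivered to a process. The following is an added example written for this page, not code from the patent; the driver names, the reference period of 0.5 seconds, the message source labels and all sample events are constructed assumptions, and the window-ownership and foreground checks of steps S430 to S450 are modelled as flags on the message rather than queried from the OS.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical reference period (seconds): a physical input must precede the
# message delivered to the process by no more than this.
REFERENCE_PERIOD = 0.5

# Hypothetical names of the proper input-class drivers. Any other driver in the
# same layer (e.g. a virtual keyboard) means the device was not physically used.
PROPER_DRIVERS = {"kbdclass", "mouclass"}

# The predetermined remote-operation process named in the text for Windows.
REMOTE_OPERATION_PROCESS = "svchost.exe"


@dataclass
class HardwareInput:
    """Constructed record of what the kernel-space (second) detector stores."""
    time: float
    driver: str


@dataclass
class InputMessage:
    """Constructed record of a message seen by the user-mode (first) detector."""
    pid: int
    time: float
    kind: str                 # e.g. "WM_KEYDOWN", "WM_LBUTTONDOWN"
    source: str               # "hardware" or "SendInput" (emulation request)
    sender_exe: str = ""      # executable that issued an emulation request
    window_foreground: bool = False   # step S440, modelled as a flag
    drop_target: bool = False         # step S450, modelled as a flag


@dataclass
class DetectedOperation:
    """What steps S460/S470 place in the temporary storage area."""
    pid: int
    time: float


def hardware_input_before(msg: InputMessage, hw_inputs) -> Optional[HardwareInput]:
    """Latest physical input recorded at or before the message was received."""
    earlier = [h for h in hw_inputs if h.time <= msg.time]
    return max(earlier, key=lambda h: h.time) if earlier else None


def detect_operation(msg: InputMessage, hw_inputs) -> Optional[DetectedOperation]:
    """Return a DetectedOperation if msg reflects a genuine user operation, else None."""
    if msg.source != "hardware":
        # Step S420: an emulation request is accepted only from the
        # predetermined remote-operation process; the third detector cancels
        # any other (the hooked API call fails).
        if msg.sender_exe != REMOTE_OPERATION_PROCESS:
            return None
    else:
        # Step S410: the second detector checks the driver layer and the
        # first detector checks the elapsed time against the reference period.
        hw = hardware_input_before(msg, hw_inputs)
        if hw is None or hw.driver not in PROPER_DRIVERS:
            return None
        if msg.time - hw.time > REFERENCE_PERIOD:
            return None
    # Steps S430 to S450: the receiving process's window must be in the
    # foreground or be the drag-and-drop target.
    if not (msg.window_foreground or msg.drop_target):
        return None
    # Steps S460/S470: record the process and the detection time.
    return DetectedOperation(pid=msg.pid, time=msg.time)


def detect_all(messages, hw_inputs):
    return [op for op in (detect_operation(m, hw_inputs) for m in messages) if op]


# Constructed sample streams.
HW_INPUTS = [HardwareInput(10.00, "kbdclass"), HardwareInput(12.00, "vkbd_virtual")]
MESSAGES = [
    InputMessage(100, 10.05, "WM_KEYDOWN", "hardware", window_foreground=True),      # genuine
    InputMessage(100, 11.00, "WM_KEYDOWN", "hardware", window_foreground=True),      # 1.0 s late
    InputMessage(101, 12.02, "WM_KEYDOWN", "hardware", window_foreground=True),      # virtual driver
    InputMessage(102, 13.00, "WM_KEYDOWN", "SendInput", "unknown_tool.exe", True),   # emulation, cancelled
    InputMessage(103, 14.00, "WM_KEYDOWN", "SendInput", "svchost.exe", True),        # remote operation
    InputMessage(104, 10.10, "WM_LBUTTONDOWN", "hardware"),                          # background window
]

if __name__ == "__main__":
    for op in detect_all(MESSAGES, HW_INPUTS):
        print(f"operation detected: pid={op.pid} at t={op.time}")
```

Only the first and fifth messages survive: the late message fails the reference-period check, the one delivered after a virtual keyboard event fails the driver-layer check, the emulation request from an unknown executable is cancelled, and the message to a background window is ignored.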
In the event that the process is not permitted for the communication or the access, the relation determiner 340 performs the following processing. First, the relation determiner 340 determines the relation between the operation detected at step S400 and the communication or access request detected at step S500 (step S520). If there is no relation, the controller 350 prevents communication according to the communication request or the access to the HDD 1040 according to the access request (step S560). Before this step, the controller 350 may inquire of the user whether to prevent the communication or the access, and may prevent the communication or the access under the agreement of the user. When preventing the communication or the access, the controller 350 may further issue a warning to the user, may terminate the API for transmitting the communication request in a failure state, or may abort the process that has issued the communication request. In addition to this, the controller 350 may delete the executable file of the process from the HDD 1040.
On the other hand, if the relation exists, the permission information manager 360 stores the identification information of the process having issued the communication request or the access request in the permission information storage area 210 (step S540). The controller 350 then permits the communication or the access performed by the process (step S550).
For example, the relation determiner 340 may determine whether the processes 30-1 and 30-2 are the same process, or whether the process 30-1 directly or indirectly communicates with the process 30-2. Furthermore, the relation determiner 340 may determine whether both processes 30-1 and 30-2 are generated by a common parent process. If the process 30-1 is related to the process 30-2, the relation determiner 340 determines that the detected operation is related to the detected request (step S660). On the other hand, if the process 30-1 is not related to the process 30-2, the relation determiner 340 determines that the detected operation and the detected request are unrelated (step S670).
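The request side, namely the request detector, the relation determiner, the controller and the permission information manager described in the earlier component paragraphs and in steps S520 to S670 here, can be shown as one decision routine over a constructed process table. This is an added example written for this page, not the patent's code; the 2-second reference period, the executable images, process ids, parent links and IPC links are constructed, and the process identification information is a SHA-256 hash of the executable's binary data, which the text names as the preferred form. It goes slightly beyond the text in checking indirect communication through any number of mediation processes with a breadth-first search.

```python
import hashlib
from collections import deque
from dataclasses import dataclass

# Hypothetical reference period (seconds) between a detected operation and a request.
REFERENCE_PERIOD = 2.0

# API names the request detector hooks, as listed in the text.
COMMUNICATION_APIS = {"send", "sendto", "recv", "recvfrom"}
ACCESS_APIS = {"ReadFile", "CreateFile"}


@dataclass
class DetectedOperation:
    pid: int
    time: float


@dataclass
class Request:
    pid: int
    time: float
    api: str


@dataclass
class ProcessTable:
    """Constructed view of the OS: executable bytes, parent links and IPC links per pid."""
    image: dict    # pid -> bytes of the executable (constructed)
    parent: dict   # pid -> parent pid; root processes have no entry
    ipc: dict      # pid -> set of pids it communicates with directly

    def identification(self, pid):
        # Permission information is keyed on a hash of the executable's binary data.
        return hashlib.sha256(self.image[pid]).hexdigest()

    def ancestors(self, pid):
        out = []
        while pid in self.parent:
            pid = self.parent[pid]
            out.append(pid)
        return out

    def communicates(self, a, b):
        """True if a communicates with b directly or via mediation processes."""
        seen, queue = {a}, deque([a])
        while queue:
            cur = queue.popleft()
            if cur == b:
                return True
            for nxt in self.ipc.get(cur, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return False


def processes_related(table, op_pid, req_pid):
    """Step S650: same process, communicating processes, or a common ancestor."""
    if op_pid == req_pid or table.communicates(op_pid, req_pid):
        return True
    return bool(set(table.ancestors(op_pid)) & set(table.ancestors(req_pid)))


def relation_exists(table, operations, req):
    """Steps S630/S650: a detected operation within the reference period from a related process."""
    for op in operations:
        elapsed = req.time - op.time
        if 0 <= elapsed <= REFERENCE_PERIOD and processes_related(table, op.pid, req.pid):
            return True
    return False


def decide(table, operations, requests, permission_store):
    """Controller and permission manager. Returns [(api, pid, 'permit'|'prevent'), ...]."""
    decisions = []
    for req in requests:
        if req.api not in COMMUNICATION_APIS | ACCESS_APIS:
            continue                                          # not a hooked API
        ident = table.identification(req.pid)
        if ident in permission_store:
            decisions.append((req.api, req.pid, "permit"))    # trusted regardless of relation
        elif relation_exists(table, operations, req):
            permission_store.add(ident)                       # S540: remember the process
            decisions.append((req.api, req.pid, "permit"))    # S550
        else:
            decisions.append((req.api, req.pid, "prevent"))   # S560
    return decisions


# Constructed sample data.
TABLE = ProcessTable(
    image={100: b"browser-image", 101: b"helper-image", 200: b"agent-image", 300: b"proxy-image"},
    parent={100: 50, 101: 50, 150: 90, 200: 90, 300: 90},  # roots 50 and 90 have no entry
    ipc={100: {150}, 150: {300}},                           # 100 reaches 300 via mediation process 150
)
OPERATIONS = [DetectedOperation(pid=100, time=10.0)]
REQUESTS = [
    Request(100, 10.5, "send"),         # same process, within period -> permit
    Request(101, 11.0, "ReadFile"),     # common parent 50 -> permit
    Request(300, 11.0, "CreateFile"),   # reached through 150 -> permit
    Request(200, 11.5, "sendto"),       # no relation -> prevent
    Request(100, 20.0, "recv"),         # period expired, but process now trusted -> permit
    Request(200, 12.0, "CloseHandle"),  # not a hooked API -> ignored
]

if __name__ == "__main__":
    store = set()
    for api, pid, verdict in decide(TABLE, OPERATIONS, REQUESTS, store):
        print(f"{verdict:7s} {api} from pid {pid}")
```

The last request from process 100 arrives long after the operation, but it is permitted because the earlier related request caused its hash to be stored; process 200 is prevented and never enters the store.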
As described above with reference to
The invention can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment containing both hardware and software elements. In a preferred embodiment, the invention is implemented in software, which includes but is not limited to firmware, resident software, microcode, etc.
Furthermore, the invention can take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk-read only memory (CD-ROM), compact disk-read/write (CD-R/W) and DVD.
A data processing system suitable for storing and/or executing program code will include at least one processor coupled directly or indirectly to memory elements through a system bus. The memory elements can include local memory employed during actual execution of the program code, bulk storage, and cache memories which provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.
Input/output or I/O devices (including but not limited to keyboards, displays, pointing devices, etc.) can be coupled to the system either directly or through intervening I/O controllers.
Network adapters may also be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks. Modems, cable modem and Ethernet cards are just a few of the currently available types of network adapters.
Although the present invention has been described using exemplary embodiments, the technical scope of the present invention is not limited to the scope described in the above embodiments. It is obvious for those skilled in the art that various modifications or improvements can be added to the above-described embodiments. It is obvious from the appended claims that such modifications or improvements can be also included within the technical scope of the present invention.
| Number | Date | Country | Kind |
|---|---|---|---|
| JP2006-105044 | Apr 2006 | JP | national |