The present disclosure relates to data processing technologies and, in particular, information processing apparatuses and information processing methods.
Various memory protection technologies have been proposed to deal with risks of unauthorized seizure of system rights by attacks that exploit software vulnerabilities. Examples of such protection technologies include StackCanary, CFI (Control Flow Integrity), and DEP (Data Execution Prevention). Patent literature 1 below proposes a technology for checking whether a function call returns to a whitelisted address and preventing a jump to an address that is not predefined.
In the technology of Patent literature 1, abnormal function jumps can be prevented. However, when the technology is applied to a program operating in a privileged layer such as an OS (Operating System), the function that responds to an abnormality can itself be attacked in the same way, so that a stable abnormality respondent process cannot be guaranteed.
The present disclosure addresses the issue described above, and a purpose thereof is to provide a technology that realizes a stable abnormality respondent process responsive to an abnormality occurring in a system.
An information processing apparatus according to an aspect of the present disclosure is an information processing apparatus in which a first VM (Virtual Machine) and a second VM operate on a HV (HyperVisor), wherein the first VM includes: a detection unit that detects an abnormality in a process in the first VM; and a notification unit that, when the detection unit detects an abnormality, notifies the second VM of information related to the abnormality via the HV. The second VM includes: a respondent unit that executes a process responsive to the abnormality, based on the information related to the abnormality provided from the first VM.
Another aspect of the present disclosure also relates to an information processing apparatus. The apparatus is an information processing apparatus in which a HV and a secure OS operate on a secure monitor, and one or more VMs operate on the HV, wherein the HV includes: a detection unit that detects an abnormality in a process in the HV; and a notification unit that, when the detection unit detects an abnormality, notifies the secure OS of information related to the abnormality via the secure monitor. The secure OS includes: a respondent unit that executes a process responsive to the abnormality, based on the information related to the abnormality provided from the HV.
Still another aspect of the present disclosure relates to an information processing method. The method is an information processing method executed by a computer in which a first VM and a second VM operate on a HV, including: detecting, using the first VM, an abnormality in a process in the first VM, and notifying, when an abnormality is detected, the second VM of information related to the abnormality via the HV, and executing, using the second VM, a process responsive to the abnormality, based on the information related to the abnormality provided from the first VM.
Yet another aspect of the present disclosure also relates to an information processing method. The method is an information processing method executed by a computer in which a HV and a secure OS operate on a secure monitor, and one or more VMs operate on the HV, including: detecting, using the HV, an abnormality in a process in the HV, and notifying, when an abnormality is detected, the secure OS of information related to the abnormality via the secure monitor, and executing, using the secure OS, a process responsive to the abnormality, based on the information related to the abnormality provided from the HV.
Optional combinations of the aforementioned constituting elements, and implementations of the present disclosure in the form of systems, computer programs, recording mediums encoded with computer programs, and vehicles carrying an information processing apparatus may also be practiced as additional modes of the present disclosure.
Embodiments will now be described, by way of example only, with reference to the accompanying drawings which are meant to be exemplary, not limiting, and wherein like elements are numbered alike in several Figures, in which:
The invention will now be described by reference to the preferred embodiments. This does not intend to limit the scope of the present invention, but to exemplify the invention.
The device or the entity that executes the method according to the disclosure is provided with a computer. By causing the computer to run a program, the function of the device or the entity that executes the method according to the disclosure is realized. The computer is comprised of a processor that operates in accordance with the program as a main hardware feature. The disclosure is non-limiting as to the type of the processor so long as the function is realized by running the program. The processor is comprised of one or a plurality of electronic circuits including a semiconductor integrated circuit (IC) or a large-scale integration (LSI). The terms IC and LSI may change depending on the level of integration, and the processor may be comprised of a system LSI, a Very Large Scale Integration (VLSI), or an Ultra Large Scale Integration (ULSI). A field programmable gate array (FPGA), which is programmed after an LSI is manufactured, or a reconfigurable logic device, in which connections inside the LSI can be reconfigured or circuit compartments inside the LSI can be set up, can be used for the same purpose. The plurality of electronic circuits may be integrated in one chip or provided in a plurality of chips. The plurality of chips may be aggregated in one device or provided in a plurality of apparatuses. The program may be recorded in a non-transitory recording medium such as a computer-readable read only memory (ROM), optical disk, and hard disk drive or recorded in a non-transitory storage medium. The program may be stored in a recording medium in advance or supplied to a recording medium via a wide area communication network including the Internet.
A summary of an exemplary embodiment will be given first. Conventionally, technologies to protect software from attacks that exploit software vulnerabilities (for example, memory protection technologies that prevent abnormal function jumps) have been proposed. However, when such a conventional technology is applied to a program operating in a privileged layer such as an OS, the function that responds to an abnormality can itself be attacked in the same way, so that a stable abnormality respondent process cannot be guaranteed. In the information processing apparatus (ECU 12 described later) of the exemplary embodiment, a stable abnormality respondent process in response to an abnormality occurring in a system is realized by isolating the entity that executes the abnormality respondent process from the entity that detects the abnormality and, further, by isolating the detection result of the memory protection technology from the protected program.
In addition, various data related to abnormalities (hereinafter also referred to as “abnormality information”) must be collected and provided outside for analysis in order to fix software vulnerabilities. Since the management data of system software such as an OS is large, abnormality information must be collected and provided efficiently. The information processing apparatus (ECU 12 described later) of the exemplary embodiment realizes efficient collection and provision of abnormality information by scoring the degree of abnormality when an abnormality is detected.
Details of the exemplary embodiment will be described.
The blocks shown in the block diagrams of the present disclosure are implemented in hardware such as devices and mechanical apparatus exemplified by a CPU and a memory of a computer, and in software such as a computer program.
For example, a computer program including modules corresponding to at least some of the plurality of functional blocks of the ECU 12 shown in
The ECU 12 includes a hypervisor (HV 14) and a plurality of virtual machines (VM 16 and VM 18) operating on the HV 14. The HV 14 allocates the various hardware resources provided in the ECU 12 to the VM 16 and the VM 18. The VM 16 is, for example, a VM that provides the TCU function and, in the exemplary embodiment, is the first VM targeted in an attack. The VM 18 is, for example, a VM that provides the ADAS function and, in the exemplary embodiment, is the second VM that analyzes and responds to an abnormality caused by an attack. In addition, the VM 16 and the VM 18 share a memory region.
The VM 16 includes a guest OS 20 and processes of a plurality of applications (in the exemplary embodiment, an App process 22 and an App process 24) executed on the guest OS 20. In other words, the program of the guest OS 20 (hereinafter also referred to as “OS program”) is executed in the VM 16, and the programs of a plurality of applications are executed in the VM 16 under the management of the guest OS 20.
The App process 22 includes a privileged process request unit 26. The privileged process request unit 26 transmits a privileged process request generated in an application process to the guest OS 20. The privileged process request can be said to be a system call and may request a process of the guest OS 20 (for example, file opening) by calling the API (Application Programming Interface) of the guest OS 20.
The guest OS 20 includes a request reception unit 28, a kernel process unit 30, an abnormality notification unit 32, and an abnormality information storage unit 34. The request reception unit 28 receives the privileged process request transmitted from the App process 22 (privileged process request unit 26). The kernel process unit 30 executes a kernel process (for example, file opening) in response to the privileged process request received by the request reception unit 28. The kernel process unit 30 includes a first detection unit 36, a second detection unit 38, and a statistical information acquisition unit 40.
The first detection unit 36 and the second detection unit 38 detect an abnormality in a process in the VM 16. Specifically, the first detection unit 36 and the second detection unit 38 detect an abnormality in a process (which can be said to be a process in a privileged mode) in the guest OS 20 of the VM 16. The first detection unit 36 and the second detection unit 38 differ from each other in the method of detecting an abnormality. In the exemplary embodiment, the first detection unit 36 detects an abnormality in a process in the guest OS 20 according to a StackCanary mechanism. The second detection unit 38 detects an abnormality in a process in the guest OS 20 according to a CFI mechanism.
Referring back to
When an abnormality is detected by at least one of the first detection unit 36 or the second detection unit 38, the abnormality notification unit 32 acquires various data (abnormality information) related to the abnormality from the kernel process unit 30 and stores the data in the abnormality information storage unit 34. The abnormality information includes the process ID and the process name of the OS program in which the abnormality is detected, the type of detection unit in which the abnormality is detected (in the embodiment, the first detection unit 36 or the second detection unit 38), the register information, the position of and the data for the OS program in which the abnormality is detected, the stack trace data, and the information on the App process that called the OS program in which the abnormality is detected. The abnormality information storage unit 34 stores statistical information and abnormality information related to the detected abnormality.
Further, when an abnormality is detected by at least one of the first detection unit 36 or the second detection unit 38, the abnormality notification unit 32 provides information related to the abnormality (hereinafter also referred to as “notification information”) to the VM 18 via the HV 14. In the exemplary embodiment, the abnormality notification unit 32 passes the notification information to the HV 14 by calling a predetermined API of the HV 14. The notification information of the exemplary embodiment includes the data necessary for acquiring the abnormality information stored in the abnormality information storage unit 34, rather than the abnormality information itself. For example, the notification information may include address data indicating the storage position of the abnormality information in the abnormality information storage unit 34.
The HV 14 includes a transfer unit 42. The transfer unit 42 receives the notification information output from the VM 16 (guest OS 20) and transfers the notification information to the VM 18 (guest OS 44).
The VM 18 includes a guest OS 44 and one or more application processes (App process 46 in the exemplary embodiment) running on the guest OS 44.
The guest OS 44 includes a request reception unit 48, a kernel process unit 50, and an interrupt reception unit 52. The request reception unit 48 and the kernel process unit 50 correspond to the request reception unit 28 and the kernel process unit 30 of the guest OS 20. The interrupt reception unit 52 receives the notification information passed by an interrupt from the HV 14 and passes the notification information to the App process 46.
The App process 46 executes, as a respondent unit, a respondent process responsive to the abnormality, based on the information on the abnormality (notification information in the exemplary embodiment) provided from the VM 16. In the exemplary embodiment, the App process 46 executes a respondent process responsive to the abnormality, based on the information on the abnormality in a process in the guest OS 20 acquired from the VM 16. The App process 46 includes an abnormality analysis unit 54 and an abnormality respondent unit 56.
The abnormality analysis unit 54 receives the notification information relating to the abnormality in the guest OS 20 output from the guest OS 20 of the VM 16 and transferred by the HV 14 (transfer unit 42) and the guest OS 44 (interrupt reception unit 52). The abnormality analysis unit 54 reads the abnormality information and the statistical information related to the abnormality from the VM 16 (abnormality information storage unit 34) based on the address data indicated by the notification information. The abnormality analysis unit 54 derives a degree of abnormality based on the abnormality information and the statistical information read from the VM 16 (abnormality information storage unit 34).
When the degree of abnormality derived by the abnormality analysis unit 54 is less than a predetermined threshold (the second threshold described later), the abnormality respondent unit 56 restarts the process of the application (App process 22 in the exemplary embodiment) that requested the process of the guest OS 20. When the degree of abnormality derived by the abnormality analysis unit 54 is greater than or equal to that threshold, on the other hand, the abnormality respondent unit 56 aborts the process of the application.
Further, when the degree of abnormality derived by the abnormality analysis unit 54 is greater than or equal to a predetermined threshold (the first threshold described later, which is lower than the second threshold), the abnormality respondent unit 56 transmits data related to the abnormality to an external apparatus. When the degree of abnormality derived by the abnormality analysis unit 54 is less than that threshold, on the other hand, the abnormality respondent unit 56 does not transmit data related to the abnormality to the external apparatus, that is, it suppresses transmission to the external apparatus. The external apparatus may be an apparatus external to the ECU 12, an apparatus external to the vehicle 10, or an apparatus that stores and analyzes the abnormality information on the ECU 12.
The operation of the ECU 12 of the exemplary embodiment having the above configuration will be described.
During the process in the privileged mode in the kernel process unit 30, the first detection unit 36 checks for an abnormality according to a StackCanary mechanism (S12). When the first detection unit 36 does not detect an abnormality (N in S13), the second detection unit 38 checks for an abnormality according to a CFI mechanism (S14). When the second detection unit 38 does not detect an abnormality (N in S15), the kernel process unit 30 returns the result of the process in the privileged mode to the requesting App process 22 (S16).
When the first detection unit 36 detects an abnormality (Y in S13) or when the second detection unit 38 detects an abnormality (Y in S15), the kernel process unit 30 executes an abort process for the process in the privileged mode executed so far (S17). The abnormality notification unit 32 stores abnormality information related to the detected abnormality in the abnormality information storage unit 34 (S18). The abnormality notification unit 32 transmits notification information related to the detected abnormality to the VM 18 (i.e., the further VM that executes the process responsive to the abnormality) via the HV 14 (S19).
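The following C program is an added illustration of steps S12 to S19 and is not code from the disclosure. A kernel routine with an unbounded copy stands in for the attacked OS program: its canary check plays the role of the first detection unit 36, and a whitelist check on an indirect call target plays the role of the second detection unit 38. The shared memory ring, the record layout, the canary constant, the slot-index notification and the sample inputs are all assumptions made for the example; in a real guest OS the canary check is emitted by the compiler in each function epilogue, the CFI check is emitted at each indirect call site, and the notification is a hypercall rather than a function return.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Which detection unit raised the abnormality (part of the abnormality information). */
enum detector { DET_NONE = 0, DET_STACK_CANARY = 1, DET_CFI = 2 };

/* Abnormality record as written by the abnormality notification unit (S18). */
struct abn_record {
    enum detector det;          /* first or second detection unit */
    uint32_t      pid;          /* OS program in which the abnormality was detected */
    char          proc_name[16];
    uintptr_t     fault_site;   /* position in the OS program (here: the rejected call target) */
    uint32_t      caller_app;   /* App process that issued the privileged request */
};

/* Memory shared by VM 16 and VM 18, modelled as a static ring of records (assumption). */
#define SHM_SLOTS 4
static struct abn_record shm_records[SHM_SLOTS];
static uint32_t shm_next;

/* Notification information passed through the HV API (S19): only the storage
 * position of the record, not the abnormality data itself. */
struct notification { uint32_t slot; };

/* ---- First detection unit (36): stack canary ---- */
#define CANARY_VALUE 0x5a5a1234deadbeefULL
struct frame { char buf[16]; uint64_t canary; };   /* 24 bytes, canary directly above buf */

/* Kernel routine whose copy is not bounded by buf: len > 16 overwrites the canary.
 * The missing length check is the deliberate defect the canary exists to catch. */
static enum detector kernel_copy_with_canary(const unsigned char *in, size_t len)
{
    struct frame f;
    f.canary = CANARY_VALUE;
    memset(f.buf, 0, sizeof f.buf);
    if (len > sizeof f) len = sizeof f;        /* keep the demo inside the frame object */
    memcpy(&f, in, len);                       /* no bound check against buf: the bug */
    return f.canary == CANARY_VALUE ? DET_NONE : DET_STACK_CANARY;   /* epilogue check */
}

/* ---- Second detection unit (38): forward-edge CFI on an indirect call ---- */
typedef int (*kernel_op)(int);
static int op_open(int x)     { return x + 1; }
static int op_read(int x)     { return x * 2; }
static int not_allowed(int x) { return -x; }   /* a target the whitelist does not contain */
static const kernel_op cfi_allowed[] = { op_open, op_read };

static int cfi_target_ok(kernel_op target)
{
    for (size_t i = 0; i < sizeof cfi_allowed / sizeof cfi_allowed[0]; i++)
        if (cfi_allowed[i] == target) return 1;
    return 0;
}

/* Kernel process unit (30), S12 to S16: returns the detector that fired, or
 * DET_NONE after a completed request with *result set. */
static enum detector kernel_process(const unsigned char *arg, size_t arglen,
                                    kernel_op handler, int *result)
{
    enum detector d = kernel_copy_with_canary(arg, arglen);   /* S12/S13 */
    if (d != DET_NONE) return d;
    if (!cfi_target_ok(handler)) return DET_CFI;              /* S14/S15 */
    *result = handler(7);                                     /* S16 */
    return DET_NONE;
}

/* Abnormality notification unit (32): store the record (S18) and build the
 * notification handed to the HV transfer unit (S19). */
static struct notification notify_abnormality(enum detector det, uint32_t pid,
                                              const char *name, uintptr_t site,
                                              uint32_t app)
{
    uint32_t slot = shm_next++ % SHM_SLOTS;
    struct abn_record *r = &shm_records[slot];
    r->det = det; r->pid = pid; r->fault_site = site; r->caller_app = app;
    snprintf(r->proc_name, sizeof r->proc_name, "%s", name);
    struct notification n = { slot };
    return n;
}

/* VM 18 side: the abnormality analysis unit reads the record at the notified position. */
static const struct abn_record *vm18_read_record(struct notification n)
{
    return &shm_records[n.slot % SHM_SLOTS];
}

/* Constructed benign argument (fits in buf). */
static const unsigned char benign_arg[9] = "open.txt";

/* Runs one of three requests: 0 = benign, 1 = canary overflow, 2 = non-whitelisted handler. */
static enum detector demo_request(int which)
{
    unsigned char big[24];          /* 24 bytes: fills buf and overwrites the canary */
    int result = 0;
    memset(big, 'A', sizeof big);
    switch (which) {
    case 0:  return kernel_process(benign_arg, sizeof benign_arg, op_open, &result);
    case 1:  return kernel_process(big, sizeof big, op_open, &result);
    default: return kernel_process(benign_arg, sizeof benign_arg, not_allowed, &result);
    }
}

/* Full S17 to S19 path for one request; returns the detector VM 18 sees in the record. */
static enum detector demo_notify_roundtrip(int which)
{
    enum detector d = demo_request(which);
    if (d == DET_NONE) return DET_NONE;   /* nothing to notify */
    struct notification n = notify_abnormality(d, 1, "guest_os", (uintptr_t)not_allowed, 22);
    return vm18_read_record(n)->det;
}

int main(void)
{
    static const char *names[] = { "none", "stack canary", "CFI" };
    for (int i = 0; i < 3; i++)
        printf("request %d: detector=%s, VM 18 reads=%s\n", i,
               names[demo_request(i)], names[demo_notify_roundtrip(i)]);
    return 0;
}
```

The point of the slot-index notification is that the HV API carries only a position, so the responder in VM 18 reads the record through its own mapping of the shared region instead of trusting data that a compromised guest OS 20 could have placed in the hypercall arguments.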
The request reception unit 28 of the guest OS 20 provides information related to the privileged process request received from the App process 22 to the statistical information acquisition unit 40, although the feature is not shown in
When the abnormality information indicates that the second detection unit 38 has detected an abnormality, i.e., when the first detection unit 36 has not detected an abnormality and the second detection unit 38 has detected an abnormality (Y in S22), the abnormality analysis unit 54 increments an abnormality score (+1 in the exemplary embodiment) (S23). The abnormality score is an index value indicating the degree of abnormality in the VM 16 (guest OS 20). When the abnormality information indicates that the first detection unit 36 has detected an abnormality (N in S22), the process in S23 is skipped. Thus, the degree of abnormality is raised when an attack that evades detection by the first detection unit 36 is caught only by the second detection unit 38, so that a respondent process appropriate to the type of attack is executed.
The abnormality analysis unit 54 analyzes the abnormality information and the statistical information and determines whether or not an abnormal operation different from normal is recorded as an operation of the App process 22 calling the OS program (S24). When the number of times or frequency of privileged process requests from the App process 22 indicated by the statistical information is greater than a predetermined threshold, or when the number of times or frequency of privileged process requests from the App process 22 failing in a format check is greater than a predetermined threshold, for example, the abnormality analysis unit 54 may determine that an abnormal operation is recorded. When an abnormal operation of the App process 22 is recorded (Y in S25), the abnormality analysis unit 54 increments the abnormality score (+1 in the exemplary embodiment) (S26). When an abnormal operation of the App process 22 is not recorded (N in S25), the process in S26 is skipped.
As a result of the steps up to S26, the abnormality score is “0” when the degree of abnormality is low, “1” when the degree of abnormality is medium, and “2” when the degree of abnormality is high. The abnormality respondent unit 56 executes a process responsive to the abnormality according to the abnormality score (S27).
When the abnormality score is less than the first threshold (“1” in the exemplary embodiment), i.e., when the abnormality score is “0”, the abnormality respondent unit 56 restarts the App process 22 of the VM 16 that called the OS program in which the abnormality is detected and, as described above, does not transmit data related to the abnormality to the external apparatus. When the abnormality score is greater than or equal to the first threshold and less than the second threshold (“2” in the exemplary embodiment), i.e., when the abnormality score is “1”, the abnormality respondent unit 56 restarts the App process 22 of the VM 16 that called the OS program in which the abnormality is detected. At the same time, the abnormality respondent unit 56 stores the abnormality information acquired from the VM 16 in a predetermined storage area (for example, a memory area for the VM 18) and transmits security incident data including the abnormality information to the external apparatus.
When the abnormality score is greater than or equal to the second threshold, i.e., when the abnormality score is “2”, the abnormality respondent unit 56 aborts the App process 22 of the VM 16 that called the OS program in which the abnormality is detected, and operates the VM 16 in a fallback mode. For example, the VM 18 may store a pre-generated command file whose content forcibly aborts the App process 22, and the abnormality respondent unit 56 may execute the command file. At the same time, the abnormality respondent unit 56 stores the abnormality information acquired from the VM 16 in a predetermined storage area (for example, a memory area for the VM 18) and transmits security incident data including the abnormality information to the external apparatus.
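The following C program is an added illustration of steps S22 to S27 and is not code from the disclosure; the same scoring is applied to hypercalls in the first variation below, and the program also covers the score-“0” case stated there. The statistical information acquisition unit 40 is modelled as a count over a constructed request log within a sliding window. The window length, the request-rate and format-failure limits, the thresholds “1” and “2” and the log contents are assumptions made for the example. The reason a CFI hit without a canary hit adds to the score is that the attacker reached a corrupted indirect branch without overwriting the return address, which is the harder attack to mount.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum detector { DET_NONE = 0, DET_STACK_CANARY = 1, DET_CFI = 2 };

/* Abnormality information read from the abnormality information storage unit (34). */
struct abn_info {
    enum detector det;          /* which detection unit fired */
    uint32_t      caller_app;   /* App process that called the OS program */
};

/* One privileged process request as seen by the request reception unit (28). */
struct req_event {
    uint32_t app;        /* requesting App process */
    uint32_t t_ms;       /* time of the request */
    int      format_ok;  /* 0 = the request failed the format check */
};

struct app_stats { uint32_t requests; uint32_t format_failures; };

/* Assumed parameters: 1 s window, at most 5 requests and 2 format failures per window. */
#define WINDOW_MS        1000u
#define MAX_REQUESTS     5u
#define MAX_FORMAT_FAILS 2u
#define FIRST_THRESHOLD  1   /* score at which security incident data is transmitted */
#define SECOND_THRESHOLD 2   /* score at which the App process is aborted */

enum action { ACT_RESTART = 1, ACT_ABORT = 2 };
struct response { enum action action; int notify_external; int fallback_mode; };

/* Constructed request log: App 22 behaves normally, App 24 hammers the OS with
 * malformed requests. Entries older than the window are included to show the cut-off. */
static const struct req_event events[] = {
    {22,   50, 1},                                          /* outside the window */
    {22, 1100, 1}, {22, 1400, 1}, {22, 1900, 1},
    {24,  100, 0},                                          /* outside the window */
    {24, 1100, 1}, {24, 1200, 0}, {24, 1300, 0}, {24, 1350, 0},
    {24, 1500, 1}, {24, 1700, 1}, {24, 1950, 1},
};

/* Statistical information acquisition unit (40): counts for one App process over
 * the last WINDOW_MS ending at now_ms. */
static struct app_stats collect_stats(uint32_t app, uint32_t now_ms)
{
    struct app_stats st = { 0, 0 };
    uint32_t start = now_ms > WINDOW_MS ? now_ms - WINDOW_MS : 0;
    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++) {
        const struct req_event *e = &events[i];
        if (e->app != app || e->t_ms <= start || e->t_ms > now_ms) continue;
        st.requests++;
        if (!e->format_ok) st.format_failures++;
    }
    return st;
}

/* Abnormality analysis unit (54), S22 to S26: score in the range 0..2. */
static int abnormality_score(const struct abn_info *ai, const struct app_stats *st)
{
    int score = 0;
    /* S22/S23: CFI fired but the canary did not, so the attack got past the canary. */
    if (ai->det == DET_CFI) score++;
    /* S24 to S26: abnormal calling pattern of the App process. */
    if (st->requests > MAX_REQUESTS || st->format_failures > MAX_FORMAT_FAILS) score++;
    return score;
}

/* Abnormality respondent unit (56), S27: choose the response from the score. */
static struct response respond(int score)
{
    struct response r = { ACT_RESTART, 0, 0 };
    if (score >= SECOND_THRESHOLD) { r.action = ACT_ABORT; r.fallback_mode = 1; }
    if (score >= FIRST_THRESHOLD)  r.notify_external = 1;
    return r;
}

/* Score for a detected abnormality attributed to App `app`, evaluated at t = 2000 ms. */
static int demo_score(enum detector det, uint32_t app)
{
    struct abn_info  ai = { det, app };
    struct app_stats st = collect_stats(app, 2000);
    return abnormality_score(&ai, &st);
}

int main(void)
{
    const struct { enum detector det; uint32_t app; } cases[] = {
        { DET_STACK_CANARY, 22 }, { DET_CFI, 22 }, { DET_STACK_CANARY, 24 }, { DET_CFI, 24 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int s = demo_score(cases[i].det, cases[i].app);
        struct response r = respond(s);
        printf("detector=%d app=%u score=%d -> %s%s, external notification %s\n",
               cases[i].det, cases[i].app, s,
               r.action == ACT_ABORT ? "abort" : "restart",
               r.fallback_mode ? " + fallback mode" : "",
               r.notify_external ? "sent" : "suppressed");
    }
    return 0;
}
```

With this log, a canary hit from the well-behaved App 22 scores “0” (restart, nothing sent), a CFI hit from App 22 or a canary hit from the misbehaving App 24 scores “1” (restart, incident data sent), and a CFI hit from App 24 scores “2” (abort, fallback mode, incident data sent). Suppressing transmission at score “0” is what keeps the volume of incident data to the external apparatus down.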
In the ECU 12 of the exemplary embodiment, the VM that detects an abnormality and the VM that executes the process responsive to the abnormality are isolated from each other (in the exemplary embodiment, the former is the VM 16 and the latter is the VM 18). This prevents the function that executes the process responsive to the abnormality from being attacked along with the detecting VM, so that the process responsive to the abnormality can be executed stably. When the guest OS 20 of the VM 16 is attacked in the ECU 12, for example, the process responsive to an abnormality in a process of the guest OS 20 can still be executed stably. In the ECU 12, it is also possible, by scoring the degree of abnormality at the time of abnormality detection, to decide according to the degree of abnormality whether the external apparatus needs to be notified, so as to, for example, suppress the frequency of or the amount of data for abnormality notifications provided to the external apparatus.
The present disclosure has been described above based on an exemplary embodiment. The exemplary embodiment is intended to be illustrative only and it will be understood by those skilled in the art that various modifications to combinations of constituting elements and processes of the exemplary embodiment are possible and that such modifications are also within the scope of the present disclosure.
The first variation will be described.
The ECU 12 of the first variation includes a secure monitor 70, an HV 14 operating on the secure monitor 70, and a secure OS 72. Further, the ECU 12 of the first variation includes a VM 16 and a VM 18 operating on the HV 14 as in the exemplary embodiment.
The secure monitor 70 and the secure OS 72 are collectively referred to as a “secure world part”. The secure world part typically executes security-related processes such as authentication. The execution environment of the HV 14, the VM 16, and the VM 18 is also called a normal world, and a process in the normal world can access a process in the secure world part only by calling an API predetermined in the secure world part. The secure world part (secure monitor 70 and secure OS 72) is an execution environment with a higher reliability than the HV 14, the VM 16, and the VM 18.
The secure monitor 70 includes a transfer unit 88. The transfer unit 88 corresponds to the transfer unit 42 of the HV 14 of the exemplary embodiment.
The HV 14 includes a request reception unit 74, an HV processing unit 76, an abnormality notification unit 78, and an abnormality information storage unit 80. The HV processing unit 76 executes various processes related to VM management. The HV processing unit 76 includes a first detection unit 82, a second detection unit 84, and a statistical information acquisition unit 86. The request reception unit 74, the abnormality notification unit 78, the abnormality information storage unit 80, the first detection unit 82, the second detection unit 84, and the statistical information acquisition unit 86 correspond to the request reception unit 28, the abnormality notification unit 32, the abnormality information storage unit 34, the first detection unit 36, the second detection unit 38, and the statistical information acquisition unit 40 provided in the guest OS 20 of the exemplary embodiment.
The secure OS 72 includes an interrupt reception unit 90 and a respondent unit 92. The interrupt reception unit 90 corresponds to the interrupt reception unit 52 provided in the VM 18 of the exemplary embodiment. The respondent unit 92 corresponds to the App process 46 provided in the VM 18 of the exemplary embodiment. The respondent unit 92 includes an abnormality analysis unit 94 and an abnormality respondent unit 96. The abnormality analysis unit 94 and the abnormality respondent unit 96 correspond to the abnormality analysis unit 54 and the abnormality respondent unit 56 provided in the App process 46 of the exemplary embodiment.
As shown in
For example, the first detection unit 82 and the second detection unit 84 of the HV 14 detect an abnormality in a process in the HV 14. When an abnormality is detected by the first detection unit 82 or the second detection unit 84, the abnormality notification unit 78 of the HV 14 notifies the secure OS 72 of information related to the abnormality via the secure monitor 70. The respondent unit 92 of the secure OS 72 executes a process responsive to the abnormality, based on the information related to the abnormality provided from the HV 14.
The operation of the ECU 12 of the first variation having the above configuration will be described. The privileged process request unit 26 of the App process 22 transmits a privileged process request generated in an application process to the guest OS 20. The guest OS 20 executes a process in the privileged mode based on the privileged process request from the App process 22, and during the execution, transmits a request for a hypervisor process (also referred to as a “hypercall”) to the HV 14. The request reception unit 74 of the HV 14 receives a hypercall, and the HV processing unit 76 starts a hypervisor process based on the hypercall.
During the hypervisor process in the HV processing unit 76, the first detection unit 82 checks for an abnormality according to a StackCanary mechanism. When the first detection unit 82 does not detect an abnormality, the second detection unit 84 checks for an abnormality according to a CFI mechanism. When the second detection unit 84 does not detect an abnormality, the HV processing unit 76 returns the result of the hypervisor process to the requesting guest OS 20, and the guest OS 20 returns the result of the process in the privileged mode to the requesting App process 22.
When the first detection unit 82 detects an abnormality or the second detection unit 84 detects an abnormality, the HV processing unit 76 executes an abort process related to the hypervisor process executed so far. The abnormality notification unit 78 stores abnormality information related to the detected abnormality in the abnormality information storage unit 80. The abnormality information here includes, in addition to information related to a process in the guest OS 20 that directly called the HV program in which the abnormality is detected, information related to the App process 22 that indirectly called the HV program. The abnormality notification unit 78 transmits notification information related to the detected abnormality to the secure OS 72 via the secure monitor 70.
The request reception unit 74 of the HV 14 provides information related to the hypercall received from the guest OS 20 to the statistical information acquisition unit 86. The statistical information acquisition unit 86 stores statistical information (for example, the number of times of requests, request frequency, error information, error frequency, etc.) related to the hypercall from the guest OS 20 in the abnormality information storage unit 80.
The abnormality analysis unit 94 of the respondent unit 92 running in the secure OS 72 receives the notification information output from the HV 14 and transferred by the secure monitor 70 and the interrupt reception unit 90. The abnormality analysis unit 94 reads the abnormality information from the abnormality information storage unit 80 of the HV 14, based on the notification information. The abnormality analysis unit 94 further reads, from the abnormality information storage unit 80 of the HV 14, the statistical information related to the process of the guest OS 20 or the App process 22 that the abnormality information indicates as having called the HV program in which the abnormality is detected.
The abnormality analysis unit 94 increments an abnormality score (+1) indicating the degree of abnormality in the HV 14, when the abnormality information indicates that the second detection unit 84 has detected an abnormality, i.e., when the first detection unit 82 has not detected an abnormality and the second detection unit 84 has detected an abnormality. When the abnormality information indicates that the first detection unit 82 has detected an abnormality, the process of incrementing the abnormality score is skipped.
The abnormality analysis unit 94 analyzes the abnormality information and statistical information and determines whether or not an abnormal operation different from normal is recorded as an operation of the guest OS 20 process or the App process 22 calling the HV program. When an abnormal operation of the guest OS 20 process or the App process 22 is recorded, the abnormality analysis unit 94 increments the abnormality score (+1). When an abnormal operation of the guest OS 20 process or the App process 22 is not recorded, the process of incrementing the abnormality score is skipped.
The abnormality respondent unit 96 executes a process responsive to the abnormality according to the abnormality score. When the abnormality score is less than the first threshold (in this case, “1”), i.e., when the abnormality score is “0”, the abnormality respondent unit 96 restarts the App process 22 of the VM 16 that indirectly called the HV program in which the abnormality is detected. In one variation, the abnormality respondent unit 96 may restart the VM 16 including the process of the guest OS 20 that directly called the HV program in which the abnormality is detected. In this case, the abnormality respondent unit 96 does not transmit security incident data to the external apparatus.
When the abnormality score is greater than or equal to the first threshold and less than the second threshold (in this case, “2”), i.e., when the abnormality score is “1”, the abnormality respondent unit 96 restarts the App process 22 of the VM 16 that indirectly called the HV program in which the abnormality is detected. In one variation, the abnormality respondent unit 96 may restart the VM 16 including the process of the guest OS 20 that directly called the HV program in which the abnormality is detected. Further, the abnormality respondent unit 96 stores the abnormality information acquired from the HV 14 in a predetermined storage area (for example, a memory area for the secure OS 72) and transmits security incident data including the abnormality information to the external apparatus.
When the abnormality score is greater than or equal to the second threshold, i.e., when the abnormality score is “2”, the abnormality respondent unit 96 aborts the App process 22 of the VM 16 that indirectly called the HV program in which the abnormality is detected, and operates the VM 16 in a fallback mode. In one variation, the abnormality respondent unit 96 may abort the VM 16 including the process of the guest OS 20 that directly called the HV program in which the abnormality is detected. Further, the abnormality respondent unit 96 stores the abnormality information acquired from the HV 14 in a predetermined storage area (for example, a memory area for the secure OS 72) and transmits security incident data including the abnormality information to the external apparatus.
When an abnormality is detected in the normal world in the ECU 12 of the first variation, the secure world unit (secure OS 72), which is isolated from the normal world, executes the process responsive to the abnormality. This makes it possible to prevent the function that executes the process responsive to the abnormality from itself being attacked, and thus to execute that process stably. When the HV 14 is attacked, for example, the process responsive to the abnormality in the HV 14 can still be executed stably in the ECU 12. By scoring the degree of abnormality at the time of detection, the ECU 12 can also decide whether notification of the external apparatus is necessary according to that degree. For example, the frequency of, or the amount of data in, abnormality notifications to the external apparatus can be reduced.
The second variation will be described. The ECU 12 of the second variation comprises a combination of the configuration of the ECU 12 of the exemplary embodiment shown in
In the ECU 12 of the second variation, the guest OS 20 of the VM 16 detects an abnormality in the guest OS 20, and the App process 46 (respondent unit) of the VM 18 deals with the abnormality in the guest OS 20. Stated otherwise, an abnormality in the OS on a given VM is dealt with by a further VM. In further accordance with the ECU 12 of the second variation, the HV 14 detects an abnormality in the HV 14, and the secure OS 72 deals with the abnormality in the HV 14.
In the second variation, the abnormality respondent unit 56 of the VM 18 transmits the abnormality information and the statistical information related to the abnormality in the guest OS 20 acquired from the abnormality information storage unit 34 of the VM 16 to the secure OS 72 (abnormality analysis unit 94) via the secure monitor 70 (transfer unit 88). The abnormality analysis unit 94 of the secure OS 72 stores abnormality information and statistical information related to the abnormality of the guest OS 20 transmitted from the abnormality respondent unit 56 of the VM 18 in a predetermined storage area (for example, a storage area for the secure OS 72).
The abnormality analysis unit 94 of the secure OS 72 derives an abnormality score related to the abnormality in the HV 14 based not only on the abnormality information and the statistical information related to the abnormality in the HV 14 acquired from the abnormality information storage unit 80 of the HV 14, but also on the abnormality information and the statistical information related to the abnormality in the guest OS 20 transmitted from the abnormality respondent unit 56 of the VM 18. For example, as described in the first variation, the abnormality analysis unit 94 may increment the abnormality score based on the abnormality information and the statistical information related to the abnormality in the HV 14, and also, as described in the exemplary embodiment, increment the abnormality score based on the abnormality information and the statistical information related to the abnormality in the guest OS 20. As the abnormality score increases, the abnormality respondent unit 96 may execute a process responsive to the abnormality that further enhances the safety of the ECU 12.
The ECU 12 of the second variation provides both the benefit provided by the ECU 12 of the exemplary embodiment and the benefit provided by the ECU 12 of the first variation. In further accordance with the second variation, it is possible to realize an ECU 12 capable of dealing with both an attack against the guest OS 20 of the VM 16 (abnormality in the guest OS 20) and an attack against the HV 14 (abnormality in the HV 14).
A third variation will be described. In the exemplary embodiment described above, the abnormality notification unit 32 of the VM 16 transmits notification information indicating the storage position of the abnormality information to the VM 18, and the abnormality analysis unit 54 of the VM 18 reads the abnormality information from the VM 16 based on the storage position indicated by the notification information. In one variation, the abnormality notification unit 32 of the VM 16 may transmit the abnormality information itself to the VM 18 instead of the notification information. In a combination with the first variation, the abnormality notification unit 78 of the HV 14 may transmit the abnormality information itself to the secure OS 72 instead of the notification information.
A fourth variation will be described. The abnormality information may include data (for example, an executable file) for the OS program of the guest OS 20 in which the abnormality is detected. Further, the VM 18 (abnormality analysis unit 54) may store a pre-generated hash value of the regular OS program of the guest OS 20. The abnormality analysis unit 54 of the VM 18 may generate a hash value of the data for the OS program data included in the abnormality information and compare the generated hash value with the hash value of the regular OS program stored in advance. The abnormality respondent unit 56 of the VM 18 may transmit security incident data including a result of checking the hash values (data indicating a match or mismatch) to the external apparatus. This makes it possible to detect an incidence of the OS program of the guest OS 20 being rewritten by an attack and notify the external apparatus of the incident. In a combination with the first variation, the abnormality analysis unit 94 and the abnormality respondent unit 96 of the secure OS 72 may execute these processes.
A fifth variation will be described. The abnormality respondent unit 56 may append an electronic signature defined by secret information associated with the App process 46 (respondent unit) to the security incident data transmitted to the external apparatus. This makes it possible to prevent spoofing by a third party and falsification of security incident data. The secret information associated with the App process 46 (respondent unit) may be a secret key assigned in advance to the App process 46, the abnormality analysis unit 54, or the abnormality respondent unit 56.
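The hash check of the fourth variation and the signed incident data of the fifth variation, written out as an added example (this is illustrative code, not code from the patent or any product it describes). It assumes a SHA-256 digest of the regular OS program stored by the analysis unit in advance, canonical JSON serialization of the incident data, and, because only the standard library is used, an HMAC-SHA256 tag under a pre-shared key as a stand-in for the electronic signature; the key, image bytes and abnormality information are constructed sample values.

```python
"""Added example (not from the patent text): guest OS program hash check
(fourth variation) and signed security incident data (fifth variation).

Assumptions, none of which are in the original: the known-good hash is a
SHA-256 digest stored at deployment time; incident data is serialized as
canonical JSON; the "electronic signature" is approximated by an HMAC-SHA256
tag under a pre-shared key held by the respondent unit and the external
apparatus. A real deployment would use an asymmetric signature so that the
external apparatus never holds the signing secret.
"""
import hashlib
import hmac
import json

# Constructed sample data: a stand-in for the regular (known-good) OS program
# image and a pre-shared key for the respondent unit. Not real artifacts.
REGULAR_OS_IMAGE = b"\x7fELF-guest-os-stand-in-image-v1"
KNOWN_GOOD_HASH = hashlib.sha256(REGULAR_OS_IMAGE).hexdigest()
RESPONDENT_SECRET_KEY = b"constructed-pre-shared-key-for-app-process-46"


def check_os_program(image: bytes, expected_hex: str = KNOWN_GOOD_HASH) -> bool:
    """Fourth variation: hash the OS program data carried in the abnormality
    information and compare it with the pre-generated hash of the regular
    OS program. True means match; False means the image was rewritten."""
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def build_incident_data(abnormality_info: dict, image: bytes) -> dict:
    """Assemble security incident data that includes the hash check result."""
    return {
        "source": "guest OS 20 / VM 16",
        "abnormality": abnormality_info,
        "os_program_hash": hashlib.sha256(image).hexdigest(),
        "os_program_match": check_os_program(image),
    }


def _canonical(data: dict) -> bytes:
    # Stable serialization so sender and receiver tag identical bytes.
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def sign_incident_data(data: dict, key: bytes = RESPONDENT_SECRET_KEY) -> dict:
    """Fifth variation: append a tag derived from secret information associated
    with the respondent unit, so the external apparatus can reject spoofed or
    altered reports (HMAC stand-in for the electronic signature)."""
    tag = hmac.new(key, _canonical(data), hashlib.sha256).hexdigest()
    return {"payload": data, "tag": tag}


def verify_incident_data(message: dict, key: bytes = RESPONDENT_SECRET_KEY) -> bool:
    """External apparatus side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, _canonical(message["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["tag"])


if __name__ == "__main__":
    info = {"type": "control-flow-violation", "detail": "constructed sample"}
    tampered = REGULAR_OS_IMAGE + b"\x90\x90"  # constructed rewritten image
    msg = sign_incident_data(build_incident_data(info, tampered))
    print("match:", msg["payload"]["os_program_match"],
          "verified:", verify_incident_data(msg))
    msg["payload"]["os_program_match"] = True  # report altered in transit
    print("after alteration verified:", verify_incident_data(msg))
```

The receiver-side check is the point of the fifth variation: a report whose hash-check result was flipped in transit, or one produced without the respondent unit's secret, fails verification and can be discarded by the external apparatus.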
A sixth variation will be described. The abnormality respondent unit 56 may abort the VM 16 in cooperation with the HV 14, i.e., may abort the App process 22, the App process 24, and the guest OS 20 in response to the abnormality in the guest OS 20 of the VM 16. The abnormality respondent unit 56 may abort the VM 16 when the abnormality score is high, i.e., when the abnormality is serious. For example, when the abnormality score is less than the first threshold value, the abnormality respondent unit 56 may restart the App process 22 and not report. When the abnormality score is greater than or equal to the first threshold value and less than the second threshold value, the abnormality respondent unit 56 may abort the App process 22 and report. When the abnormality score is greater than or equal to the second threshold value, the abnormality respondent unit 56 may abort the VM 16 and report. Further, when it is detected that the OS program of the guest OS 20 has been rewritten, by finding a mismatch of the hash values as described in the fourth variation, the abnormality respondent unit 56 may determine that the abnormality is serious and abort the VM 16 regardless of the abnormality score.
In a combination with the first variation, the abnormality respondent unit 96 may abort the HV 14 in response to the abnormality in the HV 14. For example, the abnormality respondent unit 96 may restart the App process 22 when the abnormality score is low, abort the App process 22 when the abnormality score is medium, abort the VM 16 when the abnormality score is high, and abort the HV 14 when the abnormality score is extremely high.
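The score-tiered responses described for the first variation (secure OS 72 responding to an abnormality in the HV 14, with thresholds 1 and 2) and for the sixth variation (graded restart/abort of the App process, VM and HV, with the hash-mismatch override of the fourth variation), as one table-driven policy. This is an added example and not code from the patent; the threshold values for the low/medium/high/extremely high tiers of the sixth variation, the action names, and the treatment of actions as returned data rather than executed commands are assumptions, and the abnormality score is taken as already derived by the analysis unit.

```python
"""Added example (not from the patent text): a table-driven abnormality
response policy covering the first variation's score tiers and the sixth
variation's graded abort tiers with the OS-program hash-mismatch override.

Assumptions (not in the original): tier thresholds other than the first
variation's 1 and 2 are placeholders; the score comes from the analysis unit
(its derivation is not modelled); actions are returned as data so the policy
can be tested apart from the HV / secure monitor plumbing.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    RESTART_APP = "restart App process 22"
    ABORT_APP = "abort App process 22, run VM 16 in fallback mode"
    ABORT_VM = "abort VM 16 (App 22, App 24, guest OS 20)"
    ABORT_HV = "abort HV 14"


# Ordering used when an override must escalate "at least" to a given action.
SEVERITY = [Action.RESTART_APP, Action.ABORT_APP, Action.ABORT_VM, Action.ABORT_HV]


@dataclass(frozen=True)
class Tier:
    min_score: int      # inclusive lower bound of the tier
    action: Action
    report: bool        # transmit security incident data to the external apparatus?
    store: bool = True  # keep abnormality info in the responder's storage area


@dataclass(frozen=True)
class Decision:
    action: Action
    report: bool
    store: bool
    reason: str


# First variation: secure OS 72 responding to an HV 14 abnormality, using the
# thresholds the text gives (first threshold 1, second threshold 2).
HV_ABNORMALITY_TIERS = [
    Tier(0, Action.RESTART_APP, report=False, store=False),
    Tier(1, Action.RESTART_APP, report=True),
    Tier(2, Action.ABORT_APP, report=True),
]

# Sixth variation combined with the first: low / medium / high / extremely
# high. The numeric thresholds 1, 2, 3 are placeholders chosen for this example.
GUEST_OS_TIERS = [
    Tier(0, Action.RESTART_APP, report=False, store=False),
    Tier(1, Action.ABORT_APP, report=True),
    Tier(2, Action.ABORT_VM, report=True),
    Tier(3, Action.ABORT_HV, report=True),
]


def decide(score: int, tiers: list[Tier], os_program_rewritten: bool = False) -> Decision:
    """Pick the highest tier whose min_score <= score. A hash mismatch on the
    guest OS program (fourth variation) is serious regardless of score and
    escalates to at least ABORT_VM, with storage and reporting forced on."""
    ordered = sorted(tiers, key=lambda t: t.min_score)
    chosen = ordered[0]
    for tier in ordered:
        if score >= tier.min_score:
            chosen = tier
    action, report, store = chosen.action, chosen.report, chosen.store
    reason = f"score {score} in tier >= {chosen.min_score}"
    if os_program_rewritten:
        if SEVERITY.index(action) < SEVERITY.index(Action.ABORT_VM):
            action = Action.ABORT_VM
        report = store = True
        reason = "OS program hash mismatch overrides score"
    return Decision(action, report, store, reason)


if __name__ == "__main__":
    for s in range(4):
        print("HV tiers   , score", s, "->", decide(s, HV_ABNORMALITY_TIERS))
        print("guest tiers, score", s, "->", decide(s, GUEST_OS_TIERS))
    print("hash mismatch at score 0 ->", decide(0, GUEST_OS_TIERS, os_program_rewritten=True))
```

Keeping the tiers as data makes the escalation rules reviewable on their own: the first variation's table shows that a score of 1 still only restarts the App process but starts reporting, while the sixth variation's table moves straight from restart to abort, and the override guarantees a rewritten OS image is never handled by a mere restart.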
Any combination of the exemplary embodiment and the variations described above will also be useful as an embodiment of the present disclosure. New embodiments created by such a combination provide the advantages of the exemplary embodiment and the variations combined. It will also be understood by skilled persons that the functions that the constituting elements recited in the claims should achieve are implemented either alone or in combination by the constituting elements shown in the exemplary embodiment and the variations.
The technologies according to the embodiment and variations may be defined by the following items.
While various embodiments have been described herein above, it is to be appreciated that various changes in form and detail may be made without departing from the spirit and scope of the invention(s) presently or hereafter claimed.
This application is based upon and claims the benefit of priority from the prior Japanese Patent Application No. 2021-029959, filed on Feb. 26, 2021, the entire contents of which are incorporated herein by reference.
Number | Date | Country | Kind |
---|---|---|---|
2021-029959 | Feb 2021 | JP | national |
Relation | Number | Date | Country |
---|---|---|---|
Parent | PCT/JP2021/047509 | Dec 2021 | US |
Child | 18236819 | | US |