This application is based upon and claims the benefit of priority from the prior Japanese Patent Application No. 2024-2629, filed on Jan. 11, 2024, the entire contents of which are incorporated herein by reference.
An embodiment described here generally relates to an information processing apparatus and a monitoring method for an information processing apparatus.
Antimalware software to monitor program falsification includes a monitoring program using a white list. The white list is a list in which a pair of file path and hash value is stored for each program. When the monitoring program detects execution of a program, the monitoring: program determines integrity of the program by using the white list.
However, some programs are activated earlier than the monitoring program. Therefore, with the monitoring program using the white list, it is difficult to monitor falsification in a program activated earlier than the monitoring program in some cases.
In accordance with an embodiment, a determination processor and an output processor are provided. The determination processor executes a determination operation of determining integrity of a program. The output processor outputs an alarm regarding the program that has failed the determination operation. In addition, the determination processor includes a first processor and a second processor. The first determination processor determines, in accordance with activation of the determination processor, integrity of a first program that is executed before activation of the determination processor. The second determination processor determines, in accordance with execution of a second program that is executed after activation of the determination processor, integrity of the second program.
Hereinafter, the information processing apparatus according to the embodiment will be described with reference to the drawings. In the drawings, the same reference signs denote the same or similar parts.
The information processing apparatus according to the embodiment is a computer that has security requirements for integrity of a program and a peripheral equipment thereof. Specifically, for example, the information processing apparatus according to the embodiment is a multifunction peripheral (MFP). Moreover, for example, the information processing apparatus according to the embodiment may be office equipment such as a point of sale (POS) terminal.
First of all, a configuration of the information processing apparatus according to the embodiment will be described.
The control circuit 11 is a circuit that comprehensively controls components of the information processing apparatus 1. The control circuit 11 includes a processor, a memory, etc. The processor is, for example, a central processing unit (CPU). The memory includes, for example, a random access memory (RAM), a read only memory (ROM), etc. The CPU of the control circuit 11 controls the entire information processing apparatus 1 in accordance with a program stored in the ROM of the control circuit 11. The RAM of the control circuit 11 has a working area for the CPU of the control circuit 11. The ROM of the control circuit 11 stores a program (monitoring program) and the like used by the information processing apparatus 1 for monitoring processing. The monitoring processing is processing of monitoring whether or not there is falsification in a program to be monitored. The monitoring processing includes first determination processing and second determination processing. The monitoring processing will be described later in detail.
The storage 12 includes, for example, a hard disk drive (HDD) or a solid state drive (SSD). The storage 12 stores information used for monitoring processing in the information processing apparatus 1.
The communication module 13 is a circuit used for data transmission/reception between the information processing apparatus 1 and a network (not shown).
The user interface 14 is an apparatus for communication between the information processing apparatus 1 and a user. The user interface 14 includes an input apparatus and an output apparatus. The input apparatus includes, for example, a touch panel, an operation button, etc. The output apparatus includes, for example, a printer, a loudspeaker, a display, etc. In a case where the information processing apparatus 1 is an MFP, the output apparatus may be, for example, an operation panel forming a part of the printer.
The drive 15 is an apparatus for reading software stored in the storage medium 16. The drive 15 includes, for example, a compact disk (CD) drive or a digital versatile disk (DVD) drive.
The storage medium 16 is a medium for storing the software by an electrical, magnetic, optical, mechanical, or chemical action. The storage medium 16 may store the monitoring program.
As shown in
Accordingly, the information processing apparatus 1 functions as a computer including a management processor 21, a determination processor 22, and an output processor 23. Moreover, the information processing apparatus 1 stores a first list 24 and a second list 25 in the storage 12.
The management processor 21 is a functional block that manages execution of various programs. The management processor 21 activates a startup program and the monitoring program in accordance with activation (powering-on) of the information processing apparatus 1. The startup program includes an already executed program and a currently executed program with respect to the time of activating the monitoring program. Moreover, the management processor 21 executes a dedicated program after activation of the information processing apparatus 1. In a case where the information processing apparatus 1 is an MFP, the dedicated program is, for example, a program for the information processing apparatus 1 to function as the MFP. The dedicated program is a program scheduled to be executed with respect to the time of activating the monitoring program. The number of dedicated programs can be significantly larger than the number of startup programs.
The management processor 21 notifies the determination processor 22 of the start of executing a program to be monitored. When the management processor 21 receives a notice indicating that there is a possibility of falsification in a currently executed program of programs to be monitored from the determination processor 22, the management processor 21 stops the program. When the management processor 21 receives the notice indicating that there is a possibility of falsification in a program scheduled to be executed of the programs to be monitored, the management processor 21 rejects execution of the program from the determination processor 22.
The determination processor 22 is a functional block that executes the monitoring processing. The determination processor 22 determines integrity of the program to be monitored in the monitoring processing. Specifically, the determination processor 22 includes a first determination processor 31 and a second determination processor 32.
The first determination processor 31 is a functional block that executes first determination processing on the basis of the first list 24. The first determination processing is processing of determining integrity of a startup program of the programs to be monitored.
As shown in
In the example in
In a case where it is determined that there is a possibility of falsification in the startup program to be monitored, the first determination processor 31 sends to the output processor 23 a notice indicating that there is a possibility of falsification. Moreover, in a case where it is determined that there is a possibility of falsification in a currently executed program of the startup programs to be monitored, the first determination processor 31 further sends to the management processor 21 the notice indicating that there is a possibility of falsification.
The second determination processor 32 is a functional block that executes the second determination processing on the basis of the second list 25. The second determination processing is processing of determining whether or not there is a possibility of falsification in a dedicated program of the programs to be monitored.
As shown in
In the example in
In a case where it is determined that there is a possibility of falsification in the dedicated programs to be monitored, the second determination processor 32 sends to the output processor 23 and the management processor 21 the notice indicating that there is a possibility of falsification.
When the output processor 23 receives the notice indicating that there is a possibility of falsification in the program to be monitored (i.e., a notice indicating that it has failed the determination processing) from the determination processor 22, the output processor 23 outputs an alarm including information indicating that there is a possibility of falsification to the user via the user interface 14. In a case where the information processing apparatus 1 is an MFP, the output processor 23 displays, for example, an alarm on the operation panel of the printer. The output processor 23 may output an alarm sound in connection with the display of the alarm.
Next, an operation of the information processing apparatus according to the embodiment will be described.
When the information processing apparatus 1 is powered on (start), the management processor 21 executes the startup program to start the information processing apparatus 1. Moreover, the management processor 21 further activates the monitoring program (ACT 1). After activation of the monitoring program, the startup program can include both the already executed program and the currently executed program.
After the processing in ACT 1, the first determination processor 31 executes the first determination processing (ACT 2). The first determination processor 31 executes the first determination processing in ACT 2 in a predetermined time. The predetermined time is an upper limit value of the time required for activating the information processing apparatus 1 and is, for example, a value defined as a specification of the information processing apparatus 1. That is, the first determination processor 31 executes the first determination processing while meeting a restriction regarding the activation time of the information processing apparatus 1.
After the processing in ACT 2, the second determination processor 32 executes the second determination processing along with the start of executing the dedicated program (ACT 3). The second determination processor 32 executes the second determination processing after the startup of the information processing apparatus 1 is completed.
When the second determination processing in ACT 3 ends, the monitoring processing ends (end).
When the monitoring program is activated (start), the first determination processor 31 refers to the first list 24 (ACT 11).
The first determination processor 31 selects an entry from the first list 24 (ACT 12).
The first determination processor 31 determines whether or not a program corresponding to an entry is present on a file path (specified path) specified by the entry (selected entry) selected in the processing in ACT 12 (ACT 13).
In a case where the program corresponding to the selected entry is present on the specified path (Yes in ACT 13), the first determination processor 31 calculates a hash value of the program corresponding to the selected entry (ACT 14).
The first determination processor 31 determines whether or not the hash value calculated in the processing in ACT 14 is identical to the hash value stored in the selected entry (ACT 15).
In a case where the hash value calculated in the processing in ACT 14 is not identical to the hash value stored in the selected entry (No in ACT 15), the first determination processor 31 determines whether or not the program corresponding to the selected entry is under execution (ACT 16).
In a case where the program corresponding to the selected entry is under execution (Yes in ACT 16), the first determination processor 31 notifies the management processor 21 of the fact that there is a possibility of falsification in the program corresponding to the selected entry.
When the management processor 21 receives the notice indicating that there is a possibility of falsification, the management processor 21 stops the execution of the program corresponding to the selected entry (ACT 17).
In a case where no program corresponding to the selected entry is present on the specified path (No in ACT 13), in a case where the program corresponding to the selected entry is not under execution (No in ACT 16) or after the processing in ACT 17, the first determination processor 31 further notifies the output processor 23 of the fact that there is a possibility of falsification in the program corresponding to the selected entry.
When the output processor 23 receives the notice indicating that there is a possibility of falsification, the output processor 23 outputs an alarm regarding the program corresponding to the selected entry to the user (ACT 18). More specifically, in a case where no program corresponding to the selected entry is present on the specified path (No in ACT 13), the output processor 23 displays an alarm screen indicating that no startup program is present on the display or the operation panel. In a case where the program corresponding to the selected entry is not under execution (No in ACT 16) or after the processing in ACT 17 (i.e., in a case of no in ACT 15), the output processor 23 outputs an alarm indicating that there is a possibility of falsification in the program corresponding to the selected entry to the user.
In a case where the hash value calculated in the processing in ACT 14 is identical to the hash value stored in the selected entry (Yes in ACT 15) or after the processing in ACT 18, the first determination processor 31 determines whether or not all entries in the first list 24 have been selected (ACT 19).
In a case where an entry has not been selected in the first list 24 (No in ACT 19), the first determination processor 31 selects the not-selected entry from the first list 24 (ACT 12). Then, the first determination processor 31, the management processor 21, and the output processor 23 execute the subsequent processing in ACT 13 to ACT 19. In this manner, the first determination processor 31, the management processor 21, and the output processor 23 repeat the processing in ACT 12 to ACT 19 until all entries in the first list 24 are selected.
In a case where all entries in the first list 24 are selected (Yes in ACT 19), the first determination processing ends (end).
When the first determination processing ends (start), the second determination processor 32 waits for the management processor 21 to detect the start of executing the dedicated program (ACT 21).
When the management processor 21 detects the start of executing the dedicated program, the management processor 21 notifies the second determination processor 32 of the dedicated program scheduled to start to be executed as a program to be monitored.
When the second determination processor 32 receives the notice about the program to be monitored, the second determination processor 32 refers to the second list 25 (ACT 22).
The second determination processor 32 selects, from the second list 25, an entry (entry to be monitored) corresponding to the program to be monitored about which the second determination processor 32 has received the notice (ACT 23).
The second determination processor 32 determines whether or not the program to be monitored is present on the file path (specified path) specified by the entry to be monitored (ACT 24).
In a case where the program to be monitored is present on the specified path (Yes in ACT 24), the second determination processor 32 calculates a hash value of the program to be monitored (ACT 25).
The second determination processor 32 determines whether or not the hash value calculated in the processing in ACT 25 is identical to the hash value stored in the entry to be monitored (ACT 26).
In a case where the program to be monitored is not present on the specified path (No in ACT 24) or in a case where the hash value calculated in the processing in ACT 26 is not identical to the hash value stored in the entry to be monitored (No in ACT 26), the second determination processor 32 notifies the management processor 21 of the fact that there is a possibility of falsification in the program to be monitored.
When the management processor 21 receives the notice indicating that there is a possibility of falsification, the management processor 21 rejects execution of the program to be monitored (ACT 27).
After the processing in ACT 27, the second determination processor 32 further notifies the output processor 23 of the fact that there is a possibility of falsification in the program to be monitored.
When the output processor 23 receives the notice indicating that there is a possibility of falsification, the output processor 23 outputs an alarm regarding the program to be monitored to the user (ACT 28). More specifically, in a case where the program to be monitored is not present on the specified path (No in ACT 24), the output processor 23 displays an alarm screen indicating that no dedicated program is present on the display or the operation panel. In a case where the hash value calculated in the processing in ACT 26 is not identical to the hash value stored in the entry to be monitored (No in ACT 26), the output processor 23 outputs an alarm indicating that there is a possibility of falsification in the program to be monitored to the user.
In a case where the hash value calculated in the processing in ACT 26 is identical to the hash value stored in the entry to be monitored (Yes in ACT 26) or after the processing in ACT 28, the second determination processor 32 determines whether or not to terminate the monitoring by the second determination processing (ACT 29).
In a case where the monitoring by the second determination processing should be continued (No in ACT 29), the second determination processor 32 waits for the management processor 21 to detect the start of executing the dedicated program (ACT 21). Then, the second determination processor 32, the management processor 21, and the output processor 23 execute the subsequent processing in ACT 22 to ACT 29. In this manner, the second determination processor 32, the management processor 21, and the output processor 23 repeat the processing in ACT 21 to ACT 29 until the monitoring by the second determination processing ends.
In a case where the monitoring by the second determination processing should be terminated (Yes in ACT 29), the second determination processing ends (end).
According to the embodiment, the first determination processor 31 executes the first determination processing of determining integrity of the startup program executed before activation of the monitoring program, referring to the first list 24 in accordance with the activation of the monitoring program. Accordingly, it is possible to monitor whether or not there is falsification in all programs that can be executed before activation of the monitoring program. It should be noted that the first determination processor 31 executes the first determination processing in a restriction that is the activation time of the information processing apparatus 1. Therefore, it is possible to make a rapid determination of the integrity of the startup program while meeting requirements for the activation time of the information processing apparatus 1.
Moreover, the second determination processor 32 executes the second determination processing of determining the integrity of the dedicated program every time in accordance with execution of the dedicated program executed after activation of the monitoring program, referring to the second list 25. Accordingly, as for the program executed after activation of the monitoring program, it is possible to monitor whether or not there is falsification for each program at a timing at which the execution should be performed. Therefore, it is no longer necessary to determine all programs in the second list 25 at once, and it is possible to distribute the load of the determination processing.
Various variants can be applied to the above-mentioned embodiment.
In the above-mentioned embodiment, the case where the determination processor 22 executes each of the first determination processing and the second determination processing on the basis of the first list 24 and the second list 25 different from each other has been described, though not limited thereto. For example, the determination processor 22 may execute the first determination processing and the second determination processing on the basis of the same list.
Hereinafter, configurations and operations different from those of the embodiment will be mainly described. Descriptions of configurations and operations equivalent to those of the embodiment will be omitted as appropriate.
The first determination processor 33 is a functional block that executes the first determination processing on the basis of the third list 26. In a case where it is determined that there is a possibility of falsification in the startup program to be monitored, the first determination processor 33 sends to the output processor 23 a notice indicating that there is a possibility of falsification. Moreover, in a case where it is determined that there is a possibility of falsification in the currently executed program of the startup programs to be monitored, the first determination processor 33 further sends to the management processor 21 the notice indicating that there is a possibility of falsification.
The second determination processor 34 is a functional block that executes the second determination processing on the basis of the third list 26. In a case where it is determined that there is a possibility of falsification in the dedicated programs to be monitored, the second determination processor 32 sends to the output processor 23 and the management processor 21 the notice indicating that is there a possibility of falsification.
As shown in
In the example in
When the monitoring program is activated (start), the first determination processor 33 refers to the third list 26 (ACT 31).
The first determination processor 33 selects an entry specifying the predetermined file path from the third list 26 (ACT 32). The predetermined file path is “/bin/X” in the example in
The first determination processor 33 calculates a hash value of a program corresponding to the entry (selected entry) selected in the processing in ACT 32 (ACT 33).
The first determination processor 33 determines whether or not the hash value calculated in the processing in ACT 33 is identical to the hash value stored in the selected entry (ACT 34).
In a case where the hash value calculated in the processing in ACT 33 is not identical to the hash value stored in the selected entry (No in ACT 34), the first determination processor 33 determines whether or not the program corresponding to the selected entry is under execution (ACT 35).
In a case where the program corresponding to the selected entry is under execution (Yes in ACT 35), the first determination processor 33 notifies the management processor 21 of the fact that there is a possibility of falsification in the program corresponding to the selected entry.
When the management processor 21 receives the notice indicating that there is a possibility of falsification, the management processor 21 stops the execution of the program corresponding to the selected entry (ACT 36).
In a case where the program corresponding to the selected entry is not under execution (No in ACT 35) or after the processing in ACT 36, the first determination processor 33 further notifies the output processor 23 of the fact that there is a possibility of falsification in the program corresponding to the selected entry.
When the output processor 23 receives the notice indicating that there is a possibility of falsification, the output processor 23 outputs an alarm regarding the program corresponding to the selected entry to the user (ACT 37). More specifically, in a case where the program corresponding to the selected entry is not under execution (No in ACT 35) or after the processing in ACT 36 (i.e., in a case of no in ACT 34), the output processor 23 outputs an alarm indicating that there is a possibility of falsification in the program corresponding to the selected entry to the user.
In a case where the hash value calculated in the processing in ACT 33 is identical to the hash value stored in the selected entry (Yes in ACT 34) or after the processing in ACT 37, the first determination processor 33 determines whether or not all entries corresponding to the predetermined file path in the third list 26 have been selected (ACT 38).
In a case where there is an entry corresponding to the predetermined file path in the third list 26, which has not been selected (No in ACT 38), the first determination processor 33 selects the not-selected entry from the third list 26 (ACT 32). Then, the first determination processor 33, the management processor 21, and the output processor 23 execute the subsequent processing in ACT 33 to ACT 38. In this manner, the first determination processor 33, the management processor 21, and the output processor 23 repeat the processing in ACT 32 to ACT 39 until all entries corresponding to the predetermined file path in the third list 26 are selected.
In a case where all entries corresponding to the predetermined file path in the third list 26 have been selected (Yes in ACT 38), the first determination processing ends (end).
According to the modified example, the first determination processor 33 executes the first determination processing on all programs in the predetermined path, referring to the predetermined path in the third 26. The second determination processor 34 executes the second determination processing of determining the integrity of the dedicated program every time in accordance with execution of the dedicated program executed after activation of the monitoring program, referring to the third list 26. Accordingly, it is possible to execute processing equivalent to that of the embodiment without having two or more types of lists storing the pairs of the file path and the hash value. Therefore, it is no longer necessary to manage a plurality of types of data structures for the security and it is possible to reduce the security management cost.
While certain embodiments have been described, these embodiments have been presented by way of example only, and are not intended to limit the scope of the inventions. Indeed, the novel embodiments described herein may be embodied in a variety of other forms; furthermore, various omissions, substitutions and changes in the form of the embodiments described herein may be made without departing from the spirit of the inventions. The accompanying claims and their equivalents are intended to cover such forms or modifications as would fall within the scope and spirit of the inventions.
Number | Date | Country | Kind |
---|---|---|---|
2024-002629 | Jan 2024 | JP | national |