JP2006172003A - Program execution monitoring apparatus, program execution monitoring method, and program creation method - Google Patents

Abstract

A program execution monitoring apparatus that can be applied to a program that dynamically generates an instruction sequence of a processor, detects a buffer overflow, and monitors the operation of the program.
A program execution monitoring apparatus 100 sets a data input path from the outside of a program and a memory area to be monitored before executing the program, and externally during execution of the program. Storage means 101b for storing the processing result using the value input through the data input path in the memory area, and detecting means 101c for detecting the execution transition when the execution transition occurs in the memory area.
[Selection] Figure 1

Description

  The present invention relates to a program execution monitoring apparatus, a program execution monitoring method, and a program creation method.

  If there is a deficiency in the program to be executed on the computer, a malicious user can take this deficiency, take over the execution of the software, and cause the computer to perform any operation. A typical example of an act of causing a computer to perform arbitrary operations in this way is a buffer overflow attack (see, for example, Non-Patent Document 1). Has been proposed.

  As a technique for preventing the buffer overflow, for example, whether or not the transition destination memory address of the execution transition instruction included in the program is the start memory address of the function in the source code of the program, the return destination of the return instruction A method for preventing the execution of a program from being taken by checking whether the memory address is the memory address after the call instruction is disclosed (for example, see Patent Document 1).

  In addition, buffer overflow is established by including an instruction sequence in data input by an attacker from the outside and executing execution transition to the data sequence. However, focusing on this point, a method for preventing buffer overflow is also disclosed. (See, for example, Non-Patent Document 2).

Specifically, in the method disclosed in Non-Patent Document 2, a processor that executes a program is modified, and a mark is added to a memory area into which data flows from a network or an external file in advance. The mark is propagated repeatedly by marking the memory address that is copied from the marked memory area and the memory address that stores the operation result using the marked memory area. This is a method of detecting a buffer overflow when trying to execute malicious code when an execution transition is made to a memory area to which a mark is added.
US Patent application No.20040133777 Smashing The Stack For Fun And Profit, www. phrack. org, Phrack Vol. 49 Secure Program Execution via Dynamic Information Flow Tracking, G. Edward Suh, Jae W. Lee, and S. Devadas MIT, ACM Architectural Support for Programming Languages and Operating Systems (asplos) 20044.

  However, the methods disclosed in Patent Document 1 and Non-Patent Document 2 have a problem that they cannot be applied to software that dynamically generates an execution code. A script that is executed after the contents described in a virtual machine such as Java (registered trademark) or a human-readable format such as Perl / Python are directly converted into an instruction sequence executable by the processor. In the case of a language execution system, an instruction sequence is generated from data flowing in from the outside, stored in the data area, and execution transitions to the data area. For this reason, in the method of Patent Document 1, it is assumed that the execution transition is to a function that is not defined in advance, and even though non-Patent Document 1 is a normal operation, execution to data derived from data that flows from outside Since it is erroneously detected as a transition, it cannot be applied.

  Therefore, in view of the above problems, the present invention can be applied to a program that dynamically generates a processor instruction sequence, detects a buffer overflow, and monitors the operation of the program. An object is to provide an execution monitoring method and a program creation method.

  In order to achieve the above object, a first feature of the present invention is a program execution monitoring apparatus for monitoring execution of a program, wherein (a) a data input path from the outside of the program and monitoring are executed before the program is executed. A setting means for setting a target memory area; (b) a storage means for storing a processing result using a value input through an external data input path during execution of the program in the memory area; c) The gist of the present invention is that it is a program execution monitoring device comprising detection means for detecting an execution transition when an execution transition occurs in the memory area.

  The program execution monitoring apparatus according to the first feature is applicable to a program that dynamically generates a processor instruction sequence, and can detect a buffer overflow and monitor the operation of the program.

  The detecting means of the program execution monitoring apparatus according to the first feature may detect an execution transition when the size of the memory area is larger than a predetermined size.

  According to this program execution monitoring device, in order for the instruction sequence sent by the attacker to operate the computer as the attacker intended, a command sequence of a corresponding length is required. If the size of the memory area where the acquired value is stored and the execution has been transitioned is smaller than a predetermined size, it is possible to reduce the false detection rate by determining erroneous detection.

  Further, the program execution monitoring apparatus according to the first feature is a contamination indicating whether or not the value stored at each address in the memory area is a value derived from data input from an input path from outside the program. A program information holding unit that holds information may be further provided, and the detection unit may update the contamination information in accordance with execution of the program.

  According to this program execution monitoring apparatus, the memory area to be monitored can be updated, and contamination information can be propagated.

  A second feature of the present invention is a program execution monitoring method for monitoring execution of a program. (A) Before executing a program, a data input path from the outside of the program and a memory area to be monitored are A setting step; and (b) a step of storing a processing result using a value acquired via an external data input path in a memory area during execution of the program; and (c) an execution transition to the memory area. The gist of the present invention is a program execution monitoring method including a step of detecting the execution transition.

  The program execution monitoring method according to the second feature can be applied to a program that dynamically generates an instruction sequence of a processor, and can detect a buffer overflow and monitor the operation of the program.

  The third feature of the present invention is that, during execution of a program, a processing result using a value obtained through a data input path from the outside of the program is stored in a memory area to be monitored, and execution transition to the memory area is performed. Is a program creation method for creating a program to be executed in the program execution monitoring device that detects the execution transition, the data input path from the outside of the program, and the method for updating the memory area to be monitored; Is a program creation method including a step of previously describing in a program file.

  According to the program creation method according to the third feature, since the data input path from the outside of the program and the updating method of the monitoring target memory area can be stored in the program file simultaneously with the instruction sequence, the program can be easily started. can do.

  In the program creation method according to the third feature, a method for updating a memory area to be monitored may be described using a system call provided by the operating system.

  According to this program creation method, the execution of a program can be monitored using a system call.

  According to the present invention, a program execution monitoring apparatus, a program execution monitoring method, and a program creation method that can be applied to a program that dynamically generates an instruction sequence of a processor, detects a buffer overflow, and monitors the operation of the program. Can be provided.

  Next, embodiments of the present invention will be described with reference to the drawings. In the following description of the drawings, the same or similar parts are denoted by the same or similar reference numerals. However, it should be noted that the drawings are schematic.

(Program execution monitoring device)
As shown in FIG. 1, the program execution monitoring apparatus 100 according to the present embodiment includes a processor 101 that executes an instruction sequence, a memory 102 that stores a program to be executed, and a program information holding that stores information on the program being executed. Unit 103.

  The processor 101 includes a setting unit 101a for setting a data input path from the outside of the program and a memory 102 area to be monitored before the execution of the program, and a data input path from the outside during the execution of the program. A storage unit 101b for storing the processing result using the input value in the memory 102 area and a detection unit 101c for detecting the execution transition when the execution transition occurs in the memory 102 area are provided.

  The detection unit 101c may detect an execution transition when the size of the memory area is larger than a predetermined size. Furthermore, the detection unit 101c updates contamination information, protection information, and exception information, which will be described later, according to the execution of the program.

  When the memory 102 is given an address to be stored and a read instruction from the processor 101, the memory 102 outputs the value stored at the address and returns it to the processor 101. Further, the memory 102 stores a value at the storage address when given an address to be stored, a write instruction, and a value from the processor 101. The memory 102 may be configured by a general storage device such as a DRAM.

  In the present embodiment, a 32-bit address is used and one byte can be stored per address. However, the gist of the present invention is not limited to this address width and stored data size.

  The program information holding unit 103 holds contamination information 104, protection information 105, and exception information 106. The program information holding unit 103 is isolated from the program being monitored, and for example, an operating system jurisdiction memory that controls the execution of the entire program execution monitoring apparatus 100 so that the contents cannot be directly referenced or updated by the program being executed. It shall be realized in space.

  The contamination information 104 is information indicating whether or not the value stored at each address in the memory 102 is a value derived from “data input from an input path from outside the program”. In the following description, the memory address storing “data input from the input path from outside the program” is expressed as being contaminated, and 1 is described in the contamination information 104, and 0 is described otherwise. Shall.

  Therefore, in order to realize the contamination information 104, it is sufficient to prepare an area that can store 1 bit indicating whether or not the address of the memory 102 is contaminated. For example, when the contamination information 104 is realized in a continuous memory space, information indicating whether or not the address X on the memory 102 is contaminated is expressed as Y (X) mod 8, Z as (XY) / If it is 8, it can be realized by storing in the Y bit of the Z byte.

  The protection information 105 is information indicating whether or not each address in the memory 102 should store “data input from the data input path from the outside of the program”. This protection information 105 can be set according to the intention of the program creator. If the meaning represented by each bit is interpreted as described above, the protection information 105 can be realized in the same format as the contamination information 104.

  In this embodiment, the contamination information 104 is realized by 1 bit indicating whether or not it is contaminated for each memory address, but this is expressed by a plurality of bits and propagated in the program information holding unit 103. You may determine whether it is contaminated using the threshold value provided separately.

  For example, each memory address is represented by 8 bits, and the degree of contamination of the memory address directly input from the outside is set to 0xff. If the value is copied as it is, the contamination degree of the copy destination may be the same as the contamination degree of the copy source. If the value is calculated with other memory address values and the calculation result is stored, both It is also possible to use the average contamination degree as the contamination degree of the calculation result. Also, depending on the complexity of the operation, in the case of OR operation, the contamination degree of the operation result is changed to a higher value of the operation source contamination degree, and in the case of multiplication, the average value of the operation source contamination degree is changed. It is also possible.

  Hereinafter, in this embodiment, it is expressed that a memory address that is determined not to store data via a data input path from the outside is protected, and 1 is set to a corresponding bit of the protection information 105. If not, enter 0.

  The exception information 106 is information indicating whether or not the execution of the area of the memory 102 is permitted when each address in the memory 102 stores “data input from the data input path from outside the program”. . If the meaning represented by each bit is interpreted as described above, the exception information 106 can be realized in the same format as the contamination information 104.

  The processor 101 executes the instruction sequence stored in the memory 102. In the process of executing the program, when updating the value of the memory 102, the contamination information 104 is updated, and information indicating whether or not the address of the memory 102 is contaminated is propagated. If the processor 101 has a configuration as shown in Non-Patent Document 1, it is easy to realize the propagation of information about whether or not it is tainted, but here it is simply copied from the tainted memory address or its value. Assume that the memory address that newly stores a value is also contaminated when an operation using is stored at a new address.

  In this embodiment, the procedure for monitoring the execution of one program will be described. However, when monitoring a plurality of programs, a plurality of program information including an ID for identifying the program being executed is prepared in the program information. When switching the execution of a plurality of programs, the program information may be switched based on this ID.

(Program creation method)
Next, a program creation method according to the present embodiment will be described with reference to FIGS. The program to be executed on the program execution monitoring apparatus 100 described above is created by the method described below.

  3 and 4 are based on the premise that the operating system newly provides 12 system calls in order to execute the program. The names of the 12 system calls to be added to the operating system, the system call numbers, Examples of functions and implementation methods are shown in FIG.

  The name and system call number of the additional system call shown in FIG. 5 need only be able to be uniquely identified, and may be realized using different names and system numbers. Of the 12 system calls, four of sys_startSpuriousRegion (), sys_endSpuriousRegion (), sys_releaseSpuriousRegion (), and sys_allocSpuriousRegion () are used to update the pollution information 104. For example, data acquired via a network or file If the storage area is designated to set the contamination information to 1, these four system calls may not be required.

  FIG. 2 shows an example of the source code of the program described in this embodiment. In the present embodiment, whether or not the storage memory area of each variable is protected or contaminated is stored in the source code, or data via an external data input path is stored. It is necessary to describe information about whether or not to permit. There are several possible forms of this implementation, but in the example of FIG. 2, C language comment statements are used, and this information is described before variable declaration. Hereinafter, in this embodiment, adding the comment / * protected * / and the comments / * spurious * / and / * except * / is called adding the protected annotation, the contamination annotation, and the exception annotation, respectively. .

  3 and 4 show only the difference between the normal program creation method and the program creation method of the present invention when the assembler code is created from one source code file. Regarding the contents shown as a normal program creation method in this embodiment, a method for creating one program from a plurality of source codes, a method for converting from an assembler language to a program composed of byte strings, and terms such as tokens “Compilers Principles, Techniques, and Tools AV Aho, R. Sethi, and JD Ullman” (hereinafter referred to as Non-Patent Document 3).

  First, in step S101 in FIG. 3, the source code is parsed and a token is read from the source code, as in the case of creating a normal program.

  Next, in step S102, it is determined whether or not the token is empty. If the token is empty, it is determined that the analysis of the source code is ended, and the program creation procedure is ended. On the other hand, if the token is not empty in step S102, the process proceeds to step S103 to determine whether the token is a function declaration.

  If it is not a function declaration in step S103 and a global variable declaration to which a protection annotation or a contamination annotation is added in step S109, the procedure shown in FIG. 4 is executed, and the global variable declared at the start of program execution is changed. The protection information, contamination information, or exception information corresponding to the memory address to be stored is changed to 1.

  Specifically, in step S201 of FIG. 4, the global variable is set to X, the head storage address in the memory area to which X is allocated is set to Xa, and the size thereof is set to Xs. Since the address Xa and the size Xs can be obtained from the type information of the global variable declaration, the system calls sys_allocProtectedRegion (Xa, Xs), sys_allocSpuriousRegion (Xa, Xs), and sys_allocExceptRegion (Xa, Xs) should be called. . That is, when a protection annotation is added to X in step S202, a code for calling the system call sys_allocProtectedRegion (Xa, Xs) is added to the initialization process of the program in step S203. In step S204, if a taint annotation is added to X, a code for calling the system call sys_allocSpuriousRegion (Xa, Xs) is added to the initialization process of the program in step S205. If an exception annotation is added to X in step S206, a code for calling the system call sys_allocExceptRegion (Xa, Xs) is added to the initialization process of the program in step S207.

  If the token is not a function declaration in step S103 of FIG. 3 and the annotation is not a global variable declaration with an annotation, normal code generation is performed in step S311.

  On the other hand, if the token is a function declaration in step S103, the variable declared at the head is set to X in order to sequentially process the variables declared in the function.

  Next, in step S105, it is determined whether or not X exists. If X does not exist, that is, if there is no variable declared in the function, normal code generation is performed until the end of the function declaration in step S112. . In step S113, code for calling the system calls sys_releaseProtectedRegion (), sys_releaseSpuriousRegion (), and sys_releaseExeptRegion () when the function declaration ends is generated, and the process returns to step S101 to read the next token and continue the processing.

  On the other hand, if X exists in step S105, that is, if a variable declared in the function exists, it is determined in step S106 whether an annotation is added to the variable.

  If no annotation is added in step S106, a code for subtracting the value of the stack pointer by the size of X is generated in step S107 in order to secure an area necessary for storing the variable X on the stack. That is, the stack pointer is moved by the size of X, and a code for preparing an X storage area on the stack is generated. In step S108, the variable declared next in the function is set as X, and the processing in steps S105 to 108 is repeated.

  If a protection annotation, a contamination annotation, or an exception annotation is added in step S106, the process proceeds to step S114, and a code for calling the system call sys_startXXXXRegion () is generated according to the type of annotation. Thereafter, in step S315, an area necessary for storing the variable X is secured on the stack. Subsequently, in step S116, a code for calling the system call sys_endXXXXRegion () is generated, and the process proceeds to step S108. At this time, if the annotation added to the variable X is a protection annotation, it is Protected, if it is a tainted annotation, it is Spurious, and if it is an exception annotation, it is Except.

  FIG. 6 shows an example in which the source code of the program shown in FIG. 2 is converted into an assembler code in accordance with the procedure shown in FIGS. Although details of the function fullfill are not shown in FIG. 6, it is assumed here that the contents of the variable b are copied to the area given by the argument. In the present embodiment, the system call is implemented by the software interrupt 80H by assigning the system call number to the register% eax.

  In this way, an assembler code is generated from the source code of the program, and the assembler code is further converted into a program by a method disclosed in Non-Patent Document 3. When the program is not executed, it is stored as a single file as shown in FIG. In the configuration example of FIG. 7, the program file 700 includes a program header 701, a text area 702, and a data area 703.

  The program header 701 stores information such as where the text area 702 and the data area 703 are stored in the file, how large the file is, and in which memory area the data area 703 is stored. For example, as shown in FIG. 8, the program header 701 has an offset 701a in the file in which the head of the text area is stored, the size of the text area 701b, and the start of the head when the text area is mapped to memory at the time of execution. The address 701c, the offset 701d in the file in which the data area is stored, the size 701e of the data area, the start start address 701f when the data area is mapped to the memory at the time of execution, and the like.

  The text area 702 stores an instruction sequence converted from an assembler code generated according to the procedure shown in FIGS.

  The data area 703 stores a variable in which a storage address is statically determined and an initial value is substituted.

(Program execution monitoring method)
Next, the program execution monitoring method according to the present embodiment will be described with reference to FIG.

  First, in step S301, when the program execution monitoring apparatus 100 starts executing a program, the program execution monitoring apparatus 100 starts from the program file 700 to start execution, and based on the information in the program header 701 in the program file, the text area in the file. 702 and the data area 703 are mapped on the memory. At this time, the contamination information 104, the protection information 105, and the exception information 106 are initialized and set to all zero.

  In step S302, the program execution monitoring apparatus 100 starts executing the instruction sequence from the beginning of the text area 702 mapped on the memory. A program initialization process is stored at the head of the text area 702. If there is an area for storing a variable with a taint annotation, a protection annotation, or an exception annotation in the data area 703, an instruction for the initialization process is stored. The column includes the update processing of contamination information, protection information, and exception information. For this reason, in the initialization process of the program, update processing of the contamination information 104 corresponding to the corresponding memory area, the protection information 105, and the exception information 106 is also performed.

  After completing the initialization process, the program execution monitoring apparatus 100 extracts and executes each instruction sequence of the program body. Specifically, in step S303, the instruction at the head of the text area 702 is set to X, and in step S304, it is determined whether or not the instruction X exists. If the instruction X exists, the process proceeds to step S305, and the instruction X is executed.

  In step S305, along with the execution of the instruction X, the contamination information 104 is updated. In order to update the contamination information 104, a processor configuration as shown in Non-Patent Document 1 may be used. Further, since the instruction sequence includes a process for updating the storage area of the variable whose storage address is dynamically determined by the program creation method of FIGS. 3 and 4, the protection information 105 is also updated sequentially. .

  Next, in step S306, it is determined whether or not the protection area is contaminated by execution of the instruction X. If it is contaminated, the process proceeds to step S308 to detect the execution transition, and outside the program execution monitoring apparatus 100. Inform. If the protected area is not contaminated, the process proceeds to step S307, where it is determined whether the instruction X is an execution transition instruction and the execution transition destination is not an exception area but is contaminated. If applicable, the process proceeds to step S308 to detect an execution transition and notify the outside of the program execution monitoring apparatus 100. If the condition in step S307 is not satisfied, in step S309, the next instruction is taken out from the text area and newly set as X, and the processes in and after step S304 are repeated until X disappears.

  Also, in step S307, for example, if the memory address of the execution transition destination is X, the contaminated memory address smaller than X is nearest Y, and the nearest uncontaminated memory address larger than X is Z, ZY is preliminarily set. If it is larger than the predetermined value N, it may be detected. Here, the value N may be held in advance by the program execution monitoring apparatus 100 or stored in, for example, the program header 701 of the program file 700, acquired at the time of execution, and added to the program information.

  Next, a normal operation when a program having an assembler code as shown in FIG. 6 as the text area 702 is executed based on the procedure of FIG. 9 will be specifically described with reference to FIG. 6 and FIGS. .

  10 to 12 show the state of the memory at the time of program execution, and the upper side of the figure shows a young address. A diagonal diagonal line next to the memory indicates that the memory area is contaminated, a checkered pattern indicates that it is protected, and a horizontal line indicates an exception area. Represents something. Each of these marks is a visualization of the contamination information 104, the protection information 105, and the exception information 106 for explanation.

  First, after arranging the text area 702 and the data area 703 in the memory 102 based on the information of the program header 701, the initialization process at the head of the text area 702 is executed (portion 601 in FIG. 6). Here, an area of the variable b that is statically secured is secured, and since the contamination annotation is designated for the variable b, this is reflected in the contamination information 104. The memory at this time is as shown in FIG. The contamination information 104 describes that a program stack is formed in the lower layer of the memory and the storage area of the variable b is contaminated.

  Next, the main function that is the main body of the program is executed. The stack base address% ebp of the caller of the main function is saved on the stack, and the areas of variable x and variable buf are secured on the stack (portions 602, 603, and 604 in FIG. 6). At this time, since the protection annotation and the exception annotation are added to the variable x and the variable buf, respectively, the protection information 105 and the exception information 106 are updated, and the state of the memory is as shown in FIG.

  When the execution of the function main is advanced, the arguments are stacked on the stack and the function funcA is called (portion 605 in FIG. 6). In the function funcA, the stack frame is stored (portion 606 in FIG. 6), and an area for a variable is secured (portion 607 in FIG. 6). Since no annotation is added to the variable in the function funcA, an area for storing the variable is secured by an assembler code as indicated by reference numeral 607 in FIG. The state of the memory at this time is as shown in FIG.

  The function funcA calls the function fulfill, but by copying the value from the global variable b to the area indicated by the argument, the function fulfill indicates that the storage area of buf2 given as the argument of the function A is contaminated. 104 is reflected. Further, since the value of buf2 is copied to buf3, the storage area of buf3 is also contaminated, and the state of the memory is as shown in FIG. After completing the execution of the function funcA, the return address is extracted from the stack and the execution transition is made. After funcA ends, call the function run that executes the instruction sequence stored in buf.

  Next, in the operation described above, when the function fulfill is called from the function funcA, an operation in which a buffer overflow occurs in the function fulfill will be specifically described with reference to FIG.

  In the above-described operation, when the function fulfill is called from the function funcA, it is assumed that a buffer overflow occurs in the function fulfill and the value of the variable ptr3 is falsified to point to the variable buf.

  In this case, as shown in FIG. 12A, the state of the memory is contaminated even though it is a protected area. In the present embodiment, this is detected and notified to the outside that an exception has occurred.

If no protection area contamination is detected here, the value is copied from the area pointed to by the variable ptr2 to the area pointed to by the variable ptr3 after the function fulfill is completed. This is because the variable ptr3 points to the variable buf. Therefore, the value is duplicated from buf2 to buf. Since the data of the variable buf2 is duplicated from the global variable b in the fullfill, both the variable buf2 and the storage area of the variable buf are contaminated. The state of the memory at this time is as shown in FIG. After the execution of the function fulfill, when the funcA processing is finished, returning to the call and trying to execute the function run, the buf is contaminated but it continues execution because it is an exception area.
(Action and effect)
According to the program execution monitoring apparatus 100 and the program execution monitoring method according to the present embodiment, it can be applied to a program such as a virtual machine or a program that dynamically generates an instruction sequence of a processor at the time of execution, such as a buffer overflow. It is possible to detect and monitor whether the program is operating as intended by the program creator.

  The detection unit 101c of the program execution monitoring apparatus 100 can detect an execution transition when the size of the memory area is larger than a predetermined size. For this reason, in order for the command sequence sent by the attacker to operate the computer as the attacker intended, a command sequence of an appropriate length is required, so the value obtained from the data input path from the outside of the program If the size of the memory area that has been stored and the execution has been transitioned is smaller than a predetermined size, it is possible to reduce the false detection rate by determining that it is a false detection.

  Further, the detection unit 101c of the program execution monitoring apparatus 100 according to the present embodiment can update the contamination information, the protection information, and the exception information according to the execution of the program. For this reason, contamination information can be propagated.

  Further, according to the program creation method according to the present embodiment, the data input path from the outside of the program and the monitored memory area can be stored in the program file at the same time as the instruction sequence, thereby facilitating the start of program execution. Can do.

  Further, in the program creation method according to the present embodiment, the monitoring target memory area update method can be described using a system call provided by the operating system. Therefore, the execution of the program can be monitored using a system call.

It is a block diagram of the configuration of the program execution monitoring apparatus according to the present embodiment. It is an example of the source code of the program concerning this embodiment. It is a flowchart which shows the program creation method which concerns on this embodiment (the 1). It is a flowchart which shows the program creation method which concerns on this embodiment (the 2). It is an additional example of the system call which the operating system which concerns on this embodiment provides. 3 is an example in which the source code of FIG. 2 is converted into an assembler code. It is a structural example of the program file which concerns on this embodiment. It is a structural example of the program header of FIG. It is a flowchart which shows the program execution monitoring method which concerns on this embodiment. It is a figure which shows the mode of the memory of the program execution monitoring process which concerns on this embodiment (the 1). It is a figure which shows the mode of the memory of the program execution monitoring process which concerns on this embodiment (the 2). It is a figure which shows the mode of the memory of the program execution monitoring process which concerns on this embodiment (the 3).

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 ... Program execution monitoring apparatus 101 ... Processor 101a ... Setting means 101b ... Storage means 101c ... Detection means 102 ... Memory 103 ... Program information holding part 104 ... Contamination information 105 ... Protection information 106 ... Exception information 700 ... Program file 701 ... Program header 702 ... Text area 703 ... Data area

Claims (6)

A program execution monitoring device for monitoring program execution,
Setting means for setting a data input path from the outside of the program and a memory area to be monitored before execution of the program;
Storage means for storing a processing result using a value input via the data input path from the outside during execution of the program in the memory area;
A program execution monitoring apparatus comprising: a detecting unit that detects an execution transition when an execution transition occurs in the memory area.   The program execution monitoring apparatus according to claim 1, wherein the detection unit detects the execution transition when the size of the memory area is larger than a predetermined size. A program information holding unit for holding contamination information indicating whether or not the value stored at each address in the memory area is a value derived from data input from an input path from outside the program;
The program execution monitoring apparatus according to claim 1, wherein the detection unit updates the contamination information according to the execution of the program. A program execution monitoring method for monitoring program execution,
Before executing the program, setting a data input path from the outside of the program and a memory area to be monitored;
Storing the processing result using the value acquired through the external data input path in the memory area during the execution of the program;
And a step of detecting the execution transition when an execution transition occurs in the memory area. During execution of the program, the processing result using the value acquired through the data input path from the outside of the program is stored in the memory area to be monitored, and if an execution transition occurs in the memory area, the execution transition A program creation method for creating the program to be executed in a program execution monitoring device for detecting
A method for creating a program, comprising: a step of describing a data input path from the outside of the program and a method for updating a memory area to be monitored in a program file in advance. 6. The program creation method according to claim 5, wherein a method of updating the memory area to be monitored is described using a system call provided by an operating system.

Images