JP2006330864A - Server computer system control method - Google Patents

Abstract

[PROBLEMS] To detect and judge a plurality of sets of system calls (allowable set) a plurality of times, thereby realizing more accurate monitoring with reduced missed detection without increasing false detection of malicious programs. be able to.
Means for dividing an AP to be monitored into processing phases, elapsed time, and other time-dependent elements in a server computer system, and creating a permissible set for each processing phase (for each time segment). In this way, each allowed set is kept small. As the processing phase of the monitoring target program changes, the OS monitors the execution of the system call sequence by using an allowable set prepared for each phase. That is, the execution of the monitoring target AP is monitored while replacing a plurality of allowed sets. More specifically, the OS is notified (synchronized) that the processing phase of the monitoring target AP is changed by a specific system call caused by the monitoring target program.
[Selection] FIG.

Description

  The present invention relates to a technology for detecting an unauthorized program that has entered a server computer system or caused by a virus infection, and in particular, monitors the operation of the program to detect an unauthorized program, a program that develops due to a virus infection, and other programs with defects. It is related with the technology to detect.

In a server computer system connected to the Internet, a running application program is exposed to various accesses via the Internet. These accesses include not only those that request the original service, but also unauthorized access that attempts to control and operate arbitrary programs in the server computer system by entering from an unprotected part of the application program. is there.
For such unauthorized access, 1) an attack program intrudes an execution format module into an application program, and this module program acts illegally in the server computer system. 2) An unauthorized program file attached to an e-mail, etc. When executed, there is a server computer system in which an unauthorized program causes an unauthorized operation.

If unauthorized access is successful, the server computer system that has received the intrusion executes a program (unauthorized program) different from the original application.
Non-Patent Document 1 is a technique for detecting a difference in program behavior caused by execution of a malicious program. The problem with such a detection system is that errors in detection and judgment are likely to occur. In other words, there is an oversight that it is judged to be abnormal even though it is actually normal operation, and conversely, it is not possible to detect fraud because it is normal even though it is actually abnormal operation. Frequently appear.
In Patent Document 1, statistically monitoring the execution status of a plurality of system calls is performed. For example, when an index different from the normal time is calculated by statistically processing the contents of a large number of system calls exceeding 10,000 times, it is determined that an abnormality has occurred. In such a method, it is difficult to set a threshold value for allowing an abnormality in the index. If the threshold is set strictly so that a slight difference can be detected, the probability of erroneous detection increases. If the threshold value is set gently so as to allow some errors, the risk of overlooking unauthorized access increases.

For the sake of safety of judgment, an operation that allows a certain amount of false detection and reduces oversight is also assumed. However, if the original process cannot be executed without any injustice, the general user cannot be satisfied. In particular, in a platform program such as an operating system (OS), “usability (usability)” is considered an indispensable condition.
The behavior of the application when viewed from the OS is observed as a service request to the OS, that is, a sequence of system calls.
The so-called access control is for determining whether or not each service request can be executed based on the contents of the service request (sequence of system calls) and access restriction information given in advance. In this control method, if an attempt is made to execute a system call that is prohibited in advance, this can be detected as an unauthorized intrusion.

Non-Patent Document 2 shows one solution for reducing false detection. In the stricter behavior monitoring technique shown here, the monitoring target is a sequence of several system calls that are continuously executed by the monitoring target program.
Since the monitored program does not generate a specific system call sequence, the occurrence of the specific system call sequence is determined to be abnormal. Conversely, if it is a sequence of system calls that are scheduled to appear, the execution is allowed.

In such a behavior monitoring method, there is a problem that it is difficult to obtain and use complete information regarding a sequence of system calls to be executed by a monitored program. As a symptomatic treatment, a list of allowable columns that can be executed is created based on the sequence of system calls observed when the monitored program is operated. In such symptomatic therapy, since it is usually difficult to collect all allowable columns, a system call column that operates differently from the allowable column in the list even if it is normal is erroneously detected as a virus intrusion. It will end up.
In Non-Patent Document 2, the source code and execution code of the monitoring target program are statically analyzed to complete the list of allowable columns. Note that reducing the oversight of illegal operations in behavior monitoring usually has a trade-off relationship with reducing false detections.

US Pat. No. 6,681,331 S.Forrest et al. “Self-Nonself Discrimination in a Computer” Proceedings of the IEEE Symposium on Research in Security and Privacy, pp.202-212 (1994) D. Wagner et al. "Intrusion Detection via Static Analysis" Proceedings of the IEEE Symposium on Research in Security and Privacy, pp.156-168 (2001)

  An object of the present invention is to reduce oversight while keeping a false detection rate of illegal behavior of a program low.

There is provided means for dividing the application program to be monitored into processing phases, elapsed time and other time-dependent elements in the server computer system, and creating an allowable set for each processing phase (each time segment). In this way, each allowable set is kept small (FIG. 14).
Here, “allowable set” means a set of “allowable columns”, “allowable column” means a column of allowed system calls, and “allowed” means execution of a column of system calls that are expected to appear. To forgive.

As the processing phase of the monitoring target program changes, the OS monitors the execution of the system call sequence by using an allowable set prepared for each phase. That is, the execution of the application program to be monitored is monitored while replacing a plurality of allowed sets.
More specifically, the OS is notified (synchronized) that the processing phase of the monitoring target application program changes due to a specific system call caused by the monitoring target program.
In order to synchronize the switching of processing phases, a) provide a dedicated system call that explicitly requests the OS to switch the phase from the application program, or b) at a certain timing from a general system call A specific system call is used as a “cue” (synchronization signal) for phase switching. More specifically, a method of setting / selecting at the source code level, a method of embedding a dedicated system call in the form of a patch or the like in the executable code, and a means for the OS to discriminate the system call as a switching signal is executable code The method provided in is used.
Note that advanced program analysis technology is required to select the switching point of the processing phase. FIG. 14 shows a comparison between the conventional monitoring model using the allowable set and the monitoring model using the allowable set of the present invention. Conventionally, it is possible to detect a row of illegal system calls that have been missed by the present invention.

  According to the present invention, a plurality of system call sets (allowable sets) are detected and judged a plurality of times, so that more accurate monitoring is achieved without increasing the number of false detections of malicious programs and reducing oversight. Can be realized.

Have complete information about system calls of application programs to be monitored and switching of application program processing phases in advance, and allow the allowable set to be sufficiently small at the time of processing phase switching, and sandwich the switching points. It is desirable to appropriately set the phase switching point of the application program so that the common part of the allowed set is sufficiently small.
Further, it is desirable to apply the method of the present invention to a hardware resource with a margin so that even if the system call determination process is executed lightly, the server performance is not significantly reduced.

FIG. 1 shows the configuration of a server system to which the present invention is applied.
The server computer system 100 is equipped with a processor 110 and an external storage device 120 is connected thereto. The OS 130 controls the running of the application program 150. The application program 150 issues a system call 160 as required to request a service of the OS 130.
The OS 130 determines whether or not the execution of the service requested by the system call 160 is appropriate in the system call examination module 140. The system call examination module 140 determines the validity of the system call by using the information related to the requested system call 160 and the information in the determination tables 141, 142, and 143 previously expanded on the memory.
The determination tables 141, 142, and 143 are created based on the determination information 121, 121, and 123 obtained for each phase (FIG. 8) by analyzing the application program 150 in advance. The determination information 121, 122, 123 is stored in the external storage device 120 before the execution of the application program 150 is started.

FIG. 2 shows an example of one fragment of a program made up of a combination of a plurality of system calls. The determination information A121 (FIG. 1), the determination information B122, and the determination information C123 (not shown) are a series of system calls (in this case, two It consists of a system call pair consisting of system calls.
Large white circles 210 to 214 and 260 to 252 in which characters are written indicate system call issue locations. Black circles 220, 221, 270, and 271 represent branch points and junctions of conditional branches. A small white circle 230 represents a procedure call.
The program is executed according to the control flow 200. An example is shown in which there is a branch 220 after the system call A 210 and the system call B 211 is executed and the system calls C 212 and D 213 are executed. In this case, (A, B) and (A, C) are extracted as a pair of system calls. If three consecutive system calls are extracted, they become (A, B, X) and (A, C, D), respectively.
Since there is a procedure call after the system call B211, and the system call X250 is executed after that, the system call column (B, X) is extracted. After executing the system call Y261 or the system call Z262, the system returns to the calling point 230 and executes the system call E214, so that the system call sequences (Y, E) and (Z, E) are extracted.

FIG. 3 lists the column of system calls extracted in this way.
FIG. 4 shows an example of a data format when the information of FIG. 3 is stored in the external storage device 120 as determination information A121 to determination information C123. The determination information 400 has one line entry for one system call number 410, and each entry has a system call number field 420 and system call number fields 421, 422, which are allowed to be executed subsequently to the system call. It consists of ... FIG. 4 shows the entries in each row with the same length, but the length of the entries may be increased depending on the number of subsequent allowed system calls.

FIG. 5 is a conceptual diagram showing details of determination table A141 to determination table C143 (143 is not shown) in which determination information A121 to determination information C123 are expanded on a memory.
The process control block 590 has a current determination table address 591 indicating an address field of the current determination table, and points to the determination table 141 relating to the application program 150 (FIG. 1) being executed. The process control block 590 has a previous system call number field 592 so that the number of the system call executed by this process can be recorded.
There are a plurality of determination tables A141, a determination table B142, and a determination table C143 (not shown), each corresponding to a plurality of execution phases (FIG. 8) of the application program 150 (FIG. 1). The next determination table address field 520 of the determination table A141 points to the second determination table B142. Each determination table has a determination table identifier field 510, which can be used to control the determination table. The determination table A 141 includes a column 530 for head determination entries, and head determination entries 540 are arranged.

FIG. 6 shows the structure of the first determination entry 540 and the determination entry 650.
The determination entry related to one system call is a list starting from the first determination entry 540, and the determination entry 650 is continued in the next determination entry address field 642. The first determination entry 540 includes an allowable subsequent system call number field 641. 641 stores the number of the system call that is permitted to be executed subsequent to the current system call, as indicated by the previous system call number 592 (FIG. 5). Furthermore, the top determination entry 540 includes a determination table switching control information field 643, which is used for controlling determination table switching processing described later.

FIG. 7 is a flowchart showing an outline of the system call examination processing 700 in the system call examination module 140 when a system call is issued in the application program 150 (FIG. 1).
In step 710, the address of the first determination entry corresponding to the last system call is obtained from the current determination table address 591 (FIG. 5) and the previous system call number 592. This can be obtained by using the previous system call number 592 as an index from the column of the first determination entry in the current determination table A141. Thus, the first determination entry 540 (FIG. 6) is obtained.

In step 720, it is checked whether or not the number of the system call issued to the OS from the normal or unauthorized program this time coincides with the subsequent system call number allowed in the obtained determination entry 540. If they match, it can be determined that the system call is allowed (YES), and the process proceeds to step 730.
In step 730, the number of the system call currently being processed is stored in the previous system call number field 592, and then the process returns to normal.

On the other hand, if it is not confirmed in step 720 that the system call being executed is allowed (NO), the next determination entry is checked. That is, in step 740, it is checked whether or not the next determination entry address field 642 is zero. If it is not zero (NO), the value is the address of the next determination entry (step 760). Step 720 and subsequent steps are repeated.
In step 740, if the system call being executed is not permitted even by the last determination entry (YES), it means that an abnormal system call sequence has been detected, so that the process proceeds to step 750 and processing at the time of abnormality detection is performed. Do. For example, the generated abnormality is recorded in the security log, the running process is stopped, and the resources are released.

FIG. 8 is a flowchart illustrating a process 800 in which the application program 150 notifies the OS of the phase change when the process phase is changed.
Step 810 shows processing in the initial setting phase in the application program. For example, processing such as securing a working memory, securing a communication path, and opening a necessary file.
In step 820, upon completion of the initial setting phase 810, phase switching notification is performed.
In step 830, processing of the service phase of the application program is performed. Specific processing varies depending on the server computer system. Typically, this is a process using resources prepared in the initial setting phase, and there are few securing of a new communication path, and many reading and writing of files.
In step 840, the service phase 830 is left and before the end phase 850 is entered, a phase switch is notified.
In the end phase of step 850, the secured memory is released and the file and communication path are closed.

The process phase switching notifications 820 and 840 are made via an interface from the application program to the OS, and are specifically realized through a system call.
A dedicated system call can be used. In this case, a system call for explicit notification is created in the source program so that a dedicated system call can be issued while the application program is running.
In addition, a dedicated system call may be embedded at an appropriate location in the application program execution file.
The former method has an advantage that it is easy to identify the switching point of the execution phase, but has a disadvantage that it cannot be applied to an application program distributed as an execution file. The latter has the advantage that it can be applied to the application program after distribution, but the phase switching point must be identified.
In the method using a dedicated system call, only the system call needs to be processed in consideration of phase switching. Compared to a method that does not use a dedicated system call, which will be described later, there is an advantage that the control is easy and the performance is not lowered. Furthermore, by adding an argument to the dedicated system call, finer control becomes possible. For example, when there is a possibility of transition from phase A to phase C as well as phase B, the transition destination phase can be specified from the program by an argument.

The method for the OS to know the switching of the processing phase without using the dedicated system call is the system call type, issue address, etc. at the timing of switching the processing phase among the system calls originally executed by the application program. This is a method in which information is checked in advance and given to the OS, and when the OS executes a system call, it is determined that the system call is applicable and the phase is switched.
This method has the advantage that it is not necessary to change the application program, but has the disadvantage that an overhead for determining whether or not the OS is a corresponding system call at the time of execution occurs. In addition, it is necessary to identify in advance which system call is at the timing of phase switching. This takes the same effort as the problem in the method of embedding the dedicated system call in the application program.

FIG. 9 is a flowchart showing the processing 900 of the OS in response to the processing phase switching notification by the dedicated system call in Step 820 (FIG. 8) or Step 840.
In step 910, the validity of the phase switching notification is checked. When an application program is subjected to an unauthorized attack and an unauthorized intrusion is made, if the phase switching process is arbitrarily executed by the attack program, the protection level may be lowered. Therefore, safety is checked by checking the state of the application program when the switching notification is issued. This is determined by confirming that the information regarding the normal state that has been investigated in advance matches the actual state at the time of notification.
Examples of the state include a stack state at the time of notification. By examining the stack, you can see the sequence of subroutine call addresses in your program, and make sure that it matches the one you have examined in advance. It is advantageous in terms of management that the preliminary survey information described here is stored on the storage 120 together with the determination information A121 to the determination information C123.

If the validity is confirmed as a result of the check in step 910 (YES), the determination table is changed in step 930. Although it is necessary to determine which decision table to switch to, it is assumed here that the determination table is switched to the next decision table in the current determination table according to a predetermined order. In FIG. 5, the determination table A 141 and the determination table B 142 are managed by connecting a plurality of determination tables in this order. The determination table used so far is the determination table A141, and it is specified from the process management block as described above.
The next determination table is the determination table B 142 (FIG. 5), which is designated by the pointer from the inside of the determination table A 141 as described above. The decision table switching process 930 is achieved by taking the address of the decision table B 142 from the next decision table address field 530 of the decision table A 141 and storing it in the current decision table address field 591 of the process management block 590. Thus, the switching process returns to normal.
If it is determined in step 910 that the notification is not valid, the process proceeds to step 920 to execute fraud notification processing. As the fraud notification execution process, the process is stopped and released.

FIG. 10 is a flowchart showing an OS process 1000 for a process phase switching notification when an argument indicating the change destination phase is specified in the dedicated system call in Step 820 (FIG. 8) and Step 840. is there.
The notification validity check processing step 1010 is the same as step 910. The decision table switching process step 1030 is a part that is affected by the change destination designation. In FIG. 5, each of the determination table A 141 and the determination table B 142 has a determination table identifier field 510. While following the chain of the decision table constituted by the first decision table address field 593 and the next decision table address field 520 of each decision table, the decision table corresponding to the designated change destination is changed to the decision table identifier field 510 of each decision table. Search while investigating. Thereby, the determination table to be used next can be selected. If the determination table is selected, the address is stored in the current determination table address field 591. If the judgment table cannot be selected, it is an error and the application program is forcibly terminated.

FIG. 11 is a flowchart showing a switching determination process 1100 in the case where the OS determines switching of processing phases when a specific system call is issued among existing system calls without using a dedicated system call. This process is executed as part of the system call process.
Whether a system call is the trigger for switching processing is defined by the type of system call and the state of the application process when the system call is issued, for example, the address in the application program that requested the system call remaining on the stack If the condition is confirmed, the OS executes the switching process.
A determination entry 540 at the top of FIG. 6 exists for each type of system call. In the determination table switching control information field 643 of the determination entry 540 at the head of the system call that triggers switching, a target flag 661 that indicates that the type of system call is a system call that triggers switching, and a system call are displayed. Address information 662 in the application program at the time of calling is stored. These are given as designation information for the OS when the OS is initially set. At the time of execution, it is determined whether or not it is a switching opportunity based on these pieces of information.
In the switching determination process 1100 (FIG. 11), in step 1110, it is determined with reference to the target flag 661 (FIG. 6) that the system call being processed is a specific system call. If it is not the target (NO), return as it is. If YES in step 1120, the flow advances to step 1120 to determine whether the system call is a system call for phase switching by comparing the call address of the system call with address information 662 (FIG. 6) registered in advance. judge. If not the target (NO), return. If it is the target (YES), the judgment table is switched in step 1130. This is executed by storing the address of the newly selected determination table B 142 in the current determination table address field 591 (FIG. 5). Then return.

FIG. 12 is a block diagram showing an information flow from setting a given application program to setting a process phase switching point of the program.
Information relating to the application program includes source code 1210, execution code 1211, additional information 1212, and manpower information 1213. With these as inputs, the phase analysis processing 1200 analyzes the phase transition of the application program and outputs phase switching point information 1230. With this as an input, the phase switching point setting processing 1240 reflects the phase switching point information in the application program and OS control information so that the OS can know the transition of the application program when the application program is executed.
The source code 1210 includes the source code of the library called by the application program in addition to the server source code. In general, the source code can be analyzed in detail and accurately, but the source code is rarely available in normal operation. If the source code is not available, the execution code 1211 can be used as an alternative. In general, analysis of executable code is more difficult than analysis of source code, and platform-specific knowledge such as machine instruction specifications is required, but there is an advantage that the user can always use it. After all, the execution code of the called library is included in the input as well as that of the application program. In addition to these, a part of information that has been analyzed before can be used as additional information 1212 to shorten the processing time, or to manually add information that assists analysis, Make analysis results more accurate. The manpower information 1213 is given in the form of a parameter file and can be inserted as a so-called directive in the source code. Additional information includes analysis information about the library.

The process performed in the phase analysis process 1200 (FIG. 12) will be described with reference to FIG.
When the processor transfers control to the entry point 1310, the instruction sequence A1311 is successively executed. The sequential instruction sequence means an instruction sequence in which there is no branch instruction and control is not transferred to the instruction in any branch instruction. Control of the program encounters branch point 1312 as it sequentially exits instruction sequence A. The branch points include all points where sequential instruction execution is interrupted, such as calling a subroutine or returning from a subroutine, in addition to a general conditional branch. From the branch point 1312, control is transferred to the entry point 1320 or the entry point 1330.
The instruction sequence B1321 is sequentially executed following the entry point 1320, and there is a possibility of branching to the entry point 1350 at the branch point 1322. Similarly, the instruction sequence C 1331 is sequentially executed from the entry point 1330, and a branch to the entry point 1350 occurs at the branch point 1332.
If the branch point 1332 is not branched, the instruction sequence D1341 is sequentially executed, and a branch to the entry point 1360 occurs at the branch point 1342.
On the other hand, following the entry point 1350, the instruction sequence E is sequentially executed. Thereafter, since there is an entry point 1360, the sequential instruction sequence E ends the processing.

As described above, the entire program to be executed is decomposed into a sequential instruction sequence sandwiched between branch points or entry points, and adjacent execution order information is extracted. The execution order between the sequential instruction sequences can be obtained from the adjacent execution order information between the extracted sequential instruction sequences. Considering the execution order of sequential instruction sequences, a set of system call sequences that can be executed (allowable set) is obtained from the set of sequential instruction sequences.
When a specific sequential instruction sequence S is specified, a set of sequential instruction sequences (called the second half) that may be executed after the sequential instruction sequence is determined, and may be executed before the second half. A set of sequential instruction sequences (referred to as the first half) is obtained. They can have a common part. Each allowed set is obtained from the first half and the second half.
Let B (S) be the original number of allowed sets in the first half and A (S) be the number of allowed sets in the second half. Theoretically, it is considered that S in which B (S) and A (S) become the smallest simultaneously is suitable as a phase break. This is because the most severe monitoring is performed before and after that.
In addition, it is desirable for the phase break to have a smaller common part between the first and second allowance sets. This is because the type of system call used before and after that changes greatly, so it is considered that the nature of processing will change. Otherwise, the similarity of the allowable set before and after increases, and the allowable set of This is because the exchange effect is considered to be small.

  In general, such a sequential instruction sequence may not be found. In order to prepare for such a case, a sequential instruction sequence of phase breaks may be determined by setting appropriate selection criteria or by manual adjustment. For example, if it is determined that the risk in the second half is high, it may be possible to select to reduce the allowable set in the second half. In the above description, the phases are divided into the first half and the second half. However, for example, the first half can be further divided by the same processing. In this case, there are three phases, and two switching points are designated.

In the process phase switching point setting process 1240 (FIG. 12), the process to be performed differs depending on the control method at the time of execution. First, when embedding a system call dedicated to phase switching notification in the source code, a process for issuing this system call is inserted into the corresponding part of the application program. When embedding the system call dedicated to phase switching notification in the execution file, the corresponding code is embedded in the corresponding part of the execution file of the application program. This can be done in the same way as putting a patch. If you want to avoid static changes to the executable file, you can embed the corresponding code in memory when loading the application program.
On the other hand, when a general system call is used as an opportunity for phase switching, a specific system call used as an opportunity is changed to another system call (including a system call having the same system call number issued from another location). Is required to be stored on the storage medium 120 as part of the determination information A121 to the determination information C123.

  The present invention is suitable for enhancing monitoring of abnormal behavior of a program.

It is a figure which shows the structure of the server computer system to which this invention is applied. It is a figure which shows the example of execution of 1 fragment of a program which consists of a combination of a several system call. It is the figure which showed the string of the system call obtained by extracting. It is a figure showing an example of a data format at the time of storing a system call sequence as judgment information A121-judgment information C123 in external storage device 120. It is a figure which shows the data format of the determination table expand | deployed on the memory. It is a figure which shows the data structure of a determination entry. 7 is a flowchart showing an outline of a system call examination process 700 in the system call examination module 140. 6 is a flowchart for notifying process phase switching in an application program 150; 10 is a flowchart showing an OS process 900 in response to a phase switching notification by a dedicated system call. 10 is a flowchart showing an OS process 1000 for a phase switching notification when an argument indicating a change-destination phase is specified in a dedicated system call. It is a flowchart of the phase switching process using the existing system call. It is a block diagram which extracts the phase switching point in an application program. It is a schematic diagram of the fragment | piece of a program explaining a phase analysis process by extraction of a sequential instruction sequence. It is explanatory drawing which compares the monitoring model using the conventional allowance set, and the monitoring model using the allowance set of this invention.

Explanation of symbols

100 server computer system 130 operating system (OS)
150 Application program 121, 122, 123 Determination information A to C on storage
141, 142, 143 Judgment tables A to C on the memory
200 Fragment of processing of application program 300 Example of content of permissible information 400 Permissible information in judgment information 590 Process control block 540 First judgment entry 650 Subsequent judgment entry 700 System call examination process 800 Server process 900, 1000 Phase switching process 1100 Switching judgment processing 1200 Phase analysis processing

Claims (7)

A server computer,
Data storage means accessible from the server computer;
An operating system for controlling the server computer;
A control method for a server computer system comprising an application program executed on the server computer under the control of the operating system,
The system call column issued by the application program is monitored, and when a column other than the scheduled system call column is detected using the determination table including the scheduled system call column, the system In the one that stops the execution of the call queue,
The system call sequence issued by the application program is divided into a plurality of determination tables in advance for each processing phase, and each scheduled system call column is stored in each determination table.
The operating system compares a system call column issued by the application program with a system call column in the first determination table;
The operating system, upon a specific system call, compares a system call column issued by the application program with a system call column in the second determination table,
The server computer system control method according to claim 1, wherein when a column other than the scheduled system call column is detected in each comparison, execution of the system call column is stopped. In the control method of the server computer system according to claim 1,
The method of controlling a server computer system, wherein the specific system call is a dedicated system call. In the control method of the server computer system according to claim 2,
The server system control method, wherein the dedicated system call is made by a call process explicitly inserted into the source program of the application program. In the control method of the server computer system according to claim 2,
The dedicated system call is a control method for a server computer system, which is performed by inserting an instruction sequence for calling into an execution program of the application program. In the control method of the server computer system according to claim 4,
The server computer system control method includes inserting an instruction sequence for calling the execution program when the execution program is loaded. In the control method of the server computer system according to claim 1,
The server computer system control method, wherein the specific system call is a system call specified by a predetermined system call type and address for the application program. In the control method of the server computer system according to claim 1,
A control method for a server computer system, wherein the application program issues the specific system call when it starts accepting access.

Images