
TW201830282A - Computer system and file access control method capable of reducing danger that an unauthorized file, such as a malware, is accessed or executed - Google Patents


Info

Publication number
TW201830282A
Authority
TW
Taiwan
Prior art keywords
access
file
environment
dangerous
secure
Application number
TW106141283A
Other languages
Chinese (zh)
Other versions
TWI659328B (en)
Inventor
川野克
井上浩二
斉藤眞一
Original Assignee
日商日立解決方案股份有限公司 (Hitachi Solutions, Ltd.)

Landscapes

  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The object of the present invention is to reduce the risk that an unauthorized file, such as malware, is accessed (executed). The solution is a computer system that has a safe environment, which is connected to a safe network and not to a dangerous network, and a dangerous environment, which is connected to the dangerous network and not to the safe network. The computer system accepts a file access from one of the environments and determines whether the issuing source of that file access is the safe environment or the dangerous environment. If the issuing source is the safe environment, the computer system adds the access path and the access type of that file access to a whitelist, which is a list of information on files that are permitted access targets.

Description

Computer system and file access control method

[0001] The present invention relates mainly to the control of file access.

[0002] With the spread of the Internet, it has become common for enterprises to build intranets that are connected to the Internet. However, the information obtainable from the Internet can include malicious programs (typically, programs with malicious intent). Such programs may perform actions that are harmful to the party that obtained them, such as destroying software on the information processing device that acquired the program or stealing information. How to enjoy the convenience of the Internet while excluding the threat of such malicious programs as far as possible has therefore become a major issue for enterprises. As a way of restricting program execution, the so-called whitelist type of control is well known (for example, Patent Document 1).

[Prior Art Documents]

[Patent Documents]

[0003] [Patent Document 1] Japanese Unexamined Patent Application Publication No. 2014-96142

[Problem to be Solved by the Invention]

[0004] With the approach disclosed in Patent Document 1, registering programs that satisfy a specific criterion in a whitelist can be expected to have a deterrent effect on the execution of malicious programs.

[0005] However, in the approach disclosed in Patent Document 1, when the criterion is not appropriate, there is a risk that a malicious program is registered in the whitelist and executed.

[0006] The object of the present invention is to reduce the risk that an unauthorized file, such as a malicious program, is accessed (executed).

[Means for Solving the Problem]

[0007] A computer system has a safe environment, which is an environment connected to a safe network and not connected to a dangerous network, and a dangerous environment, which is an environment connected to the dangerous network and not connected to the safe network. The computer system accepts a file access from one of the environments and determines whether the issuing source of that file access is the safe environment or the dangerous environment. When the issuing source is the safe environment, the computer system adds the access path and the access type of the file access from the safe environment to a whitelist, which is a list of information on files that are permitted access targets.

[0008] In the present invention, a "file" may also include a file that stores a program. Further, in the present invention, "access" may include, in addition to reference and update, the execution of a program in a file.

[Effect of the Invention]

[0009] According to the present invention, the risk that an unauthorized file, such as a malicious program, is registered in a whitelist can be reduced.

[0011] In the following description, an "interface unit" includes one or more interfaces. The one or more interfaces may be one or more interface devices of the same kind (for example, one or more NICs (Network Interface Cards)) or two or more interface devices of different kinds (for example, a NIC and an HBA (Host Bus Adapter)).

[0012] In the following description, a "memory unit" includes one or more memories. At least one memory may be volatile memory or non-volatile memory. The memory unit is used mainly during processing by the processor unit.

[0013] In the following description, a "processor unit" includes one or more processors. At least one processor is typically a microprocessor such as a CPU (Central Processing Unit). Each of the one or more processors may be single-core or multi-core. A processor may also include a hardware circuit that performs part or all of the processing.

[0014] In the following description, a processing unit (function) is sometimes described with the expression "kkk unit". A processing unit may be realized by the processor unit executing one or more computer programs, or by one or more hardware circuits (for example, an FPGA (Field-Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit)). When a processing unit is realized by the processor unit executing a program, the defined processing is performed while using the memory unit and/or the interface unit (for example, a communication port) as appropriate, so the processing unit may be regarded as at least part of the processor unit. Processing described with a processing unit as the subject may be regarded as processing performed by the processor unit or by a device that has the processor unit. The processor unit may also include a hardware circuit that performs part or all of the processing. A program may be installed into the processor from a program source. The program source may be, for example, a program distribution computer or a computer-readable recording medium (for example, a non-transitory recording medium). The description of each processing unit is only an example; a plurality of processing units may be integrated into one processing unit, and one processing unit may be divided into a plurality of processing units.

[0015] In the following description, a "computer system" includes one or more physical computers. At least one physical computer may run a virtual computer (for example, a VM (Virtual Machine)) or may run SDx (Software-Defined anything). As SDx, for example, SDS (Software Defined Storage) (an example of a virtual storage device) or SDDC (Software-defined Datacenter) may be adopted.

[0016] One embodiment of the present invention is described below.

[0017] FIG. 1 is a configuration diagram of an information processing device according to one embodiment of the present invention.

[0018] The information processing device 101 is an example of a computer system. The information processing device 101 has an I/F (interface) 161, a storage device 105 (for example, an auxiliary storage device such as an HDD (Hard Disk Drive) or an SSD (Solid State Drive)), a memory 106, and a processor 100 connected to these. The I/F 161 is an example of an interface unit. The storage device 105 and the memory 106 are examples of a memory unit. The processor 100 is an example of a processor unit. The I/F 161 is connected to an intranet 151 and to the Internet 152. The intranet 151 is an example of a network with relatively high trustworthiness, and the Internet 152 is an example of a network with relatively low trustworthiness.

[0019] The environment within the information processing device 101 is virtually divided into a plurality of environments. In this embodiment, the plurality of environments are a whitelist creation environment 204 and a business environment 205. The whitelist creation environment is an example of a safe environment. The business environment is an example of a dangerous environment. The whitelist creation environment 204 and the business environment 205 exist on the same OS (operating system) 104 and are configured so that the storage device 105 and the memory 106 can be shared between the environments 102 and 103. For example, on a Windows OS (Windows is a registered trademark), an environment in which user A logs in and can access only the safe intranet 151 can be configured as the whitelist creation environment 204, and an environment in which user B logs in and can access only the dangerous Internet 152 can be configured as the business environment 205.

[0020] In this embodiment, rules that restrict file access (a whitelist file 215 and a blacklist file 216) are created in the whitelist creation environment 204, and the processes executed in the business environment 205 are controlled according to those rules, so that file access as safe as in the whitelist creation environment 204 can be achieved even in the business environment 205.

[0021] This embodiment is described in detail below.

[0022] FIG. 2 is a configuration diagram showing the environments and functions of the information processing device 101.

[0023] In FIG. 2, the information processing device 101 can use the OS 104 in a virtually separated manner. The information processing device 101 has the whitelist creation environment 204, an example of a safe environment, and the business environment 205, an example of a dangerous environment.

[0024] A file system driver 203 is installed in the OS 104, and the OS 104 has a filter manager 210 for filtering the file I/O request packets 209 generated by the processes 206 and 207.

[0025] Within the OS 104 there is also an I/O detection function 211 that receives file I/O request packets 209 through the filter manager 210. The I/O detection function 211 is a function provided by the processor 100 executing a computer program; that program may be, for example, a program added in to the filter manager 210. The I/O detection function 211 has a process discovery function 212 that, based on a received file I/O request packet 209, identifies the environment in which the originating program was executed; an access control function 213 that performs access control according to the whitelist file 215 and the blacklist file 216 when the process discovery function 112 has determined that the process was executed in the business environment 205; and a whitelist setting function 214 that records information in the whitelist file 215 when the process discovery function 212 has determined that the process was executed in the whitelist creation environment 204. A setting tool 217 is also provided for recording, editing, or deleting, in the blacklist file 216, files whose execution, reference, or update is prohibited in the business environment 205. The setting tool 217 is, for example, installed in the OS 104, executed in the whitelist creation environment 204, and not executed in the business environment 205.

[0026] There are processes (for example, applications) such as Excel (registered trademark) or Internet Explorer (registered trademark). In FIG. 2, reference numeral 206 is attached to a process started in the whitelist creation environment 204, and reference numeral 207 to a process started in the business environment 205. That is, process 206 is, for example, a process started by a user from the whitelist creation environment 204 when the access rules of that process are to be recorded in the whitelist file 215. Process 207, on the other hand, is, for example, a process started by a user from the business environment 205 when that process is to be checked against the whitelist file 215 and the blacklist file 216. When either process 206 or process 207 performs I/O on a file, the OS 104 likewise generates a file I/O request packet 209 containing the content of the I/O and information on the process that is the I/O source, and delivers it through the filter manager 210 to the file system driver 203.

[0027] Before a process is executed, the I/O detection function 211 is registered with the filter manager 210. Thereby, when a file I/O request packet 209 reaches the filter manager 210, the OS 104 can deliver the file I/O request packet 209 to the I/O detection function 211.

[0028] The process discovery function 212 is called through the I/O detection function 211 registered in the filter manager 210. The process discovery function 212 determines, from the information contained in the file I/O request packet 209 (the process information of the I/O source), whether the execution source of the process is the whitelist creation environment 204 or the business environment 205. When the process discovery function 212 identifies the process that issued the I/O as a process 206 executed from the whitelist creation environment 204, it calls the whitelist setting function 214. When it identifies the issuing process as a process 207 executed from the business environment 205, it calls the access control function 213.

[0029] When the whitelist setting function 214 is called, it records in the whitelist file 215 the file name of the file accessed by the process 206. Thereby, the whitelist setting function 214 can record in the whitelist file 215 all files accessed by processes 206 started in the whitelist creation environment 204.

[0030] When the access control function 213 is called, it performs access control that permits or denies the file I/O request packet 209 according to the whitelist file 215 and the blacklist file 216. Thereby, the access control function 213 can apply the access control defined by the whitelist file 215 and the blacklist file 216 to files accessed by processes 207 started from the business environment 205. Further, since the access control function 213 refers to the whitelist file 215 and the blacklist file 216 but does not update those files 215 and 216, a process 107 started from the business environment 205 cannot update either the whitelist file 215 or the blacklist file 216. By this control, a process 207 executed from the business environment 205 can perform safe file access that follows the whitelist file 215 and the blacklist file 216 created in the whitelist creation environment 204 (that is, the safe environment).

[0031] FIG. 3 is a configuration diagram of the whitelist file 215.

[0032] The whitelist file 215 is a file that holds a whitelist. The whitelist file 215 is, for example, a table, and has an entry for each file that is a permitted access target. Each entry holds information such as a rule number 302 serving as a management number, an access path 303 representing the file that is the access target, and an access permission definition 304 representing the permitted access types.

[0033] The access path 303 is a file path (character string) including the file name. The access path 303 is specified per file, but may also be a directory. Values registered as the access permission definition 304 include, for example, "execute" (execution permitted), "reference" (update not permitted but reference permitted), and "reference, update" (both reference and update permitted). Here "execute" means the execution of a file that stores a program (that is, the execution of the program).

[0034] FIG. 4 is a configuration diagram of the blacklist file 216.

[0035] The blacklist file 216 is a file that holds a blacklist. The blacklist file 216 is, for example, a table, and has an entry for each file that is a prohibited access target. Each entry holds information such as a rule number 402 serving as a management number, an access path 403 representing the file or directory that is the access target, and an access prohibition definition 404 representing the prohibited access types.

[0036] The access path 403 is a file path including a file name or a directory path (character string) including a directory name. Values registered as the access prohibition definition 404 include, for example, "execute" (execution prohibited), "reference, update" (both reference and update prohibited), and "update" (reference not prohibited but update prohibited).

[0037] Several processes performed in this embodiment are described below.

[0038] FIG. 5 is a flowchart of the reception processing of a file I/O request packet 209.

[0039] The filter manager 210 receives a file I/O request packet 209 (a file access) (step 501) and sends the file I/O request packet 209 to the I/O detection function 211 (step 502).

[0040] FIG. 6 is a flowchart of the process discovery processing.

[0041] The process discovery function 212 is called by the I/O detection function 211 that received the file I/O request packet 209, and obtains from that file I/O request packet 209 the process information of the issuing process (the process that is the I/O source) (step 602).

[0042] Next, based on the process information obtained in step 602, the process discovery function 212 determines whether the issuing process is a process 206 (a process started in the whitelist creation environment 204) or a process 207 (a process started in the business environment 205) (step 603).

[0043] When the result of step 603 is that the issuing process is a process 206, the process discovery function 212 calls the whitelist setting function 214 (step 606).

[0044] When the result of step 603 is that the issuing process is a process 207, it calls the access control function 213 (step 607).

[0045] FIG. 7 is a flowchart of the whitelist setting processing.

[0046] The called whitelist setting function 214 obtains the access request from the file I/O request packet 209 received by the I/O detection function 211 (step 702).

[0047] Next, the whitelist setting function 214 determines whether the access request obtained in step 702 is an execution request (step 703).

[0048] When the result of step 703 is that the access request is an execution request, the whitelist setting function 214 records in the memory 106 that the value to be used as the access permission definition 304 is "execute" and "reference" (step 706).

[0049] When the result of step 703 is that the access request is not an execution request, the whitelist setting function 214 determines whether the access request is an update request (step 705).

[0050] When the result of step 705 is that the access request is an update request, the whitelist setting function 214 records in the memory 106 that the value to be used as the access permission definition 304 is "update, reference" (step 708).

[0051] When the result of step 705 is that the access request is not an update request, the whitelist setting function 214 records in the memory 106 that the value to be used as the access permission definition 304 is "reference" (step 709).

[0052] As a result of step 706, 708, or 709, the value to be recorded in the whitelist file 215 as the access permission definition 304 for the access request of the file I/O request packet 209 is held in the memory 106.

[0053] Next, the whitelist setting function 214 obtains the access path from the file I/O request packet 209 and determines whether the obtained access path matches the access path 303 of any entry in the whitelist file 215 (step 710).

[0054] When the result of step 710 is that no matching access path 303 exists, the whitelist setting function 214 adds to the whitelist file 215 an access path 303 representing the obtained access path and the corresponding access permission definition 304 (the value recorded in the memory 106 in step 706, 708, or 709).

[0055] When the result of step 710 is that a matching access path 303 exists, the whitelist setting function 214 adds the value recorded in the memory 106 in step 706, 708, or 709 to the access permission definition 304 corresponding to that access path 303. For example, when the access permission definition 304 holds "reference" and the added value is "update", the value of the access permission definition 304 is changed from "reference" to "reference, update".

[0056] FIG. 8 is a flowchart of the access control processing.

[0057] The called access control function 213 obtains the access path from the file I/O request packet 209 received by the I/O detection function 211 and determines whether the obtained access path matches the access path 303 of any entry in the whitelist file 215 (step 801).

[0058] When the result of step 801 is that no matching access path 303 exists, the access control function 213 denies the access (file I/O) requested by the file I/O request packet 209 (step 809).

[0059] When the result of step 801 is that a matching access path 303 exists, the access control function 213 determines whether the access type of the access request in the file I/O request packet 209 conforms to the access permission definition 304 corresponding to that matching access path 303 (step 803).

[0060] When the result of step 803 is that it does not conform, the access control function 213 executes step 809.

[0061] When the result of step 803 is that it conforms, the access control function 213 determines whether the access path obtained from the file I/O request packet 209 matches the access path 403 of any entry in the blacklist file 216 (step 805).

[0062] When the result of step 805 is that no matching access path 403 exists, the access control function 213 permits the access (file I/O) of the access type requested by the file I/O request packet 209 (step 810). That is, the access control function 213 delivers the file I/O request packet 209 received by the I/O detection function 211 to the file system driver 203.

[0063] When the result of step 805 is that a matching access path 403 exists, the access control function 213 determines whether the access type of the access request in the file I/O request packet 209 conforms to the access prohibition definition 404 corresponding to that matching access path 403 (step 807).

[0064] When the result of step 807 is that it does not conform, the access control function 213 executes step 810.

[0065] When the result of step 807 is that it conforms, the access control function 213 executes step 809.

[0066] According to this embodiment, the whitelist file 215 can be set by a process 206 started from the whitelist creation environment 204 existing within the information processing device 101, and access control following the whitelist file 215 and the blacklist file 216 can be applied to file I/O request packets 209 from the business environment 205 existing within the same device 101.

[0067] This embodiment is summarized below.

[0068] In this embodiment, an "environment" means a program execution environment in which programs (processes) on the OS 104, such as a web browser, a document creation application, or a spreadsheet application, are executed.

[0069] A "safe environment" means an environment defined as safe. In this embodiment, a "safe environment" is an environment connected to a safe network and not connected to a dangerous network. An example of a safe network is a private network such as the intranet 151. A dangerous network is a network with lower trustworthiness than the safe network. An example of a dangerous network is a public network such as the Internet 152.

[0070] A "dangerous environment" means an environment defined as dangerous; in other words, an environment with lower trustworthiness than the safe environment. In this embodiment, a "dangerous environment" is an environment connected to a dangerous network and not connected to a safe network.

[0071] For example, an environment capable of communicating via the intranet 151 (a safe environment) may be an environment that already exists in the information processing device 101. Connecting such an environment to the Internet 152 carries risks such as the inflow of malicious programs. The safe environment is connected to the intranet 151 and not to the Internet 152, so for the safe environment it is desirable to exclude attacks by malicious programs as far as possible. Therefore, in this embodiment, an environment that can connect to the Internet 152 is added to the information processing device 101, and the I/O detection function 211 (the process discovery function 212, the access control function 213, and the whitelist setting function 214) is added to the information processing device 101. The added environment is defined as the dangerous environment, and file access (including program execution) from the dangerous environment is controlled by the access control function 213. The dangerous environment may be the environment used mainly as the business environment 205, and the safe environment may be the environment used as the whitelist creation environment 204 for updating the whitelist file 215.

[0072] In the safe environment, the path names of files that are permitted access targets are registered in the whitelist file 215 in association with the permitted access types (for example, reference only, or both reference and update), and the path names of files that are prohibited access targets are registered in the blacklist file 216 in association with the prohibited access types (for example, update only, or both reference and update).

[0073] Specifically, when a file access from the safe environment occurs, the whitelist setting function 214 adds the path name of the accessed file and its access type to the whitelist file 215. That is, the whitelist file 215 is updated automatically as appropriate in response to file accesses from the safe environment. In other words, when a process executed in the dangerous environment has been infected by a malicious program, it is difficult to judge whether a file access from that process is legitimate; but since processes executed in the safe environment are safe, accesses from such processes are regarded as safe, and the whitelist file 215 is updated automatically.

[0074] The blacklist file 216, on the other hand, is updated automatically by the setting tool 217 executed in the safe environment, or updated manually by a user. For example, when access is to be prohibited for some of the files within a directory for which access is permitted in the whitelist file 215, the path names of those files and the prohibited access types can be added to the blacklist file 216 by the setting tool 217.

[0075] The whitelist file 215 and the blacklist file 216 are both stored in a memory resource accessible from both the safe environment and the dangerous environment (a memory resource shared by the safe environment and the dangerous environment).

[0076] File access from the dangerous environment is controlled by the access control function 213 using both the whitelist file 215 and the blacklist file 216. Specifically, the following access control is performed.

(1) When the access path and access type of the file access match an access path 303 and access permission definition 304 registered in the whitelist file 215, and do not match an access path 403 and access prohibition definition 404 registered in the blacklist file 216, the file access is permitted.

(2) When the access path and access type of the file access match an access path 303 and access permission definition 304 registered in the whitelist file 215, but also match an access path 403 and access prohibition definition 404 registered in the blacklist file 216, the file access is denied.

(3) When the access path and access type of the file access do not match an access path 303 and access permission definition 304 registered in the whitelist file 215, the file access is denied regardless of whether the access path and access type also match an access path 403 and access prohibition definition 404 registered in the blacklist file 216.

[0077] According to this embodiment, the dangerous environment and the safe environment coexist in the information processing device 101, and the whitelist file 215 is updated automatically in response to file accesses (including program execution) in the safe environment. Since file access in the safe environment is safe access, unauthorized files can be prevented from being registered in the whitelist file 215. Further, compared with creating the whitelist file on a completely separate information processing device, this reduces the effort required and improves accuracy.

[0078] Further, according to this embodiment, file access is restricted using the blacklist file 216. Specifically, updates (writes) from the dangerous environment and references (reads) by the dangerous environment can be prohibited. Therefore, the risk that malicious files flow in from the dangerous environment, and the risk that in-house information written from the safe environment leaks to the outside, can be reduced.

[0079] One embodiment of the present invention has been described above, but this is merely an example for explaining the present invention, and the scope of the present invention is not limited to this embodiment. The present invention can be implemented in various other forms. For example, the whitelist and the blacklist may be logically separate lists within the same file, instead of separate lists existing in different files.
In the present embodiment, the "safe environment" is an environment that is connected to a secure network and is not connected to a dangerous network. An example of a secure network is a private network like the intranet 151. A dangerous network is a network with low reliability compared to a secure network. One example of a dangerous network is a public network like the Internet 152. [0070] The term "dangerous environment" refers to an environment that is defined as a dangerous environment, in other words, an environment in which the reliability is low compared to a safe environment. In the present embodiment, the "dangerous environment" is an environment that is connected to a dangerous network and is not connected to a secure network. [0071] For example, an environment (secure environment) capable of communication via the intranet 151 may be an environment existing in the information processing apparatus 101. Connecting to the Internet 152 in such an environment is likely to be a general risk of causing the influx of malicious programs. The secure environment is not connected to the Internet 152 because it is connected to the intranet 151. Therefore, for a secure environment, it is desirable to be able to exclude malicious programs as much as possible. Therefore, in the present embodiment, an environment that can be connected to the Internet 152 is added to the information processing device 101, and an I/O detection function 211 is added to the information processing device 101 (processing program search function) 212. Access control function 213 and whitelist setting function 214). The environment in which the addition is made is defined as a dangerous environment, and file access (including program execution) from a dangerous environment is controlled by the access control function 213. 
The dangerous environment may be an environment that is mainly used as the business environment 205, and a safe environment may be an environment that is used as a whitelist creation environment 204 for updating the whitelist file 215. [0072] In a secure environment, the path name of the file for accessing the license object is in the whitelist file 215, and is associated with the permitted access type (eg, only the license reference, the license reference, and the update). The path name of the file for accessing the prohibited object is registered in addition to each other, and is in the blacklist file 216, and is prohibited from being accessed (for example, only the update, the prohibition of reference, and the update are prohibited). Logging in with mutual relevance, [0073] Specifically, when a file access from a secure environment is performed, at the whitelist setting function 214, access is made to The path name of the file and the access type thereof are added to the whitelist file 215. That is, the whitelist file 215 is automatically updated as appropriate in response to file access from a secure environment. That is to say, when the processing program executed in a dangerous environment is infected by a malicious program, it is difficult to judge whether the file access from the processing program is justified, but because it is in a safe environment. The executed handler is secure, so access from such a handler is considered safe and the whitelist file 215 is automatically updated. [0074] On the other hand, the blacklist file 216 is automatically updated by the setting tool 217 that is executed in a secure environment, or manually updated by the user. For example, when it is desired to prohibit access to a file in a part of a directory in which the access is permitted in the whitelist file 215, the path name and the access prohibition type of the file may be borrowed. It is added to the blacklist file 216 by the setting tool 217. 
[0075] The whitelist file 215 and the blacklist file 216 are both stored in a memory resource that can be accessed from both a secure environment and a dangerous environment (a memory resource shared by a secure environment and a dangerous environment). )in. [0076] File access from a dangerous environment is controlled by the access control function 213 using both the whitelist file 215 and the blacklist file 216. Specifically, the following access control is performed. (1) The access path and the access type that follow the file access are consistent with the access path 303 and the access permission definition 304 registered in the whitelist file 215, and are not registered with When the access path 403 and the access prohibition definition 404 in the blacklist file 216 match, the file access system is permitted. (1) The access path and the access type according to the file access are matched with the access path 303 and the access permission definition 304 registered in the whitelist file 215, but are also registered with When the access path 403 and the access prohibition definition 404 in the blacklist file 216 match, the file access system is disabled. (1) When the access path and the access type of the file access are followed, the access path 303 and the access permission definition 304 registered in the whitelist file 215 are not matched, regardless of the access path. And whether the access type is also consistent with the access path 403 and the access prohibition definition 404 registered in the blacklist file 216, the file access is prohibited. According to the present embodiment, in the information processing apparatus 101, a dangerous environment and a safe environment coexist, and in accordance with file access (including program execution) in a secure environment, the whitelist file 215 is Self-action update. 
Since the file access in a secure environment is secure access, it is possible to prevent the improper file from being registered in the whitelist file 215. Moreover, it is possible to reduce the number of procedures and improve the accuracy by creating a whitelist file by using other information processing devices that are completely independent. Further, according to the present embodiment, the blacklist file 216 is used, and the file access system is restricted. Specifically, it is prohibited to update (write) from a dangerous environment or to refer to (read) from a dangerous environment. Therefore, it is possible to reduce the risk of having a malicious file from a dangerous environment or the risk of external information flowing out of the company written by a safe environment. The above is a description of one embodiment of the present invention. However, the present invention is only intended to be illustrative of the present invention, and the scope of the present invention is not limited to the embodiment. The present invention can also be implemented in other various forms. For example, whitelists and blacklists can also be used as a list of logical differences in the same file instead of being in a different list of different files.
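The processing program search, whitelist setting and access control decisions described above, modelled as an added Python example that is not part of the patent (the patent describes a file system filter driver; here the decisions run over in-memory dictionaries with constructed sample paths, and the class, function and field names are assumptions):

```python
from dataclasses import dataclass, field
from enum import Enum


class Env(Enum):
    """Issuing environment of a file I/O request, as decided in step 603."""
    SECURE = "whitelist creation environment 204"
    DANGEROUS = "business environment 205"


@dataclass(frozen=True)
class FileIoRequest:
    """Stand-in for a file I/O request packet 209 (field names assumed)."""
    env: Env      # environment of the processing program that issued the I/O
    path: str     # access path
    access: str   # access type: "execution", "update" (write) or "reference" (read)


# Value recorded as access permission definition 304 per request type
# (steps 706 / 708); the fallback of step 709 is assumed to mean reference.
PERMISSION_FOR_REQUEST = {
    "execution": frozenset({"execution", "reference"}),
    "update": frozenset({"update", "reference"}),
}
PERMISSION_FALLBACK = frozenset({"reference"})


@dataclass
class FileAccessController:
    """Models functions 212/213/214 over in-memory lists:
    whitelist maps access path 303 -> permitted types (definition 304),
    blacklist maps access path 403 -> prohibited types (definition 404)."""
    whitelist: dict = field(default_factory=dict)
    blacklist: dict = field(default_factory=dict)

    def handle(self, req: FileIoRequest) -> bool:
        """Processing program search (FIG. 6): route by issuing environment.
        Returns True when the I/O may be passed to the file system driver."""
        if req.env is Env.SECURE:
            self.whitelist_setting(req)   # step 606
            return True                   # secure-side I/O passes through (assumed)
        return self.access_control(req)   # step 607

    def whitelist_setting(self, req: FileIoRequest) -> None:
        """Whitelist setting (FIG. 7): add a new path, or merge into an existing
        entry (step 710), e.g. {"reference"} + update -> {"reference", "update"}."""
        value = PERMISSION_FOR_REQUEST.get(req.access, PERMISSION_FALLBACK)
        self.whitelist[req.path] = self.whitelist.get(req.path, frozenset()) | value

    def access_control(self, req: FileIoRequest) -> bool:
        """Access control (FIG. 8): whitelist must match, blacklist must not."""
        permitted = self.whitelist.get(req.path)
        if permitted is None or req.access not in permitted:
            return False                  # step 801/803 fails -> step 809 (prohibit)
        prohibited = self.blacklist.get(req.path)
        if prohibited is not None and req.access in prohibited:
            return False                  # step 805/807 matches -> step 809 (prohibit)
        return True                       # step 810 (permit)


def run_scenario() -> list:
    """Constructed scenario covering the three access control cases of [0076]."""
    ctl = FileAccessController()
    doc = r"C:\work\report.docx"          # constructed sample path
    tool = r"C:\tools\unknown.exe"        # constructed sample path
    # The secure environment reads, then updates, the document: its whitelist
    # entry grows from {"reference"} to {"reference", "update"}.
    ctl.handle(FileIoRequest(Env.SECURE, doc, "reference"))
    ctl.handle(FileIoRequest(Env.SECURE, doc, "update"))
    # Setting tool 217, run from the secure side, forbids dangerous-side writes.
    ctl.blacklist[doc] = frozenset({"update"})
    return [
        ctl.handle(FileIoRequest(Env.DANGEROUS, doc, "reference")),   # whitelisted, not blacklisted: permitted
        ctl.handle(FileIoRequest(Env.DANGEROUS, doc, "update")),      # whitelisted but blacklisted: prohibited
        ctl.handle(FileIoRequest(Env.DANGEROUS, doc, "execution")),   # type not in definition 304: prohibited
        ctl.handle(FileIoRequest(Env.DANGEROUS, tool, "execution")),  # path not whitelisted: prohibited
    ]
```

Paths are compared exactly, as the text's "coincide" implies; a real filter would first normalise case and canonicalise the path so that an alternate spelling of a blacklisted path cannot slip past the check.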

[0080]

101‧‧‧Information processing device
104‧‧‧Operating system
204‧‧‧Whitelist creation environment
205‧‧‧Business environment
210‧‧‧Filter manager
211‧‧‧I/O detection function
212‧‧‧Processing program search function
213‧‧‧Access control function
214‧‧‧Whitelist setting function
215‧‧‧Whitelist file
216‧‧‧Blacklist file
217‧‧‧Setting tool

[0010]
[Fig. 1] is a configuration diagram of an information processing device according to one embodiment of the present invention.
[Fig. 2] is a configuration diagram showing the environments and functions provided in the information processing device according to one embodiment of the present invention.
[Fig. 3] is a configuration diagram of a whitelist file according to one embodiment of the present invention.
[Fig. 4] is a configuration diagram of a blacklist file according to one embodiment of the present invention.
[Fig. 5] is a flowchart of the reception process for a file I/O request packet.
[Fig. 6] is a flowchart of the processing program search process.
[Fig. 7] is a flowchart of the whitelist setting process.
[Fig. 8] is a flowchart of the access control process.

Claims (6)

1. A computer program that causes a computer system, which has a secure environment being an environment connected to a secure network and not connected to a dangerous network, and a dangerous environment being an environment connected to the dangerous network and not connected to the secure network, to execute the following steps: accepting file access from one of the environments; determining whether the issuing source of the file access is the secure environment or the dangerous environment; and, when the issuing source is the secure environment, adding the access path and access type of a first access, which is the file access from the secure environment, to a whitelist, which is a list of information on files that are access-permitted objects.

2. The computer program according to claim 1, wherein, when the issuing source is the dangerous environment, the computer system is further caused to execute the following steps: (A1) determining whether the access path and access type of a second access, which is the file access from the dangerous environment, are registered in the whitelist; and (B) when the result of the determination in (A1) is false, prohibiting the second access.

3. The computer program according to claim 2, wherein, when the issuing source is the dangerous environment, the computer system is further caused to execute the following steps: (A2) when the result of the determination in (A1) is true, determining whether the access path and access type of the second access are registered in a blacklist, which is a list of information on files that are access-prohibited objects and in which access paths and access types are registered; when the result of the determination in (A2) is true, executing (B); and when the result of the determination in (A2) is false, permitting the second access.

4. The computer program according to claim 3, wherein the whitelist is updated when the issuing source is the secure environment, and neither the whitelist nor the blacklist is updated when the issuing source is the dangerous environment.

5. A file access control method, in a computer system that has a secure environment being an environment connected to a secure network and not connected to a dangerous network, and a dangerous environment being an environment connected to the dangerous network and not connected to the secure network, comprising: accepting file access from one of the environments; determining whether the issuing source of the file access is the secure environment or the dangerous environment; and, when the issuing source is the secure environment, adding the access path and access type of a first access, which is the file access from the secure environment, to a whitelist, which is a list of information on files that are access-permitted objects.

6. A computer system comprising: a secure environment, which is an environment connected to a secure network and not connected to a dangerous network; a dangerous environment, which is an environment connected to the dangerous network and not connected to the secure network; means for accepting file access from one of the environments; means for determining whether the issuing source of the file access is the secure environment or the dangerous environment; and means for, when the issuing source is the secure environment, adding the access path and access type of a first access, which is the file access from the secure environment, to a whitelist, which is a list of information on files that are access-permitted objects.
TW106141283A 2017-02-03 2017-11-28 Computer system and file access control method TWI659328B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2017-018275 2017-02-03
JP2017018275A JP2018124893A (en) 2017-02-03 2017-02-03 Computer system and file access control method

Publications (2)

Publication Number Publication Date
TW201830282A true TW201830282A (en) 2018-08-16
TWI659328B TWI659328B (en) 2019-05-11

Family

ID=63111472

Family Applications (1)

Application Number Title Priority Date Filing Date
TW106141283A TWI659328B (en) 2017-02-03 2017-11-28 Computer system and file access control method

Country Status (2)

Country Link
JP (1) JP2018124893A (en)
TW (1) TWI659328B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI730415B (en) * 2019-09-18 2021-06-11 財團法人工業技術研究院 Detection system, detection method, and an update verification method performed by using the detection method

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11188622B2 (en) * 2018-09-28 2021-11-30 Daniel Chien Systems and methods for computer security
JP7321795B2 (en) * 2019-06-27 2023-08-07 キヤノン株式会社 Information processing device, information processing method and program
US11677754B2 (en) 2019-12-09 2023-06-13 Daniel Chien Access control systems and methods
US12445453B2 (en) 2019-12-09 2025-10-14 Daniel Chien Access control systems and methods
CN113114611B (en) * 2020-01-13 2024-02-06 北京沃东天骏信息技术有限公司 Blacklist management method and device
US11509463B2 (en) 2020-05-31 2022-11-22 Daniel Chien Timestamp-based shared key generation

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130333039A1 (en) * 2012-06-07 2013-12-12 Mcafee, Inc. Evaluating Whether to Block or Allow Installation of a Software Application
TW201502845A (en) * 2013-07-15 2015-01-16 Isgoodidea Website antivirus information security system
CN104243214B (en) * 2014-09-28 2019-11-26 奇安信科技集团股份有限公司 Method, device and system for data processing
CN105631312B (en) * 2015-12-25 2018-09-07 北京奇虎科技有限公司 The processing method and system of rogue program

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI730415B (en) * 2019-09-18 2021-06-11 財團法人工業技術研究院 Detection system, detection method, and an update verification method performed by using the detection method
US12086249B2 (en) 2019-09-18 2024-09-10 Industrial Technology Research Institute Detection system, detection method, and an update verification method performed by using the detection method

Also Published As

Publication number Publication date
JP2018124893A (en) 2018-08-09
TWI659328B (en) 2019-05-11

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees