JP2012078953A - Falsification detection device and falsification detection method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a falsification detection device and a falsification detection method allowing a reduction in the time required for starting a program.SOLUTION: A provided falsification detection device comprises: hash value storage means 507 for storing block program identification information and a comparison hash value that is obtained by applying a predetermined hash function to a block program, in association with each other; selection means 502 for selecting, when a target program is started by a compound machine 100, specific block program identification information 702 stored in the hash value storage means 507 in parallel with the start of the target program; hash value calculation means 508 for calculating a corresponding hash value by applying the hash function to a block program corresponding to the selected specific block program identification information 702; and detection means 510 for comparing the corresponding hash value and the comparison hash value and detecting falsification of the target program when both of them do not match.

Description

  The present invention relates to a falsification detection device and a falsification detection method, and more particularly to a falsification detection device and a falsification detection method that can reduce the time required for starting a program.

  In recent years, image forming apparatuses such as copiers and multifunction machines that have realized functions as a copy, a printer, a scanner, and a facsimile machine in a single device have come to be marketed. The image forming apparatus includes hardware such as an imaging unit, a printing unit, and a communication unit, and four types of software corresponding to a copy, a printer, a scanner, and a facsimile. When the software is appropriately switched according to a user request or instruction, the image forming apparatus functions as a copy, a printer, a scanner, or a facsimile.

  In order for the image forming apparatus to function for each function, various programs (firmware and other software) such as applications and platforms are required. The program is stored in advance in the storage medium of the image forming apparatus, or is updated to a new program when a new version of the program is developed.

  However, since the above-described program is always stored in the storage medium of the image forming apparatus, a malicious user can access the storage medium in anticipation of an unpopular period and tamper (modify) the program. Garbled characters, etc.). In the updatable program, since the image forming apparatus sends and receives a new program via a general-purpose memory card or network, the program may be falsified as described above during the transfer.

  In order to solve such a problem, Japanese Patent Application Laid-Open No. 2004-299389 (Patent Document 1) discloses a storage medium storing a program for causing the image forming apparatus to function, and the program stored in the storage medium. An image forming apparatus including an update storage medium setting unit for setting an update storage medium in which a program for updating the program is stored is disclosed. The image forming apparatus obtains the program stored in the storage medium from the update storage medium on condition that the electronic signature related to the program obtained from the update storage medium is valid. The program update means for updating is provided. With this configuration, when the program that causes the image forming apparatus to function is updated to a new program, the reliability of the new program can be improved.

  Japanese Patent Laid-Open No. 2004-334392 (Patent Document 2) reads from a recording medium to be read a recording information including a predetermined program and summary encryption information obtained by summarizing and encrypting the predetermined program. Means, and when the first summary information obtained by decrypting the summary encryption information matches the second summary information obtained by newly summarizing the predetermined program, the predetermined program is executed. In addition, there is disclosed a recording medium reading device including a control unit that controls not to execute the predetermined program when they do not match. According to this configuration, it is possible to provide a recording medium reading device having an excellent effect of preventing unauthorized use of the recording medium.

  Japanese Patent Application Laid-Open No. 2008-112443 (Patent Document 3) is an electronic device that performs a hash calculation based on a memory and authenticated memory contents to generate a valid hash value. An electronic device is disclosed that includes a microprocessor that periodically performs a hash calculation on content to generate a check hash value. The microprocessor further authenticates the valid hash value, compares the check hash value with the authenticated valid hash value to detect unauthorized access to the memory, and the check hash value is authenticated. If it does not match the valid hash value, the electronic device is stopped to prevent unauthorized memory access. According to this configuration, it is possible to confirm that the contents of the electronic memory in the electronic device are not tampered (tampered).

JP 2004-299389 A JP 2004-334392 A JP 2008-112443 A

  However, in each of the techniques described in Patent Documents 1-3, a predetermined hash function is applied to the entire program that is subject to alteration detection, and the alteration detection of the program is performed based on the hash value obtained by the application. Is running. Here, when a predetermined hash function is applied to the whole program, if the size of the whole program is enormous, the calculation load (calculation load) of the hash value of the CPU increases, and the calculation speed (calculation speed) Calculation efficiency (calculation efficiency) decreases. As a result, there is a problem that the time required to calculate the hash value (hash value calculation time) is prolonged (for example, several minutes to several tens of minutes).

  When detecting the alteration of the program, it is usually executed when the program is started. Therefore, if the calculation time of the hash value is prolonged as described above, the time required to start the program, that is, the program The time (program activation time) from the start of activation to detection of program falsification, program (data) reading, and program execution is also prolonged. As a result, the technique described in Patent Documents 1-3 described above has a problem that the startup time of the program is prolonged.

  On the other hand, when the program is falsified, the subsequent program of the falsified data in the entire program (binary data which is the substance of the program) is changed to data completely different from the subsequent program before the falsification. That is, even if the hash function is not applied to the entire program, if the hash function is applied to a part of the program changed by the alteration, the alteration of the program can be detected. If such a situation is appropriately used, the calculation time of the hash value described above may be shortened.

  Therefore, the present invention has been made to solve the above-described problem, and an object thereof is to provide a falsification detection device and a falsification detection method capable of reducing the time required for starting a program.

  In order to solve the above-described problems and achieve the object, the falsification detection device according to the present invention is a falsification detection device that detects whether or not the program of the device has been falsified. In the falsification detection device, the entire program Hash value storage means for storing the block program identification information of the block program obtained by dividing the block program into a predetermined number of blocks and the comparison hash value obtained by applying a predetermined hash function to the block program in association with each other; When the apparatus activates the program, it comprises selection means for selecting specific block program identification information stored in the hash value storage means in parallel with the activation of the program. Further, the falsification detection device includes a hash value calculation unit that calculates a corresponding hash value by applying the hash function to a block program corresponding to the selected specific block program identification information, the corresponding hash value, and the comparison hash Detecting means for determining the presence or absence of tampering by comparing the values.

  With this configuration, the alteration of the program is detected in parallel with the activation of the program of the apparatus. Therefore, the time required for detecting the alteration of the program, for example, the calculation time of the hash value, is deleted from the startup time of the program, and the entire startup time of the program can be greatly shortened. In addition, the alteration detection of the program that is performed in parallel with the start of the program is not calculated by calculating the corresponding hash value from the entire program but by calculating the corresponding hash value from the block program that is a part of the entire program. The Therefore, the calculation load (calculation load) of the hash value is reduced, the calculation speed (calculation speed) and the calculation efficiency (calculation efficiency) are improved, the calculation time of the hash value is shortened, and the response speed of detecting the alteration of the program It is possible to speed up the process.

  In addition, when the device starts the program, the selection unit sets a predetermined setting until all block program identification information stored in the hash value storage unit is selected during execution of the program. It is possible to continue to select block program identification information different from the already selected block program identification information every time.

  Further, when selecting the specific block program identification information, the selection means prioritizes the block program identification information of the block program including data from half to the end of the entire program over other block program identification information. Can be selected.

  Further, when the detection unit detects the alteration of the program, the block program identification information corresponding to the mismatch hash value is temporarily stored in the priority selection storage unit, and when the altered program is restored, A function stop unit for erasing the stored block program identification information from the priority selection storage unit; and the selection unit is configured to store the block program identification information when the block program identification information is temporarily stored in the priority selection storage unit. It can be configured to select the identification information with priority.

  In addition, the function stopping means stops the operation of the apparatus and displays an error screen on the operation unit provided in the apparatus, and analyzes the falsification of the block program of the block program identification information corresponding to the mismatched comparison hash value Processing stored in storage means, access log to the program or communication log from the network to the program stored in the falsification analysis storage means, access to user information storage means storing user information or network It is possible to configure to execute at least one of the processes for prohibiting access.

  The hash value storage means stores a hash value obtained by applying the hash function to the program after adding predetermined additional information to the block program as a comparison hash value, and the hash value calculation means The corresponding hash value can be calculated by applying the hash function to the program after the additional information is added to the block program.

  In addition, the present invention can provide an image forming apparatus including the falsification detection device.

  In addition, the present invention can be provided as a tampering detection method for detecting whether or not the device program has been tampered with. That is, in the tampering detection method, when the apparatus starts the program, in parallel with the start of the program, block program identification information of a block program obtained by dividing the entire program into a predetermined number of blocks, A reference step for referring to a hash value storage means for storing a comparison hash value obtained by applying a predetermined hash function to the block program, and specific block program identification information stored in the hash value storage means; A selection step of selecting. Further, the falsification detection method includes a hash value calculation step of calculating a corresponding hash value by applying the hash function to a block program corresponding to the selected specific block program identification information, and the corresponding hash value and the comparison hash And a detection step of determining whether the program has been tampered with by comparing the value. Even with this configuration, the same effect as described above can be obtained.

  According to the falsification detection device and the falsification detection method of the present invention, it is possible to reduce the time required for starting the program.

1 is a conceptual diagram illustrating an overall configuration inside a multifunction peripheral according to the present invention. It is an enlarged view of the image reading part which concerns on this invention. It is a conceptual diagram which shows the whole structure of the operation part which concerns on this invention. It is a figure which shows the structure of the control system hardware of the multifunctional device and tampering detection part which concern on this invention. 2 is a functional block diagram of a multifunction peripheral and an operation unit in the embodiment of the present invention. FIG. It is a flowchart for showing the execution procedure of the embodiment of the present invention. FIG. 7A shows an example of an initial screen displayed on the touch panel according to the embodiment of the present invention (FIG. 7A), and FIG. 7B shows an example of a hash value table according to the embodiment of the present invention (FIG. 7B). ). FIG. 8A shows an example of a block program according to the embodiment of the present invention (FIG. 8A), FIG. 8B shows an example of a program before falsification according to the embodiment of the present invention, and a program after falsification (FIG. 8). (B)). FIG. 9B is a diagram showing an example of a priority selection table according to the embodiment of the present invention (9A), and FIG.

  Hereinafter, an embodiment of an image forming apparatus provided with a tampering detection apparatus according to the present invention will be described with reference to the accompanying drawings for understanding of the present invention. In addition, the following embodiment is an example which actualized this invention, Comprising: The thing of the character which limits the technical scope of this invention is not. In addition, the alphabet “S” added in front of the numbers in the flowcharts means steps.

<Image forming apparatus and falsification detection apparatus>
Hereinafter, an image forming apparatus (for example, a multi-function peripheral) including a tamper detection apparatus (for example, a tamper detection unit) according to the present invention will be described.

  FIG. 1 is a conceptual diagram showing an overall internal configuration of a multifunction machine according to the present invention. However, details of each part not directly related to the present invention are omitted.

  The multifunction peripheral 100 of the present invention corresponds to, for example, a printer, a single scanner, or a multifunction peripheral including a printer, a copy, a scanner, a fax machine, and the like. As an example, the operation of the multifunction device 100 when providing a document copy function using the multifunction device will be briefly described.

  When the user prints, for example, an original P using the multifunction device 100, when the power of the multifunction device 100 is turned on, a control unit (not shown) of the multifunction device 100 is stored in a storage unit (not shown). Start a program related to image formation. When the control unit starts the program, in parallel with the start (execution) of the program, a tampering detection unit (not shown) incorporated in (connected to) the multifunction device 100 detects whether the program has been tampered with. Perform detection.

  The control unit causes each of the following units (drive units) to transition (transfer) to a normal state in which image formation can be performed, or cause the operation unit 103 to display a screen (initial screen) related to image formation. When the falsification detection unit detects falsification of the program, the control unit receives all the falsification results from the falsification detection unit, stops all the functions related to image formation, and closes the document table 101. An error screen is displayed on the operation unit 103 provided for the above.

  On the other hand, when the tampering detection unit does not detect the tampering of the program, the control unit starts the program and then receives the user's instruction (for example, pressing of a power-off key, etc.) to execute the program Until the program is stopped, detection of falsification of the program is repeatedly executed at predetermined time intervals.

  Now, while viewing the initial screen, the user places the original P on the original table 101 or the mounting table 102 shown in FIG. 1, inputs the copy conditions via the initial screen, and instructs printing. The configuration of the operation unit 103 will be described later. When there is an instruction for printing, the drive unit operates to perform printing.

  That is, as shown in FIG. 1, the multifunction peripheral 100 of the present invention includes a main body 104 and a platen cover 105 attached above the main body 104. A document table 101 is provided on the upper surface of the main body 104, and the document table 101 is opened and closed by a platen cover 105. The platen cover 105 is provided with an automatic document feeder 106, a placement table 102, and a sheet discharge table 107.

  The automatic document feeder 106 includes a document conveyance path 108 formed in the platen cover 105, a pickup roller 109 and conveyance rollers 110A and 110B provided in the platen cover 105, and the like. The document conveyance path 108 is a document conveyance path that leads from the mounting table 102 to the paper discharge table 107 via a reading position X where reading is performed by the image reading unit 111 provided in the main body 104.

  The automatic document feeder 106 pulls out documents one by one from a plurality of documents placed on the table 102 to the inside of the conveyance path 108 by a pickup roller 109, and passes the document drawn by the conveyance rollers etc. through the reading position X. Then, the paper is discharged onto the paper discharge tray 107 by the transport roller 110B. When the document passes through the reading position X, the document is read by the image reading unit 111.

  The image reading unit 111 is provided below the document table 101, and its details are shown in FIG. The image reading unit 111 includes a first light source 112 that illuminates the document table 101 in the scanning direction, a slit 113 that selectively allows light from the document table, and a mirror 114 that guides light from the document table. The movable carriage 115, the second movable carriage 117 including mirrors 116A and 116B that reflect the reflected light from the first movable carriage 115 again, and the lens group 118 that optically corrects the light guided by the mirror, An image sensor 119 that receives light corrected by the lens group 118, and an image data generator 120 that converts the light received by the image sensor 119 into an electrical signal and performs correction processing, image quality processing, compression processing, and the like as necessary. It consists of and.

  When reading a document on the automatic document feeder 106, the light source 112 moves to a position where the reading position X can be irradiated and emits light. Light from the light source 112 is reflected by a document that passes through the document table 101 and passes through the reading position X, and is guided to the image sensor 119 by the slit 113, mirrors 114, 116A, and 116B, and the lens group 118. The image sensor 119 converts the received light into an electrical signal and transmits it to the image data generation unit 120. The light received by the image sensor 119 is input to the image data generation unit 120 as analog electrical signals of R (red), G (green), and B (blue), where analog-digital conversion is performed. Digitized. Further, the image data generation unit 120 uses the sequentially converted digital signal as unit data, and generates image data including a plurality of unit data by performing correction processing, image quality processing, compression processing, and the like on the unit data.

  Further, the image reading unit 111 can read not only a document conveyed by the automatic document feeder 106 but also a document placed on the document table 101. When reading the document placed on the document table 101, the first carriage 114 moves in the sub-scanning direction while emitting the light source 112, so that the optical path length from the light source 112 to the image sensor 119 is constant. The second moving carriage 117 moves in the direction of the image sensor 119 at a half speed of the first moving carriage 115.

  The image sensor 119 electrically outputs the light from the document placed on the document table 101 based on the light guided to the mirrors 114, 116 A, and 116 B, as in the case of the document conveyed to the automatic document feeder 106. Based on this, the image data generation unit 120 generates image data and stores the image data in the image storage unit 120B.

  An image forming unit 121 that prints image data is provided below the image reading unit 111 of the main body 104. The image data that can be printed by the image forming unit 121 is generated by the image data generating unit 120 as described above, or from a terminal such as a personal computer connected to the MFP 100 and a network such as a LAN. (Network interface, not shown). The communication unit is used for a facsimile transmission / reception function, an electronic mail transmission / reception function, and the like.

  As a printing method performed by the image forming unit 121, an electrophotographic method is used. That is, the photosensitive drum 122 is uniformly charged by the charger 123, and then a latent image is formed on the photosensitive drum 122 by irradiating the photosensitive drum 122 with a laser 124, and toner is attached to the latent image by the developing device 125. In this method, a visual image is formed and the visible image is transferred to a transfer medium by a transfer roller.

  Note that in a multi-function device that supports full-color images, the developing device (rotary developing device) 125 is rotated in the circumferential direction around a rotation axis that is configured in a direction perpendicular to the paper surface of FIG. The developing unit storing the toner is disposed at a position facing the photosensitive drum 122. In this state, the latent image on the photosensitive drum 122 is developed with toner stored in the developing device 125 and transferred to the intermediate transfer belt 126A. The developing unit 125 includes four developing units 125 (Y), (C), (M), and yellow (Y), cyan (C), magenta (M), and black (K), respectively. (K). By repeating the transfer to the intermediate transfer belt 126A for each color, a full color image is formed on the intermediate transfer belt 126A.

  A transfer medium on which a visible image is printed, that is, a sheet, is placed on a sheet feeding tray such as a sheet feeding cassette 132, 133, or 134.

  When the image forming unit 121 performs printing, one transfer medium is pulled out from any one of the paper feed trays by using the pickup roller 135, and the transferred transfer medium is intermediate transfer belt by the transport roller 136 or the registration roller 137. It is fed between 126A and the transfer roller 126B.

  When the visible image on the intermediate transfer belt 126A is transferred to the transfer medium fed between the intermediate transfer belt 126A and the transfer roller 126B, the image forming unit 121 uses the transport belt 127 to fix the visible image. The transfer medium is sent to the fixing unit 128 (fixing device). The fixing unit 128 includes a heating roller 129 with a built-in heater and a pressure roller 130 pressed against the heating roller 129 with a predetermined pressure. When the transfer medium passes between the heating roller 129 and the pressure roller 130, the visible image is fixed to the transfer medium by heat and a pressing force to the transfer medium. The fixed transfer medium is discharged to a discharge tray 131.

  Through the above procedure, the multifunction peripheral 100 provides the user with a copy function process. The falsification detection unit detects falsification of the program when the control unit activates a program related to image formation. For example, when the control unit activates a predetermined program (such as a facsimile function program). Similarly, in parallel with the activation of the program, the alteration detection unit detects the alteration of the program.

  FIG. 3 is a conceptual diagram showing the overall configuration of the operation unit according to the present invention.

  The user uses the operation unit 103 to input setting conditions for image formation as described above, and to confirm the input setting conditions. When the setting conditions and the like are input, a touch panel 301 (operation panel), a touch pen 302, and operation keys 303 provided in the operation unit 103 are used.

  The touch panel 301 employs an analog resistance film method, and has a structure in which a translucent upper film and a lower glass substrate are overlapped via a spacer, and each of the upper film and the lower glass substrate. A transparent electrode layer made of ITO (Indium Tin Oxide) or the like is provided on the facing surface. Further, when the upper film is pressed by the user, the transparent electrode layer on the upper film side and the transparent electrode layer on the lower glass substrate side corresponding to the pressed position are in contact with each other. By applying a voltage to the upper film or the lower glass substrate and taking out a voltage value corresponding to the pressed position from the lower glass substrate or the upper film, a coordinate value (pressed position) corresponding to the voltage value is detected. When the detected pressed position is included in a display area such as a character key in the keyboard screen displayed on the touch panel, the character is input. The same applies to, for example, keyboard keys and setting condition keys in addition to character keys.

  In addition, a display unit such as an LCD (Liquid Crystal Display) is provided below the lower glass substrate, and the display unit displays, for example, an error screen or an initial screen when a program alteration is detected. By displaying, a specific screen is displayed on the touch panel. Thereby, the touch panel 301 has both a function for inputting setting conditions and the like and a function for displaying the screen.

  In addition, a touch pen 302 is provided in the vicinity of the touch panel 301. When the user touches the touch pen 301 with the tip of the touch pen 302, the coordinate value corresponding to the contact position (pressed position) is the same as described above. Then, the user can press and select the displayed character key or the like with the touch pen 302.

  Further, a predetermined number of operation keys 303 are provided in the vicinity of the touch panel 301, and for example, a numeric keypad 304, a start key 305, a clear key 306, a stop key 307, a reset key 308, and a power key 309 are provided.

  Next, the configuration of the control system hardware of the MFP 100 and the falsification detection unit will be described with reference to FIG. FIG. 4 is a diagram illustrating a configuration of control system hardware of the multifunction peripheral and the falsification detection unit according to the present invention. However, details of each part not directly related to the present invention are omitted.

  The control circuit of the MFP 100 includes a CPU (Central Processing Unit) 401, a ROM (Read Only Memory) 402, a RAM (Random Access Memory) 403, an HDD (Hard Disk Drive) 404, and a driver 405 corresponding to each drive unit. They are connected by a bus 406. The CPU 401 uses, for example, the RAM 403 as a work area, executes a program stored in the ROM 402, the HDD 404, and the like, and data from the driver 405, the operation unit 103, and the falsification detection unit 408 based on the execution result. And instructions are given, and the operation of each drive unit shown in FIG. 1 is controlled. Further, each means (shown in FIG. 5) other than the driving unit described later is realized by the CPU 401 executing the program.

  An internal interface 407 is also connected to the internal bus 406 of the control circuit, and the internal interface 407 connects the control circuit of the falsification detection unit 408 and the control circuit of the multifunction device 100. The CPU 401 receives a command signal from the control circuit of the falsification detection unit 408 via the internal interface 407 and transmits a command signal, data, and the like to the control circuit of the falsification detection unit 408.

  The control circuit of the tampering detection unit 408 includes an internal bus 412, a CPU 409, a ROM 410, a RAM 411, and an internal interface 413. When the CPU 401 of the multifunction device 100 starts a predetermined program stored in the ROM 402 or RAM 403 of the multifunction device 100, the CPU 409 of the falsification detection unit 408 falsifies from the CPU 401 of the multifunction device 100 via the internal interface 413. A detection command signal is received, or a command signal related to program activation is received. The functions of the CPU 409, the ROM 410, and the RAM 411 of the falsification detection unit 408 are the same as described above, and the respective means (shown in FIG. 5) described later are realized by the CPU 409 executing the program. The ROM 410 and RAM 411 store programs and data for realizing each means described below.

<Embodiment of the present invention>
Next, an execution procedure according to the embodiment of the present invention will be described with reference to FIGS. FIG. 5 is a functional block diagram of the MFP and the falsification detection unit of the present invention. FIG. 6 is a flowchart for illustrating the execution procedure of the present invention.

  When the user turns on the power of the multifunction device 100, the control unit 501 of the multifunction device 100 starts to start a preset initial program (for example, a program related to image formation) (FIG. 6: S101).

  When the program is started, the control unit 501 notifies the selection unit 502 of the alteration detection unit 408 that the alteration of the program is detected. Next, the control unit 501 obtains the entire program corresponding to specific program identification information (for example, the name of the program “initial program”) from the program storage unit 503 without obtaining a result of whether or not the program has been tampered with. The data is read and the program is executed.

  FIG. 7A is a diagram showing an example of an initial screen displayed on the touch panel according to the embodiment of the present invention.

  The control unit 501 that has executed the initial program causes the display accepting unit 504 to display an initial screen related to image formation (FIG. 7A) on the touch panel, or causes the image forming unit 505 to place the drive unit related to image formation in a normal state. Or move to. Then, while viewing the initial screen displayed on the touch panel, the user inputs setting conditions related to image formation or presses the start key to cause the multifunction peripheral 100 to execute image formation processing.

  On the other hand, the selection unit 502 that has received the notification by the control unit 501 performs the program identification information (the program identification information of the program to be detected by the control unit 501 in parallel with the activation (execution) of the program by the control unit 501. "Initial program"). Next, the selection unit 502 refers to the priority selection storage unit 506 and determines whether block program identification information (described later) corresponding to the acquired program identification information is temporarily stored in the priority selection storage unit 506. (FIG. 6: S102).

  In this way, the time required for detecting the alteration of the program, for example, the calculation time of the hash value, is deleted from the startup time of the program, and the overall startup time of the program can be greatly reduced. It becomes.

  When the block program identification information corresponding to the program identification information is temporarily stored as a result of the determination (FIG. 6: S102 YES), the selection unit 502 selects the block program identification information with the highest priority. This will be described later (FIG. 6: S104).

  On the other hand, if the block program identification information corresponding to the program identification information is not temporarily stored as a result of the determination (FIG. 6: S102 NO), the selection unit 502 uses the hash stored in advance in the hash value storage unit 507. The value table is referred to (FIG. 6: S103).

  FIG. 7B is a diagram showing an example of a hash value table according to the embodiment of the present invention. FIG. 8A is a diagram showing an example of a block program according to the embodiment of the present invention.

  In the hash value table 700, as shown in FIG. 7B, the program identification information 701 (for example, “initial program” 701a) and a predetermined number (the number of divisions, for example, “10”) of the entire program are included. Block program identification information 702 (for example, “A001” 702a) of a block program obtained by dividing into blocks, and a comparison hash value 703 (for example, “98765”) obtained by applying a predetermined hash function to the block program. 703a, also referred to as digest information).

  Here, as shown in FIG. 8 (A), the block program 706 stores the entire program 801 (corresponding to binary data that is the substance of the program) in a predetermined number (in order from the data group including the top data 802). It is obtained by dividing equally into (number of divisions) blocks. The predetermined number of block programs 803 is the time required to calculate the hash value when the hash function is calculated by applying the hash function to the divided block program 803 (the calculation time of the hash value). Is determined to be less than a predetermined time (for example, several seconds to several tens of seconds) set in advance.

  As a result, it is possible to control the time required for calculating the hash value so as not to be longer than necessary. The predetermined number of the block programs 803 is appropriately determined according to the size of the entire program (the entire binary data). For example, in the case of an initial program (for example, several tens of MB), the predetermined number is 10 to 100. It is determined.

  The block program identification information 702 is information indicating in which area the block program 803 is located in the entire program 801 of the division source (for example, an address indicating the area or position of the memory in which the program is stored). ).

  In FIG. 8A, the block program 803a including the top data 802 of the program is assigned “A001” indicating the first order as block program identification information. Further, with the block program 803a including the head data 802 as a reference, the succeeding block program 803b is assigned block program identification information (for example, “A002” immediately after “A001”) in order. Yes. In FIG. 8A, since the predetermined number is 10, block program identification information (“A010”) indicating the last rank is assigned to the block program 803z including the trailing data. Thereby, it becomes possible to specify the area | region or position of a block program based on block program identification information.

  The selection unit 502 that refers to the hash value table 700 compares the previously acquired program identification information (“initial program”) with the program identification information 701 in the hash value table 700 and matches the program identification information 701 (“ A predetermined number of block program identification information 702 belonging to "initial program" 701a) is specified. Next, the selection unit 502 selects specific block program identification information 702 from a predetermined number of block program identification information 702 (FIG. 6: S104).

  Here, when the selection unit 502 selects the specific block program identification information 702, it may be selected in any way. For example, a selection number set in advance according to the type, purpose, and use of the program. The block program identification information (for example, one) is selected.

  With this configuration, if the number of block program identification information to be selected increases, the calculation time of the hash value increases, but the safety can be further improved. For example, if the program prioritizes safety over speeding up (address book function program including user information), the number of selections may be increased (for example, five) to ensure safety. However, if the program prioritizes quick startup over safety (an initial program that does not include any user information), the number of selections can be reduced to shorten startup time. Note that the number of selections may be configured so that a specific user such as an administrator appropriately sets the number according to the type, purpose, and usage of the program.

  Further, the selection unit 502 selects, for example, block program identification information of a block program including data from half to the end of the entire program in preference to other block program identification information. Specifically, the selection unit 502 selects the lowest rank block program identification information (“A010”) as specific block program identification information.

  FIG. 8B is a diagram showing an example of a program before falsification and a program after falsification according to the embodiment of the present invention.

  When the data of a predetermined part of the entire program is falsified, the program subsequent to the falsified data is changed according to the falsified data (contents). For example, as shown in FIG. 8B, when the data 804 in the central portion of the entire program is falsified and new predetermined data 805 is added, the data of the falsified data is added by the added amount 805. The subsequent program 806 shifts backward, and the subsequent program 806 is completely different from the subsequent program 807 before falsification. If predetermined data is deleted from the central data 804, the subsequent data of the falsified data is shifted forward by that amount, and as a result, the subsequent data is This data is completely different from the subsequent data.

  Then, the corresponding hash value of the block program 808 including at least a part of the subsequent data 806 after the falsification is completely different from the comparison hash value of the block program 809 before the falsification corresponding to the block program 808.

  Further, the block program having the lowest rank block program identification information surely corresponds to a program subsequent to half of the entire program. Therefore, it is highly likely that the block program includes a part of the subsequent program after falsification. By adopting the above-described configuration, the selection unit 502 can select block program identification information of a block program that is susceptible to data change due to tampering. As a result, even if detection of alteration of the program is executed in parallel with the activation (execution) of the program, detection of alteration of the program can be detected at an early stage. It is assumed that the altered data is equivalent (same number of bits) as compared with the data before the alteration, but in this case, since it is rare, there is no problem with the above-described configuration.

  When the selection unit 502 selects specific block program identification information (“A010”), the selection unit 502 notifies the hash value calculation unit 508 to that effect. The hash value calculation unit 508 that has received the notification acquires program identification information (“initial program”) and specific block program identification information (“A010”) from the selection unit 502. Next, the hash value calculation unit 508 corresponds to specific block program identification information (“A010”) from the entire program corresponding to the program identification information (“initial program”) from the program storage unit 503 of the multifunction peripheral 100. A block program is acquired (FIG. 6: S105). Then, the hash value calculation unit 508 refers to the hash function stored in advance in the hash function storage unit 509 and calculates the corresponding hash value by applying the hash function to the acquired block program (binary data) (see FIG. 6: S106).

  Here, when the hash value calculation unit 508 calculates the corresponding hash value, the size of the block program is a part (small) compared to the size of the entire program (for example, if the predetermined number is 10). For example, the calculation load (calculation load) of the hash value is reduced, and the calculation speed (calculation speed) can be improved and the calculation efficiency (calculation efficiency) can be improved. Furthermore, the hash value calculation time for a given block program is significantly reduced compared to the hash value calculation time for the entire program. For example, when the calculation time of the hash value corresponding to the entire program data is several minutes, the calculation time of the hash value corresponding to the block program is about several seconds. Thereby, it is understood that the calculation time of the hash value is remarkably shortened.

  Now, when the hash value calculation means 508 calculates the corresponding hash value, it notifies the detection means 510 to that effect. Upon receiving the notification, the detection unit 510 refers to the hash value table 700 of the hash value storage unit 509 and acquires a comparison hash value (“65432”) corresponding to the specific block program identification information (“A010”). . Then, the detection unit 510 compares the calculated corresponding hash value with the acquired comparison hash value to determine whether or not tampering has occurred (FIG. 6: S107).

  As a result of the comparison (determination), if the two match (FIG. 6: S107 YES), the program has not been tampered with. In this case, the detection unit 510 notifies the selection unit 502 to that effect. Upon receipt of the notification, the selection unit 502 refers to the hash value table 700 during execution (starting up and operating) of the program, and stores all the block program identification information stored in the hash value table 700. It is determined whether or not it has been selected (FIG. 6: S108).

  Note that, as a result of the comparison, if the corresponding hash value does not match the comparison hash value (FIG. 6: S107 NO), it will be described later.

  The determination method of whether or not all the block program identification information stored in the hash value table 700 has been selected is, for example, the block program identification information in the hash value table 700 that the selection unit 502 refers to and the block that has already been selected. The comparison is made with the program identification information, and whether or not the inconsistent block program identification information exists in the hash value table 700 is determined.

  If all the block program identification information stored in the hash value table 700 has not been selected as a result of the determination (FIG. 6: S108 NO), the selection unit 502 starts a predetermined timer 511 provided in advance. Then, the elapsed time from the time when the detection unit 510 receives the result of the presence or absence of alteration of the predetermined block program is measured (FIG. 6: S109). Then, the selection unit 502 acquires the set time stored in advance in the set time storage unit 512, and waits until the elapsed time exceeds the set time (FIG. 6: S110 NO).

  Here, the set time is appropriately set by a specific user such as an administrator in accordance with the type, purpose, application, and size of the program. For example, when the program is an initial program and the predetermined number of block programs is 10, the set time is set to 6 minutes so that the alteration of the block program is detected 10 times per hour.

  When the elapsed time exceeds the set time (FIG. 6: S110 YES), the selection unit 502 determines from the hash value table 700 block program identification information that is different from the already selected block program identification information (block program that has not been selected yet). (Identification information) is selected (FIG. 6: S104).

  As a result, during the execution of the program by the control means 501, the selection of unselected block program identification information is repeated every predetermined time until all block program identification information is selected, and the entire program is altered. Can be reliably detected. In addition, by detecting such alteration of the block program repeatedly during the execution of the program (starting and operating), if the alteration is made during the execution of the program, the alteration is performed almost in real time. It can be detected and captured. Here, “being executed” includes the time when the multifunction device 100 is in the low power state by the control unit 501 executing a predetermined program that shifts to the power saving state after a predetermined time has elapsed.

  When the selection unit 502 selects specific block program identification information (FIG. 6: S104), the lowest block program identification information (“A010”) has already been selected. Therefore, the selection unit 502 selects the next lower rank block program identification information (“A009”). That is, the selection unit 502 selects block program identification information in descending order from the lowest rank block program identification information (“A010”) to the highest rank block program identification information (“A001”). Since the selection is the same as described above (FIG. 6: S105), the description is omitted.

  In S108, when the selection unit 502 selects all the block program identification information stored in the hash value table 700 (FIG. 6: S108 YES), as a result of detecting alteration of the entire program, the program is It has not been tampered with. Therefore, the selection unit 502 completes detection of alteration of the program.

  On the other hand, in S107, if the corresponding hash value and the comparison hash value do not match as a result of the comparison (FIG. 6: S107 NO), the program activated (executed) by the control unit 501 is It has been altered for some reason. Therefore, the detection unit 510 detects that the program has been tampered with and notifies the function stop unit 513 to that effect. Upon receiving the notification, the function stopping unit 513 receives the block program identification information (“A010”) corresponding to the non-matching comparison hash value and the program identification information (“initial program”) corresponding to the block program identification information (“A010”). ”) From the hash value table 700 of the hash value storage unit 507, and the acquired block program identification information and program identification information are temporarily stored in the above-described priority selection storage unit 506 as a priority selection table (FIG. 6). : S111).

  FIG. 9A is a diagram showing an example of a priority selection table according to the embodiment of the present invention.

  In the priority selection table 900, as shown in FIG. 9A, the program identification information 901 (“initial program”) of the altered program and the block program identification of the block program in which alteration has been detected in the entire program. Information 902 (“A010”) is temporarily stored in association with each other.

  As a result, when the selection unit 502 selects specific block program identification information in the program identification information of the altered program in S102, the block program identification information (priority selection table 900) is stored in the priority selection storage unit 506. Since it is temporarily stored (FIG. 6: S102 YES), the selection unit 502 selects the temporarily stored block program identification information 902 from the priority selection storage unit 506 (FIG. 6: S104). .

  Therefore, for example, once a program alteration is detected (FIG. 6: 107 NO), the user restarts, resets the power, etc., and the control means 501 starts the altered program again. (FIG. 6: S101), the selection unit 502 reliably selects the block program identification information 902 of the block program in which tampering is detected (FIG. 6: S102 YES → S104), and the detection unit 510 tampers with the program. Is detected (FIG. 6: 107 NO). As a result, it is possible to reliably stop execution of the program after the alteration.

  In S111, the function stop unit 513 next notifies the control unit 501 that the operation of the multifunction peripheral 100 is stopped and the display reception unit 504 displays an error screen. Upon receiving the notification, the control unit 501 stops energization from the power source (main power source) to the drive unit related to image processing (FIG. 6: S112), and the display receiving unit 504 displays an error screen on the touch panel (FIG. 6). 6: S113).

  FIG. 9B is a diagram showing an example of an error screen according to the embodiment of the present invention.

  In the error screen 903, as shown in FIG. 9B, a message 904 indicating that the program has been tampered with, a message 905 indicating that all the functions of the multifunction peripheral 100 have been stopped, and calling a serviceman to the user. A message 906 for prompting the user, a contact information 907 of the service person, and the name 908 of the altered program are displayed. As a result, it is possible to notify the user that the program has been tampered with and to contact the service person.

  Further, the function stopping unit 513 acquires the block program corresponding to the block program identification information (“A010”) of the corresponding hash value that has been inconsistent from the program storage unit 503 and stores it in the falsification analysis storage unit 514 (FIG. 6). : S114). The falsification analysis storage unit 514 is configured to be accessible by a specific user, for example, an administrator, a service person, and the like, and is further configured to be removable from the falsification detection unit 408 and the multifunction peripheral 100. Yes. As a result, a specific user can analyze the contents (data) of the falsification analysis storage unit 514 to know the falsified data, the intention of falsification by the falsifier performing the falsification, and the like.

  Then, the function stop unit 513 acquires an access log to the altered program from the program storage unit 503 or a predetermined memory of the multifunction peripheral 100. The function stopping unit 513 acquires an access log (communication log) from the network (not shown) to the program from the network. Then, the function stop unit 513 stores the acquired access log in the falsification analysis storage unit 514 (FIG. 6: S115). Thus, by analyzing the contents of the alteration analysis storage unit 514, a specific user can further know the program change history and the accessor before and after the alteration, and can prompt the identification of the alteration executor. It becomes.

  Further, the function stopping unit 513 prohibits access to the user information storage unit 515 storing user information out of the memory mounted in the multi-function device 100 and prohibits the communication unit from accessing the network. (FIG. 6: S116). Thereby, for example, the program after the tampering is a program for leaking the user information, and the control unit 501 executes the program after the tampering so that the user information stored in the user information storage unit 515 is changed. It is possible to prevent a situation in which the data leaks to another terminal device via the network. As a result, sufficient safety can be ensured.

  Thereby, the processing when the alteration of the program is detected is completed.

  Now, when a falsified program is repaired, it becomes as follows.

  That is, according to the user's notification, a specific user such as a serviceman connects a regular program storage unit (not shown) for storing a regular program with the program storage unit 503 of the multi-function peripheral 100, and the display receiving unit 504. Then, a key for executing restoration of the altered program is input to the control means 501. Receiving the key input, the control unit 501 rewrites (changes) the altered program stored in the program storage unit 503 with a regular program.

  After the rewriting is completed, when the control unit 501 displays a screen indicating that the restoration of the altered program has been completed via the display receiving unit 504, a specific user can confirm the confirmation key (for example, OK) displayed on the screen. Key). Upon receiving the key input, the control unit 501 notifies the function stop unit 513 to that effect. Upon receiving the notification, the function stopping unit 513 acquires program identification information corresponding to the restored program from the control unit 501 (or the program storage unit 503), refers to the priority selection storage unit 506, and stores the priority selection storage. The priority selection table 900 corresponding to the restored program is deleted from the means 506.

  As a result, when the control unit 501 starts the restored program (FIG. 6: S101), the selection unit 502 refers to the hash value table (FIG. 6: S102 NO → S103), and the lowest rank Block program identification information is selected one by one in descending order from the block program identification information (“A010”) to the highest order block program identification information (“A001”) (FIG. 6: S104), and the alteration of the program is detected. Will resume normally.

  Thus, in the embodiment of the present invention, the block program identification information 702 of the block program obtained by dividing the entire program into a predetermined number of blocks and the predetermined hash function are applied to the block program. A hash value storage unit 507 that associates and stores a comparison hash value 703 and a specific block stored in the hash value storage unit 507 in parallel with the activation of the program when the MFP 100 activates the program. Selection means 502 for selecting program identification information 702, hash value calculation means 508 for calculating a corresponding hash value by applying the hash function to a block program corresponding to the selected specific block program identification information 702, and the correspondence Hash value and the comparison hash value By compare, if they do not match, and a detecting means 510 for detecting said program is tampered.

  Thereby, the alteration of the program is detected in parallel with the activation of the program of the multifunction peripheral 100. Therefore, the time required for detecting the alteration of the program, for example, the calculation time of the hash value, is deleted from the startup time of the program, and the entire startup time of the program can be greatly shortened. In addition, the alteration detection of the program that is performed in parallel with the start of the program is not calculated by calculating the corresponding hash value from the entire program but by calculating the corresponding hash value from the block program that is a part of the entire program. The Therefore, the calculation load (calculation load) of the hash value is reduced, the calculation speed (calculation speed) and the calculation efficiency (calculation efficiency) are improved, the calculation time of the hash value is shortened, and the response speed of detecting the alteration of the program It is possible to speed up the process.

  In the embodiment of the present invention, the hash value storage means 507 stores the comparison hash value obtained by applying the hash function to a block program as it is, and the hash value calculation means 508 stores a specific block program identification. Although the hash function is directly applied to the block program corresponding to the information to calculate the corresponding hash value, other configurations may be used.

  For example, the hash value storage unit 507 applies the hash function to a program after adding predetermined additional information (for example, additional information unique to the MFP 100 or the falsification detection unit 408) to the block program. The obtained hash value is stored as a comparison hash value, and the hash value calculation means 508 applies the hash function to the program after adding the additional information to the block program when calculating the corresponding hash value. You may comprise so that a hash value may be calculated.

  Here, when adding the additional information to the block program, the additional information may be added to the head of the block program (the additional information added to the head may be referred to as a prefix) or added to the tail of the block program. (Additional information added to the tail may be referred to as a suffix). Even if the hash function is acquired by the falsification executor by the configuration, the falsification executor can compare the hash value and the corresponding hash value based on the program and the hash function due to the presence of the additional information. Therefore, it is possible to further improve safety.

  The additional information is preferably stored in a memory that cannot be changed or read from outside the tampering detection unit 408. As the memory, for example, a tamper-resistant memory (integrated circuit) or the like in which information stored in the memory is lost when the memory is removed and disassembled can be employed.

  In the embodiment of the present invention, the selection unit 502 is configured to select one specific block program identification information. However, when a plurality of selections are made, the hash value calculation unit 508 selects the specific block program selected. For each piece of identification information, the hash function is applied to the corresponding block program to calculate a corresponding hash value, and the detection unit 510 calculates the corresponding hash value and the comparison hash value for each selected specific block program identification information. It goes without saying that the presence / absence of tampering is determined by comparing.

  In the embodiment of the present invention, the selection unit 502 sets the block program identification information in descending order from the lowest block program identification information (“A010”) to the highest block program identification information (“A001”). Although selected to be selected one by one, other configurations may be used. That is, even if the selection means 502 sequentially selects specific block program identification information randomly from the predetermined block program identification information, the specific block program identification information is set in a predetermined order (such as ascending order). You may select sequentially.

  In the embodiment of the present invention, the function stop unit 513 stops the operation of the multifunction peripheral 100 and displays an error screen on the touch panel when the detection unit 510 detects the alteration of the program. Processing for storing the block program corresponding to the comparison hash value of the mismatch in the alteration analysis storage means 514, processing for storing the access log to the program or the communication log from the network to the program in the alteration analysis storage means 514, the multifunction device Of the 100 predetermined memories, it is configured to execute all of the processing for prohibiting access to the user information storage means 515 storing user information or access to the network, but other configurations may be used. .

  That is, the function stopping unit 513 may be configured to execute at least one of the above-described plurality of processes. Further, the function stop unit 513 may be configured to execute a specific process among the above-described plurality of processes in accordance with the type, purpose, and application of the program in which tampering is detected. For example, when the program is a program that transmits image data via a network (telephone line) (for example, a “facsimile function program”), the function stopping unit 513 performs processing related to the network. If the program is a program that displays a user's destination based on user information (for example, “address book function program”), the function stop unit 513 is related to the user information. You may comprise so that a process may be performed.

  In the embodiment of the present invention, the tampering detection unit 408 (tampering detection device) mounted on the multifunction peripheral 100 is configured to include each unit. However, a program that realizes each unit is stored in a storage medium, and A storage medium may be provided. In this configuration, the falsification detection device is made to read the program, and the falsification detection device implements the above-described means. In that case, the program itself read from the recording medium exhibits the effects of the present invention. Furthermore, it is possible to provide the steps executed by each means as a falsification detection method. The program can be distributed in a state where it is recorded on a computer-readable recording medium such as a CD-ROM.

  As described above, the falsification detection apparatus and the falsification detection method according to the present invention are useful not only for multifunction devices but also for electronic devices such as copiers and printers, and for falsification that can reduce the time required to start a program. It is effective as a detection device and a falsification detection method.

100 MFP 408 Tampering Detection Unit 501 Control Unit 502 Selection Unit 503 Program Storage Unit 504 Display Reception Unit 505 Image Forming Unit 506 Priority Selection Storage Unit 507 Hash Value Storage Unit 508 Hash Value Calculation Unit 509 Hash Value Function Storage Unit 510 Detection Unit 511 Timer 512 Set time storage means 513 Function stop means 514 Tamper analysis storage means 515 User information storage means

Claims (8)

In the falsification detection device that detects whether or not the program of the device has been falsified,
Hash value storage for storing block program identification information of a block program obtained by dividing the entire program into a predetermined number of blocks and a comparison hash value obtained by applying a predetermined hash function to the block program in association with each other Means,
When the apparatus activates the program, a selection unit that selects specific block program identification information stored in the hash value storage unit in parallel with the activation of the program,
Hash value calculating means for calculating a corresponding hash value by applying the hash function to a block program corresponding to the selected specific block program identification information;
A tamper detection apparatus comprising: a detection unit that determines whether or not tampering has occurred by comparing the corresponding hash value and the comparison hash value. When the apparatus starts up the program, the selection unit selects every block program identification information stored in the hash value storage unit during execution of the program every predetermined set time. The tampering detection apparatus according to claim 1, wherein selection of block program identification information different from the already selected block program identification information is continued. When the selection means selects specific block program identification information, the block program identification information of a block program including data from half to the tail of the entire program is selected with priority over other block program identification information. The falsification detection device according to claim 1 or 2. Further, when the detection unit detects the alteration of the program, the block program identification information corresponding to the mismatch hash value is temporarily stored in the priority selection storage unit, and when the altered program is restored, A function stop means for erasing the stored block program identification information from the priority selection storage means,
The falsification according to any one of claims 1 to 3, wherein the selection unit preferentially selects the block program identification information when the block program identification information is temporarily stored in the priority selection storage unit. Detection device. The function stop means is a process for stopping the operation of the apparatus and displaying an error screen on an operation unit provided in the apparatus, and a falsification analysis storage means for a block program of block program identification information corresponding to a mismatch hash value that does not match Processing to store data, access log to the program or communication log from the network to the program in the falsification analysis storage means, access to user information storage means storing user information or access to network The tampering detection apparatus according to claim 4, wherein at least one of the processes for prohibiting is executed. The hash value storage means stores, as a comparison hash value, a hash value obtained by applying the hash function to a program after adding predetermined additional information to the block program,
The falsification detection according to any one of claims 1 to 5, wherein the hash value calculation unit calculates a corresponding hash value by applying the hash function to a program after the additional information is added to the block program. apparatus.   An image forming apparatus comprising the falsification detection device according to claim 1. In the falsification detection method for detecting whether or not the device program has been falsified,
When the apparatus starts the program, in parallel with the start of the program, block program identification information of a block program obtained by dividing the entire program into a predetermined number of blocks, and a predetermined hash function for the block program A reference step for referring to hash value storage means for storing the hash value in association with the comparison hash value obtained by applying
A selection step of selecting specific block program identification information stored in the hash value storage means;
A hash value calculating step of calculating a corresponding hash value by applying the hash function to a block program corresponding to the selected specific block program identification information;
And a detection step of determining whether the program has been altered by comparing the corresponding hash value with the comparison hash value.

Images