JP7518954B1 - Information processing device and control method - Google Patents

Abstract

The present invention aims to suppress malware infection and improve security.
[Solution] The information processing device includes a risk state storage unit that stores information indicating a risk state indicating that a security problem may occur, and a control unit that executes processing based on a BIOS and an OS, and when the risk state is detected, stores the information indicating the risk state in a previous risk state storage unit by processing based on the BIOS. When starting the OS, if the risk state storage unit stores information indicating the risk state in processing based on the BIOS, the control unit starts a dedicated OS that is different from the OS and whose security is ensured, and restricts connection to a management network, which is a managed local network.
[Selected figure] Figure 2

Description

The present invention relates to an information processing device and a control method.

In recent years, information processing devices such as personal computers have been subject to malware attacks, and techniques for preventing malware infection are known (see, for example, Patent Document 1). Furthermore, malware exploits vulnerabilities in, for example, the OS (Operating System), and when a vulnerability that may be exploited by malware is discovered in an information processing device, a countermeasure is taken in which an update program is provided to resolve the vulnerability of the OS.

JP 2018-10499 A

However, in conventional information processing devices, for example, if a patch program that resolves a vulnerability in the OS is released but an update to apply the patch program is not performed, and the device is connected to a managed local network such as an in-house network, there is a risk that malware may spread within the managed network.

The present invention has been made to solve the above problems, and its purpose is to provide an information processing device and control method that can suppress malware infection and improve security.

In order to solve the above problem, one aspect of the present invention is an information processing device that includes a risk state storage unit that stores information indicating a risk state indicating that a security problem may occur, and a control unit that executes processing based on a BIOS (Basic Input Output System) and an OS (Operating System), and when the risk state is detected, stores information indicating the risk state in the risk state storage unit through processing based on the BIOS, and when the control unit starts the OS, if the risk state storage unit stores information indicating the risk state in the processing based on the BIOS, the control unit starts a dedicated OS that is different from the OS and whose security is ensured, and restricts connection to a management network, which is a managed local network.

In one aspect of the present invention, in the information processing device described above, the risk state includes a case where the OS is started at an interval of at least a preset period, and when starting the OS, in processing based on the BIOS, if the OS is started at an interval of at least a preset period, the control unit may store information indicating the risk state in the risk state storage unit and start the dedicated OS instead of the OS.

In one aspect of the present invention, in the information processing device, the risk state includes a case where malware is detected during a process in which a program capable of detecting malware is executed on the OS, and the control unit may store information indicating the risk state in the risk state storage unit by processing based on the BIOS when the malware is detected during the execution of the program capable of detecting the malware.

In one aspect of the present invention, in the information processing device, the control unit may execute an update process for the OS that applies the latest patch program for the OS through processing based on the dedicated OS.

In one aspect of the present invention, in the information processing device described above, when the execution of the OS update process is completed, the control unit may store information indicating that the BIOS-based process is not in the risk state in the risk state storage unit.

In one aspect of the present invention, in the information processing device described above, the risk state includes a case where an opening detection sensor that detects that the case in which the device is mounted has been opened detects that the case has been opened, and when starting the OS, if the opening detection sensor detects that the case has been opened in a process based on the BIOS, the control unit may store information indicating the risk state in the risk state storage unit and start the dedicated OS instead of the OS.

In one aspect of the present invention, in the information processing device described above, the risk state includes a case where a storage device storing the OS program has been replaced, and when the control unit detects that a storage device has been replaced in processing based on the BIOS when starting the OS, the control unit may store information indicating the risk state in the risk state storage unit and start the dedicated OS instead of the OS.

In one aspect of the present invention, in the above information processing device, when the risk state storage unit stores information indicating the risk state, the control unit may notify a security administrator of the information indicating the risk state.

In one aspect of the present invention, in the above information processing device, when the risk state storage unit stores information indicating the risk state, the control unit may further execute a detection process to determine whether or not the OS is infected with malware.

Another aspect of the present invention is a control method for an information processing device including a risk state storage unit that stores information indicating a risk state indicating that a security problem may occur, and a control unit that executes processing based on a BIOS (Basic Input Output System) and an OS (Operating System), the control unit storing information indicating the risk state in the risk state storage unit by processing based on the BIOS when the control unit detects the risk state, and the control unit starting a dedicated OS, which is different from the OS and whose security is ensured, and restricting connection to a management network, which is a managed local network, when starting the OS and the control unit stores information indicating the risk state in the processing based on the BIOS.

The above aspects of the present invention can prevent malware infections and improve security.

FIG. 2 is a diagram illustrating an example of a main hardware configuration of a notebook PC according to the present embodiment. FIG. 2 is a functional block diagram showing an example of a functional configuration of an information processing system and a notebook PC according to the present embodiment. FIG. 1 is a diagram showing an overview of security countermeasure processing for a notebook PC according to an embodiment of the present invention. 5 is a flowchart showing an example of a startup process of the notebook PC according to the present embodiment. 10 is a flowchart illustrating an example of a malware detection process for a notebook PC according to the present embodiment. 10 is a flowchart illustrating an example of recovery processing of a notebook PC according to the present embodiment.

Below, an information processing device and control method according to one embodiment of the present invention will be described with reference to the drawings.

FIG. 1 is a diagram showing an example of the main hardware configuration of a notebook PC 1 according to this embodiment. In this embodiment, the notebook PC 1 will be described as an example of an information processing device.

As shown in FIG. 1, the notebook PC 1 includes a CPU 11, a main memory 12, a video subsystem 13, a display unit 14, a chipset 21, a BIOS memory 22, an SSD 23, an audio system 24, a WLAN card 25, a USB connector 26, an embedded controller 31, an input unit 32, a power supply circuit 33, and a sensor unit 34.

In this embodiment, the CPU 11 and the chipset 21 correspond to the main control unit 10. The main control unit 10 is an example of a processor (main processor) that executes a program stored in a memory (main memory 12).

A CPU (Central Processing Unit) 11 executes various arithmetic processes under program control, and controls the entire notebook PC 1 .
The main memory 12 is a writable memory used as a read area for the execution program of the CPU 11 or as a work area for writing processing data for the execution program. The main memory 12 is composed of, for example, multiple DRAM (Dynamic Random Access Memory) chips. The execution programs include a Basic Input Output System (BIOS), an OS, various drivers for operating the hardware of peripheral devices, various services/utilities, application programs, etc.

The video subsystem 13 is a subsystem for implementing functions related to image display, and includes a video controller. This video controller processes drawing commands from the CPU 11, writes the processed drawing information to a video memory, and also reads the drawing information from the video memory and outputs it to the display unit 14 as drawing data (display data).

The display unit 14 is, for example, a liquid crystal display, and displays a display screen based on the drawing data (display data) output from the video subsystem 13.

The chipset 21 includes controllers for a Universal Serial Bus (USB), a serial AT Attachment (Serial ATA), a Serial Peripheral Interface (SPI) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express bus, and a Low Pin Count (LPC) bus, and is connected to multiple devices. In FIG. 1, a BIOS memory 22, an SSD 23, an audio system 24, a WLAN card 25, and a USB connector 26 are connected to the chipset 21 as examples of devices.

The BIOS memory 22 is composed of an electrically rewritable non-volatile memory such as an EEPROM (Electrically Erasable Programmable Read Only Memory) or a flash ROM. The BIOS memory 22 stores the BIOS and system firmware for controlling the embedded controller 31, etc.

An SSD (Solid State Drive) 23 (an example of a non-volatile storage device) stores an OS, various drivers, various services/utilities, application programs, and various data.
The audio system 24 records, reproduces, and outputs audio data.

A WLAN (Wireless Local Area Network) card 25 connects to a network via a wireless LAN and performs data communication.
The USB connector 26 is a connector for connecting peripheral devices that utilize USB.

The embedded controller 31 (an example of a sub-controller) is a one-chip microcomputer that monitors and controls various devices (peripheral devices, sensors, etc.) regardless of the system state of the notebook PC 1. The embedded controller 31 also has a power management function that controls the power supply circuit 33. The embedded controller 31 is composed of a CPU, ROM, RAM, etc. (not shown), and has A/D input terminals for multiple channels, D/A output terminals, a timer, and digital input/output terminals. The embedded controller 31 is connected to, for example, an input unit 32, a power supply circuit 33, and a sensor unit 34 via these input/output terminals, and the embedded controller 31 controls the operations of these.

The input unit 32 is, for example, an input device such as a keyboard, a pointing device, or a touch pad.
The power supply circuit 33 includes, for example, a DC/DC converter, a charge/discharge unit, a battery unit, an AC/DC adapter, etc., and converts a DC voltage supplied from the AC/DC adapter or the battery unit into a plurality of voltages required to operate the notebook PC 1. The power supply circuit 33 also supplies power to each part of the notebook PC 1 based on the control from the embedded controller 31.

The sensor unit 34 is a sensor that detects various detection data inside the notebook PC 1. The sensor unit 34 includes, for example, a temperature sensor, a three-dimensional acceleration sensor, a gyro sensor, an opening detection sensor unit 341 (see FIG. 2 ) described later, and the like.

Next, the functional configuration of the notebook PC 1 according to this embodiment will be described with reference to FIG.
2 is a functional block diagram showing an example of the functional configuration of the information processing system 100 and the notebook PC 1 according to this embodiment. Note that, in FIG. 2, only the configuration related to the present invention is shown among the functional configuration of the notebook PC 1.

As shown in FIG. 2, the information processing system 100 includes a notebook PC 1, a boot server 2, and an in-house management server 3. The notebook PC 1, the boot server 2, and the in-house management server 3 can be connected to each other via a network NW1 and a network NW2.

The boot server 2 is, for example, a server device provided by the manufacturer of the notebook PC 1 to provide various services, and is a server device for network booting. The boot server 2 provides a dedicated local OS program, which will be described later, to the notebook PC 1 via the network NW1.

The internal management server 3 is, for example, a management server that manages the internal network and the notebook PC 1. The internal management server 3 is, for example, a server device managed by a security administrator.

The network NW1 is a wide area network (WAN) or a local area network (LAN) within a company. In this embodiment, for example, a notebook PC 1, a boot server 2, and an in-house management server 3 can be connected to the network NW1.

Network NW2 is a local area network (LAN) within a company, and is an internal company network. Network NW2 is, for example, an example of a managed network, which is a managed local network. For example, devices managed within the company can be connected to network NW2, and for example, notebook PC 1 and internal management server 3 are connected to network NW2.

As shown in FIG. 2, the notebook PC 1 also includes a main control unit 10, an embedded controller 31, a memory unit 40, a network (NW) communication unit 250, and an opening detection sensor unit 341.

The NW communication unit 250 is a functional unit realized by a network device such as a WLAN card 25. The main control unit 10 can be connected to the network NW1 and the network NW2 via the NW communication unit 250.

The opening detection sensor unit 341 is a sensor that detects that the housing of the notebook PC 1 has been opened, and is used, for example, to determine whether there is a possibility of a security problem such as a hardware attack. The opening detection sensor unit 341 outputs detection data indicating that the housing of the notebook PC 1 has been opened to the main control unit 10 via the embedded controller 31.

The storage unit 40 is realized by a memory such as the BIOS memory 22 or the SSD 23, and stores, for example, various information used in various processes of the main control unit 10. The storage unit 40 includes a risk state storage unit 41 and an OS startup date and time storage unit 42.

The risk state storage unit 41 is a storage unit realized by a memory such as the BIOS memory 22, and stores information indicating a risk state indicating that a security problem may occur. The risk state storage unit 41 may store different data as information indicating a risk state depending on the case of the risk state described below.

The OS startup date and time storage unit 42 is a storage unit realized by the BIOS memory 22 or the like, and stores date and time information when the OS (e.g., Windows (registered trademark)) was last started. The date and time information stored in the OS startup date and time storage unit 42 is used to detect how long it has been since the OS was last started.

The main control unit 10 (an example of a control unit) is a functional unit that is realized by having the CPU 11 and chipset 21 execute programs stored in the BIOS memory 22 and SSD 23, and executes various processes based on the BIOS and OS.

When the main control unit 10 detects a risk state, it stores information indicating the risk state in the risk state storage unit 41 through processing based on the BIOS. Furthermore, when starting the OS, if the risk state storage unit 41 stores information indicating a risk state in processing based on the BIOS, the main control unit 10 starts a dedicated OS that is different from the OS and is secured, and restricts connection to network NW2 (managed network), which is a managed local network (e.g., an in-house network). Here, the dedicated OS is, for example, Windows PE (Preinstallation Environment) (Windows is a registered trademark), a dedicated portable OS.

When the risk state storage unit 41 stores information indicating a risk state, the main control unit 10 acquires the program of the dedicated portable OS from the boot server 2 using a network boot (HTTPs Boot), or acquires the program of the dedicated portable OS from a partition of a secure system area of the SSD 23, and starts the dedicated portable OS. In this case, the main control unit 10 also prohibits connection to the network NW2 (intra-company network).
The main control unit 10 includes a BIOS processing unit 101 , an OS processing unit 102 , and a local OS processing unit 103 .

The BIOS processing unit 101 is a functional unit that is realized by having the CPU 11 and the chipset 21 execute the BIOS program stored in the BIOS memory 22. The BIOS processing unit 101 executes processing based on the BIOS (BIOS processing).

When the BIOS processing unit 101 detects a risk state, it stores information indicating the risk state in the risk state storage unit 41 through processing based on the BIOS.
The risk state includes the following four cases.

<Case (1)>
The risk state includes case (1) where an interval of a preset period or more has elapsed since the OS was started. Case (1) is a case where, for example, three months or more have elapsed since the previous OS startup. When starting the OS, the BIOS processing unit 101 obtains date and time information of the previous OS startup from the OS startup date and time storage unit 42, and calculates the period elapsed since the previous startup based on the previous date and time information and the current date and time information. If the period elapsed since the previous startup is, for example, three months or more, the BIOS processing unit 101 stores information indicating a risk state (for example, "01") in the risk state storage unit 41.

<Case (2)>
The risk state includes, as case (2), a case where malware is detected in a process in which a program capable of detecting malware is executed on the OS. Examples of programs capable of detecting malware include EPP (Endpoint Protection Platform) and EDR (Endpoint Detection and Response). When malware is detected in a process in which a program capable of detecting malware is executed, the BIOS processing unit 101 stores information indicating the risk state (e.g., "02") in the risk state storage unit 41.

<Case (3)>
The risk state includes, as case (3), a case where the opening detection sensor unit 341, which detects that the housing in which the device itself (notebook PC 1) is mounted, detects that the housing has been opened. That is, the opening detection sensor unit 341 detects that the housing of the notebook PC 1 has been opened. When starting the OS, if the opening detection sensor unit 341 detects that the housing has been opened, the BIOS processing unit 101 stores information indicating a risk state (for example, "03") in the risk state storage unit 41 and starts a dedicated OS instead of the OS.

<Case (4)>
The risk state includes, as case (4), a case where a storage device (e.g., an important part such as the SSD 23) in which an OS program is stored has been replaced. When the BIOS processing unit 101 detects that a storage device (e.g., an important part such as the SSD 23) has been replaced when starting the OS, the BIOS processing unit 101 stores information indicating a risk state (e.g., "04") in the risk state storage unit 41 and starts a dedicated OS instead of the OS.

The OS processing unit 102 is a functional unit that is realized by having the CPU 11 and the chipset 21 execute various programs, including the OS, stored in the SSD 23. The OS processing unit 102 executes processes based on the OS (OS processing) and also executes processes based on various drivers and application programs that run on the OS.

The OS processing unit 102 executes a process for running a program capable of detecting malware, such as EPP and EDR, on the OS, and when a malware infection is detected, passes the process to the BIOS processing unit 101 and stores information indicating the risk state (e.g., "02") in the risk state storage unit 41. The OS processing unit 102 may, for example, isolate the malware or prohibit connection to the network NW2 using EPP and EDR.

The local OS processing unit 103 is a functional unit that is realized by having the CPU 11 and the chipset 21 execute a program of the dedicated portable OS, and executes various processes based on the dedicated portable OS. The local OS processing unit 103 executes, for example, a recovery process from a risk state.

When the risk state is the above-mentioned case (1) or case (2), the local OS processing unit 103 executes an OS update process that applies the latest patch program for the OS by processing based on the dedicated portable OS. When the risk state is the above-mentioned case (1) or case (2), the local OS processing unit 103 executes a process of installing the latest patch program for the OS, for example, by executing the "dism.exe" program.

The local OS processing unit 103 executes "dism.exe" to prepare an environment for installing the latest patch program of the OS, and then restarts the notebook PC 1 to install the latest patch program in the SSD 23. Furthermore, when the installation of the latest patch program is completed by restarting the notebook PC 1, the local OS processing unit 103 causes the BIOS processing unit 101 to store information indicating that there is no risk state (for example, "00") in the risk state storage unit 41.

When the risk state is one of the above-mentioned cases (3) and (4), the local OS processing unit 103 notifies the security administrator of information indicating the risk state (e.g., information indicating that the housing has been opened, information on the replaced part (e.g., SSD 23, etc.)). The local OS processing unit 103 notifies the in-house management server 3 of the information indicating the risk state via the NW communication unit 250, for example, by executing an agent program.

Next, the operation of the notebook PC 1 and the information processing system 100 according to the present embodiment will be described with reference to the drawings.
FIG. 3 is a diagram showing an overview of security countermeasure processing of the notebook PC 1 according to this embodiment.

As shown in FIG. 3, the security countermeasure process of the notebook PC 1 includes the following four steps.
The process of step S1 is a "Detect" process (detection process), and the notebook PC 1 detects the above-mentioned risk state. In step S1, the main control unit 10 of the notebook PC 1 detects the risk state according to the above-mentioned cases (1) to (4), and stores information indicating the risk state in the risk state storage unit 41 by processing based on the BIOS.

Next, the process of step S2 is the "Isolate" process (isolation process), in which the main control unit 10 prohibits connection to the network NW1 (internal company network) and isolates the notebook PC 1 that is in a risk state.

Next, the process in step S3 is a "Heal" process (recovery process), in which the main control unit 10, for example, starts up a dedicated portable OS and executes an OS update process to apply the latest patch program for the OS, thereby recovering the system.

Next, the process of step S4 is a "Restore" process (restoration process), in which the main control unit 10 restores (recovers) the notebook PC 1, for example, from a risky state to a normal state.

Next, the start-up process of the notebook PC 1 according to this embodiment will be described with reference to FIG.
FIG. 4 is a flowchart showing an example of a startup process of the notebook PC 1 according to this embodiment.

As shown in FIG. 4, the main control unit 10 of the notebook PC 1 first acquires the previous OS boot date and time information (step S101). The BIOS processing unit 101 of the main control unit 10 acquires the previous OS boot date and time information from the OS boot date and time storage unit 42.

Next, the BIOS processing unit 101 determines whether or not a predetermined period of time (e.g., three months or more) has elapsed since the previous OS startup (step S102). The BIOS processing unit 101 calculates the period of time that has elapsed since the previous OS startup based on the previous OS startup date and time information and the current date and time information, and determines whether or not the period of time is three months or more. If the predetermined period of time (e.g., three months or more) has elapsed since the previous OS startup (step S102: YES), the BIOS processing unit 101 advances the process to step S105. If the predetermined period of time (e.g., three months or more) has not elapsed since the previous OS startup (step S102: NO), the BIOS processing unit 101 advances the process to step S103.

In step S103, the BIOS processing unit 101 determines whether or not the operation of the opening detection sensor unit 341 has been detected. That is, the BIOS processing unit 101 determines whether or not the housing of the notebook PC 1 has been opened, based on whether or not the operation of the opening detection sensor unit 341 has been detected. If the operation of the opening detection sensor unit 341 has been detected (the housing has been opened) (step S103: YES), the BIOS processing unit 101 advances the process to step S105. If the operation of the opening detection sensor unit 341 has not been detected (the housing has not been opened) (step S103: NO), the BIOS processing unit 101 advances the process to step S104.

In step S104, the BIOS processing unit 101 determines whether the SSD 23 has been replaced. That is, the BIOS processing unit 101 detects the SSD 23 by the BIOS, and determines whether the device information (parameters) of the SSD 23 has been changed. If the SSD 23 has been replaced (step S104: YES), the BIOS processing unit 101 advances the process to step S105. If the SSD 23 has not been replaced (step S104: NO), the BIOS processing unit 101 advances the process to step S106.

In step S105, the BIOS processing unit 101 stores information indicating the risk state in the risk state storage unit 41. The BIOS processing unit 101 stores information (risk information) indicating the risk state corresponding to each of the above-mentioned cases (1), (3), and (4), for example, in the risk state storage unit 41. After processing in step S105, the BIOS processing unit 101 advances the processing to step S106.

In step S106, the BIOS processing unit 101 determines whether the risk information is information indicating a risk state. The BIOS processing unit 101 obtains risk information from the risk state storage unit 41, and determines whether the risk information is information indicating a risk state (for example, any of "01" to "04"). If the risk information is information indicating a risk state (step S106: YES), the BIOS processing unit 101 proceeds to step S107. If the risk information is not information indicating a risk state (the risk information is, for example, "00") (step S106: NO), the BIOS processing unit 101 proceeds to step S108.

In step S107, the BIOS processing unit 101 executes the startup of a dedicated local OS (dedicated portable OS). The BIOS processing unit 101 obtains a program for the dedicated portable OS (for example, Windows PE (Windows is a registered trademark)) from an HTTPs boot or a partition in a secure system area of the SSD 23, and starts the dedicated portable OS.

In step S108, the BIOS processing unit 101 executes normal OS startup. The BIOS processing unit 101 obtains an OS (e.g., Windows (registered trademark)) program from the SSD 23 and starts the OS.

Next, a malware detection process of the notebook PC 1 will be described with reference to FIG.
FIG. 5 is a flowchart showing an example of a malware detection process of the notebook PC 1 according to this embodiment.

As shown in FIG. 5, the main control unit 10 of the notebook OC1 determines whether or not malware infection has been detected in the OS (step S201). The OS processing unit 102 of the main control unit 10 determines whether or not malware infection has been detected in the OS by executing a program such as EPP or EDR, for example. If the OS processing unit 102 detects malware infection in the OS (step S201: YES), the process proceeds to step S202. If the OS processing unit 102 does not detect malware infection in the OS (step S201: NO), the process returns to step S201.

In step S202, the OS processing unit 102 stores information indicating the risk state (for example, "02" corresponding to case (2)) in the risk state storage unit 41. The OS processing unit 102 stores the information indicating the risk state in the risk state storage unit 41 via the BIOS processing unit 101.

Next, the recovery process of the notebook PC 1 according to this embodiment will be described with reference to FIG.
6 is a flow chart showing an example of recovery processing of the notebook PC 1 according to this embodiment. Note that the recovery processing shown in FIG. 6 is processing after the processing of step S107 in FIG.

As shown in FIG. 6, the main control unit 10 of the notebook PC 1 first restricts connection to the in-house network (network NW2) (step S301). The local OS processing unit 103 of the main control unit 10, for example, prohibits connection to the in-house network (network NW2). Note that the processing of step S301 corresponds to the isolation processing of step S2 described above.

Next, the local OS processing unit 103 determines whether the operation of the opening detection sensor unit 341 has been detected (step S302). The local OS processing unit 103 determines whether the operation of the opening detection sensor unit 341 has been detected based on whether the risk information stored in the risk state storage unit 41 is information ("03") corresponding to case (3). If the operation of the opening detection sensor unit 341 has been detected (the risk information is information ("03") corresponding to case (3)) (step S302: YES), the local OS processing unit 103 advances the process to step S304. If the operation of the opening detection sensor unit 341 has not been detected (the risk information is not information ("03") corresponding to case (3)) (step S302: NO), the local OS processing unit 103 advances the process to step S303.

In step S303, the local OS processing unit 103 determines whether the SSD 23 has been replaced. The local OS processing unit 103 determines whether the SSD 23 has been replaced based on whether the risk information stored in the risk state storage unit 41 is information ("04") corresponding to case (4). If the SSD 23 has been replaced (the risk information is information ("04") corresponding to case (4)) (step S303: YES), the local OS processing unit 103 proceeds to step S304. If the SSD 23 has not been replaced (the risk information is not information ("04") corresponding to case (4)) (step S303: NO), the local OS processing unit 103 proceeds to step S305.

In step S304, the local OS processing unit 103 notifies the security administrator of information indicating that the notebook PC 1 is in a risk state (e.g., information indicating that the case has been opened, information on replaced parts (e.g., SSD 23, etc.)). The local OS processing unit 103 notifies the in-house management server 3 of the information indicating the risk state, for example, via the NW communication unit 250 and the network NW1. After processing in step S304, the local OS processing unit 103 terminates the processing.

In step S305, the local OS processing unit 103 updates the OS to the latest version. For example, the local OS processing unit 103 executes the "dism.exe" program to execute a process to install the latest patch program for the OS. After preparing an environment for installing the latest patch program for the OS by executing "dism.exe", the local OS processing unit 103 restarts the notebook PC 1 and installs the latest patch program in the SSD 23.

Next, the local OS processing unit 103 stores information indicating that the system is not in a risk state in the risk state storage unit 41 (step S306). When the installation of the latest patch program is completed by rebooting, the local OS processing unit 103 causes the BIOS processing unit 101 to store information indicating that the system is not in a risk state (for example, "00") in the risk state storage unit 41.

Next, the local OS processing unit 103 restarts the notebook PC 1 (step S307). In this case, the main control unit 10 executes the startup process shown in FIG. 4, and restores the startup to a normal state (a state that is not at risk) (the startup state of step S108 shown in FIG. 4). After the process of step S307, the main control unit 10 ends the process.

As described above, the notebook PC 1 (information processing device) according to this embodiment includes a risk state storage unit 41 and a main control unit 10 (control unit). The risk state storage unit 41 stores information indicating a risk state that indicates that a security problem may occur. The main control unit 10 is a control unit that executes processing based on the BIOS and OS, and when a risk state is detected, stores information indicating the risk state in the risk state storage unit 41 by processing based on the BIOS. Furthermore, when starting the OS, if the risk state storage unit 41 stores information indicating a risk state in processing based on the BIOS, the main control unit 10 starts a dedicated portable OS (dedicated OS) that is secured unlike the OS, and restricts connection to the network NW2 (managed network), which is a managed local network.

As a result, when the notebook PC 1 (information processing device) according to this embodiment is in a risky state where security problems may occur, it starts up a dedicated portable OS (dedicated OS) that ensures security, and restricts connection to the network NW2 (management network), which is a managed local network. Therefore, the notebook PC 1 according to this embodiment can suppress malware infection and improve security.

For example, in cases where a patch program that resolves a vulnerability in the OS has been released but no updates to apply the patch program have been made and no measures have been taken for a long time, the notebook PC 1 according to this embodiment can treat this as a risk state by starting up a dedicated portable OS (dedicated OS) and appropriately restricting connection to the network NW2 (management network). Therefore, even in such a case, the notebook PC 1 according to this embodiment can reduce the possibility of malware spreading within the network NW2 (management network).

In the notebook PC 1 according to this embodiment, a secure dedicated portable OS (dedicated OS) is started up instead of using an OS that may cause security problems, so recovery and restoration can be performed safely.

In this embodiment, the risk state also includes a case where the OS has not been started for a predetermined period of time or more (case (1)). When starting the OS, in a process based on the BIOS, if the OS has not been started for a predetermined period of time or more (e.g., three months or more), the main control unit 10 stores information indicating a risk state (e.g., "01") in the risk state storage unit 41 and starts a dedicated portable OS (dedicated OS) instead of the OS.

As a result, the notebook PC 1 according to this embodiment determines that, for example, a notebook PC 1 that has not been started for a long period of time is a device (dark endpoint) that may pose a security problem, thereby appropriately suppressing malware infection and improving security.

In this embodiment, the risk state also includes a case where malware is detected during processing of a program capable of detecting malware executed on the OS (case (2)). When malware is detected during execution of a program capable of detecting malware (e.g., EPP and EDR), the main control unit 10 stores information indicating the risk state (e.g., "02") in the risk state storage unit 41 through processing based on the BIOS.

As a result, the notebook PC 1 according to this embodiment, for example, when executing a program capable of detecting malware (such as EPP and EDR), determines that the device is one in which security issues may arise, thereby appropriately suppressing malware infection and improving security.

In addition, in this embodiment, the main control unit 10 executes an OS update process that applies the latest patch program for the OS through processing based on the dedicated portable OS.

As a result, the notebook PC 1 according to this embodiment automatically applies the latest OS patch program to devices in a risky state, so that devices in a risky state can be appropriately restored to a safe state.

In addition, in this embodiment, when the OS update process is completed, the main control unit 10 stores information indicating that the BIOS-based process is not at risk (e.g., "00") in the risk state storage unit 41.

As a result, the notebook PC 1 according to this embodiment can properly resolve the risk state and safely restore (recover) to the normal state.

In this embodiment, the risk state also includes a case where an opening detection sensor (opening detection sensor unit 341) that detects that the housing in which the device is mounted has been opened detects that the housing has been opened (case (3)). When starting the OS, if the opening detection sensor unit 341 detects that the housing has been opened in a process based on the BIOS, the main control unit 10 stores information indicating a risk state (e.g., "03") in the risk state storage unit 41 and starts a dedicated portable OS (dedicated OS) instead of the OS.

As a result, the notebook PC 1 according to this embodiment can determine that a device may have security issues if, for example, the case is opened, and can appropriately prevent malware infection and improve security.

In this embodiment, the risk state also includes a case where the storage device (e.g., SSD 23) in which the OS program is stored has been replaced (case (4)). When the main control unit 10 detects in the BIOS-based processing when starting the OS that the storage device (e.g., SSD 23) has been replaced, it stores information indicating the risk state (e.g., "04") in the risk state storage unit 41 and starts a dedicated portable OS (dedicated OS) instead of the OS.

As a result, the notebook PC 1 according to this embodiment can appropriately prevent malware infection and improve security by determining that a device that may pose a security problem may be present if, for example, a storage device (e.g., SSD 23) is illegally replaced.

In addition, in this embodiment, when the risk state storage unit 41 stores information indicating a risk state, the main control unit 10 notifies the security administrator of information indicating the risk state (for example, information indicating that the housing has been opened (for example, "03" or "04"), information on replaced parts (for example, SSD 23, etc.)).

As a result, the notebook PC 1 according to this embodiment notifies the security administrator of information indicating a risky state (for example, information indicating that the case has been opened (for example, "03" or "04"), information on parts that have been replaced (for example, SSD 23, etc.)), thereby further improving security.

In addition, in this embodiment, when the risk state storage unit 41 stores information indicating a risk state (e.g., "03" or "04"), the main control unit 10 further executes a detection process to determine whether or not the OS is infected with malware.

As a result, the notebook PC 1 according to this embodiment can further improve security by executing a detection process to determine whether the OS of a device that may pose a security problem is infected with malware.

The control method according to this embodiment is a control method for a notebook PC 1 including a risk state storage unit 41 that stores information indicating a risk state indicating that a security problem may occur, and a main control unit 10 that executes processing based on the BIOS and OS, and includes a risk state detection step and a restriction step. In the risk state detection step, if the main control unit 10 detects a risk state, information indicating the risk state is stored in the risk state storage unit 41 by processing based on the BIOS. In the restriction step, when the main control unit 10 starts the OS, if the risk state storage unit 41 stores information indicating a risk state in the processing based on the BIOS, the main control unit 10 starts a dedicated OS that is different from the OS and is secured, and restricts connection to the network NW2, which is a managed local network.

As a result, the control method according to this embodiment has the same effect as the notebook PC 1 described above, and can suppress malware infections and improve security.

The present invention is not limited to the above-described embodiment, and can be modified without departing from the spirit of the present invention.
For example, in the above embodiment, the information processing device is the notebook PC 1 by way of example, but is not limited thereto, and may be, for example, another information processing device such as a tablet terminal device or a desktop PC.

In the above embodiment, the OS of the notebook PC 1 is described as Windows (registered trademark), but this is not limited to this, and other OSs such as Android (registered trademark), iOS (registered trademark), etc. may also be used.

In the above embodiment, an example was described in which the dedicated local OS retrieves and starts a program from a partition in a secure system area of the boot server 2 or the SSD 23, but this is not limited to this, and the program may be retrieved from a memory that cannot be tampered with, such as the BIOS memory 22 or a ROM.

In addition, in the above embodiment, an example was described in which the information processing system 100 has a separate boot server 2 and in-house management server 3, but this is not limited to this, and the boot server 2 and in-house management server 3 may be configured as a single server device.

In the above embodiment, the BIOS processing unit 101 determines that the OS is in a risk state when, for example, three months or more have elapsed since the last OS startup. However, this is not limited to this, and the BIOS processing unit 101 may determine that the OS is in a risk state when, for example, another period of time has elapsed, such as one month or more, six months or more, etc.

Each of the components of the notebook PC 1 described above has an internal computer system. A program for implementing the functions of each of the components of the notebook PC 1 described above may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read into a computer system and executed to perform processing in each of the components of the notebook PC 1 described above. Here, "reading a program recorded on a recording medium into a computer system and executing it" includes installing the program into a computer system. The "computer system" referred to here includes hardware such as an OS and peripheral devices.
Furthermore, a "computer system" may include a plurality of computer devices connected via a network including the Internet or communication lines such as a WAN, LAN, or dedicated line. Furthermore, a "computer-readable recording medium" refers to portable media such as a flexible disk, a magneto-optical disk, a ROM, or a CD-ROM, or a storage device such as a hard disk built into a computer system. In this manner, the recording medium storing the program may be a non-transitory recording medium such as a CD-ROM.

The recording medium also includes an internal or external recording medium accessible from a distribution server to distribute the program. The program may be divided into multiple parts, downloaded at different times, and then combined with each component of the notebook PC 1, or each divided program may be distributed by a different distribution server. Furthermore, the term "computer-readable recording medium" also includes a recording medium that holds a program for a certain period of time, such as a volatile memory (RAM) inside a computer system that becomes a server or client when a program is transmitted over a network. The program may also be a recording medium for implementing part of the above-mentioned functions. Furthermore, the program may be a so-called differential file (differential program) that can realize the above-mentioned functions in combination with a program already recorded in the computer system.

In addition, some or all of the above-mentioned functions may be realized as an integrated circuit such as an LSI (Large Scale Integration). Each of the above-mentioned functions may be individually processed, or some or all of the functions may be integrated into a processor. The integrated circuit method is not limited to LSI, and may be realized by a dedicated circuit or a general-purpose processor. Furthermore, if an integrated circuit technology that can replace LSI appears due to advances in semiconductor technology, an integrated circuit based on that technology may be used.

1. Notebook PC
2 Boot server 3 In-house management server 10 Main control unit 11 CPU
12 Main memory 13 Video subsystem 14 Display unit 21 Chipset 22 BIOS memory 23 SSD
24 Audio system 25 WLAN card 26 USB connector 31 Embedded controller (EC)
32 Input unit 33 Power supply circuit 34 Sensor unit 40 Storage unit 41 Risk state storage unit 42 OS startup date and time storage unit 100 Information processing system 101 BIOS processing unit 102 OS processing unit 103 Local OS processing unit 250 NW communication unit 341 Opening detection sensor unit NW1, NW2 Network

Claims (10)

a risk state storage unit that stores information indicating a risk state indicating that a security problem may occur;
a control unit that executes processing based on a basic input output system (BIOS) and an operating system (OS), and when the risk state is detected, causes information indicating the risk state to be stored in the risk state storage unit through processing based on the BIOS;
The control unit, when starting the OS, in processing based on the BIOS, if the risk state memory unit stores information indicating the risk state, starts a dedicated OS that is different from the OS and is guaranteed to be secure, and restricts connection to a management network, which is a managed local network. The risk state includes a case where the OS has not been started for a predetermined period of time or longer,
The information processing device of claim 1, wherein when the control unit starts the OS, if, in processing based on the BIOS, the OS starts after an interval of at least a predetermined period, the control unit stores information indicating the risk state in the risk state memory unit and starts the dedicated OS instead of the OS. The risk state includes a case where malware is detected in a process in which a program capable of detecting malware is executed on the OS,
The information processing device according to claim 1 , wherein when the malware is detected during execution of a program capable of detecting the malware, the control unit stores information indicating the risk state in the risk state memory unit by processing based on the BIOS. The information processing apparatus according to claim 1 , wherein the control unit executes an update process of the OS that applies a latest patch program for the OS by a process based on the dedicated OS. The information processing device according to claim 4 , wherein the control unit, when execution of the OS update process is completed, stores information indicating that the BIOS-based process is not in the risk state in the risk state storage unit. The risk state includes a case where an opening detection sensor detects that a housing in which the device is mounted has been opened, and the case detects that the housing has been opened,
The information processing device of claim 1, wherein when the control unit starts the OS, if the opening detection sensor detects that the housing has been opened in processing based on the BIOS, the control unit stores information indicating the risk state in the risk state memory unit and starts the dedicated OS instead of the OS. The risk state includes a case where a storage device in which the OS program is stored is replaced,
2. The information processing device of claim 1, wherein when the control unit detects that a storage device has been replaced in processing based on the BIOS when starting the OS, the control unit stores information indicating the risk state in the risk state memory unit and starts the dedicated OS instead of the OS. The information processing device according to claim 6 or 7, wherein the control unit, when the risk state storage unit stores information indicating the risk state, notifies a security administrator of the information indicating the risk state. The information processing device according to claim 8 , wherein the control unit, when the risk state storage unit stores information indicating the risk state, further executes a detection process for detecting whether or not the OS is infected with malware. A method for controlling an information processing device including a risk state storage unit that stores information indicating a risk state indicating that a security problem may occur, and a control unit that executes processing based on a BIOS (Basic Input Output System) and an OS (Operating System), comprising:
a step of causing the control unit to store information indicating the risk state in the risk state storage unit by processing based on a BIOS when the control unit detects the risk state;
A control method comprising: when the control unit starts the OS, if the risk state memory unit stores information indicating the risk state in processing based on the BIOS, starting a dedicated OS that is different from the OS and whose security is ensured, and restricting connection to a management network, which is a managed local network.

Images