
Research on Protection Methods against Operating-System Kernel-Level Rootkits on Virtualization Platforms

Published: 2017-12-26 18:39

  Title: Research on Protection Methods against Operating-System Kernel-Level Rootkits on Virtualization Platforms. Source: Beijing Institute of Technology, doctoral thesis, 2016. Paper type: degree thesis.


  Related topics: rootkit protection; integrity protection; virtualization; operating-system kernel; rootkits


【Abstract】: With the development of information technology, society's demand for information security grows ever more pressing, and information security has become a problem that cannot be ignored. The operating system is one of the basic elements of an information system: its security problems threaten the whole information system, and kernel security is the core of operating-system protection, because once the kernel is compromised the security of the entire operating system, and even of the information system, may be affected. Kernel-level rootkit attacks are the main threat to kernel security: a rootkit tampers with kernel code or data, thereby controls the whole operating system and hides its malicious behaviour. This thesis takes protection against kernel-level rootkit attacks as its research goal and the integrity of kernel data as its technical route. It first builds data-access relation graphs and function-call relation graphs for multiple platforms; then, using these graphs as the basis for judgement, protects non-stack data and stack data in the kernel separately; and finally establishes a kernel-level rootkit protection model together with an experimental prototype. The main results and innovations are:

1. An automatic method for constructing kernel-level data-access and function-call relation graphs that relies on the exception mechanisms of virtualization and is compatible with multiple platform architectures; it does not depend on the guest's software structure or compilation conventions and achieves high precision and recall. The graphs give the non-stack and stack data protection methods their basis for judgement. The method uses the page-fault mechanism of the virtual machine monitor (VMM) to monitor write accesses to specific memory data and records the instructions that perform those accesses, which yields the data-access relation graph; it uses the VMM's software-breakpoint exception mechanism to hijack the first instruction of each in-memory function together with call and return instructions, which reveals the parent-child call relations between functions and yields a function-call relation graph from child function to parent function. Experiments built the graphs for 32-bit Windows XP and 32-bit Linux on x86 and for 64-bit Windows 7 on x64: the data-access graph was built with 100% precision, and the function-call graph with 100% precision and a recall above 87%. The method works across a variety of operating systems on the x86 and x64 architectures without depending on their software structure or compilation conventions, and the two graphs serve directly as the basis of judgement for the protection methods below.

2. A protection method for non-stack kernel data that takes the code sections of legitimate kernel modules, the data-access graph and the function-call graph as trusted intervals, protecting kernel code, heap data, data sections and BSS sections against many types of rootkit attack with high reliability. It is designed to counter MEP, KOH and DKOM rootkits that attack non-stack kernel data. The method first uses the code sections of legitimate kernel modules as a trusted interval and checks whether the scattered function pointers held in non-stack kernel data point into those code sections; it then uses the data-access and function-call graphs as a second trusted interval, ensuring that every other kind of protected non-stack data can be modified only by instructions recorded in the data-access graph, and only when the parent function that invoked such an instruction also satisfies the function-call graph. Experiments on 32-bit Windows XP with 6 typical malicious rootkits and 14 constructed attack samples show that the method protects against all of them, defeating MEP, KOH and DKOM attacks while also blocking page-mapping attacks, so non-stack kernel data is effectively protected. Compared with similar methods, its notable advantage lies in protection against DKOM attacks: it prevents such malicious code from running, and the protection is more complete and reliable.

3. A protection method for kernel stack data that binds each executable unit to its own kernel stack by monitoring the switching, replacement, creation and deletion of kernel stacks; it offers strong protection over a wide scope and protects all types of data on the kernel stack at once. It is designed to block "return-to-schedule" rootkits and their extended variants, which attack kernel stack data. The method monitors stack switching, replacement, creation and deletion and synchronously changes the read/write attributes of the memory regions holding the kernel stacks, so that an executable unit can modify only its own kernel stack and cannot tamper with any other; this is the binding effect. It then protects the relevant kernel code and data according to the data-access and function-call graphs, so that an executable unit cannot tamper with its own kernel stack by executing malicious code. Experiments on 32-bit Windows XP with 6 constructed samples attacking kernel stack data show that the method protects against all of them, blocking return-to-schedule attacks and their extensions and effectively protecting return addresses, parameters, local variables and every other type of data on the kernel stack.

4. A kernel-level rootkit protection model based on virtualization technology that supports multiple platform architectures, together with a designed and implemented experimental prototype with strong protection capability and low resource usage. The prototype mainly uses the non-stack and stack data protection methods to protect in-memory kernel data; it also monitors writes to key operating-system registers to guarantee their integrity; and, for compatibility across platforms, it identifies the type of the guest operating system, then reconstructs its semantic information and protects it. Experiments on 32-bit Windows XP with 6 typical malicious rootkits and 25 constructed attack samples show that the prototype resists all of them with a performance overhead below 3.1%; it also protects against typical malicious rootkits under 64-bit Windows 7 and 32-bit Linux. The prototype thus protects the kernel data of multiple operating systems effectively with little resource usage.
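The two "trusted intervals" of contribution 2 reduce to a small policy check that a VMM would run on every trapped write to protected kernel data. The following C program is an added illustration of that check and is not the thesis's own code: the module ranges, the data-access edges (data object, writer instruction, function containing it) and the call-graph edges (child, parent) are constructed sample values standing in for what the page-fault and breakpoint tracing of contribution 1 would record on a real guest, and plain 64-bit integers stand in for guest addresses.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Code section of a legitimate kernel module: [start, end). */
struct code_range { const char *module; uint64_t start, end; };

/* Data-access graph edge: data object `data` may be written by the
 * instruction at `insn`, which belongs to the function at `func`. */
struct access_edge { uint64_t data, insn, func; };

/* Function-call graph edge: `child` may be called by `parent`. */
struct call_edge { uint64_t child, parent; };

/* Constructed sample (assumed values, not from any real guest). */
static const struct code_range k_modules[] = {
    { "ntoskrnl.exe", 0x80400000ull, 0x80600000ull },
    { "hal.dll",      0x80700000ull, 0x80720000ull },
};
#define N_MODULES (sizeof k_modules / sizeof k_modules[0])

#define SSDT_SLOT0  0x80580000ull   /* a protected function-pointer slot   */
#define THREAD_LIST 0x80590000ull   /* a protected list head (DKOM target) */

/* THREAD_LIST may be written by two instructions in two list routines. */
static const struct access_edge k_access[] = {
    { THREAD_LIST, 0x80410010ull, 0x80410000ull },
    { THREAD_LIST, 0x80420020ull, 0x80420000ull },
};
#define N_ACCESS (sizeof k_access / sizeof k_access[0])

/* Those routines are legitimately reached only from these parents. */
static const struct call_edge k_calls[] = {
    { 0x80410000ull, 0x80430000ull },
    { 0x80420000ull, 0x80430000ull },
    { 0x80420000ull, 0x80440000ull },
};
#define N_CALLS (sizeof k_calls / sizeof k_calls[0])

/* Constructed pointer table: two entries inside module code, one outside. */
static const uint64_t k_sample_table[] = {
    0x80450000ull, 0x80710000ull, 0x12340000ull,
};
#define N_SAMPLE_TABLE (sizeof k_sample_table / sizeof k_sample_table[0])

/* Trusted interval 1: a function pointer must land inside the code
 * section of a legitimate module (end is exclusive). */
bool pointer_in_trusted_code(uint64_t target)
{
    for (size_t i = 0; i < N_MODULES; i++)
        if (target >= k_modules[i].start && target < k_modules[i].end)
            return true;
    return false;
}

/* Scan a table of scattered function pointers; return how many point
 * outside legitimate module code (hooked entries). */
size_t count_hijacked_pointers(const uint64_t *table, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!pointer_in_trusted_code(table[i]))
            bad++;
    return bad;
}

enum verdict { WRITE_ALLOWED = 0, DENY_INSTRUCTION = 1, DENY_PARENT = 2 };

/* Trusted interval 2: a trapped write (data, writer instruction, parent of
 * the writer's function) is allowed only if the writer is an edge of the
 * data-access graph for that object AND the parent is an edge of the
 * call graph for the writer's function.  A protected object with no
 * recorded writers (such as SSDT_SLOT0) can never be written. */
enum verdict check_write(uint64_t data, uint64_t insn, uint64_t parent)
{
    for (size_t i = 0; i < N_ACCESS; i++) {
        if (k_access[i].data != data || k_access[i].insn != insn)
            continue;
        for (size_t j = 0; j < N_CALLS; j++)
            if (k_calls[j].child == k_access[i].func && k_calls[j].parent == parent)
                return WRITE_ALLOWED;
        return DENY_PARENT;   /* known writer reached from an unknown caller */
    }
    return DENY_INSTRUCTION;  /* writer not in the data-access graph */
}

int main(void)
{
    printf("hijacked pointers in sample table: %zu\n",
           count_hijacked_pointers(k_sample_table, N_SAMPLE_TABLE));
    printf("legit unlink:   %d\n", check_write(THREAD_LIST, 0x80410010ull, 0x80430000ull));
    printf("bad parent:     %d\n", check_write(THREAD_LIST, 0x80410010ull, 0x80440000ull));
    printf("rootkit write:  %d\n", check_write(THREAD_LIST, 0x90001234ull, 0x80430000ull));
    return 0;
}
```

The `DENY_PARENT` case is what distinguishes this policy from a plain write whitelist: a rootkit that calls a legitimate list-manipulation routine to unlink its own process still trips the check because the routine's caller is not in the recorded call graph.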
【Degree-granting institution】: Beijing Institute of Technology
【Degree level】: Doctor
【Year conferred】: 2016
【Classification number】: TP309; TP316
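The stack-binding idea of contribution 3 can be shown in user space by letting `mprotect` stand in for the VMM toggling page attributes on a stack switch. The following C program is an added illustration, not code from the thesis: each "kernel stack" is modelled as one anonymous page, `switch_to` is the hook that would run on a stack switch, and `write_probe` only exists to demonstrate the effect by catching the fault that a cross-stack write now produces. In the real design this happens in the hypervisor's page tables, where a guest fault becomes a VM exit rather than a signal.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define N_STACKS 2               /* two executable units, one stack each */

static long g_page;              /* page size, set in stacks_init */
static unsigned char *g_stacks[N_STACKS];
static int g_current = -1;       /* id of the unit whose stack is writable */

/* Model of stack creation: one anonymous page per executable unit. */
bool stacks_init(void)
{
    g_page = sysconf(_SC_PAGESIZE);
    for (int i = 0; i < N_STACKS; i++) {
        void *p = mmap(NULL, (size_t)g_page, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p == MAP_FAILED)
            return false;
        g_stacks[i] = p;
    }
    return true;
}

/* Stack-switch hook: the incoming unit's stack becomes writable and every
 * other stack becomes read-only, binding each unit to its own stack. */
bool switch_to(int id)
{
    if (id < 0 || id >= N_STACKS)
        return false;
    for (int i = 0; i < N_STACKS; i++) {
        int prot = (i == id) ? (PROT_READ | PROT_WRITE) : PROT_READ;
        if (mprotect(g_stacks[i], (size_t)g_page, prot) != 0)
            return false;
    }
    g_current = id;
    return true;
}

int current_unit(void) { return g_current; }

/* Fault trap used only by the probe: a failed store lands here. */
static sigjmp_buf g_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(g_jmp, 1); }

/* Attempt one store into stack `id` at byte `off`; true if it succeeded,
 * false if the page attributes blocked it (SIGSEGV, or SIGBUS on some
 * platforms).  The previous handlers are restored afterwards. */
bool write_probe(int id, size_t off, unsigned char value)
{
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    bool ok;
    if (sigsetjmp(g_jmp, 1) == 0) {
        volatile unsigned char *p = g_stacks[id] + (off % (size_t)g_page);
        *p = value;          /* faults unless `id` is the current unit */
        ok = true;
    } else {
        ok = false;          /* reached via siglongjmp from on_fault */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return ok;
}

/* Read back a stack byte (always allowed: pages stay readable). */
unsigned char stack_byte(int id, size_t off)
{
    return g_stacks[id][off % (size_t)g_page];
}

int main(void)
{
    if (!stacks_init() || !switch_to(0))
        return 1;
    printf("unit 0 -> own stack:   %s\n", write_probe(0, 16, 0xAA) ? "ok" : "blocked");
    printf("unit 0 -> unit 1 stack: %s\n", write_probe(1, 16, 0xBB) ? "ok" : "blocked");
    switch_to(1);
    printf("unit 1 -> unit 0 stack: %s\n", write_probe(0, 16, 0xCC) ? "ok" : "blocked");
    printf("unit 1 -> own stack:   %s\n", write_probe(1, 16, 0xDD) ? "ok" : "blocked");
    return 0;
}
```

The second half of contribution 3 is why the binding alone is not enough: a unit can still corrupt its own return addresses by running injected code, so the data-access and call-graph checks must also cover the code that is allowed to touch the stack.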




Entry number: 1338402


Link: http://sikaile.net/shoufeilunwen/xxkjbs/1338402.html

