基于内核函数监控的Linux系统防护方法的研究与实现

doi:10.3969/j.issn.1671-1122.2018.03.004

信息网络安全 ›› 2018, Vol. 18 ›› Issue (3): 26-38.doi: 10.3969/j.issn.1671-1122.2018.03.004

基于内核函数监控的Linux系统防护方法的研究与实现

翟高寿¹(), 刘晨¹, 向勇²

1. 北京交通大学计算机与信息技术学院,北京100044
2. 清华大学计算机科学与技术系,北京100084

收稿日期:2017-10-01 出版日期:2018-03-15 发布日期:2020-05-11
作者简介:
作者简介：翟高寿（1971—),男,山西,副教授,博士,主要研究方向为操作系统与系统安全、系统软件设计、算法分析与设计;刘晨（1993—）,男,湖北,硕士研究生,主要研究方向为操作系统安全;向勇（1967—）,男,重庆,副教授,博士,主要研究方向为操作系统、无线自组网和计算机协同工作。
基金资助:
国家自然科学基金[61672092]

Study and Implementation of Systematic Protection by Monitoring Abnormal Invocation of Linux Kernel Functions

Gaoshou ZHAI¹(), Chen LIU¹, Yong XIANG²

1. School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China
2. School of Computer Science and Technology, Tsinghua University, Beijing 100084, China

Received:2017-10-01 Online:2018-03-15 Published:2020-05-11

摘要/Abstract

摘要：

伴随Linux操作系统在服务器市场所占份额的迅速增长及其内核漏洞曝光率的不断增加,Linux内核安全已成为计算机系统安全领域的研究焦点之一。文章以运行Linux系统的服务器为研究对象,提出了一种基于内核函数监控的系统防护模型,试图通过限制相关服务进程所能访问的内核函数范围,使恶意攻击的难度加大进而增强Linux内核安全,同时通过对内核函数各种异常调用情况的分级分类实时处理,从而提升整个服务器系统的安全水平。原型实验结果表明,文章所提方法能够及时检测到相关服务进程对内核函数的异常调用情况,并给以适当的报警或拦截处理,而且由此带来的额外开销完全可以承受,从而验证了本文方法的可行性和有效性。与内核安全防护的其他研究工作相比,文章所提方法所涉内核防护覆盖范围更大且无需重新编译构建内核映像,并切实做到了监测与防护的有机结合。

关键词: 操作系统安全, 内核安全, 系统防护方法, 服务进程, 内核函数调用

Abstract:

With the wide application of Linux operating systemin the servers and the continuous exposure of kernel vulnerabilities, Linux kernel security has become one of the research focuses in the fields of computer system security. As for the server running Linux system, this paper proposed a system protection model by the way of monitoring kernel functions. It limits the kernel functions that can be accessed by the related daemons and increases the difficulty of malicious attacksso as to enhance the security of Linux kernel.Moreover, some real-time categorical processing is introduced for various abnormal invocations to the kernel functions so that the security level of the entire server system is promoted. Experimental results show that the proposed method can indeed detect the abnormal invocations of the kernel functions timely followed by some appropriate alarming or interception measures. Furthermore, the additional overloads are not too much such that the method is verified to be feasible and effective. Compared with other research work about kernel security, this method can protectbroader kernel coverage and it eliminates the need to recompile and reconstruct the kernel image while kernel monitoring and protection mechanisms are integrated organically.

Key words: security of operating systems, security of kernel, systematic protection, daemon, invocation of kernel functions

中图分类号:

TP309.1

翟高寿, 刘晨, 向勇. 基于内核函数监控的Linux系统防护方法的研究与实现[J]. 信息网络安全, 2018, 18(3): 26-38.

Gaoshou ZHAI, Chen LIU, Yong XIANG. Study and Implementation of Systematic Protection by Monitoring Abnormal Invocation of Linux Kernel Functions[J]. Netinfo Security, 2018, 18(3): 26-38.

图/表 16

图1

图2

图3

图4

表1

表2

图5

图6

图7

图8

图9

表3

表4

图10

图11

图12

参考文献 24

[1]	Common Vulnerabilities and Exposures [EB/OL]. .
[2]	STEVEN A, HOFMEYR, STEPHANIE F,et al.Intrusion Detection Using Sequences of System Calls[J]. Journal of Computer Security, 1998(6):151-180.
[3]	卿斯汉,程伟,杜超. Windows操作系统的安全风险可控性分析[J]. 信息网络安全,2015(4):5-12.
[4]	MURTAZA S S, KHREICH W, HAMOU-LHADJA B, et al.A Host-based Anomaly Detection Approach by Representing System Calls as States of Kernel Modules[C] // IEEE Computer Society. 2013 24th IEEE International Symposium on Software Reliability Engineering (ISSRE 2013), November 4-7, 2013, Pasadena, CA, United states. Washington DC: IEEE Computer Society, 2013: 431-440.
[5]	黄飞. 基于进程行为的主机异常检测系统[D]. 扬州:扬州大学, 2008.
[6]	李汶洋. Android操作系统恶意软件检测技术研究[J]. 信息网络安全,2015(9):62-65.
[7]	GIDEON C, HU Jiankun.A Semantic Approach to Host-based Intrusion Detection Systems Using Contiguous and Discontiguous System Call Patterns[J]. IEEE Transactions on Computers, 2014, 63(4):807-819.
[8]	MA W, DUAN P, LIU S, et al.Shadow Attacks: Automatically Evading System-call-behavior Based Malware Detection[J]. Journal in Computer Virology, 2012, 8(1-2):1-13.
[9]	宋新龙,郑东,杨中皇. 基于AOSP与SELinux的移动设备管理系统[J]. 信息网络安全,2017(9):103-106.
[10]	赵旭,陈丹敏,颜学雄,等. 沙箱技术研究综述[J]. 中原工学院学报,2014,25(4):1-5.
[11]	程香鹏,陈莉君. 基于LSM的沙箱模块设计与实现[J]. 计算机与数字工程,2014,42(8):1521-1525.
[12]	黄义文. Linux操作系统内核裁剪的分析[J]. 中国民航飞行学院学报, 2010, 21(3):56-59.
[13]	徐晨辉. 嵌入式Linux内核裁剪及移植的研究与实现[D]. 上海:东华大学, 2009.
[14]	KURMUS A, SORNIOTTI A, KAPITZA R.Attack Surface Reduction for Commodity OS Kernels: Trimmed Garden Plants May Attract Less Bugs[C] // ACM Special Interest Group on Operating Systems (SIGOPS). 4th Workshop on European Workshop on System Security (EUROSEC'11), April 10, 2011, Salzburg, Austria.New York: Association for Computing Machinery, 2011: 168-192.
[15]	KURMUS A, DECHAND S, KAPITZA R.Quantifiable Run-time Kernel Attack Surface Reduction[C] // Nominet, Kaspersky Lab, Huawei, HP Labs Bristol, GCHQ, et al. 11th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2014), July 10-11, 2014, Egham, United kingdom. New York: Springer Verlag, 2014:212-234.
[16]	武成岗,李建军. 控制流完整性的发展历程[J]. 中国教育网络, 2016(4):52-55.
[17]	RAFIK F, MICHEL D.Efficient Conditional Tracepoints in Kernel Space[J]. The Open Cybernetics &Systemics Journal,2012, 6(1):11-25.
[18]	JIM K, PRASANNA S P, MASAMI H. Kernel Probes (Kprobes) [EB/OL]., 2017-7-15.
[19]	黄杰,翟高寿. 针对内核非控制数据攻击的在线监测方法研究[J]. 计算机应用与软件,2017,34(2):325-333.
[20]	Zabbix-百度百科[EB/OL]. .
[21]	蒋卫华,李伟华,杜君. 缓冲区溢出攻击:原理,防御及检测[J]. 计算机工程, 2003,29(10):5-7.
[22]	黄志军,郑滔. 基于Return-Oriented Programming的程序攻击与防护[J]. 计算机科学,2012,39(6):1-5.
[23]	CVE. CVE-2015-8660 [EB/OL]. , 2015-12-23.
[24]	CVE. CVE-2016-8655 [EB/OL]. , 2016-10-12.

基于内核函数监控的Linux系统防护方法的研究与实现

Study and Implementation of Systematic Protection by Monitoring Abnormal Invocation of Linux Kernel Functions

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 16

参考文献 24

相关文章 4

编辑推荐

Metrics

本文评价

[1]	翟高寿, 翟瑞霞, 刘峰, 李红辉. 设备驱动故障注入方法的研究与实现[J]. 信息网络安全, 2019, 19(6): 19-27.
[2]	谭茁, 翟高寿. 设备驱动非内核化通信架构的研究与实现[J]. 信息网络安全, 2016, 16(11): 57-65.
[3]	卿斯汉. 关键基础设施安全防护[J]. 信息网络安全, 2015, 15(2): 1-6.
[4]	李科. 服务器操作系统的测评方法[J]. , 2012, 12(Z): 0-0.