
Research on Protection Methods against Operating System Kernel-Level Rootkits on Virtualization Platforms

Published: 2017-12-26 18:39

Keywords of this paper: Research on Protection Methods against Operating System Kernel-Level Rootkits on Virtualization Platforms. Source: Beijing Institute of Technology, doctoral dissertation, 2016. Paper type: degree thesis


More related articles: Rootkits protection; integrity protection; virtualization; operating system kernel; Rootkits


【Abstract】: With the development of information technology, society's demand for information security grows ever more urgent, and information security has become a problem that cannot be ignored. The operating system is one of the basic elements of an information system, so its security problems threaten the whole information system. The security of the kernel is the core of operating system protection: once the kernel is compromised, the whole operating system and even the information system may be affected. Kernel-level Rootkits attacks are the main threat to kernel security; they can tamper with kernel code or data, thereby take control of the whole operating system and hide their malicious behaviour. This thesis takes protection methods against kernel-level Rootkits attacks as its research goal and the protection of kernel data integrity as its technical route. First, data access graphs and function call graphs are constructed for multiple platforms; then, using these graphs as the basis for judgement, non-stack data and stack data in the kernel are protected separately; finally, a kernel-level Rootkits protection model and an experimental prototype are built. The main results and contributions of the thesis are as follows.

1. An automatic construction method for kernel-level data access graphs and function call graphs that uses the exception mechanisms of virtualization and is compatible with multiple platform architectures; it does not depend on the software structure or compilation conventions of the protected system and has high precision and recall. To provide a basis for judgement for the non-stack and stack data protection methods, an automatic construction method for data access and function call graphs is proposed. The method uses the page-fault mechanism of the virtual machine monitor to monitor write accesses to specific memory data and records the instructions that access it, thereby building the data access graph; it uses the software-breakpoint mechanism of the virtual machine monitor to hijack function entry instructions, call instructions and return instructions, thereby monitoring parent-child call relations between functions and building a call graph from child function to parent function. Experiments constructed the graphs for 32-bit Windows XP and 32-bit Linux on x86 and for 64-bit Windows 7 on x64. The results show that the data access graph is built with 100% precision, and the function call graph with 100% precision and a recall above 87%. The method is compatible with multiple operating systems on the x86 and x64 processor architectures and does not depend on their software structure or compilation conventions. The two graphs can be used directly as the basis for judgement in the non-stack and stack data protection methods.

2. A protection method for non-stack kernel data that uses legitimate kernel module code sections, the data access graph and the function call graph as trusted intervals; it protects kernel code, heap data, the data section and the BSS section, effectively resists many types of Rootkits attacks, and is highly reliable. To resist MEP, KOH and DKOM type Rootkits attacks on non-stack kernel data, a non-stack data protection method based on trusted intervals is proposed. The method first builds a trusted interval from the code sections of legitimate kernel modules and checks whether the discrete function pointers in non-stack kernel data point into those sections; it then builds a trusted interval from the data access graph and the function call graph to ensure that other kinds of target data in non-stack memory may be modified only by instructions in the data access graph, and that the parent functions calling those instructions must also satisfy the function call graph. Experiments on 32-bit Windows XP selected 6 typical malicious Rootkits and constructed 14 attack samples. The results show that the method protects against all of the typical Rootkits and attack samples, successfully resists MEP, KOH and DKOM type Rootkits attacks, and also blocks page-mapping attacks, protecting non-stack kernel data effectively. Compared with similar methods, its notable advantage lies in the protection against DKOM type attacks: it can stop such malicious code from running, and the protection is more complete and reliable.

3. A protection method for kernel stack data that binds each execution unit to its kernel stack by monitoring the switching, replacement, creation and deletion of kernel stacks; it has strong protection capability, a wide scope, and protects all types of data on the kernel stack simultaneously. To stop "return-to-schedule" Rootkits and their extended types from attacking kernel stack data, a stack data protection method that binds execution units is proposed. By monitoring kernel stack switching, replacement, creation and deletion, the method synchronously changes the read/write attributes of the memory region holding each kernel stack, so that an execution unit can modify only its own kernel stack data and cannot tamper with other kernel stacks; this binds the execution unit to its kernel stack. It then protects the relevant kernel code and data according to the data access and function call graphs, ensuring that an execution unit cannot tamper with its own kernel stack data by executing malicious code. Experiments on 32-bit Windows XP constructed 6 test samples that attack kernel stack data. The results show that the method defends against all of the attack samples, successfully stops "return-to-schedule" and its extended Rootkits types, and effectively protects all kinds of data on the kernel stack, including return addresses, parameters and local variables.

4. A virtualization-based kernel-level Rootkits protection model that supports multiple platform architectures, together with a designed and implemented experimental prototype that has strong protection capability and low resource usage. To resist Rootkits attacks on operating system kernel data, a kernel-level Rootkits protection model was built and its experimental prototype designed and implemented. The system mainly uses the non-stack and stack data protection methods to protect memory data in the operating system kernel; it also monitors writes to critical operating system registers to guarantee the integrity of those registers; and, to support multiple platforms, it identifies the operating system type of the guest virtual machine, then reconstructs its semantic information and protects it. Experiments on 32-bit Windows XP selected 6 typical malicious Rootkits and constructed 25 attack samples. The results show that the prototype effectively resists all of the typical Rootkits and test samples with a performance overhead below 3.1%. It can also defend against typical malicious Rootkits on 64-bit Windows 7 and 32-bit Linux. The prototype effectively protects the kernel data of multiple operating systems at a low resource cost.
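As an added illustration (not code from the thesis), the trusted-interval check of contribution 2 modelled in Python: a function pointer is accepted only if it points into a legitimate module's code section, and a trapped write is accepted only if the writing instruction is in the data access graph and its containing function was entered from a parent recorded in the call graph. The hypervisor trap plumbing is omitted; all addresses, module ranges and graph entries are constructed placeholders.

```python
def in_code_segment(addr, modules):
    """Rule 1: a function pointer stored in non-stack data is trusted only
    if it lands inside the code section of a legitimate kernel module."""
    return any(start <= addr < end for _name, start, end in modules)


def write_is_trusted(datum, writer_ip, parent_fn, data_access, call_graph, func_of):
    """Rule 2: a trapped write to a protected datum is trusted only if the
    writing instruction is in the data access graph for that datum AND the
    function containing it was entered from a parent allowed by the call graph."""
    if writer_ip not in data_access.get(datum, set()):
        return False  # instruction was never recorded writing this datum
    callee = func_of.get(writer_ip)
    return parent_fn in call_graph.get(callee, set())


def audit(events, modules, data_access, call_graph, func_of):
    """Classify a trace of trapped events: ('write', datum, writer_ip, parent_fn)
    for a write fault, ('ptr', datum, target) for a function pointer found in
    non-stack data. Returns (event, 'allow'|'block') pairs."""
    verdicts = []
    for ev in events:
        if ev[0] == 'write':
            _, datum, ip, parent = ev
            ok = write_is_trusted(datum, ip, parent, data_access, call_graph, func_of)
        else:
            _, _datum, target = ev
            ok = in_code_segment(target, modules)
        verdicts.append((ev, 'allow' if ok else 'block'))
    return verdicts


# Constructed sample (placeholder addresses, not values from the thesis).
MODULES = [('kernel_text', 0x80400000, 0x80600000), ('driver_text', 0xF8A00000, 0xF8A10000)]
DATUM = 0x80560000                       # one protected non-stack kernel datum
DATA_ACCESS = {DATUM: {0x80412340}}      # the only instruction recorded writing DATUM
FUNC_OF = {0x80412340: 0x80412300}       # function containing that instruction
CALL_GRAPH = {0x80412300: {0x80411000}}  # its only recorded parent function

SAMPLE_EVENTS = [
    ('write', DATUM, 0x80412340, 0x80411000),  # legitimate update along the recorded path
    ('write', DATUM, 0xF8A00120, 0xF8A00100),  # writer instruction absent from the graph
    ('write', DATUM, 0x80412340, 0xF8A00100),  # recorded instruction, unexpected parent
    ('ptr', DATUM, 0x80431000),                # pointer into legitimate kernel code
    ('ptr', DATUM, 0x00C0FFEE),                # pointer outside every module code section
]

if __name__ == '__main__':
    for ev, verdict in audit(SAMPLE_EVENTS, MODULES, DATA_ACCESS, CALL_GRAPH, FUNC_OF):
        print(verdict, ev)
```

The third sample event shows why the call-graph rule matters: the recorded writer instruction alone is not enough, because it can be reached from a caller the graph never saw.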
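As an added model (not the thesis' own code) of the stack-binding idea in contribution 3: every kernel stack is kept read-only except while its owning execution unit is running, and the writable attribute is flipped synchronously on each stack switch, creation and deletion, so a write from one unit into another unit's stack traps. Unit names and stack addresses are constructed; the page-attribute change stands in for the virtual machine monitor's page-table update.

```python
PAGE = 0x1000

class StackBinder:
    """Keeps each kernel stack read-only except while its owning execution
    unit is running, so a unit can only write its own stack."""

    def __init__(self):
        self.stacks = {}       # unit -> (base, size) of its kernel stack
        self.writable = set()  # page addresses currently writable
        self.current = None    # unit whose stack is in use
        self.log = []          # trapped writes: (writer, addr, stack owner)

    def _pages(self, unit):
        base, size = self.stacks[unit]
        return set(range(base, base + size, PAGE))

    def create_stack(self, unit, base, size):
        self.stacks[unit] = (base, size)  # starts read-only until scheduled in

    def delete_stack(self, unit):
        self.writable -= self._pages(unit)
        if self.current == unit:
            self.current = None
        del self.stacks[unit]

    def switch_to(self, unit):
        # Done synchronously with the stack switch: old stack -> RO, new -> RW.
        if self.current in self.stacks:
            self.writable -= self._pages(self.current)
        self.writable |= self._pages(unit)
        self.current = unit

    def owner_of(self, addr):
        for unit, (base, size) in self.stacks.items():
            if base <= addr < base + size:
                return unit
        return None

    def write(self, addr):
        """Emulate a write by the running unit: True if it proceeds, False if
        the page attribute check traps it (and records it)."""
        if (addr & ~(PAGE - 1)) in self.writable:
            return True
        self.log.append((self.current, addr, self.owner_of(addr)))
        return False
```

Replacing a unit's stack is modelled as delete_stack followed by create_stack and switch_to, which keeps the invariant that at most one stack region is writable at a time.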
【Degree-granting institution】: Beijing Institute of Technology
【Degree level】: Doctoral
【Year granted】: 2016
【Classification number】: TP309;TP316



Document number: 1338402


Link to this article: http://www.sikaile.net/shoufeilunwen/xxkjbs/1338402.html

