- 2015
Kernel Integrity Protection Based on TWPos
Abstract:
Kernel rootkit attacks pose a fatal threat to kernel integrity, so defending against kernel rootkits is the focus of kernel integrity protection. Current research concentrates mainly on kernel rootkit detection and prevention, with two shortcomings: 1) rootkit prevention relies on a single protection mode; 2) kernel rootkit detection can only be used for detection, and even once it finds that the kernel has been attacked, it can do nothing about it. In view of this situation, this paper designs a kernel integrity protection method that protects the operating system in two ways, secure authentication protection and detection with recovery (TWPos), so that it has both detection and prevention capability and can recover the kernel even after it has been attacked. Experiments show that TWPos provides comprehensive and effective protection without sacrificing system performance, and is compatible with multiple operating systems.