Protection of Kernel Integrity with Two-Mode Protection Operation System
-
摘要: 内核rookits攻击对内核的完整性构成致命威胁,因此对内核rootkits防护是内核完整性保护的重点。当前研究主要侧重于内核rootkits探测和防护,不足之处在于:1) rootkits防护存在单一保护模式;2) 内核rootkits探测只能做探测使用,即便发现内核已经受到攻击,也无能为力。鉴于这种情况,该文设计了一种内核完整性保护方法,采用安全认证保护和探测恢复两种方式(TWPos)保护操作系统,同时具备探测和防护能力,即便内核受到攻击也能进行恢复。实验表明,TWPos系统既能全面有效的防护,而且又不牺牲系统性能,并且兼容多种OS系统。
-
[1] NGUYEN A Q, YOSHIYASU T. Towards a tamper resistant kernel rootkit detector[C]//Proceedings of the 2007 ACM Symposium on Applied Computing. Seoul, Korea: ACM, 2007. [2] PETRONI N, FRASER T, MOLINA J, et al. Copilot: a coprocessor-based kernel runtime integrity monitor[C]// Proceedings of the 13th USENIX Security Symposium. San Diego, USA: Springer, 2004. [3] PETRONI J N L, FRASER T, WALTERS A, et al. An architecture for specification-based detection of semantic integrity violations in kernel dynamic data[C]//Proceedings of the 15th USENIX Security Symposium. Vancouver, Canada: Springer, 2006. [4] PETRONI J N L, HICKS M. Automated detection of persistent kernel control-flow attacks[C]//Proceedings of the 2007 ACM Conference on Computer and Communications Security. Alexandria, USA: ACM, 2007. [5] HOFMANN O S, DUNN A M, KIM S, et al. Ensuring operating system kernel integrity with osck[J]. ACM SIGPLAN Notices, 2011, 46(3): 279-290. [6] SESHADRI A, LUK M, QU Ning, et al. Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity oses[J]. ACM SIGOPS Operating Systems Review, 2007, 41(6): 335-350. [7] LITTY L, LAGAR-CAVILLA H A, LIE D. Hypervisor support for identifying covertly executing binaries[C]// Proceedings of the 17th USENIX Security Symposium. California, USA: Springer, 2008: 243-258. [8] RILEY R, JIANG Xu-xian, XU Dong-yan. Guest-transparent prevention of kernel rootkits with vmm-based memory shadowing[C]//the 11th International Symposium on Recent Advances in Intrusion Detection. Cambridge, USA: Springer, 2008. [9] WANG Zhi, JIANG Xu-xian, CUI Wei-dong, et al. Countering kernel rootkits with light weight hook protection [C]//16th ACM Conference on Computer and Communications Security. New York, USA: ACM, 2009. [10] LI Jin-ku, WANG Zhi, BLETSCH T, et al. Comprehensive and efficient protection of kernel control data[J]. IEEE Transactions Information Forensics and Security, 2011, 6(4): 1404-1417. [11] SZEFER J, LEE R B. Architectural support for hypervisor-secure virtualization[J]. ACM SIGARCH Computer Architecture News, 2012, 40(1): 437-450. [12] WANG Zhi, WU C, GRACE M, et al. Isolating commodity hosted hypervisors with HyperLock[C]//ACM European Conference on Computer Systems. New York, USA: ACM, 2012. [13] BALIGA A, GANAPATHY V, IFTODE L. Automatic inference and enforcement of kernel data structure invariants[C]//the 2008 Annual Computer Security Applications Conference. Washington, USA: IEEE, 2008. [14] Sebek project site. Sebek[R/OL]. [2014-04-19]. https:// projects.honeynet.org/sebek.
点击查看大图
计量
- 文章访问数: 4881
- HTML全文浏览量: 141
- PDF下载量: 410
- 被引次数: 0