CN109460671B - Method for realizing webpage content tamper resistance based on operating system kernel - Google Patents
Method for realizing webpage content tamper resistance based on operating system kernel Download PDFInfo
- Publication number
- CN109460671B CN109460671B CN201811225508.6A CN201811225508A CN109460671B CN 109460671 B CN109460671 B CN 109460671B CN 201811225508 A CN201811225508 A CN 201811225508A CN 109460671 B CN109460671 B CN 109460671B
- Authority
- CN
- China
- Prior art keywords
- sys
- module
- kernel
- read
- file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
A method for realizing webpage content tamper-proofing based on an operating system kernel relates to the technical field of information, and the necessary modules for realizing the steps of the invention comprise: the system comprises an operating system bottom layer, a kernel hijack module, a scheduling module, an initialization module, a shared memory area, a bidirectional pointer queue, a configuration file, a webpage fingerprint memory and a backup module. The invention quickly carries out authorization verification on the current operation process and the current operation directory file by intercepting the system call, and suspends the operation system of the illegal authorized process to protect the security of the directory file. The tamper-proof technology based on the kernel state of the operating system improves the technical difficulty of tampering, better prevents illegal operation on files and more effectively ensures the safety of a web server file system.
Description
Technical Field
The invention relates to the technical field of electronic information.
Background
With the development of society, the internet has gained great popularity. Governments, enterprises, individuals and the like can display the information on the internet in a webpage mode in order to promote the image and the product functions of the government, the enterprise, the individuals and the like. There are various network behaviors on the internet, such as hacking, and as long as the web page content is hacked, it is possible that the web page content is directly modified, causing a great adverse effect.
At present, webpage tamper-proofing systems in the market are not few, detection is basically carried out from a non-operating system level, and webpage tamper-proofing protection is carried out from the aspects of preventing processes from being interrupted, preventing threads from being tampered, preventing product drivers from being tampered, preventing catalogs from being changed, preventing registries from being tampered and preventing self-starting from being disturbed. The technique of preventing web pages from being tampered with from the non-operating system level has two disadvantages: one is the possibility of severely impacting the performance of the server, and the other is the slower matching speed. Aiming at the two problems, the invention directly intercepts the operation system call from the operation system kernel, greatly accelerates the matching speed and improves the safety of the web server.
Consensus technical explanation:
DMA refers to an interface technology in which an external device directly exchanges data with a system memory without passing through a CPU.
Webpage fingerprint generation, which is a commonly used common technology for reading webpage file contents through an MD5 algorithm to generate an MD5 value.
A WEB server, a server that provides storage and access to a website, is generally referred to as a WEB server.
Disclosure of Invention
The method for realizing the webpage content tamper resistance based on the operating system kernel is characterized in that the necessary modules for realizing the method comprise: the system comprises an operating system bottom layer, a kernel hijack module, a scheduling module, an initialization module, a shared memory area, a bidirectional pointer queue, a configuration file, a webpage fingerprint memory and a backup module.
The method for realizing the webpage content tamper resistance based on the operating system kernel comprises the following steps:
1) operating system bottom hijacking
Firstly, a kernel hijacking module is started together with an operating system, a symbol table sys _ call _ table of the operating system bottom layer is led out, then sys _ read of the symbol table of the operating system bottom layer is replaced, and the sys _ write function address is the kernel hijacking module address, so that the purpose of hijacking 2 functions is achieved;
secondly, the kernel hijack module creates a shared memory area in the user mode, and the kernel-mode memory area is mapped to the user mode through a DMA technology, so that the kernel-mode and user-mode programs operate the shared memory area, and the kernel-mode and user-mode programs can synchronously receive information;
and the kernel hijack module creates a bidirectional pointer queue for storing the 3 types of parameters issued by the user state: a web page file protection directory path queue, a process white list queue and a path white list queue;
2) WEB server initialization
Generating a configuration file in a WEB server, wherein the configuration file information comprises: 1) a webpage file protection directory, 2), a process white list, 3) and a path white list;
the initialization module works in a user mode of an operating system, reads information from a configuration file, transmits the information of a webpage file protection directory, a process white list and a path white list to the kernel hijack module through a DMA (direct memory access) technology, and then stores the information in a bidirectional pointer queue by the kernel hijack module; the kernel hijack module stores the webpage file protection directory in a webpage file protection directory path queue, the kernel hijack module stores a process white list in a process white list queue, and the kernel hijack module stores the path white list in a path white list queue;
the initialization module extracts fingerprints of all files in the webpage file protection directory, and the specific method comprises the steps of reading file contents to generate an MD5 value, and generating a file MD5 value list corresponding to file names and MD5 values of all files in the webpage file protection directory by the initialization module and storing the file MD5 value list in a webpage fingerprint memory; the initialization module stores all files in the webpage file protection directory in the backup module; the initialization module stores the fingerprints of all files in the webpage file protection directory in a webpage fingerprint memory;
3) daily protection
Firstly, an external user accesses a web server in a mode of URL access, illegal intrusion access and illegal transfer access, and the access of the external user is intercepted by a kernel hijacking module to sys _ read and sys _ write system for calling;
secondly, the kernel hijacking module judges the legality of the path corresponding to the read-write file:
when the kernel hijacking module acquires the destination directories called by the sys _ read and the sys _ write systems, and when the destination directories called by the sys _ read and the sys _ write systems are not in the path queue of the webpage file protection directory, executing the original system call of the operating system, and ending the operation;
when the destination directories called by the sys _ read and the sys _ write systems are in the path queue of the webpage file protection directory, the kernel hijacking module acquires the destination paths called by the sys _ read and the sys _ write systems, and when the destination paths called by the sys _ read and the sys _ write systems are not in the path white list queue, the original system calling of the operating system is executed, and the operation is finished;
when the target paths called by the sys _ read and the sys _ write systems are in the path white list queue, the kernel hijack module acquires the process names called by the sys _ read and the sys _ write systems, when the process names called by the sys _ read and the sys _ write systems are acquired by the kernel hijack module in the path white list queue, the access is allowed, the original system calling of the operating system is executed, the operation is finished, and when the process names called by the sys _ read and the sys _ write systems are not acquired by the kernel hijack module in the path white list queue, the interrupt is executed; meanwhile, the path of the operation file is required to be written into the shared memory area;
4) legitimate updating of a web page
Reading the sys _ read and sys _ write operation logs by the scheduling module, comparing whether the MD5 value of the current file in the sys _ read and sys _ write operation logs is in the file MD5 value list, and indicating that the current file in the sys _ read and sys _ write operation logs is not tampered when the MD5 value of the current file in the sys _ read and sys _ write operation logs is in the file MD5 value list;
when the MD5 value of the current file in the sys _ read and sys _ write operation logs is not in the MD5 value list, the scheduling module judges whether the current file in the sys _ read and sys _ write operation logs is generated by process operation in the process white list queue;
thirdly, when the current files in the sys _ read and sys _ write operation logs are generated by process operation in the process white list queue, namely legally updated newly added files, the scheduling module stores the legally updated newly added files in the backup module according to the directory paths to which the legally updated newly added files belong, and the scheduling module writes the names and MD5 values of the legally updated newly added files in the MD5 value list;
5) web page recovery
When the current files in the sys _ read and sys _ write operation logs are not generated by process operations in the process white list queue and indicate that the current files in the sys _ read and sys _ write operation logs are tampered, the scheduling module copies the corresponding files from the backup module to replace the current files in the sys _ read and sys _ write operation logs for recovery operation.
Advantageous effects
The invention quickly carries out authorization verification on the current operation process and the current operation directory file by intercepting the system call, and suspends the operation system of the illegal authorized process to protect the security of the directory file. The tamper-proof technology based on the kernel state of the operating system improves the technical difficulty of tampering, better prevents illegal operation on files and more effectively ensures the safety of a web server file system.
Drawings
FIG. 1 is a block diagram of the components necessary to accomplish the steps described in the present invention;
FIG. 2 is a kernel-state workflow diagram;
FIG. 3 is a user-mode workflow diagram.
Detailed Description
Referring to fig. 1 to fig. 3, a method for implementing webpage content tamper resistance based on an operating system kernel of the present invention is implemented, and is characterized in that the necessary constituent modules for implementing the present invention include: the system comprises an operating system bottom layer A, a kernel hijack module B, a scheduling module C, an initialization module D, a shared memory area 2, a bidirectional pointer queue 3, a configuration file 4, a webpage fingerprint memory E and a backup module F.
The method for realizing the webpage content tamper resistance based on the operating system kernel comprises the following steps:
1) operating system bottom hijacking
Firstly, a kernel hijacking module B is started together with an operating system, a symbol table sys _ call _ table of an operating system bottom layer A is led out, then sys _ read of the symbol table of the operating system bottom layer A is replaced, and a sys _ write function address is a kernel hijacking module address, so that the purpose of hijacking 2 functions is achieved;
secondly, the kernel hijacking module B creates a shared memory area 2 in the user mode, and maps the memory area of the kernel mode to the user mode through a DMA technology, so that programs of the kernel mode and the user mode operate the shared memory area 2, and the programs of the kernel mode and the user mode can synchronously receive information;
the kernel hijack module B creates a bidirectional pointer queue 3 for storing three types of parameters issued by the user mode: a web page file protection directory path queue 31, a process white list queue 32 and a path white list queue 33;
2) WEB server initialization
Firstly, a configuration file 4 is generated in a WEB server, and the information of the configuration file 4 comprises: 1) web page file protection directory 41, 2), process whitelist 42, 3), path whitelist 43;
the initialization module D works in a user mode of an operating system, reads information from the configuration file 4, transmits the information of the webpage file protection directory 41, the process white list 42 and the path white list 43 to the kernel hijack module B through a DMA technology, and then stores the information in the bidirectional pointer queue 3 by the kernel hijack module B; the kernel hijack module B stores the webpage file protection directory 41 in the webpage file protection directory path queue 31, the kernel hijack module B stores the process white list 42 in the process white list queue 32, and the kernel hijack module B stores the path white list 43 in the path white list queue 33;
the initialization module D extracts fingerprints of all files in the webpage file protection directory 41, and the specific method comprises the steps of reading file contents to generate an MD5 value, generating a file MD5 value list 5 corresponding to file names and MD5 values of all files in the webpage file protection directory 41 by the initialization module D, and storing the file MD5 value list in a webpage fingerprint memory E; the initialization module D stores all files in the webpage file protection directory 41 in the backup module F; the initialization module D stores the fingerprints of all files in the webpage file protection directory 41 in a webpage fingerprint memory E;
3) daily protection
Firstly, an external user accesses a WEB server in a mode of URL access, illegal intrusion access and illegal transfer access, and the access of the external user is intercepted to sys _ read and sys _ write system call by a kernel hijacking module B;
secondly, the kernel hijacking module B judges the legality of the path corresponding to the read-write file:
when the kernel hijacking module B acquires the destination directories called by the sys _ read and the sys _ write systems, and when the destination directories called by the sys _ read and the sys _ write systems are not in the webpage file protection directory path queue 31, executing the original system call of the operating system, and ending the operation;
when the destination directories called by the sys _ read and sys _ write systems are in the webpage file protection directory path queue 31, the kernel hijacking module B acquires the destination paths called by the sys _ read and sys _ write systems, and when the destination paths called by the sys _ read and sys _ write systems are not in the path white list queue 33, the original system call of the operating system is executed, and the operation is finished;
when the destination paths called by the sys _ read and the sys _ write systems are in the path white list queue 33, the kernel hijacking module B acquires the process names called by the sys _ read and the sys _ write systems, when the kernel hijacking module B acquires the process names called by the sys _ read and the sys _ write systems in the process white list queue 32, the kernel hijacking module B allows access, executes the original system call of the operating system, finishes the operation, and executes interruption when the kernel hijacking module B acquires the process names called by the sys _ read and the sys _ write systems which are not regarded as illegal users in the process white list queue 32; meanwhile, the path of the operation file is required to be written into the shared memory area 2;
4) legitimate updating of a web page
Reading the sys _ read and sys _ write operation logs by the scheduling module C, comparing whether the MD5 value of the current file in the sys _ read and sys _ write operation logs is in a file MD5 value list 5, and indicating that the current file in the sys _ read and sys _ write operation logs is not tampered when the MD5 value of the current file in the sys _ read and sys _ write operation logs is in a file MD5 value list 5;
when the MD5 values of the current files in the sys _ read and sys _ write operation logs are not in the MD5 value list 5, the scheduling module C judges whether the current files in the sys _ read and sys _ write operation logs are generated by process operations in the process white list queue 32;
when the current files in the sys _ read and sys _ write operation logs are generated by process operation in the process white list queue 32, which indicates that the current files are legally updated newly added files, the scheduling module C stores the legally updated newly added files in the backup module F according to the directory paths to which the newly added files belong, and the scheduling module C writes the names and MD5 values of the legally updated newly added files in the MD5 value list 5;
5) web page recovery
When the current files in the sys _ read and sys _ write operation logs are not generated by process operations in the process white list queue 32 and indicate that the current files in the sys _ read and sys _ write operation logs are tampered, the scheduling module C copies the corresponding files in the sys _ read and sys _ write operation logs from the backup module F to replace the current files in the sys _ read and sys _ write operation logs for recovery operation.
Claims (1)
1. A method for realizing webpage content tamper resistance based on an operating system kernel is characterized in that necessary modules for realizing the method comprise: the system comprises an operating system bottom layer, a kernel hijack module, a scheduling module, an initialization module, a shared memory area, a bidirectional pointer queue, a configuration file, a webpage fingerprint memory and a backup module;
the method for realizing the webpage content tamper-proofing based on the operating system kernel comprises the following steps:
1) operating system bottom hijacking
Firstly, a kernel hijacking module is started together with an operating system, a symbol table sys _ call _ table of the operating system bottom layer is led out, then sys _ read of the symbol table of the operating system bottom layer is replaced, and the sys _ write function address is the kernel hijacking module address, so that the purpose of hijacking 2 functions is achieved;
secondly, the kernel hijack module creates a shared memory area in the user mode, and the kernel-mode memory area is mapped to the user mode through a DMA technology, so that the kernel-mode and user-mode programs operate the shared memory area, and the kernel-mode and user-mode programs can synchronously receive information;
and the kernel hijack module creates a bidirectional pointer queue for storing the 3 types of parameters issued by the user state: a web page file protection directory path queue, a process white list queue and a path white list queue;
2) WEB server initialization
Generating a configuration file in a WEB server, wherein the configuration file information comprises: 1) a webpage file protection directory, 2), a process white list, 3) and a path white list;
the initialization module works in a user mode of an operating system, reads information from a configuration file, transmits the information of a webpage file protection directory, a process white list and a path white list to the kernel hijack module through a DMA (direct memory access) technology, and then stores the information in a bidirectional pointer queue by the kernel hijack module; the kernel hijack module stores the webpage file protection directory in a webpage file protection directory path queue, the kernel hijack module stores a process white list in a process white list queue, and the kernel hijack module stores the path white list in a path white list queue;
the initialization module extracts fingerprints of all files in the webpage file protection directory, and the specific method comprises the steps of reading file contents to generate an MD5 value, and generating a file MD5 value list corresponding to file names and MD5 values of all files in the webpage file protection directory by the initialization module and storing the file MD5 value list in a webpage fingerprint memory; the initialization module stores all files in the webpage file protection directory in the backup module; the initialization module stores the fingerprints of all files in the webpage file protection directory in a webpage fingerprint memory;
3) daily protection
Firstly, an external user accesses a web server in a mode of URL access, illegal intrusion access and illegal transfer access, and the access of the external user is intercepted by a kernel hijacking module to sys _ read and sys _ write system for calling;
secondly, the kernel hijacking module judges the legality of the path corresponding to the read-write file:
when the kernel hijacking module acquires the destination directories called by the sys _ read and the sys _ write systems, and when the destination directories called by the sys _ read and the sys _ write systems are not in the path queue of the webpage file protection directory, executing the original system call of the operating system, and ending the operation;
when the destination directories called by the sys _ read and the sys _ write systems are in the path queue of the webpage file protection directory, the kernel hijacking module acquires the destination paths called by the sys _ read and the sys _ write systems, and when the destination paths called by the sys _ read and the sys _ write systems are not in the path white list queue, the original system calling of the operating system is executed, and the operation is finished;
when the target paths called by the sys _ read and the sys _ write systems are in the path white list queue, the kernel hijack module acquires the process names called by the sys _ read and the sys _ write systems, when the process names called by the sys _ read and the sys _ write systems are acquired by the kernel hijack module in the path white list queue, the access is allowed, the original system calling of the operating system is executed, the operation is finished, and when the process names called by the sys _ read and the sys _ write systems are not acquired by the kernel hijack module in the path white list queue, the interrupt is executed; meanwhile, the path of the operation file is required to be written into the shared memory area;
4) legitimate updating of a web page
Reading the sys _ read and sys _ write operation logs by the scheduling module, comparing whether the MD5 value of the current file in the sys _ read and sys _ write operation logs is in the file MD5 value list, and indicating that the current file in the sys _ read and sys _ write operation logs is not tampered when the MD5 value of the current file in the sys _ read and sys _ write operation logs is in the file MD5 value list;
when the MD5 value of the current file in the sys _ read and sys _ write operation logs is not in the MD5 value list, the scheduling module judges whether the current file in the sys _ read and sys _ write operation logs is generated by process operation in the process white list queue;
thirdly, when the current files in the sys _ read and sys _ write operation logs are generated by process operation in the process white list queue, namely legally updated newly added files, the scheduling module stores the legally updated newly added files in the backup module according to the directory paths to which the legally updated newly added files belong, and the scheduling module writes the names and MD5 values of the legally updated newly added files in the MD5 value list;
5) web page recovery
When the current files in the sys _ read and sys _ write operation logs are not generated by process operations in the process white list queue and indicate that the current files in the sys _ read and sys _ write operation logs are tampered, the scheduling module copies the corresponding files from the backup module to replace the current files in the sys _ read and sys _ write operation logs for recovery operation.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811225508.6A CN109460671B (en) | 2018-10-21 | 2018-10-21 | Method for realizing webpage content tamper resistance based on operating system kernel |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811225508.6A CN109460671B (en) | 2018-10-21 | 2018-10-21 | Method for realizing webpage content tamper resistance based on operating system kernel |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109460671A CN109460671A (en) | 2019-03-12 |
| CN109460671B true CN109460671B (en) | 2021-10-26 |
Family
ID=65607988
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811225508.6A Active CN109460671B (en) | 2018-10-21 | 2018-10-21 | Method for realizing webpage content tamper resistance based on operating system kernel |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109460671B (en) |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110198300B (en) * | 2019-03-13 | 2022-01-14 | 腾讯科技(深圳)有限公司 | Honeypot operating system fingerprint hiding method and device |
| CN110377436B (en) * | 2019-07-12 | 2021-04-27 | 清华大学 | Data storage access method, equipment and device of persistent memory |
| CN112346792B (en) * | 2020-06-11 | 2021-09-21 | 广州锦行网络科技有限公司 | Port multiplexing method based on Linux system |
| CN112000375B (en) * | 2020-07-13 | 2023-12-26 | 深圳市智微智能软件开发有限公司 | Method, device, equipment and storage medium for judging startup stage of android system |
| CN111539042B (en) * | 2020-07-13 | 2020-10-30 | 南京云信达科技有限公司 | Safe operation method based on trusted storage of core data files |
| CN111967058A (en) * | 2020-07-28 | 2020-11-20 | 浙江军盾信息科技有限公司 | Tamper-proof method supporting user white list, electronic device and storage medium |
| CN115840938B (en) * | 2023-02-21 | 2023-05-09 | 山东捷讯通信技术有限公司 | File monitoring method and device |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6240531B1 (en) * | 1997-09-30 | 2001-05-29 | Networks Associates Inc. | System and method for computer operating system protection |
| CN102547400A (en) * | 2010-12-08 | 2012-07-04 | 中国科学院声学研究所 | Content security protection method of embedded television terminal system |
| CN104766009A (en) * | 2015-03-18 | 2015-07-08 | 杭州安恒信息技术有限公司 | System for preventing webpage document tampering based on operating system bottom layer |
| US9354977B1 (en) * | 2008-12-15 | 2016-05-31 | Open Invention Network Llc | System and method for hybrid kernel- and user-space incremental and full checkpointing |
| CN106933872A (en) * | 2015-12-30 | 2017-07-07 | 阿里巴巴集团控股有限公司 | A kind of method and device that cloud storage service is accessed by traditional file systemses interface |
| CN108090003A (en) * | 2017-11-20 | 2018-05-29 | 广东睿江云计算股份有限公司 | A kind of method, the system of the promotion WEB server performance based on zero-copy |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8955104B2 (en) * | 2004-07-07 | 2015-02-10 | University Of Maryland College Park | Method and system for monitoring system memory integrity |
| US7590775B2 (en) * | 2004-08-06 | 2009-09-15 | Andrew Joseph Alexander Gildfind | Method for empirically determining a qualified bandwidth of file storage for a shared filed system |
-
2018
- 2018-10-21 CN CN201811225508.6A patent/CN109460671B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6240531B1 (en) * | 1997-09-30 | 2001-05-29 | Networks Associates Inc. | System and method for computer operating system protection |
| US9354977B1 (en) * | 2008-12-15 | 2016-05-31 | Open Invention Network Llc | System and method for hybrid kernel- and user-space incremental and full checkpointing |
| CN102547400A (en) * | 2010-12-08 | 2012-07-04 | 中国科学院声学研究所 | Content security protection method of embedded television terminal system |
| CN104766009A (en) * | 2015-03-18 | 2015-07-08 | 杭州安恒信息技术有限公司 | System for preventing webpage document tampering based on operating system bottom layer |
| CN106933872A (en) * | 2015-12-30 | 2017-07-07 | 阿里巴巴集团控股有限公司 | A kind of method and device that cloud storage service is accessed by traditional file systemses interface |
| CN108090003A (en) * | 2017-11-20 | 2018-05-29 | 广东睿江云计算股份有限公司 | A kind of method, the system of the promotion WEB server performance based on zero-copy |
Non-Patent Citations (1)
| Title |
|---|
| 基于事件驱动的一种网页防篡改系统;王娜 等;《电脑编程技巧与维护》;20161218(第24期);16-17 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109460671A (en) | 2019-03-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109460671B (en) | Method for realizing webpage content tamper resistance based on operating system kernel | |
| RU2703156C2 (en) | Computer security systems and methods using asynchronous introspection exceptions | |
| JP6378758B2 (en) | Process evaluation for malware detection in virtual machines | |
| JP6789308B2 (en) | Systems and methods for generating tripwire files | |
| JP4759059B2 (en) | Page coloring that maps memory pages to programs | |
| US8689349B2 (en) | Information flow tracking and protection | |
| CN110647754A (en) | File system view separation for data confidentiality and integrity | |
| AU2002305490B2 (en) | Systems and methods for the prevention of unauthorized use and manipulation of digital content | |
| US20160034702A1 (en) | Apparatus For And Method Of Preventing Unsecured Data Access | |
| CN111400702A (en) | Virtualized operating system kernel protection method | |
| US11537753B2 (en) | Method and device for dynamic control, at file level, of the integrity of program files in a persistent memory of a computer, computer program and computer incorporating same | |
| CN101283332A (en) | Information processing device, information processing method, and program | |
| van de Ven | New security enhancements in red hat enterprise linux v. 3, update 3 | |
| US20130332923A1 (en) | Operating system | |
| CN112541166A (en) | Method, system and computer readable storage medium | |
| US20190294760A1 (en) | Protecting an application via an intra-application firewall | |
| US20150379265A1 (en) | Systems And Methods For Preventing Code Injection In Virtualized Environments | |
| US9104876B1 (en) | Virtual file-based tamper resistant repository | |
| Allievi et al. | Windows Internals, Part 2 | |
| CN115244535A (en) | System and method for protecting folders from unauthorized file modification | |
| CN115964758A (en) | TrustZone-based kernel data integrity protection method | |
| CN102117394A (en) | Method and device for detecting whether a computer file has been copied and method and device for enabling such detection | |
| US9792431B1 (en) | Systems and methods for selectively masking data on virtual storage devices | |
| White | Identifying the unknown in user space memory | |
| US11960617B2 (en) | Hardware protection of files in an integrated-circuit device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |