WO2017148289A1 - Active defense method and device - Google Patents
Active defense method and device Download PDFInfo
- Publication number
- WO2017148289A1 WO2017148289A1 PCT/CN2017/074122 CN2017074122W WO2017148289A1 WO 2017148289 A1 WO2017148289 A1 WO 2017148289A1 CN 2017074122 W CN2017074122 W CN 2017074122W WO 2017148289 A1 WO2017148289 A1 WO 2017148289A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- heterogeneous
- system call
- versions
- list
- version
- Prior art date
Links
- 230000007123 defense Effects 0.000 title claims abstract description 25
- 238000000034 method Methods 0.000 title claims abstract description 25
- 230000006870 function Effects 0.000 claims description 50
- 238000013507 mapping Methods 0.000 claims description 19
- 238000001514 detection method Methods 0.000 description 4
- 238000011161 development Methods 0.000 description 3
- 238000010586 diagram Methods 0.000 description 3
- 241000700605 Viruses Species 0.000 description 2
- 238000004891 communication Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000003278 mimic effect Effects 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 230000008859 change Effects 0.000 description 1
- 238000005336 cracking Methods 0.000 description 1
- 230000005611 electricity Effects 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000005065 mining Methods 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000007723 transport mechanism Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
Definitions
- the present application relates to, but is not limited to, the field of software security, and more particularly to an active defense method and apparatus.
- the embodiment of the invention provides an active defense method and device, which can improve the security of the application.
- an embodiment of the present invention provides an active defense method, where the method includes:
- the step of generating a plurality of different heterogeneous versions by compiling according to the service source code includes:
- a heterogeneous version corresponding to the service source code is formed according to the generated business image file and the kernel image file.
- the step of generating a header file of a new system call includes:
- Reading a system call header file wherein the system call header file records a mapping relationship between a system call number and a system call function
- the generated random number is used as the system call number corresponding to the current system call function; and the mapping relationship between the current system call function and the system call number is recorded in the new system call header file.
- the step of writing the heterogeneous version into multiple devices according to multiple different heterogeneous versions includes:
- the random number is an integer and is less than or equal to the number of heterogeneous versions in the current to-be-released version list, and the Na heterogeneous version in the to-be-released version list is written to the device according to the random number Na;
- the method before the generating a random number, the method further includes:
- the step of generating a random number is performed.
- the application further provides a computer readable storage medium storing computer executable instructions that are implemented when the computer executable instructions are executed.
- an embodiment of the present invention further provides an active defense device, where the device includes:
- a heterogeneous compilation unit configured to generate a plurality of different heterogeneous versions by compiling according to the business source code
- a heterogeneous version is written to a unit that is set to write heterogeneous versions to multiple devices based on multiple different heterogeneous versions.
- the heterogeneous compilation unit includes:
- a header file generation module configured to generate a header file of a new system call
- the service image module is configured to compile the service source code according to the header file of the new system call, and generate a corresponding service image file;
- the kernel image module is configured to compile the operating system according to the header file of the new system call, and generate a corresponding kernel image file;
- the compiling module is configured to form a heterogeneous version corresponding to the service source code according to the generated business image file and the kernel image file.
- the header file generating module includes:
- Reading a submodule configured to read a system call header file, wherein the system call header file records a mapping relationship between a system call number and a system call function;
- the random number module is configured to generate a random number for any system call function recorded in the system call header file; wherein the random number is not occupied by other system calling functions;
- the mapping relationship record module is configured to use the generated random number as the system call number corresponding to the current system call function; and record the mapping relationship between the current system call function and the system call number in the new system call header file.
- the heterogeneous version writing unit includes:
- the to-be-published list module is configured to add a plurality of different heterogeneous versions generated by the heterogeneous compilation unit to the list of to-be-released versions;
- the module is configured to generate a random number, the random number is an integer and is less than or equal to the number of heterogeneous versions in the current release list, and the Na heterogeneous version in the to-be-released list is written according to the random number Na.
- the random number is an integer and is less than or equal to the number of heterogeneous versions in the current release list, and the Na heterogeneous version in the to-be-released list is written according to the random number Na.
- a published list module set to write to the heterogeneous version of the device, the heterogeneous version This moves from the list of releases to be released to the list of published versions and updates the number of versions in both versions.
- the to-be-published list module is further configured to
- the notification selection module selects the Na heterogeneous version.
- the technical solution provided by the embodiment of the present invention includes: generating multiple different heterogeneous versions by compiling according to the service source code; and writing the heterogeneous version to multiple devices according to multiple different heterogeneous versions.
- FIGS. 1A, 1B, and 1C are flowcharts of an active defense method according to an embodiment of the present invention.
- FIG. 2A is a flowchart of an active defense method according to an embodiment of the present invention.
- 2B is a schematic diagram of a list of releases to be released and a list of published versions
- FIG. 3 is a schematic structural diagram of an active defense device according to an embodiment of the present invention.
- processor performance is lower than that of IT systems; real-time or key business performance indicators are high; embedded systems require long-term Continuous operation does not require dedicated maintenance. Therefore, the security problems of embedded systems are difficult to solve by using the IT security domain (such as virus scanning, frequent update patches).
- attack steps are divided into: system detection, vulnerability mining, system breakthrough, system control and so on.
- Attackers in each link need to rely on fixed, predictable, and consistent rules in the system.
- the system detection phase can collect system version information to confirm whether there is a known security vulnerability; in system breakthrough and system control Aspects can obtain fixed privileged interfaces to implement system control and system breakthroughs.
- the open source community more and more embedded devices use open source software, but it also brings a lot of convenience to attackers, and it is easier to obtain system vulnerabilities and attack scenarios.
- an embodiment of the present invention provides an active defense method, where the method includes:
- Step 100 Generate multiple different heterogeneous versions by compiling according to the service source code.
- Step 200 Write the heterogeneous version to multiple devices according to multiple different heterogeneous versions.
- step 100 includes:
- Step 110 generating a header file of a new system call
- Step 120 Compile the service source code according to the header file of the new system call, and generate a corresponding service image file.
- Step 130 Compile the operating system according to the header file of the new system call, and generate a corresponding kernel image file.
- Step 140 Form a heterogeneous version corresponding to the service source code according to the generated service image file and the kernel image file.
- Different heterogeneous versions are formed according to steps 110 to 140 until the number of heterogeneous versions reaches a predetermined number of heterogeneous versions set in advance.
- step 110 includes:
- Step 111 reading a system call header file, where a mapping relationship between a system call number and a system call function is recorded in the system call header file;
- Step 112 whether to complete the traversal of all system call functions in the system call header file; if the traversal of all system call functions in the system call header file is not completed, step 113 is performed;
- Step 113 Generate a random number for the current system call function, where one of the system call functions that the current system call function does not traverse;
- the random number is dynamically generated.
- Step 114 Check whether the random number has been occupied by other system calling functions; if the random number is not occupied by other system calling functions, execute step 115; if the random number has been occupied by other system calling functions, execute Step 113;
- Step 115 The generated random number is used as a system call number corresponding to the current system call function; and the mapping relationship between the current system call function and the system call number is recorded in the new system call header file.
- Table 2 shows the mapping relationship between the system call number and the system call function recorded in the new system call header file generated according to steps 112 to 115; in the new system call header file, each system call number is different. , that is, the random number 1, the random number 2, and the random number N are all different.
- step 200 writing a heterogeneous version to multiple devices according to multiple different heterogeneous versions includes:
- Step 210 Add multiple generated heterogeneous versions to the list of to-be-released versions
- Step 220 determining whether the number of heterogeneous versions in the release version list is 0, if it is 0, then executing step 230, if not 0, executing step 240;
- Step 230 Add all the heterogeneous versions in the published version list to the to-be-released version list, and update the number of the heterogeneous versions in the published version list and the to-be-released version list correspondingly;
- Step 240 Select one of the to-be-published version lists, and write the heterogeneous version to the device.
- step 240 a random number is generated, the random number is an integer and is less than or equal to the number of heterogeneous versions in the current release list, and the Na heterogeneous version in the to-be-released list is written according to the random number Na.
- the random number is an integer and is less than or equal to the number of heterogeneous versions in the current release list, and the Na heterogeneous version in the to-be-released list is written according to the random number Na.
- writing the heterogeneous version to the device specifically writes the heterogeneous version into the device.
- Step 250 Obtain hardware information (such as a MAC address, a hardware device ID, and the like) corresponding to the device for the heterogeneous version written to the device, and record the device information to the installed device information corresponding to the currently selected heterogeneous version. Move the heterogeneous version from the list of published versions to the list of published versions and update the number of versions in both versions.
- hardware information such as a MAC address, a hardware device ID, and the like
- steps 240 and 250 may be replaced.
- Step 260 whether to complete the writing of all devices, if it is completed, it ends, if not, then step 220 is performed.
- FIG. 2B it is a schematic diagram of a list of releases to be released and a list of published versions.
- the operation phase may be It is seen that different devices use different software versions, including operating systems and business systems, which are heterogeneous systems.
- the heterogeneous system protects the system call interface of the open source operating system to the outside world.
- the operating system manages the system's core resources and privileged operations. An attacker cannot predict the operating system's external interface and therefore cannot access critical resources and perform privileged operations.
- an attacker uses a brute force attack to obtain the external interface of a single device, the interface obtained by brute force cracking is not applicable to other devices, and cannot provide a unified attack solution, and cannot cause a scale threat to the device.
- the system does not add any security processing procedures (such as real-time scanning, intrusion monitoring, and the like in the IT security device). Therefore, the embodiment of the present invention does not affect the real-time performance of the system and the key service performance indicators during the operation. It is also conducive to the rapid deployment of this patented solution to the original embedded system to improve product safety.
- security processing procedures such as real-time scanning, intrusion monitoring, and the like in the IT security device. Therefore, the embodiment of the present invention does not affect the real-time performance of the system and the key service performance indicators during the operation. It is also conducive to the rapid deployment of this patented solution to the original embedded system to improve product safety.
- the embodiment of the present invention does not need to change the original service system, introduces random characteristics through the underlying basic software (operating system, compiler) and version release mechanism, and destroys the attack chain to improve the security of the system.
- the original system service since the original system service is not modified, the real-time performance and key service performance of the system are not affected; and the randomness and heterogeneous features also enable the original system to have active defense features, which can effectively prevent illegal access to key resources of the kernel. Attacks with illegal privileged operations.
- Embodiments of the present invention further provide a computer readable storage medium storing computer executable instructions that are implemented when the computer executable instructions are executed.
- an active defense device according to an embodiment of the present invention includes:
- the heterogeneous compilation unit 10 is configured to generate a plurality of different heterogeneous versions by compiling according to the service source code;
- the heterogeneous version writing unit 20 is configured to write the heterogeneous version to a plurality of devices according to a plurality of different heterogeneous versions.
- the heterogeneous coding unit 10 includes:
- a header file generating module 11 configured to generate a header file of a new system call
- the service mirroring module 12 is configured to compile the service source code according to the header file of the new system call, and generate a corresponding service image file.
- the kernel mirroring module 13 is configured to perform an operating system according to a header file of the new system call. Compile and generate the corresponding kernel image file;
- the compiling module 14 is configured to form a heterogeneous version corresponding to the service source code according to the generated service image file and the kernel image file.
- the header file generating module 11 includes:
- Reading a submodule configured to read a system call header file, wherein the system call header file records a mapping relationship between a system call number and a system call function;
- the random number module is configured to generate a random number for any system call function recorded in the system call header file; wherein the random number is not occupied by other system calling functions;
- the mapping relationship record module is configured to use the generated random number as the system call number corresponding to the current system call function; and record the mapping relationship between the current system call function and the system call number in the new system call header file.
- the heterogeneous version writing unit 20 includes:
- the to-be-published list module 21 is configured to add a plurality of different heterogeneous versions generated by the heterogeneous compilation unit to the list of to-be-released versions;
- the module 22 is configured to generate a random number, the random number is an integer and is less than or equal to the number of heterogeneous versions in the current release list, and the Na heterogeneous version in the to-be-released list is written according to the random number Na. Enter into the device;
- the published list module 23 is configured to move the heterogeneous version from the list of to-be-released lists to the published version list for the heterogeneous version written to the device, and update the number of versions in the two version lists.
- the to-be-published list module 21 is further configured to
- the notification selection module selects the Na heterogeneous version.
- computer storage medium includes volatile and nonvolatile, implemented in any method or technology for storing information, such as computer readable instructions, data structures, program modules or other data. Sex, removable and non-removable media.
- Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical disc storage, magnetic cartridge, magnetic tape, magnetic disk storage or other magnetic storage device, or may Any other medium used to store the desired information and that can be accessed by the computer.
- communication media typically includes computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and can include any information delivery media. .
- the technical solution provided by the embodiment of the present invention includes: generating multiple different heterogeneous versions by compiling according to the service source code; and writing the heterogeneous version to multiple devices according to multiple different heterogeneous versions.
Abstract
Active defense method and device, the method comprising: generating, on the basis of a service source code, and by means of compiling, a plurality of different heterogeneous versions (100); and writing, on the basis of the plurality of different heterogeneous versions, the heterogeneous versions to a plurality of devices (200).
Description
本申请涉及但不限于软件安全领域,尤指一种主动防御方法和装置。The present application relates to, but is not limited to, the field of software security, and more particularly to an active defense method and apparatus.
据相关机构统计,我国80%的关键基础设施(电力、交通、能源)依靠嵌入式系统自动化作业,在2020年物联网设备将达到500亿规模。随着嵌入式系统的发展也发现了越来越多问题,各种恶意软件、病毒、木马威胁个人、行业以及国家的安全。已暴露的漏洞和攻击方法逐年增长,未暴露的问题可能更多,高速发展的嵌入式系统面临很多未知的安全隐患。According to the statistics of relevant institutions, 80% of China's key infrastructure (electricity, transportation, energy) relies on embedded system automation, and in 2020, IoT equipment will reach 50 billion. With the development of embedded systems, more and more problems have been discovered. Various malware, viruses, and Trojans threaten individuals, industries, and countries. The exposed vulnerabilities and attack methods have been increasing year by year, and the problems that are not exposed may be more. The high-speed development of embedded systems faces many unknown security risks.
发明概述Summary of invention
以下是对本文详细描述的主题的概述。本概述并非是为了限制权利要求的保护范围。The following is an overview of the topics detailed in this document. This Summary is not intended to limit the scope of the claims.
本发明实施例提出了一种主动防御方法和装置,能够提高应用程序的安全性。The embodiment of the invention provides an active defense method and device, which can improve the security of the application.
为了达到上述目的,本发明实施例提出了一种主动防御方法,该方法包括:In order to achieve the above object, an embodiment of the present invention provides an active defense method, where the method includes:
根据业务源代码,通过编译生成多个不同的异构版本;Generate multiple different heterogeneous versions by compiling according to the business source code;
根据多个不同的异构版本,将异构版本写入到多个设备中。Write heterogeneous versions to multiple devices based on several different heterogeneous versions.
可选的,所述根据业务源代码,通过编译生成多个不同的异构版本的步骤包括:Optionally, the step of generating a plurality of different heterogeneous versions by compiling according to the service source code includes:
生成新的系统调用的头文件;Generate a header file for the new system call;
根据新的系统调用的头文件,对业务源代码进行编译,生成对应的业务镜像文件;Compiling the service source code according to the header file of the new system call, and generating a corresponding service image file;
根据新的系统调用的头文件,对操作系统进行编译,生成对应的内核镜
像文件;Compile the operating system according to the header file of the new system call to generate the corresponding kernel mirror
Like a file;
根据生成的业务镜像文件和内核镜像文件,形成业务源代码对应的一个异构版本。A heterogeneous version corresponding to the service source code is formed according to the generated business image file and the kernel image file.
可选的,所述生成新的系统调用的头文件的步骤包括:Optionally, the step of generating a header file of a new system call includes:
读取系统调用头文件,所述系统调用头文件中记录有系统调用号和系统调用功能之间的映射关系;Reading a system call header file, wherein the system call header file records a mapping relationship between a system call number and a system call function;
针对系统调用头文件中记录的任意一个系统调用功能,生成一个随机数;其中,所述随机数没有被其他系统调用功能占用;Generating a random number for any system call function recorded in the system call header file; wherein the random number is not occupied by other system call functions;
将生成的随机数作为当前系统调用功能对应的系统调用号;并将当前系统调用功能和系统调用号之间的映射关系记录在新的系统调用头文件中。The generated random number is used as the system call number corresponding to the current system call function; and the mapping relationship between the current system call function and the system call number is recorded in the new system call header file.
可选的,所述根据多个不同的异构版本,将异构版本写入到多个设备中的步骤包括:Optionally, the step of writing the heterogeneous version into multiple devices according to multiple different heterogeneous versions includes:
将生成的多个不同的异构版本加入到待发布版本列表中;Add multiple different heterogeneous versions generated to the list of releases to be released;
生成一个随机数,随机数为整数并且小于或等于当前待发布版本列表中异构版本的数目,根据该随机数Na,将待发布版本列表中第Na个异构版本写入到设备中;Generating a random number, the random number is an integer and is less than or equal to the number of heterogeneous versions in the current to-be-released version list, and the Na heterogeneous version in the to-be-released version list is written to the device according to the random number Na;
对于写入到设备的将该异构版本,将该异构版本从待发布版本列表搬移到已发布版本列表,并更新两个版本列表中的版本数目。For the heterogeneous version written to the device, move the heterogeneous version from the list of published versions to the list of published versions and update the number of versions in both versions.
可选的,在所述生成一个随机数之前,所述方法还包括:Optionally, before the generating a random number, the method further includes:
判断发布版本列表中异构版本的数目是否为0;Determine whether the number of heterogeneous versions in the release version list is 0;
如果为0,则将已发布版本列表中的全部异构版本加入到待发布版本列表中,并对应地更新已发布版本列表和待发布版本列表中的异构版本的数目;If it is 0, all the heterogeneous versions in the published version list are added to the list of to-be-released versions, and the number of heterogeneous versions in the published version list and the to-be-released list is updated correspondingly;
如果不为0,则执行所述生成一个随机数的步骤。If not 0, the step of generating a random number is performed.
本申请另外提供一种计算机可读存储介质,存储有计算机可执行指令,所述计算机可执行指令被执行时实现上述方法。The application further provides a computer readable storage medium storing computer executable instructions that are implemented when the computer executable instructions are executed.
为了达到上述目的,本发明实施例还提出了一种主动防御装置,所述装置包括:
In order to achieve the above object, an embodiment of the present invention further provides an active defense device, where the device includes:
异构编译单元,设置成根据业务源代码,通过编译生成多个不同的异构版本;a heterogeneous compilation unit, configured to generate a plurality of different heterogeneous versions by compiling according to the business source code;
异构版本写入单元,设置成根据多个不同的异构版本,将异构版本写入到多个设备中。A heterogeneous version is written to a unit that is set to write heterogeneous versions to multiple devices based on multiple different heterogeneous versions.
可选的,所述异构编译单元包括:Optionally, the heterogeneous compilation unit includes:
头文件生成模块,设置成生成新的系统调用的头文件;a header file generation module configured to generate a header file of a new system call;
业务镜像模块,设置成根据新的系统调用的头文件,对业务源代码进行编译,生成对应的业务镜像文件;The service image module is configured to compile the service source code according to the header file of the new system call, and generate a corresponding service image file;
内核镜像模块,设置成根据新的系统调用的头文件,对操作系统进行编译,生成对应的内核镜像文件;The kernel image module is configured to compile the operating system according to the header file of the new system call, and generate a corresponding kernel image file;
编译模块,设置成根据生成的业务镜像文件和内核镜像文件,形成业务源代码对应的一个异构版本。The compiling module is configured to form a heterogeneous version corresponding to the service source code according to the generated business image file and the kernel image file.
可选的,所述头文件生成模块包括:Optionally, the header file generating module includes:
读取子模块,设置成读取系统调用头文件,所述系统调用头文件中记录有系统调用号和系统调用功能之间的映射关系;Reading a submodule, configured to read a system call header file, wherein the system call header file records a mapping relationship between a system call number and a system call function;
随机数模块,设置成针对系统调用头文件中记录的任意一个系统调用功能,生成一个随机数;其中,所述随机数没有被其他系统调用功能占用;The random number module is configured to generate a random number for any system call function recorded in the system call header file; wherein the random number is not occupied by other system calling functions;
映射关系记录模块,设置成将生成的随机数作为当前系统调用功能对应的系统调用号;并将当前系统调用功能和系统调用号之间的映射关系记录在新的系统调用头文件中。The mapping relationship record module is configured to use the generated random number as the system call number corresponding to the current system call function; and record the mapping relationship between the current system call function and the system call number in the new system call header file.
可选的,所述异构版本写入单元包括:Optionally, the heterogeneous version writing unit includes:
待发布列表模块,设置成将异构编译单元生成的多个不同的异构版本加入到待发布版本列表中;The to-be-published list module is configured to add a plurality of different heterogeneous versions generated by the heterogeneous compilation unit to the list of to-be-released versions;
选取模块,设置成生成一个随机数,随机数为整数并且小于或等于当前待发布版本列表中异构版本的数目,根据该随机数Na,将待发布版本列表中第Na个异构版本写入到设备中;The module is configured to generate a random number, the random number is an integer and is less than or equal to the number of heterogeneous versions in the current release list, and the Na heterogeneous version in the to-be-released list is written according to the random number Na. Into the device;
已发布列表模块,设置成对于写入到设备的将该异构版本,将该异构版
本从待发布版本列表搬移到已发布版本列表,并更新两个版本列表中的版本数目。a published list module, set to write to the heterogeneous version of the device, the heterogeneous version
This moves from the list of releases to be released to the list of published versions and updates the number of versions in both versions.
可选的,所述待发布列表模块还设置成Optionally, the to-be-published list module is further configured to
判断发布版本列表中异构版本的数目是否为0;Determine whether the number of heterogeneous versions in the release version list is 0;
如果为0,则将已发布版本列表中的全部异构版本加入到待发布版本列表中,并对应地更新已发布版本列表和待发布版本列表中的异构版本的数目;If it is 0, all the heterogeneous versions in the published version list are added to the list of to-be-released versions, and the number of heterogeneous versions in the published version list and the to-be-released list is updated correspondingly;
如果不为0,则通知选取模块选取所述第Na个异构版本。If not 0, the notification selection module selects the Na heterogeneous version.
本发明实施例提供的技术方案包括:根据业务源代码,通过编译生成多个不同的异构版本;根据多个不同的异构版本,将异构版本写入到多个设备中。通过本申请的方案,对于不同的设备安装相同的业务软件时,使用不同的异构版本,将动态、多样、随机等特征集成到软件系统中,打破攻击链所依赖的固定的、可预期的、一致性的规律,使软件系统具备拟态主动防御的能力,从而增加攻击者对系统的不确定性和明显的攻击复杂度,减少攻击者的机会时间窗口,并增加攻击者探测和进行攻击的花销。The technical solution provided by the embodiment of the present invention includes: generating multiple different heterogeneous versions by compiling according to the service source code; and writing the heterogeneous version to multiple devices according to multiple different heterogeneous versions. Through the solution of the present application, when installing the same business software for different devices, different heterogeneous versions are used, and dynamic, diverse, random and other features are integrated into the software system, breaking the fixed and predictable dependence of the attack chain. The law of consistency enables the software system to have the ability to mimic active defense, thereby increasing the attacker's uncertainty on the system and the obvious attack complexity, reducing the attacker's opportunity time window, and increasing the attacker's detection and attack. Spend.
在阅读并理解了附图和详细描述后,可以明白其他方面。Other aspects will be apparent upon reading and understanding the drawings and detailed description.
附图概述BRIEF abstract
下面对本发明实施例中的附图进行说明,实施例中的附图是用于对本发明实施例的进一步理解,与说明书一起用于解释本发明,并不构成对本申请保护范围的限制。The drawings in the embodiments of the present invention are described below, and the accompanying drawings are used to explain the present invention, and are not intended to limit the scope of the present application.
图1A、图1B和图1C分别为本发明实施例提供的主动防御方法的流程图;1A, 1B, and 1C are flowcharts of an active defense method according to an embodiment of the present invention;
图2A为本发明实施例提供的主动防御方法的流程图;2A is a flowchart of an active defense method according to an embodiment of the present invention;
图2B为待发布版本列表和已发布版本列表的示意图;2B is a schematic diagram of a list of releases to be released and a list of published versions;
图3为本发明实施例提供的主动防御装置的结构组成示意图。FIG. 3 is a schematic structural diagram of an active defense device according to an embodiment of the present invention.
详述
Detailed
为了便于本领域技术人员的理解,下面结合附图对本发明实施例作进一步的描述,并不能用来限制本申请的保护范围。需要说明的是,在不冲突的情况下,本申请中的实施例及实施例中的各种方式可以相互组合。In order to facilitate the understanding of those skilled in the art, the embodiments of the present invention are further described below in conjunction with the accompanying drawings, and are not intended to limit the scope of the application. It should be noted that the embodiments in the present application and the various manners in the embodiments may be combined with each other without conflict.
在嵌入式系统领域除了需要面对这些未知的安全隐患,还有存在自身的特点:处理器性能相对IT系统的处理器性能低;实时性或关键业务性能指标要求较高;嵌入式系统要求长期持续运行并无需专人维护。因此嵌入式系统的安全问题难以使用IT安全领域的方式(例如病毒扫描、经常更新补丁)解决。In the field of embedded systems, in addition to facing these unknown security risks, there are also their own characteristics: processor performance is lower than that of IT systems; real-time or key business performance indicators are high; embedded systems require long-term Continuous operation does not require dedicated maintenance. Therefore, the security problems of embedded systems are difficult to solve by using the IT security domain (such as virus scanning, frequent update patches).
通过对已知的攻击过程进行分析研究,可以发现攻击步骤分为:系统探测、漏洞挖掘、系统突破、系统控制等几个环节。每个环节中攻击者都需要依赖系统中固定的、可预期的、一致性的规律,例如系统探测阶段可收集系统版本信息,确认是否存在某个已知的安全漏洞;在系统突破和系统控制方面可获取固定的特权接口实施系统控制和系统突破。随着开源社区的发展,越来越多的嵌入式设备使用开源软件,但也给攻击者带来了很多便利,更容易获取到系统的漏洞和攻击方案。Through analysis and research on the known attack process, it can be found that the attack steps are divided into: system detection, vulnerability mining, system breakthrough, system control and so on. Attackers in each link need to rely on fixed, predictable, and consistent rules in the system. For example, the system detection phase can collect system version information to confirm whether there is a known security vulnerability; in system breakthrough and system control Aspects can obtain fixed privileged interfaces to implement system control and system breakthroughs. With the development of the open source community, more and more embedded devices use open source software, but it also brings a lot of convenience to attackers, and it is easier to obtain system vulnerabilities and attack scenarios.
参见图1A,本发明实施例提出了一种主动防御方法,所述方法包括:Referring to FIG. 1A, an embodiment of the present invention provides an active defense method, where the method includes:
步骤100,根据业务源代码,通过编译生成多个不同的异构版本;Step 100: Generate multiple different heterogeneous versions by compiling according to the service source code.
步骤200,根据多个不同的异构版本,将异构版本写入到多个设备中。Step 200: Write the heterogeneous version to multiple devices according to multiple different heterogeneous versions.
可选地,参见图1B,步骤100包括:Optionally, referring to FIG. 1B, step 100 includes:
步骤110,生成新的系统调用的头文件; Step 110, generating a header file of a new system call;
步骤120,根据新的系统调用的头文件,对业务源代码进行编译,生成对应的业务镜像文件;Step 120: Compile the service source code according to the header file of the new system call, and generate a corresponding service image file.
步骤130,根据新的系统调用的头文件,对操作系统进行编译,生成对应的内核镜像文件;Step 130: Compile the operating system according to the header file of the new system call, and generate a corresponding kernel image file.
步骤140,根据生成的业务镜像文件和内核镜像文件,形成业务源代码对应的一个异构版本。Step 140: Form a heterogeneous version corresponding to the service source code according to the generated service image file and the kernel image file.
按照步骤110~步骤140形成不同的异构版本,直至异构版本的数目达到预先设置的异构版本预定数目。
Different heterogeneous versions are formed according to steps 110 to 140 until the number of heterogeneous versions reaches a predetermined number of heterogeneous versions set in advance.
下面对步骤110中生成新的系统调用的头文件的过程进行说明。The process of generating a header file for a new system call in step 110 will be described below.
参见图1C,步骤110包括:Referring to FIG. 1C, step 110 includes:
步骤111,读取系统调用头文件,所述系统调用头文件中记录有系统调用号和系统调用功能之间的映射关系;Step 111: reading a system call header file, where a mapping relationship between a system call number and a system call function is recorded in the system call header file;
步骤112,是否完成所述系统调用头文件中全部系统调用功能的遍历;如果没有完成所述系统调用头文件中全部系统调用功能的遍历,则执行步骤113; Step 112, whether to complete the traversal of all system call functions in the system call header file; if the traversal of all system call functions in the system call header file is not completed, step 113 is performed;
步骤113,针对该当前系统调用功能,生成一个随机数;其中,当前系统调用功能未遍历的系统调用功能中的一个;Step 113: Generate a random number for the current system call function, where one of the system call functions that the current system call function does not traverse;
其中随机数是动态生成的。The random number is dynamically generated.
步骤114,检查该随机数是否已经被其他的系统调用功能占用;如果该随机数没有被其他的系统调用功能占用,则执行步骤115;如果该随机数已经被其他的系统调用功能占用,则执行步骤113;Step 114: Check whether the random number has been occupied by other system calling functions; if the random number is not occupied by other system calling functions, execute step 115; if the random number has been occupied by other system calling functions, execute Step 113;
步骤115,将生成的随机数作为当前系统调用功能对应的系统调用号;并将当前系统调用功能和系统调用号之间的映射关系记录在新的系统调用头文件中。Step 115: The generated random number is used as a system call number corresponding to the current system call function; and the mapping relationship between the current system call function and the system call number is recorded in the new system call header file.
下面结合一个具体的示例进行说明。如表1所示,为步骤111中读取的系统调用头文件中记录的系统调用号和系统调用功能之间的映射关系。The following is described in conjunction with a specific example. As shown in Table 1, the mapping relationship between the system call number recorded in the system call header file read in step 111 and the system call function is shown.
| 系统调用功能System call function | 系统调用号System call number |
| 调用功能1Call function 1 | 调用号1Call number 1 |
| 调用功能2Call function 2 | 调用号2Call number 2 |
| …... | …... |
| 调用功能NCall function N | 调用号NCall number N |
表1系统调用头文件中系统调用号和系统调用功能之间的映射关系Table 1 mapping relationship between the system call number and the system call function in the system call header file
表2为根据步骤112~步骤115生成的新的系统调用头文件中记录的系统调用号和系统调用功能之间的映射关系;新的系统调用头文件中,每一个系统调用号都是不同的,即随机数1、随机数2…以及随机数N都是不同的。
Table 2 shows the mapping relationship between the system call number and the system call function recorded in the new system call header file generated according to steps 112 to 115; in the new system call header file, each system call number is different. , that is, the random number 1, the random number 2, and the random number N are all different.
| 系统调用功能System call function | 系统调用号System call number |
| 调用功能1Call function 1 | 随机数1Random number 1 |
| 调用功能2Call function 2 | 随机数2Random number 2 |
| …... | …... |
| 调用功能NCall function N | 随机数NRandom number N |
表2新的系统调用头文件中系统调用号和系统调用功能间的映射关系Table 2 Mapping between system call number and system call function in the new system call header file
参见图2A,其中,步骤200中根据多个不同的异构版本,将异构版本写入到多个设备中包括:Referring to FIG. 2A, in step 200, writing a heterogeneous version to multiple devices according to multiple different heterogeneous versions includes:
步骤210、将生成的多个不同的异构版本加入到待发布版本列表中;Step 210: Add multiple generated heterogeneous versions to the list of to-be-released versions;
步骤220、判断发布版本列表中异构版本的数目是否为0,如果为0,则,执行步骤230,如果不为0,则执行步骤240; Step 220, determining whether the number of heterogeneous versions in the release version list is 0, if it is 0, then executing step 230, if not 0, executing step 240;
步骤230、则将已发布版本列表中的全部异构版本加入到待发布版本列表中,并对应地更新已发布版本列表和待发布版本列表中的异构版本的数目;Step 230: Add all the heterogeneous versions in the published version list to the to-be-released version list, and update the number of the heterogeneous versions in the published version list and the to-be-released version list correspondingly;
步骤240、选取待发布版本列表中的一个,将该异构版本写入到设备中。Step 240: Select one of the to-be-published version lists, and write the heterogeneous version to the device.
步骤240中,生成一个随机数,随机数为整数并且小于或等于当前待发布版本列表中异构版本的数目,根据该随机数Na,将待发布版本列表中第Na个异构版本写入到设备中。In step 240, a random number is generated, the random number is an integer and is less than or equal to the number of heterogeneous versions in the current release list, and the Na heterogeneous version in the to-be-released list is written according to the random number Na. In the device.
可选地,将该异构版本写入到设备中具体为将异构版本烧写到设备中。Optionally, writing the heterogeneous version to the device specifically writes the heterogeneous version into the device.
步骤250、对于写入到设备的将该异构版本,获取设备对应的硬件信息(例如MAC地址、硬件设备ID等),将此设备信息记录到当前选择的异构版本对应的已安装设备信息中,将该异构版本从待发布版本列表搬移到已发布版本列表,并更新两个版本列表中的版本数目。Step 250: Obtain hardware information (such as a MAC address, a hardware device ID, and the like) corresponding to the device for the heterogeneous version written to the device, and record the device information to the installed device information corresponding to the currently selected heterogeneous version. Move the heterogeneous version from the list of published versions to the list of published versions and update the number of versions in both versions.
可选地,步骤240和步骤250的顺序可以更换。Alternatively, the order of steps 240 and 250 may be replaced.
步骤260、是否完成所有设备的写入,如果完成,则结束,如果没有完成,则执行步骤220。 Step 260, whether to complete the writing of all devices, if it is completed, it ends, if not, then step 220 is performed.
如图2B所示,为待发布版本列表和已发布版本列表的示意图。As shown in FIG. 2B, it is a schematic diagram of a list of releases to be released and a list of published versions.
本发明实施例中,对于运行相同业务软件的不同设备,在运行阶段可以
看到不同设备使用不同的软件版本,包括操作系统和业务系统都属于异构系统。通过异构系统保护了开源操作系统对外界的系统调用接口,在攻击者可以获取到操作系统的源代码并分析到系统的漏洞的情况下,仍然无法获取到正确的系统调用号。操作系统管理系统的核心资源和特权操作,攻击者无法预知操作系统对外接口因此无法访问关键资源和执行特权操作。当攻击者使用暴力破解方式获取单个设备的外部接口,但暴力破解获取的接口不适用于其他设备,无法提供统一的攻击方案,不能对设备造成规模性的威胁。In the embodiment of the present invention, for different devices running the same service software, the operation phase may be
It is seen that different devices use different software versions, including operating systems and business systems, which are heterogeneous systems. The heterogeneous system protects the system call interface of the open source operating system to the outside world. When the attacker can obtain the source code of the operating system and analyze the vulnerability of the system, the correct system call number cannot be obtained. The operating system manages the system's core resources and privileged operations. An attacker cannot predict the operating system's external interface and therefore cannot access critical resources and perform privileged operations. When an attacker uses a brute force attack to obtain the external interface of a single device, the interface obtained by brute force cracking is not applicable to other devices, and cannot provide a unified attack solution, and cannot cause a scale threat to the device.
本发明实施例在运行阶段系统未新增任何安全处理流程(例如IT安全手段中实时扫描、入侵监测等),因此本发明实施例在运行时不影响系统实时性以及关键业务性能等指标,同时也有利于原有嵌入式系统快速部署本专利方案提高产品安全性。In the embodiment of the present invention, the system does not add any security processing procedures (such as real-time scanning, intrusion monitoring, and the like in the IT security device). Therefore, the embodiment of the present invention does not affect the real-time performance of the system and the key service performance indicators during the operation. It is also conducive to the rapid deployment of this patented solution to the original embedded system to improve product safety.
本发明实施例无需改变原有业务系统,通过底层基础软件(操作系统、编译器)和版本发布机制引入随机性特征,破坏攻击链提高系统的安全性。本发明实施例由于不修改原有系统业务,因此不影响系统的实时性、关键业务性能;同时随机性和异构特征也使得原有系统具备主动防御的特征,可以有效防止非法访问内核关键资源和非法特权操作的攻击行为。The embodiment of the present invention does not need to change the original service system, introduces random characteristics through the underlying basic software (operating system, compiler) and version release mechanism, and destroys the attack chain to improve the security of the system. In the embodiment of the present invention, since the original system service is not modified, the real-time performance and key service performance of the system are not affected; and the randomness and heterogeneous features also enable the original system to have active defense features, which can effectively prevent illegal access to key resources of the kernel. Attacks with illegal privileged operations.
本发明实施例另外提供一种计算机可读存储介质,存储有计算机可执行指令,所述计算机可执行指令被执行时实现上述方法。Embodiments of the present invention further provide a computer readable storage medium storing computer executable instructions that are implemented when the computer executable instructions are executed.
基于与上述实施例相同或相似的构思,本发明实施例还提供一种主动防御装置,参见图3,本发明实施例提出的一种主动防御装置包括:Based on the same or similar concepts as the above embodiments, the embodiment of the present invention further provides an active defense device. Referring to FIG. 3, an active defense device according to an embodiment of the present invention includes:
异构编译单元10,设置成根据业务源代码,通过编译生成多个不同的异构版本;The heterogeneous compilation unit 10 is configured to generate a plurality of different heterogeneous versions by compiling according to the service source code;
异构版本写入单元20,设置成根据多个不同的异构版本,将异构版本写入到多个设备中。The heterogeneous version writing unit 20 is configured to write the heterogeneous version to a plurality of devices according to a plurality of different heterogeneous versions.
本发明实施例中,所述异构编译单元10包括:In the embodiment of the present invention, the heterogeneous coding unit 10 includes:
头文件生成模块11,设置成生成新的系统调用的头文件;a header file generating module 11 configured to generate a header file of a new system call;
业务镜像模块12,设置成根据新的系统调用的头文件,对业务源代码进行编译,生成对应的业务镜像文件;The service mirroring module 12 is configured to compile the service source code according to the header file of the new system call, and generate a corresponding service image file.
内核镜像模块13,设置成根据新的系统调用的头文件,对操作系统进行
编译,生成对应的内核镜像文件;The kernel mirroring module 13 is configured to perform an operating system according to a header file of the new system call.
Compile and generate the corresponding kernel image file;
编译模块14,设置成根据生成的业务镜像文件和内核镜像文件,形成业务源代码对应的一个异构版本。The compiling module 14 is configured to form a heterogeneous version corresponding to the service source code according to the generated service image file and the kernel image file.
本发明实施例中,所述头文件生成模块11包括:In the embodiment of the present invention, the header file generating module 11 includes:
读取子模块,设置成读取系统调用头文件,所述系统调用头文件中记录有系统调用号和系统调用功能之间的映射关系;Reading a submodule, configured to read a system call header file, wherein the system call header file records a mapping relationship between a system call number and a system call function;
随机数模块,设置成针对系统调用头文件中记录的任意一个系统调用功能,生成一个随机数;其中,所述随机数没有被其他系统调用功能占用;The random number module is configured to generate a random number for any system call function recorded in the system call header file; wherein the random number is not occupied by other system calling functions;
映射关系记录模块,设置成将生成的随机数作为当前系统调用功能对应的系统调用号;并将当前系统调用功能和系统调用号之间的映射关系记录在新的系统调用头文件中。The mapping relationship record module is configured to use the generated random number as the system call number corresponding to the current system call function; and record the mapping relationship between the current system call function and the system call number in the new system call header file.
本发明实施例中,所述异构版本写入单元20包括:In the embodiment of the present invention, the heterogeneous version writing unit 20 includes:
待发布列表模块21,设置成将异构编译单元生成的多个不同的异构版本加入到待发布版本列表中;The to-be-published list module 21 is configured to add a plurality of different heterogeneous versions generated by the heterogeneous compilation unit to the list of to-be-released versions;
选取模块22,设置成生成一个随机数,随机数为整数并且小于或等于当前待发布版本列表中异构版本的数目,根据该随机数Na,将待发布版本列表中第Na个异构版本写入到设备中;The module 22 is configured to generate a random number, the random number is an integer and is less than or equal to the number of heterogeneous versions in the current release list, and the Na heterogeneous version in the to-be-released list is written according to the random number Na. Enter into the device;
已发布列表模块23,设置成对于写入到设备的将该异构版本,将该异构版本从待发布版本列表搬移到已发布版本列表,并更新两个版本列表中的版本数目。The published list module 23 is configured to move the heterogeneous version from the list of to-be-released lists to the published version list for the heterogeneous version written to the device, and update the number of versions in the two version lists.
本发明实施例中,所述待发布列表模块21还设置成In the embodiment of the present invention, the to-be-published list module 21 is further configured to
判断发布版本列表中异构版本的数目是否为0;Determine whether the number of heterogeneous versions in the release version list is 0;
如果为0,则将已发布版本列表中的全部异构版本加入到待发布版本列表中,并对应地更新已发布版本列表和待发布版本列表中的异构版本的数目;If it is 0, all the heterogeneous versions in the published version list are added to the list of to-be-released versions, and the number of heterogeneous versions in the published version list and the to-be-released list is updated correspondingly;
如果不为0,则通知选取模块选取所述第Na个异构版本。If not 0, the notification selection module selects the Na heterogeneous version.
本领域普通技术人员可以理解,上文中所公开方法中的全部或某些步骤、系统、装置中的功能模块/单元可以被实施为软件、固件、硬件及其适当的组合。在硬件实施方式中,在以上描述中提及的功能模块/单元之间的划分不一定对应于物理单元的划分;例如,一个物理组件可以具有多个功能,或者一
个功能或步骤可以由若干物理组件合作执行。某些组件或者所有组件可以被实施为由处理器,如数字信号处理器或微处理器执行的软件,或者被实施为硬件,或者被实施为集成电路,如专用集成电路。这样的软件可以分布在计算机可读介质上,计算机可读介质可以包括计算机存储介质(或非暂时性介质)和通信介质(或暂时性介质)。如本领域普通技术人员公知的,术语计算机存储介质包括在用于存储信息(诸如计算机可读指令、数据结构、程序模块或其他数据)的任何方法或技术中实施的易失性和非易失性、可移除和不可移除介质。计算机存储介质包括但不限于RAM、ROM、EEPROM、闪存或其他存储器技术、CD-ROM、数字多功能盘(DVD)或其他光盘存储、磁盒、磁带、磁盘存储或其他磁存储装置、或者可以用于存储期望的信息并且可以被计算机访问的任何其他的介质。此外,本领域普通技术人员公知的是,通信介质通常包含计算机可读指令、数据结构、程序模块或者诸如载波或其他传输机制之类的调制数据信号中的其他数据,并且可包括任何信息递送介质。Those of ordinary skill in the art will appreciate that all or some of the steps, systems, and functional blocks/units of the methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical units; for example, one physical component may have multiple functions, or one
A function or step can be performed cooperatively by several physical components. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on a computer readable medium, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage medium includes volatile and nonvolatile, implemented in any method or technology for storing information, such as computer readable instructions, data structures, program modules or other data. Sex, removable and non-removable media. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical disc storage, magnetic cartridge, magnetic tape, magnetic disk storage or other magnetic storage device, or may Any other medium used to store the desired information and that can be accessed by the computer. Moreover, it is well known to those skilled in the art that communication media typically includes computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and can include any information delivery media. .
要说明的是,以上所述的实施例仅是为了便于本领域的技术人员理解而已,并不用于限制本申请的保护范围,在不脱离本申请的发明构思的前提下,本领域技术人员对本发明实施例所做出的任何显而易见的替换和改进等均在本申请的保护范围之内。It should be noted that the above-mentioned embodiments are only for the purpose of facilitating the understanding of those skilled in the art, and are not intended to limit the scope of the present application, and those skilled in the art will Any obvious substitutions and improvements made by the embodiments of the invention are within the scope of the present application.
本发明实施例提供的技术方案包括:根据业务源代码,通过编译生成多个不同的异构版本;根据多个不同的异构版本,将异构版本写入到多个设备中。通过本申请的方案,对于不同的设备安装相同的业务软件时,使用不同的异构版本,将动态、多样、随机等特征集成到软件系统中,打破攻击链所依赖的固定的、可预期的、一致性的规律,使软件系统具备拟态主动防御的能力,从而增加攻击者对系统的不确定性和明显的攻击复杂度,减少攻击者的机会时间窗口,并增加攻击者探测和进行攻击的花销。
The technical solution provided by the embodiment of the present invention includes: generating multiple different heterogeneous versions by compiling according to the service source code; and writing the heterogeneous version to multiple devices according to multiple different heterogeneous versions. Through the solution of the present application, when installing the same business software for different devices, different heterogeneous versions are used, and dynamic, diverse, random and other features are integrated into the software system, breaking the fixed and predictable dependence of the attack chain. The law of consistency enables the software system to have the ability to mimic active defense, thereby increasing the attacker's uncertainty on the system and the obvious attack complexity, reducing the attacker's opportunity time window, and increasing the attacker's detection and attack. Spend.
Claims (10)
- 一种主动防御方法,包括:An active defense method, including:根据业务源代码,通过编译生成多个不同的异构版本;Generate multiple different heterogeneous versions by compiling according to the business source code;根据多个不同的异构版本,将异构版本写入到多个设备中。Write heterogeneous versions to multiple devices based on several different heterogeneous versions.
- 根据权利要求1所述的主动防御方法,其中,所述根据业务源代码,通过编译生成多个不同的异构版本的步骤包括:The active defense method according to claim 1, wherein the step of generating a plurality of different heterogeneous versions by compiling according to the service source code comprises:生成新的系统调用的头文件;Generate a header file for the new system call;根据新的系统调用的头文件,对业务源代码进行编译,生成对应的业务镜像文件;Compiling the service source code according to the header file of the new system call, and generating a corresponding service image file;根据新的系统调用的头文件,对操作系统进行编译,生成对应的内核镜像文件;Compile the operating system according to the header file of the new system call, and generate a corresponding kernel image file;根据生成的业务镜像文件和内核镜像文件,形成业务源代码对应的一个异构版本。A heterogeneous version corresponding to the service source code is formed according to the generated business image file and the kernel image file.
- 根据权利要求2所述的主动防御方法,其中,所述生成新的系统调用的头文件的步骤包括:The active defense method according to claim 2, wherein said step of generating a header file of a new system call comprises:读取系统调用头文件,所述系统调用头文件中记录有系统调用号和系统调用功能之间的映射关系;Reading a system call header file, wherein the system call header file records a mapping relationship between a system call number and a system call function;针对系统调用头文件中记录的任意一个系统调用功能,生成一个随机数;其中,所述随机数没有被其他系统调用功能占用;Generating a random number for any system call function recorded in the system call header file; wherein the random number is not occupied by other system call functions;将生成的随机数作为当前系统调用功能对应的系统调用号;并将当前系统调用功能和系统调用号之间的映射关系记录在新的系统调用头文件中。The generated random number is used as the system call number corresponding to the current system call function; and the mapping relationship between the current system call function and the system call number is recorded in the new system call header file.
- 根据权利要求1所述的主动防御方法,其中,所述根据多个不同的异构版本,将异构版本写入到多个设备中的步骤包括:The active defense method according to claim 1, wherein the step of writing the heterogeneous version into the plurality of devices according to the plurality of different heterogeneous versions comprises:将生成的多个不同的异构版本加入到待发布版本列表中;Add multiple different heterogeneous versions generated to the list of releases to be released;生成一个随机数,随机数为整数并且小于或等于当前待发布版本列表中异构版本的数目,根据该随机数Na,将待发布版本列表中第Na个异构版本写入到设备中; Generating a random number, the random number is an integer and is less than or equal to the number of heterogeneous versions in the current to-be-released version list, and the Na heterogeneous version in the to-be-released version list is written to the device according to the random number Na;对于写入到设备的将该异构版本,将该异构版本从待发布版本列表搬移到已发布版本列表,并更新两个版本列表中的版本数目。For the heterogeneous version written to the device, move the heterogeneous version from the list of published versions to the list of published versions and update the number of versions in both versions.
- 根据权利要求4所述的主动防御方法,在所述生成一个随机数之前,所述方法还包括:The active defense method according to claim 4, before the generating a random number, the method further comprises:判断发布版本列表中异构版本的数目是否为0;Determine whether the number of heterogeneous versions in the release version list is 0;如果为0,则将已发布版本列表中的全部异构版本加入到待发布版本列表中,并对应地更新已发布版本列表和待发布版本列表中的异构版本的数目;If it is 0, all the heterogeneous versions in the published version list are added to the list of to-be-released versions, and the number of heterogeneous versions in the published version list and the to-be-released list is updated correspondingly;如果不为0,则执行所述生成一个随机数的步骤。If not 0, the step of generating a random number is performed.
- 一种主动防御装置,包括:An active defense device, including:异构编译单元,设置成根据业务源代码,通过编译生成多个不同的异构版本;a heterogeneous compilation unit, configured to generate a plurality of different heterogeneous versions by compiling according to the business source code;异构版本写入单元,设置成根据多个不同的异构版本,将异构版本写入到多个设备中。A heterogeneous version is written to a unit that is set to write heterogeneous versions to multiple devices based on multiple different heterogeneous versions.
- 根据权利要求6所述的主动防御装置,其中,所述异构编译单元包括:The active defense device of claim 6, wherein the heterogeneous compilation unit comprises:头文件生成模块,设置成生成新的系统调用的头文件;a header file generation module configured to generate a header file of a new system call;业务镜像模块,设置成根据新的系统调用的头文件,对业务源代码进行编译,生成对应的业务镜像文件;The service image module is configured to compile the service source code according to the header file of the new system call, and generate a corresponding service image file;内核镜像模块,设置成根据新的系统调用的头文件,对操作系统进行编译,生成对应的内核镜像文件;The kernel image module is configured to compile the operating system according to the header file of the new system call, and generate a corresponding kernel image file;编译模块,设置成根据生成的业务镜像文件和内核镜像文件,形成业务源代码对应的一个异构版本。The compiling module is configured to form a heterogeneous version corresponding to the service source code according to the generated business image file and the kernel image file.
- 根据权利要求7所述的主动防御装置,其中,所述头文件生成模块包括:The active defense device of claim 7, wherein the header file generating module comprises:读取子模块,设置成读取系统调用头文件,所述系统调用头文件中记录有系统调用号和系统调用功能之间的映射关系;Reading a submodule, configured to read a system call header file, wherein the system call header file records a mapping relationship between a system call number and a system call function;随机数模块,设置成针对系统调用头文件中记录的任意一个系统调用功能,生成一个随机数;其中,所述随机数没有被其他系统调用功能占用; The random number module is configured to generate a random number for any system call function recorded in the system call header file; wherein the random number is not occupied by other system calling functions;映射关系记录模块,设置成将生成的随机数作为当前系统调用功能对应的系统调用号;并将当前系统调用功能和系统调用号之间的映射关系记录在新的系统调用头文件中。The mapping relationship record module is configured to use the generated random number as the system call number corresponding to the current system call function; and record the mapping relationship between the current system call function and the system call number in the new system call header file.
- 根据权利要求6所述的主动防御装置,其中,所述异构版本写入单元包括:The active defense device of claim 6, wherein the heterogeneous version writing unit comprises:待发布列表模块,设置成将异构编译单元生成的多个不同的异构版本加入到待发布版本列表中;The to-be-published list module is configured to add a plurality of different heterogeneous versions generated by the heterogeneous compilation unit to the list of to-be-released versions;选取模块,设置成生成一个随机数,随机数为整数并且小于或等于当前待发布版本列表中异构版本的数目,根据该随机数Na,将待发布版本列表中第Na个异构版本写入到设备中;The module is configured to generate a random number, the random number is an integer and is less than or equal to the number of heterogeneous versions in the current release list, and the Na heterogeneous version in the to-be-released list is written according to the random number Na. Into the device;已发布列表模块,设置成对于写入到设备的将该异构版本,将该异构版本从待发布版本列表搬移到已发布版本列表,并更新两个版本列表中的版本数目。The published list module is set to move the heterogeneous version from the list of to-be-released versions to the list of published versions for the heterogeneous version written to the device, and to update the number of versions in the two version lists.
- 根据权利要求9所述的主动防御装置,所述待发布列表模块还设置成The active defense device according to claim 9, wherein the to-be-published list module is further configured to判断发布版本列表中异构版本的数目是否为0;Determine whether the number of heterogeneous versions in the release version list is 0;如果为0,则将已发布版本列表中的全部异构版本加入到待发布版本列表中,并对应地更新已发布版本列表和待发布版本列表中的异构版本的数目;If it is 0, all the heterogeneous versions in the published version list are added to the list of to-be-released versions, and the number of heterogeneous versions in the published version list and the to-be-released list is updated correspondingly;如果不为0,则通知选取模块选取所述第Na个异构版本。 If not 0, the notification selection module selects the Na heterogeneous version.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610115377.0 | 2016-03-01 | ||
| CN201610115377.0A CN107145376B (en) | 2016-03-01 | 2016-03-01 | Active defense method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2017148289A1 true WO2017148289A1 (en) | 2017-09-08 |
Family
ID=59742535
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2017/074122 WO2017148289A1 (en) | 2016-03-01 | 2017-02-20 | Active defense method and device |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN107145376B (en) |
| WO (1) | WO2017148289A1 (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110247928A (en) * | 2019-06-29 | 2019-09-17 | 河南信大网御科技有限公司 | A kind of mimicry interchanger safe traffic control device and method |
| CN111624869A (en) * | 2020-04-25 | 2020-09-04 | 中国人民解放军战略支援部队信息工程大学 | Method and system for automatically sensing attack behavior and Ethernet switch |
| CN111783079A (en) * | 2020-06-04 | 2020-10-16 | 河南信大网御科技有限公司 | Mimicry defense device, mimicry defense method and mimicry defense framework |
| CN112134842A (en) * | 2020-08-18 | 2020-12-25 | 河南信大网御科技有限公司 | Heterogeneous executive super-privilege detector, method and mimicry architecture |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110134428B (en) | 2018-02-09 | 2024-02-06 | 中兴通讯股份有限公司 | Safety protection method and device |
| CN110324417B (en) * | 2019-06-29 | 2020-10-27 | 河南信大网御科技有限公司 | Cloud service execution body dynamic reconstruction method based on mimicry defense |
| CN110519253B (en) * | 2019-08-21 | 2020-08-28 | 浙江大学 | Virtual private network mimicry method in mimicry defense |
| CN110784475A (en) * | 2019-10-31 | 2020-02-11 | 中国人民解放军战略支援部队信息工程大学 | Security defense method and device |
| CN111459832B (en) * | 2020-04-13 | 2022-09-09 | 郑州昂视信息科技有限公司 | Heterogeneous compilation algorithm feasibility evaluation method and system |
| CN112612594B (en) * | 2020-12-30 | 2024-03-29 | 郑州昂视信息科技有限公司 | Execution body scheduling method and related device |
| CN113364791B (en) * | 2021-06-11 | 2022-12-20 | 北京天融信网络安全技术有限公司 | System and method for detecting interference version |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB2384066A (en) * | 2002-01-09 | 2003-07-16 | Hewlett Packard Co | Installation of software components having multiple implementations |
| CN1619458A (en) * | 2003-10-31 | 2005-05-25 | Sap股份公司 | Secure user-specific application versions |
| CN101816148A (en) * | 2007-08-06 | 2010-08-25 | 伯纳德·德莫森纳特 | Be used to verify, data transmit and the system and method for protection against phishing |
| CN101944170A (en) * | 2010-09-20 | 2011-01-12 | 中兴通讯股份有限公司 | Method, system and device for issuing software version |
| US20120221864A1 (en) * | 2008-03-12 | 2012-08-30 | Apple Inc. | Method and apparatus for computer code obfuscation and deobfuscation using boot installation |
| US20120260106A1 (en) * | 2011-04-07 | 2012-10-11 | Apple Inc. | System and method for binary layout randomization |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102118500B (en) * | 2010-12-27 | 2013-08-21 | 清华大学 | Software package-based online automatic updating method for open source operating system of mobile terminal |
| CN103853532B (en) * | 2012-11-29 | 2017-09-29 | 国际商业机器公司 | Method and apparatus for function call |
| CN103065102B (en) * | 2012-12-26 | 2015-05-27 | 中国人民解放军国防科学技术大学 | Data encryption mobile storage management method based on virtual disk |
-
2016
- 2016-03-01 CN CN201610115377.0A patent/CN107145376B/en active Active
-
2017
- 2017-02-20 WO PCT/CN2017/074122 patent/WO2017148289A1/en active Application Filing
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB2384066A (en) * | 2002-01-09 | 2003-07-16 | Hewlett Packard Co | Installation of software components having multiple implementations |
| CN1619458A (en) * | 2003-10-31 | 2005-05-25 | Sap股份公司 | Secure user-specific application versions |
| CN101816148A (en) * | 2007-08-06 | 2010-08-25 | 伯纳德·德莫森纳特 | Be used to verify, data transmit and the system and method for protection against phishing |
| US20120221864A1 (en) * | 2008-03-12 | 2012-08-30 | Apple Inc. | Method and apparatus for computer code obfuscation and deobfuscation using boot installation |
| CN101944170A (en) * | 2010-09-20 | 2011-01-12 | 中兴通讯股份有限公司 | Method, system and device for issuing software version |
| US20120260106A1 (en) * | 2011-04-07 | 2012-10-11 | Apple Inc. | System and method for binary layout randomization |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110247928A (en) * | 2019-06-29 | 2019-09-17 | 河南信大网御科技有限公司 | A kind of mimicry interchanger safe traffic control device and method |
| CN111624869A (en) * | 2020-04-25 | 2020-09-04 | 中国人民解放军战略支援部队信息工程大学 | Method and system for automatically sensing attack behavior and Ethernet switch |
| CN111783079A (en) * | 2020-06-04 | 2020-10-16 | 河南信大网御科技有限公司 | Mimicry defense device, mimicry defense method and mimicry defense framework |
| CN111783079B (en) * | 2020-06-04 | 2022-07-26 | 河南信大网御科技有限公司 | Mimicry defense device, mimicry defense method and mimicry defense framework |
| CN112134842A (en) * | 2020-08-18 | 2020-12-25 | 河南信大网御科技有限公司 | Heterogeneous executive super-privilege detector, method and mimicry architecture |
| CN112134842B (en) * | 2020-08-18 | 2022-08-16 | 河南信大网御科技有限公司 | Heterogeneous executive super-privilege detector, method and mimicry architecture |
Also Published As
| Publication number | Publication date |
|---|---|
| CN107145376B (en) | 2021-04-06 |
| CN107145376A (en) | 2017-09-08 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2017148289A1 (en) | Active defense method and device | |
| US11882134B2 (en) | Stateful rule generation for behavior based threat detection | |
| US20160269442A1 (en) | Methods and systems for improving analytics in distributed networks | |
| US11263295B2 (en) | Systems and methods for intrusion detection and prevention using software patching and honeypots | |
| US11409862B2 (en) | Intrusion detection and prevention for unknown software vulnerabilities using live patching | |
| US11368479B2 (en) | Methods and apparatus to identify and report cloud-based security vulnerabilities | |
| US20190220593A1 (en) | Systems and methods for tracking and recording events in a network of computing systems | |
| EP3270318B1 (en) | Dynamic security module terminal device and method for operating same | |
| EP3692695B1 (en) | Intrusion investigation | |
| KR102045772B1 (en) | Electronic system and method for detecting malicious code | |
| US11528291B2 (en) | Methods and apparatus for defending against exploitation of vulnerable software | |
| US11334666B2 (en) | Attack kill chain generation and utilization for threat analysis | |
| JP5951621B2 (en) | Inoculators and antibodies for computer security | |
| US11658996B2 (en) | Historic data breach detection | |
| US10791128B2 (en) | Intrusion detection | |
| US20230300168A1 (en) | Detecting malware infection path in a cloud computing environment utilizing a security graph | |
| Elsayed et al. | IFCaaS: information flow control as a service for cloud security | |
| US20230208862A1 (en) | Detecting malware infection path in a cloud computing environment utilizing a security graph | |
| US9509718B1 (en) | Network-attached storage solution for application servers | |
| CN109472138B (en) | Method, device and storage medium for detecting snort rule conflict | |
| US10943007B2 (en) | System and method for defending applications invoking anonymous functions | |
| US11611570B2 (en) | Attack signature generation | |
| US11392696B1 (en) | Systems and methods for detecting code implanted into a published application | |
| Hovmark et al. | Towards Extending Probabilistic Attack Graphs with Forensic Evidence: An investigation of property list files in macOS | |
| Lei et al. | MeadDroid: Detecting monetary theft attacks in Android by DVM monitoring |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| NENP | Non-entry into the national phase |
Ref country code: DE |
|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 17759140 Country of ref document: EP Kind code of ref document: A1 |
|
| 122 | Ep: pct application non-entry in european phase |
Ref document number: 17759140 Country of ref document: EP Kind code of ref document: A1 |