CN102902909B - A system and method for preventing files from being tampered with - Google Patents

A system and method for preventing files from being tampered with

Info

Publication number: CN102902909B
Authority: CN (China)
Prior art keywords: system call, file, application, monitoring, monitoring means
Legal status: Expired - Fee Related (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number: CN201210382366.0A
Other languages: Chinese (zh)
Other versions: CN102902909A
Inventors: 冯顾, 李涵, 刘浩
Current assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd; priority to CN201210382366.0A; published as CN102902909A; application granted and published as CN102902909B; current legal status Expired - Fee Related.

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a system for preventing files from being tampered with. The system resides in a computing device that has an operating system comprising a kernel space, which provides core operations, and a user space, which provides various applications. The system comprises: a monitoring means located in the kernel space; a monitoring client and a plurality of applications located in the user space, the monitoring client being adapted to communicate with the monitoring means; and a system call interface between the user space and the kernel space, through which each of the applications in the user space is connected to the monitoring means. The applications in the user space initiate system call requests for core operations of the kernel space through the system call interface, and the monitoring means monitors these system call requests. The invention also discloses a method for preventing files from being tampered with. With the invention, a hacker can be prevented from tampering with files and directories even after obtaining the highest (root) privilege.

Description

A system and method for preventing files from being tampered with
Technical field
The present invention relates to the field of information security technology, and specifically to a monitoring means and monitoring method, and to a system and method for preventing files from being tampered with.
Background technology
With the development of computer and network technology, more and more applications are provided over the network, and the security of network applications is becoming ever more important. More and more hackers have recognised the commercial value of network applications and attempt to break into network application servers to obtain information and profit from it.
File security on network application servers is therefore also becoming more important. Many hackers tamper with files on the server, writing invalid content into files, implanting Trojans and so on, so that the users of the server's applications suffer losses. How to protect file security on network application servers is an important challenge in the field of information security.
Existing access control for the file system on a network application server is mainly realised by setting file permissions, so that only a user with a given permission can modify a file. However, if a hacker obtains the highest (root) privilege, restricting file access by this method no longer works.
There is also a way of preventing file tampering by periodically monitoring target files or directories: if a target file or directory is found to have been modified or deleted by a hacker, the modified content is restored from a backup made in advance, so that even files and directories that have been modified can be recovered in time. This approach has the following shortcomings: the protected content always has to be backed up; the restoration has to be synchronised whenever tampering occurs; and if the monitoring is not timely, there is a window in which the tampered content has not yet been restored. If a user accesses a file or directory with tampered content during that window, the user receives malicious content and suffers a loss. Moreover, if the files on the server are polled continuously and the number of protected files is large, the performance of the hardware is inevitably affected and the access speed of the network application server drops.
Summary of the invention
In view of these problems, the present invention is proposed to provide a monitoring means and method, and a system and method for preventing files from being tampered with, which overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a monitoring means is provided which is loaded in the kernel space of the operating system and comprises: an interception module adapted to intercept a system call before the core operation corresponding to that system call is executed; a judge module adapted to judge whether the system call is legal; an alarm module which, when the judge module judges the system call to be illegal, refuses the system call and generates alarm information; and a recovery module which, when the judge module judges the system call to be legal, permits the system call and resumes its execution. Here the core operations are the various file-related operations, and the system calls are the various system calls related to file operations.
Optionally, the judge module comprises configuration information consisting of one or more configuration items, each of which comprises file information of the file the system call relates to and/or application information of the application that initiated the system call. The judge module judges whether the system call is legal according to this configuration information.
Optionally, the file information comprises the path and/or the name of the file, and the application information comprises the application's unique identification number in the operating system.
According to a further aspect of the invention, a system for preventing files from being tampered with is provided. It resides in a computing device that has an operating system comprising a kernel space, which provides core operations, and a user space, which provides various applications, and it comprises: the monitoring means described above, located in the kernel space; a monitoring client and a plurality of applications located in the user space, the monitoring client being adapted to communicate with the monitoring means; and a system call interface between the user space and the kernel space, through which each application in the user space is connected to the monitoring means. The applications in the user space initiate system call requests for core operations of the kernel space through the system call interface, and the monitoring means monitors these requests.
Optionally, the system for preventing files from being tampered with further comprises a virtual (dummy) module located in the kernel space. It is loaded after the monitoring means, and in the singly linked list that represents the loaded modules its pointer points to the module after the monitoring means rather than to the monitoring means itself, so that the monitoring means is invisible in the list.
According to another aspect of the invention, a monitoring method for monitoring an operating system is provided. The operating system comprises a kernel space providing core operations and a user space providing various applications; an application in the user space invokes the corresponding core operation in the kernel space by initiating a system call; the core operations are the various file-related operations, and the system calls are the various system calls related to file operations. The monitoring method comprises: intercepting the system call before the corresponding core operation is executed; judging whether the system call is legal; and permitting the system call if it is legal, otherwise refusing it.
According to a further aspect of the invention, a method for preventing files from being tampered with is provided. It is executed in a computing device that has an operating system comprising a kernel space providing core operations and a user space providing various applications, and it comprises: receiving, from an application in the user space, a system call invoking the corresponding core operation in the kernel space; and the steps of the monitoring method described above. Optionally, the method further comprises a dummy operation performed after those steps, such that in the singly linked list representing the loaded operations the pointer of the dummy operation points to the operation after the monitoring operation performed by the monitoring method, rather than to the monitoring operation itself, so that the monitoring operation is invisible in the list.
With the monitoring means, the system for preventing files from being tampered with and the corresponding methods of the invention, a hacker who has obtained the highest privilege can still be prevented from tampering with files and directories, without polling the files on the server in real time, so that system performance is not affected.
The above is only an overview of the technical solution of the invention. In order that the technical means of the invention may be better understood and implemented according to the specification, and that the above and other objects, features and advantages of the invention may become apparent, specific embodiments of the invention are set out below.
Description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the invention. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 shows a schematic block diagram of a system for preventing files from being tampered with, comprising a monitoring means, according to an embodiment of the invention;
Fig. 2 shows the interaction between the monitoring means, the monitoring client and the kernel according to an embodiment of the invention;
Fig. 3 shows a schematic diagram of the loading process of the monitoring means according to an embodiment of the invention;
Fig. 4 shows a schematic diagram of an example of the system for preventing files from being tampered with according to an embodiment of the invention;
Fig. 5 shows a flow chart of the monitoring method according to an embodiment of the invention; and
Fig. 6 shows a flow chart of the method for preventing files from being tampered with according to an embodiment of the invention.
Embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure can be realised in various forms and should not be limited by the embodiments set out here. On the contrary, these embodiments are provided so that the disclosure can be understood more thoroughly and its full scope can be conveyed to those skilled in the art.
Modern computers all manage the hardware, software and data resources of the computer system through an operating system, which controls the running of programs, improves the human-machine interface, provides support for other applications, lets all resources of the computer system be used to the greatest extent, and gives users a convenient, efficient and friendly service interface.
The operating system sits between the underlying hardware and the user of the computer system and is the bridge between them. The user inputs commands through the operating system's user interface; the operating system interprets the commands, drives the hardware devices and fulfils the user's request. The most basic component of the operating system is the kernel. The kernel provides a series of kernel functions with predetermined functionality and presents them to the user through a set of interfaces called system calls.
The basic reason for adopting system calls is to protect the data the computer system relies on. The memory space of the operating system is divided into the space in which the operating system kernel runs, the kernel space, and the space in which applications run, the user space; they run at two privilege levels, kernel mode and user mode, and are logically isolated from each other. To protect itself from being damaged by ordinary programs, the operating system defines certain properties of the kernel space, such as access rights, swapping in and out, and priority. That is, only the kernel may access the kernel space; under normal circumstances applications are not allowed to access the kernel space, i.e. they may neither access kernel data nor use kernel functions, and can only operate on user data in the user space. If an application in the user space wants to access the kernel space to obtain a system service (i.e. to call a system program), it must go through a system call. System calls define the exact locations at which an application enters the kernel; in other words, the path by which the user reaches the kernel is provided in advance, the kernel can only be entered at the designated positions, and arbitrary jumps into the kernel are not permitted, which guarantees kernel security. Logically, therefore, system calls can be regarded as the interface between the kernel and the applications of the user space: the request of an application is passed through a system call to the kernel in the kernel space, the corresponding kernel function is called to perform the required processing, and after the kernel has handled the request the result is returned to the application. For example, a user can ask the system to open, close, read or write a file through the file-system-related system calls, and can obtain the system time or set a timer through the clock-related system calls.
However, while the operating system is running, a hacker may obtain the rights of an application to access the kernel space, and thereby either obtain various information and profit from it, or write invalid content into files, implant Trojans and so on, so that users receive malicious content when they access the kernel space and suffer losses.
For this reason, the invention provides a monitoring means for monitoring an operating system. As shown in Fig. 1, a monitoring means 130 according to an embodiment of the invention is loaded in the kernel space 102 of the operating system and comprises an interception module 1310, a judge module 1320, an alarm module 1330 and a recovery module 1340. For convenience of description, Fig. 1 also shows the user space 101 and the kernel space 102 of the operating system, the monitoring client 110 and the various applications 115 located in the user space 101, and the system call interface 120 between the user space 101 and the kernel space 102. When a user interacts with an application 115, the application 115 sends a system call to the kernel space through the system call interface 120. Before the core operation corresponding to that system call is executed in the kernel space, the interception module 1310 of the monitoring means 130 intercepts the system call and passes it to the judge module 1320, which judges whether the system call is legal. If the system call is judged illegal, it is refused, the user's access to the kernel space is forcibly terminated to avoid damage to kernel data, and the alarm module 1330 generates alarm information which is sent to the monitoring client 110. If the judge module 1320 judges the system call legal, the system call is permitted, the recovery module 1340 is told to resume its execution, the kernel completes the core operation corresponding to the system call, and the completion of the system call is reported back to the monitoring client 110.
Here the core operations can be the various file-related operations, and the system calls can be the various system calls related to file operations.
In the embodiment shown in Fig. 1, the interception module 1310 and the judge module 1320 can in particular be realised by hooks (HOOK) or hook functions.
A hook is a program segment that processes messages and is linked into the system through a system call. Whenever a specific message is sent, the hook captures it before it reaches the target window, i.e. the hook obtains control first. The hook can then process (for example modify) the message, pass it on unprocessed, or force the transmission to end.
Using this hook mechanism, the interception module 1310 intercepts the system calls that an application 115 sends to the kernel of the kernel space 102, and the judge module 1320 judges whether a system call is legal based on the file information of the file it involves and/or the application information of the application that initiated it. The file information involved in a system call comprises the path and/or the name of the file, and the application information comprises the application's unique identification number in the operating system. The judge module 1320 comprises configuration information consisting of one or more configuration items, each comprising the file information of a file and the unique identification number of an application. When the file information involved in a system call and/or the application information of the initiating application is present in some configuration item of the configuration information, the judge module 1320 judges the system call legal; when it is present in none of the configuration items, the judge module 1320 judges the system call illegal.
Optionally, a configuration item in the configuration information of the judge module 1320 can also comprise an operation permission. When the file information of the file involved in a system call and the unique identification number of the initiating application are present in a configuration item, but the file operation permission required by the system call does not match the operation permission in that configuration item, the judge module 1320 still judges the system call illegal. Only when the file information of the file and the unique identification number of the initiating application are present in a configuration item and the file operation permission required by the system call matches the operation permission in that item does the judge module 1320 judge the system call legal.
The monitoring means 130 of the invention, which uses the hook mechanism, is described below in detail using the Linux operating system as an example.
In the Linux operating system, the path taken when a user program accesses an application programming interface (API) is:
INT 0x80 → system call → system call service routine → kernel program
Here the API is in fact the library function provided by the system.
Specifically, in the Linux operating system user space and kernel space are separated, and applications in user space access kernel space through system calls. User space provides commands that perform various operations on files or directories, such as touch, mkdir, rm, unlink, rmdir, mv, vim, vi, gedit, notepad, chmod, chown, cp and so on. System calls realise the switch between user mode and kernel mode mainly through the software interrupt instruction INT 0x80, which is wrapped in a library function. Executing INT 0x80 makes the operating system jump to a preset kernel-space address, that is, it takes the operating system from user mode into kernel mode. That kernel-space address points to the system call handler, i.e. the system call function.
In kernel space, the system call function first locates the entry for interrupt vector 0x80 in the interrupt vector table according to the system call number and obtains the address of the corresponding system call table sys_call_table. The value currently in register CR0 is saved, bit 16 of register CR0 is cleared, and the original, correct system call interface is recorded, denoted orig_sys_xxx. A predefined function interface with the same type as the original system call interface (denoted new_sys_xxx) then replaces the original entry.
The objects that the monitoring means 130 monitors using the hook mechanism mainly comprise the path of the file an application wants to access and the PID of the application. Here the PID is the unique identification number of each application on the server. By restricting the file paths an application may access and the PIDs of the applications, only particular applications can be allowed to modify the files under particular paths. When the monitoring means 130 monitors, its judge module 1320 can perform the path and PID checks in new_sys_xxx based on the information in the configuration file read from the monitoring client 110, which consists of a path whitelist (the list of paths and/or files that may be accessed) and a process whitelist (the list of PIDs of the processes that may operate). If the process PID in new_sys_xxx is not in the process whitelist, or the file is not under a directory in the path whitelist, the system call is judged an illegal operation, the user's current system call is refused, and a prohibition and/or alarm message is returned directly to the monitoring client 110. If the process PID in new_sys_xxx is in the process whitelist and the file is under a directory in the path whitelist, the system call is judged a legal operation, the user's system call is released, orig_sys_xxx is entered directly and the core operation corresponding to the normal system call is executed, after which the previously saved value of register CR0 is restored.
The system calls monitored by the monitoring means 130 can comprise: sys_rmdir (delete an empty directory: removes one or more subdirectory entries from a directory; a directory must be empty before it is deleted), sys_unlink, sys_open (sets the mode in which a file is opened), sys_write, sys_mkdir (the system call that creates a new directory), sys_unlinkat, sys_rename, sys_openat, sys_fchmodat, sys_fchownat, sys_link, sys_symlink, sys_chown and sys_chmod (changes the permissions of a file or directory). These system calls all relate to important processes of the operating system. Therefore, whenever an application 115 in user space makes any of the above system calls on a file, the monitoring means 130 intercepts it and checks whether the system call is legal, to prevent a hacker or other malicious party from using these system calls to tamper with the kernel and damage the operating system.
Optionally, the monitoring means 130 also comprises a communication module 1350, which communicates with the monitoring client 110 in the user space 101. Through the communication module 1350 the monitoring means 130 reads the configuration file from the monitoring client 110 and passes it to the judge module 1320, and sends the alarm information generated by the alarm module 1330 to the monitoring client 110. For example, the communication module 1350 can use netlink to realise the interaction between the monitoring client 110 and the kernel space 102. When the monitoring means 130 has loaded successfully and the monitoring client 110 starts, a netlink communication connection is established between the monitoring means 130 and the monitoring client 110. The content carried by this connection comprises the following. When the monitoring means 130 is first loaded, and whenever it receives from the monitoring client 110 an instruction to re-read the configuration file, it reads from the monitoring client 110 the configuration file, which comprises a process whitelist configuration file and a path whitelist configuration file. The process whitelist configuration file comprises the list of legal processes (i.e. applications), for example as a list of application PIDs; these applications pass the check of the monitoring means and are not treated as junk and rejected. The path whitelist configuration file comprises the legal paths and/or files; these paths likewise pass the check of the monitoring means and are not treated as junk and refused access. This greatly improves security and responsiveness. In addition, the content carried by the connection between the communication module 1350 and the monitoring client 110 in the user space 101 can also comprise the alarm information sent by the alarm module 1330, which is likewise delivered to the monitoring client 110 over netlink. Furthermore, over this connection the monitoring client 110 can perform periodic heartbeat detection of the monitoring means 130, to detect whether the monitoring means 130 is in a normal working state.
In addition, the invention provides a system 100 for preventing files from being tampered with. As shown in Fig. 1, the system 100 resides in a computing device, which can be for example a computer. The computing device has an operating system comprising a kernel space 102 providing core operations and a user space 101 providing various applications; the core operations are executed in the kernel of the kernel space. The system 100 of the invention comprises the monitoring means 130 in the kernel space 102 described above, the monitoring client 110 and the various applications 115 in the user space 101, and the system call interface 120 between the user space 101 and the kernel space 102. The applications 115 in the user space 101 are each connected to the monitoring means 130 through the system call interface 120, and the monitoring means 130 in the kernel space 102 communicates with the monitoring client 110 in the user space 101, for example over a netlink communication connection.
The interaction between the applications 115 and the monitoring client 110 in user space, the monitoring means 130 in the kernel space 102 and the kernel 170, and the functions performed by each component, are illustrated below with reference to Fig. 2.
As shown in Fig. 2, the monitoring client 110 stores a configuration file comprising a process whitelist and a path whitelist, and this configuration file can be updated. The process whitelist comprises the list of applications that are allowed to perform operations; the path whitelist comprises the paths and/or files that may be accessed. At C1 the monitoring means 130 is successfully loaded into the kernel space, whereupon the monitoring client 110 performs function A1: the monitoring client 110 starts, sends the monitoring means 130 the handshake information used to set up a TCP-style connection, and requests that a netlink connection be established with the monitoring means 130. After the monitoring means 130 receives this request, at C2 it sends the monitoring client 110 feedback confirming the netlink connection, and so at A2 the netlink communication connection between them is completed.
After the monitoring client 110 and the monitoring means 130 have established the netlink communication connection, at A3, when the configuration file in the monitoring client 110 is updated, the monitoring client 110 can issue over the netlink connection an instruction to the monitoring means 130 to re-read the configuration file. Correspondingly, at C3, when the monitoring means 130 receives this instruction, it reads the updated configuration file from the monitoring client 110 over the netlink connection.
Fig. 2 also shows that when an application 115 in user space initiates a system call request to the kernel space (B1), the monitoring means 130 performs functions C4, C5 and C6. At C4 it intercepts the system call and checks whether it is legal, the specific judgement being as described above for the judge module 1320. At C6, when the monitoring means 130 judges the system call illegal, it sends alarm information to the monitoring client 110 over the netlink connection; the monitoring client 110 correspondingly performs function A4, classifying and collecting the alarm information and storing it in a database, for example for display on the web page of the monitoring client 110. At C5, when the monitoring means 130 judges the system call legal, it releases the system call, and the kernel 170 performs function D1, executing the core operation corresponding to the system call.
Fig. 2 also shows the monitoring client 110 sending a heartbeat detection packet (A5) to the monitoring means 130 at regular intervals over the netlink connection; the monitoring means 130 replies with corresponding feedback (C7) to prove to the monitoring client 110 that it is still present. In this way the monitoring client 110 can learn whether the monitoring means 130 still exists and is in a normal working state, so that when the monitoring means 130 becomes abnormal, or is unloaded or destroyed by a hacker, this is known in time on the side of the monitoring client 110.
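The exchange between the monitoring client (A1 to A5) and the monitoring means (C1 to C7) described above, modelled as an added example in user-space C. This is not code from the patent or from its assignee: the message types, the struct layouts, the three-miss heartbeat threshold and the sample alarm text are constructed assumptions, and the netlink transport is replaced by direct function calls so the model runs stand-alone. It shows both sides of each message and the failure mode the heartbeat exists for: once the module is gone, heartbeats go unanswered and the client flags the monitoring means as missing.

```c
/* Added example, not the patent's code: a user-space model of the message
 * exchange between the monitoring client (A1..A5) and the monitoring means
 * (C1..C7). Message types, struct layouts and the heartbeat threshold are
 * constructed; a real implementation would carry these as netlink payloads. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum msg_type { MSG_CONNECT_REQ, MSG_CONNECT_ACK, MSG_RELOAD_CONFIG,
                MSG_ALARM, MSG_HEARTBEAT, MSG_HEARTBEAT_ACK };

struct msg { enum msg_type type; unsigned seq; char payload[64]; };

struct monitor { bool loaded; bool connected; unsigned config_version; };
struct client  { bool connected; unsigned missed_heartbeats; unsigned alarms_stored; };
struct session_result { struct client client; unsigned config_version; };

#define HEARTBEAT_MISS_LIMIT 3   /* constructed: silent rounds before alarm */

/* Kernel side: the monitoring means handles one client message and fills
 * *reply when it answers. An unloaded module answers nothing at all, which
 * is exactly what the heartbeat is meant to detect. */
bool monitor_handle(struct monitor *m, const struct msg *in, struct msg *reply)
{
    if (!m->loaded)
        return false;
    memset(reply, 0, sizeof *reply);
    reply->seq = in->seq;
    switch (in->type) {
    case MSG_CONNECT_REQ:                       /* A1 -> C2 */
        m->connected = true;
        reply->type = MSG_CONNECT_ACK;
        return true;
    case MSG_RELOAD_CONFIG:                     /* A3 -> C3, payload = version */
        if (m->connected)
            m->config_version = (unsigned)strtoul(in->payload, NULL, 10);
        return false;                           /* re-read needs no reply */
    case MSG_HEARTBEAT:                         /* A5 -> C7 */
        if (!m->connected)
            return false;
        reply->type = MSG_HEARTBEAT_ACK;
        return true;
    default:
        return false;
    }
}

/* User side: the monitoring client handles one message from the module. */
void client_handle(struct client *c, const struct msg *in)
{
    if (in->type == MSG_CONNECT_ACK)            /* A2 */
        c->connected = true;
    else if (in->type == MSG_ALARM)             /* A4: classify and store */
        c->alarms_stored++;
}

/* Client sends one request; any reply is fed back into its own handler. */
static bool client_send(struct client *c, struct monitor *m, const struct msg *out)
{
    struct msg reply;
    if (!monitor_handle(m, out, &reply))
        return false;
    client_handle(c, &reply);
    return true;
}

/* A5/C7: one heartbeat round. Consecutive silent rounds are counted so the
 * client distinguishes a removed or crashed module from a single delay. */
bool client_heartbeat(struct client *c, struct monitor *m, unsigned seq)
{
    struct msg hb = { MSG_HEARTBEAT, seq, "" };
    if (client_send(c, m, &hb)) {
        c->missed_heartbeats = 0;
        return true;
    }
    c->missed_heartbeats++;
    return false;
}

bool monitor_presumed_missing(const struct client *c)
{
    return c->missed_heartbeats >= HEARTBEAT_MISS_LIMIT;
}

/* C6 -> A4: the module reports a refused system call to the client. */
void monitor_raise_alarm(const struct monitor *m, struct client *c, const char *text)
{
    struct msg alarm = { MSG_ALARM, 0, "" };
    if (!m->loaded || !m->connected)
        return;
    snprintf(alarm.payload, sizeof alarm.payload, "%s", text);
    client_handle(c, &alarm);
}

/* Walk the Fig. 2 sequence once, ending with the module being unloaded. */
struct session_result run_session(void)
{
    struct monitor m = { true, false, 0 };     /* C1: module loaded */
    struct client c = { false, 0, 0 };
    const struct msg connect = { MSG_CONNECT_REQ, 1, "" };
    const struct msg reload  = { MSG_RELOAD_CONFIG, 2, "7" };
    client_send(&c, &m, &connect);              /* A1 / C2 / A2 */
    client_send(&c, &m, &reload);               /* A3 / C3 */
    monitor_raise_alarm(&m, &c, "pid 9999 denied write /srv/cms/DIR-A/page"); /* C6 / A4 */
    client_heartbeat(&c, &m, 3);                /* A5 / C7 answered */
    m.loaded = false;                           /* module removed from the kernel */
    for (unsigned seq = 4; seq < 4 + HEARTBEAT_MISS_LIMIT; seq++)
        client_heartbeat(&c, &m, seq);          /* A5 with no C7 reply */
    printf("connected=%d config=%u alarms=%u missed=%u missing=%d\n",
           c.connected, m.config_version, c.alarms_stored, c.missed_heartbeats,
           monitor_presumed_missing(&c));
    return (struct session_result){ c, m.config_version };
}

int main(void) { run_session(); return 0; }
```

The reply sequence number is echoed so the client can pair a C7 answer with its own A5 probe, and the miss counter is reset only by a matching answer. Counting consecutive misses rather than reacting to a single one is the usual trade-off between detecting an unloaded module quickly and tolerating a busy kernel.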
Alternatively, the above-mentioned system 100 preventing file to be tampered of the present invention can also comprise virtual (dummy) module 150, this virtual module 150 is arranged in kernel spacing 102, be connected with monitoring means 130, be suitable for making monitoring means 130 to hide and cannot see in operating system when other people inquire about current operating system and be loaded with monitoring means 130, thus can prevent hacker from being uninstalled, therefore, it is possible to improve the security of current operation system further inquiring in current operating system to be loaded with after monitoring means 130.Such as, in the operating system being similar to linux and so on, can by the similar order such as lsmod, the module loaded in inquiry current operation system.According to the principle of Linux system, can find that the module loaded in kernel spacing 102 always adds in the gauge outfit of a single-track link table, this is easily found any module newly loaded in kernel spacing 102 by hacker etc.The monitoring means 130 loaded in kernel spacing 102 is seen in order to prevent hacker, be loaded with monitoring means 130 in kernel spacing 102 after, in kernel spacing 102, reload a virtual module 150, the effect of this virtual module 150 is next pointer monitoring means 130 for pointing to concealing it in single-track link table.
Specifically, Fig. 3 is a schematic diagram of the loading process of the monitoring unit according to an embodiment of the invention. In the invention, module loading is reflected in a singly linked list in which each module points to the next module by a pointer. The linked list in the first row of Fig. 3 shows that the modules loaded in the system at time t1 are module A, module B, and the other modules loaded before module B. The linked list in the second row shows that at time t2 a new module, monitoring unit 130, has been loaded. The linked list in the third row shows that at time t3 another new module, dummy module 150, has been loaded. The linked list in the fourth row shows that the module pointed to by the pointer of dummy module 150 in the third-row list is module A rather than its immediate neighbour, monitoring unit 130. In this way a hacker querying the kernel with an lsmod command cannot see that monitoring unit 130 is loaded, and so cannot easily unload it.
The invention is further illustrated below by the example shown in Fig. 4.
As shown in Fig. 4, in a secure content management system CMS 400 the content published by content publishing source 410 is synchronized to server 430 by an indirect path (for example through forwarding server 420), where server 430 may be, for example, a web server or an FTP server. Fig. 4 shows two cases. In the first case, application A on server 430 is an application dedicated to receiving the synchronized content that forwarding server 420 forwards from content publishing source 410. Application A (whose identifier, for example its process number, is PID-A) sends a request by system call to the kernel in the kernel space of the operating system, wanting to write the information received from content publishing source 410 into directory DIR-A. Monitoring unit 130 in kernel space intercepts this request and checks it against the process whitelist configuration file read from the monitoring client; when it finds the entry "allow PID-A to write directory DIR-A" in the process whitelist configuration file, it determines that the request of application A is legal, and monitoring unit 130 lets the write operation of PID-A to directory DIR-A pass, so that the kernel performs the write of the received information into directory DIR-A. When, however, the client program PID-A of application A requests a read operation on directory DIR-A, monitoring unit 130 in kernel space intercepts the request, determines from the process whitelist configuration file read from the monitoring client that the request is illegal, and rejects the read request of client program PID-A on directory DIR-A, so that the kernel does not perform the read.
Fig. 4 also shows the second case. When another application B attempts to read the content of directory DIR-A, application B (whose identifier, for example its process number, is PID-B) sends a request by system call to the kernel in kernel space, wanting to read information from directory DIR-A. Monitoring unit 130 in kernel space intercepts this request and checks it against the process whitelist configuration file read from the monitoring client; when it finds the entry "allow PID-B to read directory DIR-A" in the process whitelist configuration file, it determines that the request of application B is legal and lets the read operation pass, and kernel 170 performs the read. When application B instead attempts a write operation on directory DIR-A, monitoring unit 130 determines from the process whitelist configuration file read from the monitoring client that this operation is illegal and rejects it, so that the kernel does not perform the write to DIR-A.
It can be seen from the above example that even if a hacker tampers with or deletes a file on the machine providing the file service, monitoring unit 130 in kernel space detects that the hacker's operation on that machine is illegal and rejects it, so that the hacker's behaviour is defended against and the operation cannot succeed. Normal file publishing, meanwhile, is completed indirectly by the content publishing source through the dedicated application A.
A method of monitoring an operating system according to an embodiment of the invention is described in detail below with reference to Fig. 5, which shows a flow chart of the monitoring method. The operating system comprises a kernel space providing core operations and a user space providing various applications. An application in user space invokes a corresponding core operation provided in kernel space by initiating a system call. Here the core operations are the various file-related operations, and the system calls are the various system calls related to file operations. As shown in Fig. 5, the monitoring method of the invention starts at step S505. In step S510, after an application in user space has initiated a system call to a corresponding core operation provided in kernel space, and before that core operation is performed, the system call is intercepted. Then, in step S520, it is judged whether the system call is legal; if it is legal the system call is allowed, otherwise it is rejected. Because the system call is checked before its corresponding core operation is performed, a hacker or the like can be prevented from using the system call to intrude into kernel space and modify or delete files there or implant a Trojan.
In step S520, specifically, whether the system call is legal is judged according to the file information involved in the system call and/or the application information of the application that initiated the system call. The file information involved in the system call comprises the path information and/or the name of the file, and the application information of the initiating application comprises the unique identifier of that application in the operating system. For example, if user A of the client wants to read file abc123 under directory DIR-A, whether user A's read operation is legal is judged according to whether file abc123 may be read: if file abc123 may not be read, user A's read operation is judged illegal and the system call is rejected; if file abc123 may be read, the read operation is judged legal, user A's read of file abc123 is let pass, and kernel space performs the read.
Further, configuration information is stored in kernel space. The configuration information comprises one or more configuration items, each comprising the file information of a file and the unique identifier of an application. Kernel space reads this configuration information from the monitoring client, according to a configuration file update instruction received from the monitoring client, and stores it. In this case, when the file information of the file involved in the system call and the unique identifier of the application that initiated it are not both present in any one configuration item of the configuration information, the system call is judged illegal; otherwise it is judged legal.
In addition, each configuration item of the configuration information stored in kernel space may also comprise an operating right. In this case, when the file information of the file involved in the system call and the unique identifier of the initiating application are present in a configuration item of the configuration information, but the file operation right required by the system call does not match the operating right in that configuration item, the system call is judged illegal. Only when the file information of the file involved in the system call and the unique identifier of the initiating application are present in a configuration item, and the file operation right required by the system call matches the operating right in that configuration item, is the system call judged legal.
When the system call is judged legal in step S520 it is let pass, and the method proceeds to step S540, in which kernel space performs the core operation corresponding to the system call. When the system call is judged illegal in step S520 the method proceeds to step S530, in which the system call is rejected and alarm information is generated and fed back to the monitoring client; this prevents a hacker or the like from using the system call to damage content in the kernel space of the operating system.
After step S530 or S540 the method may proceed directly to end step S555. Optionally, after step S530 or S540, step S550 may also be performed: the heartbeat detection sent by the monitoring client at regular intervals is received, and corresponding feedback information is sent to the monitoring client to inform it that the monitoring in kernel space is in a normal working state; the method then proceeds to end step S555. Note that step S550 need not be placed after step S530 or S540; it can be performed at any time as required.
In the operating-system monitoring method provided by the invention, the reading of the configuration file by kernel space from the monitoring client, the sending of alarm information and heartbeat feedback from kernel space to the monitoring client, and the sending of the instruction to read the configuration file from the monitoring client to kernel space all require a communication link between user space and kernel space, which can be implemented by means such as netlink.
The invention also provides a method of preventing a file from being tampered with, shown in Fig. 6, which comprises the steps of the monitoring method shown in Fig. 5. Specifically, the tamper-prevention method of the invention starts at step S605. Then, in step S610, the invocation by an application in user space, via a system call, of a corresponding core operation provided in kernel space is received. The steps of the monitoring method of Fig. 5 are then performed: in step S510 the system call is intercepted before the core operation corresponding to it is performed; then, in step S520, it is judged whether the system call is legal. If it is judged legal, it is allowed and step S540 is performed, in which kernel space performs the core operation corresponding to the system call; if it is judged illegal, step S530 is performed, in which the system call is rejected and alarm information is generated.
After step S530 or S540 the method may proceed directly to end step S655. Optionally, after step S530 or S540, step S550 may also be performed: the heartbeat detection sent by the monitoring client at regular intervals is received, and corresponding feedback information is sent to the monitoring client to inform it that the monitoring in kernel space is in a normal working state; the method then proceeds to end step S655. Note that step S550 need not be placed after step S530 or S540; it can be performed at any time as required.
Optionally, the tamper-prevention method of the invention may further comprise step S620 after step S530 or S540. In step S620 a dummy operation is performed which, in the singly linked list representing the loading of each operation, makes the pointer of the dummy operation point to the operation following the aforementioned monitoring operation (steps S510 to S530 or S540, and also step S550 when present) rather than to the monitoring operation itself, so that the monitoring operation is invisible in the singly linked list. The structure of the singly linked list is as shown in Fig. 3 above, where the modules correspond to the operations described here. After step S620 the method proceeds to end step S655.
The invention implements checking or prevention mechanisms for some of the system calls related to files and directories through a hook (HOOK) mechanism, so as to prevent a user's directories or files from being tampered with. By reading the corresponding configuration file of user space within the hook function and checking the application identifier PID and the operation path information, a number of different policies can be combined, so that only applications with a specific application identifier PID may modify the files and directories under particular directories. Thus, for improper behaviour that hits a blocking rule, a different error return value can be returned to the user directly from within the hook function; in this case, even a user with the highest (root) privilege is restricted when attempting the corresponding operation. Normal system calls, on the other hand, pass through the normal entry point and are let through as usual. The invention therefore does not affect normal user operations, while illegal user operations are absolutely prohibited.
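The decision the hook makes in step S520 (checked against the two rules of the configuration items, and illustrated by the application A / application B case of Fig. 4) can be modelled in user space as follows. This is an added example and not the patent's or the assignee's code: the whitelist line format "allow <pid> <read|write|rw> <path>", the sample PIDs and paths, the prefix-based path matching, and the choice of -EPERM for "no configuration item" versus -EACCES for "item present but operating right mismatch" are all assumptions of this example; the description only says that different error values may be returned from the hook.

```c
/* Added example (not from the patent): user-space model of the whitelist
 * decision made in step S520 by the hook on file-related system calls. */
#include <assert.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define OP_READ   0x1u
#define OP_WRITE  0x2u
#define MAX_ITEMS 16

/* One configuration item: application identifier (PID), file/path information
 * and the operating right granted to that pair. The three fields come from the
 * description; their encoding here is an assumption of this example. */
struct config_item {
    int pid;
    char path[64];
    unsigned int perm;
};

struct config {
    struct config_item items[MAX_ITEMS];
    int count;
};

/* Constructed sample whitelist (assumed line format, not from the patent). */
static const char CONSTRUCTED_WHITELIST[] =
    "# constructed sample whitelist\n"
    "allow 1001 write /srv/www/DIR-A\n"   /* application A: write only */
    "allow 2002 read /srv/www/DIR-A\n";   /* application B: read only  */

/* Parse whitelist text into cfg. Malformed or comment lines are skipped,
 * which is the safe direction: a rule that cannot be parsed grants nothing. */
int parse_config(const char *text, struct config *cfg)
{
    const char *p = text;
    cfg->count = 0;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128];
        int pid;
        char perm[8], path[64];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + strlen(p);
        if (sscanf(line, "allow %d %7s %63s", &pid, perm, path) != 3)
            continue;
        if (cfg->count >= MAX_ITEMS)
            break;
        struct config_item *it = &cfg->items[cfg->count];
        if (strcmp(perm, "read") == 0)       it->perm = OP_READ;
        else if (strcmp(perm, "write") == 0) it->perm = OP_WRITE;
        else if (strcmp(perm, "rw") == 0)    it->perm = OP_READ | OP_WRITE;
        else continue;
        it->pid = pid;
        strcpy(it->path, path);   /* at most 63 chars, enforced by %63s */
        cfg->count++;
    }
    return cfg->count;
}

/* True when path is dir itself or lies beneath it. Matching on a path
 * component boundary keeps "/srv/www/DIR-A-old" from matching "/srv/www/DIR-A". */
int path_under(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    if (n > 0 && dir[n - 1] == '/') n--;       /* tolerate trailing slash */
    if (strncmp(path, dir, n) != 0) return 0;
    return path[n] == '\0' || path[n] == '/';
}

/* Decision for one intercepted system call: 0 = legal (let pass),
 * negative errno = illegal (rejected inside the hook). Two rules from the text:
 *   - no configuration item holds this (pid, path) pair         -> -EPERM
 *   - an item holds the pair but its operating right lacks op   -> -EACCES
 * The distinct values are this example's choice of "different error returns". */
int judge_syscall(const struct config *cfg, int pid, const char *path, unsigned int op)
{
    int found = 0;
    for (int i = 0; i < cfg->count; i++) {
        const struct config_item *it = &cfg->items[i];
        if (it->pid != pid || !path_under(path, it->path))
            continue;
        found = 1;
        if ((it->perm & op) == op)
            return 0;
    }
    return found ? -EACCES : -EPERM;
}

/* Parse the constructed whitelist and evaluate one request against it. */
int check_request(int pid, const char *path, unsigned int op)
{
    struct config cfg;
    parse_config(CONSTRUCTED_WHITELIST, &cfg);
    return judge_syscall(&cfg, pid, path, op);
}

int main(void)
{
    const char *f = "/srv/www/DIR-A/index.html";
    printf("A(1001) write: %d\n", check_request(1001, f, OP_WRITE));   /* 0       */
    printf("A(1001) read : %d\n", check_request(1001, f, OP_READ));    /* -EACCES */
    printf("B(2002) read : %d\n", check_request(2002, f, OP_READ));    /* 0       */
    printf("B(2002) write: %d\n", check_request(2002, f, OP_WRITE));   /* -EACCES */
    printf("other(7) write: %d\n", check_request(7, f, OP_WRITE));     /* -EPERM  */
    return 0;
}
```

The last line of main is the point of the passage: a process that is not in any configuration item is rejected regardless of the user id it runs under, which is what makes the check hold even against a root shell. Note that a real hook runs in the kernel and must not re-read the file on every call; here the parse is repeated only for self-containment.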
In addition, the invention may introduce a dummy module to conceal the monitoring unit mounted on the module linked list, preventing the monitoring unit from being illegally unloaded by a hacker or the like. The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used together with the teaching herein. From the description above, the structure required to construct such systems is apparent. Moreover, the invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described here, and that the description above of a specific language is given to disclose the best mode of the invention.
A large number of specific details are set out in the specification provided herein. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all the features of a single foregoing disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the apparatus of an embodiment may be adaptively changed and arranged in one or more apparatus different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent, or a similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include some but not other features that are included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of an embodiment of the invention. The invention may also be implemented as an apparatus or device program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and the like does not indicate any ordering; these words may be interpreted as names.

Claims (14)

1. A system for preventing a file from being tampered with, located in a computing device, the computing device having an operating system, the operating system comprising a kernel space providing core operations and a user space providing various applications, the system comprising:
a monitoring unit and a dummy module located in kernel space;
a monitoring client and a plurality of applications located in user space, wherein the monitoring client is adapted to communicate with the monitoring unit; and
a system call interface between user space and kernel space, through which the plurality of applications located in user space are respectively connected to the monitoring unit;
wherein the plurality of applications located in user space respectively initiate, through the system call interface, system call requests to the core operations of kernel space, and the monitoring unit monitors the system call requests, and
the monitoring unit comprises:
an interception module, adapted to intercept the system call before the core operation corresponding to the system call is performed;
a judgement module, adapted to judge whether the system call is legal;
an alarm module which, when the judgement module judges that the system call is illegal, rejects the system call and generates alarm information; and
a recovery module which, when the judgement module judges that the system call is legal, allows the system call and resumes its execution,
wherein the core operations are various file-related operations and the system calls are various system calls related to file operations, and
the dummy module, after being loaded following the monitoring unit, has its pointer in the singly linked list representing module loading point to the module following the monitoring unit rather than to the monitoring unit, so that the monitoring unit is invisible in the singly linked list.
2. The system according to claim 1, wherein
the judgement module comprises configuration information, the configuration information comprising one or more configuration items, each configuration item comprising the file information of the file involved in the system call and/or the application information of the application that initiated the system call,
and wherein the judgement module judges whether the system call is legal according to the configuration information.
3. The system according to claim 2, wherein the file information comprises the path information and/or the name of the file, and the application information comprises the unique identifier of the application in the operating system.
4. The system according to claim 3, wherein, when each configuration item in the configuration information comprises the file information of a file and the unique identifier of an application, the judgement module judges that the system call is illegal when the file information of the file involved in the system call and the unique identifier of the application that initiated the system call are not present in any one configuration item of the configuration information.
5. The system according to claim 4, wherein each configuration item further comprises an operating right;
and when the file information of the file involved in the system call and the unique identifier of the application that initiated the system call are present in a configuration item of the configuration information, but the file operation right required by the system call does not match the operating right in that configuration item, the judgement module judges that the system call is illegal.
6. The system according to claim 4 or 5, wherein the monitoring unit further comprises:
a communication module, which communicates with the monitoring client in user space, reads the configuration information in the monitoring client and sends it to the judgement module, and sends the alarm information generated by the alarm module to the monitoring client.
7. The system according to any one of claims 1 to 5, wherein
the monitoring client detects whether the monitoring unit is working normally by performing periodic heartbeat detection on the monitoring unit.
8. The system according to any one of claims 1 to 5, wherein
the configuration information at the monitoring client is stored in configuration files;
the configuration files comprise a configuration file listing the processes allowed to perform operations and a configuration file listing the paths and/or files allowed to be accessed.
9. A method of preventing a file from being tampered with, performed in a computing device, the computing device having an operating system, the operating system comprising a kernel space providing core operations and a user space providing various applications, the method comprising:
receiving, in user space, an application's invocation by system call of a corresponding core operation provided in kernel space;
intercepting the system call before the core operation corresponding to the system call is performed; and
judging whether the system call is legal, allowing the system call when it is legal and otherwise rejecting the system call;
performing a dummy operation such that, in the singly linked list representing the loading of each operation, the pointer of the dummy operation points to the operation following the monitoring operation performed by the foregoing monitoring method rather than to the monitoring operation, so that the monitoring operation is invisible in the singly linked list.
10. The method according to claim 9, wherein the step of judging whether the system call is legal comprises: judging whether the system call is legal according to the file information involved in the system call and/or the application information of the application that initiated the system call.
11. The method according to claim 10, wherein
the file information comprises the path information and/or the name of the file, and the application information comprises the unique identifier of the application in the operating system,
and the method further comprises:
storing configuration information in kernel space, the configuration information comprising one or more configuration items, each configuration item comprising the file information of a file and the unique identifier of an application;
wherein the step of judging whether the system call is legal is: judging the system call illegal when the file information of the file involved in the system call and the unique identifier of the application that initiated the system call are not present in any one configuration item of the configuration information, and otherwise judging the system call legal.
12. The method according to claim 11, wherein
each configuration item further comprises an operating right;
and the step of judging the system call illegal is: judging the system call illegal when the file information of the file involved in the system call and the unique identifier of the application that initiated the system call are present in a configuration item of the configuration information, but the file operation right required by the system call does not match the operating right in that configuration item.
13. The method according to any one of claims 9 to 12, further comprising, after the step of rejecting the system call when it is judged illegal: generating alarm information.
14. The method according to any one of claims 9 to 12, further comprising:
receiving the heartbeat detection sent by the monitoring client at regular intervals, and sending corresponding feedback information to the monitoring client.
CN201210382366.0A 2012-10-10 2012-10-10 A kind of system and method preventing file to be tampered Expired - Fee Related CN102902909B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210382366.0A CN102902909B (en) 2012-10-10 2012-10-10 A kind of system and method preventing file to be tampered

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210382366.0A CN102902909B (en) 2012-10-10 2012-10-10 A kind of system and method preventing file to be tampered

Publications (2)

Publication Number Publication Date
CN102902909A CN102902909A (en) 2013-01-30
CN102902909B true CN102902909B (en) 2015-09-16

Family

ID=47575136

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210382366.0A Expired - Fee Related CN102902909B (en) 2012-10-10 2012-10-10 A kind of system and method preventing file to be tampered

Country Status (1)

Country Link
CN (1) CN102902909B (en)

Families Citing this family (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104252380B (en) * 2013-06-28 2017-11-17 百度在线网络技术(北京)有限公司 The control method and device that system is called under linux system
CN104731892B (en) * 2015-03-17 2018-03-27 中国人民解放军信息工程大学 A kind of mimicry tamper resistant method of centralized File Serving System
CN105100074A (en) * 2015-07-01 2015-11-25 小米科技有限责任公司 Data operation processing method, device and terminal equipment
CN105100120B (en) * 2015-08-31 2019-04-12 宇龙计算机通信科技(深圳)有限公司 Monitoring method, device and the terminal of client identification module
CN106709334A (en) * 2015-11-17 2017-05-24 阿里巴巴集团控股有限公司 Method, device and system for detecting intrusive script files
CN105550599B (en) * 2015-12-29 2018-07-17 山东中创软件商用中间件股份有限公司 A kind of tamper resistant method and system based on Linux Virtual File Systems
CN105760496B (en) * 2016-02-19 2019-05-28 珠海豹趣科技有限公司 A kind of processing method of shortcut, processing unit and electronic equipment
CN105956467A (en) * 2016-04-21 2016-09-21 北京金山安全软件有限公司 System time setting method and device and electronic equipment
US10379745B2 (en) * 2016-04-22 2019-08-13 Samsung Electronics Co., Ltd. Simultaneous kernel mode and user mode access to a device using the NVMe interface
CN106055453A (en) * 2016-06-01 2016-10-26 北京百度网讯科技有限公司 Equipment monitoring method and device
CN107645480B (en) * 2016-07-22 2021-04-30 阿里巴巴集团控股有限公司 Data monitoring method, system and device
CN107766351B (en) * 2016-08-16 2020-12-25 腾讯科技(深圳)有限公司 File directory identification method and device
CN106778243B (en) * 2016-11-28 2020-06-09 北京奇虎科技有限公司 Virtual machine-based kernel vulnerability detection file protection method and device
CN108334788B (en) * 2017-01-20 2023-01-06 腾讯科技(深圳)有限公司 File tamper-proofing method and device
CN108629197B (en) * 2017-03-21 2020-07-28 中国航发商用航空发动机有限责任公司 File access control method and system for integrated environment
CN107423325A (en) * 2017-04-07 2017-12-01 杭州安恒信息技术有限公司 A kind of method for tracing webpage tamper behavior source
CN108959918B (en) * 2017-05-18 2021-09-03 北京搜狗科技发展有限公司 Input method file protection method and device and electronic equipment
CN107547566B (en) * 2017-09-29 2020-11-20 新华三信息安全技术有限公司 Method and device for processing service message
CN109660579B (en) * 2017-10-11 2022-02-25 阿里巴巴集团控股有限公司 Data processing method and system and electronic equipment
CN107958152A (en) * 2017-12-04 2018-04-24 山东中创软件商用中间件股份有限公司 Tamper resistant method, device and equipment based on Virtual File System
CN108256298A (en) * 2017-12-14 2018-07-06 大唐微电子技术有限公司 A kind of resource access method and device
CN109936528B (en) * 2017-12-15 2022-08-05 阿里巴巴集团控股有限公司 Monitoring method, device, equipment and system
CN108416210B (en) * 2018-03-09 2020-07-14 北京顶象技术有限公司 Program protection method and device
CN111783087A (en) * 2020-06-02 2020-10-16 Oppo广东移动通信有限公司 Method and device for detecting malicious execution of executable file, terminal and storage medium
TWI802040B (en) * 2021-10-08 2023-05-11 精品科技股份有限公司 Method of application control based on file attributes
CN114048469B (en) * 2022-01-10 2022-06-14 荣耀终端有限公司 Directory operation management method, electronic device and readable storage medium
CN117407118A (en) * 2022-07-08 2024-01-16 北京火山引擎科技有限公司 Container operation control method, device, electronic equipment and readable storage medium
CN115599929B (en) * 2022-09-30 2023-08-04 荣耀终端有限公司 File management method and electronic equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102043927A (en) * 2010-12-29 2011-05-04 北京深思洛克软件技术股份有限公司 Computer system for data divulgence protection
CN102592076A (en) * 2011-12-20 2012-07-18 北京神州绿盟信息安全科技股份有限公司 Data tamper-proof method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020065945A1 (en) * 2000-11-29 2002-05-30 Brad Calder System and method for communicating and controlling the behavior of an application executing on a computer

Also Published As

Publication number Publication date
CN102902909A (en) 2013-01-30

Similar Documents

Publication Publication Date Title
CN102902909B (en) A kind of system and method preventing file to be tampered
CN102930205A (en) Monitoring unit and method
EP3404948B1 (en) Centralized selective application approval for mobile devices
CA2617204C (en) Network security systems and methods
US7895651B2 (en) Content tracking in a network security system
US8984636B2 (en) Content extractor and analysis system
US8782800B2 (en) Parametric content control in a network security system
US8272058B2 (en) Centralized timed analysis in a network security system
US9230100B2 (en) Securing anti-virus software with virtualization
CN103294950B (en) A kind of high-power secret information stealing malicious code detecting method based on backward tracing and system
US20070028302A1 (en) Distributed meta-information query in a network
CN104885092A (en) Security system and method for operating systems
CN102999726B (en) File macro virus immunization method and device
CN103020524A (en) Computer virus monitoring system
CN103294955B (en) Macrovirus checking and killing method and system
CN103001947A (en) Program processing method and program processing system
CN104239797B (en) Active defense method and device
CN103049695A (en) Computer virus monitoring method and device
CN102999720A (en) Program identification method and system
CN105631312A (en) Method and system for processing rogue programs
CN101393591B (en) Method and system for discovering unknown USB virus
KR101234066B1 (en) Web / email for distributing malicious code through the automatic control system and how to manage them
CN103561076A (en) Webpage trojan-linking real-time protection method and system based on cloud
CN102999721A (en) Program processing method and system
CN104573496A (en) Method and device for inhibiting starting items from starting

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150916

Termination date: 20211010