CN103473508A - Security verification method during kernel operation of operation system - Google Patents


Info

Publication number: CN103473508A
Application number: CN2013104256455A
Priority application: CN201310425645.5A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN103473508B (en)
Inventor: 肖楠
Original assignee: Individual
Current assignee: Individual
Legal status: Granted; Expired - Fee Related
Prior art keywords: instruction, kernel, translation, module, binary translation

Abstract

The invention provides a security verification method for an operating system kernel at run time. The method comprises the following steps: confirming the legitimacy of all kernel module files of the target operating system; verifying the legitimacy of the modules already loaded in the kernel; performing legitimacy verification on any new kernel module loaded at any time; resetting all entry points in the processor that switch from user level to privilege level; checking every instruction that binary translation is about to translate; and so on. The method can be used by computer security software to fundamentally examine a running computer operating system and detect the kernel viruses present in it; it can also protect an existing operating system by discovering kernel viruses attempting to invade the computer, and can conditionally remove them. The method is a measure for thoroughly solving the rootkit problem.

Description

Security verification method during operating system kernel operation
Technical field
The present invention relates to the field of computer security, and in particular to the detection, prevention and removal of computer operating system kernel viruses, and to related techniques for ensuring the secure operation of the operating system kernel.
Background art
Existing computer information security covers many aspects. Among them, the detection and prevention of malicious programs such as viruses and trojans is an important part of computer security. In particular, viruses that run at the kernel level of the computer operating system, using what is known as the rootkit technique, have the highest technical content among computer viruses and are the hardest to detect, prevent and remove.
A kernel virus is a virus that runs at the kernel level of the computer operating system. The technique that makes a virus run at the kernel level is referred to as the rootkit technique.
Generally speaking, modern processor architectures have different privilege levels so that software with different rights can run. The levels have different names in different processor architectures, but the design intent is the same. For example, the Intel IA32 processor widely used in personal computers (PCs) has four different privilege levels, r0, r1, r2 and r3. The operating system kernel runs at level r0, which guarantees that the kernel has the highest privilege over the computer. Other application software and the user-mode parts of the operating system all run at level r3 and have only limited authority over the computer hardware, which guarantees the security of the computer. Even if malicious code invades software running at r3, it can only cause limited damage.
Similarly, the ARM processor architecture widely used in the mobile field has several working modes such as "user mode", "system mode" and "privileged mode". These likewise guarantee the highest authority for the operating system kernel, limit the authority of user software, and ensure the safety of the computer system.
The so-called rootkit technique is a technique of invading the operating system kernel by managing to obtain the same privilege as the kernel. A virus that uses the rootkit technique obtains the highest authority over the operation of the computer. In theory, detecting or removing a kernel virus on a system on which the kernel virus is already running is work that cannot be completed thoroughly with existing technology, because the kernel virus itself has the highest authority in the computer operating system, while the security software attempting to detect it has only the same authority. The kernel virus can use multiple techniques to hide itself and to disturb or even stop the operation of the security software, for example:
1. Taking over system calls. If the system administrator uses a tool to check whether the hard disk contains a virus, then because the system calls have been taken over by the virus, the view of the system that the tool obtains through system calls is likely to be forged by the virus; for example, files that actually exist and are infected by the virus cannot be seen.
2. Killing or forging security software processes. Because the virus runs at the kernel level, it can forcibly stop security software processes from within the kernel, and can even go further and generate fake security software processes to avoid being discovered. It can also remove part of the security software's functionality from within the kernel, turning it into a process that no longer provides security.
Rootkits may appear on processors of various architectures and on various operating systems. For example, there are reports of kernel viruses using the rootkit technique on PCs running the various versions of Windows, on servers running Linux, and on mobile devices (such as mobile phones and tablets) with the Android system installed.
Many major network security incidents and attacks on computer systems have involved the rootkit technique and kernel viruses.
Summary of the invention
The purpose of the present invention is to provide a security verification method during operating system kernel operation. With this method, computer security software can fundamentally examine a running computer operating system and find the kernel viruses present in it, and can protect an existing operating system by discovering kernel viruses attempting to invade and removing them conditionally. It is a thorough solution to rootkits.
The technical solution of the present invention is:
A security verification method during operating system kernel operation, characterized in that it comprises the following steps:
Step 1] Confirm the legitimacy of all kernel module files of the target operating system:
Statically confirm the legitimacy of all kernel module files of the target operating system, and save integrity verification information for all legal kernel modules in the target operating system;
Step 2] Verify the legitimacy of the modules already loaded in the kernel:
Enumerate the kernel modules loaded by the operating system and compare them with the integrity verification information saved in step 1, thereby verifying the legitimacy of the loaded modules and at the same time obtaining the address range of each executable section of each module;
Step 3] Perform legitimacy verification on any new kernel module loaded at any time:
Compare any new kernel module that the operating system loads at any time with the integrity verification information saved in step 1, thereby verifying the legitimacy of the newly loaded module and at the same time obtaining the address range of each executable section of that module;
Step 4] Reset all entry points in the processor that switch from user level to privilege level:
Intercept all instructions in the processor that switch from user level to privilege level, and reset the entry points of these instructions so that they point to the binary translation entry;
Step 5] Check every instruction that binary translation is about to translate:
Check every instruction that binary translation is about to translate. If the instruction is not in an executable section of a legal kernel module, handle it as an exceptional instruction; if the instruction is located in an executable section of a legal kernel module, proceed to step 6;
Handling as an exceptional instruction refers to the following:
If the system is under the highest security requirement, halt system operation, collect the relevant information and report automatically, and confirm a new legal module only after manual inspection has shown it to be free of viruses;
If the system is under a higher security requirement, allow the system to continue running or bypass this instruction and try to let the system continue normal operation, while collecting the relevant information and reporting it for security analysis;
If the system is under a low security requirement, allow the exceptional instruction to continue running, while collecting information for security analysis;
Step 6] Perform binary translation on every instruction that passed the check in step 5].
The binary translation in the above step 6 is direct-copy binary translation, whose concrete steps are as follows:
6.1] Call the translation interface function, which starts translating from the address at which an instruction should be executed;
6.2] Decode instructions starting from this address to obtain one instruction;
6.3] If the instruction is a jump instruction, translate it into a jump to the translation interface function, with the jump destination address written as a parameter and the jump destination of the original jump instruction retained; this group of instructions jumps to the translation interface to be translated, and after translation ends, jumps to the generated-instruction buffer to start execution, returning to the jump destination of the original jump instruction after the last instruction has executed. Instructions without a jump are not changed in any way: they are copied directly to the generated-instruction buffer to start execution, and the address is moved to the next instruction at the same time;
6.4] Return to step 6.1 and start translating the next instruction.
The binary translation in the above step 6 is binary translation that employs the slow cache technique, the fast cache technique and/or the chaining technique.
The direct-copy binary translation in the above step 6 is direct-copy binary translation that employs the slow cache technique, the fast cache technique and/or the chaining technique.
Compared with the prior art, the present invention has the following advantages:
1. Compared with the traditional approach of scanning for viruses with virus signatures, the present invention is a universal scheme for all kernel viruses: it does not defend against or remove any particular virus, but thoroughly defends against and removes the whole class of operating system kernel viruses. It is a general technique for operating system kernel security.
2. Compared with traditional static file security techniques (such as computing an integrity code such as an md5 value, or performing signature verification on executable files), the present invention is a dynamic verification scheme. The present invention uses existing file security techniques to verify that all kernel modules of the operating system are legal; beyond that, what the present invention creates is a guarantee, while the operating system kernel is actually running, of the consistency between every instruction actually executed and the code in the verified files. It is therefore a more comprehensive and thorough security verification technique.
3. Compared with the existing "active defense" technique adopted by a large number of security software products on the market, which concentrates on checking and defending a limited number of "key points" in the operating system kernel, the present invention checks and defends at every point in the operating system kernel, namely before every instruction runs. The present technique is therefore more comprehensive and thorough than the existing "active defense" technique.
4. The present invention uses an approach similar to a virtual machine, but a much simpler and more efficient scheme, to check every instruction that runs at privilege level, guaranteeing that every instruction is a legal instruction in a known kernel module.
Description of the drawings
Fig. 1 is a simplified flow diagram of direct-copy binary translation; in the figure, the grey parts represent the translation process and the white parts represent the execution process.
Embodiments
The present invention creates a run-time kernel module legitimacy detection method which, only by checking the instructions actually executed in the kernel for identity with the executable files of the kernel modules already confirmed as legal, determines whether any illegal instruction is running in the kernel, thereby guaranteeing strict kernel security and achieving thorough detection and complete blocking of kernel virus intrusion.
A security verification method during operating system kernel operation comprises the following steps:
Step 1] Confirm the legitimacy of all kernel module files of the target operating system:
Statically confirm the legitimacy of all kernel module files of the target operating system, and save integrity verification information for all legal kernel modules in the target operating system;
Step 2] Verify the legitimacy of the modules already loaded in the kernel:
Enumerate the kernel modules loaded by the operating system and compare them with the integrity verification information saved in step 1, thereby verifying the legitimacy of the loaded modules and at the same time obtaining the address range of each executable section of each module. Once the address of each executable section of each legal executable module is determined, the addresses of all legal instructions in the kernel are determined. Any privileged instruction that executes outside these addresses can be considered a virus or other attack.
Step 3] Perform legitimacy verification on any new kernel module loaded at any time:
Compare any new kernel module that the operating system loads at any time with the integrity verification information saved in step 1, thereby verifying the legitimacy of the newly loaded module and at the same time obtaining the address range of each executable section of that module;
Step 4] Reset all entry points in the processor that switch from user level to privilege level:
Intercept all instructions in the processor that switch from user level to privilege level, and reset the entry points of these instructions so that they point to the binary translation entry. In this way, once the processor switches to privilege level, all privileged instructions will be translated.
Step 5] Check every instruction reaching the binary translation entry:
Check every instruction that reaches the binary translation entry. If the instruction is not in an executable section of a legal kernel module, handle it as an exceptional instruction; if the instruction is located in an executable section of a legal kernel module, proceed to step 6;
Handling as an exceptional instruction refers to the following:
If the system is under the highest security requirement, halt system operation, collect data and report automatically, and confirm a new legal module only after manual inspection has shown it to be free of viruses;
If the system is under a higher security requirement, allow the system to continue running or bypass this instruction and try to let the system continue normal operation, while collecting the relevant information and reporting it for security analysis;
If the system is under a low security requirement, allow the exceptional instruction to continue running, while collecting the relevant information for security analysis;
Step 6] Perform direct-copy binary translation on every instruction that passed the check in step 5]:
6.1] Call the translation interface function, which starts translating from the address at which an instruction should be executed;
6.2] Decode instructions starting from this address to obtain one instruction;
6.3] If the instruction is a jump instruction, translate it into a jump to the translation interface function, with the jump destination address written as a parameter and the jump destination of the original jump instruction retained; this group of instructions jumps to the translation interface to be translated, and after translation ends, jumps to the generated-instruction buffer to start execution, returning to the jump destination of the original jump instruction after the last instruction has executed. Instructions without a jump are not changed in any way: they are copied directly to the generated-instruction buffer to start execution, and the address is moved to the next instruction at the same time;
6.4] Return to step 6.1 and start translating the next instruction.
Principle of the invention:
Through research, the inventor holds that the basic reason kernel viruses are in theory hard to detect, prevent and remove is that the kernel virus runs at the same privilege level as the security software. (Note: in this description, regardless of processor architecture, the permission level at which kernel code runs is called the privilege level, and the corresponding permission level at which ordinary application software runs is called the user level.) In this situation, thoroughly detecting, preventing and removing kernel viruses cannot be achieved in theory. The present invention therefore introduces another layer of authority control, which opens the way to thoroughly detecting, preventing and removing kernel viruses.
Note that a kernel virus necessarily has the following two indispensable features:
1. The kernel virus must have instructions that run at privilege level.
2. These instructions must not be instructions of the operating system kernel or of other legal kernel modules, but must have been "additionally" injected into the kernel by some method.
Through research, the inventor holds that using the above two features is sufficient to accurately identify kernel viruses.
Run-time kernel module legitimacy detection method
The present invention uses a unique "run-time kernel module legitimacy detection method" to detect kernel viruses. This is completely different from the schemes adopted by most security software on the market today, such as statically scanning for virus code, real-time monitoring and scanning for virus code, and active defense.
The basic idea of the "kernel module legitimacy detection method" is:
1. The operating system kernel is composed of several extractable executable files. On Windows, it consists of a group of files in PE format; on Linux, of a group of files in ELF format. The integrity and legitimacy of these files can be verified by existing methods (such as signature verification on Windows). A module that has passed these verifications and is determined not to have been modified is called a legal module in the present invention.
2. Legal modules can be resolved statically. In general, all executable instructions are contained in the executable sections of a legal module. The content of these instructions can be obtained and confirmed by static analysis.
3. The loading of legal modules can be monitored at run time. Every operating system has a legitimate entry point that can be monitored when it loads a legal module. For example, on Windows, loading can be monitored through a callback function registered with the PsSetLoadImageNotifyRoutine interface, and on Linux or Android through the loading interface of loadable kernel modules (LKM), ins_mod. When a kernel module load is detected, the module image can be checked to confirm that the module is indeed an unmodified legal module. After loading, the memory address range into which the module is loaded can be determined.
4. When an illegal instruction (such as a rootkit virus) is loaded and run, it is hard to control, because a virus does not necessarily load through a legitimate interface (although it is entirely possible that it does). In addition, the file structure and so on of an illegal module is unknown: the virus's instructions may be generated dynamically and have no definite file structure, or may be structurally no different from a legal module. In any case, however, in an operating system kernel with strict security requirements, any instruction that is actually about to run at privilege level and cannot be confirmed by the above points 1, 2 and 3 can be suspected of being a kernel virus instruction. At this point, different strategies can be set according to different security requirements.
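As an added illustration (not code from the patent), the following Python models points 1 to 3 above: a registry that keeps integrity information for statically verified module files, verifies a module image when a load is reported (the role the description gives to a load-notification callback), records the executable-section address ranges of modules that pass, and answers whether a privilege-level instruction address lies inside a legal module. The module bytes, section layouts and module names are constructed, and comparing the loaded image's hash directly with the file hash is a simplifying assumption.

```python
"""Toy registry for the run-time kernel module legitimacy idea (added example,
not the patent's own code).  Module contents, section layouts and names are
constructed; real loaders also relocate images, which this model ignores."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ModuleRegistry:
    def __init__(self):
        self.verified_files = {}   # step 1: module name -> sha256 of the verified file
        self.exec_sections = []    # steps 2/3: (module name, lo, hi) executable ranges

    def record_verified_file(self, name: str, file_bytes: bytes) -> None:
        """Step 1: keep integrity information for a file whose legitimacy was
        confirmed statically (signature/integrity check assumed to have passed)."""
        self.verified_files[name] = sha256_hex(file_bytes)

    def on_module_load(self, name: str, image_bytes: bytes, base: int, sections) -> bool:
        """Steps 2 and 3: called for an already-loaded module or a newly loaded
        one.  sections: list of (offset, size, executable).  Only an image that
        matches the step-1 information gets its executable ranges recorded."""
        expected = self.verified_files.get(name)
        if expected is None or sha256_hex(image_bytes) != expected:
            return False           # unknown or modified module: not legal
        for offset, size, executable in sections:
            if executable:         # only executable sections hold legal instructions
                self.exec_sections.append((name, base + offset, base + offset + size))
        return True

    def legal_module_at(self, addr: int):
        """Legal module whose executable section contains addr, or None.
        A privileged instruction at a None address is treated as an attack."""
        for name, lo, hi in self.exec_sections:
            if lo <= addr < hi:
                return name
        return None


def demo():
    """Constructed scenario: one legal module, a modified copy of it, one unknown."""
    reg = ModuleRegistry()
    legal_bytes = b"\x90" * 64 + b"data" * 8            # constructed file: 64 B text, 32 B data
    reg.record_verified_file("core.ko", legal_bytes)
    sections = [(0, 64, True), (64, 32, False)]
    ok_legal = reg.on_module_load("core.ko", legal_bytes, 0x1000, sections)
    tampered = b"\xcc" + legal_bytes[1:]                 # one byte changed after verification
    ok_tampered = reg.on_module_load("core.ko", tampered, 0x2000, sections)
    ok_unknown = reg.on_module_load("extra.ko", b"\x90" * 16, 0x3000, [(0, 16, True)])
    return {
        "legal": ok_legal, "tampered": ok_tampered, "unknown": ok_unknown,
        "text": reg.legal_module_at(0x1010),     # inside core.ko's executable section
        "data": reg.legal_module_at(0x1050),     # core.ko's data section: not executable
        "foreign": reg.legal_module_at(0x2010),  # the rejected copy recorded nothing
    }
```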
The problem with the prior art of security software on the market is that it cannot accurately monitor and check every instruction executed in the kernel, because once an instruction running at privilege level is executing, it actually holds complete control of the computer, and nothing outside it can interfere with it. Therefore, a new mechanism must be added to check an instruction before it runs at privilege level. One original point of the present invention is precisely to check these instructions using an approach similar to a virtual machine, but a much simpler and more efficient scheme, namely the so-called direct-copy binary translation technique.
Binary translation
Binary translation (dynamic binary translation) is not the content of the present invention; it is a technique that has long been publicly available and widely used. It translates a binary program directly at run time so that it can execute, and it can translate a binary program of one kind of processor so that it executes on another processor.
Its principle is: on one hand, the binary instruction stream of some processor architecture is read in; on the other hand, these instruction streams are decoded to obtain their functional meaning, and another instruction stream with the same function, suitable for execution on another processor architecture, is generated. When an instruction that has not yet been translated is about to be executed, translation proceeds. Execution and translation are carried out alternately.
This technique is widely used when software developed for one processor architecture must run on the hardware of another. For example, after Apple changed the core processor architecture of its Mac notebooks from PowerPC to IA32, it used binary translation in order to remain compatible with software previously built for PowerPC architecture processors.
Sometimes it is also necessary to translate between instructions of the same processor architecture, for example from IA32 instructions to IA32 instructions. Although the instructions are of the same kind, the translation process makes some changes to them. The well-known software virtual machine VMware once used this technique: on a PC of the IA32 architecture, VMware used one processor to virtualize multiple processors of the same architecture, and for this it used binary translation (after Intel provided the VT technology, VMware replaced binary translation with the facilities provided by VT).
Through research, the inventor has found that binary translation can be carried out specifically for the operating system kernel, thereby achieving the following:
1. Detection of the instructions present and running in the operating system kernel, guaranteeing that every instruction is a legal instruction in a known kernel module.
2. Modification of the instructions present and running in the operating system kernel, such as shielding and removing unwanted code.
3. No change to the original function of the operating system kernel, transparent to the user.
This is because, after binary translation is applied, every instruction about to run must first pass through translation before it can run, and the translation process can check the legitimacy of the instruction. Moreover, after translation, if an original instruction is modified by a malicious attack, this can be discovered very easily. The above points therefore provide the technical foundation for the detection, prevention and removal of kernel viruses in the present invention.
Direct-copy translation technique
Ordinary binary translation involves address mapping (transforming from one address space to another, for the case where a complete computer is virtualized within some region of address space on the host), virtualization of hardware devices (for virtualizing hardware operation instructions), saving and restoring of state, and so on. The techniques involved are very complex, and the loss of computing power is correspondingly large. The reason is that binary translation is generally used between heterogeneous platforms, or to virtualize one processor as many on one platform, so complex functions such as address mapping and hardware virtualization must be implemented.
Through study, the inventor has found that for the purpose of countering kernel viruses in the present invention, no hardware virtualization or address mapping of any kind is needed. This is because:
1. This is not translation between heterogeneous processor architectures but translation within the same processor architecture. There is neither a need to change the kind of instruction nor a need to transform the addresses of the data the instructions operate on.
2. No one-to-many virtualization is needed; only one-to-one translation is needed, so there is no need to save additional state for multiple virtual processors. The translated code can run directly under the native conditions of the operating system; it is only necessary to guarantee that the processor register state is unchanged before and after translation.
Compared with traditional binary translation, the binary translation required by the present invention is relatively simple: it only needs to implement direct copying, the translation method often called "direct copy" in the foreign literature. The simplest direct-copy translation method (without any optimization) is:
1. The translation interface starts translating from the address at which execution should take place. Before translation, the current state of processor operation is saved first.
2. Most ordinary instructions (those without a jump) are copied directly to the generated-instruction buffer without any change. This is the simplest translation method, namely direct copying. (However, a small number of instructions use relative addressing; after translation their own address changes, so the relative addressing offset must be corrected. Such instructions must undergo a simple translation and correction.)
3. A jump instruction is translated into a group of instructions that jump to the translation interface, with the jump destination of the original jump instruction retained as a parameter. Translation then ends, the processor state saved earlier is restored, and execution jumps to the generated-instruction buffer. Because non-jump instructions are completely equivalent before and after translation, the effect of executing this buffer is the same as executing the original instructions.
4. After the copied instructions have executed, the translation interface is called at the end and translation starts from the jump destination of the original jump instruction. This returns to the first step.
The above four steps run in a cycle, realizing the cyclic process of alternating translation and execution. The effect of execution is the same as that of the original program (without translation), where "the same" means that the user-visible effect is equivalent. The processor state in intermediate steps differs during execution, for example the addresses of the executed instructions differ from the original, but this does not affect the results shown to the user.
Of course, the above steps ignore some other situations that need translation, such as the case where the current instruction uses relative addressing, and also omit the various optimizations. The optimizations are described in detail below.
In the case of direct-copy binary translation, the flow of translation and execution is as shown in Fig. 1.
Note that the above translation process, because of its simplicity, can be inserted directly into the privilege-level entry points of the operating system kernel. Of course, it must be guaranteed that:
1. The user-visible register state of the processor (for x86, the general-purpose registers and the bits of the flags register related to operation results) is the same before and after translation. This can be achieved by backing up the registers before translation and restoring them after translation, before execution.
2. Translation uses no hardware resources other than the registers and its own exclusive memory.
3. Translation does not need to call any code provided by the operating system itself.
Because the inventor adopted the simple translation form of direct-copy binary translation, all three of the above points become achievable. As a result, the technique described in the present invention can be installed and run directly in the operating system as an operating system kernel module, without having to run beneath the operating system as a virtual machine does. Using the direct-copy binary translation technique to translate only the operating system kernel code is one of the original parts of the present invention.
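The four-step direct-copy loop, the step-5 instruction check with its three handling strategies, and the register save/restore requirement above, as an added Python simulation that is not code from the patent. It also keeps each translated block in a table so that no block is translated twice, which is the slow cache described further on. The toy instruction set, the program, its addresses and the legal address range are all constructed.

```python
"""Toy direct-copy binary translation with the patent's per-instruction check
(added example; not the patent's own code).  Instruction set, program and addresses
are constructed: an instruction is a tuple in a dict keyed by address, and
"copying" it means appending it unchanged to the generated-instruction buffer."""

HIGHEST, HIGHER, LOW = "highest", "higher", "low"   # the three security requirements

class SystemHalted(Exception):
    """Raised under the highest requirement when an illegal instruction is found."""

class DirectCopyTranslator:
    def __init__(self, memory, legal_ranges, policy=HIGHEST):
        self.memory = memory              # addr -> original instruction
        self.legal_ranges = legal_ranges  # (lo, hi) executable sections of legal modules
        self.policy = policy
        self.cache = {}                   # slow cache: block start addr -> translated block
        self.report = []                  # addresses of exceptional instructions
        self.translations = 0             # how many blocks were actually translated

    def is_legal(self, addr):
        return any(lo <= addr < hi for lo, hi in self.legal_ranges)

    def translate(self, addr):
        """Translation interface: translate the basic block starting at addr."""
        if addr in self.cache:            # already translated: execute it again directly
            return self.cache[addr]
        self.translations += 1
        start, block = addr, []
        while True:
            ins = self.memory[addr]
            if not self.is_legal(addr):   # step 5: outside every legal executable section
                self.report.append(addr)
                if self.policy == HIGHEST:
                    raise SystemHalted(f"illegal instruction at {addr:#x}: {ins}")
                if self.policy == HIGHER:
                    addr += 1             # bypass it and try to keep the system running
                    continue
                # LOW: recorded above, but allowed to run
            if ins[0] == "jmp":           # jump -> call the translator, target as parameter
                block.append(("call_translator", ins[1]))
                break
            if ins[0] == "jz":            # conditional jump: the target is chosen at run time
                block.append(("call_translator_if_zero", ins[1], ins[2], addr + 1))
                break
            block.append(ins)             # non-jump instruction: copied unchanged
            if ins[0] == "halt":
                break
            addr += 1
        self.cache[start] = block
        return block

def enter_translator(tr, regs, target):
    """Save user-visible state, translate, restore it (requirement 1 above).
    This toy translator never touches regs, so the copy only mirrors the rule."""
    saved = dict(regs)
    block = tr.translate(target)
    regs.clear()
    regs.update(saved)
    return block

def run(tr, entry, regs):
    """Translation and execution alternate until a halt instruction executes."""
    block = tr.translate(entry)
    while True:
        nxt = None
        for ins in block:
            op = ins[0]
            if op == "mov":
                regs[ins[1]] = ins[2]
            elif op == "add":
                regs[ins[1]] += ins[2]
            elif op == "sub":
                regs[ins[1]] -= ins[2]
            elif op == "halt":
                return regs
            elif op == "call_translator":
                nxt = enter_translator(tr, regs, ins[1])
            elif op == "call_translator_if_zero":
                nxt = enter_translator(tr, regs, ins[2] if regs[ins[1]] == 0 else ins[3])
        block = nxt

def demo(policy, entry):
    """Constructed kernel: a legal loop at 0x100-0x106 (r1 ends at 6) and two
    instructions at 0xfe-0xff belonging to no verified module.  Returns the final
    registers (None if halted), the reported addresses and the translation count."""
    memory = {
        0xfe: ("mov", "r2", 99), 0xff: ("jmp", 0x100),            # outside every legal section
        0x100: ("mov", "r0", 3), 0x101: ("mov", "r1", 0),
        0x102: ("add", "r1", 2), 0x103: ("sub", "r0", 1),
        0x104: ("jz", "r0", 0x106), 0x105: ("jmp", 0x102), 0x106: ("halt",),
    }
    tr = DirectCopyTranslator(memory, legal_ranges=[(0x100, 0x107)], policy=policy)
    try:
        regs = run(tr, entry, {})
    except SystemHalted:
        regs = None
    return regs, tr.report, tr.translations
```

Entering at 0x100 exercises only legal code, so the loop body at 0x102 is translated once and then served from the cache; entering at 0xfe shows the three strategies halting, bypassing, or allowing-and-recording the two unverified instructions.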
Direct-copy binary translation is the most basic kind of binary translation and is a known technique. It is generally used for simple simulation in the early stages of developing a binary translation project, but rarely appears in practical applications.
Binary translation optimization techniques usable with direct copy
Note that the direct-copy translation technique introduced in this description does not include its optimization process. Implemented only as described above, it would run extremely slowly. However, every optimization method for binary translation can likewise be applied to the present invention without affecting the security function it provides. These optimization techniques are already widely and publicly used, for example the slow cache, the fast cache and chaining.
Note that the introduction of these techniques below takes direct-copy binary translation as the example. The details in more complex binary translation (such as translation between the instruction sets of different platforms) may differ, but since that has no bearing on the present invention it can be ignored.
To introduce the optimization methods, a few concepts must first be defined. In binary translation, an instruction before translation is called a "source instruction", and an instruction after translation a "translated instruction". The program that performs the translation is called the "translator", and the interface through which the translator is invoked the "translation interface". A run of instructions that is contiguous in memory and ends at a jump instruction, with no jump instruction in the middle, is called a "basic block".
Under normal translation, a basic block of source instructions looks roughly like this:
Non-jump instruction 1
Non-jump instruction 2
...
Jump to target A
Once the translator has been loaded on the operating system, the first instruction "non-jump instruction 1" is in fact intercepted and translated before it executes, and after translation the block looks like this:
Non-jump instruction 1
Non-jump instruction 2
...
Save state
Call "translation interface" (translate the basic block starting at target A)
As can be imagined, an original program is made up of a great many basic blocks. After translation, every time a basic block finishes it jumps to the "translation interface", which begins translating the original jump target. Because translating is very time-consuming relative to executing one basic block, the process as a whole is very inefficient.
The so-called slow cache keeps each translated basic block in a table that can be searched efficiently. When a new target is to be translated, the table is first consulted to see whether that target has already been translated; if it has, the existing translation is executed directly and nothing is translated again. With the slow cache added, the translation result above becomes:
Non-jump instruction 1
Non-jump instruction 2
...
Save state
Call slow-cache lookup (target A)
If found:
Restore state, jump to the translated code corresponding to A and execute it
If not found:
Jump to "translation interface" (translate the basic block starting at target A)
The form above looks more complicated, but each basic block is in fact translated exactly once, so most of the time the slow-cache lookup simply finds the result, and execution becomes faster.
The slow cache is a table that can grow without bound and still be searched (a hash table, for example). Because it can keep growing its capacity is large, but that also limits lookup speed: while the table is small, lookup is fast; as more and more basic blocks are translated, lookup slows down. At that point a fast cache becomes necessary.
The so-called fast cache keeps a recently used set of mappings from source-instruction address to translated-instruction address in a table of fixed size. Because the table size is fixed, the lookup time is also fixed, which is much faster than the open-ended slow cache.
Its drawback is precisely that the size is fixed, so it can hold only the most recently cached entries; older entries are automatically overwritten. But because accesses tend to be concentrated, setting the size of the fast cache reasonably yields a high hit rate at high speed.
According to the inventor's tests, the hit rate of a typical fast cache can exceed 90%, and the improvement in efficiency is significant.
Generally the slow cache is consulted only after a fast-cache miss, and when the slow cache hits, that entry is added to the fast cache.
After the fast cache is added, the translation result becomes:
Non-jump instruction 1
Non-jump instruction 2
...
Save state
Call fast-cache lookup (target A)
If found:
Restore state, jump to the translated code corresponding to A and execute it
If not found:
Call slow-cache lookup (target A)
If found:
Add this slow-cache entry to the fast cache
Restore state, jump to the translated code corresponding to A and execute it
If not found:
Jump to "translation interface" (translate the basic block starting at target A)
With the fast cache in use, the efficiency of the dynamic translation system improves significantly. If the "chaining" technique is added as well, the efficiency of the dynamic translation system can approach that of the original, untranslated system. Look again at the form of the source instructions:
Non-jump instruction 1
Non-jump instruction 2
...
Jump to target A
If target A has already been translated and the address of its translated instructions is B, then the basic block above can in fact be translated into:
Non-jump instruction 1
Non-jump instruction 2
...
Jump to target B
The so-called chaining technique simply appends, at the tail of the translated instructions, a direct jump to another already translated basic block. No lookup and no translation takes place in between, so execution speed is essentially indistinguishable from that before translation.
About 90% of jumps can be completed with chaining. It cannot be used directly for "indirect jumps" (in this document an indirect jump means a jump instruction whose target is not fixed and can only be determined together with the processor state), but compromise techniques exist for those as well.
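The following is an added example, not code from the patent: a simulation in C of direct-copy translation with the slow cache, fast cache and chaining described above (claim 2 restates the same translation loop as steps 6.1 to 6.4). The instruction set, the program, the cache sizes and the probing scheme are all constructed for the demonstration. A jump instruction ends a basic block and is replaced by a trampoline that saves state, looks the target up in the fast cache, then in the slow cache, and translates only on a miss. Direct trampolines are patched into a direct jump after their first use (chaining), while the indirect jump, whose target depends on machine state, cannot be chained and goes through the caches on every execution.

```c
/* Added example, not the patent's code: direct-copy binary translation of a
 * constructed two-byte toy instruction set with slow cache, fast cache and
 * chaining. Source opcodes: ADD SUB SETI JMP JNZ JMPI HALT. Translated-only:
 * TRAMP/TRAMPNZ/TRAMPI (look up or translate the target) and JMPT/JMPTNZ
 * (the chained form, a direct jump into translated code). */
#include <stdint.h>
#include <string.h>

enum { OP_ADD = 1, OP_SUB, OP_SETI, OP_JMP, OP_JNZ, OP_JMPI, OP_HALT,
       OP_TRAMP, OP_TRAMPNZ, OP_TRAMPI, OP_JMPT, OP_JMPTNZ };
#define TC_MAX    256  /* translated-code buffer; operands are one byte       */
#define SLOW_SIZE 64   /* open-addressing table; would grow in a real system  */
#define FAST_SIZE 8    /* fixed size, direct mapped, old entries overwritten  */

static uint8_t tc[TC_MAX];
static int tc_len;
static struct { int src, dst, used; } slow[SLOW_SIZE];
static struct { int src, dst, valid; } fast[FAST_SIZE];
static struct { int translations, fast_hits, slow_hits, chains; } stats;
static void emit(uint8_t op, uint8_t arg) { tc[tc_len++] = op; tc[tc_len++] = arg; }

/* Translation interface: straight-copy the basic block starting at source
 * address a. A jump ends the block and becomes a trampoline carrying the
 * original target; JNZ also gets a trampoline for its fall-through address. */
static int translate_block(const uint8_t *src, int a) {
    int dst = tc_len;
    stats.translations++;
    for (;;) {
        uint8_t op = src[a], arg = src[a + 1];
        if (op == OP_JMP)  { emit(OP_TRAMP, arg); return dst; }
        if (op == OP_JMPI) { emit(OP_TRAMPI, 0); return dst; }
        if (op == OP_JNZ)  { emit(OP_TRAMPNZ, arg); emit(OP_TRAMP, (uint8_t)(a + 2)); return dst; }
        emit(op, arg);                         /* non-jump instruction: copied verbatim */
        if (op == OP_HALT) return dst;
        a += 2;
    }
}
/* Slow cache, linear probing: the slot holding src, or the free slot for it. */
static int slow_slot(int src) {
    int h = (src * 7) % SLOW_SIZE;
    while (slow[h].used && slow[h].src != src) h = (h + 1) % SLOW_SIZE;
    return h;
}

/* What every trampoline does: fast cache, then slow cache, then translate. */
static int resolve(const uint8_t *src, int target) {
    int f = target % FAST_SIZE, dst;
    if (fast[f].valid && fast[f].src == target) { stats.fast_hits++; return fast[f].dst; }
    int h = slow_slot(target);
    if (slow[h].used) { stats.slow_hits++; dst = slow[h].dst; }
    else {
        dst = translate_block(src, target);
        slow[h].src = target; slow[h].dst = dst; slow[h].used = 1;
    }
    fast[f].src = target; fast[f].dst = dst; fast[f].valid = 1;  /* promote to fast cache */
    return dst;
}

/* Execute translated code. acc and idx are the whole machine state here; a real
 * translator saves and restores the registers around resolve(). Direct trampolines
 * are patched into JMPT/JMPTNZ after first use (chaining); TRAMPI cannot be. */
static int bt_run(const uint8_t *src, int entry, int max_steps) {
    int acc = 0, idx = 0, pc = resolve(src, entry);
    for (int step = 0; step < max_steps; step++) {
        uint8_t op = tc[pc], arg = tc[pc + 1];
        switch (op) {
        case OP_ADD:    acc += arg; pc += 2; break;
        case OP_SUB:    acc -= arg; pc += 2; break;
        case OP_SETI:   idx = arg;  pc += 2; break;
        case OP_HALT:   return acc;
        case OP_JMPT:   pc = arg; break;                       /* chained */
        case OP_JMPTNZ: pc = acc ? arg : pc + 2; break;        /* chained */
        case OP_TRAMPI: pc = resolve(src, idx); break;         /* looked up every time */
        case OP_TRAMPNZ: if (!acc) { pc += 2; break; }         /* else fall through */
        case OP_TRAMP: {
            int dst = resolve(src, arg);
            tc[pc] = (op == OP_TRAMP) ? OP_JMPT : OP_JMPTNZ;   /* chain this site */
            tc[pc + 1] = (uint8_t)dst; stats.chains++; pc = dst; break;
        }
        default: return -1;
        }
    }
    return -1;
}

/* Constructed program: acc = 4; do { acc -= 1; } while (acc); acc += 10; halt.
 * The loop returns to its head through a plain jump followed by an indirect one. */
static const uint8_t demo_prog[] = {
    OP_ADD, 4,   OP_SETI, 4,   /*  0,  2: acc = 4; idx = loop head (4)  */
    OP_SUB, 1,   OP_JNZ, 12,   /*  4,  6: loop head; exit test          */
    OP_ADD, 10,  OP_HALT, 0,   /*  8, 10                                */
    OP_JMP, 16,  0, 0,         /* 12, 14: chainable jump; padding       */
    OP_JMPI, 0,                /* 16: jump to idx, not chainable        */
};
/* Returns the final accumulator; stats holds the cache and chaining counters. */
int demo_run(void) {
    tc_len = 0;
    memset(slow, 0, sizeof slow); memset(fast, 0, sizeof fast); memset(&stats, 0, sizeof stats);
    return bt_run(demo_prog, 0, 1000);
}
```

Running demo_run() on the constructed program executes the loop four times and leaves 5 translated blocks (24 bytes of translated code), 1 fast-cache hit, 2 slow-cache hits and 4 chained sites. The two slow hits occur because source addresses 4 and 12 share a slot in the eight-entry fast cache and evict each other: once at the loop's conditional jump, once at the indirect jump. After the three direct sites inside the loop have been chained, only the indirect jump still consults the caches, which is exactly the "compromise" case the text describes.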
The inventor's practical tests on Linux show that with the present invention performing real-time security verification, the operating-system kernel still runs at about 70% of its direct-execution efficiency, and the operating system as a whole reaches about 90% of its original efficiency, so the user is hardly affected. Note that the above figures vary with the hardware platform on which the test is run.
The technique of the present invention is applicable to the various operating systems that exist today, including but not limited to the various versions of Linux, Android and Windows, and to various processor architectures, including but not limited to IA32 and ARM. Different processor architectures require different code, and different operating systems require different implementation methods. On every system and processor platform, however, the present invention is implemented as software: it may be installed on an existing operating system as independent software (which must run at the privileged level); it may be delivered to the user as part of the operating system; or it may be fixed in hardware such as ROM and delivered as part of the machine. The description below takes installation as independent software as the example, but delivery as part of the operating system, or fixed in hardware memory, is equally feasible.
When implemented as independent software, the present invention is installed in the following steps:
Step 1: statically confirm the legitimacy of all kernel module files of the target system. This need not be done while the target operating system is running; reading and checking the files on disk is sufficient. Known methods exist, for example checking that the operating-system kernel carries the manufacturer's legitimate signature (such as Microsoft's signature on the Windows kernel) and that each driver likewise carries a legitimate signature or can be obtained in a legitimate version from the official site. For Linux, a clean kernel can be compiled from source, an integrity computation run over it and an integrity verification code retained (an md5 value, for example; a collision-resistant digest such as SHA-256 is preferable in practice, since md5 collisions are practical). At this point the integrity verification codes of all legitimate modules in the target system must be saved so that they can be checked at module-load time.
Step 2: verify the legitimacy of the modules already loaded in the kernel. Every operating system provides a public method of enumerating the loaded kernel modules. By enumerating these modules and comparing them with the integrity information retained in step 1, one can confirm whether the modules loaded in memory are intact and undamaged, and at the same time obtain the address range of each executable section of each module.
Step 3: install load monitoring for loadable modules. This differs between operating systems, but known methods exist for each and are widely used by the security software on the market today. Every loaded kernel module is verified, by the same method as step 2. The difference is that step 2 verifies the kernel modules loaded before this software starts working, whereas this step verifies every new kernel module the operating system loads at any time after the software is running.
Step 4: intercept every switching point that can cause the processor to change state from the user level to the privileged level. The details differ between Windows and Linux and between processor architectures (IA32 and ARM), but any processor architecture that provides the two operating modes, user level and privileged level, must provide entries for switching from the user level to the privileged level, and those entries can be modified only at the privileged level. Since this software itself runs at the privileged level, it can always modify them. The concrete operation differs between architectures: on an IA32 processor every interrupt may cause a switch from the user level to the privileged level, and in addition the sysenter instruction (or syscall in 64-bit mode) switches to the privileged level with the instruction pointer set to a value held in an MSR (IA32_SYSENTER_EIP and IA32_LSTAR respectively). The implementation of the present invention resets these entries to point to the binary-translation entry, and the code of the original entry is handed directly to binary translation.
Step 5: during direct-copy binary translation, check every instruction to be translated and make sure it really lies in an executable section of a legitimate module. If it does not, different measures are taken according to the security policy, for example but not limited to:
Under the highest security requirement, the system is halted as soon as this occurs and the machine is sent to the relevant department for examination; it is released only after being confirmed clean.
Under a high security requirement, the system may be allowed to continue running, but enough information is collected and sent to the relevant technical department for analysis to confirm its safety.
Sometimes the suspect instruction can be bypassed so that the system continues normal operation, while information is collected, the user is warned of a potential security risk, and the data is sent to the technical department for analysis.
Under a low security requirement, the illegal instruction may be allowed to continue running while relevant information is collected and sent to the technical department for analysis.
Note that a legitimate operating system does contain a small number of dynamically generated instructions that cannot pass the step 5 check. Because these are known and few, they can be excluded entirely as special cases. Any such exception list must be kept as narrow as possible, since code placed in an excluded region escapes the check.
The present technique depends on control of the hardware entries for switching from the user level to the privileged level. In theory a rootkit could also alter these entries to seize control and defeat the technique. But because only instructions running at the privileged level can alter these entries, and every instruction running at the privileged level is subjected to binary-translation analysis by this technique, the adversary's intent can be discovered and the technique can, in theory, protect itself from attack. This argument presupposes that the entries were under the translator's control before any hostile code ran at the privileged level, which is why steps 1 to 3 establish a clean baseline first.
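The following is an added example, not the patent's code, showing in C how steps 1 to 3 and step 5 fit together: the integrity codes of the legitimate module files are recorded, each loaded module is accepted only if its executable section matches, the accepted sections' address ranges are kept sorted, and every instruction address presented for translation is checked against them before it is copied. Module images, names, base addresses, the allowlisted region of dynamically generated code and the hash function (FNV-1a standing in for md5 or SHA-256 over real module files) are all constructed for the demonstration.

```c
/* Added example, not the patent's code: the integrity table of steps 1 to 3, the
 * executable-section range table it yields, and the per-instruction check of
 * step 5 with the graded policy response. Module images, names, base addresses,
 * the allowlisted "dynamic code" region and the hash (FNV-1a standing in for
 * md5/SHA-256 over real module files) are all constructed for the demo. */
#include <stdint.h>
#include <string.h>

enum policy  { POLICY_HIGHEST, POLICY_HIGH, POLICY_LOW };
enum verdict { INSN_OK, INSN_SPECIAL, INSN_HALT, INSN_REPORT, INSN_LOG };
struct range { uint64_t lo, hi; };                     /* [lo, hi) */

#define MAX_MODULES 16
static struct { const char *name; uint64_t exec_hash; } legal[MAX_MODULES];
static int n_legal;
static struct range exec_ranges[MAX_MODULES];           /* kept sorted by lo */
static int n_ranges;
/* The "known and few" dynamically generated instructions of this constructed
 * kernel. Anything inside an excluded region escapes the check, so keep it tight. */
static const struct range dynamic_allow[] = { { 0xffff0000ULL, 0xffff0100ULL } };
#define N_DYNAMIC ((int)(sizeof dynamic_allow / sizeof dynamic_allow[0]))
/* Integrity code over a byte range (FNV-1a 64; use a cryptographic digest in practice). */
static uint64_t digest(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Step 1, done offline from the files on disk: record each legal module's code. */
static void register_legal(const char *name, const uint8_t *file, size_t off, size_t len) {
    legal[n_legal].name = name;
    legal[n_legal].exec_hash = digest(file + off, len);
    n_legal++;
}

/* Steps 2 and 3, for a module already in the kernel or one being loaded now:
 * accept it only if its executable section matches the stored code, then record
 * that section's address range for step 5. Returns 1 if accepted, 0 otherwise. */
static int verify_loaded(const char *name, uint64_t base, const uint8_t *image,
                         size_t off, size_t len) {
    uint64_t h = digest(image + off, len);
    for (int i = 0; i < n_legal; i++) {
        if (strcmp(legal[i].name, name) != 0 || legal[i].exec_hash != h) continue;
        struct range r = { base + off, base + off + len };
        int j = n_ranges++;                             /* insertion keeps the table sorted */
        while (j > 0 && exec_ranges[j - 1].lo > r.lo) { exec_ranges[j] = exec_ranges[j - 1]; j--; }
        exec_ranges[j] = r;
        return 1;
    }
    return 0;                /* unknown module or tampered code: no range is added */
}

/* Binary search over sorted, non-overlapping ranges. */
static int in_ranges(const struct range *rs, int n, uint64_t a) {
    int lo = 0, hi = n - 1;
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        if (a < rs[mid].lo) hi = mid - 1;
        else if (a >= rs[mid].hi) lo = mid + 1;
        else return 1;
    }
    return 0;
}

/* Step 5: run on every instruction address before it is copied into the translation
 * buffer. OK and SPECIAL mean "translate it"; the rest are the policy responses. */
enum verdict check_insn(uint64_t addr, enum policy p) {
    if (in_ranges(exec_ranges, n_ranges, addr)) return INSN_OK;
    if (in_ranges(dynamic_allow, N_DYNAMIC, addr)) return INSN_SPECIAL;
    switch (p) {
    case POLICY_HIGHEST: return INSN_HALT;     /* stop the system, collect, report */
    case POLICY_HIGH:    return INSN_REPORT;   /* keep running, collect and report */
    default:             return INSN_LOG;      /* let it run, log for later analysis */
    }
}

/* Constructed module files: bytes 0-7 are data, bytes 8-15 the executable section. */
static const uint8_t fs_file[16]   = { 1,1,1,1,1,1,1,1, 0x55,0x48,0x89,0xe5,0x5d,0xc3,0,0 };
static const uint8_t core_file[16] = { 2,2,2,2,2,2,2,2, 0x90,0x90,0x0f,0x01,0xf8,0xc3,0,0 };
static const uint8_t net_file[16]  = { 3,3,3,3,3,3,3,3, 0x48,0x31,0xc0,0xc3,0,0,0,0 };
/* Build the tables as the installation would. Returns the number of loaded modules
 * accepted: "net" carries a patched byte in memory and "rk" has no legal file. */
int demo_setup(void) {
    n_legal = n_ranges = 0;
    register_legal("fs",   fs_file,   8, 8);
    register_legal("core", core_file, 8, 8);
    register_legal("net",  net_file,  8, 8);
    uint8_t net_loaded[16], rk_loaded[16] = { 0 };
    memcpy(net_loaded, net_file, 16);
    net_loaded[9] = 0xe9;                               /* the rootkit's in-memory hook */
    int accepted = 0;
    accepted += verify_loaded("core", 0x1000, core_file,  8, 8);
    accepted += verify_loaded("fs",   0x0800, fs_file,    8, 8);  /* lower base: sorts first */
    accepted += verify_loaded("net",  0x2000, net_loaded, 8, 8);
    accepted += verify_loaded("rk",   0x3000, rk_loaded,  8, 8);
    return accepted;
}
```

demo_setup() accepts "fs" and "core" and rejects "net", whose loaded image differs from its file by one byte, and "rk", which has no legal file at all; instructions fetched from either rejected module, or from an accepted module's data section, reach the policy switch instead of the translator, while an address inside the allowlisted region is passed through as the special case the text mentions. The verdict is decided per address rather than per module so that a legitimate module's non-executable sections are treated the same way as unknown code.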

Claims (4)

1. A security verification method during operation of an operating-system kernel, characterized by comprising the following steps:
Step 1] confirm the legitimacy of all kernel module files of the target operating system:
statically confirm the legitimacy of all kernel module files of the target operating system, and save integrity verification information for all legitimate kernel modules in the target operating system;
Step 2] verify the legitimacy of the modules already loaded in the kernel:
enumerate the kernel modules loaded by the operating system and compare them with the integrity verification information saved in step 1, thereby verifying the legitimacy of the modules loaded in the kernel and at the same time obtaining the address range of each executable section of each module;
Step 3] verify the legitimacy of each new kernel module loaded at any time:
compare each new kernel module loaded by the operating system at any time with the integrity verification information saved in step 1, thereby verifying the legitimacy of the newly loaded module and at the same time obtaining the address range of each executable section of that module;
Step 4] reset all entries in the processor that switch from the user level to the privileged level:
intercept all instructions in the processor that switch from the user level to the privileged level, and reset the entries of these instructions so that they point to the binary-translation entry;
Step 5] check every instruction that binary translation is about to translate:
check every instruction that binary translation is about to translate; if the instruction does not lie in an executable section of a legitimate kernel module, process it as an exceptional instruction; if the instruction lies in an executable section of a legitimate kernel module, proceed to step 6;
wherein processing as an exceptional instruction means:
if the system is under the highest security requirement, stop the system, collect relevant information and report it automatically, and confirm the module as a new legitimate module only after manual inspection finds it clean;
if the system is under a high security requirement, allow the system to continue running or bypass the instruction so that the system can continue normal operation, while collecting relevant information and reporting it for security analysis;
if the system is under a low security requirement, allow the exceptional instruction to continue running while collecting information for security analysis;
Step 6] perform binary translation on every instruction that passed the check in step 5].
2. The security verification method during operation of an operating-system kernel according to claim 1, characterized in that the binary translation in step 6 is direct-copy binary translation, the concrete steps of which are as follows:
6.1] call the translation interface function and start translating from the address of the instruction that should be executed;
6.2] decode the instruction at that address to obtain one instruction;
6.3] if the instruction is a jump instruction, translate it into a jump to the translation interface function, writing the jump destination address as the parameter while retaining the jump destination of the original jump instruction; this group of instructions jumps to the translation interface to be translated, after which execution jumps to the generated-instruction buffer and begins running, and after the last instruction has executed, control returns to the jump destination of the original jump instruction; for an instruction without a jump, make no change, copy it directly into the generated-instruction buffer, begin executing it, and advance the address to the next instruction;
6.4] return to step 6.1 and start translating the next instruction.
3. The security verification method during operation of an operating-system kernel according to claim 1, characterized in that the binary translation in step 6 is binary translation that employs the slow-cache technique, the fast-cache technique and/or the chaining technique.
4. The security verification method during operation of an operating-system kernel according to claim 2, characterized in that the direct-copy binary translation in step 6 is direct-copy binary translation that employs the slow-cache technique, the fast-cache technique and/or the chaining technique.
Application CN201310425645.5A, priority date 2013-09-17, filing date 2013-09-17: "Security verification method during kernel operation of operation system", granted as CN103473508B (en); legal status: Expired - Fee Related.

Publications (2)

Publication Number  Publication Date
CN103473508A        2013-12-25
CN103473508B        2016-07-27

Citations (4)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
US20080288940A1 *  2007-05-16  2008-11-20  Vmware, Inc.  Dynamic Selection and Application of Multiple Virtualization Techniques
CN102147843A *  2011-05-16  2011-08-10  Hunan University  Rootkit intrusion detection and system recovery method based on kernel invariant protection
CN102339371A *  2011-09-14  2012-02-01  Qizhi Software (Beijing) Co., Ltd.  Method, device and virtual machine for detecting a rogue program
CN102521531A *  2011-11-24  2012-06-27  Huazhong University of Science and Technology  Password protection system based on hardware virtualization


Legal Events

Code  Title
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
C14   Grant of patent or utility model
GR01  Patent grant
CF01  Termination of patent right due to non-payment of annual fee

Granted publication date: 20160727

Termination date: 20190917