CN103761175A - System and method for monitoring program execution paths under Linux system - Google Patents

Publication number: CN103761175A
Application number: CN201310606932.6A
Other versions: CN103761175B (en)
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Granted (active)
Inventors: 陈英超, 田昕晖, 孙毓忠, 潘涛
Assignees (current and original): Institute of Computing Technology of CAS; Shenhua Hollysys Information Technology Co Ltd
Classification: Debugging And Monitoring (AREA)

Abstract

The invention discloses a system and a method for monitoring program execution paths under a Linux system, for monitoring the program execution paths of a user layer and a kernel layer. The system for monitoring the program execution paths comprises a user layer monitoring module and a kernel layer monitoring module, wherein the user layer monitoring module is used for detecting a user layer program by a user layer detection tool, acquiring the address information of the user layer, and generating the execution path of the user layer program, so as to monitor the user layer program; the kernel layer monitoring module is used for detecting a kernel layer program by a kernel layer detection tool, acquiring the address information of the kernel layer, and generating the execution path of the kernel layer program, so as to monitor the kernel layer program. The invention provides a system and a method for monitoring program execution paths based on a user layer detection tool and a kernel layer detection tool.

Description

Program execution path monitoring system and method under a Linux system
Technical field
The invention belongs to the field of program execution path monitoring, in particular program execution path monitoring under a Linux system.
Background technology
Today, enterprise data leakage and loss have become an urgent challenge for system administrators. For an enterprise, data is the most valuable asset, and leakage of data or loss of information causes the enterprise huge economic losses. Investigation of the data leakage problem shows that the key to solving it is detecting whether the running process of the system exhibits any abnormal behaviour, so as to prevent the system from executing a series of unknown hidden function modules that carry out illegal data accesses and data theft.
A paper titled "LeakProber: A Framework for Profiling Sensitive Data Leakage Paths" was published in the Proceedings of the first ACM conference on Data and Application Security and Privacy by Junfeng Yu, Shengzhi Zhang, Peng Liu and Zhitang Li in 2011. It describes a detection method for sensitive data leakage paths: the method obtains the function path along which user-defined sensitive data is propagated and modified within the system, and by obtaining this path it monitors the sensitive data. The problems with this method are that the sensitive data the user wants to probe must first be configured in a file, the classification of the various relations between sensitive data and function calls (calls and so on) is too fine-grained, the key model proposed in the paper, the sensitive data propagation graph, is too complex to realize, and the algorithm is difficult to implement.
Kprobe is a tool for dynamically collecting debugging and performance information. It works in the kernel layer and derives from the Dprobe project. It is a non-destructive tool with which the user can trace almost any function or instruction being executed, as well as some asynchronous events (such as timers). Its basic working mechanism is: the user specifies a probe point and attaches a user-defined handler function to it; when the kernel reaches the probe point, the corresponding handler is executed, and execution then continues along the normal code path.
Kprobe implements three types of probe point: kprobes, jprobes and kretprobes (also called return probes). A kprobe can be inserted at any instruction location in the kernel, a jprobe can be inserted at the entry of a kernel function, and a kretprobe is inserted at the entry of a given kernel function and fires when that kernel function returns.
Kretprobe is implemented on top of kprobes. When the user calls register_kretprobe(), kprobe establishes a probe point at the entry of the probed function. When the probe point is hit, kprobe saves the return address of the probed function and replaces it with the address of a trampoline; kprobe defines this trampoline and registers a kprobe on it at initialization. When the probed function executes its return instruction, control passes to the trampoline, so the handler kprobe registered for the trampoline is executed. This handler calls the user handler associated with the kretprobe and, after the handler completes, sets the instruction pointer register to the backed-up function return address, so the original function return proceeds normally. In the kretprobe handler the return address of the probed function is therefore known (one of the parameters of the kretprobe handler is struct kretprobe_instance *ri, whose ret_addr field is the return address).
Uprobe is the counterpart of kprobe, the tool for dynamically collecting debugging and performance information, and is used for debugging and monitoring user layer programs. Its concepts and usage are essentially the same as those of kprobe.
Using the kretprobe and uretprobe type handlers provided by kprobe and uprobe, the return address of the probed function is known (one of the parameters of the kretprobe handler is struct kretprobe_instance *ri, whose ret_addr field is the return address; uretprobe is similar). We also know that if the probed function was called by some function, its return address must lie within the address range of the calling function. By searching all known function address ranges in the program we can therefore determine whether a given function is the caller of the probed function. Continuing in this way, the function call path of the entire program run is found and the run-time behaviour of the program is monitored; any abnormal condition can be discovered promptly.
Relayfs is a file system for fast forwarding (relaying) of data, and is named after this function. It provides a fast and effective relay mechanism for tools and applications that need to move large amounts of data from kernel space to user space. This relay tool is used to transfer the information obtained by monitoring kernel layer functions to the user layer, where it is analysed by a user layer program.
Summary of the invention
The technical problem to be solved by the invention is to provide a program execution path monitoring system and method under a Linux system. The invention uses the uprobe and kprobe tools to monitor user layer functions and kernel layer functions, obtains the return addresses of the functions during their execution and, after the necessary processing, obtains the address ranges of the user layer and kernel layer functions. Taking these data as the basis, it analyses the paths along which function calls are executed.
To achieve the above object, the invention provides a program execution path monitoring system under a Linux system, which monitors the program execution paths of the user layer and the kernel layer, characterized in that the program execution path monitoring system comprises:
User layer monitoring module: probes the user layer program with a user layer probe tool, obtains user layer address information and generates the execution path of the user layer program, so that the user layer program is monitored;
Kernel layer monitoring module: probes the kernel layer program with a kernel layer probe tool, obtains kernel layer address information and generates the execution path of the kernel layer program, so that the kernel layer program is monitored.
In the above program execution path monitoring system under a Linux system, the user layer monitoring module comprises:
User layer address acquisition module: obtains the address information of the user layer program;
User layer execution path generation module: generates the user layer execution path from the address information of the user layer program by building a directed graph.
In the above program execution path monitoring system under a Linux system, the kernel layer monitoring module comprises:
Kernel layer address acquisition module: obtains the address information of the kernel layer program;
Kernel layer data transmission module: transfers the address information of the kernel layer program from the kernel layer to the user layer by means of a kernel layer relay tool;
Kernel layer execution path generation module: generates the kernel layer execution path from the address information of the kernel layer program by building the directed graph.
In the above program execution path monitoring system under a Linux system, the user layer address acquisition module comprises:
User layer function address range acquisition module: obtains the names and address ranges of the user layer functions of the user layer program to be monitored from the user layer program symbol table file;
User layer function return address acquisition module: probes the user layer functions with the user layer probe tool and obtains the return addresses of the user layer functions.
In the above program execution path monitoring system under a Linux system, the user layer execution path generation module comprises:
User layer function call relation generation module: iterates over the user layer functions, compares the address ranges of the user layer functions with the return addresses of the user layer functions, records the local function call relations of the user layer and builds the user layer function call directed graph;
User layer function call relation analysis module: computes over the user layer function call directed graph with a user layer recursive backtracking algorithm to obtain the complete execution path of the monitored user layer program, for monitoring the user layer program execution path.
In the above program execution path monitoring system under a Linux system, the kernel layer address acquisition module comprises:
Kernel layer function address range acquisition module: obtains the names and address ranges of the kernel layer functions of the kernel layer program to be monitored from the kernel layer program symbol table file;
Kernel layer function return address acquisition module: probes the kernel layer functions with the kernel layer probe tool and obtains the return addresses of the kernel layer functions.
In the above program execution path monitoring system under a Linux system, the kernel layer execution path generation module comprises:
Kernel layer function call relation generation module: iterates over the kernel layer functions, compares the address ranges of the kernel layer functions with the return addresses of the kernel layer functions, records the local function call relations of the kernel layer and builds the kernel layer function call directed graph;
Kernel layer function call relation analysis module: computes over the kernel layer function call directed graph with a kernel layer recursive backtracking algorithm to obtain the complete execution path of the monitored kernel layer program, for monitoring the kernel layer program execution path.
In the above program execution path monitoring system under a Linux system, the user layer probe tool is the uprobe tool and the kernel layer probe tool is the kprobe tool.
In the above program execution path monitoring system under a Linux system, the kernel layer relay tool is the relayfs relay tool.
The invention also provides a program execution path monitoring method under a Linux system, applied to the program execution path monitoring system described above, characterized in that it comprises:
User layer monitoring step: probe the user layer program with the user layer probe tool, obtain user layer address information and generate the execution path of the user layer program, so that the user layer program is monitored;
Kernel layer monitoring step: probe the kernel layer program with the kernel layer probe tool, obtain kernel layer address information and generate the execution path of the kernel layer program, so that the kernel layer program is monitored.
In the above program execution path monitoring method under a Linux system, the user layer monitoring step comprises:
User layer address acquisition step: obtain the address information of the user layer program;
User layer execution path generation step: generate the user layer execution path from the address information of the user layer program by building a directed graph.
In the above program execution path monitoring method under a Linux system, the kernel layer monitoring step comprises:
Kernel layer address acquisition step: obtain the address information of the kernel layer program;
Kernel layer data transmission step: transfer the address information of the kernel layer program from the kernel layer to the user layer by means of the kernel layer relay tool;
Kernel layer execution path generation step: generate the kernel layer execution path from the address information of the kernel layer program by building the directed graph.
In the above program execution path monitoring method under a Linux system, the user layer address acquisition step comprises:
User layer function address range acquisition step: obtain the names and address ranges of the user layer functions of the user layer program to be monitored from the user layer program symbol table file;
User layer function return address acquisition step: probe the user layer functions with the user layer probe tool and obtain the return addresses of the user layer functions.
In the above program execution path monitoring method under a Linux system, the user layer execution path generation step comprises:
User layer function call relation generation step: iterate over the user layer functions, compare the address ranges of the user layer functions with the return addresses of the user layer functions, record the local function call relations of the user layer and build the user layer function call directed graph;
User layer function call relation analysis step: compute over the user layer function call directed graph with the user layer recursive backtracking algorithm to obtain the complete execution path of the monitored user layer program, for monitoring the user layer program execution path.
In the above program execution path monitoring method under a Linux system, the kernel layer address acquisition step comprises:
Kernel layer function address range acquisition step: obtain the names and address ranges of the kernel layer functions of the kernel layer program to be monitored from the kernel layer program symbol table file;
Kernel layer function return address acquisition step: probe the kernel layer functions with the kernel layer probe tool and obtain the return addresses of the kernel layer functions.
In the above program execution path monitoring method under a Linux system, the kernel layer execution path generation step comprises:
Kernel layer function call relation generation step: iterate over the kernel layer functions, compare the address ranges of the kernel layer functions with the return addresses of the kernel layer functions, record the local function call relations of the kernel layer and build the kernel layer function call directed graph;
Kernel layer function call relation analysis step: compute over the kernel layer function call directed graph with the kernel layer recursive backtracking algorithm to obtain the complete execution path of the monitored kernel layer program, for monitoring the kernel layer program execution path.
In the above program execution path monitoring method under a Linux system, the user layer recursive backtracking algorithm backtracks until it reaches the main function of the user layer functions, and the kernel layer recursive backtracking algorithm backtracks until it reaches the system call function of the kernel layer.
In the above program execution path monitoring method under a Linux system, the user layer function call directed graph takes the user layer functions as vertices and the local function call relations of the user layer as directed edges, and the kernel layer function call directed graph takes the kernel layer functions as vertices and the local function call relations of the kernel layer as directed edges.
In the above program execution path monitoring method under a Linux system, the user layer probe tool is the uprobe tool and the kernel layer probe tool is the kprobe tool.
In the above program execution path monitoring method under a Linux system, the kernel layer relay tool is the relayfs relay tool.
Compared with the prior art, the beneficial effect of the invention is that it acts independently in the system kernel layer and in the user layer, uses the simple principle of return address information together with the idea of building a directed graph, and obtains function call paths by analysing the function call directed graph so constructed. The execution paths of the monitored program's functions are generated separately at the two levels, in order to analyse whether the monitored program has been tampered with and whether some unidentified program has altered the execution path of the probed program in order to obtain core data.
Brief description of the drawings
Fig. 1 is a schematic diagram of the program execution path monitoring system under a Linux system of the invention;
Fig. 2 is a schematic diagram of the user layer monitoring module of the invention;
Fig. 3 is a schematic diagram of the kernel layer monitoring module of the invention;
Fig. 4 is a flow chart of the user layer program execution path monitoring method of the invention;
Fig. 5 is a flow chart of the kernel layer program execution path monitoring method of the invention;
Fig. 6 is a processing flow chart of the user layer embodiment of the invention;
Fig. 7 is a processing flow chart of the kernel layer embodiment of the invention;
Fig. 8 is a schematic flow chart of obtaining, in the user layer, the address ranges of the user layer functions of the probed program according to the invention;
Fig. 9 is a schematic flow chart of building the directed graph model in the user layer according to the invention.
Reference numerals:
1 program execution path monitoring system under a Linux system
2 user layer monitoring module
3 kernel layer monitoring module
21 user layer address acquisition module
22 user layer execution path generation module
211 user layer function address range acquisition module
212 user layer function return address acquisition module
221 user layer function call relation generation module
222 user layer function call relation analysis module
31 kernel layer address acquisition module
32 kernel layer data transmission module
33 kernel layer execution path generation module
311 kernel layer function address range acquisition module
312 kernel layer function return address acquisition module
331 kernel layer function call relation generation module
332 kernel layer function call relation analysis module
S111~S112, S121~S122, S211~S212, S231~S232: processing steps of the various embodiments of the invention
Detailed description
The invention is described below with reference to the drawings and specific embodiments, which are not to be taken as limiting the invention.
The technical problem to be solved by the invention is to provide a program execution path monitoring system and method under a Linux system.
As shown in Fig. 1, the program execution path monitoring system 1 under a Linux system provided by the invention comprises a user layer monitoring module 2 and a kernel layer monitoring module 3. The user layer monitoring module 2 probes the user layer program with the user layer probe tool, obtains user layer address information and generates the execution path of the user layer program, so that the user layer program is monitored; the kernel layer monitoring module 3 probes the kernel layer program with the kernel layer probe tool, obtains kernel layer address information and generates the execution path of the kernel layer program, so that the kernel layer program is monitored.
As shown in Fig. 1, the user layer monitoring module 2 comprises a user layer address acquisition module 21 and a user layer execution path generation module 22. Module 21 obtains the address information of the user layer program; module 22 generates the user layer execution path from that address information by building a directed graph.
As shown in Fig. 2, the user layer address acquisition module 21 comprises a user layer function address range acquisition module 211 and a user layer function return address acquisition module 212. Module 211 obtains the names and address ranges of the user layer functions of the user layer program to be monitored from the user layer program symbol table file; module 212 probes the user layer functions with the user layer probe tool and obtains their return addresses.
As shown in Fig. 2, the user layer execution path generation module 22 comprises a user layer function call relation generation module 221 and a user layer function call relation analysis module 222. Module 221 iterates over the user layer functions, compares the address ranges of the user layer functions with their return addresses, and builds the user layer function call directed graph; module 222 computes over that directed graph with a recursive backtracking algorithm to obtain the complete execution path of the monitored user layer program, for monitoring the user layer program execution path.
As shown in Fig. 1, the kernel layer monitoring module 3 comprises a kernel layer address acquisition module 31, a kernel layer data transmission module 32 and a kernel layer execution path generation module 33. Module 31 obtains the address information of the kernel layer program; module 32 transfers the address information of the kernel layer program from the kernel layer to the user layer; module 33 generates the kernel layer execution path from the address information of the kernel layer program by building a directed graph.
As shown in Fig. 3, the kernel layer address acquisition module 31 comprises a kernel layer function address range acquisition module 311 and a kernel layer function return address acquisition module 312. Module 311 obtains the names and address ranges of the kernel layer functions of the kernel layer program to be monitored from the kernel layer program symbol table file; module 312 probes the kernel layer functions with the kernel layer probe tool and obtains their return addresses.
As shown in Fig. 3, the kernel layer execution path generation module 33 comprises a kernel layer function call relation generation module 331 and a kernel layer function call relation analysis module 332. Module 331 iterates over the kernel layer functions, compares the address ranges of the kernel layer functions with their return addresses, and builds the kernel layer function call directed graph; module 332 computes over that directed graph with a recursive backtracking algorithm to obtain the complete execution path of the monitored kernel layer program, for monitoring the kernel layer program execution path.
In the program execution path monitoring method under a Linux system provided by the invention, the user layer monitoring step is as follows:
User layer monitoring step S1: probe the user layer program with the user layer probe tool, obtain user layer address information and generate the execution path of the user layer program, so that the user layer program is monitored.
User layer monitoring step S1 further comprises:
User layer address acquisition step S11: obtain the address information of the user layer program;
User layer execution path generation step S12: generate the user layer execution path from the address information of the user layer program by building a directed graph.
As shown in Fig. 4, user layer address acquisition step S11 comprises:
User layer function address range acquisition step S111: obtain the names and address ranges of the user layer functions of the user layer program to be monitored from the user layer program symbol table file;
User layer function return address acquisition step S112: probe the user layer functions with the user layer probe tool and obtain the return addresses of the user layer functions.
As shown in Fig. 4, user layer execution path generation step S12 comprises:
User layer function call relation generation step S121: iterate over the user layer functions, compare the address ranges of the user layer functions with their return addresses, record the local call relations of the user layer and build the user layer function call directed graph;
User layer function call relation analysis step S122: compute over the user layer function call directed graph with a recursive backtracking algorithm to obtain the complete execution path of the monitored user layer program, for monitoring the user layer program execution path.
The implementation steps of the program execution path monitoring method in the user layer are described below with reference to one specific embodiment of the invention, as shown in Fig. 6:
The MAP file is the symbol table file of the user layer program. It is the unique textual representation of the program's global symbols, source files and code line number information, a static text of the whole program project's information, and is usually generated by the linker.
(1) Obtain the user layer function address ranges; the concrete steps are shown in Fig. 8:
A1: Compile the monitored program and obtain its MAP file; this MAP file is the user layer program symbol table file.
A2: Extract from the MAP file the string segment containing the user layer function names and start address information. The detailed extraction steps are: read the characters of the MAP file one by one in a loop until the string "main" has been read for the second time, then stop; then read the characters backwards until ".text" is encountered.
A3: When the string extraction is complete, the function names and function start addresses of the user layer program have been obtained.
A4: Subtract each obtained user layer function start address from the adjacent function start address to obtain the address ranges of all user layer functions, and form the set of all user layer functions.
(2) obtain client layer function return address, specifically as shown in Figure 9:
To the client layer function reading from MAP file (client layer procedure sign table), utilize client layer prospecting tools uprobe to add sensing point, the client layer function being detected can be obtained return address and progress information by uprobe instrument when operation.
(3) function calling relationship generates, and concrete steps are as follows:
A5: client layer function name, return address and progress information are encapsulated, become packaging information, obtain successively the packaging information of all functions.
A6: every packaging information of searching loop, compared with the address section of all client layer functions successively in the client layer function return address in each packaging information:
Search each client layer function return address value that is detected whether in client layer function set in the address section of a certain client layer function: if, carry out the local call relation record of corresponding client layer; If do not exist, represent that this client layer function is not by the function call in this program.
A7: regard client layer function and call relation as graph structure.Take client layer function as point, take the local call relation of client layer that in A6 step, record obtains as directed edge, set up client layer digraph.
(4) function calling relationship analysis, concrete steps are as follows:
A8: the call relation sequence problem between client layer function is converted into point-to-point transmission in client layer digraph and whether has arrival routing problem, and utilize the call relation path in the algorithm process digraph of recursive backtracking to draw call relation, client layer be find the principal function main function of client layer program till, because the execution of client layer program is all from main function, so the source of call relation sequence is main function, so date back to main function.
In the program execution path monitoring method under a Linux system provided by the present invention, the kernel-layer monitoring step is as follows:
Kernel-layer monitoring step S2: probes the kernel-layer program with the kernel-layer probing tool, obtains the kernel-layer address information, and generates the execution path of the kernel-layer program so that the kernel-layer program can be monitored.
The kernel-layer monitoring step S2 comprises:
Kernel-layer address acquisition step S21: obtains the address information of the kernel-layer program;
Kernel-layer data transmission step S22: transfers the address information of the kernel-layer program from the kernel layer to the user layer through the kernel-layer forwarding tool;
Kernel-layer execution path generation step S23: generates the kernel-layer execution path from the address information of the kernel-layer program by building a directed graph.
As shown in Figure 5, the kernel-layer address acquisition step S21 comprises:
Kernel-layer function address interval acquisition step S211: obtains the names and address intervals of the kernel-layer functions of the kernel-layer program to be monitored from the kernel-layer program symbol table file;
Kernel-layer function return address acquisition step S212: probes the kernel-layer functions with the kernel-layer probing tool and obtains the return addresses of the kernel-layer functions.
As shown in Figure 5, the kernel-layer execution path generation step S23 comprises:
Kernel-layer function call relationship generation step S231: loops over the kernel-layer functions, compares the address intervals of the kernel-layer functions against the return addresses of the kernel-layer functions, records the local kernel-layer function call relationships, and builds the kernel-layer function call relationship directed graph;
Kernel-layer function call relationship analysis step S232: processes the kernel-layer function call relationship directed graph with the kernel-layer recursive backtracking algorithm to obtain the complete execution path of the monitored kernel-layer program, which is used to monitor the execution path of the kernel-layer program.
One specific embodiment of the present invention is the program execution path monitoring method at the kernel layer; the concrete steps are as shown in Figure 7:
(1) Obtain the kernel-layer function address intervals:
Use the system.map file of the kernel. The system.map file is the kernel-layer program symbol table file and contains the start addresses of all kernel functions. After reading this file, subtract adjacent function start addresses to obtain the function address intervals; the approach is similar to the way the user layer obtains address information from the MAP file.
(2) Obtain the kernel-layer function return addresses:
For the kernel functions read from the system.map file (the kernel symbol table), add probe points with the kernel-layer probing tool kprobe. Positions where a probe point cannot be added may be discarded: some entries of the kernel symbol table are not functions and cannot take a function probe point, so such entries are ignored. At run time the probed kernel-layer functions yield the kernel-layer return address and related information through the kprobe tool.
(3) Transmit the data:
Use the kernel-layer forwarding tool relayfs: after the kernel-layer function name, kernel-layer return address information and process information are encapsulated during execution, the returned messages are separated by process number PID; with the PID as the unit, the kernel-layer address return messages are separated and arranged, then passed from the kernel layer to the user layer for further processing. The subsequent kernel-layer function call relationship generation and analysis are carried out at the user layer because their computation and storage demands are large; processing them at the user layer reduces the computation and storage burden on the kernel layer.
(4) Kernel-layer function call relationship generation:
Encapsulate the kernel-layer function name, return address and process information into a kernel-layer encapsulated record, and obtain the encapsulated records of all kernel-layer functions in turn.
Loop over every kernel-layer encapsulated record and compare the kernel-layer function return address in each record against the address intervals of all kernel-layer functions in turn:
Check whether each probed kernel-layer function return address value falls within the address interval of some kernel-layer function in the kernel-layer function set: if it does, record the corresponding local kernel-layer call relationship; if it does not, this function was not called and can be left unprocessed for now.
With the kernel-layer functions as vertices and the local kernel-layer function call relationships as edges, build the kernel-layer directed graph.
(5) Kernel-layer function call relationship analysis:
Convert the problem of the call relationship sequence between functions into the problem of whether a reachable path exists between two vertices of the directed graph, and use the recursive backtracking algorithm to process the call relationship paths in the directed graph to derive the call relationships. Because execution of kernel functions always starts from a system call function, the backtracking that finds a kernel function's call relationship sequence stops when it reaches the system call function. Since a program entering the kernel always starts executing from a system call function, the source of every monitored kernel function execution sequence (that is, call relationship) is a system call function, so the backtracking traces back to the system call function.
Of course, the present invention may also have various other embodiments. Without departing from the spirit and essence of the present invention, those of ordinary skill in the art may make various corresponding changes and variations according to the present invention, but all such corresponding changes and variations shall fall within the scope of protection of the appended claims of the present invention.
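The user-layer steps A1 to A8 and the kernel-layer steps (1) to (5) share one core: turn a symbol table into address intervals, resolve each probed return address to the function whose interval contains it, record that as a directed edge, and backtrack from a probed function to the root (main for the user layer, the system call function for the kernel layer). The Python program below is an added example of that core and is not code from the patent or its implementers. The MAP-style and System.map-style listings, the uprobe/kprobe records, the PIDs and all function names in them are constructed sample data; the actual uprobe, kprobe and relayfs collection is not performed, and the helper names (`parse_system_map`, `parse_map_text`, `build_intervals`, `resolve`, `build_call_graph`, `backtrack_paths`, `group_by_pid`) are the example's own.

```python
"""Added example, not the patent's own code: address intervals from a symbol table,
return-address resolution, the call-relationship directed graph and recursive backtracking,
run for a user-layer MAP-style table (root: main) and a kernel-layer System.map-style
table (root: the system call function). Every listing, record and PID is constructed."""
import re
from bisect import bisect_right
from collections import defaultdict

# Constructed System.map-style listing ("address type name"), the form the kernel layer reads.
# Only T/t entries are treated as functions; the D entry is data, takes no probe point, skipped.
KERNEL_SYMBOLS = """\
ffffffff81000000 T _text
ffffffff81100000 T sys_open
ffffffff81100100 T do_sys_open
ffffffff81100200 t do_filp_open
ffffffff81100300 T path_openat
ffffffff81100400 D some_data_symbol
ffffffff81100500 T _etext
"""
# Constructed MAP-style .text listing ("name start"), standing in for the function name and
# start address fields the user layer extracts from the linker MAP file.
USER_SYMBOLS = """\
.text
main              0x0000000000401000
parse_args        0x0000000000401100
open_config       0x0000000000401200
load_config       0x0000000000401300
_etext            0x0000000000401400
"""
# Constructed uprobe-style records: (probed callee, return address seen at function entry).
USER_PROBES = [("parse_args", 0x401020), ("open_config", 0x401040),
               ("load_config", 0x401230), ("main", 0x7F0000001000)]  # main: called by C runtime
# Constructed relayfs-style records from kprobes: (pid, probed callee, return address).
KERNEL_RELAY = [(1234, "do_sys_open", 0xFFFFFFFF81100020), (1234, "do_filp_open", 0xFFFFFFFF81100140),
                (1234, "path_openat", 0xFFFFFFFF81100250), (5678, "do_sys_open", 0xFFFFFFFF81100030)]

def parse_system_map(text):
    """[(start, name)] for the function (T/t) entries of a System.map-style listing."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] in ("T", "t"):
            out.append((int(parts[0], 16), parts[2]))
    return sorted(out)
def parse_map_text(text):
    """[(start, name)] from 'name 0xaddr' lines of a MAP-style listing; headers like .text skip."""
    pat = re.compile(r"\s*(\w+)\s+0x([0-9a-fA-F]+)\s*$")
    hits = (pat.match(line) for line in text.splitlines())
    return sorted((int(m.group(2), 16), m.group(1)) for m in hits if m)
def build_intervals(funcs):
    """Step A4: subtract adjacent start addresses so function i owns [start_i, start_i+1).
    The final entry (_etext here) only bounds the last function and gets no interval itself."""
    return [(funcs[i][0], funcs[i + 1][0], funcs[i][1]) for i in range(len(funcs) - 1)]
def resolve(intervals, addr):
    """Step A6: name of the function whose interval contains addr, or None if none does."""
    i = bisect_right([s for s, _, _ in intervals], addr) - 1
    if i < 0 or addr >= intervals[i][1]:
        return None
    return intervals[i][2]
def build_call_graph(intervals, records):
    """Steps A5-A7: resolve each callee's return address to its caller, add edge caller->callee.
    A return address inside no monitored function is a call from outside the program: dropped."""
    graph = defaultdict(set)
    for callee, ret in records:
        caller = resolve(intervals, ret)
        if caller is not None and caller != callee:
            graph[caller].add(callee)
    return graph
def backtrack_paths(graph, root, target):
    """Step A8: backtrack from target over reversed edges until root; returns every chain
    root -> ... -> target. The chain membership test keeps recursion out of cycles."""
    rev = defaultdict(set)
    for caller, callees in graph.items():
        for callee in callees:
            rev[callee].add(caller)
    paths = []
    def walk(node, chain):
        if node == root:
            paths.append(chain[::-1])
            return
        for caller in sorted(rev.get(node, ())):
            if caller not in chain:
                walk(caller, chain + [caller])
    walk(target, [target])
    return paths
def group_by_pid(relay_records):
    """Kernel step (3): split relayfs records per PID before user-space processing."""
    by_pid = defaultdict(list)
    for pid, callee, ret in relay_records:
        by_pid[pid].append((callee, ret))
    return dict(by_pid)
def user_layer_paths(target="load_config"):
    """User layer: call chain(s) from main down to target."""
    intervals = build_intervals(parse_map_text(USER_SYMBOLS))
    return backtrack_paths(build_call_graph(intervals, USER_PROBES), "main", target)
def kernel_layer_paths(pid=1234, target="path_openat"):
    """Kernel layer, one PID: call chain(s) from the system call function down to target."""
    intervals = build_intervals(parse_system_map(KERNEL_SYMBOLS))
    graph = build_call_graph(intervals, group_by_pid(KERNEL_RELAY)[pid])
    return backtrack_paths(graph, "sys_open", target)

if __name__ == "__main__":
    print("user layer:  ", user_layer_paths())
    print("kernel layer:", kernel_layer_paths())
```

Two failure modes from the text are handled explicitly: the record for main carries a return address outside every monitored function (it was called by the C runtime), so it is dropped rather than attributed to the last function in the table, which is why the listing needs a terminating entry such as `_etext` to bound the final interval; and the non-function `D` entry of the System.map listing is skipped, as the kernel-layer step says such entries cannot take a probe point. For a monitoring deployment the symbol table must match the binary or kernel actually running, otherwise the intervals resolve return addresses to the wrong functions and the reconstructed path is silently wrong.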

Claims (20)

1. A program execution path monitoring system under a Linux system, which monitors the program execution paths of the user layer and the kernel layer, characterized in that the program execution path monitoring system comprises:
A user-layer monitoring module: probes the user-layer program with the user-layer probing tool, obtains the user-layer address information, and generates the execution path of the user-layer program so that the user-layer program is monitored;
A kernel-layer monitoring module: probes the kernel-layer program with the kernel-layer probing tool, obtains the kernel-layer address information, and generates the execution path of the kernel-layer program so that the kernel-layer program is monitored.
2. The program execution path monitoring system under a Linux system according to claim 1, characterized in that the user-layer monitoring module comprises:
A user-layer address acquisition module: obtains the address information of the user-layer program;
A user-layer execution path generation module: generates the user-layer execution path from the address information of the user-layer program by building a directed graph.
3. The program execution path monitoring system under a Linux system according to claim 1, characterized in that the kernel-layer monitoring module comprises:
A kernel-layer address acquisition module: obtains the address information of the kernel-layer program;
A kernel-layer data transmission module: transfers the address information of the kernel-layer program from the kernel layer to the user layer through the kernel-layer forwarding tool;
A kernel-layer execution path generation module: generates the kernel-layer execution path from the address information of the kernel-layer program by building the directed graph.
4. The program execution path monitoring system under a Linux system according to claim 2, characterized in that the user-layer address acquisition module comprises:
A user-layer function address interval acquisition module: obtains the names and address intervals of the user-layer functions of the user-layer program to be monitored from the user-layer program symbol table file;
A user-layer function return address acquisition module: probes the user-layer functions with the user-layer probing tool and obtains the return addresses of the user-layer functions.
5. The program execution path monitoring system under a Linux system according to claim 2, characterized in that the user-layer execution path generation module comprises:
A user-layer function call relationship generation module: loops over the user-layer functions, compares the address intervals of the user-layer functions against the return addresses of the user-layer functions, records the local user-layer function call relationships, and builds the user-layer function call relationship directed graph;
A user-layer function call relationship analysis module: processes the user-layer function call relationship directed graph with the user-layer recursive backtracking algorithm to obtain the complete execution path of the monitored user-layer program, which is used to monitor the execution path of the user-layer program.
6. The program execution path monitoring system under a Linux system according to claim 3, characterized in that the kernel-layer address acquisition module comprises:
A kernel-layer function address interval acquisition module: obtains the names and address intervals of the kernel-layer functions of the kernel-layer program to be monitored from the kernel-layer program symbol table file;
A kernel-layer function return address acquisition module: probes the kernel-layer functions with the kernel-layer probing tool and obtains the return addresses of the kernel-layer functions.
7. The program execution path monitoring system under a Linux system according to claim 3, characterized in that the kernel-layer execution path generation module comprises:
A kernel-layer function call relationship generation module: loops over the kernel-layer functions, compares the address intervals of the kernel-layer functions against the return addresses of the kernel-layer functions, records the local kernel-layer function call relationships, and builds the kernel-layer function call relationship directed graph;
A kernel-layer function call relationship analysis module: processes the kernel-layer function call relationship directed graph with the kernel-layer recursive backtracking algorithm to obtain the complete execution path of the monitored kernel-layer program, which is used to monitor the execution path of the kernel-layer program.
8. The program execution path monitoring system under a Linux system according to claim 1, characterized in that the user-layer probing tool is the uprobe tool and the kernel-layer probing tool is the kprobe tool.
9. The program execution path monitoring system under a Linux system according to claim 3, characterized in that the kernel-layer forwarding tool is the relayfs forwarding tool.
10. A program execution path monitoring method under a Linux system, applied to the program execution path monitoring system according to any one of claims 1 to 9, characterized in that it comprises:
A user-layer monitoring step: probes the user-layer program with the user-layer probing tool, obtains the user-layer address information, and generates the execution path of the user-layer program so that the user-layer program is monitored;
A kernel-layer monitoring step: probes the kernel-layer program with the kernel-layer probing tool, obtains the kernel-layer address information, and generates the execution path of the kernel-layer program so that the kernel-layer program is monitored.
11. The program execution path monitoring method under a Linux system according to claim 10, characterized in that the user-layer monitoring step comprises:
A user-layer address acquisition step: obtains the address information of the user-layer program;
A user-layer execution path generation step: generates the user-layer execution path from the address information of the user-layer program by building a directed graph.
12. The program execution path monitoring method under a Linux system according to claim 10, characterized in that the kernel-layer monitoring step comprises:
A kernel-layer address acquisition step: obtains the address information of the kernel-layer program;
A kernel-layer data transmission step: transfers the address information of the kernel-layer program from the kernel layer to the user layer through the kernel-layer forwarding tool;
A kernel-layer execution path generation step: generates the kernel-layer execution path from the address information of the kernel-layer program by building the directed graph.
13. The program execution path monitoring method under a Linux system according to claim 11, characterized in that the user-layer address acquisition step comprises:
A user-layer function address interval acquisition step: obtains the names and address intervals of the user-layer functions in the user-layer program to be monitored from the user-layer program symbol table file;
A user-layer function return address acquisition step: probes the user-layer functions with the user-layer probing tool and obtains the return addresses of the user-layer functions.
14. The program execution path monitoring method under a Linux system according to claim 11, characterized in that the user-layer execution path generation step comprises:
A user-layer function call relationship generation step: loops over the user-layer functions, compares the address intervals of the user-layer functions against the return addresses of the user-layer functions, records the local user-layer function call relationships, and builds the user-layer function call relationship directed graph;
A user-layer function call relationship analysis step: processes the user-layer function call relationship directed graph with the user-layer recursive backtracking algorithm to obtain the complete execution path of the monitored user-layer program, which is used to monitor the execution path of the user-layer program.
15. The program execution path monitoring method under a Linux system according to claim 12, characterized in that the kernel-layer address acquisition step comprises:
A kernel-layer function address interval acquisition step: obtains the names and address intervals of the kernel-layer functions of the kernel-layer program to be monitored from the kernel-layer program symbol table file;
A kernel-layer function return address acquisition step: probes the kernel-layer functions with the kernel-layer probing tool and obtains the return addresses of the kernel-layer functions.
16. The program execution path monitoring method under a Linux system according to claim 12, characterized in that the kernel-layer execution path generation step comprises:
A kernel-layer function call relationship generation step: loops over the kernel-layer functions, compares the address intervals of the kernel-layer functions against the return addresses of the kernel-layer functions, records the local kernel-layer function call relationships, and builds the kernel-layer function call relationship directed graph;
A kernel-layer function call relationship analysis step: processes the kernel-layer function call relationship directed graph with the kernel-layer recursive backtracking algorithm to obtain the complete execution path of the monitored kernel-layer program, which is used to monitor the execution path of the kernel-layer program.
17. The program execution path monitoring method under a Linux system according to claim 14 or 16, characterized in that the user-layer recursive backtracking algorithm backtracks until it reaches the main function of the user-layer functions, and the kernel-layer recursive backtracking algorithm backtracks until it reaches the system call function of the kernel layer.
18. The program execution path monitoring method under a Linux system according to claim 14 or 16, characterized in that the user-layer function call relationship directed graph takes the user-layer functions as vertices and the local user-layer function call relationships as directed edges, and the kernel-layer function call relationship directed graph takes the kernel-layer functions as vertices and the local kernel-layer function call relationships as directed edges.
19. The program execution path monitoring method under a Linux system according to claim 10, characterized in that the user-layer probing tool is the uprobe tool and the kernel-layer probing tool is the kprobe tool.
20. The program execution path monitoring method under a Linux system according to claim 12, characterized in that the kernel-layer forwarding tool is the relayfs forwarding tool.
Application CN201310606932.6A, priority date 2013-11-25, filing date 2013-11-25: Program execution path monitoring system and method under a Linux system; status Active; granted as CN103761175B (en).


Publications (2)

Publication Number Publication Date
CN103761175A true CN103761175A (en) 2014-04-30
CN103761175B CN103761175B (en) 2016-08-17



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant