CN104182684A - Design solution of security process operating environment - Google Patents


Info

Publication number: CN104182684A
Authority: CN (China)
Prior art keywords: redirected, target process, file, system call, kernel
Legal status: Pending
Application number: CN201410402074.8A
Other languages: Chinese (zh)
Inventors: 王超, 赵孝军
Current assignee: Inspur Electronic Information Industry Co Ltd
Original assignee: Inspur Electronic Information Industry Co Ltd
Application filed by: Inspur Electronic Information Industry Co Ltd
Priority date: 2014-08-15 (priority to CN201410402074.8A)
Filing date: 2014-08-15
Publication date: 2014-12-03 (publication of CN104182684A)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2143 Clearing memory, e.g. to prevent the data from being stolen

Abstract

The invention provides a design for a secure process running environment, realized through the following steps: the kernel intercepts the system calls of a target process; the operated object and the operation flag are classified by type; it is then decided whether to protect the system by redirecting the system call; after the target process exits, the information belonging to the target process is cleaned up. The secure process running environment can therefore run on a real computer: all destructive operations of the target process are redirected, so computer resources are protected from damage by the target process's operations, and when the target process exits all data it generated is cleaned up, so the security of the computer is well guaranteed.

Description

Design solution for a secure process running environment
Technical field
The present invention relates to system calls of the Windows kernel on files, the registry and kernel objects, and specifically to a design for a secure process running environment.
Background technology
With the rapid development of computer technology, computers have entered every part of our lives; people depend on computers more and more, but all kinds of malicious programs appear at the same time. A secure program running environment is therefore increasingly important. The secure running environments currently on the market, such as VMware Workstation, Virtual PC and Returnil System Safe Pro (PowerShadow), can fully virtualize a system, but they are inconvenient for users. The present method runs in the real system: it intercepts the operations of the target process by intercepting its system calls and redirects those operations so that they cannot damage the real system.
All system calls of the target process are intercepted and analysed, and the operated object is copied and redirected, so that every operation of the target process is performed on virtual resources; in this way none of the target process's operations can damage system resources. To optimize operating efficiency, only the target process's destructive operations on resources are redirected.
Summary of the invention
The object of this invention is to provide a design for a secure process running environment.
The object of the invention is achieved in the following manner: the kernel intercepts the system calls of the target process; the operated object and the operation flag are classified; it is then decided whether to protect the system by redirecting the system call; after the target process exits, the information belonging to the target process is cleaned up. The specific content comprises:
(1) Redirection of the target process's file and directory operations. The method intercepts the target process's destructive operations on file and directory objects and copies and redirects the file or directory object. The specific steps are:
In the kernel layer, intercept the target process's operations on files and directories and analyse the operation flag. Non-destructive operations, including read operations and copy operations, invoke the system call directly without redirecting the operated object, which improves the operating efficiency of the system. For destructive operations, including write operations and delete operations, the target object is copied and the operation is redirected, so that the target process's operations on the object cannot damage system resources.
(2) Redirection of the target process's registry operations. The method must intercept the target process's destructive system calls on the registry and redirect the operated object. The specific steps are:
Before a system call operates on the system registry, a maintained registry redirection file is accessed first. Read operations of the process are not intercepted at all, but the data the process reads is the sum of the system registry data and the registry data maintained in the redirection file. Destructive operations on the registry are redirected into the redirection file, so the system registry cannot be damaged.
(3) Redirection of the target process's kernel objects. The method intercepts the target process's system calls on kernel objects and redirects those system calls. Kernel objects include kernel events, semaphore objects and mutex objects, and exist in the system in file form; by intercepting the process's system calls, the kernel object is copied and redirected.
The method of the present invention further comprises an application-layer user operation part and a kernel-layer redirection part for files, the registry and kernel objects.
First, the application-layer part: the application layer provides the function for the user to add a target program, and when the target program runs, the kernel-layer solution intercepts system calls and analyses whether the operating subject is the target process.
Next, the kernel redirection part: after intercepting a system operation, if analysis finds that the operating subject is the target process, the operated object is analysed further; according to the object, the operation is classified as a file operation, a registry operation or a kernel object operation, and is redirected accordingly.
The beneficial effects of the invention are: the secure process running environment can run on a real computer; all destructive operations of the target process are redirected, so none of the target process's operations can damage computer resources; and when the target process exits, all data produced by the target process can be cleaned out. The security of the computer is thus well ensured.
Brief description of the drawings
Fig. 1 is the target process redirection flow chart;
Fig. 2 is the file redirection flow chart;
Fig. 3 is the registry redirection flow chart;
Fig. 4 is the kernel object redirection flow chart.
Embodiment
The present invention is described in detail below with reference to the accompanying drawings.
In the design for a secure process running environment of the present invention, the kernel layer intercepts the system calls of the target process and applies different strategies according to the operated object and the operation type. Operated objects are divided into files (directories), the registry, and kernel objects (kernel event objects, mutex objects, semaphore objects, timer objects, section objects, port objects); operation types are divided into destructive operations (such as write, delete and rename) and non-destructive operations. For non-destructive operations the method lets the system call pass through; for destructive operations the method redirects the operated object so that it cannot damage the system, as shown in the target process redirection flow chart of Fig. 1.
System calls can be divided into three kinds: (1) operations of the target process on files and directories, (2) operations of the target process on the registry, (3) operations of the target process on kernel objects.
(1) Operations of the target process on files and directories:
When the target process runs, the method uses a kernel module to intercept the target process's system calls on files and directories and determines the operation type. When the operation type is non-destructive, such as reading a file or directory, the system does not redirect; the benefit is improved operating efficiency of the system. For destructive operations, such as writing a file, deleting a file or renaming a file, the method copies the target file or directory to generate a temporary file, and the system call is then redirected to the temporary file produced by the copy, as shown in the file redirection flow chart of Fig. 2.
(2) Operations of the target process on the registry
Operations of the target process on the registry differ considerably from operations on files. The method adds a non-system registry file in front of the system registry file. When a system call accessing the registry is intercepted, the operation type is determined: if the operation is non-destructive, the system call first performs the read on the added non-system registry and then performs the read on the system registry; if the operation type is destructive and the operating subject is the target process, the operation is redirected to the non-system registry. The detailed process is shown in the registry redirection flow chart of Fig. 3.
(3) Operations of the target process on kernel objects
Kernel objects are a special kind of file directory. When the target process opens or creates a kernel object, the current kernel object directory tree is copied in full, and the system call is then redirected to the copied kernel object. The detailed process is shown in Fig. 4.
The secure process running environment solution of the present invention comprises an application-layer user operation part and a kernel-layer redirection part for files, the registry and kernel objects.
First, the application-layer part: the application layer provides the function for the user to add a target program, and when the target program runs, the kernel-layer solution intercepts system calls and analyses whether the operating subject is the target process.
Next, the kernel redirection part: after intercepting a system operation, if analysis finds that the operating subject is the target process, the operated object is analysed further; according to the object, the operation is classified as a file operation, a registry operation or a kernel object operation, and is redirected accordingly.
To improve the efficiency of the method, the operation flags for files and the registry are also classified into destructive operations and non-destructive operations: non-destructive operations include read and copy, and destructive operations include write, delete and rename. Non-destructive operations cannot damage system resources, so when the target process performs a non-destructive operation the method does not redirect the system call; destructive operations can directly damage system resources, so their system calls are redirected, and the information they produce is cleaned up after the target process exits.
Apart from the technical features described in this specification, everything is known technology to those skilled in the art.
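The policy laid out in the description (classify subject, operated object and operation flag; pass reads through; copy a destructive operation's target to a temporary copy and redirect the call there; give the target a merged view of the system registry plus its own non-system registry; copy the kernel object directory on open/create; discard everything on exit), as an added Python model that is not part of the patent. The in-memory dictionaries stand in for the real file system, registry and kernel object directory, and calling `syscall()` stands in for the kernel hook; every name and value is constructed.

```python
DESTRUCTIVE = {"write", "delete", "rename"}   # operation flags that are redirected
NON_DESTRUCTIVE = {"read"}                    # operation flags that pass straight through


class RedirectSandbox:
    """The patent's kernel-layer redirection policy, modelled in user space (added example)."""

    def __init__(self, target_pid, files, registry, objects):
        self.target_pid = target_pid      # the subject the application layer marked as target
        self.files = files                # stand-in for the real file system (constructed)
        self.registry = registry          # stand-in for the real system registry (constructed)
        self.objects = objects            # stand-in for the real kernel object directory
        self.shadow_files = {}            # temporary copies, created on first destructive op
        self.shadow_registry = {}         # the extra "non-system" registry file
        self.shadow_objects = None        # full copy of the object directory tree
        self.redirected = []              # audit trail: which calls were redirected

    def syscall(self, pid, kind, op, name, value=None):
        """Entry point for an intercepted call; returns what the caller would observe."""
        if pid != self.target_pid:                     # other subjects are never redirected
            return self._apply(self._real(kind), op, name, value)
        if kind == "object":                           # open/create: copy the whole tree once
            if self.shadow_objects is None:
                self.shadow_objects = dict(self.objects)
            self.redirected.append((kind, op, name))
            return self._apply(self.shadow_objects, op, name, value)
        if op in NON_DESTRUCTIVE:                      # let the call through, nothing copied
            if kind == "registry":                     # target sees system data plus its own
                return {**self.registry, **self.shadow_registry}.get(name)
            return self.shadow_files.get(name, self.files.get(name))
        if op not in DESTRUCTIVE:
            raise ValueError(f"unknown operation flag: {op}")
        self.redirected.append((kind, op, name))
        if kind == "registry":
            return self._apply(self.shadow_registry, op, name, value)
        if name not in self.shadow_files and name in self.files:
            self.shadow_files[name] = self.files[name]  # copy the object to a temp file first
        return self._apply(self.shadow_files, op, name, value)

    def _real(self, kind):
        return {"file": self.files, "registry": self.registry, "object": self.objects}[kind]

    @staticmethod
    def _apply(store, op, name, value):
        """Perform op on a store; a None entry is a tombstone for a deleted name."""
        if op in ("read", "open"):
            return store.get(name)
        if op in ("write", "create"):
            store[name] = value
            return value
        if op == "delete":
            store[name] = None
            return True
        if op == "rename":
            store[value] = store.pop(name, None)
            store[name] = None
            return value
        raise ValueError(f"unknown operation flag: {op}")

    def target_exited(self):
        """Final step: discard everything the target produced; real stores are untouched."""
        self.shadow_files.clear()
        self.shadow_registry.clear()
        self.shadow_objects = None
```

The `redirected` list is the defender-side by-product of this design: every destructive call the target attempted is recorded without any of it reaching the real resources.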

Claims (2)

1. A design for a secure process running environment, characterized in that the kernel intercepts the system calls of a target process; the operated object and the operation flag are classified; it is then decided whether to protect the system by redirecting the system call; after the target process exits, the information belonging to the target process is cleaned up. The specific content comprises:
(1) Redirection of the target process's file and directory operations. The method intercepts the target process's destructive operations on file and directory objects and copies and redirects the file or directory object. The specific steps are:
In the kernel layer, intercept the target process's operations on files and directories and analyse the operation flag. Non-destructive operations, including read operations and copy operations, invoke the system call directly without redirecting the operated object, which improves the operating efficiency of the system. For destructive operations, including write operations and delete operations, the target object is copied and the operation is redirected, so that the target process's operations on the object cannot damage system resources.
(2) Redirection of the target process's registry operations. The method must intercept the target process's destructive system calls on the registry and redirect the operated object. The specific steps are:
Before a system call operates on the system registry, a maintained registry redirection file is accessed first. Read operations of the process are not intercepted at all, but the data the process reads is the sum of the system registry data and the registry data maintained in the redirection file. Destructive operations on the registry are redirected into the redirection file, so the system registry cannot be damaged.
(3) Redirection of the target process's kernel objects. The method intercepts the target process's system calls on kernel objects and redirects those system calls. Kernel objects include kernel events, semaphore objects and mutex objects, and exist in the system in file form; by intercepting the process's system calls, the kernel object is copied and redirected.
2. The design for a secure process running environment according to claim 1, characterized in that it further comprises an application-layer user operation part and a kernel-layer redirection part for files, the registry and kernel objects;
First, the application-layer part: the application layer provides the function for the user to add a target program, and when the target program runs, the kernel-layer solution intercepts system calls and analyses whether the operating subject is the target process;
Next, the kernel redirection part: after intercepting a system operation, if analysis finds that the operating subject is the target process, the operated object is analysed further; according to the object, the operation is classified as a file operation, a registry operation or a kernel object operation, and is redirected accordingly.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410402074.8A CN104182684A (en) 2014-08-15 2014-08-15 Design solution of security process operating environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410402074.8A CN104182684A (en) 2014-08-15 2014-08-15 Design solution of security process operating environment

Publications (1)

Publication Number Publication Date
CN104182684A true CN104182684A (en) 2014-12-03

Family

ID=51963716

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410402074.8A Pending CN104182684A (en) 2014-08-15 2014-08-15 Design solution of security process operating environment

Country Status (1)

Country Link
CN (1) CN104182684A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106250766A (en) * 2016-07-27 2016-12-21 北京金山安全软件有限公司 Information security processing method and device and terminal

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101551756A (en) * 2009-03-31 2009-10-07 成都市华为赛门铁克科技有限公司 The virtual method and virtual device based on operating system layer
CN102542187A (en) * 2010-12-23 2012-07-04 盛趣信息技术(上海)有限公司 Method for improving safety performance of computers on basis of safety sandbox
CN102799817A (en) * 2011-06-30 2012-11-28 卡巴斯基实验室封闭式股份公司 System and method for malware protection using virtualization
CN103345604A (en) * 2013-07-16 2013-10-09 湘潭大学 Sandbox system based on light-weight virtual machine monitor and method for monitoring OS with sandbox system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20141203