CN104809401A - Method for protecting integrity of kernel of operating system - Google Patents
Method for protecting integrity of kernel of operating system Download PDFInfo
- Publication number
- CN104809401A CN104809401A CN201510234249.3A CN201510234249A CN104809401A CN 104809401 A CN104809401 A CN 104809401A CN 201510234249 A CN201510234249 A CN 201510234249A CN 104809401 A CN104809401 A CN 104809401A
- Authority
- CN
- China
- Prior art keywords
- ips
- monitoring
- kernel
- integrity protection
- integrity
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 49
- 238000012544 monitoring process Methods 0.000 claims abstract description 126
- 230000001012 protector Effects 0.000 claims abstract description 77
- 238000012545 processing Methods 0.000 claims abstract description 13
- 230000001960 triggered effect Effects 0.000 claims abstract description 10
- YQYRYHNCVCFNHU-UHFFFAOYSA-N 1-ethyl-4-phenyl-3,6-dihydro-2h-pyridine Chemical compound C1N(CC)CCC(C=2C=CC=CC=2)=C1 YQYRYHNCVCFNHU-UHFFFAOYSA-N 0.000 claims description 29
- 230000008569 process Effects 0.000 claims description 26
- 230000007246 mechanism Effects 0.000 claims description 19
- 230000006870 function Effects 0.000 claims description 17
- 238000012546 transfer Methods 0.000 claims description 14
- 230000000903 blocking effect Effects 0.000 claims description 7
- 238000009413 insulation Methods 0.000 claims description 7
- 238000004321 preservation Methods 0.000 claims description 5
- GOLXNESZZPUPJE-UHFFFAOYSA-N spiromesifen Chemical compound CC1=CC(C)=CC(C)=C1C(C(O1)=O)=C(OC(=O)CC(C)(C)C)C11CCCC1 GOLXNESZZPUPJE-UHFFFAOYSA-N 0.000 claims description 5
- 230000008859 change Effects 0.000 claims description 3
- 238000012217 deletion Methods 0.000 claims description 3
- 230000037430 deletion Effects 0.000 claims description 3
- 238000007689 inspection Methods 0.000 claims description 3
- 238000013507 mapping Methods 0.000 claims description 3
- 230000000737 periodic effect Effects 0.000 claims description 3
- 230000005540 biological transmission Effects 0.000 claims description 2
- 238000002955 isolation Methods 0.000 claims description 2
- 230000009191 jumping Effects 0.000 claims description 2
- 238000010586 diagram Methods 0.000 description 10
- 238000005516 engineering process Methods 0.000 description 4
- 239000000306 component Substances 0.000 description 3
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000000712 assembly Effects 0.000 description 1
- 238000000429 assembly Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 239000008358 core component Substances 0.000 description 1
- 230000007812 deficiency Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a method for protecting integrity of a kernel of an operating system. An operating system kernel integrity protecting system comprises integrity protection software (IPS), a kernel hook, skip codes, a target operating system (Target OS) and a monitor protector. The method comprises the following steps: (1) starting up and initializing the monitor protector; after initializing is completed, waiting for request operation of the IPS; (2) logging in the IPS and setting a monitoring and protecting environment; (3) monitoring and protecting the integrity of the kernel of the Target OS; when a hook, arranged in the kernel, of the IPS is triggered, checking the integrity of the kernel of the Target OS, protecting a kernel event from occurring, and then, switching into the IPS for corresponding processing; (4) logging off the IPS and clearing the monitoring and protecting environment; clearing the monitoring and protecting environment established in the step (2), and recovering the normal operation of the Target OS.
Description
Technical field
The present invention relates to the safeguard protection of operating system, particularly a kind of method of operating system nucleus being carried out to integrality monitoring and protection.
Background technology
Operating system nucleus code is in large scale, complex structure, and in order to ensure running efficiency of system, usually adopting fail-safe program language compilation, thus wherein there is a large amount of leaks and mistake.Assailant can utilize these leaks internally to examine and execute attack, and amendment kernel key state, perform arbitrary malicious code, therefore, operating system nucleus is faced with very severe safety issue.The integrality of operating system nucleus monitored and protects, can effectively promote its security.
The mechanism of the integrity protection more employing monitor of virtual machine VMM of existing operating system nucleus, these VMM should provide virtual support for operating system, but there are some problems.VMM is faced with the same safety problem of operating system nucleus, and the security of himself can not effectively be ensured.Because operating system can be carried out with VMM alternately continually in its life cycle, VMM is existed and attacks face widely.Like this, malicious operating system just can trigger the leak in VMM by the data meticulously constructed, to implement to attack.VMM needs perform virtualization operations for operating system and need to intervene kernel integrity checksum protection process, can produce serious performance cost, practicality is reduced greatly.Therefore, operating system nucleus integrality monitoring and protection technology, is very important safely and efficiently.Utilize computer hardware Intel Virtualization Technology, ensureing effectively to implement kernel integrity monitoring with on the basis of protection, promote himself security and reduce the performance cost of completeness protection method, there is realistic meaning.
Summary of the invention
In order to overcome the deficiencies in the prior art, the invention provides a kind of operating system nucleus completeness protection method, make to the monitoring of operating system nucleus integrality and protection safer, efficient.
For achieving the above object, the present invention takes following technical scheme: a kind of operating system nucleus integrity protection system, based on assembly comprise integrity protection program, kernel hooking, redirect code, goal systems and monitoring protector; Comprise the steps (key operation):
(1) startup of monitoring protector and initialization; Monitoring protector carries out the configuration effort of virtualized environment when starting, enable expansion page table EPT mechanism that Intel processor provides and VM-functions machine-processed, and set up for supporting that goal systems Target OS carries out the EPT paging structure GEPT of internal storage access, wait for the solicit operation of integrity protection program IPS after initialization;
(2) registration of integrity protection program IPS and the setting of monitoring and protection environment; Integrity protection program IPS is when loading, need the kernel hooking that intercepting and capturing event is set, create and configure redirect code and coherence check program, registered to monitoring protector by the instruction of VMCALL hypercalls, monitoring protector creates for supporting that integrity protection program IPS carries out the EPT paging structure SEPT of internal storage access, and memory protect is set, realize internal memory isolation;
(3) monitoring to goal systems Target OS kernel integrity and protection is implemented; When the hook that integrity protection program IPS is arranged in kernel is triggered, means the generation needing the kernel events carried out checking to Target OS kernel integrity and protect, be now switched in integrity protection program IPS and carry out respective handling.
(4) integrity protection program IPS nullifies and removes with monitoring and protection environment; The monitoring and protection environment set up in clear operation (2), and recover the normal operation of goal systems Target OS.
It is inner that integrity protection program IPS (Integrity Protection Software) is placed in destination OS Target OS address space, encapsulate correlative code destination OS Target OS kernel being carried out to integrity checking and protection, and required data segment and work stack when running, form a closed execution environment, the security strategy foundation user's request that wherein concrete integrity checking is relevant with protection is formulated voluntarily; When needs implement integrality monitoring and protection to operating system nucleus; integrity protection program IPS registers to monitoring protector when loading; monitoring protector is that IPS builds the running environment protected, and performs corresponding security strategy in the whole life cycle of IPS under monitoring protector protection.
Kernel hooking is placed in goal systems Target OS kernel, for intercepting and capturing the kernel events that Target OS integrity state may be made to change, control flow check can be proceeded in integrity protection program IPS and carry out checking and analyzing.
Embodiment and the setting position of kernel hooking are relevant to security strategy, formulated voluntarily by user, such as, arrange at kernel events places such as kernel module loading and deletion, executable file execution, or intercept and capture Target OS clock interrupt handling routine to carry out periodic integrity checking.
The control that redirect code is used between destination OS Target OS and integrity protection program IPS switches, and is subject to the protection of monitoring protector equally.After user's kernel hooking be placed in Target OS is triggered, control flow check can be proceeded in integrity protection program IPS by redirect code and carry out analyzing and processing, and then returns goal systems Target OS continuation execution by redirect code.The redirect code entering integrity protection program IPS is called entry redirect code, and the redirect code returning goal systems Target OS is called exit redirect code.
Monitoring protector runs directly on computer hardware, for integrity protection program IPS, kernel hooking and redirect code provide insulation blocking, build the execution environment of safety, resist the malicious attack of goal systems Target OS to said modules, thus ensure the validity of kernel integrity protection system;
Monitoring protector provides the running environment of an insulation blocking for integrity protection program IPS, is the VMM of a lightweight but does not perform any virtualization operations, the operation of nonintervention destination OS Target OS; Monitoring protector, accepts the registration and unregistration request that integrity protection program IPS sends, and sets up and cancel constructed internal storage access safeguard measure, and recording-related information; Monitoring protector is guided by Grub and starts, and runs directly on hardware, and monitoring protector uses the GETSEC instruction of Intel TXT to carry out credible startup when starting; Monitoring protector only enables the machine-processed and protection to LBR MSR of expansion page table EPT mechanism, VM-functions, by different EPT page table structure GEPT and SEPT respectively control objectives system Target OS and integrity protection program IPS to the access of physical memory.
READ, WRITE, EXECUTION position that monitoring protector is enabled in expansion page table EPT item reflects the reading and writing of this list item indication physical memory page and can perform access rights; By arranging different access rights in GEPT and SEPT; Meanwhile, in redirect code, use the EPTP handover mechanism provided in VM-functions, in non-root pattern, directly realize the switching between EPT;
In order to manage the internal storage access authority of integrity protection program IPS, kernel hooking, redirect code; the integrity protection program IPS that monitoring protector uses safe_monitor data structure correspondence to register; for stored memory protection information, comprising: base address ips_eptp, ips_eptp index ips_index in EPTP list field of SEPT, the initial and end address of each region of memory and the access rights of required setting.
For contextual information and the monitoring configuration information of goal systems Target OS when preservation performs integrity checking and protects, integrity protection program IPS inside uses ips_context structure to carry out record, comprise: need stack pointer os_stack when preservation goal systems Target OS is current to be run, integrity protection program IPS stack pointer ips_stack, entry and exit redirect code address ips_entry and ips_exit, integrity protection program IPS processing function entrance address ips_handler, kernel hooking address ips_hook and return address ips_return.
Beneficial effect of the present invention: operating system nucleus completeness protection method provided by the invention is based on Intel VT hardware virtualization technology.In this kernel integrity protection system; it is inner that integrity protection program IPS operates in goal systems TargetOS; intercepting and capturing Target OS kernel events by arranging kernel hooking, proceeding to integrity protection program IPS via redirect code and performing corresponding security strategy.All assemblies are all subject to the protection of monitoring protector, make Target OS not modify to it and to destroy, thus protect its security.Monitoring protector provided by the invention is a lightweight VMM; only for kernel integrity protection system provides an isolated execution environment; and without the need to other virtualization feature; monitoring protector only enables the machine-processed and protection to LBR MSR of expansion page table EPT mechanism, VM-functions; by different EPT page table control Target OS and IPS to the access of physical memory; and the EPTP handover mechanism using VM-functions to provide, directly realizes the switching between EPT in non-root pattern.Thus, Target OS in the process of implementation and IPS perform in integrity protection related security policies process, all without the need to the intervention of monitoring protector, whole system is performed safe and efficient.
Accompanying drawing explanation
Fig. 1 operating system nucleus integrity protection system structural representation;
Fig. 2 operating system nucleus completeness protection method process flow diagram;
Fig. 3 monitoring protector initialization flowchart;
Fig. 4 integrity protection program IPS registers and monitoring and protection ambient As process flow diagram;
Fig. 5 HYPERCALL_CREATE hypercalls flowchart;
Fig. 6 HYPERCALL_SET hypercalls flowchart;
Fig. 7 is specifically to the monitoring and protection process flow diagram of kernel integrity;
Fig. 8 entry redirect code flow figure;
Fig. 9 exit redirect code flow figure;
Figure 10 integrity protection program IPS nullifies and removes process flow diagram with monitoring and protection environment;
Figure 11 HYPERCALL_DESTROY hypercalls process flow diagram.
Embodiment
Below in conjunction with accompanying drawing, the present invention is further described.
As shown in Figure 1, a kind of operating system nucleus integrity protection system provided by the invention, contained assembly comprises integrity protection program IPS, kernel hooking, redirect code, goal systems Target OS and monitoring protector.When needs implement integrality monitoring and protection to operating system nucleus; integrity protection program IPS is loaded in destination OS Target OS address space by the mode of kernel module; carry out the configuration that monitoring and protection environment needs; and register to monitoring protector, build the running environment that one is subject to insulation blocking.Integrity protection program IPS self encapsulates correlative code goal systems Target OS kernel being carried out to integrity checking and protection; and required data segment and work stack when running; form a closed execution environment, wherein concrete security strategy is formulated voluntarily according to user's request.
In order to preserve the contextual information and monitoring configuration information that perform integrity checking and goal systems Target OS during protection, integrity protection program IPS inside uses ips_context structure to carry out record, comprise: need stack pointer os_stack when preservation goal systems Target OS is current to be run, integrity protection program IPS stack pointer ips_stack, entry and exit redirect code address ips_entry and ips_exit, integrity protection program IPS processing function entrance address ips_handler, kernel hooking address ips_hook and return address ips_return.
Intercept and capture the kernel events that goal systems Target OS integrity state may be made to change for enabling integrity protection program IPS, and then carry out association integrity inspection and analysis, need to arrange kernel hooking in Target OS.Embodiment and the setting position of kernel hooking are relevant to security strategy, formulated voluntarily by user, such as, arrange at kernel events places such as kernel module loading and deletion, executable file execution, or intercept and capture Target OS clock interrupt handling routine to carry out periodic integrity checking.
The control that redirect code is used between goal systems Target OS and integrity protection program IPS switches, and is subject to the protection of monitoring protector equally.After user's kernel hooking be placed in goal systems Target OS is triggered, control flow check can be proceeded in integrity protection program IPS by redirect code and carry out analyzing and processing, and then returns goal systems Target OS continuation execution by redirect code.The redirect code entering integrity protection program IPS from goal systems Target OS is called entry redirect code, and the redirect code returning goal systems Target OS is called exit redirect code.
Monitoring protector is the core component of native system; for integrity protection program IPS provides the running environment of an insulation blocking; in fact the VMM of a lightweight is equivalent to; accept the registration and unregistration request that integrity protection program IPS sends; set up and cancel constructed internal storage access safeguard measure, and recording-related information.Monitoring protector is guided by Grub and starts, and runs directly on hardware, and in order to ensure the clean boot of self, monitoring protector uses the GETSEC instruction of IntelTXT to carry out credible startup when starting.Monitoring protector is only for kernel integrity protection system provides an isolated execution environment; and without the need to other virtualization feature; thus the execution control domain arranged in virtual machine control block VMCS is needed hardly; only enable the machine-processed and protection to LBR MSR of expansion page table EPT mechanism, VM-functions, by different EPT page table structure GEPT and SEPT respectively control objectives system Target OS and integrity protection program IPS to the access of physical memory.READ, WRITE, EXECUTION position in EPT page table entry reflects the reading and writing of this list item indication physical memory page and can perform access rights.By arranging different access rights in GEPT and SEPT, it is the key realizing carrying out integrity protection program IPS insulation blocking.Meanwhile, in redirect code, use the EPTP handover mechanism provided in VM-functions, directly can realize the switching between EPT in non-root pattern, without the need to the intervention of monitoring protector, ensure that the high efficiency of monitoring and protection method.
In order to manage the internal storage access authority of integrity protection program IPS, kernel hooking, redirect code; the integrity protection program IPS that monitoring protector uses safe_monitor data structure correspondence to register; for stored memory protection information, comprising: base address ips_eptp, ips_eptp index ips_index in EPTP list field of SEPT, the initial and end address of each region of memory and the access rights of required setting.
Figure 2 shows that operating system nucleus completeness protection method process flow diagram.Comprise: the initialization of step 20 monitoring protector; Step 21 integrity protection program IPS registers and monitoring and protection ambient As; Step 22 is specifically to the monitoring and protection of kernel integrity; And step 23 integrity protection program IPS cancellation mainly operates with monitoring and protection environment removing etc.
Fig. 3 is monitoring protector initialization flowchart.Step 30 is initial state; Step 31 enables expansion page table EPT mechanism and VM functions mechanism, the object of enabling VM functions is to directly perform EPT blocked operation in goal systems Target OS, by Enable EPT position in virtual machine control block VMCS and VM functions position 1; Step 32 is by IA32_DEBUGCTL MSR register bit 0 position 1, to open LBR (Last BranchRecord) mechanism, write in bitmap at the MSR of VMCS simultaneously, by the position 1 corresponding to IA32_DEBUGCTL and LBR stack (LBRstack) register, to forbid that goal systems Target OS revises these registers, allow again to read these registers in integrity protection program IPS simultaneously; Step 33 arranges whole GEPT list items according to the size of goal systems Target OS physical address, page size is set to 4KB, READ, WRITE, EXECUTION position 1 of the whole GEPT list item of initialization, ensure the identical mapping between the guest-physical addresses of Target OS and machine physical address, and GEPT page table base address guest_eptp is stored in the EPTP field of virtual machine control block VMCS, in addition, monitoring protector self place physical memory area is left out from GEPT page table entry, to forbid external module access monitoring protector own content; Step 34, by VM-functions control field bit 0 position 1 in VMCS, switches (EPTP Switching) mechanism to enable EPTP, distributes 4KB size EPTP list, and guest_eptp to be stored in EPTP list index position be 0 place; Step 35 terminates.Initialization completes, and waits for the request of integrity protection program IPS.
After monitoring protector initialization completes, just possess for integrity protection program IPS builds the function that is isolated running environment.Integrity protection program IPS, when loading, needs to carry out the operation such as pertinent registration and monitoring and protection ambient As.And at the end of monitoring, cancel configured monitoring and protection environment, recover the normal operation of goal systems Target OS.Need the operation carrying out arranging in monitoring protector in concrete registration and unregistration process, use hypercalls to carry out by integrity protection program IPS.In Intel VT-x; hypercalls make use of VMCALL instruction; for this reason, the invention provides following three supersystems and call: (1) HYPERCALL_CREATE: for notifying that monitoring protector creates SEPT paging structure, RAX register Transfer Parameters HYPERCALL_CREATE.(2) HYPERCALL_SET: for arranging kernel hooking in GEPT and SEPT; redirect code; the access rights of integrity protection program IPS place region of memory; for realizing the protection to integrality monitoring and protection environment; RAX register Transfer Parameters HYPERCALL_SET; RBX register Transfer Parameters start address start; RCX register Transfer Parameters end address end; RDX register Transfer Parameters component type (kernel hooking; redirect code; IPS code, IPS data).(3) HYPERCALL_DESTROY: for removing the memory protect measure arranged in monitoring protector, RAX register Transfer Parameters HYPERCALL_DESTROY.When integrity protection program IPS call supersystem call time, CPU can be trapped in monitoring protector, and monitoring protector carries out relevant treatment according to concrete parameter information.
Fig. 4 is that integrity protection program IPS registers and monitoring and protection ambient As process flow diagram.Step 40 is initial state; Step 41 distribute integrality defence program IPS run needed for stack and other data areas, for forming a closed running environment; Step 42 dynamically produces ips_context structure, goal systems Target OS contextual information and monitoring configuration information during for preserving monitoring, comprise and need to preserve stack pointer os_stack, IPS stack pointer ips_stack, entry and exit redirect code address ips_entry and ips_exit when Target OS is current to be run, IPS processing function entrance address ips_handler, kernel hooking address ips_hook and return address ips_return; Step 43 by IPS stack top address ips_stack, entry and exit redirect code address ips_entry, ips_exit, IPS processing function entrance ips_handler is saved in ips_context structure; Step 44 arranges kernel hooking, the present invention not limited subscriber adds the concrete mode of kernel hooking, guarantee that kernel hooking jumps to ips_entry position by user, and its address ips_hook and return address ips_return is saved in ips_context structure, ips_hook is used for calling scrutiny program, ensures that integrity protection program IPS is triggered by set kernel hooking; Step 45 is called HYPERCALL_CREATE hypercalls and is created SEPT paging structure, this process comprises a sub-process processed in monitoring protector, and be the index of SEPT page table base address ips_eptp in the EPTP list field of virtual machine control block VMCS with the transmission of RAX register rreturn value ips_index, ips_index; Whether step 46 judges that page memory protect shared by kernel hooking, redirect code, integrity protection program IPS is arranged and has all processed, and if so, then forwards step 48 to and terminates, otherwise forward step 47 to; Step 47 is called HYPERCALL_SET hypercalls and arrange kernel hooking in GEPT and SEPT, redirect code, the access rights of integrity protection program IPS place internal memory, for realizing the protection to kernel integrity monitoring and protection environment, this process comprises a sub-process processed in monitoring protector; Step 48 terminates.
Fig. 5 is HYPERCALL_CREATE hypercalls flowchart.Step 50 is initial state, step 51 produces safe_monitor structure stored memory protection information, comprises base address ips_eptp, ips_eptp index ips_index in EPTP list field of SEPT, the initial and end address of each region of memory and the access rights of required setting, step 52 arranges whole SEPT list items according to the size of goal systems Target OS physical address, page size is set to 4KB, what SEPT was equivalent to GEPT copies version, but all pages do not have to perform authority, therefore, the READ of the whole SEPT list item of initialization, WRITE position 1, EXECUTION position 0, ensure the identical mapping of guest-physical addresses and machine physical address, monitoring protector self place physical memory area is left out from SEPT page table entry, to forbid external module access monitoring protector own content, and SEPT base address ips_eptp is saved in safe_monitor, ips_eptp is saved in the EPTP list field in VMCS by step 53, and index is ips_index, ips_index is saved in safe_monitor by step 54, rreturn value ips_index preserved by step 55 RAX register, step 56 terminates.
Fig. 6 is HYPERCALL_SET hypercalls flowchart.Step 60 is initial state, step 61 verifies the legitimacy of HYPERCALL_SET hypercalls instruction Transfer Parameters, namely processed (being kept in safe_monitor) whether the start address start of determination component and end address end, and start<end, if Transfer Parameters is legal, proceed to step 62, otherwise proceed to the error handle of step 6A, step 62 determines the authority gacc that will arrange in GEPT and SEPT and sacc according to component type in RDX register: if kernel hooking, then gacc is set to readable, can not write, can perform, sacc is set to readable, can write, can not perform, if redirect code, then gacc is set to readable, can not write, can perform, sacc is set to readable, can write, can perform, if IPS code, then gacc is set to not readable, can not write, can not perform, sacc is set to readable, can not write, can perform, if IPS data, then gacc is set to not readable, can not write, can not perform, sacc is set to readable, can write, can not perform, step 63 arranges circulation initial state, start address start is set to current address laddr, step 64 judges whether laddr is more than or equal to end address end, and if so, then all page process complete, and jump to step 69, and circulation terminates, otherwise enters loop body, goes to step 65, step 65 uses laddr to inquire about current Target OS page table, obtains corresponding guest-physical addresses paddr, step 66 uses paddr to travel through GEPT and SEPT respectively, and corresponding list item access rights are set to gacc and sacc respectively, step 67 preserves laddr, paddr, gacc and sacc in safe_monitor, current address laddr is set to the address of the next page by step 68, goes to step 64, step 69 terminates internal storage access priority assignation, the parameter imported in step 6A is illegal, and program error terminates.
Fig. 7 is specifically to the monitoring and protection process flow diagram of kernel integrity.Step 70 is initial state; In step 71 when being arranged on the hook in kernel and being triggered, the ips_entry place, address jumping to entry redirect code is performed; Perform task switching by entry redirect code in step 72, mainly execute the task to comprise and preserve goal systems Target OS register information before the handover, perform EPT blocked operation (GEPT switches to SEPT), integrality defence program IPS is set runs work stack ips_stack and jump to and call scrutiny program; Jump information can be recorded in LBR stack register in step 73, reading LBR stack register content, and compare with ips_hook, calling validity checking for performing, guarantee that control flow check is come from the hook redirect of correspondence, instead of goal systems Target OS malice triggers; If step 74 is identical, then it is legal to call, and proceeds to step 75, otherwise proceeds to the end of step 78 mistake; Step 75 jumps to the inspection of ips_handler place, integrity protection program IPS processing function entrance address execution kernel integrity and operates with protection, and the concrete security strategy performed is defined by the user; Step 76 is performed by exit redirect code and returns task, mainly executes the task to comprise and recovers goal systems Target OS register information before the handover, performs EPT blocked operation (SEPT switches to GEPT) and turn back to continuation in goal systems Target OS to perform; Step 77 terminates; Step 78 mistake terminates.
Fig. 8 is entry redirect code flow figure, is made up of assembly instruction.Step 80 is initial state, and kernel hooking jumps to entry redirect code place; Step 81 uses CLI instruction to close interruption, ensures the atomicity that entry redirect code performs; The general-purpose register pop down that goal systems Target OS uses by step 82, the storehouse used by Target OS oneself is preserved; Step 83 is by RAX register assignment 0, and representing EPTP and switch (EPTP switching), is ips_index by RCX register assignment, performs VMFUNC instruction and is switched to SEPT; Step 84 performs CLI instruction again, prevents goal systems Target OS from directly skipping step 81, ensures the atomicity of kernel integrity monitoring and protection process; The stack pointer that goal systems Target OS uses is saved in the os_stack in ips_context by step 85; Step 86 by ips_stack assignment to RSP register; Step 87 jumps to step 73 and performs.Step 88 terminates.
Fig. 9 is exit redirect code flow figure, is made up of assembly instruction.Step 90 is initial state, integrity protection program finishes execution, turns back to exit redirect code place; Step 91 uses CLI instruction to close interruption, ensures the atomicity that exit redirect code performs; Os_stack assignment to RSP register, is recovered the stack pointer of goal systems Target OS by step 92; Step 93, by RAX register assignment 0, represents EPTP and switches (EPTP switching), be 0, represent the index of GEPT in EPTP list field by RCX register assignment, performs VMFUNC instruction and EPTP is switched back GEPT; Step 94 recovers the general-purpose register of the goal systems Target OS previously used; Step 95 uses STI instruction to open interruption, recovers the interruption status of Target OS; Step 96 jumps to return address ips_return and continues goal systems Target OS execution.Step 97 terminates.
Figure 10 is that integrity protection program IPS nullifies and monitoring environment removes process flow diagram.Steps A 0 is initial state; Steps A 1 is called HYPERCALL_DESTROY hypercalls and is removed the memory protect measure arranged in monitoring protector, and this process comprises a sub-process processed in monitoring protector; Steps A 2 eliminates the kernel hooking arranged, and recovers goal systems Target OS and normally performs; Steps A 3 empties internal memory and the register of integrity protection program IPS use, in case information leakage, and the memory headroom shared by release; Steps A 4 terminates.
Figure 11 is HYPERCALL_DESTROY hypercalls process flow diagram.Step B0 is initial state; Step B1 judge current whether be in SEPT control under, only have integrity protection program IPS internal code can call HYPERCALL_DESTROY hypercalls, as "Yes", then enter step B2, otherwise, proceed to step B9 mistake and terminate; Step B2 judges whether the page needing to remove memory protect setting has all processed, and if so, then forwards step B4 to, otherwise forwards step B3 to; Step B3 utilizes the paddr be kept in safe_monitor to travel through GEPT, corresponding page table entry access rights is reverted to READ, WRITE, EXECUTION, and proceeds to the next paddr of step B2 process; Step B4 empties whole SEPT list item, release busy internal memory; Step B5 discharges safe_monitor and takes up room; GEPT page table base address guest_eptp is stored in the EPTP field in VMCS by step B6; Step B7 normal termination; Step B8 mistake terminates.
The above is only the preferred embodiment of the present invention; be noted that for those skilled in the art; under the premise without departing from the principles of the invention, can also make some improvements and modifications, these improvements and modifications also should be considered as protection scope of the present invention.
Claims (7)
1. an operating system nucleus completeness protection method, it is characterized in that based on assembly comprise integrity protection program, kernel hooking, redirect code, goal systems and monitoring protector; Adopt following steps:
(1) startup of monitoring protector and initialization; Monitoring protector carries out the configuration effort of virtualized environment when starting, enable expansion page table EPT mechanism that Intel processor provides and VM-functions machine-processed, and set up for supporting that goal systems Target OS carries out the EPT paging structure GEPT of internal storage access, wait for the solicit operation of integrity protection program IPS after initialization;
(2) registration of integrity protection program IPS and the setting of monitoring and protection environment; Integrity protection program IPS is when loading, need the kernel hooking that intercepting and capturing event is set, create and configure redirect code and coherence check program, registered to monitoring protector by the instruction of VMCALL hypercalls, monitoring protector creates for supporting that integrity protection program IPS carries out the EPT paging structure SEPT of internal storage access, and memory protect is set, realize internal memory isolation;
(3) monitoring to goal systems Target OS kernel integrity and protection is implemented; When the hook that integrity protection program IPS is arranged in kernel is triggered, needs the generation of the kernel events carried out checking to Target OS kernel integrity and protect, be now switched in integrity protection program IPS and carry out respective handling;
(4) integrity protection program IPS nullifies and removes with monitoring and protection environment; The monitoring and protection environment set up in clear operation (2), and recover the normal operation of goal systems Target OS;
It is inner that integrity protection program IPS (Integrity Protection Software) is placed in destination OS Target OS address space, encapsulate correlative code destination OS Target OS kernel being carried out to integrity checking and protection, and required data segment and work stack when running, form a closed execution environment, the security strategy foundation user's request that wherein concrete integrity checking is relevant with protection is formulated voluntarily; When needs implement integrality monitoring and protection to operating system nucleus, load integrity protection program IPS and register to monitoring protector, monitoring protector is that IPS builds the running environment protected, and performs corresponding security strategy in the whole life cycle of IPS under monitoring protector protection;
Kernel hooking is placed in goal systems Target OS kernel, for intercepting and capturing the kernel events that Target OS integrity state may be made to change, control flow check can be proceeded in integrity protection program IPS and carry out checking and analyzing; Embodiment and the setting position of kernel hooking are relevant to security strategy, formulated voluntarily by user, such as, arrange at kernel events places such as kernel module loading and deletion, executable file execution, or intercept and capture Target OS clock interrupt handling routine to carry out periodic integrity checking;
The control that redirect code is used between destination OS Target OS and integrity protection program IPS switches, and is subject to the protection of monitoring protector equally; After user's kernel hooking be placed in Target OS is triggered, control flow check can be proceeded in integrity protection program IPS by redirect code and carry out analyzing and processing, and then returns goal systems Target OS continuation execution by redirect code; The redirect code entering integrity protection program IPS is called entry redirect code, and the redirect code returning goal systems Target OS is called exit redirect code;
Monitoring protector runs directly on computer hardware, for integrity protection program IPS, kernel hooking and redirect code provide insulation blocking, build the execution environment of safety, resist the malicious attack of goal systems Target OS to said modules, thus ensure the validity of kernel integrity protection system;
Monitoring protector provides the running environment of an insulation blocking for integrity protection program IPS, is the VMM of a lightweight, but does not perform any virtualization operations, the operation of nonintervention destination OS Target OS; Monitoring protector accepts the registration and unregistration request that integrity protection program IPS sends, and sets up and cancel constructed internal storage access safeguard measure, and recording-related information; Monitoring protector is guided by Grub and starts, and runs directly on hardware, and monitoring protector uses the GETSEC instruction of Intel TXT to carry out credible startup when starting; Monitoring protector only enables the machine-processed and protection to LBR MSR of expansion page table EPT mechanism, VM-functions, by different EPT page table structure GEPT and SEPT respectively control objectives system Target OS and integrity protection program IPS to the access of physical memory.
2. operating system nucleus completeness protection method according to claim 1, is characterized in that READ, WRITE, EXECUTION position that monitoring protector is enabled in expansion page table EPT item reflects the reading and writing of this list item indication physical memory page and can perform access rights; By arranging different access rights in GEPT and SEPT; Meanwhile, in redirect code, use the EPTP handover mechanism provided in VM-functions, in non-root pattern, directly realize the switching between EPT;
In order to manage the internal storage access authority of integrity protection program IPS, kernel hooking, redirect code; the integrity protection program IPS that monitoring protector uses safe_monitor data structure correspondence to register; for stored memory protection information, comprising: base address ips_eptp, ips_eptp index ips_index in EPTP list field of SEPT, the initial and end address of each region of memory and the access rights of required setting.
3. operating system nucleus completeness protection method according to claim 1, it is characterized in that the contextual information for goal systems Target OS when preservation performs integrity checking and protects and monitoring configuration information, integrity protection program IPS inside uses ips_context structure to carry out record, comprise: need stack pointer os_stack when preservation goal systems Target OS is current to be run, integrity protection program IPS stack pointer ips_stack, entry and exit redirect code address ips_entry and ips_exit, integrity protection program IPS processing function entrance address ips_handler, kernel hooking address ips_hook and return address ips_return.
4. operating system nucleus completeness protection method according to claim 1, is characterized in that monitoring protector initialize flow; Step 30 is initial state; Step 31 enables expansion page table EPT mechanism and VM functions mechanism, the object of enabling VM functions is to directly perform EPT blocked operation in goal systems Target OS, by Enable EPT position in virtual machine control block VMCS and VM functions position 1; Step 32 is by IA32_DEBUGCTL MSR register bit 0 position 1, to open LBR (Last Branch Record) mechanism, write in bitmap at the MSR of VMCS simultaneously, by the position 1 corresponding to IA32_DEBUGCTL and LBR stack (LBR stack) register, to forbid that goal systems Target OS revises these registers, allow again to read these registers in integrity protection program IPS simultaneously; Step 33 arranges whole GEPT list items according to the size of goal systems Target OS physical address, page size is set to 4KB, READ, WRITE, EXECUTION position 1 of the whole GEPT list item of initialization, ensure the identical mapping between the guest-physical addresses of Target OS and machine physical address, and GEPT page table base address guest_eptp is stored in the EPTP field of virtual machine control block VMCS, in addition, monitoring protector self place physical memory area is left out from GEPT page table entry, to forbid external module access monitoring protector own content; Step 34, by VM-functions control field bit 0 position 1 in VMCS, to enable EPTP handover mechanism, distributes 4KB size EPTP list, and guest_eptp to be stored in EPTP list index position be 0 place; Step 35 terminates; Initialization completes, and waits for the request of integrity protection program IPS;
After monitoring protector initialization completes, just possess for integrity protection program IPS builds the function that is isolated running environment; Integrity protection program IPS, when loading, needs to carry out the operation such as pertinent registration and monitoring and protection ambient As; And at the end of monitoring, cancel configured monitoring and protection environment, recover the normal operation of goal systems Target OS; Need the operation carrying out arranging in monitoring protector in concrete registration and unregistration process, use hypercalls to carry out by integrity protection program IPS; In Intel VT-x, hypercalls make use of VMCALL instruction; For this reason, following three supersystems are provided to call: (1) HYPERCALL_CREATE: for notifying that monitoring protector creates SEPT paging structure, RAX register Transfer Parameters HYPERCALL_CREATE; (2) HYPERCALL_SET: for arranging kernel hooking in GEPT and SEPT, redirect code, the access rights of integrity protection program IPS place region of memory, for realizing the protection to integrality monitoring and protection environment, RAX register Transfer Parameters HYPERCALL_SET, RBX register Transfer Parameters start address start, RCX register Transfer Parameters end address end, RDX register Transfer Parameters component type (kernel hooking, redirect code, IPS code, IPS data); (3) HYPERCALL_DESTROY: for removing the memory protect measure arranged in monitoring protector, RAX register Transfer Parameters HYPERCALL_DESTROY; When integrity protection program IPS call supersystem call time, CPU can be trapped in monitoring protector, and monitoring protector carries out relevant treatment according to concrete parameter information.
5. operating system nucleus completeness protection method according to claim 1, is characterized in that integrity protection program IPS registers and monitoring and protection ambient As flow process: step 40 is as initial state; Step 41 distribute integrality defence program IPS run needed for stack and other data areas, for forming a closed running environment; Step 42 dynamically produces ips_context structure, goal systems Target OS contextual information and monitoring configuration information during for preserving monitoring, comprise and need to preserve stack pointer os_stack, IPS stack pointer ips_stack, entry and exit redirect code address ips_entry and ips_exit when Target OS is current to be run, IPS processing function entrance address ips_handler, kernel hooking address ips_hook and return address ips_return; Step 43 by IPS stack top address ips_stack, entry and exit redirect code address ips_entry, ips_exit, IPS processing function entrance ips_handler is saved in ips_context structure; Step 44 arranges kernel hooking, the present invention not limited subscriber adds the concrete mode of kernel hooking, guarantee that kernel hooking jumps to ips_entry position by user, and its address ips_hook and return address ips_return is saved in ips_context structure, ips_hook is used for calling scrutiny program, ensures that integrity protection program IPS is triggered by set kernel hooking; Step 45 is called HYPERCALL_CREATE hypercalls and is created SEPT paging structure, this process comprises a sub-process processed in monitoring protector, and be the index of SEPT page table base address ips_eptp in the EPTP list field of virtual machine control block VMCS with the transmission of RAX register rreturn value ips_index, ips_index; Whether step 46 judges that page memory protect shared by kernel hooking, redirect code, integrity protection program IPS is arranged and has all processed, and if so, then forwards step 48 to and terminates, otherwise forward step 47 to; Step 47 is called HYPERCALL_SET hypercalls and arrange kernel hooking in GEPT and SEPT, redirect code, the access rights of integrity protection program IPS place internal memory, for realizing the protection to kernel integrity monitoring and protection environment, this process comprises a sub-process processed in monitoring protector; Step 48 terminates.
6. operating system nucleus completeness protection method according to claim 1, is characterized in that the monitoring and protection flow process to kernel integrity: step 70 is initial state; In step 71 when being arranged on the hook in kernel and being triggered, the ips_entry place, address jumping to entry redirect code is performed; Perform task switching by entry redirect code in step 72, mainly execute the task to comprise and preserve goal systems Target OS register information before the handover, perform EPT blocked operation (GEPT switches to SEPT), integrality defence program IPS is set runs work stack ips_stack and jump to and call scrutiny program; Jump information can be recorded in LBR stack register in step 73, reading LBR stack register content, and compare with ips_hook, calling validity checking for performing, guarantee that control flow check is come from the hook redirect of correspondence, instead of goal systems Target OS malice triggers; If step 74 is identical, then it is legal to call, and proceeds to step 75, otherwise proceeds to the end of step 78 mistake; Step 75 jumps to the inspection of ips_handler place, integrity protection program IPS processing function entrance address execution kernel integrity and operates with protection, and the concrete security strategy performed is defined by the user; Step 76 is performed by exit redirect code and returns task, mainly execute the task comprise recover goal systems Target OS register information before the handover, perform EPT blocked operation, SEPT switches to GEPT and turns back in goal systems Target OS and continue to perform; Step 77 terminates; Step 78 mistake terminates.
7. operating system nucleus completeness protection method according to claim 1, is characterized in that entry redirect code flow: be made up of assembly instruction; Step 80 is initial state, and kernel hooking jumps to entry redirect code place; Step 81 uses CLI instruction to close interruption, ensures the atomicity that entry redirect code performs; The general-purpose register pop down that goal systems Target OS uses by step 82, the storehouse used by Target OS oneself is preserved; Step 83 is by RAX register assignment 0, and representing EPTP and switch (EPTP switching), is ips_index by RCX register assignment, performs VMFUNC instruction and is switched to SEPT; Step 84 performs CLI instruction again, prevents goal systems Target OS from directly skipping step 81, ensures the atomicity of kernel integrity monitoring and protection process; The stack pointer that goal systems Target OS uses is saved in the os_stack in ips_context by step 85; Step 86 by ips_stack assignment to RSP register; Step 87 jumps to step 73 and performs; Step 88 terminates.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510234249.3A CN104809401B (en) | 2015-05-08 | 2015-05-08 | A kind of operating system nucleus completeness protection method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510234249.3A CN104809401B (en) | 2015-05-08 | 2015-05-08 | A kind of operating system nucleus completeness protection method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104809401A true CN104809401A (en) | 2015-07-29 |
| CN104809401B CN104809401B (en) | 2017-12-19 |
Family
ID=53694214
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510234249.3A Active CN104809401B (en) | 2015-05-08 | 2015-05-08 | A kind of operating system nucleus completeness protection method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104809401B (en) |
Cited By (29)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106096455A (en) * | 2016-08-08 | 2016-11-09 | 王波 | A kind of main frame kernel data reduction protection method |
| CN106203082A (en) * | 2016-06-29 | 2016-12-07 | 上海交通大学 | The system and method efficiently isolating kernel module based on virtualization hardware characteristic |
| CN106778257A (en) * | 2016-12-08 | 2017-05-31 | 北京国电通网络技术有限公司 | A kind of anti-release apparatus of virtual machine |
| CN106775941A (en) * | 2016-12-08 | 2017-05-31 | 北京国电通网络技术有限公司 | A kind of virtual machine kernel completeness protection method and device |
| CN107016283A (en) * | 2017-02-15 | 2017-08-04 | 中国科学院信息工程研究所 | Android privilege-escalations attack safety defense method and device based on integrity verification |
| WO2017177801A1 (en) * | 2016-04-15 | 2017-10-19 | 中兴通讯股份有限公司 | Method and apparatus for realising integrity protection for operating system |
| CN107368739A (en) * | 2017-07-26 | 2017-11-21 | 北京理工大学 | A kind of monitoring method and apparatus of kernel-driven |
| CN107391225A (en) * | 2017-07-13 | 2017-11-24 | 北京航空航天大学 | A kind of monitoring method and system based on more EPT lists |
| CN107479946A (en) * | 2017-08-16 | 2017-12-15 | 南京大学 | A kind of interbehavior monitoring scheme of kernel module |
| CN107506638A (en) * | 2017-08-09 | 2017-12-22 | 南京大学 | A kind of kernel controlling stream method for detecting abnormality based on hardware mechanisms |
| CN107797895A (en) * | 2017-05-08 | 2018-03-13 | 中国人民解放军国防科学技术大学 | A kind of secure virtual machine monitoring method and system |
| CN108171061A (en) * | 2018-01-16 | 2018-06-15 | 武汉轻工大学 | A kind of Android system Kernel security detection method and device |
| CN108469984A (en) * | 2018-04-17 | 2018-08-31 | 哈尔滨工业大学 | It is a kind of to be examined oneself function grade virtual machine kernel dynamic detection system and method based on virtual machine |
| CN108573144A (en) * | 2017-03-08 | 2018-09-25 | 智能Ic卡公司 | The execution context data of safety |
| CN108763927A (en) * | 2018-01-16 | 2018-11-06 | 武汉轻工大学 | A kind of cloud system safety detection method and device |
| CN108958879A (en) * | 2017-05-24 | 2018-12-07 | 华为技术有限公司 | A kind of monitoring method and device of virtual machine |
| CN109271787A (en) * | 2018-07-03 | 2019-01-25 | 中国银联股份有限公司 | A kind of operating system security active defense method and operating system |
| CN109388948A (en) * | 2018-11-05 | 2019-02-26 | 杭州安恒信息技术股份有限公司 | A kind of potential malware analysis method and relevant apparatus based on virtualization technology |
| CN109522050A (en) * | 2018-09-10 | 2019-03-26 | 上海交通大学 | The internal storage data real-time recording method and system of stream recording characteristic are controlled based on processor |
| CN110348252A (en) * | 2018-04-02 | 2019-10-18 | 华为技术有限公司 | Operating system and method based on trusted domain |
| CN111177703A (en) * | 2019-12-31 | 2020-05-19 | 青岛海尔科技有限公司 | Method and device for determining data integrity of operating system |
| CN111177716A (en) * | 2019-06-14 | 2020-05-19 | 腾讯科技(深圳)有限公司 | Method, device, equipment and storage medium for acquiring executable file in memory |
| CN111400702A (en) * | 2020-03-24 | 2020-07-10 | 上海瓶钵信息科技有限公司 | Virtualized operating system kernel protection method |
| CN111881485A (en) * | 2020-07-14 | 2020-11-03 | 浙江大学 | Core sensitive data integrity protection method based on ARM pointer verification |
| CN112100686A (en) * | 2020-08-28 | 2020-12-18 | 浙江大学 | Core code pointer integrity protection method based on ARM pointer verification |
| CN112631671A (en) * | 2020-12-31 | 2021-04-09 | 东软睿驰汽车技术(沈阳)有限公司 | Method and device for initializing operating system |
| CN112989326A (en) * | 2021-04-08 | 2021-06-18 | 北京字节跳动网络技术有限公司 | Instruction sending method and device |
| US11436155B2 (en) | 2018-07-11 | 2022-09-06 | Huawei Technologies Co., Ltd. | Method and apparatus for enhancing isolation of user space from kernel space |
| CN117688552A (en) * | 2024-01-30 | 2024-03-12 | 龙芯中科技术股份有限公司 | Stack space protection method, electronic device, storage medium and computer program product |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030101381A1 (en) * | 2001-11-29 | 2003-05-29 | Nikolay Mateev | System and method for virus checking software |
| CN101226577A (en) * | 2008-01-28 | 2008-07-23 | 南京大学 | Method for protecting microkernel OS integrality based on reliable hardware and virtual machine |
| CN102222194A (en) * | 2011-07-14 | 2011-10-19 | 哈尔滨工业大学 | Module and method for LINUX host computing environment safety protection |
| CN103093150A (en) * | 2013-02-18 | 2013-05-08 | 中国科学院软件研究所 | Dynamic integrity protection method based on credible chip |
| CN103699498A (en) * | 2013-11-25 | 2014-04-02 | 南京大学 | Application key data protection system and protection method |
-
2015
- 2015-05-08 CN CN201510234249.3A patent/CN104809401B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030101381A1 (en) * | 2001-11-29 | 2003-05-29 | Nikolay Mateev | System and method for virus checking software |
| CN101226577A (en) * | 2008-01-28 | 2008-07-23 | 南京大学 | Method for protecting microkernel OS integrality based on reliable hardware and virtual machine |
| CN102222194A (en) * | 2011-07-14 | 2011-10-19 | 哈尔滨工业大学 | Module and method for LINUX host computing environment safety protection |
| CN103093150A (en) * | 2013-02-18 | 2013-05-08 | 中国科学院软件研究所 | Dynamic integrity protection method based on credible chip |
| CN103699498A (en) * | 2013-11-25 | 2014-04-02 | 南京大学 | Application key data protection system and protection method |
Non-Patent Citations (1)
| Title |
|---|
| 李珣等: "一个基于硬件虚拟化的内核完整性监控方法", 《计算机科学》 * |
Cited By (43)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2017177801A1 (en) * | 2016-04-15 | 2017-10-19 | 中兴通讯股份有限公司 | Method and apparatus for realising integrity protection for operating system |
| CN106203082A (en) * | 2016-06-29 | 2016-12-07 | 上海交通大学 | The system and method efficiently isolating kernel module based on virtualization hardware characteristic |
| CN106096455A (en) * | 2016-08-08 | 2016-11-09 | 王波 | A kind of main frame kernel data reduction protection method |
| CN106778257A (en) * | 2016-12-08 | 2017-05-31 | 北京国电通网络技术有限公司 | A kind of anti-release apparatus of virtual machine |
| CN106775941A (en) * | 2016-12-08 | 2017-05-31 | 北京国电通网络技术有限公司 | A kind of virtual machine kernel completeness protection method and device |
| CN107016283A (en) * | 2017-02-15 | 2017-08-04 | 中国科学院信息工程研究所 | Android privilege-escalations attack safety defense method and device based on integrity verification |
| CN107016283B (en) * | 2017-02-15 | 2019-09-10 | 中国科学院信息工程研究所 | Android privilege-escalation attack safety defense method and device based on integrity verification |
| CN108573144A (en) * | 2017-03-08 | 2018-09-25 | 智能Ic卡公司 | The execution context data of safety |
| CN107797895A (en) * | 2017-05-08 | 2018-03-13 | 中国人民解放军国防科学技术大学 | A kind of secure virtual machine monitoring method and system |
| CN108958879A (en) * | 2017-05-24 | 2018-12-07 | 华为技术有限公司 | A kind of monitoring method and device of virtual machine |
| CN107391225A (en) * | 2017-07-13 | 2017-11-24 | 北京航空航天大学 | A kind of monitoring method and system based on more EPT lists |
| CN107368739A (en) * | 2017-07-26 | 2017-11-21 | 北京理工大学 | A kind of monitoring method and apparatus of kernel-driven |
| CN107368739B (en) * | 2017-07-26 | 2020-02-07 | 北京理工大学 | Kernel drive monitoring method and device |
| CN107506638A (en) * | 2017-08-09 | 2017-12-22 | 南京大学 | A kind of kernel controlling stream method for detecting abnormality based on hardware mechanisms |
| CN107479946A (en) * | 2017-08-16 | 2017-12-15 | 南京大学 | A kind of interbehavior monitoring scheme of kernel module |
| CN107479946B (en) * | 2017-08-16 | 2020-06-16 | 南京大学 | Interactive behavior monitoring scheme of kernel module |
| CN108763927A (en) * | 2018-01-16 | 2018-11-06 | 武汉轻工大学 | A kind of cloud system safety detection method and device |
| CN108171061B (en) * | 2018-01-16 | 2021-02-02 | 武汉轻工大学 | Android system kernel safety detection method and device |
| CN108171061A (en) * | 2018-01-16 | 2018-06-15 | 武汉轻工大学 | A kind of Android system Kernel security detection method and device |
| CN110348252A (en) * | 2018-04-02 | 2019-10-18 | 华为技术有限公司 | Operating system and method based on trusted domain |
| CN110348252B (en) * | 2018-04-02 | 2021-09-03 | 华为技术有限公司 | Trust zone based operating system and method |
| US11443034B2 (en) | 2018-04-02 | 2022-09-13 | Huawei Technologies Co., Ltd. | Trust zone-based operating system and method |
| CN108469984B (en) * | 2018-04-17 | 2021-07-30 | 哈尔滨工业大学 | Virtual machine introspection function level-based dynamic detection system and method for inner core of virtual machine |
| CN108469984A (en) * | 2018-04-17 | 2018-08-31 | 哈尔滨工业大学 | It is a kind of to be examined oneself function grade virtual machine kernel dynamic detection system and method based on virtual machine |
| CN109271787A (en) * | 2018-07-03 | 2019-01-25 | 中国银联股份有限公司 | A kind of operating system security active defense method and operating system |
| US11436155B2 (en) | 2018-07-11 | 2022-09-06 | Huawei Technologies Co., Ltd. | Method and apparatus for enhancing isolation of user space from kernel space |
| CN109522050A (en) * | 2018-09-10 | 2019-03-26 | 上海交通大学 | The internal storage data real-time recording method and system of stream recording characteristic are controlled based on processor |
| CN109522050B (en) * | 2018-09-10 | 2020-11-17 | 上海交通大学 | Memory data real-time recording method and system based on processor control flow recording characteristics |
| CN109388948B (en) * | 2018-11-05 | 2021-02-26 | 杭州安恒信息技术股份有限公司 | Virtualization technology-based potential malware analysis method and related device |
| CN109388948A (en) * | 2018-11-05 | 2019-02-26 | 杭州安恒信息技术股份有限公司 | A kind of potential malware analysis method and relevant apparatus based on virtualization technology |
| CN111177716A (en) * | 2019-06-14 | 2020-05-19 | 腾讯科技(深圳)有限公司 | Method, device, equipment and storage medium for acquiring executable file in memory |
| CN111177716B (en) * | 2019-06-14 | 2024-04-02 | 腾讯科技(深圳)有限公司 | Method, device, equipment and storage medium for acquiring executable file in memory |
| CN111177703A (en) * | 2019-12-31 | 2020-05-19 | 青岛海尔科技有限公司 | Method and device for determining data integrity of operating system |
| CN111400702A (en) * | 2020-03-24 | 2020-07-10 | 上海瓶钵信息科技有限公司 | Virtualized operating system kernel protection method |
| CN111400702B (en) * | 2020-03-24 | 2023-06-27 | 上海瓶钵信息科技有限公司 | Virtualized operating system kernel protection method |
| CN111881485B (en) * | 2020-07-14 | 2022-04-05 | 浙江大学 | Core sensitive data integrity protection method based on ARM pointer verification |
| CN111881485A (en) * | 2020-07-14 | 2020-11-03 | 浙江大学 | Core sensitive data integrity protection method based on ARM pointer verification |
| CN112100686A (en) * | 2020-08-28 | 2020-12-18 | 浙江大学 | Core code pointer integrity protection method based on ARM pointer verification |
| CN112631671A (en) * | 2020-12-31 | 2021-04-09 | 东软睿驰汽车技术(沈阳)有限公司 | Method and device for initializing operating system |
| CN112989326A (en) * | 2021-04-08 | 2021-06-18 | 北京字节跳动网络技术有限公司 | Instruction sending method and device |
| WO2022213769A1 (en) * | 2021-04-08 | 2022-10-13 | 北京字节跳动网络技术有限公司 | Instruction sending method and apparatus |
| CN117688552A (en) * | 2024-01-30 | 2024-03-12 | 龙芯中科技术股份有限公司 | Stack space protection method, electronic device, storage medium and computer program product |
| CN117688552B (en) * | 2024-01-30 | 2024-04-12 | 龙芯中科技术股份有限公司 | Stack space protection method, electronic device, storage medium and computer program product |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104809401B (en) | 2017-12-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104809401A (en) | Method for protecting integrity of kernel of operating system | |
| RU2686552C2 (en) | Systems and methods for presenting a result of a current processor instruction when exiting from a virtual machine | |
| Werner et al. | No-execute-after-read: Preventing code disclosure in commodity software | |
| Nyman et al. | CFI CaRE: Hardware-supported call and return enforcement for commercial microcontrollers | |
| EP2973194B1 (en) | Linear address mapping protection | |
| US10628589B2 (en) | Methods, systems, and computer readable media for preventing code reuse attacks | |
| Azab et al. | HIMA: A hypervisor-based integrity measurement agent | |
| KR100602157B1 (en) | New processor mode for limiting the operation of guest software running on a virtual machine supported by a virtual machine monitor | |
| KR102189296B1 (en) | Event filtering for virtual machine security applications | |
| CN102096786A (en) | Cross-platform safety protection system based on hardware virtualization | |
| US20130091568A1 (en) | Systems and methods for secure in-vm monitoring | |
| US10140448B2 (en) | Systems and methods of asynchronous analysis of event notifications for computer security applications | |
| CN111858004A (en) | TEE expansion-based real-time application dynamic loading method and system for computer security world | |
| CN107479946B (en) | Interactive behavior monitoring scheme of kernel module | |
| EP3864555B1 (en) | Verifying a stack pointer | |
| US10503932B2 (en) | Secure mode state data access tracking | |
| KR20160019454A (en) | Security protection of software libraries in a data processing apparatus | |
| Wang et al. | Seimi: Efficient and secure smap-enabled intra-process memory isolation | |
| US10649787B2 (en) | Exception handling involving emulation of exception triggering data transfer operation using syndrome data store that includes data value to be transferred | |
| Shuo et al. | Prevent kernel return-oriented programming attacks using hardware virtualization | |
| Jiang et al. | HyperCrop: a hypervisor-based countermeasure for return oriented programming | |
| Jia et al. | Defending return‐oriented programming based on virtualization techniques | |
| Zhang et al. | Super Root: A New Stealthy Rooting Technique on ARM Devices | |
| CN111737656A (en) | Privileged hardware resource access method for application program and electronic equipment | |
| Ahmed et al. | Rule-based integrity checking of interrupt descriptor tables in cloud environments |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| EXSB | Decision made by sipo to initiate substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |