CN106407817A - Trusted measurement method and system of exchange process - Google Patents
- Publication number: CN106407817A (application CN201610613701.1A)
- Authority: CN (China)
- Prior art keywords: exchange process, credible, base, information, exchange
- Legal status: Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
Abstract
The invention discloses a trusted measurement method and system of an exchange process. The method comprises the following steps of: obtaining a pre-constructed trusted measurement information base of the exchange process, wherein the trusted measurement information base comprises measurement information corresponding to each preset measurement factor which carries out trusted measurement on the exchange process; and on the basis of the trusted measurement information base, carrying out the trusted measurement on the exchange process to obtain a measurement result. Obviously, when the scheme of the invention is applied, the exchange process can be subjected to the trusted measurement to effectively obtain whether the exchange process is trusted or not so as to provide support for the controllability of the exchange process. In practical application, on the basis of a measurement result obtained when the trusted measurement method is applied to the trusted measurement of the exchange process, corresponding safety control is carried out on the exchange process to guarantee the information safety of the exchange process.
Description
Technical field
The invention belongs to the field of process detection and measurement technology, and more particularly relates to a trusted measurement method and system for an exchange process.
Background
With the continuous development of network technology and national informatization, information security has received great attention. At present, the security classification and protection work for important information systems has been basically completed, and information security is guaranteed to a certain degree.
However, information systems built for different requirements and different levels of importance cannot interconnect, and the information islands that result conflict with the actual demand for information exchange in informatization. Information often needs to be shared between different information systems or security domains, but sharing brings corresponding security risks. Take an Internet-based electronic application system as an example: such a system often has a public data processing zone and a sensitive data processing zone. While information is shared between the two zones, an attacker may well hijack the exchange process and interfere with normal exchange activity, making the exchange process uncontrollable, and thereby illegally steal sensitive information or tamper with the exchanged data.
For this reason, to make the exchange process controllable and so ensure information security, it is necessary to perform trusted measurement on the exchange process and determine effectively whether it is trusted.
Summary of the invention
In view of this, the object of the invention is to provide a trusted measurement method and system for an exchange process, intended to support the controllability of the exchange process by performing trusted measurement on it.
To this end, the invention discloses the following technical scheme:
A trusted measurement method for an exchange process, comprising:
Obtaining a pre-built trusted measurement information base of the exchange process; the trusted measurement information base comprises the reference measurement information corresponding to each predetermined measurement factor used for trusted measurement of the exchange process;
Performing trusted measurement on the exchange process based on the trusted measurement information base to obtain a measurement result.
Preferably, in the above method, the trusted measurement information base comprises a static measurement information base and a dynamic measurement information base, wherein:
The static measurement information base comprises static program information, dynamic link library information, system kernel information, dependency information between the exchange process and dynamic link libraries, dependency information between different dynamic link libraries, and dependency information between dynamic link libraries and the system kernel;
The dynamic measurement information base comprises the process state set, the process initial state set, the process end state set and the process state transition set.
Preferably, in the above method, building the trusted measurement information base of the exchange process in advance comprises:
Building the trusted measurement information base in advance from multiple benign executions of the exchange process.
Preferably, in the above method, building the trusted measurement information base in advance from multiple benign executions of the exchange process comprises:
Establishing the static measurement information base of the exchange process in advance from the program dependency graph corresponding to multiple benign executions of the exchange process; the program dependency graph comprises the dependency relations between vertices of each type, and the vertex types comprise a first vertex representing the exchange process, second vertices representing dynamic link libraries and a third vertex representing the system kernel;
Capturing in advance the function calls made by the exchange process during multiple benign executions and analyzing the relations between the function calls; and establishing the dynamic measurement information base of the exchange process from the relations between the function calls.
Preferably, in the above method, performing trusted measurement on the exchange process based on the trusted measurement information base comprises:
Based on the static measurement information base, using a preset static measurement strategy to measure the static program, dynamic link libraries and system kernel corresponding to the exchange process, and the dependencies among the static program, the dynamic link libraries and the system kernel;
Based on the dynamic measurement information base, measuring the function calls, the process state transitions and the system resource usage during execution of the exchange process.
Preferably, in the above method, the static measurement strategy is any one of one-time measurement, on-demand measurement and measurement by importance.
A trusted measurement system for an exchange process, comprising:
An acquisition module, for obtaining a pre-built trusted measurement information base of the exchange process; the trusted measurement information base comprises the reference measurement information corresponding to each predetermined measurement factor used for trusted measurement of the exchange process;
A measurement module, for performing trusted measurement on the exchange process based on the trusted measurement information base to obtain a measurement result.
Preferably, the above system further comprises:
A preprocessing module, for building the trusted measurement information base of the exchange process in advance from multiple benign executions of the exchange process.
Preferably, in the above system, the preprocessing module comprises:
A first construction unit, for establishing the static measurement information base of the exchange process in advance from the program dependency graph corresponding to multiple benign executions of the exchange process; the program dependency graph comprises the dependency relations between vertices of each type, and the vertex types comprise a first vertex representing the exchange process, second vertices representing dynamic link libraries and a third vertex representing the system kernel;
A second construction unit, for capturing in advance the function calls made by the exchange process during multiple benign executions and analyzing the relations between the function calls, and for establishing the dynamic measurement information base of the exchange process from the relations between the function calls.
Preferably, in the above system, the measurement module comprises:
A static measurement unit, for using a preset static measurement strategy, based on the static measurement information base, to measure the static program, dynamic link libraries and system kernel corresponding to the exchange process, and the dependencies among the static program, the dynamic link libraries and the system kernel;
A dynamic measurement unit, for measuring, based on the dynamic measurement information base, the function calls, the process state transitions and the system resource usage during execution of the exchange process.
As the above scheme shows, the trusted measurement method and system disclosed in this application obtain a pre-built trusted measurement information base of the exchange process, where the trusted measurement information base comprises the measurement information corresponding to each predetermined measurement factor used for trusted measurement of the exchange process, and perform trusted measurement on the exchange process based on that information base to obtain a measurement result. Applying the scheme of this application therefore makes it possible to perform trusted measurement on the exchange process and determine effectively whether it is trusted, which supports the controllability of the exchange process. In practical application, the measurement result obtained by applying this application to the exchange process can be used to apply corresponding security control to the exchange process and so ensure its information security.
Brief description of the drawings
To explain the embodiments of the invention or the technical schemes of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative work.
Fig. 1 is a flowchart of the trusted measurement method for an exchange process provided by Embodiment One of this application;
Fig. 2 is an example of the structure of the program dependency graph provided by Embodiment One of this application;
Fig. 3 and Fig. 4 are schematic structural diagrams of the trusted measurement system for an exchange process provided by Embodiment Three of this application.
Detailed description of the embodiments
For ease of reference and clarity, the technical terms, shorthand and abbreviations used below are explained as follows:
Shellcode: a piece of code (it may also be padding data) that is sent to a server to exploit a specific vulnerability and can generally obtain privileges. Shellcode is usually sent to the attacked server as data, and is the core of overflow programs and worm viruses.
Dynamic function call tree set: in this application, all function call trees contained in a dynamic function call tree set correspond to the same exchange process. The function call trees for different running stages of the same exchange process are usually different; in addition, when the same exchange process is run multiple times, its function call tree may differ even for the same stage. The function call relations of one execution trace of a process can be represented by an ordered tree, called a dynamic function call tree; the results obtained from multiple executions constitute the dynamic function call tree set.
The technical schemes in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative work fall within the scope of protection of the invention.
Embodiment One
Embodiment One of this application discloses a trusted measurement method for an exchange process. With reference to the flowchart shown in Fig. 1, the method may comprise the following steps:
S101: Obtain a pre-built trusted measurement information base of the exchange process; the trusted measurement information base comprises the reference measurement information corresponding to each predetermined measurement factor used for trusted measurement of the exchange process.
Process behavior refers to the outward form of a running process and the evolution of its state; one execution of a process is a sequence of behaviors occurring in time order. Combining these behaviors in time order with the concatenation operator " " gives what is called the process behavior trace, and the set of all behaviors in the execution of the process is called the behavior set of the behavior trace. In software behavior science, a behavior information base refers to the physical meaning and significance of a subject traversing the behavior tree and engaging in behaviors on it, and is a description in the semantic domain. This application redefines that description against the background of secure data exchange and, keeping the concept of an information base, defines a trusted measurement information base (TMIB, Trust Measurement Information Base). In this application, the trusted measurement information base refers specifically to the measurement information corresponding to each predetermined measurement factor used for trusted measurement of the exchange process.
Specifically, this application analyzes the factors that affect whether the exchange process is trusted. It brings static factors (the static program of the process, the dynamic link libraries the process depends on, and the system kernel) and environmental factors during process execution (such as ports and the CPU (Central Processing Unit)) into the analysis of the behavior trace of the exchange process, so as to determine the extended behavior trace of the exchange process. The extended behavior trace comprises the time-ordered combination of process behaviors; static factors such as the static program of the process, the dynamic link libraries it depends on and the system kernel; and environmental factors during process execution, such as ports and the CPU. On this basis, a trusted measurement information base based on the extended behavior trace of the exchange process is built.
According to the measurement factors concerned, the trusted measurement information base comprises a static measurement information base and a dynamic measurement information base.
(1) Static measurement information base
Static trust of the exchange process is the basis on which the exchange process runs. Trojans and viruses commonly modify the static program of the exchange process and its associated dynamic link libraries, the system kernel and so on, in order to gain control of the system and affect the normal execution of exchange activity. For this reason, this application divides the objects of static measurement into three aspects: the static program of the process, the dynamic link libraries and the system kernel.
The exchange process is created by loading the static program of the process into memory and initializing the process control information, so the integrity of the static program of the exchange process is the basis on which the exchange process runs. Dynamic link libraries are resources shared by the processes executing in the system; attackers often use Trojans or viruses to infect or replace dynamic link library files so that the process runs insecurely. The system kernel is the most basic part of the operating system and forms the core framework of the whole operating system; the basic functions of the operating system, such as driver management, resource sharing and process scheduling, are all provided by the system kernel.
The system kernel mainly comprises the kernel code segment, the kernel read-only data segment, the system call table, the interrupt descriptor table, the global descriptor table and kernel modules. The function of each part is shown in Table 1.
Table 1
With reference to Fig. 2, the relations between the process and the above three aspects can be represented by a program dependency graph. The process program dependency graph is a directed acyclic graph $G_{PDG}(V', E')$, where $V'$ denotes the vertices of the graph and $E'$ denotes the dependencies between the vertices.
Specifically, $V' = \langle P/D/K, inDegree, outDegree \rangle$, where $P$ denotes the process set, which contains the exchange process element $p$; $D = \{d_1, d_2, \ldots, d_n\}$ denotes the set of dynamic link libraries that the exchange process depends on; and $K$ denotes the system kernel set. For every type of vertex in the graph (exchange process, dynamic link library, system kernel), this application introduces the concept of degree to represent its number of dependencies, where $inDegree$ and $outDegree$ denote in-degree and out-degree respectively. That is, for a vertex, its $inDegree$ is the number of times it is depended on by other vertices of the graph, and its $outDegree$ is the number of times it depends on other vertices of the graph.
The program dependency graph shown in Fig. 2 shows that $G_{PDG}$ has the following features:
(1) There are two special vertices, $p$ (the exchange process) and $k$ (the kernel). The in-degree of $p$ is 0, the out-degree of $k$ is 0, and the in-degree and out-degree of every other vertex are both greater than 0.
(2) $G_{PDG}$ is a directed acyclic graph, so no two vertices depend on each other, i.e. $\langle v_i', v_j' \rangle$ and $\langle v_j', v_i' \rangle$ cannot both occur.
The TMIB can be established by dynamic training over multiple benign executions of the exchange process. A benign execution is one in which the exchange process runs without anomaly, attack or damage, so that the trusted measurement information contained in the resulting TMIB can serve as the reference against which the exchange process is measured.
Specifically, this application establishes the static measurement information base of the exchange process in advance from the program dependency graph corresponding to multiple benign executions of the exchange process. The static measurement information base so established comprises the reference measurement information of each measurement factor: static program information, dynamic link library information, system kernel information, dependency information between the exchange process and dynamic link libraries, dependency information between different dynamic link libraries, and dependency information between dynamic link libraries and the system kernel. Static trusted measurement of the exchange process can subsequently be performed against the reference measurement information of these measurement factors in the static measurement information base.
(2) Dynamic measurement information base
Static trusted measurement of the exchange process can establish trust before the process starts. However, static measurement is usually completed before the process is loaded into memory and ensures only one of the prerequisites for the exchange process to be trusted; the dynamic trust of the exchange process is equally important. For this reason, in order to perform dynamic trusted measurement on the exchange process, this embodiment next describes the construction of the dynamic measurement information.
First, the items on which construction of the dynamic measurement information base relies need to be defined, specifically the function call, the function call set, the dynamic function call tree, the state transition edge, the state transition path and the process state.
Definition 1: Function call
Starting from the first function call executed by the exchange process, each function call $f$ can be represented by a four-tuple $f = \langle fid, fname, obj, ostate \rangle$, where $fid$ is the function call number, which uniquely identifies one function call (the same function may be called many times during execution of the process, and in the execution trace each call is treated as a different call event); $fname$ is the name of the called function; $obj$ is the set of objects of the function call; and $ostate$ is the set of states of the objects of the function call.
Definition 2: Function call set
$V = \{f_1, f_2, f_3, \ldots, f_n\}$, $f_i \in V$, $1 \le i \le n$, i.e. the set of all function calls of the process in one execution trace, where $f_i$ is the function call made by the process at the $i$-th moment.
Definition 3: Dynamic function call tree
$Tree = \langle V, G \rangle$, where $V$ is the function call set and $G$ is the set of binary relations between function calls. A process generally has a unique entry function, and all other functions are called directly or indirectly by that function, so the function call relations of one execution trace of the process can be represented by an ordered tree, called a dynamic function call tree. For an element $f_i$ of the tree, the distance from $f_i$ to the root node is the depth of $f_i$, denoted $h(f_i)$.
Definition 4: State transition edge
$E = \{e_1, e_2, e_3, \ldots, e_n\}$, $e_i = \langle f_i, tostateno \rangle$, $1 \le i \le n$. In the TMIB model, $e_i$ represents one transition of the process state and is called a state transition edge. Transitions of the process state are triggered by function calls, i.e. process state transitions correspond to function call relations. Here $f_i$ is one function call and $tostateno$ is the number of the state the process moves to after function call $f_i$; if the function call does not change the process state, the target state of the corresponding transition edge is the current state itself.
Definition 5: State transition path
$Path = \langle e_1, e_2, \ldots, e_n \rangle$ denotes the state transition path formed by all state transition edges of the process in one execution trace. Different execution traces of the process can lead to different state transition paths.
Definition 6: Process state
$S = \langle stateno, pathlist, resources \rangle$ denotes a running state of the process, where $stateno$ is the state number, which uniquely identifies one state in the model; $pathlist = \langle path_1, path_2, path_3, \ldots, path_m \rangle$ is the set of execution paths available in this state, where $path_i$ ($1 \le i \le m$) is the $i$-th execution path; and $resources$ is the system resources occupied by the process in this state, such as a COM1 port or the CPU.
Building on the above description of the static measurement information base and the dynamic measurement information base, the trusted measurement information base TMIB based on the extended behavior trace is defined next.
Definition 7: Trusted measurement information base
$TMIB = \langle S, T, S_0, S_E, H \rangle$, where $S$, $T$, $S_0$ and $S_E$ belong to the dynamic measurement information base: $S$ is the process state set, $S_0$ is the process initial state set, $S_E$ is the process end state set, and $T = \{e_i \mid e_i \in E\}$ is the process state transition set. $H$ is the static measurement information base set of the process.
As stated above, the TMIB can be established by dynamic training over multiple benign executions of the exchange process. The static measurement information base can be built from the program dependency graph. For the dynamic measurement information base, the function calls made by the exchange process during execution must first be captured; the function call relations are then analyzed and the dynamic function call trees constructed, and a finite state machine model is established from the constructed dynamic function call trees to form the dynamic measurement information base.
The construction of the dynamic measurement information base is described in detail below:
Initialize the TMIB: generate the initial state $S_0$ from the function calls and resource usage of the process, and add $S_0$ to the TMIB. Then take one function call tree from the dynamic function call tree set as the tree currently being trained. The training procedure is the same for every function call tree and is as follows. First, initialize CurrentState to the initial state $S_0$ of the TMIB produced by the previous round of training. Then take the function calls of the current function call tree one at a time: convert the function call into the corresponding transition edge e, and generate the next state NextState from the current state, the transition edge and the system resource usage. Next, check whether NextState already exists in the process state set S of the TMIB; if it does not, add it, and if it does, set NextState to the state already present in S. Then point the state transition edge e at NextState and check whether e exists in the transition path set pathlist of CurrentState, adding it if it does not. Finally, update CurrentState to NextState and take the next function call, repeating the above processing for each function call taken until all function calls in the current function call sequence have been processed. Every call tree in the function call tree set to be trained is trained by this procedure until the final TMIB is generated.
With the TMIB established in advance, whenever trusted measurement of the exchange process is required, the TMIB can be loaded and the exchange process measured against it.
S102: Perform trusted measurement on the exchange process based on the trusted measurement information base to obtain a measurement result.
Building on step S101, this step uses the loaded TMIB to perform trusted measurement of the exchange process. The basic idea of TMIB-based trusted measurement is to collect the extended behavior trace information of one execution of the exchange process to be measured, compare the collected information with the reference measurement information contained in the TMIB, and judge from the comparison whether the exchange process is trusted. The TMIB comprises a static measurement information base and a dynamic measurement information base, so both static trusted measurement and dynamic trusted measurement of the exchange process can be performed.
Considering aspects of the exchange task (the exchange task corresponding to the exchange process) such as security and operating efficiency, this application provides the following three static measurement strategies: one-time measurement, on-demand measurement and measurement by importance. The measurement characteristics of the three static measurement strategies are shown in Table 2 below.
Table 2
When static measurement of the exchange process is required, the TMIB is loaded first. The chosen static measurement strategy is then applied, using the static measurement information base of the TMIB, to measure the files associated with the static program dependency graph. For example, the static program of the exchange process, the dynamic link libraries, the system kernel and the dependencies among the three, as given by the static program dependency graph, can each be compared with the corresponding reference measurement information in the static measurement information base, and the static measurement result is drawn from the comparison.
When applying and implementing this application, any one of the above three static measurement strategies can be chosen for static measurement of the exchange process according to the actual measurement requirements, such as requirements on security or operating efficiency.
If the one-time measurement strategy is chosen, then before the exchange process is started and run, integrity measurement must be performed on its static program, on all the dynamic link libraries it depends on, and on the system kernel. According to the characteristics of the program dependency graph $G_{PDG}$, whichever of the breadth-first and depth-first search algorithms is more suitable can be chosen to traverse the vertices of $G_{PDG}$ and perform integrity measurement on each in turn. If any measurement value differs from the corresponding reference content of the static measurement information base in the TMIB, the process is untrusted and the measurement ends; if all are equal, measurement continues with the dynamic measurement of the exchange process.
If the on-demand measurement strategy is chosen, then when the exchange process calls a dynamic link library or the system kernel, it is first determined whether a dependency on that dynamic link library or system kernel exists. If it does, integrity measurement is performed by comparing the dependency, and the dynamic link library or system kernel involved in the dependency, with the corresponding reference content of the static measurement information base in the TMIB. If the comparison shows the two to be identical, the process is considered trusted and measurement continues with the dynamic measurement of the exchange process; if they are not identical, the measurement ends.
If the measurement-by-importance strategy is chosen, the vertices to be measured must be selected in advance from the program dependency graph $G_{PDG}$ according to the importance of the vertices, for example by selecting the vertices whose in-degree and out-degree sum to 4 or more. Likewise, if any measurement value differs from the corresponding reference content of the static measurement information base in the TMIB, the measurement ends; otherwise, measurement continues with the dynamic measurement of the exchange process.
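The three static measurement strategies described above, run against one program dependency graph, as an added example that is not part of the patent text. The file names and contents are constructed, SHA-256 is an assumed choice of integrity hash (the page names none), and the class and method names are hypothetical.

```python
import hashlib

def digest(data: bytes) -> str:
    # Assumption: SHA-256 as the integrity measurement; the page does not name a hash.
    return hashlib.sha256(data).hexdigest()

class StaticBase:
    """Static measurement information base built from one program dependency graph."""

    def __init__(self, root, kernel, edges, contents):
        self.root, self.kernel = root, kernel
        self.deps = {v: set() for v in contents}      # vertex -> vertices it depends on
        for src, dst in edges:
            self.deps[src].add(dst)
        self.reference = {v: digest(c) for v, c in contents.items()}
        self._validate()

    def degree(self, v):
        """Return (inDegree, outDegree) of vertex v."""
        in_degree = sum(v in out for out in self.deps.values())
        return in_degree, len(self.deps[v])

    def _validate(self):
        # Feature (1): p has in-degree 0, k has out-degree 0, every other vertex has both > 0.
        for v in self.deps:
            ind, outd = self.degree(v)
            ok = (ind == 0 if v == self.root else
                  outd == 0 if v == self.kernel else ind > 0 and outd > 0)
            if not ok:
                raise ValueError(f"vertex {v!r} violates the degree rules")
        # Feature (2): the graph is acyclic (Kahn's algorithm must consume every vertex).
        remaining = {v: self.degree(v)[0] for v in self.deps}
        ready = [v for v, d in remaining.items() if d == 0]
        done = 0
        while ready:
            v = ready.pop()
            done += 1
            for w in self.deps[v]:
                remaining[w] -= 1
                if remaining[w] == 0:
                    ready.append(w)
        if done != len(self.deps):
            raise ValueError("dependency graph contains a cycle")

    def _dfs(self):
        # Depth-first traversal from the exchange process vertex.
        seen, stack, order = set(), [self.root], []
        while stack:
            v = stack.pop()
            if v not in seen:
                seen.add(v)
                order.append(v)
                stack.extend(sorted(self.deps[v], reverse=True))
        return order

    def _first_mismatch(self, vertices, current):
        # A missing file counts as a mismatch, the same as a changed one.
        for v in vertices:
            data = current.get(v)
            if data is None or digest(data) != self.reference[v]:
                return (False, v)
        return (True, None)

    def measure_once(self, current):
        """One-time strategy: measure every vertex before the process starts."""
        return self._first_mismatch(self._dfs(), current)

    def measure_on_demand(self, caller, callee, current):
        """On-demand strategy: check the dependency edge, then measure the callee."""
        if callee not in self.deps.get(caller, ()):
            return (False, f"{caller}->{callee}")
        return self._first_mismatch([callee], current)

    def measure_by_importance(self, current, threshold=4):
        """Importance strategy: measure vertices with inDegree + outDegree >= threshold."""
        important = [v for v in self._dfs() if sum(self.degree(v)) >= threshold]
        return self._first_mismatch(important, current)

# Constructed sample: one exchange process, three libraries, one kernel image.
CONTENTS = {
    "exchanged": b"exchange process static program",
    "libnet.so": b"network library",
    "libparse.so": b"parser library",
    "libcrypto.so": b"crypto library",
    "kernel": b"kernel image",
}
EDGES = [
    ("exchanged", "libnet.so"), ("exchanged", "libparse.so"), ("exchanged", "libcrypto.so"),
    ("libnet.so", "libcrypto.so"), ("libnet.so", "kernel"),
    ("libparse.so", "libcrypto.so"), ("libparse.so", "kernel"),
    ("libcrypto.so", "kernel"),
]
BASE = StaticBase("exchanged", "kernel", EDGES, CONTENTS)

def tampered(name):
    """Return a copy of the current file set with one file modified."""
    current = dict(CONTENTS)
    current[name] += b" modified"
    return current
```

With this graph only libcrypto.so reaches the importance threshold of 4, so a change to libparse.so passes the importance strategy but fails one-time measurement, which is the security versus efficiency trade-off between the strategies.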
If the static trusted measurement of the exchange process passes, i.e. the current static trusted measurement result of the exchange process is trusted, dynamic trusted measurement of the exchange process can follow: the function calls, process state transitions and system resource usage during execution of the exchange process are monitored, and the monitored information is compared with the corresponding reference content of the dynamic measurement information base of the TMIB, giving the dynamic trusted measurement result of the exchange process.
Specifically, when the static trusted measurement of the exchange process passes, CurrentState is set to the initial state in the TMIB. When the exchange process makes a function call, it is checked whether the corresponding edge is a legal transition edge of the current state; if it is not, an exception is returned and the dynamic measurement result of the exchange process is untrusted. When all function calls have been checked and their corresponding edges are all in the TMIB, normal is returned, and the dynamic measurement result of the exchange process is trusted.
As the above scheme shows, the trusted measurement method for an exchange process disclosed in this application obtains a pre-built trusted measurement information base of the exchange process, where the trusted measurement information base includes the measurement information corresponding to each predetermined measurement factor used to perform trusted measurement on the exchange process; and, based on the trusted measurement information base, performs trusted measurement on the exchange process to obtain a measurement result. Applying the scheme of this application therefore makes it possible to perform trusted measurement on an exchange process and to learn effectively whether the exchange process is trusted, which supports the controllability of the exchange process. In practice, corresponding security control can be applied to the exchange process on the basis of the measurement result obtained by applying this application's trusted measurement to it, so as to ensure the information security of the exchange process.
Embodiment two
This embodiment takes as an example the ability of the application's trusted measurement method for exchange processes to detect several common attack methods, and analyzes the effectiveness and security of the method.
Specifically, the typical attack methods used in this embodiment are the code injection attack, the impossible path attack, the impersonation attack and the attack on data semantics. For each attack method, the effectiveness and security of the application's method are analyzed as follows:
1) Code injection attack
In a code injection attack, the attacker injects a piece of executable binary code into the running space of the exchange process in order to change the normal execution flow of the exchange process. By executing the injected code the attacker gains control of the exchange process and can then steal sensitive information.
With the application's trusted measurement method for exchange processes, the extra function call information that the injected code causes, or the changes and damage it makes to the system environment, can be detected. Depending on the injected shellcode, code injection attacks can be subdivided into two types. If the injected code destroys the integrity of the process's executable file, a dynamic link library or a system kernel module, the static measurement procedure of the exchange process promptly finds that the static information associated with the process differs from the static measurement information base in the TMIB, so execution of the exchange process can be prevented. If the injected code causes a function call whose fid differs from that of the current function call, the dynamic measurement procedure of the exchange process promptly finds that the process state differs from the reference value in the TMIB and stops the exchange process from continuing. If the injected code causes a function call whose fid is the same as that of the current function call and only the call parameters differ, the dynamic measurement procedure likewise promptly finds that the process has been attacked. If the injected code causes a large change in system resource state, this is also found promptly, because the execution environment state is monitored in real time while the exchange process executes.
2) Impossible path attack
According to the description of the traditional finite-state automaton model [58], an impossible path is one in which a function returns to a different call site of the same name. Because the structure of the dynamic trusted measurement information base in the TMIB is still a finite-state automaton model, impossible path attacks still have to be considered. In this application, an impossible path is specifically a path that exists in the process state set of the TMIB but does not exist in the actual execution of the exchange process.
In the TMIB, the dynamic trusted measurement information base is built using a dynamic function call tree to represent the function call relationships, and repeated calls by the exchange process to the same function are treated as different call events and identified by different function call pids. In addition, the TMIB detects impossible paths by introducing state transition paths, with different transition paths representing the ordered sets of edges on one and the same path. Therefore, when an attacker uses the directed-edge set information in the TMIB to construct a path that does not exist in actual execution, that path is detected as abnormal.
3) Impersonation attack
In an impersonation attack, the attacker does not change the function call sequence of the exchange process's normal execution but achieves the attack by modifying function call parameters. An example of an impersonation attack is given below:
fd = open("/tmp/file.tmp", ...); ... read(fd, ...); ... write(fd, ...); ... close(fd);
The attacker can change the parameter of the open call in the example above, without changing the order in which the function calls execute, and obtain the contents of the password file:
fd = open("/etc/passwd", ...); ... read(fd, ...); ... write(1, ...); ... close(fd);
Traditional finite automaton models, and models that do not analyze call parameters, lack detection of function call parameters and therefore cannot effectively detect impersonation attacks. The TMIB in this application's method is built by combining control-flow analysis of function calls with data-flow analysis, so once the parameter of the open call in the example above has been modified, the application's TMIB-based trusted measurement method finds that a function call parameter changed during execution of the exchange process, and the impersonation attack is effectively detected.
Here, control flow is an abstract representation of all possible event sequences in a program's execution; in this document it refers specifically to the function call sequences that may occur, as represented by the function call tree set of the process mentioned above. Data flow is the direction in which data moves during program execution; in this document it refers specifically to the parameter information of called functions, that is, the last two parameters contained in the function call definition mentioned above.
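The CurrentState check from embodiment one, applied to the open/read/write/close example above, as an added example that is not code from the patent. The state names, the "FD" placeholder for the descriptor returned by open, the final-state check and the `check_args` switch (which models an automaton that ignores parameters) are assumptions.

```python
from typing import NamedTuple, Optional

class Call(NamedTuple):
    fid: str                    # function identifier
    args: tuple                 # monitored argument values
    ret: Optional[int] = None   # return value seen by the monitor

INITIAL, FINAL = "s0", "s4"
# Constructed dynamic measurement base: state -> {(fid, args): next state}.
# "FD" stands for "the descriptor returned by the earlier open call".
TRANSITIONS = {
    "s0": {("open", ("/tmp/file.tmp",)): "s1"},
    "s1": {("read", ("FD",)): "s2"},
    "s2": {("write", ("FD",)): "s3"},
    "s3": {("close", ("FD",)): "s4"},
}

def measure(trace, check_args=True):
    """Walk the trace from the initial state; return (trusted, reason)."""
    current, fd = INITIAL, None
    for i, call in enumerate(trace):
        # Data flow: replace the live descriptor value by its symbolic name.
        args = tuple("FD" if fd is not None and a == fd else a for a in call.args)
        legal = TRANSITIONS.get(current, {})
        if check_args:
            nxt = legal.get((call.fid, args))
        else:  # control flow only: any arguments are accepted for a known fid
            nxt = next((s for (fid, _), s in legal.items() if fid == call.fid), None)
        if nxt is None:
            return False, f"call {i}: {call.fid}{args} is not a legal transition from {current}"
        if call.fid == "open":
            fd = call.ret
        current = nxt
    if current != FINAL:
        return False, f"trace ended in non-final state {current}"
    return True, "trusted"

# Constructed traces. The descriptor value 3 is arbitrary.
BENIGN = [Call("open", ("/tmp/file.tmp",), 3), Call("read", (3,)),
          Call("write", (3,)), Call("close", (3,))]
IMPERSONATION = [Call("open", ("/etc/passwd",), 3), Call("read", (3,)),
                 Call("write", (1,)), Call("close", (3,))]
WRITE_REDIRECTED = [Call("open", ("/tmp/file.tmp",), 3), Call("read", (3,)),
                    Call("write", (1,)), Call("close", (3,))]
REORDERED = [Call("open", ("/tmp/file.tmp",), 3), Call("write", (3,)),
             Call("read", (3,)), Call("close", (3,))]

if __name__ == "__main__":
    for name in ("BENIGN", "IMPERSONATION", "WRITE_REDIRECTED", "REORDERED"):
        trace = globals()[name]
        print(name, measure(trace), "| control flow only:", measure(trace, False)[0])
```

With `check_args=False` the impersonation trace is accepted, because its call order is unchanged; with parameters recorded on the edges it is rejected at the first call.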
4) Attack on data semantics
Traditional data-flow analysis techniques focus on the data value itself and pay no attention to the concrete semantics that the data value represents. An attack on data semantics exploits the fact that the same object handle value may actually represent different system objects, or that different object handle values may represent the same system object.
For this kind of attack, an attack instance similar to the impersonation attack is chosen below. Assume that the initial function call sequence is as follows:
fhandle = OpenFile("c:\1.pdf"); ReadFile(fhandle, ...); WriteFile(fhandle, ...); CloseHandle(fhandle);
The attacker can hijack the function WriteFile so that whenever a process of the application calls WriteFile, the new WriteFile function written by the attacker is executed instead. For example, inside this function the attacker can change the file object represented by fhandle ("c:\1.pdf") to a new file object ("c:\2.pdf"). The application does not notice that its execution has changed, and detection methods based on control flow and on traditional data flow cannot detect this kind of attack. Because the TMIB in the application's TMIB-based trusted measurement method for exchange processes includes function call parameter information, it is able to detect this kind of attack.
The detection analysis of these attack types shows that the method of this application can effectively detect the various attacks on an exchange process, and so ensures the trustworthiness of the exchange process to a large extent.
Embodiment three
Embodiment three of this application discloses a trusted measurement system for an exchange process. Referring to the structural diagram of the system shown in Fig. 3, the system includes an acquisition module 100 and a measurement module 200.
The acquisition module 100 is configured to obtain the pre-built trusted measurement information base of the exchange process; the trusted measurement information base includes the reference measurement information corresponding to each predetermined measurement factor used to perform trusted measurement on the exchange process.
The measurement module 200 is configured to perform trusted measurement on the exchange process based on the trusted measurement information base and obtain a measurement result.
The measurement module 200 includes a static measurement unit and a dynamic measurement unit.
The static measurement unit is configured to measure, based on the static measurement information base and using a preset static measurement policy, the static program, dynamic link libraries and system kernel corresponding to the exchange process, and the dependencies among the static program, the dynamic link libraries and the system kernel;
The dynamic measurement unit is configured to measure, based on the dynamic measurement information base, the function calls, process state transitions and system resource usage during execution of the exchange process.
The functions of the modules of the system depend on the trusted measurement information base of the exchange process having been built in advance. Accordingly, as shown in Fig. 4, the system may further include a preprocessing module 300, configured to build the trusted measurement information base of the exchange process in advance from multiple benign executions of the exchange process.
The preprocessing module 300 includes a first construction unit and a second construction unit.
The first construction unit is configured to build the static measurement information base of the exchange process in advance from the program dependency graph corresponding to multiple benign executions of the exchange process; the program dependency graph contains the dependency relationships between vertices of each type, and the vertex types are a first vertex representing the exchange process, a second vertex representing a dynamic link library and a third vertex representing the system kernel;
The second construction unit is configured to capture in advance the function calls made by the exchange process during multiple benign executions, analyze the relationships between the function calls, and build the dynamic measurement information base of the exchange process from those relationships.
Because the trusted measurement system disclosed in embodiment three corresponds to the trusted measurement method disclosed in embodiment one, it is described only briefly; for the related and similar parts, refer to the description of the method in embodiment one, which is not repeated here.
It should be noted that the embodiments in this specification are described progressively: each embodiment focuses on what distinguishes it from the others, and for the parts that are the same or similar the embodiments may be referred to one another.
For convenience of description, the system or device above is described in terms of modules or units divided by function. When this application is implemented, the functions of the units may of course be realized in one or more pieces of software and/or hardware.
From the description of the embodiments above, those skilled in the art can clearly understand that this application can be implemented by software plus a necessary general-purpose hardware platform. On that understanding, the technical solution of this application, in essence or in the part that contributes to the prior art, can be embodied as a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments of this application or in parts of the embodiments.
Finally, it should also be noted that relational terms such as first, second, third and fourth are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element qualified by the phrase "including a ..." does not exclude the existence of additional identical elements in the process, method, article or device that includes the element.
The above is only the preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make improvements and modifications without departing from the principles of the invention, and such improvements and modifications shall also be regarded as falling within the protection scope of the invention.
Claims (10)
1. A trusted measurement method for an exchange process, characterized by comprising:
obtaining a pre-built trusted measurement information base of the exchange process, the trusted measurement information base including the reference measurement information corresponding to each predetermined measurement factor used to perform trusted measurement on the exchange process;
performing trusted measurement on the exchange process based on the trusted measurement information base, to obtain a measurement result.
2. The method according to claim 1, characterized in that the trusted measurement information base includes a static measurement information base and a dynamic measurement information base, wherein:
the static measurement information base includes static program information, dynamic link library information, system kernel information, dependency information between the exchange process and dynamic link libraries, dependency information between different dynamic link libraries, and dependency information between dynamic link libraries and the system kernel;
the dynamic measurement information base includes a process state set, a process initial state set, a process end state set and a process state transition set.
3. The method according to claim 2, characterized in that the process of building the pre-built trusted measurement information base of the exchange process includes:
building the trusted measurement information base of the exchange process in advance from multiple benign executions of the exchange process.
4. The method according to claim 3, characterized in that building the trusted measurement information base of the exchange process in advance from multiple benign executions of the exchange process includes:
building the static measurement information base of the exchange process in advance from the program dependency graph corresponding to multiple benign executions of the exchange process, wherein the program dependency graph contains the dependency relationships between vertices of each type, and the vertex types are a first vertex representing the exchange process, a second vertex representing a dynamic link library and a third vertex representing the system kernel;
capturing in advance the function calls made by the exchange process during multiple benign executions, analyzing the relationships between the function calls, and building the dynamic measurement information base of the exchange process from the relationships between the function calls.
5. The method according to claim 4, characterized in that performing trusted measurement on the exchange process based on the trusted measurement information base includes:
measuring, based on the static measurement information base and using a preset static measurement policy, the static program, dynamic link libraries and system kernel corresponding to the exchange process, and the dependencies among the static program, the dynamic link libraries and the system kernel;
measuring, based on the dynamic measurement information base, the function calls, process state transitions and system resource usage during execution of the exchange process.
6. The method according to claim 5, characterized in that the static measurement policy is any one of one-time measurement, on-demand measurement and importance-based measurement.
7. A trusted measurement system for an exchange process, characterized by comprising:
an acquisition module, configured to obtain a pre-built trusted measurement information base of the exchange process, the trusted measurement information base including the reference measurement information corresponding to each predetermined measurement factor used to perform trusted measurement on the exchange process;
a measurement module, configured to perform trusted measurement on the exchange process based on the trusted measurement information base, to obtain a measurement result.
8. The system according to claim 7, characterized by further comprising:
a preprocessing module, configured to build the trusted measurement information base of the exchange process in advance from multiple benign executions of the exchange process.
9. The system according to claim 8, characterized in that the preprocessing module includes:
a first construction unit, configured to build the static measurement information base of the exchange process in advance from the program dependency graph corresponding to multiple benign executions of the exchange process, wherein the program dependency graph contains the dependency relationships between vertices of each type, and the vertex types are a first vertex representing the exchange process, a second vertex representing a dynamic link library and a third vertex representing the system kernel;
a second construction unit, configured to capture in advance the function calls made by the exchange process during multiple benign executions, analyze the relationships between the function calls, and build the dynamic measurement information base of the exchange process from the relationships between the function calls.
10. The system according to claim 9, characterized in that the measurement module includes:
a static measurement unit, configured to measure, based on the static measurement information base and using a preset static measurement policy, the static program, dynamic link libraries and system kernel corresponding to the exchange process, and the dependencies among the static program, the dynamic link libraries and the system kernel;
a dynamic measurement unit, configured to measure, based on the dynamic measurement information base, the function calls, process state transitions and system resource usage during execution of the exchange process.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610613701.1A CN106407817A (en) | 2016-07-29 | 2016-07-29 | Trusted measurement method and system of exchange process |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610613701.1A CN106407817A (en) | 2016-07-29 | 2016-07-29 | Trusted measurement method and system of exchange process |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106407817A true CN106407817A (en) | 2017-02-15 |
Family
ID=58004209
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610613701.1A Pending CN106407817A (en) | 2016-07-29 | 2016-07-29 | Trusted measurement method and system of exchange process |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106407817A (en) |
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9152343B2 (en) * | 2013-02-06 | 2015-10-06 | Ricoh Company, Ltd. | Information processing system that includes multiple information processors and executes process according to request received via network, and information processing method therein |
CN104517057A (en) * | 2014-12-22 | 2015-04-15 | 中国人民解放军信息工程大学 | Software hybrid measure method based on trusted computing |
Non-Patent Citations (1)
Title |
---|
Chen Liang: "Research on Several Key Technologies of Secure Data Exchange", China Excellent Master's Theses Full-text Database * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108399338A (en) * | 2018-02-06 | 2018-08-14 | 南京航空航天大学 | Platform integrity status measure information method based on process behavior |
CN110674494A (en) * | 2018-07-02 | 2020-01-10 | 阿里巴巴集团控股有限公司 | Process protection method, system and data processing method |
CN110674494B (en) * | 2018-07-02 | 2023-04-11 | 阿里巴巴集团控股有限公司 | Process protection method, system and data processing method |
CN116861406A (en) * | 2023-06-16 | 2023-10-10 | 国网江苏省电力有限公司扬州供电分公司 | Mixed granularity dynamic trusted chain measurement method and system based on call sequence |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20170215 |