CN106874747A - A kind of Unix white list control methods based on hook technologies - Google Patents


Info

Publication number: CN106874747A
Application number: CN201710092963.2A
Authority: CN (China)
Prior art keywords: white list, unix, file, binary file, inventory
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 邢希双
Current assignee: Zhengzhou Yunhai Information Technology Co Ltd
Original assignee: Zhengzhou Yunhai Information Technology Co Ltd
Priority date: 2017-02-21
Filing date: 2017-02-21
Publication date: 2017-06-20

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Abstract

The present invention relates to a Unix white list control method based on hook technology. A filter driver module is added to the Unix system; across the whole operating system it controls the start-up of processes not on the white list, controls the loading of dynamic libraries and drivers not on the white list, controls the creation of new binary files, and controls the writing, overwriting, replacement, deletion and renaming of the binary files that are on the white list. With this method, processes not in the white list inventory are prevented from starting, dynamic libraries and drivers not in the white list inventory are prevented from loading, and the process files, dynamic library files and driver files in the white list inventory are protected from being illegally written, overwritten, replaced, deleted or renamed. The running operating system can no longer create new binary files, so a secure computing environment for the operating system is established.

Description

A kind of Unix white list control methods based on hook technologies
Technical field
The present invention relates to the technical field of computer operating system security, and in particular to a Unix white list control method based on hook technology.
Background technology
With the development of new technologies such as cloud computing and big data, the requirements for a secure computing environment on cloud hosts and servers grow ever higher. A secure computing environment is the foundation of cloud computing: without it, neither the security of cloud data nor the continuity of cloud services can be guaranteed. A software white list mechanism is an important measure for building a secure computing environment.
In the prior art, a Unix white list control method based on hook technology can effectively solve the problems of how to implement software white list technology on a Unix system and how to deploy it.
Binary files that can run on a Unix system generally come in three kinds: 1) executable files, which can run on their own; 2) SO files, dynamic library files that must be loaded into the address space of a process by an executable file before they can run; 3) KO files, driver files that a process loads into kernel space to run. In the prior art, if a hacker or an insider adds, modifies or replaces any one of these three kinds of file, a malicious file exists in the running operating system and the computing environment is no longer secure.
To address the above problem, the present invention proposes a Unix white list control method based on hook technology.
Content of the invention
To remedy the defects of the prior art, the present invention provides a simple and efficient Unix white list control method based on hook technology.
The present invention is achieved through the following technical solution:
A Unix white list control method based on hook technology is characterised in that a filter driver module is added to the Unix system. The filter driver module is implemented as a kernel driver and is installed and started by a white list main service process. The filter driver module controls, across the whole operating system, the start-up of processes not on the white list, the loading of dynamic libraries not on the white list and the loading of drivers not on the white list; it controls the creation of new binary files; and it controls the writing, overwriting, replacement, deletion and renaming of the binary files on the white list, so that the operating system keeps a clean and secure running environment.
The white list main service process is implemented as a Unix application program. During its initialisation it installs the filter driver module and at the same time scans all ELF files in the operating system, submitting the full path of each ELF file and the SHA1 value of its content to the filter driver module, which adds them to its white list inventory, building a white list inventory linked list.
When a process start-up, dynamic library loading and/or driver loading access request is received, the filter driver module first obtains the full path and SHA1 value of the binary file in the request, then traverses its own white list inventory linked list to decide whether the ELF file mapping is allowed. If the file is a binary file in the white list inventory, the access is passed on to the original system call and the operating system completes the ELF file mapping normally. If it is not a binary file in the white list inventory, the access is blocked and the operating system fails to map the ELF file, so the corresponding process cannot start, the dynamic library cannot be loaded, or the driver cannot be loaded.
While the operating system is running, the filter driver module intercepts file creation behaviour and forbids the creation of binary files. Any writing, overwriting, replacement, deletion or renaming of a binary file in the white list inventory linked list is refused once intercepted by the filter driver module.
When a write, overwrite, replace, delete or rename access request for a binary file is received, the filter driver module first obtains the full path and SHA1 value of the binary file in the request, then traverses its own white list inventory linked list. If the access request targets a binary file in the white list inventory, the access is blocked, so the write, overwrite, replace, delete or rename operation on that binary file fails. If the access request targets a file that is not in the white list inventory, the access is passed on to the original system call and the operating system completes the write, overwrite, replace, delete or rename operation normally.
For the sake of security, the initial start-up of the white list main service process is carried out only after the operating system has been completely installed and configured, and with the network disconnected. When the white list main service process exits voluntarily, it unloads the filter driver module and itself from the running operating system.
The beneficial effects of the invention are as follows: this Unix white list control method based on hook technology prevents processes not in the white list inventory from starting and prevents dynamic libraries and drivers not in the white list inventory from loading, while at the same time guaranteeing that the process files, dynamic library files and driver files in the white list inventory are not illegally written, overwritten, replaced, deleted or renamed, and that the running operating system no longer creates new binary files, thereby establishing a secure computing environment for the operating system.
Brief description of the drawings
Figure 1 is a flow diagram of the present invention controlling process start-up, dynamic library loading and/or driver loading.
Figure 2 is a flow diagram of the present invention controlling the writing, overwriting, replacement, deletion and renaming of binary files.
Specific embodiment
To make the technical problems to be solved by the invention, the technical solution and the beneficial effects clearer, the present invention is described in detail below with reference to the drawings and embodiments. It should be noted that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.
In this Unix white list control method based on hook technology, a filter driver module is added to the Unix system. The filter driver module is implemented as a kernel driver and is installed and started by a white list main service process. The filter driver module controls, across the whole operating system, the start-up of processes not on the white list, the loading of dynamic libraries not on the white list and the loading of drivers not on the white list; it controls the creation of new binary files; and it controls the writing, overwriting, replacement, deletion and renaming of the binary files on the white list, so that the operating system keeps a clean and secure running environment.
In a Unix operating system, executable files, dynamic library files (SO files) and driver files (KO files) are all files in ELF format. Whether for process start-up, dynamic library loading or driver loading, the operating system must map the ELF file into memory. While the operating system is running, every ELF file mapping action, for example process A starting process B, process A loading dynamic library B, or a process loading a driver, automatically enters the filter driver module.
The white list main service process is implemented as a Unix application program. During its initialisation it installs the filter driver module and at the same time scans all ELF files in the operating system, submitting the full path of each ELF file and the SHA1 value of its content to the filter driver module, which adds them to its white list inventory, building a white list inventory linked list.
When a process start-up, dynamic library loading and/or driver loading access request is received, the filter driver module first obtains the full path and SHA1 value of the binary file in the request, then traverses its own white list inventory linked list to decide whether the ELF file mapping is allowed. If the file is a binary file in the white list inventory, the access is passed on to the original system call and the operating system completes the ELF file mapping normally. If it is not a binary file in the white list inventory, the access is blocked and the operating system fails to map the ELF file, so the corresponding process cannot start, the dynamic library cannot be loaded, or the driver cannot be loaded.
While the operating system is running, the filter driver module intercepts file creation behaviour and forbids the creation of binary files. Any writing, overwriting, replacement, deletion or renaming of a binary file in the white list inventory linked list is refused once intercepted by the filter driver module.
When a write, overwrite, replace, delete or rename access request for a binary file is received, the filter driver module first obtains the full path and SHA1 value of the binary file in the request, then traverses its own white list inventory linked list. If the access request targets a binary file in the white list inventory, the access is blocked, so the write, overwrite, replace, delete or rename operation on that binary file fails. If the access request targets a file that is not in the white list inventory, the access is passed on to the original system call and the operating system completes the write, overwrite, replace, delete or rename operation normally.
For the sake of security, the initial start-up of the white list main service process is carried out only after the operating system has been completely installed and configured, and with the network disconnected. When the white list main service process exits voluntarily, it unloads the filter driver module and itself from the running operating system.
This Unix white list control method based on hook technology adds a filter driver module to an existing Unix operating system to intervene in the operating system's file access operations, thereby preventing the start-up of processes, the loading of dynamic libraries and the loading of drivers that are not in the inventory.
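As an added illustration, not code from the patent, the following Python simulates the decision logic described in the summary and in the specific embodiment above: the main service process's scan that builds the full-path-plus-SHA1 inventory, and the filter driver module's three decisions (ELF mapping, file creation, and modification of listed binaries). A dict stands in for the patent's linked list, the file names and fake ELF headers are constructed, and the path-only match in on_modify is an assumption of mine rather than something the patent states.

```python
import hashlib
import os
import tempfile

ELF_MAGIC = b"\x7fELF"   # executables, SO and KO files all start with this

def sha1_of(path):
    """SHA1 of the file content, as the main service process submits it."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_inventory(root):
    """Scan step of the main service process: {full path: SHA1} of every ELF file."""
    inventory = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.realpath(os.path.join(dirpath, name))
            with open(p, "rb") as f:
                if f.read(4) == ELF_MAGIC:
                    inventory[p] = sha1_of(p)
    return inventory

class FilterDriver:
    """Decision logic of the filter driver module: True hands the request on to the
    original system call, False blocks it. A dict stands in for the linked list."""

    def __init__(self, inventory):
        self.inventory = dict(inventory)

    def on_map(self, path):
        """Process start-up, dynamic library load or driver load (ELF mapping)."""
        real = os.path.realpath(path)
        expected = self.inventory.get(real)
        if expected is None:
            return False                      # not in inventory: cannot start/load
        try:
            return sha1_of(real) == expected  # listed path, changed content: block
        except OSError:
            return False

    def on_create(self, first_bytes):
        """File creation: creating a new binary (ELF) file is always refused."""
        return not first_bytes.startswith(ELF_MAGIC)

    def on_modify(self, path):
        """write/overwrite/replace/delete/rename: refused for any listed binary.
        Assumption: matched by full path, so a tampered listed file stays protected."""
        return os.path.realpath(path) not in self.inventory

def demo():
    """Constructed scenario: a trusted fake ELF, a text file, a dropped ELF, a tamper."""
    with tempfile.TemporaryDirectory() as root:
        app, conf, dropped = (os.path.join(root, n) for n in ("app", "app.conf", "dropper"))
        with open(app, "wb") as f:
            f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 61)  # fake ELF header only
        with open(conf, "w") as f:
            f.write("mode=prod\n")                            # not a binary file
        drv = FilterDriver(build_inventory(root))             # snapshot = white list
        with open(dropped, "wb") as f:
            f.write(ELF_MAGIC + b"\0" * 60)                   # appears after the scan
        results = {
            "start_app": drv.on_map(app),
            "start_dropped": drv.on_map(dropped),
            "create_elf": drv.on_create(ELF_MAGIC + b"\0"),
            "create_text": drv.on_create(b"hello\n"),
            "rename_app": drv.on_modify(app),
            "write_conf": drv.on_modify(conf),
        }
        with open(app, "ab") as f:
            f.write(b"\x90")                                  # tamper with listed file
        results["start_tampered_app"] = drv.on_map(app)
        return results
```

Calling demo() returns the allow/block decision for each constructed request; a real filter driver would make the same decisions inside the hooked system calls rather than in user space.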

Claims (6)

1. A Unix white list control method based on hook technology, characterised in that: a filter driver module is added to the Unix system; the filter driver module is implemented as a kernel driver and is installed and started by a white list main service process; the filter driver module controls, across the whole operating system, the start-up of processes not on the white list, the loading of dynamic libraries not on the white list and the loading of drivers not on the white list, controls the creation of new binary files, and controls the writing, overwriting, replacement, deletion and renaming of the binary files on the white list, so that the operating system keeps a clean and secure running environment.
2. The Unix white list control method based on hook technology according to claim 1, characterised in that the white list main service process is implemented as a Unix application program; during its initialisation it installs the filter driver module and at the same time scans all ELF files in the operating system, submits the full path of each ELF file and the SHA1 value of its content to the filter driver module, which adds them to its white list inventory, building a white list inventory linked list.
3. The Unix white list control method based on hook technology according to claim 1 or 2, characterised in that: when a process start-up, dynamic library loading and/or driver loading access request is received, the filter driver module first obtains the full path and SHA1 value of the binary file in the request, then traverses its own white list inventory linked list to decide whether the ELF file mapping is allowed; if the file is a binary file in the white list inventory, the access is passed on to the original system call and the operating system completes the ELF file mapping normally; if it is not a binary file in the white list inventory, the access is blocked and the operating system fails to map the ELF file, so that the corresponding process cannot start, the dynamic library cannot be loaded, or the driver cannot be loaded.
4. The Unix white list control method based on hook technology according to claim 3, characterised in that: while the operating system is running, the filter driver module intercepts file creation behaviour and forbids the creation of binary files; any writing, overwriting, replacement, deletion or renaming of a binary file in the white list inventory linked list while the operating system is running is refused once intercepted by the filter driver module.
5. The Unix white list control method based on hook technology according to claim 4, characterised in that when a write, overwrite, replace, delete or rename access request for a binary file is received, the filter driver module first obtains the full path and SHA1 value of the binary file in the request, then traverses its own white list inventory linked list; if the access request targets a binary file in the white list inventory, the access is blocked, so the write, overwrite, replace, delete or rename operation on that binary file fails; if the access request targets a file that is not in the white list inventory, the access is passed on to the original system call and the operating system completes the write, overwrite, replace, delete or rename operation normally.
6. The Unix white list control method based on hook technology according to claim 2, characterised in that, for the sake of security, the initial start-up of the white list main service process is carried out only after the operating system has been completely installed and configured, and with the network disconnected; when the white list main service process exits voluntarily, it unloads the filter driver module and itself from the running operating system.

Publications (1)

Publication Number Publication Date
CN106874747A true CN106874747A (en) 2017-06-20

Family

ID=59167309



Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106203073A (en) * 2016-07-13 2016-12-07 浪潮电子信息产业股份有限公司 A kind of Windows white list control method based on file system filter driver

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107480522A (en) * 2017-08-14 2017-12-15 郑州云海信息技术有限公司 A kind of ELF files executive control system and method
CN107480522B (en) * 2017-08-14 2020-05-08 苏州浪潮智能科技有限公司 ELF file execution control system and method
CN110363013A (en) * 2019-06-29 2019-10-22 苏州浪潮智能科技有限公司 The method and system of file access control is realized under a kind of linux system in application layer
CN111651752A (en) * 2020-04-17 2020-09-11 北京大学 Method for acquiring system call white list required by container
CN111651752B (en) * 2020-04-17 2022-10-14 北京大学 Method for acquiring system call white list required by container


Legal Events

Date Code Title Description
2017-06-20 PB01 Publication (application publication date: 20170620)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication