CN107967426B - Detection method, defense method and system for Linux kernel data attack - Google Patents


Info

Publication number: CN107967426B
Authority: CN (China)
Prior art keywords: data, linux kernel, key data, kernel, attack
Legal status: Active
Application number: CN201711205897.1A
Other languages: Chinese (zh)
Other versions: CN107967426A (en)
Inventors: 金海, 羌卫中, 杨嘉玮
Current Assignee: Huazhong University of Science and Technology
Original Assignee: Huazhong University of Science and Technology

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a detection method, a defense method and a system for Linux kernel data attacks. The detection method comprises the following steps: extracting security-critical data from the Linux kernel data according to how strongly each item of kernel data is related to security; performing static analysis on the Linux kernel data to obtain the data flow of the Linux kernel data; extracting the relations among the security-critical data from that data flow to obtain the data flow of the security-critical data; and monitoring the critical data while the Linux kernel runs, comparing it with the data flow of the security-critical data, and reporting that the Linux kernel data is under attack if the critical data observed at run time deviates from the data flow of the security-critical data, and that it is not under attack otherwise. Compared with existing kernel data attack detection schemes, the method and system fully consider the indirect-branch characteristics of the program data flow and effectively reduce the false alarm rate of the detection result.

Description

Detection method, defense method and system for Linux kernel data attack
Technical Field
The invention belongs to the field of kernel attack detection and defense, and particularly relates to a detection and defense method and system for Linux kernel data attack.
Background
The kernel is the most basic part of the operating system, and for a secure and stable system it is essential to protect the kernel from the other programs that run on it. Kernels are now becoming targets for attackers, mainly for the following reasons:
first, attacks against user-mode programs are becoming more difficult because of the many user-mode protection mechanisms that have been deployed, such as ASLR, sandboxing, CFI, CPI and DEP;
second, the attack surface of the kernel is large: the kernel code base is large (16.9 MLOC in Linux 4.5.4), there are many system calls (397), and each new kernel version brings new bugs and new attack opportunities;
third, the gain from attacking the kernel is high. Kernel code is privileged code, and attackers typically use it for privilege escalation or malicious code execution. At the same time, some kernel data structures are essential to security mechanisms; tampering with them disables the kernel security mechanism and hides the attacker's traces in the kernel, so that such attacks are hard to discover.
In recent years, research on kernel attacks has gradually focused on data-only attacks. The biggest difference between this kind of attack and earlier ones is that a data-only attack exploits kernel data structures and no longer aims at modifying code segments or kernel functions. Domestic and international research on data-only attacks falls into two categories: control-data attacks and non-control-data attacks. Defenses against control-data attacks focus mainly on memory safety, kernel code integrity checking and control flow integrity; defenses against non-control-data attacks focus mainly on memory safety, memory isolation and data flow integrity.
Kernel-oriented attacks have gone through three main stages. Early kernel attacks were mainly code injection attacks, carried out by introducing malicious code into kernel space and then executing it. The main defense against them is kernel code integrity protection.
As kernel attack methods were studied further, kernel attacks evolved from code injection to control flow hijacking. Such attacks compromise the kernel by changing its execution control flow, eventually directing the control flow to execute malicious code; ROP and JOP are typical forms. The main defense against them is control flow integrity protection.
A new kind of kernel attack has emerged in recent years. It differs from previous kernel attacks in that it attacks only through data structures in the kernel, typically security-related data. There are two forms: control-data attacks and non-control-data attacks. Defenses against them mainly comprise control flow integrity protection, kernel data invariant checking and data flow integrity protection.
In summary, existing Linux kernel attack defense systems have the following disadvantages:
a Linux kernel attack defense system based on control flow integrity cannot cope with data-oriented attacks on the Linux kernel because attacks on kernel data are not considered; in addition, the data flow obtained by traditional static analysis suffers from inaccurate and incomplete analysis of indirect branches.
Disclosure of Invention
In view of the defects or improvement requirements of the prior art, the invention provides a method and a system for detecting Linux kernel data attacks, and aims to solve the technical problem that conventional kernel attack defense methods cannot respond to kernel data attacks because they do not consider kernel data.
As one aspect of the present invention, the present invention provides a method for detecting Linux kernel data attacks, including the following steps:
step 1: extracting security-critical data from the Linux kernel data according to the Linux kernel data and its correlation with security;
step 2: performing static analysis on the Linux kernel data to obtain the data flow of the Linux kernel data;
step 3: extracting the relations among the security-critical data from the data flow of the Linux kernel data to obtain the data flow of the security-critical data;
step 4: monitoring critical data while the Linux kernel runs, comparing it with the data flow of the security-critical data, and if the critical data observed at run time deviates from the data flow of the security-critical data, outputting that the Linux kernel data is under attack, otherwise outputting that it is not under attack.
Preferably, the security-critical data in step 1 comprises data related to access rights, data related to security checks and uniquely identifying data.
Preferably, the static analysis in step 2 comprises the following steps:
step 21: translating the Linux kernel source code into the LLVM intermediate representation (low-level virtual machine intermediate language);
step 22: performing flow-sensitive alias analysis on the LLVM intermediate representation to obtain an alias analysis result;
step 23: taking the alias analysis result as a precondition, performing path-sensitive data flow analysis to obtain the data flow of the Linux kernel data.
As another aspect of the invention, the defense method provided by the invention comprises the following steps:
step 1: determining whether the Linux kernel data is under attack by means of the detection method;
step 2: when critical data is attacked while the Linux kernel runs, rolling that critical data back to its state before the attack; when the critical data is not attacked, leaving it untouched.
As another aspect of the present invention, the present invention provides a detection system comprising:
a data extraction module, for extracting security-critical data from the Linux kernel data according to the degree to which the kernel data is related to security;
a kernel data flow analysis module, for statically analyzing the Linux kernel data to obtain the data flow of the Linux kernel data;
a critical data flow analysis module, whose first input is connected to the output of the kernel data flow analysis module and whose second input is connected to the output of the data extraction module, for extracting the relationships among the security-critical data from the data flow of the Linux kernel data to obtain the data flow of the security-critical data;
and an attack judgment module, whose input is connected to the output of the critical data flow analysis module, for monitoring critical data while the Linux kernel runs, comparing it with the data flow of the security-critical data and outputting the attack state of the Linux kernel data according to the result of the comparison.
Preferably, the kernel data flow analysis module includes:
a translation unit, for translating the Linux kernel source code into the LLVM intermediate representation using the translator;
an alias analysis unit, whose input is connected to the output of the translation unit, for performing flow-sensitive alias analysis on the LLVM intermediate representation to obtain an alias analysis result;
and a data flow analysis unit, whose input is connected to the output of the alias analysis unit, for performing path-sensitive data flow analysis with the alias analysis result as a precondition to obtain the data flow of the Linux kernel data.
Preferably, the system comprises a defense module whose input is connected to the output of the attack judgment module, for rolling back the critical data of the running Linux kernel when the Linux kernel data is under attack, so that the critical data returns to its un-attacked state.
In general, compared with the prior art, the technical solution contemplated by the present invention achieves the following beneficial effects:
(1) The kernel data attack detection method provided by the invention first obtains the data flows of all kernel data, extracts the security-related critical data from them to form security-related critical data flows, and monitors these data flows while the kernel runs, thereby detecting attacks on the kernel data flow.
(2) The invention fully considers the indirect-branch characteristics of the program data flow: path-sensitive data flow analysis resolves the program's indirect branches more accurately and effectively reduces the false alarm rate of the detection result. In addition, flow-sensitive alias analysis makes the result of the data flow analysis more accurate, so the detection method provided by the invention has high accuracy. Compared with existing kernel data attack detection schemes, the method not only solves the problem that existing schemes cannot cope with kernel non-control-data attacks, but also effectively reduces the missed-detection rate of the detection result, so that kernel data attacks are detected accurately.
(3) Low overhead. The invention uses the kernel data flow graph but removes the non-security-critical data flows from it, which avoids an excessive amount of monitored data, reduces the time overhead of the system and thus improves its execution efficiency.
(4) Low coupling. The modules are connected through simple interfaces, so coupling is very low and modules can be added, deleted and modified quickly. Users can customize module functionality, for example by selecting which data types are monitored.
Drawings
FIG. 1 is a flow chart of the method for detecting Linux kernel data attacks provided by the invention;
FIG. 2 is a schematic diagram of the principle of extracting security-critical data in the detection method provided by the present invention;
FIG. 3 is a schematic diagram of obtaining the data flow of security-critical data in the detection method provided by the present invention;
FIG. 4 is a data flow diagram of the security-critical data obtained in the detection method provided by the present invention;
FIG. 5 is a schematic block diagram of the detection system provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
The overall idea of the invention is to collect the kernel's security-critical data and obtain a data flow graph of that data through static analysis. The security-critical data of the Linux kernel is then monitored using TSX technology: the data flow resulting from each operation of the running Linux kernel is obtained and compared with the data flow graph obtained by the earlier analysis to judge whether it is an illegal data flow; if so, the operation is stopped and the data recovered. The result is a detection and defense mechanism for attacks on kernel data, which effectively detects and defends against attacks on the kernel's security-critical data.
Fig. 1 shows the method for detecting Linux kernel data attacks, which includes the following steps:
Step 1: extracting security-critical data from the Linux kernel data according to the security correlation of the Linux kernel data, as shown in fig. 2, where the amount of security-critical data is greater than the minimum data size needed for the generated data flow graph.
The Linux kernel contains a huge amount of data. To improve performance, it is first necessary to analyze whether each item of Linux kernel data is related to security. The security-related data in the Linux kernel mainly includes: data relating to access rights, data relating to security checks, data in the form of unique identifiers such as uid and pid, and data relating to decision making.
Because the data in the Linux kernel is complex, the minimum data set required by the data flow graph analysis is retained while the security-related kernel data is screened out, reducing a huge data set to a smaller one. This greatly reduces performance overhead while still generating a reliable and accurate Linux kernel data flow graph.
Step 2: performing static processing on the Linux kernel data to obtain the data flow graph of the Linux kernel data. The data flow of the Linux kernel data is characterized with a static analysis method, which describes the data flow graph of the Linux kernel data more accurately and efficiently, at a finer granularity and in a more flexible way. As shown in fig. 3, the method specifically comprises the following steps:
step 21: first, translating the Linux kernel source code into the LLVM intermediate language using an LLVM IR (low-level virtual machine intermediate language) translator;
step 22: then, performing flow-sensitive alias analysis on the resulting LLVM intermediate language with a user-defined LLVM pass;
step 23: then, taking the alias analysis result as a precondition, performing path-sensitive data flow analysis to obtain the data flow diagram of the Linux kernel data.
Step 3: screening the data flows of the security-related kernel data out of the data flow graph of the Linux kernel data, and finally drawing the data flow graph of the Linux kernel security-critical data.
Step 4: this step is realized by writing code against the interface provided by Intel TSX technology; every relevant operation on the security-critical data is intercepted, and each state of the security-critical data is acquired.
For each item of monitored data, every operation on that data is obtained and compared with the data flow diagram of the Linux kernel security-critical data from step 3 to analyze whether the operation is legal.
The security-critical data of the Linux kernel in memory is monitored using Intel TSX technology. TSX (Transactional Synchronization Extensions) adds transactional memory features to the x86-64 instruction set. Transactional memory is a technology that allows synchronized and efficient access to data structures in a concurrent environment. TSX technology provides two interfaces: HLE (Hardware Lock Elision) and RTM (Restricted Transactional Memory).
Step 5: this step defends against attacks on Linux kernel data by comparing the data flow of the Linux kernel security-critical data with the security-critical data flow graph obtained by the earlier analysis and judging whether the data flow of the security-critical data deviates from the secure data flow. If the data flow deviates from the data flow diagram obtained in step (2), the data is rolled back and its original state recovered; if the data flow is normal, nothing is done.
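Steps 2 to 5 above describe a statically derived data flow graph of security-critical data, a run-time check of each operation against that graph, and a rollback when an operation deviates. The following C program is an added illustration of that detection-and-rollback logic, not code from the patent or its authors: the credential record, the writer function names and the graph edges are constructed stand-ins, each edge carries a hand-written path condition standing in for the result of the path-sensitive analysis, and the speculative write plus rollback models the role the patent delegates to TSX rather than using TSX itself.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's security-critical data: a credential
 * record with an access-rights field (uid) and one capability flag. */
struct cred {
    uint32_t uid;
    uint32_t cap_setuid;   /* 1 = the task may change its uid, 0 = it may not */
};

enum field { F_UID, F_CAP_SETUID };

/* Path condition on a graph edge, evaluated on the pre-store state. The
 * patent's path-sensitive analysis would derive it from the branch guarding
 * the store; here each condition is hand-written (assumption). */
typedef bool (*path_cond)(const struct cred *before, uint32_t new_value);

/* One edge of the security-critical data flow graph: the function whose store
 * reaches the field, and the condition under which that store is legal. */
struct flow_edge {
    const char *writer;
    enum field  target;
    path_cond   cond;      /* NULL: the store is legal on every path */
};

static bool has_cap_setuid(const struct cred *c, uint32_t nv)
{
    (void)nv;
    return c->cap_setuid != 0;
}

static bool cap_only_dropped(const struct cred *c, uint32_t nv)
{
    return nv <= c->cap_setuid;   /* a capability may be dropped, never gained */
}

/* Constructed graph of the only flows the static analysis admitted. The writer
 * names are placeholders, not taken from real kernel sources. */
static const struct flow_edge graph[] = {
    { "sys_setuid", F_UID,        has_cap_setuid   },
    { "cap_drop",   F_CAP_SETUID, cap_only_dropped },
};
#define GRAPH_LEN (sizeof graph / sizeof graph[0])

/* Runtime monitor: the live record plus the last state known to be legal. */
struct monitor {
    struct cred live;
    struct cred last_good;
    unsigned    violations;
};

static void monitor_init(struct monitor *m, uint32_t uid, uint32_t cap_setuid)
{
    m->live.uid = uid;
    m->live.cap_setuid = cap_setuid;
    m->last_good = m->live;
    m->violations = 0;
}

static void apply_store(struct cred *c, enum field f, uint32_t v)
{
    if (f == F_UID) c->uid = v; else c->cap_setuid = v;
}

/* Intercept one store to a security-critical field, the role TSX plays in the
 * patent. The store is legal only if a graph edge for (writer, field) exists
 * and its path condition holds; it is applied speculatively and rolled back to
 * the last legal state when illegal. Returns true when the store committed. */
static bool monitored_store(struct monitor *m, const char *writer,
                            enum field f, uint32_t v)
{
    bool legal = false;
    for (size_t i = 0; i < GRAPH_LEN && !legal; i++) {
        if (graph[i].target != f || strcmp(graph[i].writer, writer) != 0)
            continue;
        legal = graph[i].cond == NULL || graph[i].cond(&m->live, v);
    }
    apply_store(&m->live, f, v);          /* speculative write */
    if (!legal) {
        m->live = m->last_good;           /* abort: restore the pre-attack state */
        m->violations++;
        fprintf(stderr, "illegal flow: %s -> field %d, rolled back\n", writer, (int)f);
        return false;
    }
    m->last_good = m->live;               /* commit: new checkpoint */
    return true;
}

int main(void)
{
    struct monitor m;
    monitor_init(&m, 1000, 0);
    monitored_store(&m, "sys_setuid", F_UID, 0);   /* capability not held */
    monitored_store(&m, "vfs_write", F_UID, 0);    /* no edge from this writer */
    printf("uid=%u violations=%u\n", m.live.uid, m.violations);
    return 0;
}
```

The same writer and field can be legal on one path and illegal on another, which is the indirect-branch case the patent's path-sensitive analysis is meant to resolve.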
As another aspect of the invention, the invention provides a detection system for Linux kernel data attacks. As shown in fig. 5, the detection system includes a data extraction module, a kernel data flow analysis module, a critical data flow analysis module, an attack judgment module and a defense module. The first input of the critical data flow analysis module is connected to the output of the kernel data flow analysis module, its second input is connected to the output of the data extraction module, and the input of the attack judgment module is connected to the output of the critical data flow analysis module.
The data extraction module extracts security-critical data from the Linux kernel data according to the degree to which the kernel data is related to security; the kernel data flow analysis module statically analyzes the Linux kernel data to obtain the data flow of the Linux kernel data; the critical data flow analysis module extracts the relationships among the security-critical data from the data flow of the Linux kernel data to obtain the data flow of the security-critical data; and the attack judgment module monitors the critical data while the Linux kernel runs, compares it with the data flow of the security-critical data and outputs the attack state of the Linux kernel data according to the result: if the critical data observed at run time deviates from the data flow of the security-critical data, the Linux kernel data is reported as under attack, otherwise as not under attack. When the attack state is "under attack", the defense module rolls back the critical data of the running Linux kernel so that it returns to its un-attacked state; when the attack state is "not under attack", the defense module does nothing.
The kernel data flow analysis module comprises a translation unit, an alias analysis unit and a data flow analysis unit connected in sequence. The translation unit translates the Linux kernel source code into the LLVM intermediate representation; the alias analysis unit performs flow-sensitive alias analysis on that representation to obtain an alias analysis result; and the data flow analysis unit performs path-sensitive data flow analysis with the alias analysis result as a precondition to obtain the data flow of the Linux kernel data.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (6)

1. A method for detecting Linux kernel data attacks, characterized by comprising the following steps:
step 1: extracting security-critical data from the Linux kernel data according to the Linux kernel data and its correlation with security;
step 2: performing static analysis on the Linux kernel data to obtain the data flow of the Linux kernel data;
step 3: extracting the relations among the security-critical data from the data flow of the Linux kernel data to obtain the data flow of the security-critical data;
step 4: monitoring critical data while the Linux kernel runs, comparing it with the data flow of the security-critical data, and if the critical data observed at run time deviates from the data flow of the security-critical data, outputting that the Linux kernel data is under attack, otherwise outputting that it is not under attack;
the static analysis in step 2 comprises the following steps:
step 21: translating the Linux kernel source code into the LLVM intermediate representation (low-level virtual machine intermediate language);
step 22: performing flow-sensitive alias analysis on the LLVM intermediate representation to obtain an alias analysis result;
step 23: taking the alias analysis result as a precondition, performing path-sensitive data flow analysis to obtain the data flow of the Linux kernel data.
2. The detection method as claimed in claim 1, characterized in that the security-critical data in step 1 comprises data relating to access rights, data relating to security checks and uniquely identifying data.
3. The detection method according to any one of claims 1 to 2, characterized in that the monitoring of critical data while the Linux kernel runs is realized by Intel TSX technology.
4. A defense method based on the detection method of claim 1, characterized by comprising the following steps:
step 1: determining whether the Linux kernel data is under attack by means of the detection method;
step 2: when critical data is attacked while the Linux kernel runs, rolling that critical data back to its state before the attack; when the critical data is not attacked, leaving it untouched.
5. A detection system based on the detection method according to claim 1, comprising:
a data extraction module, for extracting security-critical data from the Linux kernel data according to the degree to which the kernel data is related to security;
a kernel data flow analysis module, for statically analyzing the Linux kernel data to obtain the data flow of the Linux kernel data;
a critical data flow analysis module, whose first input is connected to the output of the kernel data flow analysis module and whose second input is connected to the output of the data extraction module, for extracting the relationships among the security-critical data from the data flow of the Linux kernel data to obtain the data flow of the security-critical data;
an attack judgment module, whose input is connected to the output of the critical data flow analysis module, for monitoring critical data while the Linux kernel runs, comparing it with the data flow of the security-critical data and outputting the attack state of the Linux kernel data according to the result of the comparison;
the kernel data flow analysis module comprising:
a translation unit, for translating the Linux kernel source code into the LLVM intermediate representation using the translator;
an alias analysis unit, whose input is connected to the output of the translation unit, for performing flow-sensitive alias analysis on the LLVM intermediate representation to obtain an alias analysis result;
and a data flow analysis unit, whose input is connected to the output of the alias analysis unit, for performing path-sensitive data flow analysis with the alias analysis result as a precondition to obtain the data flow of the Linux kernel data.
6. The detection system according to claim 5, comprising a defense module whose input is connected to the output of the attack judgment module and which is configured to roll back the critical data of the running Linux kernel when the attack state of the Linux kernel data is "under attack", so that the critical data returns to its un-attacked state.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201711205897.1A (CN107967426B) | 2017-11-27 | 2017-11-27 | Detection method, defense method and system for Linux kernel data attack

Publications (2)

Publication Number | Publication Date
CN107967426A (en) | 2018-04-27
CN107967426B (en) | 2020-07-03

Family

ID=61998610

Country Status (1)

Country | Link
CN (1) | CN107967426B (en)


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant