CN108491249B - Kernel module isolation method and system based on module weight - Google Patents
Kernel module isolation method and system based on module weight Download PDFInfo
- Publication number
- CN108491249B CN108491249B CN201810218944.4A CN201810218944A CN108491249B CN 108491249 B CN108491249 B CN 108491249B CN 201810218944 A CN201810218944 A CN 201810218944A CN 108491249 B CN108491249 B CN 108491249B
- Authority
- CN
- China
- Prior art keywords
- module
- kernel
- isolated
- capability
- isolation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a kernel module isolation method and system based on module weight. Acquiring a module capability file of a kernel module to be isolated, wherein the module capability file is used for storing the module capability of the kernel module to be isolated; determining a module page table and a slab mark of the kernel module to be isolated according to the module capability of the kernel module to be isolated; and isolating the kernel module to be isolated according to the module page table and the slab mark of the kernel module to be isolated. Accordingly, the system comprises: the module analysis unit, the module loading unit and the module isolation unit. On the premise of not introducing a virtual machine monitor, the invention realizes the isolation of the basic kernel and the kernel module by marking different module capabilities for the kernel module to be isolated on the basis of ensuring the necessary interaction of the basic kernel and the kernel module, thereby avoiding an attacker from attacking the basic kernel through the kernel module and avoiding excessive system overhead.
Description
Technical Field
The invention relates to the technical field of computer operating systems, in particular to a kernel module isolation method and system based on module rights.
Background
The Linux system adopts a kernel model of a single kernel, which provides convenience for attackers. The design goal of the single kernel is to ensure the system performance, and the mutual calling efficiency of the internal entities of the kernel is high. However, since all instructions and data of the core are located within the same address space, the boundaries between various internal entities within the core are not particularly clear. Most operating systems today provide only process-level isolation and protection, and do not provide isolation and protection for the kernel component of the operating system, which allows an attacker to access most of the data and code of the operating system once it has entered the kernel. Loadable kernel modules are more threatening than the base kernel. This is because the Linux operating system allows modules to be loaded into the kernel, so that the modules have kernel authority to run. However, the loadable kernel module may be developed by different companies or individuals, and the security thereof is difficult to be guaranteed. In order to secure the Linux operating system kernel, necessary isolation needs to be implemented on the loadable kernel module loaded into the kernel to avoid introducing uncontrollable risks.
In order to prevent the integrity of the kernel from being damaged by an untrusted loadable module, a kernel integrity protection model-MOKIP is proposed and a prototype system is partially constructed. The operating system kernel, the credible loadable kernel module and the non-credible loadable kernel module are set as subjects, kernel codes, kernel data and the like are set as objects, and an access rule and a conversion rule are proposed by referring to models such as Clark-Wilson-Lite and the like. The system architecture of the MOKIP prototype system is shown in fig. 10. The access control module and the entity marking module are constructed on the virtual machine monitor level and are responsible for marking and judging access to the kernel code, the kernel data and the loadable kernel module. The MOKIP prototype system utilizes Intel Extended Page Table (EPT) technology to identify the integrity of the host and the object, utilizes EPT page table permissions to implement access control constraints, and basically implements the MOKIP model on an open-source XEN platform.
The operating system provides protection and isolation for user processes, but does not provide similar services for kernel components that are more sensitive to security performance. For this purpose, the existing VirtuOS scheme vertically divides the operating system into several service domains, each of which provides a specific service, and its system architecture is shown in fig. 11. Each service domain is located in a different virtual machine client and represents a subset of the operating system's kernel for specific functions, such as process management and scheduling, user memory management, and the like. Each individual service domain does not run or interfere with the associated management tasks or user processes provided by other service domains, and the running of one process may require the cooperation of multiple service domains. For this purpose, the VirtuOS also designs a system call dispatching model, dispatches the system call which needs to be called by a process to different service domains for completion, and returns the result. To do this, VirtuOS rewrites the libc library to complete system call dispatch and result reclamation.
Virtualization technology has good isolation characteristics, so that the prior art mostly utilizes virtualization technology to realize isolation of kernel components of an operating system, but this introduces a great system performance overhead. As shown in fig. 12, both the MOKIP prototype system and the VirtuOS system rely on a virtual machine monitor, and the isolation between the loadable kernel module and the base kernel is implemented at the level of the virtual machine monitor. Because a layer of virtual machine monitor is added in a kernel space and a hardware layer, a user must transit through the virtual machine monitor before accessing any hardware, that is, the user needs to rely on the virtual machine monitor every time the user accesses the hardware, which is equivalent to introducing the switching of a system execution environment, thereby causing the system performance to be reduced by times.
Disclosure of Invention
In order to solve the problem of system performance reduction caused by isolation of kernel components of an operating system by adopting a virtualization technology in the prior art, the invention provides a kernel module isolation method and a kernel module isolation system based on module rights.
In one aspect, the present invention provides a kernel module isolation method based on module weights, including:
step 1, performing module training on a kernel module to be isolated, and determining a module capability file of the kernel module to be isolated; when the kernel module to be isolated needs to be installed in a kernel operating system, acquiring a module capability file of the kernel module to be isolated, wherein the module capability file is used for storing the module capability of the kernel module to be isolated; the module capability refers to a set of read, write or execution permissions of the kernel module to be isolated on other components of the kernel;
and 3, constructing an isolation environment according to the module page table and the slab mark of the kernel module to be isolated, and isolating the kernel module to be isolated.
In another aspect, the present invention provides a kernel module isolation system based on module rights, including:
the module training unit is used for carrying out module training on the kernel module to be isolated and determining a module capability file of the kernel module to be isolated; the module capability refers to a set of read, write or execution permissions of the kernel module to be isolated on other components of the kernel;
the module analysis unit is used for acquiring a module capability file of the kernel module to be isolated when the kernel module to be isolated needs to be installed in a kernel operating system, wherein the module capability file is used for storing the module capability of the kernel module to be isolated;
the module loading unit is used for determining a module page table and a slab mark of the kernel module to be isolated according to the module capability of the kernel module to be isolated; the module page table is used for recording the access authority of the module to be isolated to the kernel resource; the slab mark refers to a kernel data type which can be accessed by a module to be isolated and is marked based on the slab;
and the module isolation unit is used for constructing an isolation environment according to the module page table and the slab mark of the kernel module to be isolated, and isolating the kernel module to be isolated.
According to the kernel module isolation method and system based on the module capability, the module capability attached to the kernel module is obtained, and the corresponding module page table and the slab mark are generated according to the module capability, so that the kernel module is isolated from the kernel according to the module page table and the slab mark. The invention realizes the isolation of the basic kernel and the kernel module by marking different capabilities to the kernel module on the basis of ensuring the necessary interaction of the basic kernel and the kernel module so as to prevent an attacker from attacking the basic kernel through the kernel module. Because the invention only marks different rights for the kernel module in the kernel space, the kernel module isolation is realized by limiting the rights of the kernel module on the premise of not sacrificing the system performance, and the execution environment switching between the kernel space and the virtual machine monitor is not involved, thereby avoiding introducing excessive system performance cost.
Drawings
Fig. 1 is a schematic flowchart of a kernel module isolation method based on module capability according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a kernel data object according to an embodiment of the present invention;
fig. 3 is a schematic flow chart of generating module weights according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of a method for expanding energy according to an embodiment of the present invention;
fig. 5 is a schematic flow chart illustrating a process of loading a kernel module to be isolated into a memory according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of an isolation domain provided by an embodiment of the present invention;
fig. 7 is a schematic diagram of a permission that a kernel module to be isolated accesses a kernel in an isolation mode/normal mode according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of a kernel module isolation system based on module capability according to an embodiment of the present invention;
fig. 9 is a system architecture diagram of a kernel module isolation system according to an embodiment of the present invention;
FIG. 10 is a diagram of a system architecture of a MOKIP prototype in the prior art;
FIG. 11 is a diagram illustrating a system architecture of a VirtuOS system in the prior art;
fig. 12 is a system architecture diagram of a prior art isolation method.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flowchart of a kernel module isolation method based on module weights according to an embodiment of the present invention. As shown in fig. 1, the method comprises the steps of:
s101, obtaining a module capability file of a kernel module to be isolated, wherein the module capability file is used for storing the module capability of the kernel module to be isolated;
specifically, when the kernel module to be isolated needs to be loaded into the kernel operating system, the kernel module isolation system obtains the module capability file of the kernel module to be isolated. By module capability is meant the set of read, write or execution permissions of the kernel module to other components of the kernel to be isolated. Generally, the module capability exists in the form of a file, that is, the module capability file is used for storing the relevant information of the module capability of the kernel module to be isolated. The normal operation of a kernel module does not generally require access to all kernel code and data, but only to the resources necessary to complete the task, whose read, write or execution rights reflect the module capabilities of the module. In order to ensure proper operation of the module, the system must support the requirements of module capabilities. In order to isolate the module, other components of the kernel are protected from being abused by the module, and the module performance must be limited to ensure that the module performance is minimized. In the embodiment of the invention, all kernel modules to be isolated are attached with module capability files for marking kernel components depended by the isolated modules.
S102, determining a module page table and a slab mark of the kernel module to be isolated according to the module capability of the kernel module to be isolated;
specifically, in the loading process of the to-be-isolated module, the kernel module isolation system needs to analyze the module capability file attached to the to-be-isolated kernel module, and know the system resource that the to-be-isolated kernel module needs to access, so as to determine the module page table and the slab flag thereof.
The module page table refers to a page table supporting the operation of a module, and in the page table, the module has an execution right in an occupied address space. The module page table records the access authority of the module to be isolated to the kernel resource. When the kernel module to be isolated is loaded into the memory, the operating system kernel updates the page table. First, when the kernel module to be isolated is just loaded into the memory, the kernel module isolation system allocates an initialization page table to the kernel module to be isolated, for example, as represented by the page table T. In the page table T, the module to be isolated has no execution authority in the kernel address space. The kernel module isolation system copies the page table T to generate a new page table P and modifies the contents of the page table P according to the resolved module capabilities. In the page table P, the module to be isolated has an execution right in the kernel address space where the module is located. The page table P, i.e. the module page table, reflects the range of access of the kernel resources by the module to be isolated.
The slab mark refers to a kernel data type which can be accessed by a module to be isolated and is marked based on the slab. Typically, most kernel data types are allocated and reclaimed using slabs. The kernel data objects that the to-be-isolated module needs to access will also be allocated and recycled by the slab. The function of the slab mark is to prompt that the current kernel data object of the system belongs to the module to be isolated and can be accessed when the slab is distributing the kernel data object. In the embodiment of the invention, in order to facilitate the identification of the kernel data object, a page identifier can be added to the page where the kernel data object is located. The page table entry corresponding to each page has 3 bits for standby, and the 10 th bit in the page can be used for indicating that the current page contains a data object which is allowed to be accessed by the kernel module to be isolated. Fig. 2 is a schematic diagram of a kernel data object according to an embodiment of the present invention. When the kernel module isolation system requests the tab for the first time, the tab also needs to scan other data types of the current kernel and tab the kernel module to be isolated, which has been allocated and is not yet marked. The slab is one of the memory managers of the Linux operating system, and is responsible for allocating and releasing the cache of the memory for the new system object.
S103, isolating the kernel module to be isolated according to the module page table and the slab mark of the kernel module to be isolated;
specifically, when the kernel module to be isolated runs, the kernel module to be isolated does not have an execution right in the kernel address space, and the kernel module to be isolated falls into an interrupt exception due to a page exception. And the kernel module isolation system marks the kernel module to be isolated according to the module page table and the slab to construct an isolation environment. And when the kernel module to be isolated stops running, the kernel module isolation system cancels the isolation environment.
If the kernel module to be isolated puts forward a new energy requirement in the operation process, the kernel module isolation system submits the energy requirement to the support interface and further submits the energy requirement to the user interface, and the user interface determines whether to agree with the energy requirement of the kernel module to be isolated. The user interface returns the result to the kernel module isolation system through the support interface, so that the kernel module isolation system combines the capability requirement allowed by the user interface with the module capability attached to the kernel module to be isolated, thereby forming the new module capability of the module.
According to the kernel module isolation method based on the module capability, provided by the embodiment of the invention, the corresponding module page table and the slab mark are generated according to the module capability by acquiring the module capability attached to the kernel module, so that the kernel module is isolated from the kernel according to the module page table and the slab mark. The invention realizes the isolation of the basic kernel and the kernel module by marking different capabilities to the kernel module on the basis of ensuring the necessary interaction of the basic kernel and the kernel module so as to prevent an attacker from attacking the basic kernel through the kernel module. Because the invention only marks different rights for the kernel module in the kernel space, the kernel module isolation is realized by limiting the rights of the kernel module on the premise of not sacrificing the system performance, and the execution environment switching between the kernel space and the virtual machine monitor is not involved, thereby avoiding introducing excessive system performance cost.
On the basis of the above embodiment, the method further includes: and carrying out module training on the kernel module to be isolated, and determining a module capability file of the kernel module to be isolated.
Specifically, module training is to obtain the capabilities required for the module to function properly. In the embodiment of the invention, the module training adopts a method combining static analysis and dynamic training. The static analysis means that the kernel module isolation system analyzes the source code of the kernel module to be isolated, records the kernel function called by the kernel module to be isolated and the read-write data range, generates an access record set, and identifies the resources required by the normal work of the kernel module to be isolated according to the access record set. The dynamic training refers to adopting a simulation execution method, and the kernel module isolation system identifies resources required by the normal work of the kernel module to be isolated by monitoring kernel codes executed when the kernel module to be isolated runs and read-write data objects. The above resources that the kernel module to be isolated needs to access will be the data basis for generating the module capabilities.
Fig. 3 is a schematic flow chart of generating module weights according to an embodiment of the present invention. As shown in fig. 3, the embodiment of the present invention adopts a dynamic training method based on a virtual machine monitor. One of the necessary conditions for dynamic training is that the kernel module to be isolated cannot know that it is being monitored, otherwise the kernel module to be isolated may hide some malicious behavior, thereby avoiding monitoring. Virtualization technology can provide good isolation support, and a kernel module to be isolated running in a virtual machine client cannot sense whether the kernel module is in a monitored state. Any hardware access passes through the virtual machine monitor, so that the memory access behavior of the kernel module to be isolated can be effectively monitored on the virtual machine monitor level.
The embodiment of the invention adopts a 'capability expansion' method to implement dynamic monitoring. Fig. 4 is a schematic flow chart of a method for expanding energy according to an embodiment of the present invention. As shown in fig. 4, in the initial state, the kernel module to be isolated only allows access to the address space to which the kernel module belongs. In general, the address space cannot meet the operation requirement of the kernel module to be isolated, and other address spaces of the kernel can be accessed. However, the kernel module to be isolated does not have the right to access other address spaces, so that the page generates an exception, and the kernel module to be isolated can be trapped in the virtual machine monitor. At this time, the monitor located in the virtual machine monitor is awakened, the page table of the virtual machine monitor is modified, the corresponding page is authorized to the kernel module to be isolated, and the access information of the kernel module to be isolated is recorded. It should be noted that the monitor modifies the page table at the monitor level of the virtual machine, rather than the page table of the operating system in the virtual machine client, so as to ensure that the kernel module to be isolated cannot know whether it is in the monitored state. By gradually expanding the capability of the kernel module to be isolated, the kernel module to be isolated is not involved in an exception due to memory access any more, for example, a time threshold may be set in an actual operation, and if the kernel module to be isolated is not involved in an exception within the time threshold, the module capability of the kernel module to be isolated is considered to have converged.
In actual operation, the kernel module isolation system needs to distinguish objects when the kernel module to be isolated accesses the memory when generating the module capability according to the access record set. For the kernel code, since it is static, the monitor only needs to record the accessed series function information. For kernel data, the monitor needs to keep track of the type of data object accessed. For kernel data areas where the kernel stack and the like are always in dynamic change, we do not record temporarily, but directly authorize the kernel module. Although the kernel stack is not protected in an isolation manner, the isolation strength is reduced, but in view of the frequent use of the kernel stack, the repeated setting of the authority for the page to which the kernel stack belongs affects the overall performance of the system, so the embodiment of the invention does not consider the situation.
The embodiment of the invention can adopt the traditional static analysis method to analyze the system resources accessed by the kernel module to be isolated. For example, the kernel module isolation system takes the source code of the kernel module to be isolated as input, and summarizes the kernel function list and the kernel data object which need to be accessed by the kernel module to be isolated by analyzing the access behavior in the source code. For example, the kernel module isolation system may also obtain a program assembly instruction set by using a decompilation technology, and analyze an access behavior of the kernel module to be isolated by relying on the program assembly instruction.
According to the kernel module isolation method based on the module right, provided by the embodiment of the invention, the module right of the kernel module to be isolated can be accurately determined by performing module training on the kernel module to be isolated, so that the safety of the kernel can be ensured on the premise of ensuring the normal work of the kernel module in the subsequent process, and excessive system overhead is avoided.
On the basis of the above embodiments, the module capability file in the method specifically includes: a module integrity fingerprint, a list of kernel functions accessed, and a list of kernel data objects and types accessed.
Specifically, the module capability exists in a file form, and records kernel resources required by the module to run and integrity fingerprints of the module. In the embodiment of the present invention, the information stored in the file by the module capability includes: a module integrity fingerprint, a list of kernel functions accessed, and a list of kernel data objects and types accessed.
The module integrity fingerprint is a Hash value of a module corresponding to the module capability, and aims to establish a corresponding relation between the module capability and a target module and avoid misuse. The accessed kernel function list refers to the kernel function set which needs to be accessed by the target module to work normally. The accessed kernel data object and the access type list refer to a kernel data object set and an operation type which are required to be accessed by the target module to work normally.
On the basis of the above embodiment, the determining a module page table and a slab flag of the kernel module to be isolated according to the module capability of the kernel module to be isolated in the method specifically includes:
according to the module integrity fingerprint, matching and verifying the module capability and the kernel module to be isolated;
if the module capability and the kernel module to be isolated are matched and verified, determining a slab mark of the kernel module to be isolated according to the accessed kernel data object and the type list; and determining a module page table of the kernel module to be isolated according to the accessed kernel function list.
Specifically, fig. 5 is a schematic flow chart illustrating a process of loading the kernel module to be isolated into the memory according to the embodiment of the present invention. As shown in fig. 5, the process of loading the kernel module to be isolated into the memory includes the following steps: firstly, loading a kernel module to be isolated into a memory, and isolating the integrity fingerprint of a system computing module by the kernel module; then, the kernel module isolation system reads the module capability file, completes the matching verification with the kernel module to be isolated according to the module integrity fingerprint recorded by the module capability, and acquires two lists in the module capability on the basis of completing the verification; secondly, the kernel module isolation system interacts with the slab according to the kernel data objects and the access type list of the access recorded by the module capability to complete slab marking so as to ensure that all newly generated data objects are marked and update page read/write permission; and finally, the kernel module isolation system interacts with the slab again, marks the current kernel data object, and generates a module page table of the kernel module to be isolated for standby according to the access kernel function list recorded by the module capability.
On the basis of the foregoing embodiments, the isolating the kernel module to be isolated according to the module page table and the slab flag of the kernel module to be isolated in the method specifically includes:
determining an isolation domain of the kernel module to be isolated according to the module page table and the slab mark of the kernel module to be isolated;
and isolating the kernel module to be isolated from the kernel according to the isolation domain of the kernel module to be isolated and the execution mode of the kernel.
Specifically, in the embodiment of the present invention, the kernel module isolation system does not only isolate the kernel module extended outside the kernel, but in order to ensure the normal operation of the kernel module to be isolated and ensure the interaction between the kernel module and other kernel components, the kernel module isolation system also needs to isolate the kernel components on which the kernel module depends. Fig. 6 is a schematic diagram of an isolation domain according to an embodiment of the present invention. The component to be isolated shown in fig. 6 includes not only the core module to be isolated but also a part of the basic core and a part of other modules. The isolated scope is referred to as an isolated domain in the embodiments of the present invention, that is, the isolated domain refers to the isolated scope of the kernel module to be isolated, and generally includes the kernel module to be isolated itself and other kernel components that must be relied on for its operation.
In actual operation, the kernel module isolation system can divide the kernel address space into three parts: the address space occupied by the kernel module to be isolated, the address space occupied by the kernel component for supporting the operation of the module and the address space occupied by other kernel components. The kernel components of the support module are kernel resources such as kernel functions, kernel data objects and the like which need to be accessed when the kernel module to be isolated works normally. The kernel module isolation system limits the access of the kernel module to be isolated to other components of the kernel space by transforming the access authority of the three parts of address space.
Fig. 7 is a schematic diagram of the permission of the kernel module to be isolated to access the kernel in the isolated mode/normal mode according to the embodiment of the present invention. As shown in fig. 7, the operating system kernel has two operating modes: an isolated mode and a normal mode. The key of the kernel module isolation system for dividing the two working modes is whether the kernel module to be isolated has an execution authority or not. In the isolation mode, the kernel module to be isolated has an execution authority, and meanwhile, according to the module capability file, related kernel components which interact with the kernel module to be isolated also have corresponding execution authorities. Correspondingly, in the normal mode, the kernel module to be isolated does not have the execution authority. In isolated mode, the support component may have execution authority. For example, when the kernel module to be isolated normally accesses part of kernel functions, the pages where the kernel functions are located also have execution authority, so that the kernel functions are prevented from interfering with the normal operation of other components of the kernel. Of course, the pages occupied by the support component may also have read, write or execute rights.
When the kernel module to be isolated is loaded into the memory for the first time, the kernel of the operating system is in a normal mode, and the kernel module to be isolated does not have an execution authority. When the kernel module to be isolated requires execution, a page exception is generated, and the kernel module isolation system loads a module page table to replace a conventional page table. By regular page tables we mean the page tables of a conventional operating system, a concept opposite to the block page tables. In the page table, the address space occupied by the kernel module to be isolated has no execution authority. After the kernel module isolation system completes page table switching, the kernel of the operating system is switched from a normal mode to an isolation mode, and at the moment, the kernel module to be isolated has an execution authority and starts to work normally. After the kernel module to be isolated finishes working and exits execution, the kernel of the operating system continues to execute until the kernel module isolation system finishes page table switching again after the execution request of other components exists.
In actual operation, the module page table and the conventional page table have a synchronization problem because the kernel page table is always in a dynamically changing process. In order to solve the problem, in the embodiment of the present invention, a module page table and a conventional page table share one entity page table, a module page table change log is constructed, and the module page table and the conventional page table are constructed by using the entity page table as a main entity page table in a manner of being updated immediately after use. In a simple way, when the kernel of the operating system is switched to the isolation mode, the kernel of the operating system updates the module capability information into the conventional page table according to the change log of the module page table by taking the conventional page table as a reference to obtain the module page table; when the operating system kernel is switched to the conventional mode, the operating system kernel takes the module page table as a reference, and withdraws the module capability information from the page table according to the module page table change log, thereby restoring the conventional page table.
It should be noted that the kernel module isolation system must maintain the support component in real time. The first situation of the change of the support component is that the slab allocates a new data object, the data object needs to be accessed by the kernel module to be isolated, and at the moment, the kernel module isolation system sets the authority of the page where the data object is located according to the slab mark. The second case of support component change is due to incomplete early-stage module capabilities, and the kernel module to be isolated makes a new resource access request. In this case, the kernel module isolation system submits the request of the kernel module expansion capability to be isolated and the relevant details to the user interface through the support interface of the kernel, and the user determines whether to expand the capability. In either case, the kernel module isolation system must maintain the support components in real time to ensure the normal operation of the kernel module to be isolated.
Alternatively, when the operating system kernel receives an instruction such as rmmod (i.e., remove a specified module) that requires evacuation of the kernel module to be isolated, the kernel module isolation system may do the following: firstly, whether the current mode is in the isolation mode is judged, and if so, the mode is switched to the normal mode. And then stopping the slab marking, and not marking the newly generated kernel data object, but not canceling the marking of the marked kernel object. The isolated module is then moved out of memory according to conventional methods. And finally, judging whether the module capability is updated by a user in the module execution process, if so, updating the module capability file, and otherwise, ending the module unloading process.
According to the kernel module isolation method based on the module capability, provided by the embodiment of the invention, the corresponding module page table and the slab mark are generated according to the module capability by acquiring the module capability attached to the kernel module, so that the kernel module is isolated from the kernel according to the module page table and the slab mark. The invention realizes the isolation of the basic kernel and the kernel module by marking different capabilities to the kernel module on the basis of ensuring the necessary interaction of the basic kernel and the kernel module so as to prevent an attacker from attacking the basic kernel through the kernel module. Because the invention only marks different rights for the kernel module in the kernel space, the kernel module isolation is realized by limiting the rights of the kernel module on the premise of not sacrificing the system performance, and the execution environment switching between the kernel space and the virtual machine monitor is not involved, thereby avoiding introducing excessive system performance cost.
Fig. 8 is a schematic structural diagram of a kernel module isolation system based on module performance according to an embodiment of the present invention. As shown in fig. 8, the kernel module isolation system includes: a module analysis unit 801, a module loading unit 802, and a module isolation unit 803; the module analysis unit 801 is configured to obtain a module capability file of a kernel module to be isolated, where the module capability file is used to store the module capability of the kernel module to be isolated; the module loading unit 802 is configured to determine a module page table and a slab flag of the kernel module to be isolated according to the module capability of the kernel module to be isolated; the module isolation unit 803 is configured to isolate the kernel module to be isolated according to the module page table and the slab flag of the kernel module to be isolated.
Specifically, when the kernel module to be isolated needs to be loaded into the kernel operating system, the module analysis unit 801 obtains the module capability of the kernel module to be isolated. In the process of loading the kernel module to be isolated, the module loading unit 802 needs to analyze the module capability attached to the kernel module to be isolated, and know the system resource that the kernel module to be isolated needs to access, so as to determine the module page table and the slab flag thereof. When the kernel module to be isolated runs, the kernel module to be isolated does not have an execution authority in the kernel address space, and the kernel module to be isolated falls into an interrupt exception due to page exception. The module isolation unit 803 builds an isolation environment according to the module page table and the slab marked as the kernel module to be isolated. Optionally, after the kernel module to be isolated stops operating, the module isolation unit 803 cancels the isolation environment. It should be noted that the kernel module isolation system based on module weights provided in the embodiment of the present invention is for implementing the method embodiment, and the functions of the kernel module isolation system may specifically refer to the method embodiment, which is not described herein again.
Fig. 9 is a system architecture diagram of a kernel module isolation system according to an embodiment of the present invention. As shown in fig. 9, all the kernel modules to be isolated are attached with a module capability file for indicating kernel components on which the kernel modules to be isolated depend. On the basis of the traditional module loading function, the module loading unit needs to construct a module page table and a slab mark for the kernel module to be isolated according to the prompt of module capability. When the kernel module to be isolated runs, the page exception falls into the interrupt exception, and the module isolation unit constructs an isolation environment for the kernel module to be isolated according to the module page table. And when the kernel module to be isolated stops running, the module isolation unit cancels the isolation environment. Once the kernel module to be isolated puts forward a new capability requirement, the module isolating unit submits the capability requirement to the support interface and further submits the capability requirement to the user interface, and the user interface determines whether to agree with the capability requirement of the kernel module to be isolated. The module isolation unit combines the capability requirements allowed by the user interface and the module capabilities attached to the module to form a new module capability for the module.
According to the kernel module isolation system based on the module capability, provided by the embodiment of the invention, the module analysis unit acquires the module capability attached to the kernel module, the module loading unit generates the corresponding module page table and the slab mark according to the module capability, and the module isolation unit realizes the isolation between the kernel module and the kernel according to the module page table and the slab mark. The invention realizes the isolation of the basic kernel and the kernel module by marking different capabilities to the kernel module on the basis of ensuring the necessary interaction of the basic kernel and the kernel module so as to prevent an attacker from attacking the basic kernel through the kernel module. Because the invention only marks different rights for the kernel module in the kernel space, the kernel module isolation is realized by limiting the rights of the kernel module on the premise of not sacrificing the system performance, and the execution environment switching between the kernel space and the virtual machine monitor is not involved, thereby avoiding introducing excessive system performance cost.
On the basis of the above embodiment, the system further includes: and the module training unit is used for carrying out module training on the kernel module to be isolated and determining the module capability file of the kernel module to be isolated.
Specifically, the module training unit is used for obtaining the capability required by the module to normally operate. In the embodiment of the invention, the module training unit performs module training on the kernel module to be isolated by adopting a method of combining static analysis and dynamic training. The static analysis means that the module training unit 804 performs analysis on the source code of the kernel module to be isolated, records the kernel function called by the kernel module to be isolated and the read-write data range, generates an access record set, and identifies the resource required by the kernel module to be isolated to normally work according to the access record set. The dynamic training refers to adopting a simulation execution method, and the module training unit identifies resources required by the normal work of the kernel module to be isolated by monitoring kernel codes executed when the kernel module to be isolated runs and read-write data objects. The above resources that the kernel module to be isolated needs to access will be the data basis for generating the module capabilities.
On the basis of the above embodiment, the module loading unit in the system specifically includes:
the module verification subunit is used for performing matching verification on the module capability and the kernel module to be isolated according to the module integrity fingerprint;
determining subunits by a module page table and a slab mark, and if the module capability is matched and verified with the kernel module to be isolated, determining the slab mark of the kernel module to be isolated according to the accessed kernel data object and the type list; and determining a module page table of the kernel module to be isolated according to the accessed kernel function list.
Specifically, the process of loading the kernel module to be isolated into the memory includes the following steps: firstly, the module is loaded into a memory, and the module verifies the integrity fingerprint of the subunit calculation module; then, the module verification subunit reads the module capability file, completes the matching verification with the kernel module to be isolated according to the module integrity fingerprint recorded by the module capability, and acquires two lists in the module capability on the basis of completing the verification; secondly, the module page table and the slab mark determine that the subunit interacts with the slab according to the accessed kernel data object and the accessed type table recorded by the module capability to complete the slab mark so as to ensure that all newly generated data objects are marked and update the page read/write permission; and finally, the module page table and the slab mark determine that the subunit interacts with the slab again, mark the current kernel data object, and generate the module page table of the kernel module to be isolated for standby according to the access kernel function list recorded by the module capability.
On the basis of the above embodiments, the module isolation unit in the system specifically includes:
determining an isolation domain subunit, and determining an isolation domain of the kernel module to be isolated according to the module page table and the slab mark of the kernel module to be isolated;
and the kernel module isolation subunit is used for isolating the kernel module to be isolated from the kernel according to the isolation domain of the kernel module to be isolated and the execution mode of the kernel.
The kernel module isolation system based on the module right provided by the embodiment of the invention relies on the operating system to construct the isolation module, and fully utilizes the access control mechanism based on the page to limit the access of the module to other components of the kernel, thereby ensuring that the system performance is not influenced. In terms of isolation strength, although the method provided by the invention is weaker than a method based on a virtualization monitor, the module can still be ensured to be unable to break through the isolation range to a certain extent. In terms of performance overhead, the invention avoids the performance overhead brought by the virtual machine monitor, and compared with the traditional operating system, the invention mainly increases the performance overhead of page switching, and the performance overhead has limited influence on the overall performance of the system. In summary, the present invention sacrifices some of the isolation strength to improve overall performance overhead.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (8)
1. A kernel module isolation method based on module weight is characterized by comprising the following steps:
step 1, performing module training on a kernel module to be isolated, and determining a module capability file of the kernel module to be isolated; when the kernel module to be isolated needs to be loaded into a kernel operating system, acquiring a module capability file of the kernel module to be isolated, wherein the module capability file is used for storing the module capability of the kernel module to be isolated, and the module capability refers to a set of read, write or execution rights of the kernel module to be isolated to other components of a kernel;
step 2, determining a module page table and a slab mark of the kernel module to be isolated according to the module capability of the kernel module to be isolated; the module page table is used for recording the access authority of the module to be isolated to the kernel resource; the slab mark refers to a kernel data type which can be accessed by a module to be isolated and is marked based on the slab;
and 3, constructing an isolation environment according to the module page table and the slab mark of the kernel module to be isolated, and isolating the kernel module to be isolated.
2. The method of claim 1, wherein the module capability file specifically comprises: a module integrity fingerprint, a list of kernel functions accessed, and a list of kernel data objects and types accessed.
3. The method according to claim 2, wherein step 2 is specifically:
according to the module integrity fingerprint, matching and verifying the module capability and the kernel module to be isolated;
if the module capability and the kernel module to be isolated are matched and verified, determining a slab mark of the kernel module to be isolated according to the accessed kernel data object and the type list; and determining a module page table of the kernel module to be isolated according to the accessed kernel function list.
4. The method according to claim 1, wherein step 3 specifically comprises:
determining an isolation domain of the kernel module to be isolated according to the module page table and the slab mark of the kernel module to be isolated;
and isolating the kernel module to be isolated from the kernel according to the isolation domain of the kernel module to be isolated and the execution mode of the kernel.
5. A kernel module isolation system based on module capabilities, comprising:
the module training unit is used for carrying out module training on the kernel module to be isolated and determining a module capability file of the kernel module to be isolated; the module capability refers to a set of read, write or execution permissions of the kernel module to be isolated on other components of the kernel;
the module analysis unit is used for acquiring a module capability file of the kernel module to be isolated when the kernel module to be isolated needs to be installed in a kernel operating system, wherein the module capability file is used for storing the module capability of the kernel module to be isolated;
the module loading unit is used for determining a module page table and a slab mark of the kernel module to be isolated according to the module capability of the kernel module to be isolated; the module page table is used for recording the access authority of the module to be isolated to the kernel resource; the slab mark refers to a kernel data type which can be accessed by a module to be isolated and is marked based on the slab;
and the module isolation unit is used for constructing an isolation environment according to the module page table and the slab mark of the kernel module to be isolated, and isolating the kernel module to be isolated.
6. The system of claim 5, wherein the module capability file specifically comprises: a module integrity fingerprint, a list of kernel functions accessed, and a list of kernel data objects and types accessed.
7. The system of claim 6, wherein the module loading unit specifically comprises:
the module verification subunit is used for performing matching verification on the module capability and the kernel module to be isolated according to the module integrity fingerprint;
determining subunits by a module page table and a slab mark, and if the module capability is matched and verified with the kernel module to be isolated, determining the slab mark of the kernel module to be isolated according to the accessed kernel data object and the type list; and determining a module page table of the kernel module to be isolated according to the accessed kernel function list.
8. The system of claim 5, wherein the module isolation unit specifically comprises:
determining an isolation domain subunit, and determining an isolation domain of the kernel module to be isolated according to the module page table and the slab mark of the kernel module to be isolated;
and the kernel module isolation subunit is used for isolating the kernel module to be isolated from the kernel according to the isolation domain of the kernel module to be isolated and the execution mode of the kernel.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810218944.4A CN108491249B (en) | 2018-03-16 | 2018-03-16 | Kernel module isolation method and system based on module weight |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810218944.4A CN108491249B (en) | 2018-03-16 | 2018-03-16 | Kernel module isolation method and system based on module weight |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108491249A CN108491249A (en) | 2018-09-04 |
| CN108491249B true CN108491249B (en) | 2020-11-10 |
Family
ID=63339491
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810218944.4A Active CN108491249B (en) | 2018-03-16 | 2018-03-16 | Kernel module isolation method and system based on module weight |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108491249B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117113378A (en) * | 2023-09-12 | 2023-11-24 | 腾云创威信息科技(威海)有限公司 | Load space isolation method and system based on capability |
Family Cites Families (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8090919B2 (en) * | 2007-12-31 | 2012-01-03 | Intel Corporation | System and method for high performance secure access to a trusted platform module on a hardware virtualization platform |
| CN102938035B (en) * | 2012-11-08 | 2015-05-27 | 西安交通大学 | Driving separation system inside virtual machine and method |
| US9569612B2 (en) * | 2013-03-14 | 2017-02-14 | Daniel Shawcross Wilkerson | Hard object: lightweight hardware enforcement of encapsulation, unforgeability, and transactionality |
| CN104036185B (en) * | 2014-06-23 | 2017-04-12 | 常熟理工学院 | Virtualization based power and function isolating method for loading module of monolithic kernel operation system |
| CN104732140A (en) * | 2015-04-13 | 2015-06-24 | 成都睿峰科技有限公司 | Program data processing method |
| CN107085535B (en) * | 2017-03-30 | 2020-10-27 | 联想(北京)有限公司 | Information processing method and electronic equipment |
| CN107203410B (en) * | 2017-04-14 | 2020-02-14 | 华中科技大学 | VMI method and system based on system call redirection |
-
2018
- 2018-03-16 CN CN201810218944.4A patent/CN108491249B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN108491249A (en) | 2018-09-04 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109558211B (en) | Method for protecting interaction integrity and confidentiality of trusted application and common application | |
| US7380049B2 (en) | Memory protection within a virtual partition | |
| CN109522754B (en) | Core control method for trusted isolation environment of mobile terminal | |
| US8464252B2 (en) | Per process virtual machines | |
| JP6484255B2 (en) | Host attestation, including trusted execution environment | |
| JP5487479B2 (en) | Method and apparatus for enforcing security policy for anti-virus (AV) scanner independent of operating system (OS) | |
| KR102255767B1 (en) | Systems and methods for virtual machine auditing | |
| KR100927750B1 (en) | Tamper protection of software agents operating in a vt environment methods and apparatuses | |
| KR101946982B1 (en) | Process Evaluation for Malware Detection in Virtual Machines | |
| EP2764434B1 (en) | Security in virtualized computer programs | |
| CN100533385C (en) | A method and device for providing system integrity and legacy environment emulation | |
| US9202062B2 (en) | Virtual machine validation | |
| US7975117B2 (en) | Enforcing isolation among plural operating systems | |
| US10831889B2 (en) | Secure memory implementation for secure execution of virtual machines | |
| CN109858288B (en) | Method and device for realizing safety isolation of virtual machine | |
| KR20170067740A (en) | Protecting application secrets from operating system attacks | |
| US20170344731A1 (en) | Self-described security model for resource access | |
| KR101323858B1 (en) | Apparatus and method for controlling memory access in virtualized system | |
| WO2012084837A1 (en) | Virtual machine validation | |
| Gold et al. | A security retrofit of VM/370 | |
| Gold et al. | KVM/370 in retrospect | |
| CN106911814A (en) | Large-scale data distributed storage method | |
| TW202038104A (en) | Secure storage isolation | |
| CN108491249B (en) | Kernel module isolation method and system based on module weight | |
| CN110348234A (en) | Pressure access safety strategy implementation method and management method in MILS framework |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |