CN111291364A - Kernel security detection method, device, equipment and storage medium - Google Patents


Info

Publication number: CN111291364A
Authority: CN (China)
Prior art keywords: process permission; credential set; permission credential; stored; hash value
Legal status: Granted
Application number: CN201811495107.2A
Other languages: Chinese (zh)
Other versions: CN111291364B
Inventors: 李丹, 裘绍翔, 申晨
Current Assignee: Banma Zhixing Network Hongkong Co Ltd
Original Assignee: Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201811495107.2A (CN111291364B), TW108130239A (TW202044079A), PCT/CN2019/122335 (WO2020114342A1)
Publication of CN111291364A; application granted; publication of CN111291364B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The invention provides a kernel security detection method, device, equipment and storage medium. On a use path of a process permission credential set, the current process permission credential set is compared with a pre-stored process permission credential set, where the process permission credential set comprises information related to process permissions; whether the current process permission credential set has been maliciously modified is then judged according to the comparison result. By performing integrity detection on the process permission credential set on that path, the check takes place later than the actual attack, but it is difficult for an attacker to bypass.

Description

Kernel security detection method, device, equipment and storage medium
Technical Field
The present invention relates to the field of kernel security, and in particular, to a kernel security detection method, apparatus, device, and storage medium.
Background
In recent years the range of Linux applications has kept expanding; Linux is widely used in servers, desktops, embedded devices and other fields, and as it is adopted around the world its security problems receive increasing attention.
At present, an attacker mainly obtains privileges higher than those granted to it through a kernel vulnerability, and then uses those privileges to further damage the system. The existing kernel protection scheme mainly divides the kernel cred structure into a read-only part and a writable part that are protected separately. However, the pointer to the cred structure is stored in the kernel process structure (not in the cred structure itself), so although the key cred data is read-only protected, the scheme can be bypassed if the cred pointer in the process structure is modified.
Therefore, a more effective kernel security detection scheme is needed.
Disclosure of Invention
An object of the present invention is to provide a more effective kernel security detection method, apparatus, device and storage medium, so as to enhance kernel security.
According to a first aspect of the present invention, there is provided a kernel security detection method, including: on a use path of a process permission credential set, comparing the current process permission credential set with a pre-stored process permission credential set, wherein the process permission credential set comprises information related to process permissions; and judging whether the current process permission credential set has been maliciously modified according to the comparison result.
Optionally, the step of comparing the current process permission credential set with the pre-stored process permission credential set includes: calculating a hash value of the current process permission credential set on the use path of the process permission credential set to obtain a first hash value; and comparing the first hash value with a second hash value, wherein the second hash value is obtained by performing the hash calculation on the pre-stored process permission credential set.
Optionally, the step of judging whether the current process permission credential set has been maliciously modified includes: judging that the process permission credential set has been maliciously modified when the first hash value is inconsistent with the second hash value.
Optionally, the method further comprises: in response to the process permission credential set being modified in a secure manner, calculating a hash value of the modified process permission credential set to obtain the second hash value.
Optionally, the pre-stored process permission credential set is a process permission credential set obtained by modifying the process permission credential set in a secure manner.
Optionally, the secure manner is calling a standard interface function corresponding to the process permission credential set.
Optionally, the process permission credential set comprises at least one of: a group ID; a user ID; an effective user ID; a capability; a security pointer; a security context; the address of the current process permission credential set; and a boot random number.
Optionally, the step of comparing the current process permission credential set with the pre-stored process permission credential set on the use path of the process permission credential set includes: comparing the current process permission credential set with the pre-stored process permission credential set at a system call entry; and/or comparing the current process permission credential set with the pre-stored process permission credential set when the fork/exec function executes.
According to a second aspect of the present invention, there is also provided a kernel security detection apparatus, including: a comparison module for comparing the current process permission credential set with a pre-stored process permission credential set on a use path of the process permission credential set, wherein the process permission credential set comprises information related to process permissions; and a judging module for judging whether the current process permission credential set has been maliciously modified according to the comparison result.
Optionally, the comparison module comprises: a first calculation module for calculating the hash value of the current process permission credential set on the use path of the process permission credential set to obtain a first hash value; and a comparison submodule for comparing the first hash value with a second hash value, wherein the second hash value is obtained by performing the hash calculation on the pre-stored process permission credential set.
Optionally, the judging module judges that the process permission credential set has been maliciously modified when the first hash value is inconsistent with the second hash value.
Optionally, the apparatus further comprises: a second calculation module for calculating, in response to the process permission credential set being modified in a secure manner, a hash value of the modified process permission credential set to obtain the second hash value.
Optionally, the pre-stored process permission credential set is a process permission credential set obtained by modifying the process permission credential set in a secure manner.
Optionally, the secure manner is calling a standard interface function corresponding to the process permission credential set.
Optionally, the process permission credential set comprises at least one of: a group ID; a user ID; an effective user ID; a capability; a security pointer; a security context; the address of the current process permission credential set; and a boot random number.
Optionally, the comparison module compares the current process permission credential set with the pre-stored process permission credential set at the system call entry, and/or when the fork/exec function executes.
According to a third aspect of the present invention, there is also provided a computing device comprising: a processor; and a memory having executable code stored thereon, which when executed by the processor, causes the processor to perform the method according to the first aspect of the invention.
According to a fourth aspect of the invention, there is also provided a non-transitory machine-readable storage medium having stored thereon executable code, which when executed by a processor of an electronic device, causes the processor to perform the method as set forth in the first aspect of the invention.
According to the invention, based on how the process permission credential set is used in the kernel, a path is identified that is difficult for an attacker to bypass after modifying the process permission credential set, and integrity detection is performed on the process permission credential set on that path. For example, with passive checking at system calls and at fork/exec, the check happens later than the actual attack, but it is difficult for the attacker to bypass.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in greater detail exemplary embodiments thereof with reference to the attached drawings, in which like reference numerals generally represent like parts throughout.
Fig. 1 shows a data structure diagram of a kernel structure of a process.
FIG. 2 is a schematic flow chart diagram illustrating a kernel security detection method according to an embodiment of the present invention.
Fig. 3 shows a schematic diagram of fields added to a hash calculation.
Fig. 4 is a schematic block diagram showing the structure of a kernel security detection apparatus according to an embodiment of the present invention.
Fig. 5 is a schematic structural diagram of a data processing computing device that can be used to implement the above-described kernel security detection method according to an embodiment of the present invention.
Detailed Description
Preferred embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While the preferred embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
[Term interpretation]
Kernel privilege escalation: an attack method that uses a kernel vulnerability to obtain, for a process, privileges higher than those the system assigns to it.
Kernel structure: each process has a corresponding task_struct instance in the kernel; this structure is what the process looks like from the kernel's point of view.
cred structure: the kernel structure of each process holds two cred structure pointers; the cred structure records the identity and authority of the current process as subject/object, including uid, gid, euid, capabilities, security context and so on.
uid: the user ID, a unique identifier for each user.
gid: the group ID, a unique identifier for each user group.
euid: the effective user ID, which determines the process's access rights to files and resources.
capability: starting from version 2.1, the Linux kernel has had the concept of capabilities, which breaks up the superuser/normal-user dichotomy of UNIX/Linux so that a normal user can also perform work that previously only the superuser could.
[Scheme overview]
The Linux operating system is taken as an example below to explain the implementation principle of the kernel security detection scheme of the invention. It should be understood that the invention may also apply to other operating systems similar to Linux.
As Linux has developed, the management of system permissions has moved from the initial discretionary access control (DAC, including UID and capabilities) to the later mandatory access control of SELinux; the operating system provides finer-grained management and safer guarantees for process access permissions, and from the kernel's point of view all of these guarantees rest on a structure named cred.
cred is a data structure owned by each process in which information related to process rights, such as user/group information and capability information, is stored. The detailed definition of the cred structure is prior art and is not described here.
Each process has a kernel stack, and in kernel mode the process usually obtains the address of its own task_struct as current_thread_info()->task. As shown in fig. 1, the process information (thread_info) is stored at the lowest end of the kernel stack and includes the address space limit (addr_limit) accessible to the process and the process control block (task_struct); the process permission credential set (i.e. the cred structure) can be obtained from the task_struct. As shown, the process permission credential set may include, but is not limited to, uid, gid, euid, capabilities, security context and the like.
Kernel privilege escalation refers to an attack method that uses a kernel vulnerability to obtain, for a process, privileges higher than those the system assigns to it. For an attacker, kernel privilege escalation in a Linux system generally comes down to two methods:
1) From a code perspective, modify the cred operation functions, including but not limited to the xid, cap_xxx and security/context check functions, so as to bypass the security checks.
2) From a data perspective, modify the cred content directly, including but not limited to directly modifying the contents of xid, cap_xxx and security/context.
Modifying the cred operation functions is in fact modifying kernel code, and such attacks should be left to other security features (such as read-only protection). For the attack of modifying cred content, the cred structure of a process lies in a data section of the kernel; unless read-only (RO) protection is applied, no mechanism in the kernel can detect the attacker's modification of cred at the moment it happens, and the cost of protecting cred with security features such as RODATA outweighs the benefit, which is determined by the attack vectors that target cred.
The invention mainly proposes a kernel security detection scheme aimed at the attack mode of directly modifying cred content: it judges whether cred has been maliciously modified by checking the integrity of cred, and can be used to prevent an attacker from directly modifying cred content by reading and writing kernel-mode memory. Although in theory the kernel security detection scheme provided by the invention cannot completely defend against all attacks that directly modify cred (for example, an attacker reverse-engineering the cred verification algorithm and obtaining the key used for verification), it can greatly raise the attacker's difficulty and cost.
The following describes a specific implementation flow of the kernel security detection scheme of the present invention.
[Kernel security detection scheme]
FIG. 2 is a schematic flow chart diagram illustrating a kernel security detection method according to an embodiment of the present invention. The method shown in fig. 2 may be used to detect whether a process running on the Linux operating system (or another operating system similar to Linux) has been maliciously modified, that is, whether kernel privilege escalation has taken place.
Referring to fig. 2, in step S210, on a use path of the process permission credential set, the current process permission credential set is compared with a pre-stored process permission credential set.
The process permission credential set includes information related to process permissions. Taking Linux as an example, the process permission credential set may refer to the cred structure and may include, but is not limited to, a group ID (gid), a user ID (uid), an effective user ID (euid), capabilities, a security pointer, a security context, the address of the current process permission credential set (e.g. the cred address) and a boot random number.
The pre-stored process permission credential set can be regarded as the access permissions the process legitimately has. As an example of the present invention, the pre-stored process permission credential set may be a process permission credential set obtained by modifying the process permission credential set in a secure manner, for example by calling the standard interface function corresponding to the process permission credential set.
Comparing the current process permission credential set with the pre-stored process permission credential set mainly means comparing whether the two are consistent, that is, checking the integrity of the current process permission credential set.
By way of example, whether the current process permission credential set is consistent with the pre-stored process permission credential set may be determined by comparing hash values. Specifically, a hash value of the current process permission credential set may be calculated on the use path of the process permission credential set; for ease of distinction, this hash value is referred to as the first hash value. The first hash value is then compared with a second hash value, which is obtained by performing the same hash calculation on the pre-stored process permission credential set. The storage location of the second hash value may be predefined: it may be stored in the task_struct of the process, stored separately in memory and indexed by the address of the process permission credential set, or stored in trusted memory.
In step S220, whether the current process permission credential set has been maliciously modified is judged according to the comparison result.
When the current process permission credential set is consistent with the pre-stored process permission credential set, it can be considered not to have been maliciously modified; when the two are inconsistent, the current process permission credential set can be considered maliciously modified. Where the process's permissions are judged to have been maliciously modified, the process can be ended or the system crashed, so that further damage to the system by the attacker is actively prevented.
[Timing of the comparison of process permission credential sets]
The attack flow of an attacker performing kernel privilege escalation is as follows:
1. a user-mode process issues a system call to trigger the kernel vulnerability;
2. in kernel mode, the process modifies its process permission credential set;
3. the system call returns to user mode, and the current process now has root privileges;
4. operations after obtaining root privileges.
Steps 1-2 are how root privileges are obtained, step 3 is how the process returns to user mode after obtaining root privileges, and step 4 is the damage done with root privileges. If the attacker only performs steps 1-3, the attacker has in fact not harmed the system at all; at that point the attacker can be regarded as having the ability to do any harm to the system, but has not yet performed any dangerous operation.
There are many ways to carry out step 4, among them: a) obtaining a temporary shell via fork + exec (most common); b) obtaining a temporary shell via shellcode or other injected code (occasionally seen); c) performing other operations directly via shellcode or other injected code (relatively uncommon).
In a) and b) a temporary shell is eventually obtained, and given the nature of a shell, subsequent operations can hardly avoid the fork/exec system calls. The invention can therefore check in the fork/exec call whether the process permission credential set of the current process is as expected, that is, whether it is consistent with the previous process permission credential set.
Moreover, in all three attack modes a), b) and c), if the attacker wants to further harm the system, the attacker must invoke system calls again: fork/exec/open/close/read/write and similar operations all require system calls. That is, step S210 may be performed at the system call entry and/or when the fork/exec function executes, so as to detect whether the process permission credential set has been maliciously modified.
Specific application example
Taking the process permission credential set to be the cred structure as an example, the integrity of cred can be detected in the following two steps.
1) When cred is modified through a standard cred interface function, generate a hash for the new cred.
As an example, as shown in fig. 3, the fields included in the hash calculation may be the various IDs (uid/gid/euid), cap_xxx, the security pointer or context, the current cred address, and a boot random number.
2) Recalculate the hash at the system call entry and when the fork/exec function executes, and compare the recalculated hash with the original hash.
A hash produced by modification through the standard cred interface functions passes verification, whereas an attacker who modifies the cred structure directly cannot pass hash verification. The storage location of the hash can be predefined: it may be stored in the task_struct of the process, stored separately in memory and indexed by the cred address, or stored in trusted memory.
Detection at the system call entry thus ensures that, every time a system call occurs, whether the hash of the current process's cred is correct is checked first, so that a modification of cred is guaranteed to be detected within one system call period. Detection in the fork/exec function ensures that a malicious modification of cred is detected before the attacker performs most operations through a shell, or performs operations by running a new process.
In summary, based on how the process permission credential set is used in the kernel, the invention identifies a path that is difficult for an attacker to bypass after modifying the process permission credential set, and performs integrity detection on the process permission credential set on that path. For example, with passive checking at system calls and at fork/exec, the check happens later than the actual attack, but it is difficult for the attacker to bypass.
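As an added example (not code from the patent or from the Linux kernel), the following user-space C simulation walks through the two steps above: a stand-in for the standard interface path that refreshes the stored hash, and a stand-in for the syscall-entry/fork/exec check that recomputes the hash over the Fig. 3 inputs (uid/gid/euid, cap_xxx, security pointer, cred address, boot random number) and compares it. The struct layouts, the FNV-1a hash and the constant boot value are assumptions made for the simulation.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-in for the kernel's struct cred: only the fields the page
 * lists as hash inputs (uid/gid/euid, cap_xxx, security pointer). */
struct sim_cred {
    uint32_t uid, gid, euid;
    uint64_t cap_effective;   /* stand-in for the cap_xxx sets */
    void *security;           /* stand-in for the LSM security pointer */
};

/* Simplified stand-in for task_struct: the cred pointer plus the stored hash
 * (the page names task_struct as one possible storage location). */
struct sim_task {
    struct sim_cred *cred;
    uint64_t cred_hash;
};

/* Boot-time random value mixed into every hash. A constructed constant here;
 * a real kernel would draw it from the RNG once at boot. */
static const uint64_t boot_random = 0x9E3779B97F4A7C15ULL;

/* 64-bit FNV-1a over a byte range, chosen only to keep the example
 * self-contained; a keyed hash such as SipHash is the better choice. */
static uint64_t fnv1a_mix(uint64_t h, const void *p, size_t n)
{
    const uint8_t *b = (const uint8_t *)p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001B3ULL; }
    return h;
}

/* Hash over the Fig. 3 inputs: boot random, cred address, then the fields. */
static uint64_t cred_hash(const struct sim_cred *c)
{
    uint64_t h = 0xCBF29CE484222325ULL;
    uintptr_t addr = (uintptr_t)c;
    h = fnv1a_mix(h, &boot_random, sizeof boot_random);
    h = fnv1a_mix(h, &addr, sizeof addr);
    h = fnv1a_mix(h, &c->uid, sizeof c->uid);
    h = fnv1a_mix(h, &c->gid, sizeof c->gid);
    h = fnv1a_mix(h, &c->euid, sizeof c->euid);
    h = fnv1a_mix(h, &c->cap_effective, sizeof c->cap_effective);
    h = fnv1a_mix(h, &c->security, sizeof c->security);
    return h;
}

/* Step 1 of the page: the "standard interface function" path (commit_creds()
 * in Linux). Every legitimate credential change refreshes the stored hash. */
static void sim_commit_creds(struct sim_task *t, struct sim_cred *new_cred)
{
    t->cred = new_cred;
    t->cred_hash = cred_hash(new_cred);
}

/* Step 2 of the page: the check run at syscall entry and in fork/exec.
 * Returns 0 when the live cred matches the stored hash, -1 on a mismatch
 * (the page suggests ending the process or crashing the system then). */
static int sim_syscall_entry(const struct sim_task *t)
{
    return cred_hash(t->cred) == t->cred_hash ? 0 : -1;
}

/* Legitimate privilege change through the interface: the check keeps passing.
 * Each scenario returns 1 on the outcome the page predicts, 0 otherwise. */
static int scenario_interface_change(void)
{
    struct sim_cred user = { 1000, 1000, 1000, 0, NULL };
    struct sim_cred elevated = { 1000, 1000, 0, 0, NULL };
    struct sim_task t = { NULL, 0 };
    sim_commit_creds(&t, &user);
    if (sim_syscall_entry(&t) != 0) return 0;
    sim_commit_creds(&t, &elevated);       /* e.g. a setuid through the API */
    return sim_syscall_entry(&t) == 0;
}

/* Direct write into cred memory behind the interface (the data-view attack
 * described on the page): the next syscall entry sees a hash mismatch. */
static int scenario_direct_write(void)
{
    struct sim_cred user = { 1000, 1000, 1000, 0, NULL };
    struct sim_task t = { NULL, 0 };
    sim_commit_creds(&t, &user);
    user.uid = 0;                          /* written without the interface */
    return sim_syscall_entry(&t) != 0;
}

/* Swapping the cred pointer in task_struct, which the background section says
 * defeats read-only protection of cred alone: the stored hash is bound to the
 * original cred's contents and address, so the swap is caught as well. */
static int scenario_pointer_swap(void)
{
    struct sim_cred user = { 1000, 1000, 1000, 0, NULL };
    struct sim_cred root_like = { 0, 0, 0, ~0ULL, NULL };
    struct sim_task t = { NULL, 0 };
    sim_commit_creds(&t, &user);
    t.cred = &root_like;                   /* pointer changed, hash not */
    return sim_syscall_entry(&t) != 0;
}
```

Each scenario function returns 1 when the check behaves as the page describes: the interface path keeps passing, while both the direct write and the pointer swap are flagged at the next simulated system call entry.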
[Kernel security detection device]
Fig. 4 is a schematic block diagram showing the structure of a kernel security detection apparatus according to an embodiment of the present invention. The functional modules of the kernel security detection apparatus can be implemented by hardware, software, or a combination of the two that implements the principles of the present invention. Those skilled in the art will appreciate that the functional blocks described in fig. 4 may be combined or divided into sub-blocks to implement the principles of the invention described above. Thus, the description herein supports any possible combination, division, or further definition of the functional modules described herein.
The functional modules that the kernel security detection apparatus may have and the operations each functional module may perform are briefly described below; the related details can be found in the description above and are not repeated here.
Referring to fig. 4, the kernel security detection apparatus 400 includes a comparison module 410 and a judging module 420. The comparison module 410 is configured to compare the current process permission credential set with a pre-stored process permission credential set on a use path of the process permission credential set, where the process permission credential set includes information related to process permissions. The judging module 420 is configured to judge whether the current process permission credential set has been maliciously modified according to the comparison result.
Optionally, the comparison module 410 may compare the current process permission credential set with the pre-stored process permission credential set at the system call entry, and/or the comparison module 410 may compare the current process permission credential set with the pre-stored process permission credential set when the fork/exec function executes.
As one example of the present invention, the comparison module 410 includes a first calculation module and a comparison submodule (not shown in the figures). The first calculation module is configured to calculate a hash value of the current process permission credential set on the use path of the process permission credential set to obtain a first hash value, and the comparison submodule is configured to compare the first hash value with a second hash value, wherein the second hash value is obtained by performing the hash calculation on the pre-stored process permission credential set. The judging module 420 may judge that the process permission credential set has been maliciously modified if the first hash value is inconsistent with the second hash value.
As an example of the present invention, the kernel security detection apparatus 400 may further include a second calculation module (not shown in the figure). The second calculation module is configured to calculate, in response to the process permission credential set being modified in a secure manner, a hash value of the modified process permission credential set to obtain the second hash value.
In the invention, the pre-stored process permission credential set is a process permission credential set obtained by modifying the process permission credential set in a secure manner. The secure manner may be calling a standard interface function corresponding to the process permission credential set.
[Computing device]
Fig. 5 is a schematic structural diagram of a data processing computing device that can be used to implement the above-described kernel security detection method according to an embodiment of the present invention.
Referring to fig. 5, computing device 500 includes memory 510 and processor 520.
The processor 520 may be a multi-core processor or may include a plurality of processors. In some embodiments, processor 520 may include a general-purpose host processor and one or more special coprocessors such as a Graphics Processor (GPU), a Digital Signal Processor (DSP), or the like. In some embodiments, processor 520 may be implemented using custom circuitry, such as an Application Specific Integrated Circuit (ASIC) or a Field Programmable Gate Array (FPGA).
The memory 510 may include various types of storage units, such as system memory, Read Only Memory (ROM), and permanent storage. The ROM may store static data or instructions for the processor 520 or other modules of the computer. The persistent storage device may be a read-write storage device. The persistent storage may be a non-volatile storage device that does not lose stored instructions and data even after the computer is powered off. In some embodiments, the persistent storage device employs a mass storage device (e.g., magnetic or optical disk, flash memory). In other embodiments, the permanent storage may be a removable storage device (e.g., floppy disk, optical drive). The system memory may be a read-write memory device or a volatile read-write memory device, such as a dynamic random access memory. The system memory may store instructions and data that some or all of the processors require at runtime. Further, the memory 510 may include any combination of computer-readable storage media, including various types of semiconductor memory chips (DRAM, SRAM, SDRAM, flash memory, programmable read-only memory) and magnetic and/or optical disks. In some embodiments, memory 510 may include a removable storage device that is readable and/or writable, such as a Compact Disc (CD), a read-only digital versatile disc (e.g., DVD-ROM, dual-layer DVD-ROM), a read-only Blu-ray disc, an ultra-dense disc, a flash memory card (e.g., SD card, mini SD card, Micro-SD card, etc.), a magnetic floppy disk, or the like. Computer-readable storage media do not contain carrier waves or transitory electronic signals transmitted by wireless or wired means.
The memory 510 has stored thereon executable code that, when processed by the processor 520, causes the processor 520 to perform the above-mentioned kernel security detection method.
The kernel security detection method, apparatus and device according to the present invention have been described in detail above with reference to the accompanying drawings.
Furthermore, the method according to the invention may also be implemented as a computer program or computer program product comprising computer program code instructions for carrying out the above-mentioned steps defined in the above-mentioned method of the invention.
Alternatively, the invention may also be embodied as a non-transitory machine-readable storage medium (or computer-readable storage medium, or machine-readable storage medium) having stored thereon executable code (or a computer program, or computer instruction code) which, when executed by a processor of an electronic device (or computing device, server, etc.), causes the processor to perform the steps of the above-described method according to the invention.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems and methods according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Having described embodiments of the present invention, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen in order to best explain the principles of the embodiments, the practical application, or improvements made to the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (11)

1. A kernel security detection method, comprising the following steps:
on a use path of a process permission credential set, comparing the current process permission credential set with a pre-stored process permission credential set, wherein the process permission credential set comprises information related to process permission; and
determining, according to the comparison result, whether the current process permission credential set has been maliciously modified.
2. The kernel security detection method of claim 1, wherein the step of comparing the current process permission credential set with the pre-stored process permission credential set comprises:
calculating, on the use path of the process permission credential set, a hash value of the current process permission credential set to obtain a first hash value; and
comparing the first hash value with a second hash value, wherein the second hash value is obtained by performing a hash calculation on the pre-stored process permission credential set.
3. The kernel security detection method of claim 2, wherein the step of determining whether the current process permission credential set has been maliciously modified comprises:
determining that the process permission credential set has been maliciously modified when the first hash value is inconsistent with the second hash value.
4. The kernel security detection method of claim 2, further comprising:
in response to the process permission credential set being modified in a secure manner, calculating a hash value of the modified process permission credential set to obtain the second hash value.
5. The kernel security detection method according to claim 1, wherein the pre-stored process permission credential set is a process permission credential set obtained by modifying a process permission credential set in a secure manner.
6. The kernel security detection method according to claim 4 or 5, wherein the secure manner is to invoke a standard interface function corresponding to the process permission credential set.
7. The kernel security detection method of claim 1, wherein the process permission credential set comprises at least one of:
a group ID;
a user ID;
an effective user ID;
a capability;
a security pointer;
a security context;
an address of the current process permission credential set;
a startup random number.
8. The kernel security detection method of claim 1, wherein the step of comparing the current process permission credential set with the pre-stored process permission credential set on the use path of the process permission credential set comprises:
comparing the current process permission credential set with the pre-stored process permission credential set at a system call entry; and/or
comparing the current process permission credential set with the pre-stored process permission credential set when a fork/exec function is executed.
9. A kernel security detection apparatus, comprising:
a comparison module configured to compare, on a use path of a process permission credential set, the current process permission credential set with a pre-stored process permission credential set, wherein the process permission credential set comprises information related to process permission; and
a determining module configured to determine, according to the comparison result, whether the current process permission credential set has been maliciously modified.
10. A computing device, comprising:
a processor; and
a memory having executable code stored thereon, which when executed by the processor, causes the processor to perform the method of any of claims 1-8.
11. A non-transitory machine-readable storage medium having stored thereon executable code, which when executed by a processor of an electronic device, causes the processor to perform the method of any of claims 1-8.
CN201811495107.2A 2018-12-07 2018-12-07 Kernel security detection method, device, equipment and storage medium Active CN111291364B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201811495107.2A CN111291364B (en) 2018-12-07 2018-12-07 Kernel security detection method, device, equipment and storage medium
TW108130239A TW202044079A (en) 2018-12-07 2019-08-23 Kernel security check method, apparatus, and device, and storage medium
PCT/CN2019/122335 WO2020114342A1 (en) 2018-12-07 2019-12-02 Kernel security check method, apparatus, and device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811495107.2A CN111291364B (en) 2018-12-07 2018-12-07 Kernel security detection method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111291364A true CN111291364A (en) 2020-06-16
CN111291364B CN111291364B (en) 2024-03-01

Family

ID=70973579

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811495107.2A Active CN111291364B (en) 2018-12-07 2018-12-07 Kernel security detection method, device, equipment and storage medium

Country Status (3)

Country Link
CN (1) CN111291364B (en)
TW (1) TW202044079A (en)
WO (1) WO2020114342A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116796308B (en) * 2023-02-03 2024-04-12 安芯网盾(北京)科技有限公司 Method and device for detecting executable program of camouflage process based on Linux kernel

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150220455A1 (en) * 2014-02-03 2015-08-06 Samsung Electronics Co., Ltd. Methods and apparatus for protecting operating system data
CN105260653A (en) * 2015-10-20 2016-01-20 浪潮电子信息产业股份有限公司 Safe loading method and system of program on the basis of Linux
CN107908958A (en) * 2017-11-30 2018-04-13 中国人民解放军国防科技大学 SELinux security identifier tamper-proof detection method and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104517057B (en) * 2014-12-22 2017-11-21 中国人民解放军信息工程大学 Software hybrid metric method based on trust computing
CN108134676A (en) * 2017-12-19 2018-06-08 上海闻泰电子科技有限公司 Android system safe starting method and readable storage medium storing program for executing

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
周靖康: "Research on defense methods against Linux kernel privilege escalation attacks", Digital Technology and Application, no. 04, pp. 216-217 *
左玉丹: "Research on defense technology against kernel privilege escalation attacks based on SELinux", no. 04, pp. 138-247 *
左玉丹; 丁滟; 魏立峰: "Research on Linux kernel privilege escalation attacks", Computer Engineering and Science, no. 11, pp. 74-79 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112784274A (en) * 2021-03-16 2021-05-11 斑马网络技术有限公司 Linux platform based malicious sample detection and collection method and system, storage medium and equipment
CN113836510A (en) * 2021-08-13 2021-12-24 北京吉大正元信息技术有限公司 Token-based application access control method and device, equipment and storage medium thereof
CN113836510B (en) * 2021-08-13 2022-07-12 北京吉大正元信息技术有限公司 Token-based application access control method and device, equipment and storage medium thereof
CN115033889A (en) * 2022-06-22 2022-09-09 中国电信股份有限公司 Illegal copyright detection method and device, storage medium and computer equipment
CN115033889B (en) * 2022-06-22 2023-10-31 中国电信股份有限公司 Illegal right-raising detection method and device, storage medium and computer equipment
WO2024050447A1 (en) * 2022-08-31 2024-03-07 BedRock Systems, Inc. Process credential protection

Also Published As

Publication number Publication date
TW202044079A (en) 2020-12-01
CN111291364B (en) 2024-03-01
WO2020114342A1 (en) 2020-06-11

Similar Documents

Publication Publication Date Title
CN111291364B (en) Kernel security detection method, device, equipment and storage medium
CN107066311B (en) Kernel data access control method and system
US10073986B2 (en) Regulating access to and protecting portions of applications of virtual machines
EP3207485B1 (en) Code pointer authentication for hardware flow control
US10691800B2 (en) System and method for detection of malicious code in the address space of processes
US9516056B2 (en) Detecting a malware process
WO2020114262A1 (en) Kernel security detection method, apparatus, and device, and storage medium
AU2021319159B2 (en) Advanced ransomware detection
EP2891105A1 (en) Method and system for platform and user application security on a device
CN108345804B (en) Storage method and device in trusted computing environment
TWI715826B (en) Computer-implemented method and apparatus for improving security of a silicon-based system
WO2017182089A1 (en) Method for write-protecting boot code if boot sequence integrity check fails
US7243235B2 (en) Mandatory access control (MAC) method
Zaheri et al. Preventing reflective dll injection on uwp apps
KR102344966B1 (en) Apparatus and method for detecting attacks using file based deception technology
CN117708795A (en) Process right-raising detection method and device, machine-readable storage medium and computing equipment
CN116578968A (en) Method and device for providing safety protection for application program in power control system
CN116910768A (en) Attack defending method, system, device and medium
CN115618337A (en) Method, device, medium and equipment for controlling application program to access target unit
CN111382433A (en) Module loading method, device, equipment and storage medium
WO2013074071A1 (en) Regulating access to and protecting portions of applications of virtual machines
US20180114022A1 (en) Protected loading of a module

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20201125

Address after: Room 603, 6 / F, Roche Plaza, 788 Cheung Sha Wan Road, Kowloon, China

Applicant after: Zebra smart travel network (Hong Kong) Ltd.

Address before: A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands

Applicant before: Alibaba Group Holding Ltd.

GR01 Patent grant