CN111291364B - Kernel security detection method, device, equipment and storage medium - Google Patents


Publication number: CN111291364B
Authority: CN (China)
Prior art keywords: credential set, hash value, authority, stored, kernel
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CN201811495107.2A
Other languages: Chinese (zh)
Other versions: CN111291364A (en)
Inventors: 李丹, 裘绍翔, 申晨
Current assignee: Banma Zhixing Network Hongkong Co Ltd
Original assignee: Banma Zhixing Network Hongkong Co Ltd
Application filed by Banma Zhixing Network Hongkong Co Ltd; priority to CN201811495107.2A
Related family publications: CN111291364A (application publication), CN111291364B (granted patent), TW108130239A (TW202044079A), PCT/CN2019/122335 (WO2020114342A1)

Classifications (CPC)

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention provides a kernel security detection method, device, equipment and storage medium. On the use path of the process permission credential set, the current process permission credential set is compared with a pre-stored process permission credential set, where the process permission credential set comprises information related to process permissions; according to the comparison result it is judged whether the current process permission credential set has been maliciously modified. By performing integrity detection on the process permission credential set on this path, the moment of detection is delayed relative to the actual attack, but the detection is difficult for an attacker to bypass.

Description

Kernel security detection method, device, equipment and storage medium
Technical Field
The present invention relates to the field of kernel security, and in particular, to a kernel security detection method, device, apparatus, and storage medium.
Background
In recent years the Linux system has been applied ever more widely, in servers, desktops, embedded devices and other fields, and as its use spreads worldwide, its security problems attract increasing attention.
At present, an attacker mainly acquires rights higher than those granted to him by exploiting kernel vulnerabilities, and then uses those rights to further harm the system. The existing kernel protection scheme mainly divides the kernel cred structure into read-only and writable parts for protection; however, what is stored in the kernel process structure is a pointer to the cred structure rather than the structure itself, so although read-only protection is formed for the key cred data, the scheme can be bypassed by modifying the cred pointer in the process structure.
Thus, there is a need for a more efficient kernel security detection scheme.
Disclosure of Invention
An object of the present invention is to provide a more efficient kernel security detection method, apparatus, device and storage medium, so as to enhance kernel security.
According to a first aspect of the present invention, there is provided a kernel security detection method, comprising: comparing the current process authority credential set with a pre-stored process authority credential set on a use path of the process authority credential set, wherein the process authority credential set comprises information related to process authority; and judging whether the current process permission credential set is maliciously modified according to the comparison result.
Optionally, the step of comparing the current process permission credential set with the pre-stored process permission credential set comprises: on a using path of a process permission credential set, calculating a hash value of the current process permission credential set to obtain a first hash value; and comparing the first hash value with a second hash value, wherein the second hash value is obtained by carrying out hash calculation on a pre-stored process permission credential set.
Optionally, the step of determining whether the current process permission credential set is maliciously modified includes: and under the condition that the first hash value is inconsistent with the second hash value, judging that the process permission credential set is maliciously modified.
Optionally, the method further comprises: in response to modifying the process permission credential set in a secure manner, a hash value is calculated for the modified process permission credential set to obtain a second hash value.
Optionally, the pre-stored process permission credential set is a process permission credential set obtained by modifying the process permission credential set based on a secure manner.
Optionally, the secure manner is invoking a standard interface function corresponding to the set of process permission credentials.
Optionally, the process permission credential set includes at least one of: a group ID; a user ID; an effective user ID; capability; a security pointer; a security context; the address of the current process permission credential set; and a boot random number.
Optionally, the step of comparing the current process permission credential set with the pre-stored process permission credential set on the use path of the process permission credential set comprises: comparing the current process permission credential set with a pre-stored process permission credential set at the system call entry; and/or comparing the current process permission credential set with a pre-stored process permission credential set when the fork/exec function is executed.
According to a second aspect of the present invention, there is also provided a kernel security detection device, including: the comparison module is used for comparing the current process authority credential set with a pre-stored process authority credential set on a use path of the process authority credential set, wherein the process authority credential set comprises information related to process authorities; and the judging module is used for judging whether the current process permission credential set is maliciously modified according to the comparison result.
Optionally, the comparing module includes: the first calculation module is used for calculating the hash value of the current process authority credential set on the using path of the process authority credential set so as to obtain a first hash value; and the comparison sub-module is used for comparing the first hash value with a second hash value, wherein the second hash value is obtained by carrying out hash calculation on a pre-stored process permission credential set.
Optionally, the judging module judges that the process permission credential set is maliciously modified under the condition that the first hash value is inconsistent with the second hash value.
Optionally, the apparatus further comprises: and the second calculation module is used for responding to the modification of the process authority credential set in a secure mode and calculating a hash value for the modified process authority credential set so as to obtain a second hash value.
Optionally, the pre-stored process permission credential set is a process permission credential set obtained by modifying the process permission credential set based on a secure manner.
Optionally, the secure manner is invoking a standard interface function corresponding to the set of process permission credentials.
Optionally, the process permission credential set includes at least one of: a group ID; a user ID; an effective user ID; capability; a security pointer; a security context; the address of the current process permission credential set; and a boot random number.
Optionally, the comparison module compares the current process permission credential set with a pre-stored process permission credential set at the system call entry, and/or the comparison module compares the current process permission credential set with the pre-stored process permission credential set when the fork/exec function is executed.
According to a third aspect of the present invention there is also provided a computing device comprising: a processor; and a memory having executable code stored thereon which, when executed by the processor, causes the processor to perform the method as described in the first aspect of the invention.
According to a fourth aspect of the present invention there is also provided a non-transitory machine-readable storage medium having stored thereon executable code which when executed by a processor of an electronic device causes the processor to perform a method as described in the first aspect of the present invention.
Based on the situations in which the process permission credential set is used in the kernel, a path that is difficult for an attacker to bypass after modifying the process permission credential set is identified, and the integrity of the process permission credential set is detected on that path. For example, passive checks can be based on the system call and on fork/exec; the timing of the check is delayed relative to the actual attack, but the check is difficult for an attacker to bypass.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following more particular descriptions of exemplary embodiments of the disclosure as illustrated in the accompanying drawings wherein like reference numbers generally represent like parts throughout exemplary embodiments of the disclosure.
FIG. 1 shows a schematic of the kernel data structures of a process.
Fig. 2 is a schematic flow chart diagram illustrating a kernel security detection method according to an embodiment of the present invention.
Fig. 3 shows a schematic diagram of the fields included in the hash calculation.
Fig. 4 is a schematic block diagram showing the structure of a kernel security detection device according to an embodiment of the present invention.
FIG. 5 illustrates a schematic diagram of a data processing computing device that may be used to implement the kernel security detection method described above, according to one embodiment of the present invention.
Detailed Description
Preferred embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While the preferred embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
[ Terminology ]
Kernel privilege escalation: an attack method that uses a kernel vulnerability to give a process higher authority than the system assigned to it.
task_struct structure: each process has an instance of the task_struct structure in the kernel, which represents the process from the kernel's point of view.
cred structure: the kernel structure of each process holds two pointers to cred structures, which record the identity and authority of the current process as subject/object, including uid, gid, euid, capability, security context and the like.
uid is the UserId, i.e., the user ID, the unique identifier of each user.
gid is the GroupId, i.e., the group ID, the unique identifier of a user group.
euid is the effective user ID, which determines the access rights of the process to files and resources.
capability: starting from version 2.1, the Linux kernel has the concept of capabilities, which breaks up the super user / ordinary user dichotomy of UNIX/Linux operating systems, so that an ordinary user can also perform work that previously only the super user could complete.
[ scheme overview ]
Taking Linux operating system as an example, the implementation principle of the kernel security detection scheme of the present invention is described in an exemplary manner. It should be appreciated that the present invention is also applicable to other operating systems similar to the Linux operating system.
Each process in the Linux operating system has different access rights to system resources. As Linux developed, management of system permissions progressed from the original discretionary access control (DAC, including UID) to the later mandatory access control of SELinux, and the operating system provides finer-grained management and safer guarantees for the access rights of processes; all of these guarantees are based on a kernel structure named cred.
cred is a data structure that every process has, in which information related to process permissions, such as user/group information, capability information and so on, is stored. The specific definition of the cred structure is known in the art and is not described in detail here.
Each process has a kernel stack, and a process in kernel mode normally obtains its own task address via current_thread_info()->task. As shown in fig. 1, the process information (thread_info) is stored at the lowest end of the kernel stack and includes the address space limit accessible to the process (addr_limit) and the process control block (task_struct); the process permission credential set (i.e., the cred structure) can be obtained from the task_struct. As shown, the process permission credential set may include, but is not limited to, uid, gid, euid, capability, security context and the like.
Kernel privilege escalation refers to an attack method that uses a kernel vulnerability to give a process higher authority than the system assigned to it. For an attacker, kernel privilege escalation in a Linux system is generally achieved in one of the following two ways.
1) From the code perspective, modifying the cred operation functions, including but not limited to modifying the xid, cap_xxx and security/context checking functions so that security checks are bypassed.
2) From the data perspective, modifying the cred content directly, including but not limited to directly modifying the content of xid, cap_xxx and security/context.
Modifying the cred operation functions amounts to modifying kernel code, and that attack should be covered by security features such as RODATA. As for the attack of modifying the cred content, the cred structure of a process is located in the kernel's data section, and unless RO protection is applied, no mechanism in the kernel can detect the operation at the moment the attacker modifies cred; yet the cost of protecting cred with security features such as RODATA outweighs the benefit, which is determined by the attack vector against cred.
The invention mainly targets the attack mode of directly modifying the cred content, and provides a kernel security detection scheme that judges whether cred has been maliciously modified by checking the integrity of cred; it can be used to defend against an attacker directly modifying the cred content through kernel-mode memory reads and writes. Although in theory the kernel security detection scheme provided by the invention cannot completely defend against all attacks that directly modify cred (for example, an attacker reversing the cred verification algorithm, obtaining the verification key, and so on), it greatly raises the attacker's difficulty and cost.
The following describes a specific implementation flow of the kernel security detection scheme of the present invention.
[ Kernel Security detection scheme ]
Fig. 2 is a schematic flow chart illustrating a kernel security detection method according to an embodiment of the present invention. The method shown in fig. 2 may be used to detect whether a process running in a Linux operating system (or another Linux-like operating system) has been maliciously modified, i.e., whether kernel privilege escalation has occurred.
Referring to fig. 2, in step S210, a current process permission credential set is compared with a pre-stored process permission credential set on a use path of the process permission credential set.
The process permission credential set includes information related to process permissions. Taking the Linux operating system as an example, the process permission credential set may refer to the cred structure and may include, but is not limited to, a group ID (gid), a user ID (uid), an effective user ID (euid), capability, a security pointer, a security context, the address of the current process permission credential set (e.g., the cred address), and a boot random number (boot random).
The data in the pre-stored process permission credential set may be regarded as the access rights the process has under normal conditions. As an example of the present invention, the pre-stored process permission credential set may be one obtained by modifying the process permission credential set in a secure manner, for example by invoking a standard interface function corresponding to the process permission credential set.
When the current process permission credential set is compared with the pre-stored one, what is compared is mainly whether the two are consistent, i.e., an integrity comparison is performed on the current process permission credential set.
As an example, it may be determined whether the current process permission credential set is consistent with the pre-stored process permission credential set by comparing hash values. Specifically, the hash value of the current process permission credential set may be calculated on the usage path of the process permission credential set, and for convenience of distinction, the obtained hash value may be referred to as a first hash value. The first hash value may then be compared to a second hash value obtained by performing the same hash calculation on a pre-stored set of process permission credentials. The storage location of the second hash value may be predefined, for example, may be stored in a task_struct structure of the process, or may be stored separately in a memory, and indexed according to the process permission credential set address, or may also be stored in a trusted memory.
In step S220, it is determined whether the current process permission credential set is maliciously modified according to the comparison result.
If the current process permission credential set is consistent with the pre-stored process permission credential set, it can be considered not to have been maliciously modified; if the two are inconsistent, the current process permission credential set can be considered to have been maliciously modified. Where the permissions of the process are judged to have been maliciously modified, the process can be terminated or the system made to crash, to actively prevent further damage to the system by the attacker.
[ Timing of the process permission credential set comparison ]
The attack flow of kernel privilege escalation by an attacker is generally as follows:
1. a user-mode process triggers a kernel vulnerability through a system call;
2. the process modifies the process permission credential set in kernel mode;
3. the system call returns to user mode, and the current process now holds root authority;
4. operations are performed with the root authority.
Steps 1-2 are how root authority is acquired, step 3 is how to return to user mode after acquiring it, and step 4 is the damage done with it. If the attacker performs only steps 1-3, the attacker has in fact done no damage to the system; at this point the attacker can be considered to have the ability to harm the system, but has not performed any dangerous operation.
There are many ways to implement step 4, the common ones being: a) obtaining a temporary shell through fork+exec (most common); b) obtaining a temporary shell through shellcode/subsequent code (seen occasionally); c) performing other operations directly through shellcode/subsequent code (relatively rare).
In a and b a temporary shell is finally obtained, and given the nature of a shell, the subsequent operations can hardly avoid executing a fork/exec system call. The invention therefore proposes that whether the permission credential set of the current process meets expectations, i.e., whether it matches the previous process permission credential set, can be checked in the fork/exec call.
In addition, in all three attack modes a, b and c, an attacker who wants to do further harm to the system must issue system calls again; for example, operations such as fork/exec/open/close/read/write all require system calls. The invention therefore proposes checking at the system call entry whether the permission credential set of the current process meets expectations, ensuring that the attacker cannot harm the system even after obtaining root authority. That is, step S210 may be performed at the system call entry, and/or step S210 may be performed when the fork/exec function executes, to detect whether the process permission credential set has been maliciously modified.
[ Specific application example ]
Taking the process permission credential set as the cred structure as an example, detection of cred integrity can be divided into the following two steps.
1) A hash is generated for the new cred whenever cred is modified through the standard cred interface functions.
As an example, as shown in fig. 3, the fields included in the hash calculation may include the various ids such as uid/gid/euid, cap_xxx, the security pointer or context, the current cred address, and a boot random number (boot random).
2) The hash is recalculated at the system call entry and when the fork/exec function executes, and compared with the original hash.
A cred modified through the standard cred interface functions passes the hash verification, whereas an attacker who directly modifies the cred structure cannot pass it. The storage location of the hash can be predefined: for example, it may be stored in the task_struct of the process, stored separately in memory and indexed by the cred address, or stored in trusted memory.
Detection at the system call entry thus ensures that on every system call the hash of the current process's cred is checked, so that a modification of cred is detected within one system call period. Detection in the fork/exec function ensures that a malicious modification of cred is detected before the attacker performs most operations through a shell or by running a new process.
In summary, based on the situations in which the process permission credential set is used in the kernel, the invention identifies a path that is difficult for an attacker to bypass after modifying the process permission credential set, and performs integrity detection on the process permission credential set on that path. For example, passive checks can be based on the system call and on fork/exec; the timing of the check is delayed relative to the actual attack, but the check is difficult for an attacker to bypass.
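The two steps above (hash on the standard-interface path, recheck at system call entry and fork/exec) together with the attack flow of the previous section, as an added user-space model in C; this is example code written for this page, not the patent's or any kernel's implementation. The FNV-1a hash, the struct layout, the boot_random constant and every function name are assumptions, since the patent does not specify the hash or the kernel hooks.

```c
/* Added example, not the patent's code: user-space model of the cred
 * integrity check. Hash (FNV-1a), struct layout, boot_random value and
 * all function names are constructed assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

typedef struct cred {
    uint32_t uid, gid, euid;
    uint64_t cap_effective;   /* stand-in for the kernel's cap_xxx sets */
    const void *security;     /* security pointer / security context */
} cred_t;

typedef struct task {
    cred_t *cred;             /* like task_struct->cred */
    uint64_t stored_hash;     /* the "second hash", kept in task_struct */
} task_t;

/* Constructed per-boot secret (the "boot random" field of Fig. 3). */
static const uint64_t boot_random = 0x5eed0f00dc0ffee1ULL;

static uint64_t fnv1a(uint64_t h, const void *p, size_t n) {
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Hash over the fields of Fig. 3: ids, caps, security pointer, the cred's
 * own address and the boot random number. Binding the address means that
 * repointing task->cred at another cred also changes the hash. */
uint64_t cred_hash(const cred_t *c) {
    uint64_t h = 0xcbf29ce484222325ULL;
    uintptr_t self = (uintptr_t)c;
    h = fnv1a(h, &c->uid, sizeof c->uid);
    h = fnv1a(h, &c->gid, sizeof c->gid);
    h = fnv1a(h, &c->euid, sizeof c->euid);
    h = fnv1a(h, &c->cap_effective, sizeof c->cap_effective);
    h = fnv1a(h, &c->security, sizeof c->security);
    h = fnv1a(h, &self, sizeof self);
    h = fnv1a(h, &boot_random, sizeof boot_random);
    return h;
}

/* Step 1: the standard interface path (modelled on commit_creds()).
 * Installing a cred here refreshes the stored hash, so legitimate
 * changes such as a real setuid() keep passing the check. */
void commit_creds_checked(task_t *t, cred_t *newc) {
    t->cred = newc;
    t->stored_hash = cred_hash(newc);
}

/* Step 2: the check run at system call entry and in fork/exec.
 * Returns 1 if the cred still matches, 0 if it changed any other way. */
int cred_integrity_ok(const task_t *t) {
    return cred_hash(t->cred) == t->stored_hash;
}

/* Reaction on failure: refuse the call; a kernel would kill the task
 * (or panic, which the patent also allows). */
int syscall_entry(task_t *t) {
    if (!cred_integrity_ok(t)) {
        fprintf(stderr, "cred tampering detected, task would be killed\n");
        return -1;
    }
    return 0;
}

/* The attack the scheme targets: a write straight into cred memory,
 * bypassing every interface function (here euid set to 0). */
void tamper_euid_directly(task_t *t) { t->cred->euid = 0; }

/* The bypass named in the Background: leave the original cred untouched
 * and repoint task->cred at a copy the attacker controls. */
void swap_cred_pointer(task_t *t, cred_t *copy) {
    *copy = *t->cred;
    t->cred = copy;
}

/* Runs the scenarios and returns a bitmask: bit0 = fresh commit passes,
 * bit1 = direct write detected, bit2 = second legitimate commit passes,
 * bit3 = pointer swap detected. All four set (15) is the expected result. */
int run_scenarios(void) {
    cred_t user = { 1000, 1000, 1000, 0, NULL };
    cred_t fresh = user;      /* untampered copy, committed later via the interface */
    cred_t copy;
    task_t t;
    int r = 0;
    commit_creds_checked(&t, &user);
    if (syscall_entry(&t) == 0) r |= 1;
    tamper_euid_directly(&t);
    if (syscall_entry(&t) == -1) r |= 2;
    commit_creds_checked(&t, &fresh);
    if (syscall_entry(&t) == 0) r |= 4;
    swap_cred_pointer(&t, &copy);
    if (syscall_entry(&t) == -1) r |= 8;
    return r;
}

int main(void) {
    printf("scenario mask = %d (15 = every case behaved as expected)\n", run_scenarios());
    return 0;
}
```

The pointer-swap case shows why the cred address is part of the hash: the copy has identical ids, yet the check still fails because the hash was bound to the original object's address.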
[ Kernel security detection device ]
Fig. 4 is a schematic block diagram showing the structure of a kernel security detection device according to an embodiment of the present invention. The functional modules of the kernel security detection device may be implemented by hardware, software, or a combination of hardware and software that implements the principles of the present invention. Those skilled in the art will appreciate that the functional modules depicted in fig. 4 may be combined or divided into sub-modules to implement the principles of the invention described above. Accordingly, the description herein may support any possible combination, or division, or even further definition of the functional modules described herein.
The functional modules that the kernel security detection device may have and the operations that each functional module may perform are briefly described, and the details related to these functional modules may be referred to the above description, which is not repeated here.
Referring to fig. 4, the kernel security detection device 400 includes a comparison module 410 and a determination module 420. The comparison module 410 is configured to compare, on a usage path of the process permission credential set, the current process permission credential set with a pre-stored process permission credential set, where the process permission credential set includes information related to process permissions. The judging module 420 is configured to judge whether the current process permission credential set is maliciously modified according to the comparison result.
Optionally, the comparison module 410 may compare the current process permission credential set with the pre-stored process permission credential set at the system call entry, and/or the comparison module 410 may compare the current process permission credential set with the pre-stored process permission credential set when the fork/exec function is executed.
As an example of the present invention, the comparison module 410 includes a first calculation module and a comparison sub-module (not shown in the figures). The first calculation module is used for calculating the hash value of the current process authority credential set on the using path of the process authority credential set to obtain a first hash value, and the comparison sub-module is used for comparing the first hash value with a second hash value, wherein the second hash value is obtained by carrying out hash calculation on the pre-stored process authority credential set. The determining module 420 may determine that the process permission credential set is maliciously modified if the first hash value is inconsistent with the second hash value.
As an example of the present invention, the kernel security detection device 400 may further include a second computing module (not shown). The second calculating module is used for responding to the modification of the process authority credential set in a secure mode and calculating a hash value for the modified process authority credential set so as to obtain a second hash value.
In the invention, the pre-stored process permission credential set is a process permission credential set obtained beforehand by modifying the process permission credential set in a secure manner. The secure manner may be invoking a standard interface function corresponding to the process permission credential set.
[ computing device ]
FIG. 5 illustrates a schematic diagram of a data processing computing device that may be used to implement the kernel security detection method described above, according to one embodiment of the present invention.
Referring to fig. 5, a computing device 500 includes a memory 510 and a processor 520.
Processor 520 may be a multi-core processor or may include multiple processors. In some embodiments, processor 520 may comprise a general-purpose host processor and one or more special coprocessors such as, for example, a graphics processor (GPU), a digital signal processor (DSP), etc. In some embodiments, processor 520 may be implemented using custom circuitry, for example an application-specific integrated circuit (ASIC) or a field-programmable gate array (FPGA).
Memory 510 may include various types of storage units, such as system memory, read-only memory (ROM), and persistent storage. The ROM may store static data or instructions that are required by the processor 520 or other modules of the computer. The persistent storage may be a readable and writable storage. The persistent storage may be a non-volatile memory device that does not lose stored instructions and data even after the computer is powered down. In some embodiments, the persistent storage device employs a mass storage device (e.g., magnetic or optical disk, flash memory) as the persistent storage device. In other embodiments, the persistent storage may be a removable storage device (e.g., diskette, optical drive). The system memory may be a read-write memory device or a volatile read-write memory device, such as dynamic random access memory. The system memory may store instructions and data that are required by some or all of the processors at runtime. Furthermore, memory 510 may include any combination of computer-readable storage media, including various types of semiconductor memory chips (DRAM, SRAM, SDRAM, flash memory, programmable read-only memory), magnetic disks, and/or optical disks. In some embodiments, memory 510 may include a readable and/or writable removable storage device such as a compact disc (CD), a read-only digital versatile disc (e.g., DVD-ROM, dual-layer DVD-ROM), a read-only Blu-ray disc, an ultra-dense disc, a flash memory card (e.g., SD card, mini SD card, micro-SD card, etc.), a magnetic floppy disk, and the like. The computer-readable storage medium does not contain a carrier wave or a transient electronic signal transmitted by wireless or wired transmission.
The memory 510 has stored thereon executable code that, when processed by the processor 520, causes the processor 520 to perform the kernel security detection method described above.
The kernel security detection method, apparatus and device according to the present invention have been described in detail above with reference to the accompanying drawings.
Furthermore, the method according to the invention may also be implemented as a computer program or computer program product comprising computer program code instructions for performing the steps defined in the above-mentioned method of the invention.
Alternatively, the invention may also be embodied as a non-transitory machine-readable storage medium (or computer-readable storage medium, or machine-readable storage medium) having stored thereon executable code (or a computer program, or computer instruction code) which, when executed by a processor of an electronic device (or computing device, server, etc.), causes the processor to perform the steps of the above-described method according to the invention.
Those of skill in the art would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems and methods according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The foregoing description of embodiments of the invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the various embodiments described. The terminology used herein was chosen in order to best explain the principles of the embodiments, the practical application, or the improvement of technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (8)

1. A kernel security detection method, comprising:
comparing a current process authority credential set with a pre-stored process authority credential set when a system call entry and/or a fork/exec function is executed, wherein the pre-stored process authority credential set is the process authority credential set obtained after a modification made through a call to the standard interface function corresponding to the process authority credential set, and the process authority credential set comprises information related to process authorities; and
judging, according to the comparison result, whether the current process authority credential set has been maliciously modified.
2. The kernel security detection method of claim 1, wherein the step of comparing the current process authority credential set with the pre-stored process authority credential set comprises:
calculating a hash value of the current process authority credential set to obtain a first hash value; and
comparing the first hash value with a second hash value, wherein the second hash value is obtained by performing a hash calculation on the pre-stored process authority credential set.
3. The kernel security detection method of claim 2, wherein the step of judging whether the current process authority credential set has been maliciously modified comprises:
judging that the process authority credential set has been maliciously modified when the first hash value does not match the second hash value.
4. The kernel security detection method of claim 2, further comprising:
in response to the process authority credential set being modified in a secure manner, calculating a hash value of the modified process authority credential set to obtain the second hash value.
5. The kernel security detection method of claim 1, wherein the process authority credential set comprises at least one of:
a group ID;
a user ID;
an effective user ID;
a capability;
a security pointer;
a security context;
the address of the current process authority credential set;
a boot-time random number.
6. A kernel security detection device, comprising:
a comparison module, configured to compare a current process authority credential set with a pre-stored process authority credential set when a system call entry and/or a fork/exec function is executed, wherein the pre-stored process authority credential set is the process authority credential set obtained after a modification made through a call to the standard interface function corresponding to the process authority credential set, and the process authority credential set comprises information related to process authorities; and
a judging module, configured to judge, according to the comparison result, whether the current process authority credential set has been maliciously modified.
7. A computing device, comprising:
a processor; and
a memory having executable code stored thereon, which when executed by the processor causes the processor to perform the method of any of claims 1-5.
8. A non-transitory machine-readable storage medium having stored thereon executable code, which when executed by a processor of an electronic device, causes the processor to perform the method of any of claims 1 to 5.
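The check of claims 1 to 5, as an added user-space model that is neither the patent's code nor any kernel's: the credential fields of claim 5 are hashed field by field together with the set's own address and a boot-time random number, the reference ("second") hash is refreshed only through a stand-in for the standard interface (commit_creds is the Linux counterpart; the names and field layout here are assumed), and the check run at system call entry flags a write that bypassed that interface or a credential set swapped for one at another address.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Minimal user-space model of a process authority credential set with the
 * fields of claim 5; constructed for illustration, not the patent's code. */
struct cred_set {
    uint32_t uid, gid, euid;   /* user ID, group ID, effective user ID */
    uint64_t cap;              /* capability bitmap */
    const void *security;      /* security pointer (LSM blob) */
    uint32_t sid;              /* security context identifier */
};
/* Boot-time random number: drawn once from the kernel RNG on a real system,
 * fixed here so the example is deterministic. */
static const uint64_t boot_nonce = 0x9e3779b97f4a7c15ULL;
/* The "second hash value": refreshed only by the standard interface (claim 4). */
static uint64_t stored_hash;

/* FNV-1a over one field; hashing field by field skips struct padding bytes. */
static uint64_t fnv_mix(uint64_t h, const void *p, size_t n) {
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Hash of the credential set, its own address and the boot nonce: a set swapped
 * for one at another address, or a hash replayed from an earlier boot, no longer matches. */
uint64_t cred_hash(const struct cred_set *c) {
    uint64_t h = 0xcbf29ce484222325ULL;
    uintptr_t addr = (uintptr_t)c;
    h = fnv_mix(h, &c->uid, sizeof c->uid);
    h = fnv_mix(h, &c->gid, sizeof c->gid);
    h = fnv_mix(h, &c->euid, sizeof c->euid);
    h = fnv_mix(h, &c->cap, sizeof c->cap);
    h = fnv_mix(h, &c->security, sizeof c->security);
    h = fnv_mix(h, &c->sid, sizeof c->sid);
    h = fnv_mix(h, &addr, sizeof addr);
    return fnv_mix(h, &boot_nonce, sizeof boot_nonce);
}
/* Stand-in for the standard interface (commit_creds in Linux): applies the
 * change and re-records the reference hash. */
void commit_cred_set(struct cred_set *c, const struct cred_set *new_vals) {
    *c = *new_vals;
    stored_hash = cred_hash(c);
}
/* Check run at system call entry and fork/exec (claims 1-3): true when the
 * live credential set no longer matches the stored hash. */
bool cred_set_tampered(const struct cred_set *c) {
    return cred_hash(c) != stored_hash;
}
```

A legitimate privilege change goes through commit_cred_set and passes the next check; a direct field write, or a copy of the set at a different address, does not.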
CN201811495107.2A 2018-12-07 2018-12-07 Kernel security detection method, device, equipment and storage medium Active CN111291364B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201811495107.2A CN111291364B (en) 2018-12-07 2018-12-07 Kernel security detection method, device, equipment and storage medium
TW108130239A TW202044079A (en) 2018-12-07 2019-08-23 Kernel security check method, apparatus, and device, and storage medium
PCT/CN2019/122335 WO2020114342A1 (en) 2018-12-07 2019-12-02 Kernel security check method, apparatus, and device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811495107.2A CN111291364B (en) 2018-12-07 2018-12-07 Kernel security detection method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111291364A CN111291364A (en) 2020-06-16
CN111291364B true CN111291364B (en) 2024-03-01

Family

ID=70973579

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811495107.2A Active CN111291364B (en) 2018-12-07 2018-12-07 Kernel security detection method, device, equipment and storage medium

Country Status (3)

Country Link
CN (1) CN111291364B (en)
TW (1) TW202044079A (en)
WO (1) WO2020114342A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112784274A (en) * 2021-03-16 2021-05-11 斑马网络技术有限公司 Linux platform based malicious sample detection and collection method and system, storage medium and equipment
CN113836510B (en) * 2021-08-13 2022-07-12 北京吉大正元信息技术有限公司 Token-based application access control method and device, equipment and storage medium thereof
CN115033889B (en) * 2022-06-22 2023-10-31 中国电信股份有限公司 Illegal right-raising detection method and device, storage medium and computer equipment
US20240070260A1 (en) * 2022-08-31 2024-02-29 BedRock Systems, Inc. Process Credential Protection
CN116796308B (en) * 2023-02-03 2024-04-12 安芯网盾(北京)科技有限公司 Method and device for detecting executable program of camouflage process based on Linux kernel

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105260653A (en) * 2015-10-20 2016-01-20 浪潮电子信息产业股份有限公司 Safe loading method and system of program on the basis of Linux
CN107908958A (en) * 2017-11-30 2018-04-13 中国人民解放军国防科技大学 SELinux security identifier tamper-proof detection method and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9772953B2 (en) * 2014-02-03 2017-09-26 Samsung Electronics Co., Ltd. Methods and apparatus for protecting operating system data
CN104517057B (en) * 2014-12-22 2017-11-21 中国人民解放军信息工程大学 Software hybrid metric method based on trust computing
CN108134676A (en) * 2017-12-19 2018-06-08 上海闻泰电子科技有限公司 Android system safe starting method and readable storage medium storing program for executing

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Research on Linux kernel privilege escalation attacks; 左玉丹; 丁滟; 魏立峰; Computer Engineering and Science (No. 11); 74-79 *
左玉丹. Research on defense technology against kernel privilege escalation attacks based on SELinux. China Master's Theses Full-text Database, Information Science and Technology, 2018, (No. 04), pp. I138-247. *
Research on defense methods against Linux kernel privilege escalation attacks; 周靖康; Digital Technology and Application (No. 04); 216-217 *

Also Published As

Publication number Publication date
CN111291364A (en) 2020-06-16
WO2020114342A1 (en) 2020-06-11
TW202044079A (en) 2020-12-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20201125

Address after: Room 603, 6 / F, Roche Plaza, 788 Cheung Sha Wan Road, Kowloon, China

Applicant after: Zebra smart travel network (Hong Kong) Ltd.

Address before: Fourth Floor, Capital Building, P.O. Box 847, Grand Cayman, British Cayman Islands

Applicant before: Alibaba Group Holding Ltd.

GR01 Patent grant