CN112115477B - Kernel repairing method and device, electronic equipment and storage medium - Google Patents
Kernel repairing method and device, electronic equipment and storage medium Download PDFInfo
- Publication number
- CN112115477B CN112115477B CN202010824141.0A CN202010824141A CN112115477B CN 112115477 B CN112115477 B CN 112115477B CN 202010824141 A CN202010824141 A CN 202010824141A CN 112115477 B CN112115477 B CN 112115477B
- Authority
- CN
- China
- Prior art keywords
- kernel
- target
- function call
- call graph
- patch
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/572—Secure firmware programming, e.g. of basic input output system [BIOS]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
Abstract
The invention discloses a kernel repairing method, a kernel repairing device, electronic equipment and a storage medium, which are used for a server and a terminal, wherein the kernel repairing method for the server comprises the following steps: acquiring basic information sent by a terminal, and constructing a first kernel file and a second kernel file according to the basic information; extracting to obtain a target patch function according to the first kernel file and the second kernel file; preprocessing the target patch function to generate a target patching text; and sending the target patching text to a terminal. By the kernel repairing method, the reliability and effectiveness of kernel repairing can be enhanced, and the real-time repairing performance is improved.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a kernel repair method and apparatus, an electronic device, and a storage medium.
Background
With the development of the information field, software services are increasingly complex and heterogeneous, resulting in more and more frequent application of patches. The existing real-time patch mechanisms such as Kpatch, kGraft and the like really realize the restoration of the specified kernel function without interrupting the software execution. The main idea is to intercept the execution instruction and replace the patch function in the memory by tracking the target function.
In order to ensure consistency between the system and the software execution state, the existing real-time patching program needs to save and restore the current system execution state, and the operation introduces a large amount of storage and calculation overhead. The existing real-time patch repairing technology is based on normal kernel function to repair, if the kernel is in a damaged or attacked state, all real-time patch schemes have the risk of being damaged; in addition, the existing real-time patch repair scheme needs kernel authority to track and intercept system kernel instructions, and self bugs with complex self codes introduce more kernel security problems.
Disclosure of Invention
The present invention is directed to solving at least one of the problems of the prior art. Therefore, the embodiment of the invention provides a kernel repairing method which can enhance the reliability and effectiveness of kernel repairing and improve the real-time repairing performance.
The embodiment of the invention also provides another kernel repairing method.
The embodiment of the invention also provides another kernel repairing method.
The embodiment of the invention also provides a kernel repairing device.
The embodiment of the invention also provides another kernel repairing device.
The embodiment of the invention also provides the electronic equipment.
The embodiment of the invention also provides a computer readable storage medium.
The kernel repair method according to the embodiment of the first aspect of the invention is used for a server and comprises the following steps:
acquiring basic information sent by a terminal, and constructing a first kernel file and a second kernel file according to the basic information;
extracting to obtain a target patch function according to the first kernel file and the second kernel file;
preprocessing the target patch function to generate a target patching text;
and sending the target patching text to a terminal.
The kernel repair method according to the embodiment of the first aspect of the present invention has at least the following beneficial effects: firstly, a first kernel file and a second kernel file can be constructed and obtained according to basic information sent by a terminal, and then a target patch function is extracted and obtained according to the first kernel file and the second kernel file; thirdly, preprocessing the target patch function to generate a target patching text; and finally, the target repairing text is sent to the terminal, so that the reliability and effectiveness of kernel repairing can be enhanced, and the real-time repairing performance is improved.
According to some embodiments of the present invention, obtaining the target patch function according to the first kernel file and the second kernel file comprises: creating a first function call graph and a second function call graph based on the first kernel file; creating a third function call graph and a fourth function call graph based on the second kernel file; comparing the first function call graph with the second function call graph to obtain a first comparison result, and comparing the third function call graph with the fourth function call graph to obtain a second comparison result; and extracting a target patch function according to the first comparison result and the second comparison result.
According to some embodiments of the present invention, the preprocessing the target patch function to generate a target patching text includes: obtaining a symmetric key; and encrypting the target patch function according to the symmetric key to obtain a target patching text.
The kernel repair method according to the second aspect of the embodiment of the invention is used for a terminal and comprises the following steps:
acquiring basic information of an operating system, and sending the basic information to a server;
acquiring a target patching text sent by the server, and processing the target patching text to obtain a target patch;
and performing kernel repair according to the target patch.
The kernel repairing method according to the embodiment of the second aspect of the invention has at least the following beneficial effects: firstly, acquiring basic information of an operating system, and sending the basic information to a server; secondly, acquiring a target patching text sent by the server, and processing the target patching text to obtain a target patch; and finally, kernel repair is carried out according to the target patch, so that real-time patch repair of the damaged kernel can be supported, the storage overhead is reduced, and the consistency of the operating system and the software execution state can be ensured.
According to some embodiments of the present invention, the obtaining the target patch according to the target patch text processing includes: verifying the integrity of the target repairing text to obtain a first verification result; simplifying the branch instruction in the target patching text to obtain a simplified processing result; supplementing the identification information of the target repairing text to obtain a supplementing result; and carrying out encryption processing according to the first verification result, the simplification processing result and the supplement result to obtain a target patch.
According to some embodiments of the invention, the performing kernel repair according to the target patch comprises: verifying the integrity of the target patch to obtain a second verification result; writing out the target patch according to the second verification result, and acquiring a patching instruction; and repairing the kernel according to the repairing instruction.
The kernel repair method according to the third aspect of the present invention is applied to a server and a terminal, and includes:
the server executes the kernel repairing method of the first aspect of the present invention, and the terminal executes the kernel repairing method of the second aspect of the present invention.
The kernel repair method according to the embodiment of the third aspect of the invention has at least the following beneficial effects: the kernel repairing method of the first aspect of the present invention is executed by a server, and the kernel repairing method of the second aspect of the present invention is executed by a terminal, so that the real-time patching performance can be improved, the storage overhead can be reduced, and the patch privacy can be protected.
The kernel repair apparatus according to the fourth aspect of the present invention includes:
the acquisition module is used for acquiring basic information sent by a terminal and constructing a first kernel file and a second kernel file according to the basic information;
the extraction module is used for extracting a target patch function according to the first kernel file and the second kernel file;
the first processing module is used for preprocessing the target patch function to generate a target patching text;
and the first sending module is used for sending the target patching text to a terminal.
The kernel repair device according to the fourth aspect of the present invention has at least the following advantages: by executing the kernel repairing method of the first aspect of the present invention, the reliability and effectiveness of kernel repairing can be enhanced, and the real-time repairing performance can be improved.
The kernel repair apparatus according to the fifth aspect of the present invention includes:
the second sending module is used for acquiring basic information of the operating system and sending the basic information to the server;
the second processing module is used for acquiring a target patching text sent by the server and processing the target patching text to obtain a target patch;
and the repairing module is used for repairing the kernel according to the target patch.
The kernel repair device according to the embodiment of the fifth aspect of the invention has at least the following advantages: by executing the kernel repairing method of the second aspect of the present invention, the damaged kernel can be supported to perform real-time patch repair, the storage overhead is reduced, and the consistency of the operating system and the software execution state can be ensured.
An electronic device according to an embodiment of the sixth aspect of the invention includes: at least one processor, and a memory communicatively coupled to the at least one processor; the memory stores instructions, and the instructions are executed by the at least one processor, so that the at least one processor, when executing the instructions, implements the kernel repair method according to the embodiment of the first aspect and/or the embodiment of the second aspect of the present invention and/or the embodiment of the third aspect of the present invention.
The kernel repair electronic device according to the embodiment of the sixth aspect of the invention has at least the following beneficial effects: by executing the kernel repair method according to the embodiment of the first aspect of the present invention and/or the embodiment of the second aspect of the present invention and/or the embodiment of the third aspect of the present invention, the real-time patching performance can be improved, the storage overhead can be reduced, and the patch privacy can be protected.
According to a seventh aspect of the present invention, there is provided a computer-readable storage medium, which stores computer-executable instructions for causing a computer to execute the kernel repair method according to the first aspect of the present invention and/or the second aspect of the present invention and/or the third aspect of the present invention.
The computer-readable storage medium according to the seventh embodiment of the present invention has at least the following advantages: by executing the kernel repair method according to the embodiment of the first aspect of the present invention and/or the embodiment of the second aspect of the present invention and/or the embodiment of the third aspect of the present invention, the real-time patching performance can be improved, the storage overhead can be reduced, and the patch privacy can be protected.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The above and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a flowchart illustrating a kernel repair method according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a kernel repair method according to another embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a kernel repair apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a kernel repair apparatus according to another embodiment of the present invention;
FIG. 5 is a functional block diagram of an electronic device according to an embodiment of the invention.
Reference numerals are as follows:
the system comprises an acquisition module 300, an extraction module 310, a first processing module 320, a first sending module 330, a second sending module 400, a second processing module 410, a repair module 420, a processor 500, a memory 510, a data transmission module 520, a camera 530 and a display screen 540.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention, and are not to be construed as limiting the present invention.
In the description of the present invention, unless otherwise explicitly limited, terms such as arrangement, installation, connection and the like should be understood in a broad sense, and those skilled in the art can reasonably determine the specific meanings of the above terms in the present invention in combination with the specific contents of the technical solutions.
Referring to fig. 1, a kernel repair method according to an embodiment of the first aspect of the present invention includes:
step S100, acquiring basic information sent by the terminal, and constructing a first kernel file and a second kernel file according to the basic information.
Wherein, the basic information can be information about an operating system of the terminal; the first kernel file can be a pre-repair original code file constructed based on the basic information; the second kernel file may be a repaired code file constructed based on the basic information. Alternatively, the server may be a remote patch server, and the basic information may include a kernel version of the operating system, a compilation flag of the configuration, and the like, which are sufficient to reconstruct the binary image, and the basic information may be prepared by the terminal and then may be sent to the server. Optionally, the server may construct the first kernel file and the second kernel file according to the received basic information, for example, the server may construct the first kernel file and the second kernel file using the same compiling information as the basic information.
Step S110, a target patch function is obtained according to the first kernel file and the second kernel file.
The target patch function may be a patch repair function that needs to be obtained. Optionally, the target patch function may be obtained by comparing the first kernel file with the second kernel file and extracting. For example, corresponding function call graphs are respectively generated according to the first kernel file and the second kernel file, and the target patch function can be extracted by comparing the obtained function call graphs.
Step S120, the target patch function is preprocessed to generate a target patching text.
Wherein, the target patching text can be the initial binary patch obtained after processing. Optionally, before the kernel of the operating system of the terminal repairs the kernel by using the obtained patch code, the patch code needs to be subjected to necessary preprocessing, that is, a target patch function is preprocessed, so as to obtain a preliminary trusted real-time patching program, that is, a target patching text is obtained. The target patch function can be preprocessed at the server to obtain a primary trusted real-time patching program, and then a target patching text is obtained.
Step S220, sending the target patching text to the terminal.
Optionally, after the server performs preprocessing to obtain a preliminary trusted implementation patching program and a target patching text, the target patching text may be sent to the terminal, so that the terminal may perform kernel patching of the operating system according to the target patching text. The target fix-up text may be sent to the terminal by encrypted data transmission.
According to the kernel repairing method, firstly, a first kernel file and a second kernel file can be constructed and obtained according to basic information sent by a terminal, and secondly, a target patch function is extracted and obtained according to the first kernel file and the second kernel file; thirdly, the target patch function can be preprocessed to generate a target patching text; and finally, the target repairing text is sent to the terminal, so that the reliability and effectiveness of kernel repairing can be enhanced, and the real-time repairing performance is improved.
In some embodiments of the present invention, obtaining the target patch function according to the first kernel file and the second kernel file includes:
a first function call graph and a second function call graph are created based on a first kernel file. The first function call graph may be a code-level function call graph of an original code created based on a first kernel file before compiling, that is, a function call graph corresponding to a source code before patch patching; the second function call graph may be a binary function call graph obtained after compiling an original code created based on the first kernel file, that is, a function call graph corresponding to the binary file before patching. Optionally, in order to read the first kernel file, an existing algorithm and technology may be used in combination, for example, a codeviz tool is used, and a function call graph before the original code is compiled is constructed according to the first kernel file, that is, the first function call graph is obtained; for example, an IDA Pro (Interactive Disassembler Professional) is used to create a binary function call graph after the original code is compiled according to the first kernel file. Thereby, a first function call graph and a second function call graph can be obtained.
A third function call graph and a fourth function call graph are created based on the second kernel file. The third function call graph may be a code-level function call graph of the patch repaired code created based on the second kernel file before compiling, that is, a function call graph corresponding to the source code after patch repairing; the fourth function call graph may be a compiled binary function call graph of the code after patch repair, which is created based on the second kernel file, that is, a function call graph corresponding to the binary file after patch repair. Optionally, for reading the second kernel file, a codeviz tool may be used to construct a third function call graph according to the second kernel file; the fourth function call graph may be constructed from the second kernel file using IDA Pro, whereby the third function call graph and the fourth function call graph may be obtained.
And comparing the first function call graph with the second function call graph to obtain a first comparison result, and comparing the third function call graph with the fourth function call graph to obtain a second comparison result. Wherein the first comparison result may be indicative of a difference between the first function call graph and the second function call graph; the second alignment result may represent a difference between the third function call graph and the fourth function call graph. Optionally, some compiler optimizations may be illustrated by differences between the source code level function call graph and the binary function call graph, so that the first function call graph and the second function call graph may be compared, and the third function call graph and the fourth function call graph may be compared, respectively, whereby the first comparison result and the second comparison result may be obtained.
And extracting the target patch function according to the first comparison result and the second comparison result. Optionally, the obtained first comparison result and the second comparison result may include an inline function that is particularly common in an operating system kernel, so that the inline function may be extracted according to the first comparison result and the second comparison result, that is, the target patch function is obtained. For example, a first function call graph may be compared to a second function call graph, a third function call graph may be compared to a fourth function call graph, and in particular, the relevant portions of the binary kernel image may be aligned and identified using existing binary signature matching methods, such as iBinHunt and FIBER, and the included functions may be identified iteratively through an algorithm until no new included functions can be added. For ease of discussion and evaluation, the resulting contained functions can be divided into three broad categories (increasing the difficulty of support by kernel real-time patching), for example, into a Type1 function, a Type2 function, and a Type3 function, where the Type1 function does not involve inlining, the Type2 function does involve inlining, and the Type3 function modifies global or shared variables. The function of Type1 and Type2 can be considered as the target patch function, and the Type3 function needs to determine the target patch function according to the variable modification condition: in the Type3 function, global or shared variables that change in the patch (such variables may be deleted, added, or modified) may be considered, and if the size of the variable is not modified, the patch code is not affected. And only part of the Type3 function can be extracted to be used as a target patch function for patch repair. And then, the first function call graph and the second function call graph are compared, and the third function call graph and the fourth function call graph are compared respectively, so that a target patch function can be extracted and obtained, and the high-efficiency target patch function can be obtained.
In some embodiments of the present invention, preprocessing the target patch function to generate a target fix-up text, includes:
a symmetric key is obtained. The symmetric key may be a shared key generated by the server and the terminal through interaction with a shared memory, and the same key is used by both the server and the terminal for encrypting and decrypting a plaintext when the server and the terminal send and receive data. The shared memory may be a reserved memory in an operating system, such as a shared memory of two trusted execution environments, an Intel SGX and an Intel SMM, on the operating system. Optionally, the target patch function may be preprocessed at the server to obtain a preliminary trusted real-time patch. Thus, a symmetric key, i.e., a deffei-Hellman key, may be obtained, which may be used to encrypt the transmission target patch text.
And encrypting the target patch function according to the symmetric key to obtain a target patching text. Optionally, the target patch function may be encrypted according to the symmetric key to obtain a preliminary trusted real-time patch program, that is, the target patch text is obtained. The target patch function can be encrypted through the acquired symmetric key to obtain a primary trusted binary patch, namely a target patching text, and a trusted patch patching execution environment can be constructed primarily, so that interference or attack to the patching process from the kernel can be avoided.
Referring to fig. 2, a kernel repair method according to a second aspect of the present invention is applied to a terminal, and includes:
and step S200, acquiring basic information of the operating system and sending the basic information to the server.
The basic information of the operating system may be information of the terminal about the operating system, such as kernel version, configuration, and compilation flag sufficient to reconstruct the binary image. Optionally, the information about the kernel of the current operating system may be securely collected when the terminal system is started, that is, the basic information may be obtained, and then the collected basic information may be sent to the remote patch server, so that the remote patch server may construct the first kernel file and the second kernel file using the same compiling information according to the basic information.
Step S210, obtaining a target patching text sent by the server, and processing the target patching text to obtain a target patch.
The target patch may be a binary patch for kernel repair that can correctly perform repair. Optionally, in order to avoid the problem that the function size may be changed and kernel consistency may be caused by directly using the target patching text for real-time patching, a server may obtain a preliminary binary patch, that is, obtain the target patching text, and may send the target patching text to an Intel SGX enclave of the terminal operating system for further processing into a binary patch that can be correctly executed, so as to obtain the target patch.
And step S220, performing kernel repair according to the target patch.
Optionally, after the target patch is obtained through processing, a binary patch that can be executed correctly is obtained, and since the binary patch is encrypted, kernel repair can be performed according to the target patch while ensuring security. For example, the SGX enclave of the terminal receives the processed binary patch (i.e., the target patch), prepares a repair function, may add an external message field to the target patch to ensure that the System processing program can correctly process the target patch, and places the processed target patch in an executable memory space, i.e., in a shared memory (a reserved memory in the operating System), so that the operating System may call the target patch to perform kernel repair, for example, the target patch is obtained by the SMM processing program by reading the shared memory to perform kernel repair.
In some specific embodiments, in order to ensure that the running state of the system does not change when the kernel is repaired, the current execution program of the system may be suspended and the state may be saved by using hardware characteristics, and the system state may be automatically restored after the kernel is repaired, so as to ensure the consistency of the system execution. For example, the state of the runtime process is saved by the SMM system, which is restored after the SMM completes the patch, i.e., the SMM hardware ensures that the latest runtime state and register values are saved to the protected memory SMRAM area. By using SMM to natively store the runtime state of the operating system, thereby reducing external storage overhead and improving real-time patching performance, faster recovery is supported without the need for external checking and recovery.
The kernel repairing method comprises the steps of firstly, obtaining basic information of an operating system, and sending the basic information to a server; secondly, acquiring a target patching text sent by the server, and processing the target patching text to obtain a target patch; and finally, kernel repair is carried out according to the target patch, so that real-time patch repair of the damaged kernel can be supported, the storage overhead is reduced, and the consistency of the operating system and the software execution state can be ensured.
In some embodiments of the present invention, obtaining the target patch according to the target fix-up text processing includes:
and verifying the integrity of the target patching text to obtain a first verification result. The first verification result may be a result of verifying whether the target inpainting text is complete, for example, a result of verifying that the target inpainting text is complete. Optionally, the integrity of the target patching text received from the server may be detected, so as to ensure the security of the target patching text, for example, a first verification result that the target patching text is complete may be obtained.
And simplifying the branch instruction in the target patching text to obtain a simplified processing result. The simplified processing result can simplify the result of the reset calculation of the branch instruction jump offset in the target patching text. Optionally, a branch instruction in the target patching text may be identified, and the reset calculation of the branch instruction jump offset may be simplified to obtain a simplified processing result, for example, a result of completing the simplified processing.
And supplementing the identification information of the target patching text to obtain a supplementing result. The identification information may be information for identifying the target patching text, and the supplement result may be a result of completing supplementing the identification information for the target patching text. Optionally, in order to obtain an executable target patch, the target patch is conveniently identified and correctly implemented in the operating system, and the identification information of the target patch text may be supplemented, for example, a standard patch message may be generated, and the identification information of the version, the type, the hash value, and the like of the target patch text may be supplemented, so as to obtain a completed result.
And carrying out encryption processing according to the first verification result, the simplified processing result and the supplement result to obtain the target patch. Optionally, after the target patching text is processed, the integrity verification, the reset calculation of the branch instruction jump offset in the simplified target patching text, and the identification information of the target patching text are completed, and then the encrypted target patch can be obtained according to the obtained first verification result, the simplified processing result, and the supplement result.
In some specific embodiments, the target patch obtained through encryption processing may be transferred to a shared memory area reserved by the operating system, so that the operating system may call the target patch through the shared memory to perform kernel repair. For example, the shared memory can be obtained by: firstly, configuring a boot loader (for example, GRUB. GNU GRUB, a grind Unified Bootloader, abbreviated as "GRUB", which is a multi-operating system boot program from GNU project) to reserve a proper kernel memory allocation space in an operating system (assuming that the prototype is implemented as 18 MB); second, a page attribute opcode may be added to the paging _ init function to provide appropriate access restrictions for the shared memory. The target patch may be stored in the shared memory by: assume that the shared memory includes three logical portions: mem _ RW, mem _ W, and mem _ X. Where mem _ RW is a read/write area for symmetric key exchange, assuming that the symmetric key exchange is performed using Diffie-Hellman key exchange algorithm; the larger region mem _ W is a write-only region for storing encrypted target fix-up text, and untrusted applications write data from the SGX enclave to mem _ W, but untrusted applications cannot decrypt the output data; the larger mem _ X area can only be executed for storing the decrypted target patch as the kernel text of the local operating system. To maintain integrity, read-write access to the kernel text may be prohibited. In addition, the existing SMM-based runtime check system may also be used to further ensure the integrity of the region, so that control mechanism access rights are limited to the local operating system kernel.
By the method, the target patching text can be processed on the premise of ensuring the integrity and the safety of the target patching text to obtain the target patch, so that the interference or attack of the kernel to kernel repair caused by network transmission errors is prevented; and the target patch is stored in the shared memory, and the target patch can be stored in the trusted execution environment, so that the efficient and safe target patch can be provided.
In some embodiments of the invention, performing kernel repair based on a target patch comprises:
and verifying the integrity of the target patch to obtain a second verification result. The second verification result may be a result of verifying the integrity of the target patch when the target patch is called for kernel repair. Optionally, to prevent a network transmission error, integrity verification may be performed on the target patch, for example, an external message field may be added to the target patch to ensure that the SMM handler can correctly process the target patch, and the processed target patch is placed in a correct memory location and alignment manner, and then the integrity of the target patch is verified to obtain a second verification result after the integrity verification is completed.
And writing out the target patch according to the second verification result, and acquiring a patching instruction. Wherein the patch instruction may be an instruction that triggers kernel patching. For example, the target patch may be written out as an executable memory block, and this memory block may be packed with external header information; the written data can then be encrypted at the SGX enclave, and the encrypted data can then be transferred to the mem _ W segment; finally, the SMI may be triggered to transfer control to the SMM-based real-time patching component while getting the patching instructions.
And performing kernel repair according to the repair instruction. Optionally, when the system receives the repair instruction, the system may switch to the system management mode to perform kernel repair. Meanwhile, the SMM hardware can store the latest running state and register value in a protected memory SMRAM area, namely, the current execution program of the system is paused and the state is stored by using the hardware characteristic, and the system state is automatically restored after the kernel is repaired, so that the consistency of system execution is ensured. And performing integrity verification and writing according to the target patch, and triggering kernel repair according to the obtained repair instruction, so that the kernel can be repaired reliably and correctly even if damaged, the minimum downtime of kernel repair can be realized, and the reliability and consistency of repair are improved.
The kernel repair method provided by the embodiment of the third aspect of the invention is used for a server and a terminal, and comprises the following steps:
the server executes the kernel repair method according to the embodiment of the first aspect of the present invention; correspondingly, the terminal executes the kernel repair method according to the embodiment of the second aspect of the present invention.
According to the kernel repairing method, the server executes the kernel repairing method disclosed by the embodiment of the invention, and the terminal executes the kernel repairing method disclosed by the embodiment of the invention, so that the real-time repairing performance can be improved, the storage expense can be reduced, and the patch privacy can be protected.
Referring to fig. 3, a kernel repair apparatus according to a fourth aspect of the present invention includes:
an obtaining module 300, configured to obtain basic information sent by a terminal, and construct a first kernel file and a second kernel file according to the basic information;
an extracting module 310, configured to extract a target patch function according to the first kernel file and the second kernel file;
the first processing module 320 is configured to preprocess the target patch function to generate a target patch text;
a first sending module 330, configured to send the target fix-up text to the terminal.
By executing the kernel repairing method of the first aspect of the present invention, the kernel repairing apparatus can enhance the reliability and effectiveness of kernel repair and improve the real-time repair performance.
Referring to fig. 4, a kernel repair apparatus according to an embodiment of a fifth aspect of the present invention includes:
a second sending module 400, configured to obtain basic information of the operating system, and send the basic information to the server;
the second processing module 410 is configured to obtain a target patching text sent by the server, and process the target patching text to obtain a target patch;
and the repair module 420 is configured to perform kernel repair according to the target patch.
By executing the kernel repairing method of the second aspect of the present invention, the kernel repairing apparatus can support the damaged kernel to perform patch repair in real time, reduce storage overhead, and ensure consistency of the operating system and the software execution state.
Referring to fig. 5, an embodiment of the sixth aspect of the present invention further provides an internal structure diagram of a kernel repair electronic device, including: at least one processor 500, and a memory 510 communicatively coupled to the at least one processor 500; and the system also comprises a data transmission module 520, a camera 530 and a display 540.
The processor 500 is configured to execute the kernel repair method according to the first aspect embodiment and/or the second aspect embodiment and/or the third aspect embodiment by calling a computer program stored in the memory 510.
The memory, as a non-transitory storage medium, may be used to store a non-transitory software program and a non-transitory computer-executable program, such as the kernel repair method in the embodiment of the first aspect and/or the embodiment of the second aspect and/or the embodiment of the third aspect of the present invention. The processor implements the kernel repair method in the first aspect embodiment and/or the second aspect embodiment and/or the third aspect embodiment by executing the non-transitory software program and the instructions stored in the memory.
The memory may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store and execute the kernel repair method in the embodiment of the first aspect and/or the embodiment of the second aspect and/or the embodiment of the third aspect. Further, the memory may include high speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory located remotely from the processor, and these remote memories may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The non-transitory software programs and instructions required to implement the kernel repair method in the first aspect embodiment and/or the second aspect embodiment and/or the third aspect embodiment described above are stored in a memory, and when executed by one or more processors, perform the kernel repair method in the first aspect embodiment and/or the second aspect embodiment and/or the third aspect embodiment described above.
An embodiment of the seventh aspect of the present invention further provides a computer-readable storage medium storing computer-executable instructions for: the kernel repair method in the first aspect embodiment and/or the second aspect embodiment and/or the third aspect embodiment is/are executed.
In some embodiments, the storage medium stores computer-executable instructions, which are executed by one or more control processors, for example, by one of the electronic devices of the sixth aspect, and may cause the one or more processors to execute the kernel repair method of the first aspect, the second aspect, and/or the third aspect.
The embodiments of the present invention have been described in detail with reference to the accompanying drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.
One of ordinary skill in the art will appreciate that all or some of the steps, systems, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an illustrative embodiment," "an example," "a specific example," or "some examples" or the like mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the invention have been shown and described, it will be understood by those of ordinary skill in the art that: various changes, modifications, substitutions and alterations can be made to the embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.
Claims (7)
1. The kernel repair method is used for a server, and is characterized by comprising the following steps:
acquiring basic information sent by a terminal, and constructing a first kernel file and a second kernel file according to the basic information;
extracting a target patch function according to the first kernel file and the second kernel file;
preprocessing the target patch function to generate a target patching text;
sending the target patching text to a terminal;
the extracting the target patch function according to the first kernel file and the second kernel file includes:
creating a first function call graph and a second function call graph based on the first kernel file; the first kernel file is a repaired original code file constructed based on the basic information; the first function call graph is a code-level function call graph of an original code before compiling, which is created based on the first kernel file, namely a function call graph corresponding to a source code before patch patching; the second function call graph is a binary function call graph obtained after compiling an original code created based on the first kernel file, namely, a function call graph corresponding to the binary file before patch repair;
creating a third function call graph and a fourth function call graph based on the second kernel file; the second kernel file is a repaired code file constructed based on the basic information; the third function call graph is a code-level function call graph of the code before compiling, which is created based on the second kernel file and is used for repairing the patch, namely the function call graph corresponding to the source code after the patch is repaired; the fourth function call graph is a compiled binary function call graph of the code after patch repair, which is created based on the second kernel file, namely the function call graph corresponding to the binary file after patch repair;
comparing the first function call graph with the second function call graph to obtain a first comparison result, and comparing the third function call graph with the fourth function call graph to obtain a second comparison result;
and extracting a target patch function according to the first comparison result and the second comparison result.
2. The method of claim 1, wherein preprocessing the target patch function to generate a target fix-up text comprises:
obtaining a symmetric key;
and encrypting the target patch function according to the symmetric key to obtain a target patching text.
3. The kernel repair method is used for a terminal, and is characterized by comprising the following steps:
acquiring basic information of an operating system, and sending the basic information to a server;
acquiring a target patching text sent by the server, and processing the target patching text to obtain a target patch;
performing kernel repair according to the target patch;
the processing according to the target patching text to obtain the target patch comprises the following steps:
verifying the integrity of the target repairing text to obtain a first verification result;
simplifying the branch instruction in the target patching text to obtain a simplified processing result;
supplementing the identification information of the target repairing text to obtain a supplementing result;
carrying out encryption processing according to the first verification result, the simplification processing result and the supplement result to obtain a target patch;
performing kernel repair according to the target patch, including:
verifying the integrity of the target patch to obtain a second verification result;
writing out the target patch according to the second verification result, and acquiring a patching instruction;
and repairing the kernel according to the repairing instruction.
4. A kernel repair device, comprising:
the acquisition module is used for acquiring basic information sent by a terminal and constructing a first kernel file and a second kernel file according to the basic information;
the extraction module is used for extracting a target patch function according to the first kernel file and the second kernel file; the extracting the target patch function according to the first kernel file and the second kernel file includes:
creating a first function call graph and a second function call graph based on the first kernel file; the first kernel file is a repaired original code file constructed based on the basic information; the first function call graph is a code-level function call graph of an original code before compiling, which is created based on the first kernel file, namely a function call graph corresponding to a source code before patch patching; the second function call graph is a binary function call graph obtained after compiling an original code created based on the first kernel file, namely the function call graph corresponding to the binary file before patch repair;
creating a third function call graph and a fourth function call graph based on the second kernel file; the second kernel file is a repaired code file constructed based on the basic information; the third function call graph is a code-level function call graph of the code before compiling, which is created based on the second kernel file and is used for repairing the patch, namely the function call graph corresponding to the source code after the patch is repaired; the fourth function call graph is a compiled binary function call graph of the code after patch repair, which is created based on the second kernel file, namely the function call graph corresponding to the binary file after patch repair;
comparing the first function call graph with the second function call graph to obtain a first comparison result, and comparing the third function call graph with the fourth function call graph to obtain a second comparison result;
extracting a target patch function according to the first comparison result and the second comparison result;
the first processing module is used for preprocessing the target patch function to generate a target patching text;
and the first sending module is used for sending the target patching text to a terminal.
5. A kernel repair device, comprising:
the second sending module is used for obtaining basic information of the operating system and sending the basic information to the server;
the second processing module is used for acquiring a target patching text sent by the server and processing the target patching text to obtain a target patch; the processing the target patching text to obtain the target patch comprises the following steps:
verifying the integrity of the target repairing text to obtain a first verification result;
simplifying the branch instruction in the target patching text to obtain a simplified processing result;
supplementing the identification information of the target repairing text to obtain a supplementing result;
carrying out encryption processing according to the first verification result, the simplification processing result and the supplement result to obtain a target patch;
the repairing module is used for repairing the kernel according to the target patch; performing kernel repair according to the target patch, including:
verifying the integrity of the target patch to obtain a second verification result;
writing out the target patch according to the second verification result, and acquiring a patching instruction;
and repairing the kernel according to the repairing instruction.
6. Electronic device, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing, when executing the program:
a kernel repair method as claimed in any one of claims 1 to 3.
7. A computer-readable storage medium having stored thereon computer-executable instructions for:
performing the kernel repair method of any of claims 1 to 3.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010824141.0A CN112115477B (en) | 2020-08-17 | 2020-08-17 | Kernel repairing method and device, electronic equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010824141.0A CN112115477B (en) | 2020-08-17 | 2020-08-17 | Kernel repairing method and device, electronic equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112115477A CN112115477A (en) | 2020-12-22 |
| CN112115477B true CN112115477B (en) | 2022-06-21 |
Family
ID=73804690
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010824141.0A Active CN112115477B (en) | 2020-08-17 | 2020-08-17 | Kernel repairing method and device, electronic equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112115477B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113221123B (en) * | 2021-05-24 | 2024-06-04 | 南京统信软件技术有限公司 | Method for combining kernel branches into patches and computing equipment |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103197942B (en) * | 2013-03-18 | 2016-03-02 | 华为技术有限公司 | A kind of generation method of patch, the method for patch installing and device |
| CN106055979B (en) * | 2016-05-24 | 2019-04-09 | 百度在线网络技术(北京)有限公司 | Kernel restorative procedure and device |
| CN106598667B (en) * | 2016-12-12 | 2018-07-27 | 百度在线网络技术(北京)有限公司 | Method and apparatus for repairing kernel loophole |
| CN106775732B (en) * | 2016-12-23 | 2019-02-12 | 优刻得科技股份有限公司 | A kind of hot patch loading method and device |
| CN109472148B (en) * | 2018-11-15 | 2021-04-02 | 百度在线网络技术(北京)有限公司 | Method, device and storage medium for loading hot patch |
-
2020
- 2020-08-17 CN CN202010824141.0A patent/CN112115477B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN112115477A (en) | 2020-12-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108399339B (en) | Trusted starting method based on security chip | |
| US8510596B1 (en) | System and methods for run time detection and correction of memory corruption | |
| CN110990084B (en) | Chip secure starting method and device, storage medium and terminal | |
| TWI436229B (en) | System and method for providing a secure boot architecture | |
| US9652755B2 (en) | Method and system for securely updating field upgradeable units | |
| US20140250290A1 (en) | Method for Software Anti-Rollback Recovery | |
| US20160110545A1 (en) | Code pointer authentication for hardware flow control | |
| JP6585072B2 (en) | Safe reading of data into non-volatile memory or secure elements | |
| US10142109B2 (en) | Instantiating containers | |
| CN102880828B (en) | Intrusion detection and recovery system aiming at virtualization support environment | |
| CN105205401A (en) | Trusted computer system based on safe password chip and trusted guiding method thereof | |
| JP6385842B2 (en) | Information processing terminal, information processing method, and information processing system | |
| CN105579955A (en) | Application control flow models | |
| CN111201553B (en) | Safety element and related equipment | |
| JP2010182196A (en) | Information processing apparatus and file verification system | |
| CN104461594A (en) | Updating method and device of embedded operating system | |
| CN115062307B (en) | Open POWER-based program integrity checking method, system, terminal and storage medium | |
| CN112115477B (en) | Kernel repairing method and device, electronic equipment and storage medium | |
| US20230342476A1 (en) | Bootloaders | |
| US20210234686A1 (en) | Information processing device, information processing method, and storage medium | |
| CN116340956B (en) | Trusted protection optimization method and device for electric embedded terminal equipment | |
| CN108958761A (en) | A kind of processing method and processing device of device program | |
| CN115422554B (en) | Request processing method, compiling method and trusted computing system | |
| US20200244461A1 (en) | Data Processing Method and Apparatus | |
| JP2009169868A (en) | Storage area access device and method for accessing storage area |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |