CN112487413A - Linux-based white list program control system and method - Google Patents



Publication number
CN112487413A
Authority
CN
China
Prior art keywords
executable program
library file
dynamic library
white list
program
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011447624.XA
Other languages
Chinese (zh)
Inventor
王晓娜
张松鸽
杨猛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING CS&S HUA-TECH INFORMATION TECHNOLOGY CO LTD
Original Assignee
BEIJING CS&S HUA-TECH INFORMATION TECHNOLOGY CO LTD
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2020-12-11
Filing date
2020-12-11
Publication date
2021-03-12
Application filed by BEIJING CS&S HUA-TECH INFORMATION TECHNOLOGY CO LTD

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Abstract

The invention discloses a Linux-based white list program control system and method. The system comprises a software application layer, a system security kernel and a database. The software application layer scans the executable programs and dynamic library files in the controlled system and writes their original hash values into the database; the database stores the original hash values; the system security kernel intercepts every execution or loading operation of an executable program or dynamic library file in the controlled system, computes the hash value of the file at interception time, compares it with the original hash value and the current hash value held in the white list policy library, and blocks the execution or loading of any executable program or dynamic library file that is not authorised or does not match. The method solves the problem that the prelink mechanism of Linux, which rewrites executables and shared libraries on disk so that they load faster, changes the hash values of certain executable programs and files and so breaks a hash-based white list.

Description

Linux-based white list program control system and method
Technical Field
The invention relates to the field of internet information processing, and in particular to a Linux-based white list program control system and method.
Background
In recent years computer technology has matured and reached into every aspect of daily life and work, so the information security of computers receives ever more attention. Many protection techniques exist for computer systems, and white list protection is among the most widely used.
On the one hand, the technique effectively resists malicious software and targeted attacks: unknown programs and files are prevented from running and are denied privileges. On the other hand, white listing can improve user efficiency and keep the system running at its best performance, and it gives full visibility of the applications, tools and processes running on the system.
A white list can also help resist advanced memory-injection attacks: the technique verifies every approved process running in memory and ensures that these processes are not modified at runtime, thereby defending against advanced memory exploits.
Disclosure of Invention
To address the defects in the prior art, the Linux-based white list program control system and method solve the problem that the prelink pre-linking mechanism of Linux modifies the hash values of certain executable programs and files when it prepares shared libraries for loading.
To achieve this, the invention adopts the following technical scheme. A Linux-based white list program control system comprises a software application layer, a system security kernel and a database:
the software application layer scans the executable programs and dynamic library files in the controlled system and writes their original hash values into the database;
the database stores the original hash values;
the system security kernel intercepts every execution or loading operation of an executable program or dynamic library file in the controlled system, computes the hash value of the file being executed or loaded at interception time, compares that hash value with the original hash value and the current hash value held for the same file in the white list policy library, and blocks the execution or loading of any executable program or dynamic library file that is not authorised or does not match expectations, thereby completing the Linux white list program control.
A control method based on the Linux white list program control system comprises the following steps:
S1, install a client in the controlled system; once the client has established a connection to the control centre on the server, the control centre issues a control instruction that enables the client's white list;
S2, after the client receives the instruction enabling its white list, it builds the white list policy library;
S3, through the software application layer, monitor the optimisation behaviour of prelink and the results of analysing its logs, so as to learn in real time which dynamic library files and executable programs prelink has optimised;
S4, compute the hash values of the optimised dynamic library files and executable programs, record them as optimised hash values, and store them in the database as the current hash values of those files;
S5, through the system security kernel, intercept every execution or loading operation of an executable program or dynamic library file in the controlled system, compute the hash value of the file being executed or loaded, and record it as the captured hash value;
S6, determine whether the captured hash value equals either the original hash value or the current hash value stored in the white list policy library for the same file; if it does, allow the execution or loading operation, otherwise refuse it. Either outcome completes the Linux white list program control.
Further, step S2 specifically comprises:
S21, after the client receives the control instruction enabling its white list, invoke the prelink undo function to restore every dynamic library file and executable program that prelink has optimised, yielding the original dynamic library files and original executable programs;
S22, after the client has undone prelinking, automatically scan the original executable programs and original dynamic library files through the software application layer, record the original hash values obtained during the scan in the database, and so establish the white list policy library.
In summary, the beneficial effects of the invention are as follows:
1. A user or an enterprise can define its own white list control policy according to its actual requirements, achieving an integrated 'monitor, defend, alarm, audit, trace' mechanism from terminal to server.
2. The invention obtains and records the hash values of executable programs and files by a full-disk scan of the system and builds the white list policy library from them, giving comprehensive active defence that integrates monitoring, defence and alarming, with flexible deployment and simple operation.
3. The invention invokes the prelink undo function before the white list policy library is built and the system is scanned, so that the hashes of files and executable programs recorded in the library are not the ones altered by prelink, and the affected dynamic library files and executable programs are restored.
4. When a dynamic library file optimised by prelink is loaded, the security kernel intercepts the loading request and compares the hash value of the intercepted file with both the original value and the current value in the policy library; if either matches, execution is allowed. The benefits of prelink pre-linking are thereby retained.
Drawings
Fig. 1 is a flowchart of a control method based on a Linux white list program control system.
Detailed Description
The following description of embodiments is provided to help those skilled in the art understand the invention. The invention is not limited to the scope of these embodiments; changes that do not depart from the spirit and scope of the invention as defined in the appended claims will be apparent to those skilled in the art, and everything produced using the inventive concept is protected.
The Linux-based white list program control system adopts a conventional client/server (C/S) model. A client is installed on the terminal system and maintains a long-lived heartbeat connection to a control centre deployed on a remote server; the control centre issues a policy to the client to enable the white list control and enforcement function of the user's terminal system.
A Linux-based white list program control system comprises a software application layer, a system security kernel and a database:
the software application layer scans the executable programs and dynamic library files in the controlled system and writes their original hash values into the database;
the database stores the original hash values;
the system security kernel intercepts every execution or loading operation of an executable program or dynamic library file in the controlled system, computes the hash value of the file being executed or loaded at interception time, compares that hash value with the original hash value and the current hash value held for the same file in the white list policy library, and blocks the execution or loading of any executable program or dynamic library file that is not authorised or does not match expectations, thereby completing the Linux white list program control.
As shown in Fig. 1, a control method based on the Linux white list program control system comprises the following steps:
S1, install a client in the controlled system; once the client has established a connection to the control centre on the server, the control centre issues a control instruction that enables the client's white list;
S2, after the client receives the instruction enabling its white list, it builds the white list policy library;
Further, step S2 specifically comprises:
S21, after the client receives the control instruction enabling its white list, invoke the prelink undo function to restore every dynamic library file and executable program that prelink has optimised, yielding the original dynamic library files and original executable programs, so that the subsequent scan obtains the original hash value of each affected file;
S22, after the client has undone prelinking, the original executable programs and original dynamic library files are automatically scanned through the software application layer, the original hash values obtained during the scan are recorded in the database, and the white list policy library is established. Because prelinking has been undone, the hash value of every dynamic library file and executable program seen during the scan is necessarily that file's original hash value.
S3, through the software application layer, monitor the optimisation behaviour of prelink and the results of analysing its logs, so as to learn in real time which dynamic library files and executable programs prelink has optimised;
S4, compute the hash values of the optimised dynamic library files and executable programs, record them as optimised hash values, and store them in the database as the current hash values of those files;
when the same dynamic library file or executable program is optimised several times, only the original hash value and the most recent current hash value are retained;
S5, through the system security kernel, intercept every execution or loading operation of an executable program or dynamic library file in the controlled system, compute the hash value of the file being executed or loaded, and record it as the captured hash value;
S6, determine whether the captured hash value equals either the original hash value or the current hash value stored in the white list policy library for the same file; if it does, allow the execution or loading operation, otherwise refuse it. Either outcome completes the Linux white list program control.
In a Linux system, prelink speeds up the loading of shared libraries by replacing run-time linking with pre-linking: it rewrites executables and shared libraries on disk with precomputed load addresses and resolved relocations, which shortens program loading time, reduces some memory overhead, shortens system start-up and accelerates application start-up. However, every time a shared library is updated, the executables that depend on it must be prelinked again to remain valid, so the addresses written into the new shared library and the contents of the program files, and hence their hash values, are likely to change. The invention therefore invokes the prelink undo function before the white list policy library is built and the system is scanned; on the one hand this ensures that the recorded hashes of files and executable programs are not the ones modified by prelink, and it restores the affected dynamic library files.
On the other hand, when a dynamic library file optimised by prelink is loaded, the security kernel intercepts the loading request and compares the hash value of the intercepted file with both the original value and the current value in the policy library; execution is allowed as long as one of the two matches. The benefits of prelink pre-linking are thereby retained.
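The procedure of steps S1 to S6 above, together with the rule that only the original hash and the most recent current hash are kept, as an added example in Python that is not part of the patent and not the applicant's code. The kernel-side interception of step S5 is replaced by a direct call to decide(), the database by an in-memory dictionary, and the hash algorithm, which the patent does not name, by SHA-256; the path names and the byte strings standing in for ELF files are constructed for the example.

```python
"""Added example, not the patent's code.

Models the white list policy library of the patent: one original hash per
file (taken after prelinking was undone, steps S21/S22), at most one current
hash learned from prelink's optimisation activity (steps S3/S4), and the
allow/deny decision of steps S5/S6. The kernel interception and the database
are replaced by a function call and an in-memory dict, and SHA-256 stands in
for the unnamed hash algorithm; all three are assumptions made for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


def file_hash(data: bytes) -> str:
    """Hash of a file's bytes; SHA-256 is an assumption, the patent names no algorithm."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class PolicyEntry:
    original: str            # hash of the un-prelinked file (S22)
    current: Optional[str]   # hash after the latest prelink run (S4); None if never prelinked


class WhitelistPolicy:
    """In-memory stand-in for the patent's white list policy library (assumption)."""

    def __init__(self) -> None:
        self.entries: Dict[str, PolicyEntry] = {}

    def baseline(self, path: str, restored_content: bytes) -> None:
        """S21/S22: record the original hash of a file after prelinking was undone."""
        self.entries[path] = PolicyEntry(original=file_hash(restored_content), current=None)

    def record_prelink(self, path: str, prelinked_content: bytes) -> bool:
        """S3/S4: prelink rewrote the file; overwrite so only the latest current hash is kept.

        Returns False, and records nothing, for a path that was never baselined, so a
        spoofed prelink event cannot introduce an unknown file into the white list.
        """
        entry = self.entries.get(path)
        if entry is None:
            return False
        entry.current = file_hash(prelinked_content)
        return True

    def decide(self, path: str, loaded_content: bytes) -> bool:
        """S5/S6: allow iff the captured hash equals the original or the current hash."""
        entry = self.entries.get(path)
        if entry is None:
            return False
        captured = file_hash(loaded_content)
        return captured == entry.original or captured == entry.current


def demo() -> Dict[str, bool]:
    """Walk one library through baseline, two prelink runs and several load attempts."""
    # Constructed sample contents standing in for ELF bytes; not real files.
    lib = "/usr/lib/libfoo.so"
    restored = b"ELF libfoo.so restored by prelink -u"
    prelinked_v1 = b"ELF libfoo.so prelinked, base 0x7f0000000000"
    prelinked_v2 = b"ELF libfoo.so prelinked again, base 0x7f0000400000"
    trojaned = b"ELF libfoo.so patched by an attacker"

    policy = WhitelistPolicy()
    policy.baseline(lib, restored)             # S22: original hash
    policy.record_prelink(lib, prelinked_v1)   # S4: first optimisation
    policy.record_prelink(lib, prelinked_v2)   # S4 again: v1's hash is discarded

    return {
        "restored_allowed": policy.decide(lib, restored),              # original hash matches
        "latest_prelink_allowed": policy.decide(lib, prelinked_v2),    # current hash matches
        "stale_prelink_allowed": policy.decide(lib, prelinked_v1),     # only the latest current hash is kept
        "trojaned_allowed": policy.decide(lib, trojaned),              # neither hash matches
        "unknown_file_allowed": policy.decide("/tmp/dropper", b"ELF dropper"),  # never baselined
        "spoofed_prelink_recorded": policy.record_prelink("/tmp/dropper", b"ELF dropper"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

Two points a practitioner should take from the model. Accepting either of two hashes per file doubles the set of file contents the policy admits, so the integrity of the channel that reports prelink activity (step S3) matters as much as the baseline scan; the block therefore refuses to learn a current hash for any path that was never baselined. And the decision compares the bytes of the file as it is executed or loaded, which is what the patent's security kernel does; modifications made to a process after it has been loaded are outside what this comparison can observe.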

Claims (3)

1. A Linux-based white list program control system, comprising a software application layer, a system security kernel and a database, wherein:
the software application layer scans the executable programs and dynamic library files in the controlled system and writes their original hash values into the database;
the database stores the original hash values;
the system security kernel intercepts every execution or loading operation of an executable program or dynamic library file in the controlled system, computes the hash value of the file being executed or loaded at interception time, compares that hash value with the original hash value and the current hash value held for the same file in the white list policy library, and blocks the execution or loading of any executable program or dynamic library file that is not authorised or does not match expectations, thereby completing the Linux white list program control.
2. A control method for the Linux-based white list program control system of claim 1, comprising the following steps:
S1, install a client in the controlled system; once the client has established a connection to the control centre on the server, the control centre issues a control instruction that enables the client's white list;
S2, after the client receives the instruction enabling its white list, it builds the white list policy library;
S3, through the software application layer, monitor the optimisation behaviour of prelink and the results of analysing its logs, so as to learn in real time which dynamic library files and executable programs prelink has optimised;
S4, compute the hash values of the optimised dynamic library files and executable programs, record them as optimised hash values, and store them in the database as the current hash values of those files;
S5, through the system security kernel, intercept every execution or loading operation of an executable program or dynamic library file in the controlled system, compute the hash value of the file being executed or loaded, and record it as the captured hash value;
S6, determine whether the captured hash value equals either the original hash value or the current hash value stored in the white list policy library for the same file; if it does, allow the execution or loading operation, otherwise refuse it. Either outcome completes the Linux white list program control.
3. The control method for the Linux-based white list program control system of claim 2, wherein step S2 specifically comprises:
S21, after the client receives the control instruction enabling its white list, invoke the prelink undo function to restore every dynamic library file and executable program that prelink has optimised, yielding the original dynamic library files and original executable programs;
S22, after the client has undone prelinking, automatically scan the original executable programs and original dynamic library files through the software application layer, record the original hash values obtained during the scan in the database, and so establish the white list policy library.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011447624.XA CN112487413A (en) 2020-12-11 2020-12-11 Linux-based white list program control system and method

Publications (1)

Publication Number Publication Date
CN112487413A (en) 2021-03-12

Family

ID=74940132

Family Applications (1)

Application Number Title Priority Date Filing Date Status
CN202011447624.XA Linux-based white list program control system and method 2020-12-11 2020-12-11 Pending (published as CN112487413A)

Country Status (1)

Country Link
CN (1) CN112487413A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114564720A (en) * 2022-02-18 2022-05-31 北京圣博润高新技术股份有限公司 Program file auditing method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102930202A (en) * 2012-11-05 2013-02-13 曙光信息产业(北京)有限公司 Operation executing method in Linux system
KR101565590B1 (en) * 2015-01-07 2015-11-04 (주) 바이러스체이서 A system for expanding the security kernel with system for privilege flow prevention based on white list
CN107256358A (en) * 2017-07-04 2017-10-17 北京工业大学 Industrial configuration monitoring software implementation procedure dynamic protection method
CN107480522A (en) * 2017-08-14 2017-12-15 郑州云海信息技术有限公司 ELF file execution control system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination