CN112668008A - Method for realizing dynamic system call hijacking based on LSM - Google Patents
Method for realizing dynamic system call hijacking based on LSM Download PDFInfo
- Publication number
- CN112668008A CN112668008A CN202110012280.8A CN202110012280A CN112668008A CN 112668008 A CN112668008 A CN 112668008A CN 202110012280 A CN202110012280 A CN 202110012280A CN 112668008 A CN112668008 A CN 112668008A
- Authority
- CN
- China
- Prior art keywords
- customized
- lsm
- function
- security
- detection function
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 40
- 238000001514 detection method Methods 0.000 claims abstract description 97
- 230000006870 function Effects 0.000 claims description 174
- 230000000694 effects Effects 0.000 claims description 10
- 206010000117 Abnormal behaviour Diseases 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 2
- 230000006399 behavior Effects 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
Images
Landscapes
- Stored Programmes (AREA)
Abstract
The invention discloses a method for realizing dynamic system call hijacking based on LSM, comprising the following steps: and calling a system calling function by the user process, operating a hook function inserted into the LSM framework by the system calling function, calling a dynamically loaded LSM detection function by the hook function, checking the relevant information of the operation context and the host-object security domain, allowing the system calling to continue executing according to the customized security policy, and returning by mistake if the system calling function does not accord with the customized security policy. The invention is scientific and reasonable, is safe and convenient to use, can dynamically load the LSM security module without being compiled into a kernel in advance, and uses a customized detection function to complete dynamic system call hijacking based on the LSM.
Description
Technical Field
The invention relates to the technical field of internet security, in particular to a method for realizing dynamic system call hijacking based on LSM.
Background
There are two modes of operation in the Linux system: user mode and kernel mode. The system call is an entrance of a process from a user state to a kernel state, and in a Linux system, a system call hijacking technology can be used for detecting and preventing malicious behaviors. Wherein the security module engine part is implemented by a specific security module.
At present, there are five systems calling hijacking methods: 1. hijacking a user-mode dynamic library, changing the loading sequence of the dynamic library by modifying an LD-PRELOAD environment variable, and preferentially loading the dynamic library containing a system call hijacking function; 2. carrying out hijacking on the kernel-mode system call, and replacing a system call function in a kernel system call table; 3. intercepting a stack file system, and hijacking system calls related to file operation; 4. a built-in hook mechanism such as kprobe provided by a Linux kernel; 5. linux security module lsm (Linux security module). In the prior art, a kernel-mode system call hijacking method is used for taking effect without recompiling a kernel, and replaces a system call processing function in a system call table, so that when an application program executes system call, a new replaced system call processing function is found in the system call table through a system call number, and the new system call processing function can perform a plurality of special processes, such as: the method calls the original system call processing function for some processes, and goes the original flow, and goes the new flow for some processes without calling the original system call processing function, however, the kernel-mode system call hijack method has two disadvantages: firstly, in the upgrading process of the Linux kernel version, the system call implementation method changes, especially the system call of exeve which executes the command changes greatly, the hijacking method is more and more complex, the kernel of the latest version cannot be hijacked at present, secondly, the exeve hijacking relates to the assembly language, the implementation methods of different CPU models are different, the universality is poor, and especially for the CPU which is not X86, the implementation difficulty is very high.
LSM allows developers to customize their own security modules, but the limitation is that customized security modules cannot be used in a dynamically loaded manner, and must be pre-compiled to enter the Linux kernel. Therefore, a method for realizing dynamic system call hijacking based on the LSM is urgently needed.
Disclosure of Invention
The present invention aims to provide a method for implementing dynamic system call hijacking based on LSM, so as to solve the problems proposed in the above background art.
In order to solve the technical problems, the invention provides the following technical scheme:
a method for realizing dynamic system call hijacking based on LSM, the method comprises the following steps:
step S1: loading the customized kernel module, and turning to the step S2;
step S2: loading a pointer address as a first naming module to the customized kernel module, and implementing a customized detection function in the first naming module, and going to step S3;
step S3: the user process calls a system calling function, and goes to step S4;
step S4: the system calls a function to run a hook function inserted into the LSM framework, the hook function calls a dynamically loaded LSM detection function, the address of the first named detection function in the current safety operation set is saved according to the pointer address, the address is stored in the name of the old detection function, the pointer of the first named detection function in the current safety operation set points to the customized detection function, and the step S5 is switched;
step S5: when the system calls exeve, a customized detection function is called firstly, if the customized detection is passed, the first named detection function is called, when the hook function of the security module in the LSM framework is called, the security module obtains the security context information of the security module from the host-object structure and sends the security context information to the security module policy engine, and the security module policy engine makes a decision of the security module on the calling according to the host-object security context information and the security policy library, so that the calling hijacking of the system is realized.
The invention uses LSM to realize dynamic system call hijack, LSM is a lightweight universal access control framework of Linux kernel, it makes various security access control models realized in the form of Linux loadable kernel module, the user can select proper security module to load into Linux kernel according to his demand, thus greatly improving the flexibility and usability of Linux security access control mechanism; the LSM adopts a method of placing a hook function in the kernel source code to arbitrate the access to the kernel internal object; firstly, when a user accesses a system for calling, functional error check is carried out through an original memory interface, and then Linux autonomous access control authority check is carried out. Before accessing an internal object of the kernel, the LSM is called through a hook function of the security module, the LSM checks the operation context and the related information of the subject-object security domain to determine whether to allow the request, feels the access validity, and returns information. The hook function in the security module is called immediately before the kernel performs the actual operation, and the security policy is accessed through the hook function to decide whether to allow the operation to be executed. The first named detection function in the current LSM module security operation set is replaced by the customized detection function, so that the limitation that the LSM mechanism does not allow dynamic loading is broken through.
Further, in step S2, a customized detection function is implemented in the customized kernel module, a pointer address is added to the customized kernel module as a first naming module loading parameter, and the detection function is used to check whether the program to be executed is in the temporary directory, if the program is in the temporary directory, the program is considered to be a dangerous program, the program is prohibited from executing, and if the program is not in the temporary directory, the program is considered to be a safe program, and the program is allowed to execute.
The invention can realize a customized detection function in the customized kernel module according to the requirement of a user, and utilizes the pointer address to store the first named detection function address in the current security operation set as the old detection function address, and points the first named detection function pointer in the current security operation set to the customized detection function, thereby realizing that the customized detection function is executed by the kernel, and breaking through the limitation that the LSM mechanism does not allow dynamic loading.
Further, the customized test functions are inserted into the head of the linked list in step S2, and the customized test functions may be concatenated in the form of a linked list.
In the LSM2.0 framework, the customized detection function is inserted into the head of the linked list, and the customized detection function is connected in series in the form of the linked list, so that the customized detection function takes effect preferentially under the condition of allowing various LSM modules to take effect simultaneously, and the system call hijacking is realized.
Further, the step of concatenating the customized functions in the form of a linked list in step S2 is as follows:
adding a linked list in a hook function pointer structure in an LSM frame, and inserting a customized detection function into the head of the linked list;
creating a field array in an LSM framework, wherein each pointer in the field array corresponds to a security domain of a security module;
in the initialization stage of the LSM framework, the LSM framework obtains the starting parameters of a plurality of safety modules according to configuration and initializes a linked list structure;
when the security module is loaded into a Linux kernel, the security module obtains a hook function pointer structure, then connects a hook function in the security module with a pointer in the hook function pointer structure and allocates a positioning value to the security module, and then links the security module with hook function pointer structures of other security modules loaded into the Linux kernel through a linked list structure of the hook function pointer structure, wherein the positioning value represents the starting sequence of the security module.
The invention can enable the LSM framework to support a plurality of security modules to operate simultaneously, and enables the security modules to be mutually independent and equal in status by adopting a parallel link mode.
Further, if the customized detection function is inserted into the head of the linked list in step S2, the customized detection function exists in the form of the linked list in step S4, the hook function inserted into the LSM frame is run, and the customized detection function takes effect preferentially, thereby implementing system call hijacking.
The invention inserts the customized detection function into the head of the hook function of the system call function, only needs to modify a small amount of Linux kernel codes, and does not influence the performance of the system.
Further, if the customized detection function is inserted into the head of the linked list in the step S2, the customized detection function is sequentially run according to the linked list sequence in the step S4.
The invention sequentially operates the customized detection modules according to the sequence of the linked list, supports the simultaneous operation of a plurality of safety modules, and adopts the parallel link mode to ensure that the safety modules are mutually independent and have equal status.
Compared with the prior art, the invention has the following beneficial effects: the invention uses LSM to realize dynamic system call hijack, LSM is a lightweight universal access control framework of Linux kernel, it makes various security access control models realized in the form of Linux loadable kernel module, the user can select proper security module to load into Linux kernel according to his demand, thus greatly improving the flexibility and usability of Linux security access control mechanism; the LSM adopts a method of placing a hook function in the kernel source code to arbitrate the access to the kernel internal object; firstly, when a user accesses a system for calling, functional error check is carried out through an original memory interface, and then Linux autonomous access control authority check is carried out. Before accessing an internal object of the kernel, the LSM is called through a hook function of the security module, the LSM checks the operation context and the related information of the subject-object security domain to determine whether to allow the request, feels the access validity, and returns information. Calling a hook function in the security module before the kernel performs actual operation, and determining whether to allow the operation to be executed or not by accessing the security policy through the hook function; the invention can realize a customized detection function in the customized kernel module according to the requirement of a user, and utilizes the pointer address to store the first named detection function address in the current safe operation set as the old detection function address, and the pointer of the first named detection function in the current safe operation set points to the customized detection function, thereby realizing that the customized detection function is executed by the kernel; in the LSM2.0 framework, the customized detection function is inserted into the head of the linked list, and the customized detection function is connected in series in the form of the linked list, so that the customized detection function takes effect preferentially under the condition of allowing various LSM modules to take effect simultaneously, and the system call hijacking is realized; the invention can enable the LSM framework to support a plurality of safety modules to operate simultaneously, and adopts a parallel link mode to enable the safety modules to be mutually independent and have equal status; the customized detection function is inserted into the head part of the hook function of the system call function, and only a small amount of Linux kernel codes are required to be modified, so that the system performance is not influenced; the invention has simple configuration and convenient management, and the security administrator can dynamically load the security module only by simply configuring the customized detection function without compiling the detection function into the kernel in advance; the invention replaces the first named detection function in the current LSM module security operation set with the customized detection function, thereby breaking through the limitation that the LSM mechanism does not allow dynamic loading.
Drawings
FIG. 1 is a flow chart of a method for implementing dynamic system call hijacking based on LSM according to the present invention;
FIG. 2 is a schematic flow chart of a method LSM1.0 framework for implementing dynamic system call hijacking based on LSM of the present invention;
FIG. 3 is a flow diagram illustrating an embodiment of the present invention for a single LSM module hijacking an execute system call;
FIG. 4 is a schematic flow chart of a LSM2.0 framework of a method for implementing dynamic system call hijacking based on LSM of the present invention;
FIG. 5 is a flowchart illustrating an embodiment of the present invention for a multi-LSM hijacking execute system call;
fig. 6 is a flowchart illustrating an embodiment of detecting using an execute system call hijacking function according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1-5, the present invention provides the following technical solutions:
as shown in fig. 1-3, a method for implementing dynamic system call hijacking based on LSM, the method comprising the steps of:
step S1: loading the customized kernel module, and turning to the step S2;
step S2: loading a pointer address as a first naming module to the customized kernel module, and implementing a customized detection function in the first naming module, and going to step S3;
step S3: the user process calls a system calling function, and goes to step S4;
step S4: the system calls a function to run a hook function inserted into the LSM framework, the hook function calls a dynamically loaded LSM detection function, the address of the first named detection function in the current safety operation set is saved according to the pointer address, the address is stored in the name of the old detection function, the pointer of the first named detection function in the current safety operation set points to the customized detection function, and the step S5 is switched;
step S5: when the system calls exeve, a customized detection function is called firstly, if the customized detection is passed, the first named detection function is called, when the hook function of the security module in the LSM framework is called, the security module obtains the security context information of the security module from the host-object structure and sends the security context information to the security module policy engine, and the security module policy engine makes a decision of the security module on the calling according to the host-object security context information and the security policy library, so that the calling hijacking of the system is realized.
In step S2, a customized detection function is implemented in the customized kernel module, a pointer address is added in the customized kernel module as a first naming module loading parameter, and the detection function is used to check whether the program to be executed is in the temporary directory, if the program is in the temporary directory, the program is regarded as a dangerous program, and the program is prohibited from being executed, and if the program is not in the temporary directory, the program is regarded as a safe program, and the program is permitted to be executed.
The customized detection function is inserted into the head of the linked list in step S2, and the customized detection function may be concatenated in the form of a linked list.
The step of concatenating the customized functions in the form of a linked list in step S2 is as follows:
adding a linked list in a hook function pointer structure in an LSM frame, and inserting a customized detection function into the head of the linked list;
creating a field array in an LSM framework, wherein each pointer in the field array corresponds to a security domain of a security module;
in the initialization stage of the LSM framework, the LSM framework obtains the starting parameters of a plurality of safety modules according to configuration and initializes a linked list structure;
when the security module is loaded into a Linux kernel, the security module obtains a hook function pointer structure, then connects a hook function in the security module with a pointer in the hook function pointer structure and allocates a positioning value to the security module, and then links the security module with hook function pointer structures of other security modules loaded into the Linux kernel through a linked list structure of the hook function pointer structure, wherein the positioning value represents the starting sequence of the security module.
If the customized detection function is inserted into the head of the linked list in the step S2, the customized detection function exists in the linked list form in the step S4, the hook function inserted into the LSM frame is operated, and the customized detection function takes effect preferentially, thereby realizing the hijacking of the system call.
If the customized test functions are inserted into the head of the linked list in the step S2, the customized test functions are sequentially run according to the linked list sequence in the step S4.
As shown in fig. 4-6, the customized test functions are inserted into the head of the linked list in step S2, and the customized test functions may be concatenated in the form of a linked list.
The step of concatenating the customized functions in the form of a linked list in step S2 is as follows:
adding a linked list in a hook function pointer structure in an LSM frame, and inserting a customized detection function into the head of the linked list;
creating a field array in an LSM framework, wherein each pointer in the field array corresponds to a security domain of a security module;
in the initialization stage of the LSM framework, the LSM framework obtains the starting parameters of a plurality of safety modules according to configuration and initializes a linked list structure;
when the security module is loaded into a Linux kernel, the security module obtains a hook function pointer structure, then connects a hook function in the security module with a pointer in the hook function pointer structure and allocates a positioning value to the security module, and then links the security module with hook function pointer structures of other security modules loaded into the Linux kernel through a linked list structure of the hook function pointer structure, wherein the positioning value represents the starting sequence of the security module.
If the customized detection function is inserted into the head of the linked list in the step S2, the customized detection function exists in the linked list form in the step S4, the hook function inserted into the LSM frame is operated, and the customized detection function takes effect preferentially, thereby realizing the hijacking of the system call.
If the customized test functions are inserted into the head of the linked list in the step S2, the customized test functions are sequentially run according to the linked list sequence in the step S4.
The first embodiment is as follows:
step 101: and loading the customized kernel module, and taking the security _ ops pointer address as a module loading parameter. Writing a customized kernel security module, wherein a customized new _ bprm _ check _ security function is implemented in the module, the function checks whether a program to be executed is in a/tmp temporary directory, if the program is in the/tmp temporary directory, the program is considered to be a dangerous program, and the execution of the program is prohibited, and then, turning to step 102;
step 102: after the module is loaded into the kernel, saving the bprm _ check _ security function address in the current security operation set security _ operations according to the security _ ops pointer address, if the bprm _ check _ security function address is stored as old _ bprm _ check _ security, turning to step 103;
step 103: the bprm _ check _ security function pointer in the current security operation set security _ operations is pointed to the customized new _ bprm _ check _ security detection function.
In the execution process of the system call exeve, the bprm _ check _ security detection function is originally called, and now the new _ bprm _ check _ security detection function is called instead, so that the hijacking of the exeve system call is realized.
Example two:
step 201: loading a customized kernel module, wherein a customized new _ bprm _ check _ security detection function is realized in the customized kernel module, and turning to step 202;
step 202: after the module is loaded into the kernel, initializing an exec _ hook _ list data structure, and enabling a bprm _ check _ security function pointer in the exec _ hook _ list data structure to point to new _ bprm _ check _ security, and turning to step 203;
step 203: exec _ hook _ list is inserted into the head of the security _ hook _ headers linked list so that new _ bprm _ check _ security is also at the head of the bprm _ check _ security function linked list.
In the execution process of the system call exeve, bprm _ check _ security detection functions of all LSM modules on a detection function chain table are called in sequence, now, the new _ bprm _ check _ security detection functions are inserted into the head, so that the new _ bprm _ check _ security detection functions always take effect firstly and detect firstly, and therefore hijacking of the exeve system call is achieved.
Example three:
step 301: a normal user or an intruder executes a command, initiates an execute system call, and goes to step 302;
step 302: because the exeve system call is hijacked, after the exeve system call enters a kernel state, a new _ bprm _ check _ security detection function is called to perform detection, and the step 303 is executed;
step 303: according to the customized safety rule, detecting whether the command execution is an abnormal attack behavior, and turning to step 304;
step 304: if the abnormal behavior is judged, the execution of the abnormal command is terminated. If not, go to step 305;
step 305: and continuously executing the original old _ bprm _ check _ security function, and continuously finishing the original security detection.
For the multiple LSM module scenario, if the new _ bprm _ check _ security detection is not an abnormal behavior, step 305 continues to execute the bprm _ check _ security functions that should be executed originally on the detection function chain table.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.
Claims (6)
1. A method for realizing dynamic system call hijacking based on LSM is characterized in that the method comprises the following steps:
step S1, loading the customized kernel module, and turning to step S2;
step S2: loading a pointer address as a first naming module to the customized kernel module, and implementing a customized detection function in the first naming module, and going to step S3;
step S3: the user process calls a system calling function, and goes to step S4;
step S4: the system calls a function to run a hook function inserted into the LSM framework, the hook function calls a dynamically loaded LSM detection function, the address of the first named detection function in the current safety operation set is saved according to the pointer address, the address is stored in the name of the old detection function, the pointer of the first named detection function in the current safety operation set points to the customized detection function, and the step S5 is switched;
step S5: when the system calls exeve, a customized detection function is called firstly, if the customized detection is passed, the first named detection function is called, when the hook function of the security module in the LSM framework is called, the security module obtains the security context information of the security module from the host-object structure and sends the security context information to the security module policy engine, and the security module policy engine makes a decision of the security module on the calling according to the host-object security context information and the security policy library, so that the calling hijacking of the system is realized.
2. The method for implementing dynamic system call hijacking based on LSM as claimed in claim 1, wherein: in step S2, a customized detection function is implemented in the customized kernel module, a pointer address is added in the customized kernel module as a first naming module loading parameter, and the detection function is used to check whether the program to be executed is in the temporary directory, if the program is in the temporary directory, the program is regarded as a dangerous program, and the program is prohibited from being executed, and if the program is not in the temporary directory, the program is regarded as a safe program, and the program is permitted to be executed.
3. The method for implementing dynamic system call hijacking based on LSM as claimed in claim 1, wherein: the customized detection function is inserted into the head of the linked list in step S2, and the customized detection function may be concatenated in the form of a linked list.
4. The method for implementing dynamic system call hijacking based on LSM as claimed in claim 1, wherein: the step of concatenating the customized functions in the form of a linked list in step S2 is as follows:
adding a linked list in a hook function pointer structure in an LSM frame, and inserting a customized detection function into the head of the linked list;
creating a field array in an LSM framework, wherein each pointer in the field array corresponds to a security domain of a security module;
in the initialization stage of the LSM framework, the LSM framework obtains the starting parameters of a plurality of safety modules according to configuration and initializes a linked list structure;
when the security module is loaded into a Linux kernel, the security module obtains a hook function pointer structure, then connects a hook function in the security module with a pointer in the hook function pointer structure and allocates a positioning value to the security module, and then links the security module with hook function pointer structures of other security modules loaded into the Linux kernel through a linked list structure of the hook function pointer structure, wherein the positioning value represents the starting sequence of the security module.
5. The method for implementing dynamic system call hijacking based on LSM as claimed in claim 1, wherein: if the customized detection function is inserted into the head of the linked list in the step S2, the customized detection function exists in the linked list form in the step S4, the hook function inserted into the LSM frame is operated, and the customized detection function takes effect preferentially, thereby realizing the hijacking of the system call.
6. The method for implementing dynamic system call hijacking based on LSM as claimed in claim 5, wherein: if the customized test functions are inserted into the head of the linked list in the step S2, the customized test functions are sequentially run according to the linked list sequence in the step S4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110012280.8A CN112668008B (en) | 2021-01-06 | 2021-01-06 | Method for realizing dynamic system call hijacking based on LSM |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110012280.8A CN112668008B (en) | 2021-01-06 | 2021-01-06 | Method for realizing dynamic system call hijacking based on LSM |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112668008A true CN112668008A (en) | 2021-04-16 |
CN112668008B CN112668008B (en) | 2024-07-23 |
Family
ID=75413147
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110012280.8A Active CN112668008B (en) | 2021-01-06 | 2021-01-06 | Method for realizing dynamic system call hijacking based on LSM |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112668008B (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2023071786A1 (en) * | 2021-10-28 | 2023-05-04 | 华为技术有限公司 | Inter-process function calling method and related device |
CN116204883A (en) * | 2023-01-11 | 2023-06-02 | 安芯网盾(北京)科技有限公司 | Method and system for detecting and blocking file self-deletion based on Linux kernel |
CN118194307A (en) * | 2024-05-15 | 2024-06-14 | 浪潮云信息技术股份公司 | Method for improving security of credit-invasive operating system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101727555A (en) * | 2009-12-04 | 2010-06-09 | 苏州昂信科技有限公司 | Access control method for operation system and implementation platform thereof |
CN106096400A (en) * | 2016-06-06 | 2016-11-09 | 中国科学院信息工程研究所 | A kind of linux kernel parallel LSM framework implementation method |
CN108205615A (en) * | 2016-12-20 | 2018-06-26 | 中标软件有限公司 | Implementation system and implementation method for optimizing trusted basic component |
CN108614969A (en) * | 2018-05-02 | 2018-10-02 | 北京搜狐新媒体信息技术有限公司 | The forced access control method and system that a kind of system loads after starting |
CN111428241A (en) * | 2019-10-31 | 2020-07-17 | 北京深之度科技有限公司 | Multi-security access policy control method and computing device |
-
2021
- 2021-01-06 CN CN202110012280.8A patent/CN112668008B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101727555A (en) * | 2009-12-04 | 2010-06-09 | 苏州昂信科技有限公司 | Access control method for operation system and implementation platform thereof |
CN106096400A (en) * | 2016-06-06 | 2016-11-09 | 中国科学院信息工程研究所 | A kind of linux kernel parallel LSM framework implementation method |
CN108205615A (en) * | 2016-12-20 | 2018-06-26 | 中标软件有限公司 | Implementation system and implementation method for optimizing trusted basic component |
CN108614969A (en) * | 2018-05-02 | 2018-10-02 | 北京搜狐新媒体信息技术有限公司 | The forced access control method and system that a kind of system loads after starting |
CN111428241A (en) * | 2019-10-31 | 2020-07-17 | 北京深之度科技有限公司 | Multi-security access policy control method and computing device |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2023071786A1 (en) * | 2021-10-28 | 2023-05-04 | 华为技术有限公司 | Inter-process function calling method and related device |
CN116204883A (en) * | 2023-01-11 | 2023-06-02 | 安芯网盾(北京)科技有限公司 | Method and system for detecting and blocking file self-deletion based on Linux kernel |
CN116204883B (en) * | 2023-01-11 | 2023-08-22 | 安芯网盾(北京)科技有限公司 | Method and system for detecting and blocking file self-deletion based on Linux kernel |
CN118194307A (en) * | 2024-05-15 | 2024-06-14 | 浪潮云信息技术股份公司 | Method for improving security of credit-invasive operating system |
Also Published As
Publication number | Publication date |
---|---|
CN112668008B (en) | 2024-07-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112668008B (en) | Method for realizing dynamic system call hijacking based on LSM | |
JP4878715B2 (en) | Method, computer system and computer readable recording medium for patching applications that do not conform to operating system | |
US5579509A (en) | Apparatus and method for verifying compatibility of system components | |
KR101099337B1 (en) | Driver-specific context for kernel-mode shimming | |
US10019598B2 (en) | Dynamic service discovery | |
CN110795128B (en) | Program bug repairing method and device, storage medium and server | |
US20070113291A1 (en) | Method for administrating the function access | |
BRPI0618027A2 (en) | configuration of isolated extensions and device triggers | |
US20060161896A1 (en) | Performing debug requests that are within the debug domain of a class loader | |
CN111666210A (en) | Chip verification method and device | |
US20030074604A1 (en) | Method and apparatus for kernel module testing | |
US10235161B2 (en) | Techniques of adding security patches to embedded systems | |
CN111984263A (en) | Method, device, equipment and medium for running second system application on first system | |
US20080115109A1 (en) | Enhanced Hover Help For Software Debuggers | |
US11934517B2 (en) | Systems and methods for reliably injecting control flow integrity into binaries without source code | |
CN117313127A (en) | Data access authority control method and device, electronic equipment and storage medium | |
CN109947407B (en) | Data acquisition method and device | |
US8689206B2 (en) | Isolating operating system in-memory modules using error injection | |
US20210357312A1 (en) | Method and device for testing robustness and stability of smm, and storage medium | |
CN109426546A (en) | Using starting method and device, computer storage medium and equipment | |
RU2521265C2 (en) | System and method for automatic processing of software system errors | |
CN113535249B (en) | Data processing method, apparatus, device, storage medium, and program product | |
CN112906000B (en) | Program access method, device, equipment and readable storage medium | |
EP1685676A2 (en) | System for selectively enabling operating modes of a device | |
CN111694730B (en) | Method and device for eliminating error reference control resource |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |