CN113971297A - Linux-based ELF file data integrity protection method - Google Patents
- Publication number: CN113971297A (application CN202010720818.6A)
- Authority: CN (China)
- Prior art keywords: elf, file, digital signature, segment, kernel
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60—Protecting data > G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
Abstract
The invention discloses an ELF file data integrity protection method based on Linux, which provides a tool for signing an ELF file in a standard binary executable file format, and can attach a digital signature to a segment of the ELF file; when a Linux kernel is initialized, processing functions in all executable file formats are organized into a linked list, an ELF signature verification processing function is added into the linked list, and the ELF signature verification processing function is specially used for extracting and verifying a digital signature in an ELF; in a Linux kernel, before a standard execution process of an ELF binary executable file format, a digital signature is extracted from an ELF file, and then the digital signature in the ELF file is verified; if the digital signature passes the verification, the kernel normally executes the ELF file; if the digital signature is not verified, the kernel prohibits the ELF file from being executed; the security of the operating system based on the Linux kernel can be effectively protected, and the kernel can be prevented from executing the executable file which is maliciously tampered.
Description
Technical Field
The invention relates to the field of (computer) system security, in particular to an ELF file data integrity protection method based on Linux.
Background
Digital signatures are one of the core technologies of network security, and can ensure the integrity of information exchange, non-repudiation of transmitted information, certainty of identity of a signing party, and the like. A digital signature is some data appended to a data unit or a cryptographic transformation performed on a data unit that allows the recipient of the data unit to verify the source of the data unit and the integrity of the data unit and to protect the data from being forged by others.
In actual use, software developers need to distribute their own implemented software over a network. When a user receives and uses software distributed by others on his computer, the user needs to check whether the software is malicious software which may threaten the security of the computer after being maliciously tampered. At present, the main solution is that before the software is distributed by the developer, a digital signature is generated by a trusted key and appended to the software, and distributed together with the software. The receiver firstly checks the digital signature before installing or using the software, and only allows the software to be installed or run if the digital signature passes the check; otherwise, the software is treated as no longer secure through tampering by a third party.
Existing solutions fall into two main categories.
One is to validate the software package in user space (as opposed to kernel space in the operating system). For example, the package management tool apt (Advanced Package Tool) in the Debian system verifies the GPG signature attached to the software or to the compressed package before receiving or installing the package. If the verification fails, the package cannot be unpacked and installed.
The other is for the operating system to verify the digital signature of the software in kernel space. For example, Gatekeeper in macOS (rendered as "gate access" in the original translation) checks whether an App obtained from a source other than the Mac App Store carries the signature of a trusted developer, so as to keep the user from downloading and installing malicious software.
For the scheme of verifying the digital signature in the user space, only software in the management range of the scheme can be protected, and the kernel of the whole operating system cannot be protected from the harm of malicious software. An attacker can easily circumvent the signature verification mechanism by other means.
For the signature verification function in the kernel space of the operating system, the specific implementation mode is different due to different operating system implementations, so the schemes are not compatible with each other.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides an ELF file data integrity protection method based on Linux, which can effectively protect the security of an operating system based on a Linux kernel, avoid the kernel from executing an executable file which is maliciously tampered, and protect the data security and privacy of a user.
The technical scheme of the invention is as follows: the Linux-based ELF file data integrity protection method specifically comprises the following steps:
step one, providing a tool for signing an ELF file in a standard binary executable file format, wherein a digital signature can be attached to a segment of the ELF file;
step two, when a Linux kernel is initialized, processing functions in all executable file formats are organized into a linked list, an ELF signature verification processing function is added into the linked list, and the ELF signature verification processing function is specially used for extracting and verifying a digital signature in an ELF;
step three, in a Linux kernel, before the standard execution process for the ELF (Executable and Linkable Format) binary executable file format, extracting a digital signature from the ELF file and then verifying it; if the digital signature passes verification, the kernel executes the ELF file normally; if the digital signature fails verification, the kernel prohibits the ELF file from being executed.
Further, in the second step, the ELF signature verification processing function is added to the linked list as follows: the ELF signature verification processing function is compiled directly into the binary of the Linux kernel, and at the same time the compilation order of the processing function and the mode and level of kernel initialization are controlled, so that the processing function is positioned in the linked list ahead of the ELF handler built into the kernel (binfmt_elf).
Further, in the second step, an ELF signature verification processing function is added to the linked list, and the specific method is as follows: the ELF signature processing function is compiled into a kernel module, and after the kernel is started, the processing function is manually added to the first position on the linked list.
Further, a system administrator user can manually load or unload the ELF signature verification processing function module.
Furthermore, in the newly added ELF signature verification processing function, the format of the ELF can be analyzed, the segment where the digital signature is located and the segment protected by the digital signature are extracted, and whether the digital signature is correct or not is verified by using the key in the kernel.
Further, in step one, the digital signature is attached to a segment of the ELF file as follows: when a digital signature is attached to an ELF file, the digital signature is added to the file as a segment, the name string of the segment is added to the segment name string table, and the basic information of the segment is added to the segment header table; finally, the number of segments in the ELF header, the offset of the segment header table in the file, and the index of the segment name string table recorded in the ELF header also need to be modified.
Further, when the digital signature in the ELF file is read, the corresponding segment is looked up in the segment name string table by the name string of the segment holding the digital signature, and the signature data is read directly from the position and length of that segment in the file as recorded in the segment header table.
The invention has the beneficial effects that: compared with the prior art, the method can effectively protect the security of the operating system based on the Linux kernel, avoid the kernel from executing the executable file which is maliciously tampered, and protect the data security and privacy of the user.
On the application level, since the digital signature verification in the kernel is completely transparent to the user, the user can directly use the Linux operating system in the original mode without an operation of explicitly performing signature verification before executing the ELF program.
Drawings
FIG. 1 is a schematic diagram of the linked list of executable-format handlers consulted by the execve system call, as built when the Linux kernel is initialized;
FIG. 2 shows the position in that linked list of an ELF signature verification processing function that has been compiled directly into the Linux kernel binary;
FIG. 3 is a diagram illustrating the compilation of ELF signature processing functions into a kernel module. This handling function is manually added to the linked list after the kernel is started.
FIG. 4 is a schematic diagram of attaching a digital signature to an ELF file.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
The invention provides an implementation of digital signature verification in the Linux operating system kernel. The concrete parts are as follows:
in the Linux kernel, before a program in the standard binary executable file format ELF is executed, a digital signature is extracted from the ELF file, and then the digital signature in the ELF file is verified. If the digital signature is verified, the kernel can normally execute the ELF file; if the digital signature is not verified, the kernel prohibits the ELF file from being executed.
To support that verification, the present invention provides a tool for signing an ELF file, which is capable of appending a digital signature to a "segment" of the ELF file.
The Linux kernel executes executable files through the execve system call. For executable files of different formats the kernel provides different processing functions (binary format handlers); each parses the format of its executable file and extracts the information needed to run the program, such as code, data and the program entry address. For example, version 4.15.0 of the Linux kernel provides a handler for ELF files, a handler for script files, a handler for a.out format files, and so on.
When the Linux kernel is initialized, the handlers for all executable file formats are organized into a linked list. In the execve system call the kernel traverses this list, calling each format's handler in turn, and each handler tries to parse the executable file as its own format. If a handler fails to parse the file it returns the error code ENOEXEC, and the kernel continues with the next handler in the list; this goes on until either one handler parses the executable file successfully, in which case the file is then executed, or no handler can parse the format, in which case the kernel cannot execute the program. The linked list is shown schematically in figure 1.
The invention adds a processing function to this linked list that is dedicated to extracting and verifying the digital signature in an ELF file. This processing function runs before the kernel's own ELF handler. If the digital signature verifies, the processing function returns -ENOEXEC, so that the kernel goes on to call the real ELF handler; if the digital signature fails verification, the processing function returns an error code other than -ENOEXEC, so that the kernel cannot execute this ELF file. The processing function proposed by the present invention can be inserted into the handler linked list in two forms.
First, the ELF signature verification processing function is compiled directly into the Linux kernel binary; at the same time, the compilation order of the processing function and the mode and level of kernel initialization are controlled so that the processing function occupies the position in the linked list shown in fig. 2.
Second, the ELF signature processing function is compiled as a kernel module, and the processing function is added to the linked list manually after the kernel has started. Because the linked list has already been built during kernel initialization, the processing function can at that point only be added at the position shown in FIG. 3. The system administrator user may manually load or unload the module.
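The chaining rule just described (return -ENOEXEC to let the next handler try, anything else to stop the search, and the verifier must sit ahead of the kernel's ELF handler) is easy to get wrong, so here is a user-space simulation of it. This is example code added for this page, not the patent's implementation and not kernel code; the handler names, the constructed image bytes and the stand-in signature check are all assumptions of the example. The last case shows what happens when the verifier is merely appended behind the ELF handler instead of being inserted ahead of it.

```python
import errno

ELF_MAGIC = b"\x7fELF"


def make_verifier(signature_ok):
    """Build the patent's extra handler. `signature_ok(image)` stands in for the
    in-kernel check against the kernel-held key (an assumption of this example)."""
    def verify_elf(image, trace):
        if not image.startswith(ELF_MAGIC):
            return -errno.ENOEXEC      # not an ELF file: let the next handler try
        trace.append("verify")
        if signature_ok(image):
            return -errno.ENOEXEC      # good signature: "decline" so binfmt_elf runs next
        return -errno.EACCES           # bad signature: any code but -ENOEXEC ends the search
    return verify_elf


def binfmt_elf(image, trace):
    """Stand-in for the kernel's real ELF handler: it claims every ELF image."""
    if not image.startswith(ELF_MAGIC):
        return -errno.ENOEXEC
    trace.append("exec-elf")
    return 0


def binfmt_script(image, trace):
    """Stand-in for the '#!' script handler."""
    if not image.startswith(b"#!"):
        return -errno.ENOEXEC
    trace.append("exec-script")
    return 0


def search_binary_handler(formats, image, trace):
    """Walk the handler list the way the kernel's execve path does: every handler
    gets a turn until one returns something other than -ENOEXEC."""
    for handler in formats:
        rc = handler(image, trace)
        if rc != -errno.ENOEXEC:
            return rc
    return -errno.ENOEXEC              # no handler recognised the format


def run(formats, image):
    """Return (result code, list of handlers that acted) for one exec attempt."""
    trace = []
    return search_binary_handler(formats, image, trace), trace


# Constructed sample images and a stand-in signature check: tampering is modelled
# as the presence of a marker string, which is enough to exercise the dispatch logic.
def signature_ok(image):
    return b"TAMPERED" not in image


GOOD_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"...code..." + b"<sig>"
BAD_ELF = GOOD_ELF + b"TAMPERED"
SCRIPT = b"#!/bin/sh\necho hi\n"
JUNK = b"not an executable"

# Handler order of fig. 2 / claim 3: the verifier sits ahead of binfmt_elf.
CORRECT_ORDER = [make_verifier(signature_ok), binfmt_elf, binfmt_script]
# A module that is appended at the tail instead of inserted at the head.
WRONG_ORDER = [binfmt_elf, make_verifier(signature_ok), binfmt_script]

if __name__ == "__main__":
    for name, img in [("good", GOOD_ELF), ("bad", BAD_ELF), ("script", SCRIPT), ("junk", JUNK)]:
        print(name, run(CORRECT_ORDER, img))
    print("bad, wrong order", run(WRONG_ORDER, BAD_ELF))   # tampered file is executed
```

In a real kernel the handler is the load_binary callback of a struct linux_binfmt, and the two insertion forms in the text correspond to register_binfmt(), which appends to the tail of the list, versus insert_binfmt(), which inserts at the head. The wrong-order case is why the module form must use the latter: binfmt_elf claims every ELF image it sees, so a verifier behind it never runs.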
In the newly added signature verification processing function, the ELF format is parsed, the section holding the digital signature data and the section protected by the digital signature are extracted, and the digital signature is checked for correctness using the key held in the kernel. In addition, the invention implements an ELF signing tool that attaches the digital signature to the ELF file in a way that conforms to the ELF file format.
ELF files are read and written by locating the section header table and the section header string table through the ELF header at the start of the file. (In this description the "segments" of the summary and claims are ELF sections, i.e. entries of the section header table.)
To read the digital signature from an ELF file, the section whose name matches the name of the signature section is looked up in the section header string table, and the signature data is read directly from the file position and length recorded for that section in the section header table.
To attach a digital signature to an ELF file, the signature is added to the file as a new section, the section's name string is added to the section header string table, and the section's basic information, such as its length, is added as a new entry in the section header table; finally, the number of sections in the ELF header, the offset of the section header table in the file, and the index of the section name string table recorded in the ELF header must also be updated. This is shown in fig. 4.
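The read and write procedures above, worked through for little-endian ELF64 files as an added example that is not the patent's tool. The signature section name `.sig`, the choice of `.text` as the protected section, the placeholder signature bytes, the constructed minimal image and the assumption that the section header table is the last thing in the file are all this example's own; the patent specifies none of them. The writer relocates and enlarges the existing `.shstrtab` rather than adding a second string table, so `e_shstrndx` keeps its value; it is still rewritten to mirror the patent's last step.

```python
import struct

# Little-endian ELF64 header and section header layouts (System V ABI).
EHDR_FMT = "<16sHHIQQQIHHHHHH"
SHDR_FMT = "<IIQQQQIIQQ"
EHDR_SIZE = struct.calcsize(EHDR_FMT)   # 64
SHDR_SIZE = struct.calcsize(SHDR_FMT)   # 64
SHT_PROGBITS, SHT_STRTAB = 1, 3
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4
SIG_SECTION = ".sig"          # hypothetical name; the patent does not name the section
PROTECTED_SECTION = ".text"   # hypothetical choice of the section the signature covers


def _align(buf, n=8):
    buf.extend(b"\0" * (-len(buf) % n))


def parse(data):
    """Return (ELF header tuple, list of section header tuples)."""
    eh = struct.unpack_from(EHDR_FMT, data, 0)
    ident = eh[0]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    shoff, shnum = eh[6], eh[12]                      # e_shoff, e_shnum
    shdrs = [struct.unpack_from(SHDR_FMT, data, shoff + i * SHDR_SIZE) for i in range(shnum)]
    return eh, shdrs


def section_names(data):
    """Names of all non-null sections, resolved through the section header string table."""
    eh, shdrs = parse(data)
    strtab_off = shdrs[eh[13]][4]                     # e_shstrndx -> sh_offset of .shstrtab
    names = []
    for sh in shdrs[1:]:
        start = strtab_off + sh[0]                    # sh_name is an offset into .shstrtab
        names.append(data[start:data.index(b"\0", start)].decode())
    return names


def find_section(data, name):
    """Bytes of the named section, or None (the read path described above)."""
    _, shdrs = parse(data)
    for sh, n in zip(shdrs[1:], section_names(data)):
        if n == name:
            return data[sh[4]:sh[4] + sh[5]]          # sh_offset, sh_size
    return None


def read_signature(data):
    return find_section(data, SIG_SECTION)


def signing_input(data):
    """Bytes the signer signs and the kernel-side verifier must check the signature against."""
    return find_section(data, PROTECTED_SECTION)


def attach_signature(data, sig):
    """Append `sig` as a new section and fix up the headers (the write path described above)."""
    eh, shdrs = parse(data)
    if read_signature(data) is not None:
        raise ValueError("image already carries a signature section")
    shoff, shnum, shstrndx = eh[6], eh[12], eh[13]
    if shoff + shnum * SHDR_SIZE != len(data):
        raise ValueError("example assumption: section header table must end the file")
    strtab = shdrs[shstrndx]
    old_names = data[strtab[4]:strtab[4] + strtab[5]]
    new_names = old_names + SIG_SECTION.encode() + b"\0"   # new name appended to .shstrtab
    body = bytearray(data[:shoff])                          # drop the old section header table
    names_off = len(body); body += new_names; _align(body) # relocated, enlarged .shstrtab
    sig_off = len(body); body += sig; _align(body)          # the signature section itself
    new_shoff = len(body)
    shdrs = list(shdrs)
    shdrs[shstrndx] = strtab[:4] + (names_off, len(new_names)) + strtab[6:]
    # Not SHF_ALLOC, so the program loader never maps it; only the verifier reads it.
    shdrs.append((len(old_names), SHT_PROGBITS, 0, 0, sig_off, len(sig), 0, 0, 1, 0))
    for sh in shdrs:
        body += struct.pack(SHDR_FMT, *sh)
    eh = list(eh)
    eh[6], eh[12], eh[13] = new_shoff, len(shdrs), shstrndx   # e_shoff, e_shnum, e_shstrndx
    struct.pack_into(EHDR_FMT, body, 0, *eh)
    return bytes(body)


def build_minimal_elf(text=b"\x31\xc0\xc3"):
    """Constructed x86-64 ELF64 image with only .text and .shstrtab, for testing."""
    names = b"\0.text\0.shstrtab\0"
    body = bytearray(EHDR_SIZE)
    text_off = len(body); body += text; _align(body)
    names_off = len(body); body += names; _align(body)
    shoff = len(body)
    shdrs = [(0,) * 10,
             (1, SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR, 0, text_off, len(text), 0, 0, 16, 0),
             (7, SHT_STRTAB, 0, 0, names_off, len(names), 0, 0, 1, 0)]
    for sh in shdrs:
        body += struct.pack(SHDR_FMT, *sh)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LSB, version 1, SYSV ABI
    struct.pack_into(EHDR_FMT, body, 0, ident, 2, 62, 1, 0, 0, shoff, 0,
                     EHDR_SIZE, 56, 0, SHDR_SIZE, len(shdrs), 2)
    return bytes(body)
```

Written to disk, the result is still a well-formed ELF file: `readelf -S` lists the extra `.sig` section, and because the section is not SHF_ALLOC the loader ignores it. The verifying side does the reverse of the writer: it takes `signing_input()` as the data to check and `read_signature()` as the signature to check it against, and a mismatch is what makes the handler return something other than -ENOEXEC.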
Compared with the prior art, the method and the device have the advantages that the safety of the operating system based on the Linux kernel can be effectively protected, the kernel is prevented from executing the executable file which is maliciously tampered, and the data safety and privacy of a user are protected.
On the application level, since the digital signature verification in the kernel is completely transparent to the user, the user can directly use the Linux operating system in the original mode without an operation of explicitly performing signature verification before executing the ELF program.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.
Claims (7)
1. An ELF file data integrity protection method based on Linux, characterized by comprising the following specific steps:
step one, providing a tool for signing an ELF file in a standard binary executable file format, wherein a digital signature can be attached to a segment of the ELF file;
step two, when a Linux kernel is initialized, processing functions in all executable file formats are organized into a linked list, an ELF signature verification processing function is added into the linked list, and the ELF signature verification processing function is specially used for extracting and verifying a digital signature in an ELF;
step three, in a Linux kernel, before the standard execution process for the ELF binary executable file format, extracting a digital signature from the ELF file and then verifying it; if the digital signature passes verification, the kernel executes the ELF file normally; if the digital signature fails verification, the kernel prohibits the ELF file from being executed.
2. The Linux-based ELF file data integrity protection method of claim 1, wherein: in the second step, the ELF signature verification processing function is added to the linked list as follows: the ELF signature verification processing function is compiled directly into the binary of the Linux kernel, and at the same time the compilation order of the processing function and the mode and level of kernel initialization are controlled, so that the processing function is positioned in the linked list ahead of the ELF handler built into the kernel.
3. The Linux-based ELF file data integrity protection method of claim 1, wherein: in the second step, an ELF signature verification processing function is added to the linked list, and the specific method is as follows: the ELF signature processing function is compiled into a kernel module, and after the kernel is started, the processing function is manually added to the first position on the linked list.
4. The Linux-based ELF file data integrity protection method of claim 3, wherein: the system administrator user can manually load or unload the ELF signature verification processing function module.
5. The Linux-based ELF file data integrity protection method of claim 1, wherein: in the newly added ELF signature verification processing function, the format of the ELF can be analyzed, the segment where the digital signature is located and the segment protected by the digital signature are extracted, and whether the digital signature is correct or not is verified by using the key in the kernel.
6. The Linux-based ELF file data integrity protection method of claim 1, wherein: in the first step, the digital signature is attached to a segment of the ELF file as follows: when a digital signature is attached to an ELF file, the digital signature is added to the file as a segment, the name string of the segment is added to the segment name string table, and the basic information of the segment is added to the segment header table; finally, the number of segments in the ELF header, the offset of the segment header table in the file, and the index of the segment name string table recorded in the ELF header also need to be modified.
7. The Linux-based ELF file data integrity protection method of claim 1, wherein: when the digital signature in the ELF file is read, the corresponding segment is looked up in the segment name string table by the name string of the segment holding the digital signature, and the signature data is read directly from the position and length of that segment in the file as recorded in the segment header table.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010720818.6A CN113971297A (en) | 2020-07-24 | 2020-07-24 | Linux-based ELF file data integrity protection method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113971297A true CN113971297A (en) | 2022-01-25 |
Family
ID=79585794
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010720818.6A Pending CN113971297A (en) | 2020-07-24 | 2020-07-24 | Linux-based ELF file data integrity protection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113971297A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |