CN115146262A - Linux system kernel vulnerability patch mitigation method and system based on eBPF technology - Google Patents

Linux system kernel vulnerability patch mitigation method and system based on eBPF technology

Info

Publication number: CN115146262A
Authority: CN (China)
Legal status: Granted, active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number: CN202211065564.4A
Other languages: Chinese (zh)
Other versions: CN115146262B (granted publication)
Inventors: 覃锦端, 王月兵, 柳遵梁, 刘聪, 毛菲
Current assignee: Hangzhou Meichuang Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Hangzhou Meichuang Technology Co ltd
Application filed by: Hangzhou Meichuang Technology Co ltd
Priority claimed to: CN202211065564.4A

Classifications

    • G PHYSICS; G06 COMPUTING, CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment

Abstract

The embodiment of the invention discloses a Linux system kernel vulnerability patch mitigation method and system based on eBPF technology. The method comprises the following steps: deploying an eBPF patch mitigation program; extracting network and kernel information of the Linux system; running a Linux system executable file and monitoring network-side behavior; judging whether executable file running behavior or network-side behavior exists; if so, instrumenting the kernel while the executable file runs and inserting the rewritten official patch logic code; judging whether network-side behavior exists in the monitoring result; if so, intervening with network instrumentation while the network-side behavior runs to obtain an intervention result; judging whether the intervention result matches a network packet rule base; if so, instrumenting a network layer function and modifying the network response packet; judging whether the instrumentation process is abnormal; and if so, generating alarm information with the relevant details. By implementing the method provided by the embodiment of the invention, Linux kernel vulnerability attacks can be accurately defended without actually installing the official Linux kernel vulnerability patch.

Description

Linux system kernel vulnerability patch mitigation method and system based on eBPF technology
Technical Field
The invention relates to the technical field of Linux system kernel vulnerability defense, and in particular to a Linux system kernel vulnerability patch mitigation method and a Linux system kernel vulnerability patch mitigation system based on eBPF technology.
Background
In recent years a great number of Linux kernel vulnerabilities have been discovered and disclosed, and attackers use them to launch remote code execution, privilege escalation, DDoS and other attacks against Linux hosts, creating serious risks to network security. Because of the nature of kernel vulnerabilities, the official patch must be installed to fully defend against an attack, which means installing the patch and restarting the host into the patched kernel; a large number of Linux hosts cannot be patched and restarted because they run important business applications, and a traditional firewall cannot prevent kernel vulnerability attacks against those hosts.
Therefore, a new method is needed that can accurately defend against Linux kernel vulnerability attacks without actually installing the official Linux kernel vulnerability patch.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a Linux system kernel vulnerability patch mitigation method and a Linux system kernel vulnerability patch mitigation system based on eBPF technology.
To achieve this, the invention adopts the following technical scheme. The Linux system kernel vulnerability patch mitigation method based on eBPF technology comprises the following steps:
deploying an eBPF patch mitigation program;
extracting the related information of the Linux system network and kernel;
running the Linux system executable file with the eBPF patch mitigation program and monitoring network-side behavior to obtain a monitoring result;
judging whether executable file running behavior or network-side behavior exists in the monitoring result;
if executable file running behavior or network-side behavior exists in the monitoring result, using the eBPF patch mitigation program to instrument the kernel while the executable file runs;
inserting the rewritten official patch logic code (the logic of the official vulnerability patch, converted into instrumentation code);
judging whether network-side behavior exists in the monitoring result;
if network-side behavior exists in the monitoring result, using the eBPF patch mitigation program to intervene with network instrumentation while the network-side behavior runs, so as to obtain an intervention result;
judging whether the intervention result matches a network packet rule base;
if the intervention result matches the network packet rule base, instrumenting a network layer function and modifying the network response packet;
judging whether the instrumentation process is abnormal;
and if the instrumentation process is abnormal, generating alarm information with the relevant details to raise an alarm.
A further technical scheme is as follows: after judging whether network-side behavior exists in the monitoring result, the method further includes:
if no network-side behavior exists in the monitoring result, proceeding to judge whether the instrumentation process is abnormal;
after judging whether the intervention result matches the network packet rule base, the method further includes:
if the intervention result does not match the network packet rule base, proceeding to judge whether the instrumentation process is abnormal.
A further technical scheme is as follows: the eBPF patch mitigation program achieves patch mitigation by performing instrumentation injection on the kernel and the network of the Linux system, and is provided with two detection features and two instrumentation features: for the kernel, a vulnerability-related kernel function detection feature and an official patch logic rewriting instrumentation feature; for the network, a vulnerability-related network request packet detection feature and a network response packet modification instrumentation feature.
A further technical scheme is as follows: the Linux system network and kernel related information comprises: network interface information; network services and open ports; the protocol type corresponding to each network service and open port; kernel version information; the patches already present on the current system; and process, service and executable file information.
A further technical scheme is as follows: judging whether executable file running behavior or network-side behavior exists in the monitoring result includes:
acquiring the Linux system kernel and patch information collection and the Linux system network information collection;
acquiring each kernel and patch data set from the Linux system kernel and patch information collection;
acquiring each network data set from the Linux system network information collection;
and computing, from each network data set and each kernel and patch data set, whether executable file running or network-side behavior occurs, and generating a marked behavior feature set.
A further technical scheme is as follows: inserting the rewritten official patch logic code comprises:
acquiring the corresponding instrumentation code from the official patch logic rewriting instrumentation feature data set;
and performing instrumentation with that instrumentation code.
A further technical scheme is as follows: instrumenting the network layer function and modifying the network response packet comprises:
acquiring the corresponding network response packet from the network response packet modification instrumentation feature data set;
and performing the instrumentation modification with that network response packet.
The invention also provides a Linux system kernel vulnerability patch mitigation system based on eBPF technology, which comprises:
a deployment unit for deploying the eBPF patch mitigation program;
an extraction unit for extracting the related information of the Linux system network and kernel;
a file running unit for running the Linux system executable file with the eBPF patch mitigation program and monitoring network-side behavior to obtain a monitoring result;
a first judging unit for judging whether executable file running behavior or network-side behavior exists in the monitoring result;
a first instrumentation unit, configured to instrument the kernel with the eBPF patch mitigation program while the executable file runs if executable file running behavior or network-side behavior exists in the monitoring result;
a code insertion unit for inserting the rewritten official patch logic code;
a second judging unit for judging whether network-side behavior exists in the monitoring result;
a second instrumentation unit, configured to use the eBPF patch mitigation program to intervene with network instrumentation while the network-side behavior runs, so as to obtain an intervention result, if network-side behavior exists in the monitoring result;
a third judging unit for judging whether the intervention result matches the network packet rule base;
a third instrumentation unit, configured to instrument the network layer function and modify the network response packet if the intervention result matches the network packet rule base;
a fourth judging unit for judging whether the instrumentation process is abnormal;
and an alarm unit for generating alarm information with the relevant details to raise an alarm if the instrumentation process is abnormal.
The invention also provides a computer device comprising a memory and a processor, where the memory stores a computer program and the processor executes the computer program to realize the method described above.
The invention also provides a storage medium storing a computer program which, when executed by a processor, implements the method described above.
Compared with the prior art, the invention has the following beneficial effect: using eBPF technology and means, and based on monitoring the running behavior and network behavior of the executable file, code instrumentation of kernel function calls and instrumentation rewriting of network packets, the method realizes dynamic patch injection while the executable file runs and before the network flow packet is answered, and can accurately defend against Linux kernel vulnerability attacks without actually installing the official Linux kernel vulnerability patch.
The invention is further described below with reference to the accompanying drawings and specific embodiments.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic view of an application scenario of a Linux system kernel vulnerability patch mitigation method based on eBPF technology according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a Linux system kernel vulnerability patch mitigation method based on eBPF technology according to an embodiment of the present invention;
fig. 3 is a sub-flow diagram of a Linux system kernel vulnerability patch mitigation method based on eBPF technology according to an embodiment of the present invention;
fig. 4 is a sub-flow diagram of a Linux system kernel vulnerability patch mitigation method based on eBPF technology according to an embodiment of the present invention;
fig. 5 is a sub-flow diagram of a Linux system kernel vulnerability patch mitigation method based on eBPF technology according to an embodiment of the present invention;
fig. 6 is a schematic block diagram of a Linux system kernel vulnerability patch mitigation system based on eBPF technology according to an embodiment of the present invention;
fig. 7 is a schematic block diagram of the first judging unit of a Linux system kernel vulnerability patch mitigation system based on eBPF technology according to an embodiment of the present invention;
fig. 8 is a schematic block diagram of the code insertion unit of a Linux system kernel vulnerability patch mitigation system based on eBPF technology according to an embodiment of the present invention;
fig. 9 is a schematic block diagram of the third instrumentation unit of a Linux system kernel vulnerability patch mitigation system based on eBPF technology according to an embodiment of the present invention;
fig. 10 is a schematic block diagram of a computer device provided by an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the specification of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items and includes such combinations.
Referring to fig. 1 and fig. 2, fig. 1 is a schematic view of an application scenario of a Linux system kernel vulnerability patch mitigation method based on eBPF technology according to an embodiment of the present invention, and fig. 2 is a schematic flowchart of that method. The method is applied on a server. The server exchanges data with a terminal and, using eBPF technology and means, realizes dynamic patch injection while the executable file runs and before the network flow packet is answered, based on monitoring of the running behavior and network behavior of the executable file, code instrumentation of kernel function calls and instrumentation rewriting of network packets, so that Linux kernel vulnerability attacks are accurately defended without actually installing the official Linux kernel vulnerability patch.
Fig. 2 is a schematic flowchart of a Linux system kernel vulnerability patch mitigation method based on eBPF technology according to an embodiment of the present invention. As shown in fig. 2, the method includes the following steps S110 to S220.
S110, deploying the eBPF patch mitigation program.
eBPF (extended Berkeley Packet Filter) is an extension of BPF (Berkeley Packet Filter) technology. eBPF lets user space load custom programs that are checked by an in-kernel verifier and then run at kernel-mode and user-mode event hooks (kprobes, tracepoints, XDP and TC hooks, and so on), so that developers who are not kernel developers can observe and, within the limits the verifier enforces, influence kernel behavior without modifying kernel source or loading a kernel module.
In this embodiment, the eBPF patch mitigation program implements patch mitigation by performing instrumentation injection on the kernel and the network of the Linux system, and embeds two detection features and two instrumentation features: for the kernel, a vulnerability-related kernel function detection feature and an official patch logic rewriting instrumentation feature; for the network, a vulnerability-related network request packet detection feature and a network response packet modification instrumentation feature.
When a Linux system executable file runs and network behavior exists, the Linux kernel function code involved in running the executable file is obtained with eBPF, and at the same time network packets are monitored at the network layer. When the executable file runs kernel function code in which a Linux kernel vulnerability exists, or a network packet matches the characteristics of packets related to a Linux kernel vulnerability attack, the eBPF patch mitigation program intervenes and performs instrumentation. For kernel function code, the eBPF patch mitigation program adaptively rewrites the code logic of the official vulnerability fix and inserts it into the running of the executable file; for network packets, the eBPF patch mitigation program modifies the network response packet once the kernel vulnerability attack characteristics match. Note that an eBPF program cannot rewrite the kernel's own instructions: on the kernel side the rewritten patch logic takes effect from a kprobe-type program that validates the arguments of the vulnerable function and, where needed, overrides its return value with an error (bpf_override_return, which requires CONFIG_BPF_KPROBE_OVERRIDE and a target function on the kernel's error-injection allowlist), and on the network side from XDP or TC programs that rewrite or drop packets. The monitoring and instrumentation described above use eBPF tooling including but not limited to the BCC compiler tool set, the bpftrace tracing language, the libbpf kernel standard library, the Go eBPF libraries and the like.
S120, extracting the related information of the network and kernel of the Linux system.
In this embodiment, the information about the Linux system network and kernel includes: network interface information; network services and open ports; the protocol type corresponding to each network service and open port; kernel version information; the patches already present on the current system; and process, service and executable file information.
Specifically, before the eBPF patch mitigation program runs the executable file and monitors and instruments network-side behavior, the network and kernel environment information of the current Linux host must be extracted. It comprises: network interface information, including but not limited to physical and virtual interfaces; network services and open ports; the protocol type corresponding to each service and open port, including but not limited to TCP, UDP, HTTP and the like; kernel version information; the patches already present on the current system; and process, service and executable file information.
S130, running the Linux system executable file with the eBPF patch mitigation program and monitoring network-side behavior to obtain a monitoring result.
In this embodiment, the monitoring result refers to the result obtained by running the Linux system executable file and monitoring network-side behavior.
S140, judging whether executable file running behavior or network-side behavior exists in the monitoring result.
In an embodiment, referring to fig. 3, the step S140 may include steps S141 to S144.
S141, acquiring the Linux system kernel and patch information collection and the Linux system network information collection;
S142, acquiring each kernel and patch data set from the Linux system kernel and patch information collection;
S143, acquiring each network data set from the Linux system network information collection;
S144, computing whether executable file running or network-side behavior occurs from each network data set and each kernel and patch data set, and generating a marked behavior feature set.
Specifically, the running of the Linux system executable file and the monitoring of network-side behavior use an algorithm $T_1$ which, for the acquired process, service and executable file information $D$, judges whether executable file running or network-side behavior currently exists and generates a marked behavior feature set $X_i$.
Algorithm $T_1$ is realized as follows. For the kernel and patch information collection $F$ of the Linux system, obtain each kernel and patch data set $\{F_1, F_2, \ldots, F_n\}$; for the network information collection $L$ of the Linux system, obtain each network data set $\{L_1, L_2, \ldots, L_n\}$; and compute whether executable file running or network-side behavior occurs, generating the marked behavior feature set. Let the kernel and patch information of the Linux host be $F_x$, the network information of the host be $L_x$ and the process, service and executable file information be $D_x$; then compute $T_1\{(F_x, L_x), D_x\}$. If $T_1\{(F_x, L_x), D_x\} = 0$, no executable file running or network-side behavior exists, $X_x$ is the empty set, and the eBPF patch mitigation program does not intervene to perform instrumentation. If $T_1\{(F_x, L_x), D_x\} = 1$, executable file running behavior or network-side behavior (or both) exists, and $X_x$ is the marked feature set of executable file running behavior and network-side behavior.
In addition, an algorithm $T_2$ judges the executable file running behavior and the network-side behavior: for the marked behavior feature set $X_i$ it judges whether the current behavior is a kernel call behavior or a network layer behavior, and generates the classified behavior feature $P_i$.
Algorithm $T_2$ is realized as follows. For the marked behavior feature set $X_i$, obtain each marked behavior feature content data set $\{X_{i1}, X_{i2}, \ldots, X_{ii}\}$; for the process, service and executable file information collection $D_i$, obtain each process, service and executable file data set $\{D_1, D_2, \ldots, D_n\}$; and compute whether the current behavior is a kernel call behavior, a network layer behavior, or both. Let the marked behavior feature set be $X_x$ and the current process, service and executable file information collection be $D_x$; then compute $T_2(X_x, D_x)$.
If $T_2(X_x, D_x) = 1$, the current behavior is a kernel call behavior and the classified behavior feature is $P_{Fx}$; if $T_2(X_x, D_x) = 2$, the current behavior is a network behavior and the classified behavior feature is $P_{Lx}$; if $T_2(X_x, D_x) = 3$, both kernel call behavior and network behavior exist and the classified behavior feature is $P_{FLx} = P_{Fx} + P_{Lx}$.
S150, if executable file running behavior or network-side behavior exists in the monitoring result, using the eBPF patch mitigation program to instrument the kernel while intervening in the running of the executable file.
In this embodiment, an algorithm $T_3$ is used for kernel instrumentation when the eBPF patch mitigation program intervenes in the running of the executable file. For the classified behavior feature $P_F$ of the kernel call behavior it judges whether the behavior feature involves kernel vulnerability-related function code and generates the called kernel vulnerability function set $R_{Fi}$.
Algorithm $T_3$ is realized as follows. For the classified behavior feature $P_F$ of the kernel call behavior, obtain each behavior feature data set $\{P_{F1}, P_{F2}, \ldots, P_{Fn}\}$; for the kernel and patch information collection $F$ of the Linux system, obtain each kernel and patch data set $\{F_1, F_2, \ldots, F_n\}$. Let the classified behavior feature of the current kernel call behavior be $P_{Fx}$, the kernel and patch information of the Linux host be $F_x$ and the vulnerability-related kernel function detection feature be $Q_{Fx}$; then compute $T_3\{(P_{Fx}, F_x), Q_{Fx}\}$.
If $T_3\{(P_{Fx}, F_x), Q_{Fx}\} = 0$, the classified behavior feature of the current kernel call behavior involves no Linux kernel vulnerability-related function code and $R_{Fx}$ is the empty set; if $T_3\{(P_{Fx}, F_x), Q_{Fx}\} = 1$, it does involve Linux kernel vulnerability-related function code and $R_{Fx}$ is the set of all kernel vulnerability functions involved.
S160, inserting the rewritten official patch logic code.
In an embodiment, referring to fig. 4, the step S160 may include steps S161 to S162.
S161, acquiring the corresponding instrumentation code from the official patch logic rewriting instrumentation feature data set;
S162, performing instrumentation with that instrumentation code.
An algorithm $T_4$ targets the called kernel vulnerability function set $R_{Fi}$ and the classified behavior feature $P_{Fi}$ of the kernel call behavior, performs instrumentation injection on the running executable file, and generates the instrumentation injection process and result information $J_{Fi}$.
Algorithm $T_4$ is realized as follows. For the called kernel vulnerability function set $R_{Fi}$, obtain each called kernel vulnerability function data set $\{R_{F1}, R_{F2}, \ldots, R_{Fn}\}$; for the classified behavior feature $P_{Fi}$ of the kernel call behavior, obtain each behavior feature data set $\{P_{F1}, P_{F2}, \ldots, P_{Fn}\}$. Let the currently called kernel vulnerability function set be $R_{Fx}$, the classified behavior feature of the current kernel call behavior be $P_{Fx}$ and the official patch logic rewriting instrumentation feature be $K_{Fx}$; then compute $T_4\{(R_{Fx}, K_{Fx}), P_{Fx}\}$.
If $T_4\{(R_{Fx}, K_{Fx}), P_{Fx}\} = 0$, the current instrumentation injection operation on the running executable file has no exception and $J_{Fx}$ is the empty set; if $T_4\{(R_{Fx}, K_{Fx}), P_{Fx}\} = 1$, the current instrumentation injection operation on the running executable file has an exception and $J_{Fx}$ contains the exception information of the instrumentation injection process.
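The kernel-side decision in S120 (kernel version information), S150 (algorithm $T_3$) and S160 (algorithm $T_4$) can be modelled as follows. This is an added example, not code from the patent or from the assignee: a user-space C model in which the vulnerable-function table, the symbol names `hypo_subsys_ioctl` and `hypo_net_recvmsg`, the version ranges and the two patch-logic checks are all constructed assumptions that describe no real CVE. It shows the part of the scheme that a kprobe program cannot carry on its own: deciding from the running kernel version whether a hooked function is still vulnerable (so the mitigation is not armed on a host that already carries the real fix) and what the compensating check derived from the official patch must return. On a real host the `t4_apply` verdict would be computed inside the kprobe program and a negative errno injected with bpf_override_return, which requires CONFIG_BPF_KPROBE_OVERRIDE and a target function on the error-injection allowlist.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct kver { int major, minor, patch; };

/* Parse a `uname -r` style string such as "5.15.0-91-generic" (S120 kernel version information). */
int parse_kver(const char *s, struct kver *v)
{
    v->major = v->minor = v->patch = 0;
    return sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) >= 2 ? 0 : -1;
}

/* Convenience for checks: does `s` parse to exactly a.b.c? */
int kver_is(const char *s, int a, int b, int c)
{
    struct kver v;
    return parse_kver(s, &v) == 0 && v.major == a && v.minor == b && v.patch == c;
}

/* Three-way version compare, strcmp-style sign. */
int kver_cmp(const struct kver *a, const struct kver *b)
{
    if (a->major != b->major) return a->major - b->major;
    if (a->minor != b->minor) return a->minor - b->minor;
    return a->patch - b->patch;
}

/* The compensating check that stands in for the official patch logic (K_F): it sees the
 * hooked function's arguments and returns 0 to let the call proceed, or the negative
 * errno the kprobe handler would inject as the function's return value. */
typedef int (*patch_logic_fn)(uint64_t arg0, uint64_t arg1);

/* One entry of the vulnerability-related kernel function detection feature Q_F. */
struct vuln_func {
    const char *func;            /* kernel symbol the kprobe would attach to */
    struct kver first_affected;  /* inclusive */
    struct kver fixed_in;        /* exclusive: kernels at or above already carry the real fix */
    patch_logic_fn logic;
};

#define HYPO_MAX_LEN 4096
/* Hypothetical: the upstream fix added a length bound, so reject oversized lengths. */
static int logic_len_bound(uint64_t arg0, uint64_t len) { (void)arg0; return len > HYPO_MAX_LEN ? -EINVAL : 0; }
/* Hypothetical: the upstream fix rejected a NULL object pointer. */
static int logic_nonnull(uint64_t obj, uint64_t arg1) { (void)arg1; return obj == 0 ? -EINVAL : 0; }

/* Constructed table; symbol names and version ranges are placeholders, not real CVEs. */
static const struct vuln_func table[] = {
    { "hypo_subsys_ioctl", {5, 4, 0},  {5, 15, 80}, logic_len_bound },
    { "hypo_net_recvmsg",  {4, 19, 0}, {6, 1, 0},   logic_nonnull   },
};
#define NTABLE (sizeof table / sizeof table[0])

/* T3: is `func` vulnerability-related on kernel `running_kver`?  Returns the table
 * index (R_F non-empty) or -1 (R_F empty: unknown function, or kernel already fixed). */
int t3_match(const char *func, const char *running_kver)
{
    struct kver v;
    if (parse_kver(running_kver, &v) != 0) return -1;
    for (size_t i = 0; i < NTABLE; i++) {
        if (strcmp(func, table[i].func) != 0) continue;
        if (kver_cmp(&v, &table[i].first_affected) < 0) continue;
        if (kver_cmp(&v, &table[i].fixed_in) >= 0) continue;
        return (int)i;
    }
    return -1;
}

#define T4_NOT_ARMED 1
/* T4: apply the rewritten patch logic to one recorded call.  Returns T4_NOT_ARMED when
 * no mitigation applies (nothing is instrumented), 0 when the call may proceed, or the
 * negative errno to inject (bpf_override_return) so the vulnerable path never runs. */
int t4_apply(const char *func, const char *running_kver, uint64_t arg0, uint64_t arg1)
{
    int idx = t3_match(func, running_kver);
    if (idx < 0) return T4_NOT_ARMED;
    return table[idx].logic(arg0, arg1);
}

int main(void)
{
    /* Constructed call events: the same function on an affected and on a fixed kernel. */
    printf("5.10 ioctl len=8192: %d\n", t4_apply("hypo_subsys_ioctl", "5.10.0-26-amd64", 3, 8192));
    printf("5.10 ioctl len=100:  %d\n", t4_apply("hypo_subsys_ioctl", "5.10.0-26-amd64", 3, 100));
    printf("6.2  ioctl len=8192: %d\n", t4_apply("hypo_subsys_ioctl", "6.2.0", 3, 8192));
    return 0;
}
```

The `fixed_in` bound is exclusive so that a host already running the patched kernel is not instrumented at all; the table is the operator's own responsibility and each entry must be retired once the real patch is installed, otherwise the probe keeps firing on code that no longer needs it.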
S170, judging whether a network side behavior exists in the monitoring result;
and S180, if the network side behavior exists in the monitoring result, utilizing an eBPF patch to relieve network instrumentation when the program intervenes the network side behavior operation so as to obtain an intervention result.
In this embodiment, the intervention result refers to a result of network instrumentation when the eBPF patch mitigation program is used to intervene in the behavior runtime of the network side.
And S190, judging whether the intervention result is matched with a network packet rule base.
In this embodiment, there is an algorithm T5, classification behavior feature P for network request behavior Li Judging whether the network behavior characteristics relate to related network request data packets of kernel vulnerability exploitation or not, and generating a matched network request data packet collection R Li
The algorithm T5 is specifically realized as follows, and the classification behavior characteristic P aiming at the network request behavior L Obtaining each behavior feature data set { P } L1 ,P L2 ,……P Ln }; aiming at a network information collection L of a Linux system, obtaining each network data set { L 1 ,L 2 ,……L n }. Setting the classification behavior characteristic of the current network request behavior as P Lx The Linux system network information is L x The request packet detection characteristic of the vulnerability-related network is Q Lx I.e. calculating T5{ (P) Lx ,L x ),Q Lx };
If T5{ (P) Lx ,L x ),Q Lx = 0, that is, the Linux kernel exploit request packet is not involved in the classification behavior feature representing the current network request behavior, when R is the time when R is the Lx Is an empty set; if T5{ (P) Lx ,L x ),Q Lx = 1, that is, the Linux kernel exploit request packet is involved in the classification behavior feature representing the current network request behavior, when R is the time of the Linux kernel exploit request packet Lx A network request packet collection is utilized for all involved kernel exploits.
S200, if the intervention result matches the network packet rule base, a network layer function is inserted and the network response packet is modified.
In an embodiment, referring to fig. 5, the step S200 may include steps S201 to S202.
S201, acquiring a corresponding network response packet from a network response packet modification pile insertion characteristic data set;
and S202, performing instrumentation modification by using the network response packet.
In this embodiment, there is an algorithm T6 that, for the involved kernel exploit network request packet set R_Li and the classification behavior feature P_Li of the network request behavior, performs instrumentation modification on the response packet corresponding to the network request packet and generates the instrumentation injection process and result information J_Li.
The algorithm T6 is implemented as follows. For the involved kernel exploit network request packet set R_Li, each involved kernel exploit network request packet data set {R_L1, R_L2, …, R_Ln} is obtained; for the classification behavior feature P_Li of the network request behavior, each behavior feature data set {P_L1, P_L2, …, P_Ln} is obtained. Let the currently called kernel vulnerability function set be R_Lx, the classification behavior feature of the current kernel calling behavior be P_Lx, and the network response packet modification instrumentation feature be K_Lx; that is, T6{(R_Lx, K_Lx), P_Lx} is calculated;
If T6{(R_Lx, K_Lx), P_Lx} = 0, there is no abnormality in the current instrumentation modification operation on the response packet corresponding to the network request packet, and J_Lx is the empty set; if T6{(R_Lx, K_Lx), P_Lx} = 1, there is an abnormality in the current instrumentation modification operation on the response packet corresponding to the network request packet, and J_Lx contains the exception information of the instrumentation modification process.
In addition, there is an algorithm T7: when the executable file running behavior and the network side behavior exist simultaneously, the algorithms T3, T4, T5 and T6 are used in combination to generate the instrumentation injection process and result information J_FLi; that is, T7{(T3, T4), (T5, T6)} is calculated;
If T7{(T3, T4), (T5, T6)} = 0, neither the instrumentation injection operation on the currently running executable file nor the instrumentation modification operation on the response packet corresponding to the network request packet has an abnormality, and J_FLx is the empty set; if T7{(T3, T4), (T5, T6)} = 1, there is an abnormality in both the instrumentation injection operation on the currently running executable file and the instrumentation modification operation on the response packet corresponding to the network request packet, and J_FLx contains the exception information of all the instrumentation modification operation processes.
S210, judging whether the instrumentation process is abnormal;
Whether the instrumentation process is abnormal, and whether the details of the alarm-related information exist, are judged by an algorithm T8. For the kernel behavior instrumentation injection operation process and result information J_Fi, the network response packet instrumentation modification process and result information J_Li, and the process and result information J_FLi when both occur, the algorithm judges whether the whole instrumentation modification operation process is abnormal and, through operations such as deduplication and cleaning, generates the final process and result information J_Alli.
The algorithm T8 is implemented as follows. For the kernel behavior instrumentation injection operation process and result information J_Fi, each kernel behavior instrumentation injection operation process and result data set {J_F1, J_F2, …, J_Fn} is obtained; for the network response packet instrumentation modification process and result information J_Li, each network response packet instrumentation modification process and result data set {J_L1, J_L2, …, J_Ln} is obtained; for the process and result information J_FLi when both occur, each instrumentation modification operation process and result data set {J_FL1, J_FL2, …, J_FLn} is obtained. Let the current kernel behavior instrumentation injection operation process and result information be J_Fx, the current network response packet instrumentation modification process and result information set be J_Lx, and the process and result set when both occur be J_FLx; that is, T8{J_Fx, J_Lx, J_FLx} is calculated;
If T8{J_Fx, J_Lx, J_FLx} = 0, there is no exception in the whole instrumentation modification operation flow, and J_Allx is the empty set; if T8{J_Fx, J_Lx, J_FLx} = 1, there is an exception in the whole instrumentation modification operation process, and J_Allx contains the exception information of the instrumentation modification process.
S220, if the instrumentation process is abnormal, generating alarm information with relevant information details to alarm the abnormality.
If there is no abnormality in the instrumentation process, the ending step is entered;
if no network side behavior exists in the monitoring result, step S210 is executed;
if the intervention result does not match the network packet rule base, the step S210 is executed.
When T8{J_Fx, J_Lx, J_FLx} = 1, an alarm is triggered to inform the user that an error occurred during the operation of the eBPF patch mitigation program; if T8{J_Fx, J_Lx, J_FLx} = 0, unaware Linux kernel vulnerability patch mitigation is achieved.
For example: the Linux host runs Ubuntu 16.04.2 LTS with the kernel Linux version 4.8.0-52-generic, and has three network cards, docker0, ens and lo, whose IP addresses are 172.17.0.1, 192.168.51.105 and 127.0.0.1 respectively.
When the Linux system and the network operate normally, each process in the Linux system runs normally, can receive network requests and respond normally, and, when an executable file runs, executes the operations defined in the executable file.
Since the monitoring of executable file running and of network requests is real-time, the default monitoring interval in this example is 0, that is, both behaviors are monitored in real time.
Step S110 deploys the eBPF patch mitigation program in any file directory of the system; in this embodiment it is deployed in the root/eBPF directory. The eBPF patch mitigation program consists of 5 files: the ebpf_main program file, the kernel_check.ini vulnerability-related kernel function detection feature configuration file, the kernel_patch.ini kernel vulnerability normal patch logic rewriting instrumentation feature configuration file, the packet_check.ini vulnerability-related kernel network request packet detection feature configuration file, and the packet_patch.ini kernel vulnerability network response packet modification instrumentation feature configuration file.
Further, in step S120, the related information of the system network and kernel is extracted: the patch mitigation program obtains the network and kernel information using commands such as top, diameter and netstat together with the function interfaces provided by the Linux system, and at the same time walks all folders and files under the system root directory to obtain information about executable files such as elf and sh files. The extracted information is as follows: there are three network cards, docker0, ens and lo, with IP addresses 172.17.0.1, 192.168.51.105 and 127.0.0.1 respectively; the open network ports are 80, 110, 31524 and 22, and the related network protocols are http, tcp and ssh; the system version is Ubuntu 16.04.2 LTS and the corresponding kernel version is Linux version 4.8.0-52-generic; the current system has the patch CVE-2018-8822_PATCH; the system process and service list includes java, dockerd, mysqld, systemd, sshd and so on; there are three executable files in the system, excute_file_1, excute_file_2 and excute_file_3.
Further, step S130 extracts the relevant information of the system kernel and network according to the information extracted above, and monitors the running of executable files and the network side behavior of the Linux system. Analyzing with the algorithm T1, the system kernel and patch data set F_x is {Ubuntu 16.04.2 LTS, Linux version 4.8.0-52-generic, CVE-2018-8822_PATCH}, the system network data set L_x is {{docker0, ens, lo}, {172.17.0.1, 192.168.51.105, 127.0.0.1}, {80, 110, 31524, 22}, {http, tcp, ssh}}, and the system process, service and executable file data set D_x is {{java, dockerd, mysqld, systemd, sshd}, {excute_file_1, excute_file_2, excute_file_3}}. That is, the calculation result is T1{(F_x, L_x), D_x} = {({Ubuntu 16.04.2 LTS, Linux version 4.8.0-52-generic, CVE-2018-8822_PATCH}, {{docker0, ens18, lo}, {172.17.0.1, 192.168.51.105, 127.0.0.1}, {80, 110, 31524, 22}, {http, tcp, ssh}}), {{java, dockerd, mysqld, systemd, sshd}, {excute_file_1, excute_file_2, excute_file_3}}}. T1{(F_x, L_x), D_x} = 1: executable file running and network side behavior occur, and the marked behavior feature set X_x generated at this time is {{{excute_file_1, excute_file_3}, {legacy_parse_param(), push_pipe(), ncp_read_kernel()}}, {{ens}, {packet8, packet4}}}.
Further, step S140 determines the executable file running behavior and the network side behavior according to the generated marked behavior feature set X_x. Analyzing with the algorithm T2, the marked behavior feature content data set X_x is {{excute_file_1, excute_file_3}, {ens}}, indicating that the two executable files excute_file_1 and excute_file_3 have running behavior and call the three kernel functions legacy_parse_param(), push_pipe() and ncp_read_kernel(), while at the same time network side behavior is monitored on the network card ens, with two network request packets, packet8 and packet4; the system process, service and executable file data set D_x is {{java, dockerd, mysqld, systemd, sshd}, {excute_file_1, excute_file_2, excute_file_3}}. That is, T2(X_x, D_x) = {{{excute_file_1, excute_file_3}, {ens}}, {{java, dockerd, mysqld, systemd, sshd}, {excute_file_1, excute_file_2, excute_file_3}}} is calculated, and whether the current behavior is a single kernel calling behavior, a single network behavior, or both a kernel calling behavior and a network behavior is identified, that is, T2(X_x, D_x) = 1, T2(X_x, D_x) = 2 or T2(X_x, D_x) = 3.
In this example both executable file running and network side behavior exist, and analysis with the algorithm T2 gives T2(X_x, D_x) = 3. Here the classification behavior feature P_FLx obtained is {{legacy_parse_param(), push_pipe(), ncp_read_kernel()}, {packet8, packet4}}. Since P_FLx = P_Fx + P_Lx, where P_Fx is {legacy_parse_param(), push_pipe(), ncp_read_kernel()} and P_Lx is {packet8, packet4}, the algorithms below analyze P_Fx and P_Lx separately.
Further, step S150 intervenes in the running behavior of the executable file according to the obtained classification behavior feature P_Fx to perform kernel instrumentation function analysis. Analyzing with the algorithm T3, P_Fx is the classification feature of the kernel calling behavior, F_x is the kernel and patch data set, and Q_Fx is the vulnerability-related kernel function detection feature data set; that is, T3{(P_Fx, F_x), Q_Fx} = 0 or T3{(P_Fx, F_x), Q_Fx} = 1 is calculated. In this example, the classification behavior feature P_Fx is {legacy_parse_param(), push_pipe(), ncp_read_kernel()}, the kernel and patch data set F_x is {Ubuntu 16.04.2 LTS, Linux version 4.8.0-52-generic, CVE-2018-8822_PATCH}, and the vulnerability-related kernel function detection feature data set Q_Fx provided in the kernel_check.ini vulnerability-related kernel function detection feature configuration file is {{CVE-2022-0185, CVE-2022-0847, CVE-2018-5390, CVE-2018-8822}, {{legacy_parse_param()}, {copy_page_to_iter_pipe(), push_pipe()}, {tcp_collapse_ofo_queue()}, {ncp_read_kernel()}}}; that is, T3{(P_Fx, F_x), Q_Fx} = {({legacy_parse_param(), push_pipe(), ncp_read_kernel()}, {Ubuntu 16.04.2 LTS, Linux version 4.8.0-52-generic, CVE-2018-8822_PATCH}), {{CVE-2022-0185, CVE-2022-0847, CVE-2018-5390, CVE-2018-8822}, {{legacy_parse_param()}, {copy_page_to_iter_pipe(), push_pipe()}, {tcp_collapse_ofo_queue()}, {ncp_read_kernel()}}}} is calculated, and the set R_Fx of called kernel functions is generated at this time.
In the present example, the kernel functions legacy_parse_param(), push_pipe() and ncp_read_kernel() called by the running executable files excute_file_1 and excute_file_3 correspond to the kernel vulnerabilities CVE-2022-0185, CVE-2022-0847 and CVE-2018-8822, and T3{(P_Fx, F_x), Q_Fx} = 1. The current Linux system environment already has the patch CVE-2018-8822_PATCH, so the called kernel vulnerability function set R_Fx analyzed by the algorithm T3 is {legacy_parse_param(), push_pipe()}.
Further, step S160 acquires the corresponding instrumentation code from the normal patch logic rewriting instrumentation feature data set according to the obtained called kernel vulnerability function set R_Fx, for instrumentation. The called kernel vulnerability function data set R_Fx is {legacy_parse_param(), push_pipe()}, the kernel vulnerability normal patch logic rewriting instrumentation feature data set K_Fx provided in the kernel_patch.ini configuration file is {CVE-2022-0185_PATCH, CVE-2022-0847_PATCH, CVE-2018-5390_PATCH, CVE-2018-8822_PATCH}, and the classification behavior feature data set P_Fx of the kernel calling behavior is {legacy_parse_param(), push_pipe(), ncp_read_kernel()}; that is, T4{(R_Fx, K_Fx), P_Fx} = {({legacy_parse_param(), push_pipe()}, {CVE-2022-0185_PATCH, CVE-2022-0847_PATCH, CVE-2018-5390_PATCH, CVE-2018-8822_PATCH}), {legacy_parse_param(), push_pipe(), ncp_read_kernel()}} is calculated. When T4{(R_Fx, K_Fx), P_Fx} = 0, there is currently no abnormality in the instrumentation injection operations on the two kernel functions legacy_parse_param() and push_pipe(); when T4{(R_Fx, K_Fx), P_Fx} = 1, there is currently an abnormality in the instrumentation injection operations on those two kernel functions. The exception information is stored in the process and result information data set J_Fx.
In this example, step S170 determines whether network side behavior exists on the basis of step S140; since step S140 obtained T2(X_x, D_x) = 3 through analysis with the algorithm T2, step S170 finds that network side behavior exists.
Further, steps S180 and S190 intervene in the network side behavior according to the obtained classification behavior feature P_Lx to analyze and judge the network layer data packets. In this example, the classification behavior feature P_Lx is {packet8, packet4}, the network data set L_x is {{docker0, ens, lo}, {172.17.0.1, 192.168.51.105, 127.0.0.1}, {80, 110, 31524, 22}, {http, tcp, ssh}}, and the vulnerability-related network request packet detection feature data set Q_Lx provided in the packet_check.ini vulnerability-related network request packet detection feature configuration file is {packet1, packet2, packet3, packet4, packet5, packet6}; that is, T5{(P_Lx, L_x), Q_Lx} = {({packet8, packet4}, {{docker0, ens, lo}, {172.17.0.1, 192.168.51.105, 127.0.0.1}, {80, 110, 31524, 22}, {http, tcp, ssh}}), {packet1, packet2, packet3, packet4, packet5, packet6}} is calculated, and the matching network request packet set R_Lx is generated at this time.
In this example, packet4 of the network request packets hits {packet1, packet2, packet3, packet4, packet5, packet6}, so T5{(P_Lx, L_x), Q_Lx} = 1, and the matching network request packet set R_Lx analyzed by the algorithm T5 is {packet4}.
Further, step S200 acquires the corresponding network response packet from the network response packet modification instrumentation feature data set according to the obtained matching network request packet set R_Lx, for instrumentation modification. In this example, the called kernel vulnerability function data set R_Lx is {packet4}, the kernel vulnerability network response packet modification instrumentation feature data set K_Lx provided in the packet_patch.ini configuration file is {packet1_response_PATCH, packet2_response_PATCH, packet3_response_PATCH, packet4_response_PATCH, packet5_response_PATCH, packet6_response_PATCH}, and the classification behavior feature data set P_Lx of the network request behavior is {packet8, packet4}; that is, T6{(R_Lx, K_Lx), P_Lx} = {({packet4}, {packet1_response_PATCH, packet2_response_PATCH, packet3_response_PATCH, packet4_response_PATCH, packet5_response_PATCH, packet6_response_PATCH}), {packet8, packet4}} is calculated. When T6{(R_Lx, K_Lx), P_Lx} = 0, there is no abnormality in the current instrumentation modification operation on the network response packet corresponding to the network request packet4; when T6{(R_Lx, K_Lx), P_Lx} = 1, there is an abnormality in the instrumentation modification operation on the network response packet corresponding to the network request packet4. The exception information is stored in the process and result information data set J_Lx.
Further, step S210 determines whether there is an abnormality in the instrumentation process described above, and if so, an abnormality alarm is raised. In the present example, step S140 obtained T2(X_x, D_x) = 3 through analysis with the algorithm T2, so both kernel calling behavior and network side behavior exist and the algorithm T7 is used for the analysis. The algorithm T7 is a combined multiplexing of the four algorithms T3, T4, T5 and T6; that is, T7{(T3, T4), (T5, T6)} = {({({legacy_parse_param(), push_pipe(), ncp_read_kernel()}, {Ubuntu 16.04.2 LTS, Linux version 4.8.0-52-generic, CVE-2018-8822_PATCH}), {{CVE-2022-0185, CVE-2022-0847, CVE-2018-5390, CVE-2018-8822}, {{legacy_parse_param()}, {copy_page_to_iter_pipe(), push_pipe()}, {tcp_collapse_ofo_queue()}, {ncp_read_kernel()}}}}, {({legacy_parse_param(), push_pipe()}, {CVE-2022-0185_PATCH, CVE-2022-0847_PATCH, CVE-2018-5390_PATCH, CVE-2018-8822_PATCH}), {legacy_parse_param(), push_pipe(), ncp_read_kernel()}}), ({({packet8, packet4}, {{docker0, ens, lo}, {172.17.0.1, 192.168.51.105, 127.0.0.1}, {80, 110, 31524, 22}, {http, tcp, ssh}}), {packet1, packet2, packet3, packet4, packet5, packet6}}, {({packet4}, {packet1_response_PATCH, packet2_response_PATCH, packet3_response_PATCH, packet4_response_PATCH, packet5_response_PATCH, packet6_response_PATCH}), {packet8, packet4}})} is calculated. When T7{(T3, T4), (T5, T6)} = 0, there is no abnormality in either the instrumentation of the kernel functions or the instrumentation of the network side behavior; when T7{(T3, T4), (T5, T6)} = 1, there is an abnormality in at least one of the processes of kernel function instrumentation and network side behavior instrumentation. The exception information is stored in the process and result information data set J_FLx.
Further, step S220 processes the abnormality information and raises an alarm. Analyzing with the algorithm T8, J_Fx is the abnormality information during the kernel level instrumentation, J_Lx is the abnormality information during the network level instrumentation, and J_FLx is the abnormality information when the kernel level and network level instrumentation algorithms are combined and multiplexed by the algorithm T7; that is, T8{J_Fx, J_Lx, J_FLx} = 0 or T8{J_Fx, J_Lx, J_FLx} = 1 is calculated. If no abnormality information exists in this embodiment, the unaware Linux kernel vulnerability patch mitigation process is achieved; otherwise abnormality information exists, the finally processed abnormality information J_Allx is obtained through analysis with the algorithm T8, and an abnormality alarm is raised.
By means of the eBPF technology, the Linux system kernel vulnerability patch mitigation method, on the basis of monitoring executable file running behavior and network behavior, code instrumentation of kernel function calls, and instrumentation rewriting of network packets, realizes dynamic patch injection while the executable file runs and before the network flow packet is responded to, and can accurately defend against Linux kernel vulnerability attacks without actually installing the normal Linux kernel vulnerability patches.
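The decision chain defined by the algorithms T3 to T8 above, and the worked example just given, reduce to set operations over the four feature configuration files. The following Python block is an added illustration written for this page; it is not the patent's program, and the .ini layout, the section names, the function names t3 to t8 and run_example, and the exception strings are all assumptions. It runs the page's example data (P_Fx, F_x, P_Lx and the Q/K feature sets) through the chain and also exercises the failure mode that T8 reports: a matched packet or kernel function for which no instrumentation feature is available.

```python
"""Model of the T3-T8 decision chain on the description's example data.
Added illustration, not the patent's own program; the .ini layout is assumed."""
import configparser
from typing import Dict, Set, Tuple

# Constructed stand-ins for kernel_check.ini, kernel_patch.ini, packet_check.ini
# and packet_patch.ini. The page lists only the sets they hold; "key = value" is assumed.
KERNEL_CHECK_INI = """[kernel_check]
CVE-2022-0185 = legacy_parse_param()
CVE-2022-0847 = copy_page_to_iter_pipe(), push_pipe()
CVE-2018-5390 = tcp_collapse_ofo_queue()
CVE-2018-8822 = ncp_read_kernel()
"""
KERNEL_PATCH_INI = """[kernel_patch]
CVE-2022-0185 = CVE-2022-0185_PATCH
CVE-2022-0847 = CVE-2022-0847_PATCH
CVE-2018-5390 = CVE-2018-5390_PATCH
CVE-2018-8822 = CVE-2018-8822_PATCH
"""
PACKET_CHECK_INI = """[packet_check]
signatures = packet1, packet2, packet3, packet4, packet5, packet6
"""
PACKET_PATCH_INI = """[packet_patch]
packet1 = packet1_response_PATCH
packet2 = packet2_response_PATCH
packet3 = packet3_response_PATCH
packet4 = packet4_response_PATCH
packet5 = packet5_response_PATCH
packet6 = packet6_response_PATCH
"""

Feature = Dict[str, Set[str]]


def load_feature(text: str, section: str) -> Feature:
    """Parse one section into {key: set of comma-separated values}."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep CVE ids and packet ids case-sensitive
    cp.read_string(text)
    return {k: {v.strip() for v in val.split(",")} for k, val in cp[section].items()}


def t3(p_fx: Set[str], f_x: Set[str], q_fx: Feature) -> Tuple[int, Set[str]]:
    """T3: flag 1 if any called function is vulnerability-related; R_Fx keeps only
    functions of CVEs whose patch is absent from the kernel/patch data set F_x."""
    hits: Set[str] = set()
    r_fx: Set[str] = set()
    for cve, funcs in q_fx.items():
        matched = p_fx & funcs
        hits |= matched
        if f"{cve}_PATCH" not in f_x:  # not already patched on this host
            r_fx |= matched
    return (1 if hits else 0), r_fx


def t4(r_fx: Set[str], k_fx: Feature, q_fx: Feature) -> Tuple[int, Set[str]]:
    """T4: each function in R_Fx needs a patch-logic feature in K_Fx; J_Fx holds exceptions."""
    j_fx: Set[str] = set()
    for func in sorted(r_fx):
        cves = [cve for cve, funcs in q_fx.items() if func in funcs]
        if not any(cve in k_fx for cve in cves):
            j_fx.add(f"no patch instrumentation feature for {func}")
    return (1 if j_fx else 0), j_fx


def t5(p_lx: Set[str], q_lx: Set[str]) -> Tuple[int, Set[str]]:
    """T5: R_Lx = request packets that hit a vulnerability-related signature."""
    r_lx = p_lx & q_lx
    return (1 if r_lx else 0), r_lx


def t6(r_lx: Set[str], k_lx: Feature) -> Tuple[int, Set[str]]:
    """T6: each matched packet needs a response-modification feature in K_Lx; J_Lx holds exceptions."""
    j_lx = {f"no response instrumentation feature for {p}" for p in sorted(r_lx) if p not in k_lx}
    return (1 if j_lx else 0), j_lx


def t7(j_fx: Set[str], j_lx: Set[str]) -> Set[str]:
    """T7: both behaviors present, so J_FLx combines the kernel and network exception sets."""
    return j_fx | j_lx


def t8(j_fx: Set[str], j_lx: Set[str], j_flx: Set[str]) -> Tuple[int, Set[str]]:
    """T8: deduplicate all exception information into J_Allx; flag 1 means alarm (step S220)."""
    j_allx = j_fx | j_lx | j_flx
    return (1 if j_allx else 0), j_allx


def run_example(kernel_patch_ini: str = KERNEL_PATCH_INI,
                packet_patch_ini: str = PACKET_PATCH_INI) -> dict:
    """Run the chain on the example host state and behavior features from the description."""
    q_fx = load_feature(KERNEL_CHECK_INI, "kernel_check")
    k_fx = load_feature(kernel_patch_ini, "kernel_patch")
    q_lx = load_feature(PACKET_CHECK_INI, "packet_check")["signatures"]
    k_lx = load_feature(packet_patch_ini, "packet_patch")
    p_fx = {"legacy_parse_param()", "push_pipe()", "ncp_read_kernel()"}  # P_Fx
    f_x = {"Ubuntu 16.04.2 LTS", "Linux version 4.8.0-52-generic", "CVE-2018-8822_PATCH"}  # F_x
    p_lx = {"packet8", "packet4"}  # P_Lx
    t3_flag, r_fx = t3(p_fx, f_x, q_fx)
    _, j_fx = t4(r_fx, k_fx, q_fx)
    t5_flag, r_lx = t5(p_lx, q_lx)
    _, j_lx = t6(r_lx, k_lx)
    t8_flag, j_allx = t8(j_fx, j_lx, t7(j_fx, j_lx))
    return {"T3": t3_flag, "R_Fx": r_fx, "T5": t5_flag, "R_Lx": r_lx,
            "T8": t8_flag, "J_Allx": j_allx}
```

With the example data, run_example() reproduces R_Fx = {legacy_parse_param(), push_pipe()} (ncp_read_kernel() is dropped because CVE-2018-8822_PATCH is already in F_x) and R_Lx = {packet4}, with an empty J_Allx and T8 = 0. Passing a packet_patch section that lacks packet4, or a kernel_patch section that lacks CVE-2022-0847, makes T8 return 1 with the offending item named in J_Allx, which is the case the description routes to the alarm in step S220.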
Fig. 6 is a schematic block diagram of a Linux system kernel vulnerability patch mitigation system 300 based on eBPF technology according to an embodiment of the present invention. As shown in fig. 6, the present invention further provides a Linux system kernel vulnerability patch mitigation system 300 based on the eBPF technology, corresponding to the above Linux system kernel vulnerability patch mitigation method based on the eBPF technology. The Linux system kernel vulnerability patch mitigation system 300 based on the eBPF technology includes a unit for executing the Linux system kernel vulnerability patch mitigation method based on the eBPF technology, and the system may be configured in a server. Specifically, referring to fig. 6, the Linux system kernel vulnerability patch mitigation system 300 based on the eBPF technology includes a deployment unit 301, an extraction unit 302, a file operation unit 303, a first determination unit 304, a first instrumentation unit 305, a code insertion unit 306, a second determination unit 307, a second instrumentation unit 308, a third determination unit 309, a third instrumentation unit 310, a fourth determination unit 311, and an alarm unit 312.
A deployment unit 301, configured to deploy an eBPF patch mitigation program; an extracting unit 302, configured to extract relevant information about the Linux system network and kernel; a file running unit 303, configured to run the Linux system executable file using the eBPF patch mitigation program and monitor network side behavior to obtain a monitoring result; a first determining unit 304, configured to determine whether an executable file running behavior or a network side behavior exists in the monitoring result; a first instrumentation unit 305, configured to, if an executable file running behavior or a network side behavior exists in the monitoring result, use the eBPF patch mitigation program to intervene in the executable file running and perform kernel instrumentation; a code insertion unit 306, configured to insert normal patch logic conversion code; a second determining unit 307, configured to determine whether a network side behavior exists in the monitoring result; a second instrumentation unit 308, configured to, if a network side behavior exists in the monitoring result, use the eBPF patch mitigation program to intervene in the network side behavior at runtime and perform network instrumentation to obtain an intervention result; a third determining unit 309, configured to determine whether the intervention result matches a network packet rule base; a third instrumentation unit 310, configured to, if the intervention result matches the network packet rule base, instrument a network layer function and modify a network response packet; a fourth determining unit 311, configured to determine whether the instrumentation process is abnormal; and an alarm unit 312, configured to generate alarm information with relevant information details if there is an abnormality in the instrumentation process, so as to raise an abnormality alarm.
In an embodiment, as shown in fig. 7, the first determining unit 304 includes a set acquiring subunit 3041, a first data set acquiring subunit 3042, a second data set acquiring subunit 3043, and a calculating subunit 3044.
A set acquiring subunit 3041, configured to acquire a Linux system kernel and patch information set and a Linux system network information set; a first data set acquiring subunit 3042, configured to acquire each kernel and patch data set according to the Linux system kernel and patch information set; a second data set acquiring subunit 3043, configured to acquire each network data set for the Linux system network information set; and a calculating subunit 3044, configured to calculate, according to each network data set and each kernel and patch data set, whether executable file running or network side behavior occurs, and to generate a marked behavior feature set.
In one embodiment, as shown in fig. 8, the code insertion unit 306 includes a code acquiring subunit 3061 and a code instrumentation subunit 3062.
A code acquiring subunit 3061, configured to acquire the corresponding instrumentation code from the normal patch logic rewriting instrumentation feature data set; and a code instrumentation subunit 3062, configured to perform instrumentation using the instrumentation code.
In one embodiment, as shown in fig. 9, the third instrumentation unit 310 includes a response packet acquisition subunit 3101 and an instrumentation modification subunit 3102.
A response packet obtaining subunit 3101, configured to obtain a corresponding network response packet from the network response packet modification instrumentation feature data set; an instrumentation modification subunit 3102, configured to perform instrumentation modification by using the network response packet.
It should be noted that, as can be clearly understood by those skilled in the art, for the specific implementation process of the foregoing Linux system kernel vulnerability patch mitigation system 300 based on the eBPF technology and each unit, reference may be made to the corresponding description in the foregoing method embodiments, and for convenience and brevity of description, no further description is provided herein.
The Linux system kernel vulnerability patch mitigation system 300 based on eBPF technology may be implemented in the form of a computer program that may run on a computer device as shown in fig. 10.
Referring to fig. 10, fig. 10 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 500 may be a server, where the server may be an independent server or a server cluster composed of a plurality of servers.
Referring to fig. 10, the computer device 500 includes a processor 502, memory, and a network interface 505 connected by a system bus 501, where the memory may include a non-volatile storage medium 503 and an internal memory 504.
The non-volatile storage medium 503 may store an operating system 5031 and a computer program 5032. The computer programs 5032 include program instructions that, when executed, cause the processor 502 to perform a Linux system kernel vulnerability patch mitigation method based on eBPF technology.
The processor 502 is used to provide computing and control capabilities to support the operation of the overall computer device 500.
The internal memory 504 provides an environment for the computer program 5032 in the non-volatile storage medium 503 to run, and when the computer program 5032 is executed by the processor 502, the processor 502 may execute a Linux system kernel vulnerability patch mitigation method based on eBPF technology.
The network interface 505 is used for network communication with other devices. Those skilled in the art will appreciate that the configuration shown in fig. 10 is a block diagram of only a portion of the configuration relevant to the present teachings and is not intended to limit the computing device 500 to which the present teachings may be applied, and that a particular computing device 500 may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
Wherein the processor 502 is configured to run the computer program 5032 stored in the memory to implement the following steps:
deploying an eBPF patch mitigation program; extracting related information of the Linux system network and kernel; running an executable file of the Linux system using the eBPF patch mitigation program, and monitoring the network side behavior to obtain a monitoring result; determining whether an executable file running behavior or a network side behavior exists in the monitoring result; if an executable file running behavior or a network side behavior exists in the monitoring result, using the eBPF patch mitigation program to intervene in the executable file running and perform kernel instrumentation; inserting normal patch logic conversion code; determining whether a network side behavior exists in the monitoring result; if a network side behavior exists in the monitoring result, using the eBPF patch mitigation program to intervene in the network side behavior at runtime and perform network instrumentation to obtain an intervention result; determining whether the intervention result matches a network packet rule base; if the intervention result matches the network packet rule base, instrumenting a network layer function and modifying a network response packet; determining whether the instrumentation process is abnormal; and if the instrumentation process is abnormal, generating alarm information with relevant information details to raise an abnormality alarm.
Wherein the eBPF patch mitigation program realizes patch mitigation through instrumentation injection into the kernel and the network of the Linux system; two detection features and two instrumentation features are built in, namely the vulnerability-related kernel function detection feature and the normal patch logic rewriting instrumentation feature for the kernel, and the vulnerability-related network request packet detection feature and the network response packet modification instrumentation feature for the network.
The Linux system network and kernel related information comprises: network card information; network service and port opening information; the network service and the open port correspond to protocol type information; kernel version information; the current system has patch information; process, service, and executable file information.
In an embodiment, after implementing the step of determining whether a network side behavior exists in the monitoring result, the processor 502 further implements the following steps:
and if no network side behavior exists in the monitoring result, executing the determination of whether the instrumentation process is abnormal.
In an embodiment, after implementing the step of determining whether the intervention result matches the network packet rule base, the processor 502 further implements the following steps:
and if the intervention result does not match the network packet rule base, executing the determination of whether the instrumentation process is abnormal.
In an embodiment, when the step of determining whether the executable file running behavior or the network side behavior exists in the monitoring result is implemented by the processor 502, the following steps are specifically implemented:
acquiring a Linux system kernel and patch information set and a Linux system network information set; acquiring each kernel and patch data set according to the Linux system kernel and patch information set; acquiring each network data set for the Linux system network information set; and calculating, according to each network data set and each kernel and patch data set, whether executable file running or network side behavior occurs, and generating a marked behavior feature set.
In an embodiment, when the processor 502 implements the step of inserting the normal patch logic conversion code, the following steps are specifically implemented:
acquiring corresponding instrumentation codes from the normal patch logic rewriting instrumentation feature data set; and performing pile inserting by using the pile inserting codes.
In an embodiment, when the processor 502 implements the step of instrumenting the network layer function and modifying the network response packet, the following steps are specifically implemented:
acquiring a corresponding network response packet from the network response packet modification instrumentation characteristic data set; and performing instrumentation modification by using the network response packet.
It should be understood that, in the embodiment of the present application, the processor 502 may be a Central Processing Unit (CPU), and the processor 502 may also be another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
It will be understood by those skilled in the art that all or part of the flow of the method implementing the above embodiments may be implemented by a computer program instructing associated hardware. The computer program includes program instructions, and the computer program may be stored in a storage medium, which is a computer-readable storage medium. The program instructions are executed by at least one processor in the computer system to implement the flow steps of the embodiments of the method described above.
Accordingly, the present invention also provides a storage medium. The storage medium may be a computer-readable storage medium. The storage medium stores a computer program, wherein the computer program, when executed by a processor, causes the processor to perform the steps of:
deploying an eBPF patch mitigation program; extracting related information of the Linux system network and kernel; running a Linux system executable file with the eBPF patch mitigation program and monitoring network side behavior to obtain a monitoring result; judging whether an executable file operation behavior or a network side behavior exists in the monitoring result; if an executable file operation behavior or a network side behavior exists in the monitoring result, using the eBPF patch mitigation program to instrument the kernel while the executable file runs; inserting normal patch logic conversion code; judging whether a network side behavior exists in the monitoring result; if a network side behavior exists in the monitoring result, using the eBPF patch mitigation program to intervene with network instrumentation while the network side behavior runs, so as to obtain an intervention result; judging whether the intervention result matches a network packet rule base; if the intervention result matches the network packet rule base, instrumenting a network layer function and modifying the network response packet; judging whether the instrumentation process is abnormal; and if the instrumentation process is abnormal, generating alarm information with relevant details to raise an alarm for the abnormality.
The eBPF patch mitigation program achieves patch mitigation by injecting instrumentation into the kernel and the network stack of the Linux system, and embeds two detection features and two instrumentation features, namely a vulnerability-related kernel function detection feature and a normal patch logic rewriting instrumentation feature for the kernel, and a vulnerability-related network request data packet detection feature and a network response packet modification instrumentation feature for the network.
The Linux system network and kernel related information comprises: network card information; network service and open port information; the protocol type information corresponding to each network service and open port; kernel version information; the patch information currently present on the system; and process, service, and executable file information.
In an embodiment, after the processor executes the computer program to implement the step of judging whether a network side behavior exists in the monitoring result, the processor further implements the following step:
if no network side behavior exists in the monitoring result, proceeding to the judgment of whether the instrumentation process is abnormal.
In an embodiment, after the processor executes the computer program to implement the step of judging whether the intervention result matches a network packet rule base, the following step is further performed:
if the intervention result does not match the network packet rule base, proceeding to the judgment of whether the instrumentation process is abnormal.
In an embodiment, when the processor executes the computer program to implement the step of judging whether an executable file operation behavior or a network side behavior exists in the monitoring result, the following steps are specifically implemented:
acquiring a Linux system kernel and patch information collection and a Linux system network information collection; obtaining each kernel and patch data set from the kernel and patch information collection; obtaining each network data set from the network information collection; and computing, from each network data set and each kernel and patch data set, whether executable file operation or network side behavior occurs, and generating a marked behavior feature set.
In an embodiment, when the processor executes the computer program to implement the step of inserting the normal patch logic conversion code, the following steps are specifically implemented:
obtaining the corresponding instrumentation code from the normal patch logic rewriting instrumentation feature data set; and performing instrumentation with that instrumentation code.
In an embodiment, when the processor executes the computer program to implement the steps of instrumenting the network layer function and modifying the network response packet, the following steps are specifically implemented:
obtaining the corresponding network response packet from the network response packet modification instrumentation feature data set; and performing the instrumentation modification with that network response packet.
The storage medium may be a USB disk, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, an optical disk, or any other computer-readable storage medium capable of storing program code.
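The decision flow of the steps above (marking which kernel and network features apply to a host, matching captured requests against the network packet rule base, and alarming on an abnormal instrumentation process), modelled in plain Python as an added example that is not the patent's own code. The kernel function names, patch identifiers, rule markers, packets and hook states are constructed placeholders; a real deployment would drive eBPF hooks from these decisions.

```python
"""Decision flow of the eBPF patch-mitigation method, with constructed sample data."""
from dataclasses import dataclass


@dataclass
class KernelFeature:
    """Kernel-side feature pair: the vulnerability-related kernel function to
    instrument, and the patch whose presence makes the instrumentation unnecessary."""
    name: str
    fixed_by_patch: str
    kernel_function: str


@dataclass
class NetRule:
    """Network-side feature pair: a request detection marker and the response
    packet substituted when a request on that port matches."""
    name: str
    port: int
    request_marker: bytes
    response_override: bytes


@dataclass
class HostInfo:
    """Subset of the 'network and kernel related information' the method extracts."""
    kernel_version: str
    installed_patches: set
    open_ports: set


def mark_behaviours(host, features, rules):
    """Build the marked behaviour feature set: kernel features whose fix is
    absent on this host, and network rules whose port is actually open."""
    kernel_needed = [f for f in features if f.fixed_by_patch not in host.installed_patches]
    net_needed = [r for r in rules if r.port in host.open_ports]
    return kernel_needed, net_needed


def intervene_packet(port, packet, rules):
    """Network instrumentation step: match a captured request against the rule
    base; on a hit return the rule and the response packet to substitute."""
    for rule in rules:
        if rule.port == port and rule.request_marker in packet:
            return rule, rule.response_override
    return None, None


def check_instrumentation(hook_status):
    """Anomaly check on the instrumentation process: each hook that was
    requested but did not attach yields one alarm line carrying its details."""
    return [f"hook on {h['function']} requested but not attached ({h['reason']})"
            for h in hook_status if not h["attached"]]


def run_mitigation(host, features, rules, packets, hook_status):
    """Run the whole flow once; returns (actions taken, alarms raised)."""
    kernel_needed, net_needed = mark_behaviours(host, features, rules)
    actions = [f"instrument {f.kernel_function} with patch logic for {f.name}"
               for f in kernel_needed]
    for port, packet in packets:
        rule, _response = intervene_packet(port, packet, net_needed)
        if rule is not None:
            actions.append(f"rewrite response on port {port} per rule {rule.name}")
    return actions, check_instrumentation(hook_status)


# Constructed sample input: one patch missing and one present; a probe-like
# request on an open port, a benign request, and a request on a port without a rule.
SAMPLE_HOST = HostInfo("5.15.0-placeholder", {"patch-b"}, {22, 80})
SAMPLE_FEATURES = [KernelFeature("vuln-a", "patch-a", "vuln_func_a"),
                   KernelFeature("vuln-b", "patch-b", "vuln_func_b")]
SAMPLE_RULES = [NetRule("http-probe", 80, b"X-Probe: overlong", b"HTTP/1.1 400 Bad Request\r\n\r\n"),
                NetRule("alt-port-probe", 8080, b"PROBE", b"")]
SAMPLE_PACKETS = [(80, b"GET / HTTP/1.1\r\nX-Probe: overlong\r\n\r\n"),
                  (80, b"GET /index HTTP/1.1\r\n\r\n"),
                  (22, b"SSH-2.0-client\r\n")]
SAMPLE_HOOKS = [{"function": "vuln_func_a", "attached": True, "reason": ""},
                {"function": "tcp_recvmsg", "attached": False, "reason": "verifier rejected program"}]

if __name__ == "__main__":
    acts, alarms = run_mitigation(SAMPLE_HOST, SAMPLE_FEATURES, SAMPLE_RULES, SAMPLE_PACKETS, SAMPLE_HOOKS)
    print("\n".join(acts + alarms))
```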
Those of ordinary skill in the art will appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the components and steps of the various examples have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed system and method can be implemented in other ways. For example, the system embodiments described above are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, various elements or components may be combined or may be integrated into another system, or some features may be omitted, or not implemented.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the system of the embodiment of the invention can be merged, divided and deleted according to actual needs. In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a storage medium. Based on such understanding, the technical solution of the present invention essentially or partly contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a terminal, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention.
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A Linux system kernel vulnerability patch mitigation method based on eBPF technology, characterized by comprising the following steps:
deploying an eBPF patch mitigation program;
extracting related information of a Linux system network and kernel;
running an executable file of the Linux system with the eBPF patch mitigation program, and monitoring network side behavior to obtain a monitoring result;
judging whether an executable file operation behavior or a network side behavior exists in the monitoring result;
if an executable file operation behavior or a network side behavior exists in the monitoring result, using the eBPF patch mitigation program to instrument the kernel while the executable file runs;
inserting normal patch logic conversion code;
judging whether a network side behavior exists in the monitoring result;
if a network side behavior exists in the monitoring result, using the eBPF patch mitigation program to intervene with network instrumentation while the network side behavior runs, so as to obtain an intervention result;
judging whether the intervention result matches a network packet rule base;
if the intervention result matches the network packet rule base, instrumenting a network layer function and modifying the network response packet;
judging whether the instrumentation process is abnormal;
and if the instrumentation process is abnormal, generating alarm information with relevant details to raise an alarm for the abnormality.
2. The Linux system kernel vulnerability patch mitigation method based on eBPF technology of claim 1, wherein after judging whether a network side behavior exists in the monitoring result, the method further comprises:
if no network side behavior exists in the monitoring result, proceeding to the judgment of whether the instrumentation process is abnormal;
and after the step of judging whether the intervention result matches the network packet rule base, the method further comprises:
if the intervention result does not match the network packet rule base, proceeding to the judgment of whether the instrumentation process is abnormal.
3. The Linux system kernel vulnerability patch mitigation method based on eBPF technology of claim 1, wherein the eBPF patch mitigation program achieves patch mitigation by injecting instrumentation into the kernel and the network stack of the Linux system, and has two detection features and two instrumentation features built in, namely a vulnerability-related kernel function detection feature and a normal patch logic rewriting instrumentation feature for the kernel, and a vulnerability-related network request data packet detection feature and a network response packet modification instrumentation feature for the network.
4. The Linux system kernel vulnerability patch mitigation method based on eBPF technology of claim 1, wherein the Linux system network and kernel related information comprises: network card information; network service and open port information; the protocol type information corresponding to each network service and open port; kernel version information; the patch information currently present on the system; and process, service, and executable file information.
5. The Linux system kernel vulnerability patch mitigation method based on eBPF technology of claim 1, wherein judging whether an executable file operation behavior or a network side behavior exists in the monitoring result comprises:
acquiring a Linux system kernel and patch information collection and a Linux system network information collection;
obtaining each kernel and patch data set from the Linux system kernel and patch information collection;
obtaining each network data set from the Linux system network information collection;
and computing, from each network data set and each kernel and patch data set, whether executable file operation or network side behavior occurs, and generating a marked behavior feature set.
6. The Linux system kernel vulnerability patch mitigation method based on eBPF technology of claim 1, wherein inserting the normal patch logic conversion code comprises:
obtaining the corresponding instrumentation code from the normal patch logic rewriting instrumentation feature data set;
and performing instrumentation with that instrumentation code.
7. The Linux system kernel vulnerability patch mitigation method based on eBPF technology of claim 1, wherein instrumenting the network layer function and modifying the network response packet comprises:
obtaining the corresponding network response packet from the network response packet modification instrumentation feature data set;
and performing the instrumentation modification with that network response packet.
8. A Linux system kernel vulnerability patch mitigation system based on eBPF technology, characterized by comprising:
a deployment unit, configured to deploy an eBPF patch mitigation program;
an extraction unit, configured to extract related information of a Linux system network and kernel;
a file running unit, configured to run a Linux system executable file with the eBPF patch mitigation program and monitor network side behavior to obtain a monitoring result;
a first judgment unit, configured to judge whether an executable file operation behavior or a network side behavior exists in the monitoring result;
a first instrumentation unit, configured to, if an executable file operation behavior or a network side behavior exists in the monitoring result, use the eBPF patch mitigation program to instrument the kernel while the executable file runs;
a code insertion unit, configured to insert normal patch logic conversion code;
a second judgment unit, configured to judge whether a network side behavior exists in the monitoring result;
a second instrumentation unit, configured to, if a network side behavior exists in the monitoring result, use the eBPF patch mitigation program to intervene with network instrumentation while the network side behavior runs, so as to obtain an intervention result;
a third judgment unit, configured to judge whether the intervention result matches a network packet rule base;
a third instrumentation unit, configured to, if the intervention result matches the network packet rule base, instrument a network layer function and modify the network response packet;
a fourth judgment unit, configured to judge whether the instrumentation process is abnormal;
and an alarm unit, configured to, if the instrumentation process is abnormal, generate alarm information with relevant details to raise an alarm for the abnormality.
9. A computer device, characterized in that the computer device comprises a memory, on which a computer program is stored, and a processor, which when executing the computer program implements the method according to any of claims 1 to 7.
10. A storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 7.
CN202211065564.4A 2022-09-01 2022-09-01 Linux system kernel vulnerability patch relieving method and system based on eBPF technology Active CN115146262B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211065564.4A CN115146262B (en) 2022-09-01 2022-09-01 Linux system kernel vulnerability patch relieving method and system based on eBPF technology

Publications (2)

Publication Number Publication Date
CN115146262A true CN115146262A (en) 2022-10-04
CN115146262B CN115146262B (en) 2023-03-28

Family

ID=83416594

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211065564.4A Active CN115146262B (en) 2022-09-01 2022-09-01 Linux system kernel vulnerability patch relieving method and system based on eBPF technology

Country Status (1)

Country Link
CN (1) CN115146262B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116126732A (en) * 2023-03-08 2023-05-16 哈尔滨工业大学(深圳) Computer fault positioning method and computer

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180205754A1 (en) * 2017-01-17 2018-07-19 NextEv USA, Inc. Real-time network vulnerability analysis and patching
CN109492406A (en) * 2018-11-15 2019-03-19 百度在线网络技术(北京)有限公司 Monitor the methods, devices and systems of kernel loophole attack
CN111046390A (en) * 2019-07-12 2020-04-21 哈尔滨安天科技集团股份有限公司 Cooperative defense patch protection method and device and storage equipment
CN111324481A (en) * 2020-02-28 2020-06-23 中国工商银行股份有限公司 Linux platform repairing method and device
US20210026947A1 (en) * 2019-07-22 2021-01-28 Cloud Linux Software Inc. Intrusion detection and prevention for unknown software vulnerabilities using live patching
CN113794605A (en) * 2021-09-10 2021-12-14 杭州谐云科技有限公司 Method, system and device for detecting kernel packet loss based on eBPF
CN114726633A (en) * 2022-04-14 2022-07-08 中国电信股份有限公司 Flow data processing method and device, storage medium and electronic equipment

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Liu Zhi (刘智): "Research on Binary-Code-Level Vulnerability Attack Detection", China Doctoral Dissertations Full-Text Database (Information Science and Technology) *
Li Kunlun (李昆仑) et al.: "Research on the Mechanism and Detection of Binary-Code-Level Function Pointer Attacks", Journal of Chinese Computer Systems (小型微型计算机系统) *
Wang Kailong (王凯龙): "Research on a Linux Kernel-Mode Memory Vulnerability Detection Method Combining eBPF and KFENCE", Electronics World (电子世界) *

Also Published As

Publication number Publication date
CN115146262B (en) 2023-03-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 311100 Rooms 103-27, Building 19, No. 1399 Liangmu Road, Cangqian Street, Yuhang District, Hangzhou City, Zhejiang Province

Applicant after: Hangzhou Meichuang Technology Co.,Ltd.

Address before: 310013 floor 12, building 7, Tianxing International Center, No. 508, Fengtan Road, Gongshu District, Hangzhou, Zhejiang Province

Applicant before: HANGZHOU MEICHUANG TECHNOLOGY CO.,LTD.

GR01 Patent grant