CN116089960A

CN116089960A - Trusted class measurement method and system based on Linux kernel host

Info

Publication number: CN116089960A
Application number: CN202310097745.3A
Authority: CN
Inventors: 赵波; 上官晨晗; 陈喜丰; 钟倩; 李蔚栋
Original assignee: Wuhan University WHU
Current assignee: Wuhan University WHU
Priority date: 2023-01-28
Filing date: 2023-01-28
Publication date: 2023-05-09

Abstract

The invention provides a method and a system for measuring a credible level based on a Linux kernel host, which belong to the technical field of computers and comprise the following steps: acquiring a protection strategy of a Linux kernel host, and determining a target to be protected based on the protection strategy; determining a credibility metric value of a target to be protected according to a system resource index and a dynamic credibility index of a Linux kernel host; and adjusting the trust level of the target to be protected based on the trust measurement value, and generating a system overall trust result. According to the invention, the system equipment state is dynamically monitored by adopting a trusted real-time measurement technology on a local or cloud Linux kernel host, a monitoring log of the system operation trusted state is reflected in real time, and a system total trust result is generated based on an evaluation element system, so that an administrator can adopt different coping strategies according to the system total trust result, the trusted level of the system is flexibly adjusted, and the host system can be ensured to safely and stably operate.

Description

Trusted class measurement method and system based on Linux kernel host

Technical Field

The invention relates to the technical field of computers, in particular to a method and a system for measuring a trust level based on a Linux kernel host.

Background

When a Linux kernel host is deployed, information security problems are inevitably involved, whether in the local or cloud, and a trusted computing technology is a crucial component technology in information security. Trusted computing technology is the use of trusted computing platforms based on secure hardware in computing and communication systems, thereby enhancing the security of the overall system, where the secure hardware typically includes trusted platform modules (Trusted Platform Module, TPM), secure flash memory cards (TF), USB-keys, and other hardware. The technology has been developed and applied for many years, and becomes an indispensable safety component of various computing platforms.

In practical application of the trusted computing technology, because of complexity of networking, the whole system participates in measurement resources of trusted computing in the running process, and often because measurement granularity is not fine enough, the whole system is considered to be unreliable as long as one resource abnormality is found, so that the usability and safety of the running of the whole system are affected. Particularly, in a cloud platform deployment environment, a huge variety of heterogeneous computing resource distributed structures exist, and once a certain entity fails to pass the measurement verification, the cooperative work among the security entities is greatly influenced.

Therefore, there is a need to propose a more flexible and finer computing resource reliability measure.

Disclosure of Invention

The invention provides a method and a system for measuring a credible level based on a Linux kernel host, which are used for solving the defects that detection and measurement of abnormal operation of system resources are generally inflexible and fine and have low accuracy when a credible computing technology is realized in the Linux kernel host in the prior art.

In a first aspect, the present invention provides a method for measuring a trust level based on a Linux kernel host, including:

acquiring a protection strategy of a Linux kernel host, and determining a target to be protected based on the protection strategy;

determining the credibility metric value of the target to be protected according to the system resource index and the dynamic trust index of the Linux kernel host;

and adjusting the trust level of the target to be protected based on the trust measurement value, and generating a system overall trust result.

According to the method for measuring the trust level based on the Linux kernel host, the protection strategy of the Linux kernel host is obtained, and the target to be protected is determined based on the protection strategy, which comprises the following steps:

acquiring a backup mechanism of the target to be protected, and determining the target to be backed up based on the backup mechanism;

and acquiring a monitoring mechanism of the target to be protected, and determining the target to be monitored based on the monitoring mechanism.

According to the method for measuring the trust level based on the Linux kernel host, the backup mechanism for obtaining the target to be protected and determining the target to be backed up based on the backup mechanism comprise the following steps:

acquiring a storage path of the target to be backed up, and generating a compressed backup file and a compressed backup file abstract value according to the storage path;

if the fact that the target to be backed up is mounted with the trusted platform module is determined, managing a secret key corresponding to the target to be backed up based on the trusted platform module, otherwise encrypting the target to be backed up based on an administrator password;

and encrypting the compressed backup file and the abstract value of the compressed backup file to generate an encrypted file.

According to the method for measuring the trust level based on the Linux kernel host, the monitoring mechanism for obtaining the target to be protected and determining the target to be monitored based on the monitoring mechanism comprise the following steps:

acquiring system monitoring parameters, registering a monitoring process based on the system monitoring parameters, initializing the monitoring process, acquiring operation parameters of the monitoring process, ending the monitoring process if the operation times of the monitoring process are judged to reach the preset monitoring times, otherwise, updating the operation parameters;

determining a monitoring strategy of the target to be monitored, creating a process monitoring file based on the monitoring strategy, acquiring an operation log of the process monitoring file, and reading and updating the operation log.

According to the method for measuring the trust level based on the Linux kernel host, which is provided by the invention, the trust level value of the target to be protected is determined according to the system resource index and the dynamic trust index of the Linux kernel host, and the method comprises the following steps:

monitoring system resources by utilizing a preset identification process to obtain discrete type trust element and continuous type trust element in the system;

obtaining the system resource index and the dynamic trust index based on the discrete type trust element and the continuous type trust element;

and integrating the system resource index and the dynamic trust index to obtain the credibility metric value.

According to the method for measuring the trust level based on the Linux kernel host, the system resource index is obtained based on the discrete type trust element and the continuous type trust element, and the method comprises the following steps:

determining the number of idle resources of the system and the total number of system resources;

obtaining a single system resource trust index based on the number of the system idle resources and the total number of the system resources;

acquiring resource trust index sets of each discrete type trust element and each continuous type trust element corresponding to a single system resource;

and carrying out normalization processing on the resource trust index set based on a resource trust index preset range to obtain the system resource index.

According to the trust level measurement method based on the Linux kernel host, the dynamic trust index is obtained based on the discrete trust element and the continuous trust element, and the method comprises the following steps:

determining abnormal operation scores and abnormal operation times of the monitoring file;

obtaining a single dynamic trust index based on the abnormal operation scores, the abnormal operation times and a natural constant;

acquiring dynamic trust index sets of each discrete type trust element and each continuous type trust element corresponding to a single monitoring file;

and differencing the resource trust index set based on a dynamic trust index preset range to obtain the dynamic trust index.

According to the method for measuring the trust level of the Linux kernel host, which is provided by the invention, the trust level of the target to be protected is adjusted based on the trust measurement value, and a system overall trust result is generated, and the method comprises the following steps:

acquiring a trusted evaluation system;

and comparing the credibility measurement value of the target to be protected with the credibility evaluation system, adjusting the credibility level of the target to be protected, and outputting a system overall trust value.

According to the method for measuring the trust level based on the Linux kernel host, the trust level of the target to be protected is adjusted based on the trust measurement value, and after the system overall trust result is generated, the method further comprises the following steps:

acquiring a storage path, a compressed backup file and a compressed backup file abstract value of a target to be backed up in the target to be protected;

decrypting the compressed backup file to generate a decrypted backup file abstract value;

comparing the compressed backup file abstract value with the decrypted backup file abstract value to generate a target to be backed up if the comparison value is consistent, otherwise, reporting an error to a system.

In a second aspect, the present invention further provides a trusted class measurement system based on a Linux kernel host, including:

the determining module is used for acquiring a protection strategy of the Linux kernel host and determining a target to be protected based on the protection strategy;

the measurement module is used for determining the credibility measurement value of the target to be protected according to the system resource index and the dynamic credibility index of the Linux kernel host;

and the adjusting module is used for adjusting the trust level of the target to be protected based on the trust measurement value and generating a system overall trust result.

In a third aspect, the present invention further provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements any of the Linux kernel host-based trust level measurement methods described above when the program is executed.

In a fourth aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a Linux kernel host based trust level measurement method as described in any of the above.

According to the method and the system for measuring the trust level based on the Linux kernel host, the system equipment state is dynamically monitored by adopting the trusted real-time measurement technology and deployed on the Linux kernel host of the local or cloud, the monitoring log of the system operation trust state is reflected in real time, and the system overall trust result is generated based on the evaluation element system, so that an administrator can adopt different coping strategies according to the system overall trust result, the trust level of the system is flexibly adjusted, and the safe and stable operation of the host system is ensured.

Drawings

In order to more clearly illustrate the invention or the technical solutions of the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the invention, and other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.

FIG. 1 is a flow chart of a trust level measurement method based on a Linux kernel host provided by the invention;

FIG. 2 is a general design diagram of a trust level measurement method based on a Linux kernel host provided by the invention;

FIG. 3 is a flow chart of a secure backup provided by the present invention;

FIG. 4 is a flow chart of system resource monitoring provided by the present invention;

FIG. 5 is a flow chart of file monitoring provided by the present invention;

FIG. 6 is a flow chart of a security recovery provided by the present invention;

FIG. 7 is a schematic diagram of a trusted class measurement system based on a Linux kernel host;

fig. 8 is a schematic structural diagram of an electronic device provided by the present invention.

Detailed Description

For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

Aiming at the limitations of the trusted security technology of the Linux kernel host in the prior art in deployment, the invention provides a trusted class measurement method based on the Linux kernel host, wherein the trust class is divided according to the influence degree of system resources after being attacked and the actual condition of a current running system platform by an improved trust class division method, the trust class assessment supports the runtime assessment and the offline assessment, and provides a response and recovery association model to obtain the overall trust result. Fig. 1 is a flow chart of a trusted class measurement method based on a Linux kernel host, as shown in fig. 1, including:

step 100: acquiring a protection strategy of a Linux kernel host, and determining a target to be protected based on the protection strategy;

step 200: determining the credibility metric value of the target to be protected according to the system resource index and the dynamic trust index of the Linux kernel host;

step 300: and adjusting the trust level of the target to be protected based on the trust measurement value, and generating a system overall trust result.

The Linux kernel host related to the invention can be deployed and operated on a local or cloud end, and the state of the system equipment is dynamically monitored by adopting a trusted real-time measurement technology, so that the current running trusted state of the system is reflected in real time.

And according to the actual running condition of the system, adopting a corresponding protection strategy, acquiring an actual target to be protected, monitoring system resources and files, generating a log, outputting system resource indexes and dynamic trust indexes in real time based on an evaluation element system, and comprehensively forming a credibility metric value. By presenting the trust state of the system terminal entity by the trust measurement value, the system administrator can set a fine-grained coping strategy based on the trust value, adjust the trust level of the target to be protected and generate a system overall trust result.

Specifically, as shown in fig. 2, in the overall system design, the invention realizes the credibility measurement by respectively calling different functional modules for the backup file and the system file. The backup module and the recovery module are called to the backup file, a backup file system is generated by adopting a Dump command respectively, the backup file is safely encrypted by calling an Openssl library by adopting an encryption and hash algorithm, and the recovery of the backup file is executed by a Restore command; and calling a file monitoring module and a process monitoring module to the system file, and monitoring the system file through the audio module. And then, the information transmitted among the comprehensive backup module, the recovery module, the file monitoring module and the process monitoring module is output by the scoring module to be used for process monitoring and processing by a system administrator.

According to the invention, the system equipment state is dynamically monitored by adopting a trusted real-time measurement technology on a local or cloud Linux kernel host, a monitoring log of the system operation trusted state is reflected in real time, and a system total trust result is generated based on an evaluation element system, so that an administrator can adopt different coping strategies according to the system total trust result, the trusted level of the system is flexibly adjusted, and the host system can be ensured to safely and stably operate.

Based on the above embodiment, step 100 includes:

step 101: acquiring a backup mechanism of the target to be protected, and determining the target to be backed up based on the backup mechanism;

step 102: and acquiring a monitoring mechanism of the target to be protected, and determining the target to be monitored based on the monitoring mechanism.

Wherein, step 101 includes:

Wherein step 102 comprises:

Specifically, after installing a program and a program dependency library file on a Linux kernel host, a system administrator is required to set rules by using root users, including:

firstly, setting a file/folder path needing backup protection;

if the files/folders needing backup protection are set, the program automatically detects whether the system is provided with the TPM, if the system is provided with the TPM, the TPM carries out key management, and if the system is not provided with the TPM, an administrator is required to provide a password to encrypt the backup files;

the file/folder path to be monitored is then set, and monitored actions are set, including read operations, write operations, execute operations, and modify operations on the file.

The safety backup process proposed by the present invention as shown in fig. 3 is executed by the backup module in fig. 2, and includes: and acquiring a backup file path, generating and compressing a backup file, generating a backup file abstract value, judging whether a TPM is mounted, further encrypting the backup file and the backup file abstract value, and storing the encrypted file.

The system resource monitoring flow shown in fig. 4 is executed by the process monitoring module in fig. 2, and includes: acquiring monitoring parameters, registering a monitoring process, initializing the process and starting to monitor, recording, reading and outputting the corresponding monitoring parameters, counting whether the monitoring parameters reach preset monitoring times, ending the system monitoring flow if the monitoring parameters reach the preset monitoring times, and otherwise, continuously updating the data of the monitoring parameters.

The file monitoring process shown in fig. 5, executed by the file monitoring module in fig. 2, includes: firstly, configuring a monitoring rule, starting an audio service, monitoring in a daemon form, namely creating a process monitoring file, starting the daemon after the kernel is loaded, continuously running the monitoring file, updating a log in real time and transmitting the log to a scoring system until the system is closed or the manager forcibly closes the system with root rights, outputting a running log of the monitoring file, and continuously reading and updating the running log.

The invention can acquire the running state of the system in real time by setting the backup and monitoring flows of the system files and the backup files, and reasonably set the backup strategy, so that the system can efficiently implement the calculation of the credible measurement.

Based on the above embodiment, step 200 includes:

Wherein obtaining the system resource index based on the discrete type trust element and the continuous type trust element comprises:

Wherein, based on the discrete type trust element and the continuous type trust element, obtaining the dynamic trust index includes:

Specifically, based on setting a backup strategy and a monitoring strategy, the system resources are subjected to trusted real-time measurement, the system resources to be monitored are comprehensively selected according to the characteristics of the system index information type, cloud system security, elastic fluctuation of resource requirements and the like related to a host system, the basis standard suitable for the selection of the current running system platform index is determined, discrete type trust element and continuous type trust element in the system are obtained, the system resources are monitored by taking a process as a unit, and the use condition of the CPU, the memory, the network IO and other resources by the monitoring process can be realized by identifying the PID number of the designated process.

And evaluating the security index element of each system terminal by adopting a forward evaluation system for the discrete element and the continuous element which are quantized by the standard, wherein the element value is a component part of the total trust value, the total trust value is decomposed into the element values, the composition relation between the total trust value and the element values is constructed, and the possible internal cause of the fluctuation of the total trust value is judged by the change of the element values. The continuous type element of trust is shown in table 1 and the discrete type element of trust is shown in table 2.

TABLE 1

TABLE 2

Index name	Index definition
		MemMinfltRate	Frequency of occurrence of minor fault
MemMajfltRate	Frequency of occurrence of major faults
		CpuIndex	Current run process cup number

Further, the system resource index and the dynamic trust index are adopted and are reflected as a system resource score and a dynamic trust score. Without loss of generality, taking a full 100 point as an example, the present embodiment sets the system resource score and the dynamic trust score to each account for 50 points.

For system resource scoring, the program obtains the usage of the system resource, including discrete and continuous trust elements, which are included in the trust score. When these metrics are low, the system resources are sufficient and the trust score is high. When some indexes are too high, the response capability and the risk coping capability of the system are reduced, the trust score is reduced, and the score reduction speed is gradually increased as the indexes gradually approach 100%.

Adopting F to represent idle resources, T to represent total number of resources, and obtaining trust scores of each type of resources as follows:

G＝7*T/(T-F)-7,G∈[0,10]；

after obtaining the trust score of each resource, normalizing the score to obtain:

G(s)＝50*(G(CpuRatio)+G(CpuUsrRatio)+…+G(MemMajfltRate))/30。

for dynamic trust grading, when illegal read-write operation, modification, addition and deletion of files, execution of files and access failure (insufficient authority and the like) of the monitored files are detected, the trust grading is reduced, the reduction grading is gradually increased along with the increase of the occurrence times of illegal behaviors, the reduced grading is represented by D each time, the occurrence times are t, and a natural constant e is introduced, so that:

D＝[5*(e^t)]/x,D∈[0,50]；

G(d)＝50-D。

where x is a self-set parameter, typically taking the average of the number of unauthorized access logs received within a period of time before the system.

It should be noted that, when the recovery behavior is started, the system is considered to be damaged to a certain extent, and a flag is transmitted to the scoring system, for example, trust score reduced by 10 points is set; if the recovery fails, the attack degree is considered to be higher, and if the trust score is set to be reduced by 20 minutes.

After obtaining the system resource index and the dynamic trust index, determining the trust metric value of the system trust level evaluation, wherein the trust metric value is used for evaluating the trust overall situation of the current running state of the system and represents the situation of the security risk possibly faced in the system. The credibility metric value is further refined into a composition of the credibility element value, the credibility state can be further refined from a microscopic angle, and microscopic analysis and judgment of risks can be realized.

The final confidence measure is the sum of the two part scores, namely:

G＝G(s)+G(d)。

the system monitors through the system resources and the files, generates the log, forms the credibility metric value based on the evaluation element system in real time, and has the characteristics of high accuracy and strong objectivity.

Based on the above embodiment, step 300 includes:

acquiring a trusted evaluation system;

Specifically, the program monitors authority information, password files and set files and folders which need to be protected of a system user group according to rules set by an administrator, once the occurrence of an override event is monitored, a system warning is thrown out, corresponding log file detailed records including details of illegal program addresses, time and the like are generated, microscopic trust values of corresponding trust elements are adjusted down according to the division of the behavior severity in a trusted evaluation system, and finally the microscopic trust values are reflected on the overall trust values of the system.

It should be noted that, here, the rule set by the administrator is that the protection of the authority information, the password file and the system setting related file of the system user group is written in the program by default, which is different from the protection file set by the administrator according to the actual condition of the system, which is determined as the target to be protected in the foregoing embodiment.

Wherein, after step 300, further comprises:

Specifically, as shown in the security recovery flow shown in fig. 6, the security recovery needs to be performed on the backup file, and the specific implementation steps include:

and obtaining a storage path, a compressed backup file and a compressed backup file abstract value of a target to be backed up in the target to be protected, judging whether different decryption modes are adopted according to whether the TPM is mounted or not, decrypting the compressed backup file to generate a new decrypted backup file abstract value, comparing the compressed backup file abstract value with the decrypted backup file abstract value, judging whether the two are consistent, if so, directly recovering the file, if not, reporting an error to a system, and stopping the operation of recovering the file.

The invention adjusts the credibility level of the system through the credibility measurement value, and provides backup and recovery of the system designated file, thereby having higher fault tolerance.

The trust level measurement system based on the Linux kernel host provided by the invention is described below, and the trust level measurement system based on the Linux kernel host described below and the trust level measurement method based on the Linux kernel host described above can be correspondingly referred to each other.

Fig. 7 is a schematic structural diagram of a trusted class measurement system based on a Linux kernel host, as shown in fig. 7, including a determining module 71, a measurement module 72 and an adjusting module 73, where:

the determining module 71 is configured to obtain a protection policy of the Linux kernel host, and determine a target to be protected based on the protection policy; the measurement module 72 is configured to determine a trusted measurement value of the target to be protected according to a system resource index and a dynamic trust index of the Linux kernel host; the adjustment module 73 is configured to adjust the trust level of the target to be protected based on the trust metric value, and generate a system overall trust result.

Fig. 8 illustrates a physical structure diagram of an electronic device, as shown in fig. 8, which may include: processor 810, communication interface (Communications Interface) 820, memory 830, and communication bus 840, wherein processor 810, communication interface 820, memory 830 accomplish communication with each other through communication bus 840. The processor 810 may invoke logic instructions in the memory 830 to perform a Linux kernel host based trust level measurement method comprising: acquiring a protection strategy of a Linux kernel host, and determining a target to be protected based on the protection strategy; determining the credibility metric value of the target to be protected according to the system resource index and the dynamic trust index of the Linux kernel host; and adjusting the trust level of the target to be protected based on the trust measurement value, and generating a system overall trust result.

Further, the logic instructions in the memory 830 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.

In another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, is implemented to perform the method for measuring a trust level based on a Linux kernel host provided by the above methods, the method comprising: acquiring a protection strategy of a Linux kernel host, and determining a target to be protected based on the protection strategy; determining the credibility metric value of the target to be protected according to the system resource index and the dynamic trust index of the Linux kernel host; and adjusting the trust level of the target to be protected based on the trust measurement value, and generating a system overall trust result.

The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.

From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.

Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. The method for measuring the credibility level based on the Linux kernel host is characterized by comprising the following steps:

2. The method for measuring the trust level of a Linux kernel host according to claim 1, wherein the obtaining a protection policy of the Linux kernel host, and determining the target to be protected based on the protection policy, comprises:

3. The method for measuring the trust level of a Linux kernel host according to claim 2, wherein the obtaining the backup mechanism of the target to be protected, and determining the target to be backed up based on the backup mechanism, comprises:

4. The method for measuring the trust level of a Linux kernel host according to claim 2, wherein the obtaining the monitoring mechanism of the target to be protected, and determining the target to be monitored based on the monitoring mechanism, comprises:

5. The method for measuring the trust level of a Linux kernel host according to claim 1, wherein the determining the trust level of the object to be protected according to the system resource index and the dynamic trust index of the Linux kernel host comprises:

6. The Linux kernel host-based trust level measurement method of claim 5, wherein obtaining the system resource indicator based on the discrete and continuous trust elements comprises:

7. The Linux kernel host-based trust level measurement method of claim 5, wherein obtaining the dynamic trust index based on the discrete trust element and the continuous trust element comprises:

8. The method for measuring trust level based on Linux kernel host according to claim 1, wherein said adjusting the trust level of the object to be protected based on the trust measurement value, generating a system overall trust result, comprises:

acquiring a trusted evaluation system;

9. The method for measuring trust level based on Linux kernel host according to claim 1, wherein said adjusting the trust level of the object to be protected based on the trust measurement value, after generating a system overall trust result, further comprises:

10. A Linux kernel host-based trust level measurement system, comprising: