CN116415300A - File protection method, device, equipment and medium based on eBPF - Google Patents


Info

Publication number: CN116415300A
Authority: CN (China)
Prior art keywords: file, system call, target system, ebpf, program
Legal status: Pending
Application number: CN202310395381.7A
Other languages: Chinese (zh)
Inventors: 范鑫禹, 张娇, 吴鸿霖, 姜城
Current Assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original Assignee: Industrial and Commercial Bank of China Ltd (ICBC)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication

Abstract

The disclosure provides an eBPF-based file protection method applicable to the technical field of information security. The method comprises the following steps: in response to a currently triggered target system call being a system call hooked by an eBPF program, capturing the target system call through the eBPF program, where the eBPF program carries file protection configuration information and was hooked to the system calls for file operations set in that configuration information during the process of injecting the eBPF program into kernel space; when the file operation type of the target system call is a file write operation, verifying the validity of the data to be written in the target system call; when the file operation type of the target system call is a non-file-write operation, verifying the legitimacy of the access right of the target system call; when the verification result is illegal, the eBPF program intercepts the target system call; and when the verification result is legal, the eBPF program releases the target system call. The present disclosure also provides an eBPF-based file protection apparatus, device, storage medium and program product.

Description

File protection method, device, equipment and medium based on eBPF
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to an eBPF-based file protection method, apparatus, device, medium, and program product.
Background
With the development of network technology the cloud era has arrived, and large enterprises are moving to the cloud rapidly in order to better provide services and iterate on their information systems. But the security risks involved are not small. As enterprise business moves to the cloud, important data and services are stored and run in the cloud environment, and attackers have shifted their attention to the cloud as well: they covertly attack an enterprise's cloud facilities to steal key data, or upload a webshell to take control of an enterprise cloud server or virtual machine, which then becomes the entry point for the attacker's penetration of the intranet.
Common means of monitoring and handling file operations have several shortcomings. If file operations are monitored through logs, staff usually need to spend a great deal of time auditing the logs, which not only costs labour but also requires the staff to have the security skills to recognise sensitive file operations; security appliances that detect sensitive file operations from network traffic cannot cope with encrypted traffic; and file protection based on application instrumentation becomes ineffective once an attacker uses an operating-system-level vulnerability to perform high-risk file operations.
Disclosure of Invention
In view of the above, the present disclosure provides an eBPF-based file protection method, apparatus, device, medium and program product that can go into the kernel space of a system to monitor and effectively intercept the system's file operations in real time.
According to a first aspect of the present disclosure, there is provided an eBPF-based file protection method. The method comprises the following steps: in response to a currently triggered target system call being a system call hooked by an eBPF program, capturing the target system call through the eBPF program, where the eBPF program is a program injected into kernel space, the eBPF program comprises file protection configuration information, and the eBPF program was hooked to the system calls for file operations set in the file protection configuration information during the process of injecting the eBPF program; determining the file operation type to which the target system call belongs; verifying the validity of the target system call according to the verification mode, set in the file protection configuration information, that corresponds to the file operation type of the target system call, so as to obtain a verification result; when the verification result is illegal, the eBPF program intercepts the target system call; and when the verification result is legal, the eBPF program releases the target system call. Verifying the validity of the target system call according to the verification mode corresponding to its file operation type comprises: when the file operation type of the target system call is a file write operation, verifying the validity of the data to be written in the target system call; and when the file operation type of the target system call is a non-file-write operation, verifying the validity of the access right of the target system call.
According to an embodiment of the disclosure, when the file operation type of the target system call is a file write operation, verifying the validity of the data to be written in the target system call includes: the eBPF program passes the data to be written in the target system call to a file feature detection subsystem; and the file feature detection subsystem verifies the validity of the data to be written and sends the verification result to the eBPF program.
According to an embodiment of the disclosure, verifying the validity of the data to be written by means of the file feature detection subsystem includes: verifying the validity of the data to be written based on a file feature comparison between the data to be written and the data in a library of high-risk virus and Trojan files.
According to an embodiment of the present disclosure, the file feature comparison includes a comparison in at least one of the following dimensions: file hash value, specific signature, or file structure.
According to an embodiment of the present disclosure, the non-file-write operations include at least one of the following file operations: file read operations, file close operations, or file open operations.
According to an embodiment of the present disclosure, the file protection configuration information includes access prohibition information, and when the file operation type of the target system call is a non-file-write operation, verifying the validity of the access right of the target system call includes: the eBPF program matches the parameters of the target system call against the access prohibition information; if the matching succeeds, the access right of the target system call is determined to be illegal; and if the matching fails, the access right of the target system call is determined to be legal.
According to an embodiment of the present disclosure, the parameters of the target system call include at least one of: the file name accessed by the target system call, the file path accessed by the target system call, or the program that triggered the target system call. The access prohibition information includes parameters in at least one of the following dimensions: a file name for which access is prohibited, a file path for which access is prohibited, or a blacklisted program.
According to an embodiment of the present disclosure, the process of injecting the eBPF program into the kernel space is as follows: obtaining the file protection configuration information provided by a user, where the file protection configuration information sets the file operation types of the system calls for file operations, comprising file write operations and non-file-write operations, with different verification modes set for the two; generating the code of the eBPF program based on the file protection configuration information; and injecting the code of the eBPF program into the kernel space.
According to an embodiment of the present disclosure, the system is not restarted during injection of the code of the eBPF program into the kernel space.
According to an embodiment of the present disclosure, the injecting the code of the eBPF program into the kernel space includes: compiling codes of the eBPF program into byte codes; calling an eBPF program loading interface function in the system; and loading the bytecode into the kernel space using the eBPF program load interface function.
According to an embodiment of the present disclosure, obtaining the file protection configuration information provided by the user includes: providing a rule template to the operation and maintenance terminal; and receiving a message sent by the operation and maintenance terminal, the message being generated from the file protection configuration information filled into the rule template.
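The last step of the injection procedure described above, loading compiled bytecode into kernel space through the kernel's eBPF loading interface, as an added example that is not the patent's or ICBC's code. On Linux that interface is the bpf(2) system call with the BPF_PROG_LOAD command, which is what libbpf wraps. The function names and the hand-assembled two-instruction program are this example's own choices, and a socket-filter program type is used only because it needs the least setup; nothing beyond plain gcc and the kernel UAPI header <linux/bpf.h> is required.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

/* Build the smallest verifier-accepted program, "r0 = 0; exit", by hand.
   Opcodes are spelled out so no libbpf helper macros are needed. */
size_t build_minimal_prog(struct bpf_insn *out, size_t cap) {
    if (cap < 2) return 0;
    struct bpf_insn mov = { .code = BPF_ALU64 | BPF_MOV | BPF_K, .dst_reg = BPF_REG_0,
                            .src_reg = 0, .off = 0, .imm = 0 };
    struct bpf_insn ex  = { .code = BPF_JMP | BPF_EXIT, .dst_reg = 0, .src_reg = 0,
                            .off = 0, .imm = 0 };
    out[0] = mov;
    out[1] = ex;
    return 2;
}

/* The kernel's loading interface: bpf(2) with BPF_PROG_LOAD.
   Returns a program file descriptor, or -errno on failure. */
int load_prog(const struct bpf_insn *insns, size_t cnt, char *log, size_t log_sz) {
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);            /* unused attr fields must be zero */
    attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
    attr.insn_cnt  = (__u32)cnt;
    attr.insns     = (__u64)(unsigned long)insns;
    attr.license   = (__u64)(unsigned long)"GPL";
    attr.log_level = 1;                       /* ask the verifier for its log */
    attr.log_size  = (__u32)log_sz;
    attr.log_buf   = (__u64)(unsigned long)log;
    long fd = syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof attr);
    return fd < 0 ? -errno : (int)fd;
}

int main(void) {
    struct bpf_insn prog[2];
    char log[1024] = "";
    size_t n = build_minimal_prog(prog, 2);
    int fd = load_prog(prog, n, log, sizeof log);
    if (fd < 0) {
        /* Unprivileged loading is disabled on most current distributions,
           so EPERM is the expected result without CAP_BPF or CAP_SYS_ADMIN. */
        fprintf(stderr, "BPF_PROG_LOAD failed: %s\n%s", strerror(-fd), log);
        return 1;
    }
    printf("loaded %zu instructions into the kernel, prog fd %d\n", n, fd);
    close(fd);
    return 0;
}
```

Run it as root (or with CAP_BPF) to see the program descriptor; an unprivileged run reports EPERM because kernel.unprivileged_bpf_disabled is on by default on current kernels. A real file-protection program is written in restricted C, compiled with clang -O2 -target bpf, and loaded with libbpf, which issues exactly this call for each program in the object; loading alone does nothing until the program is also attached to its hook with a separate call (for example BPF_RAW_TRACEPOINT_OPEN or BPF_LINK_CREATE). Neither loading nor attaching requires a reboot, which is the property the text above relies on.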
According to an embodiment of the present disclosure, after the eBPF program intercepts the target system call, the method further includes: and sending interception information of the target system call to the operation and maintenance terminal.
On the other hand, the embodiments of the disclosure also provide an eBPF-based file protection apparatus. The apparatus comprises a monitoring and blocking module, which is an eBPF program injected into kernel space; the eBPF program comprises file protection configuration information and was hooked, during its injection, to the system calls for file operations set in that configuration information. The monitoring and blocking module comprises a monitoring unit, a judging unit, a verification unit and a processing unit. The monitoring unit captures the target system call through the eBPF program in response to the currently triggered target system call being a system call hooked by the eBPF program. The judging unit determines the file operation type to which the target system call belongs. The verification unit verifies the validity of the target system call according to the verification mode, set in the file protection configuration information, that corresponds to that file operation type, so as to obtain a verification result. The processing unit intercepts the target system call when the verification result is illegal and releases it when the verification result is legal. The verification unit comprises a file write operation verification subunit and an other-file-operation verification subunit: the former verifies the validity of the data to be written in the target system call when its file operation type is a file write operation; the latter verifies the validity of the access right of the target system call when its file operation type is a non-file-write operation.
According to an embodiment of the disclosure, the apparatus further comprises a code generation and injection module, which is used to: obtain the file protection configuration information provided by the user, where the file protection configuration information sets the file operation types of the system calls for file operations, comprising file write operations and non-file-write operations, with different verification modes set for the two; generate the code of the eBPF program based on the file protection configuration information; and inject the code of the eBPF program into the kernel space.
In a third aspect of the disclosed embodiments, an electronic device is provided. The electronic device includes one or more processors and memory. The memory is configured to store one or more programs that, when executed by the one or more processors, cause the one or more processors to perform the above-described method.
In a fourth aspect of the disclosed embodiments, there is also provided a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described method.
In a fifth aspect of the disclosed embodiments, there is also provided a computer program product comprising a computer program which, when executed by a processor, implements the above method.
One or more of the above embodiments have the following advantages or benefits: they can at least partly solve the problem in the related art that the protection of file data in a system is incomplete and untimely; user-defined file protection configuration information can be injected into the kernel space of the system, and file operations are monitored and detected in kernel space by the eBPF program; and, according to the file protection configuration information, the system is screened specifically for the different ways in which different types of file operation can cause harm, which improves the comprehensiveness and accuracy of file protection and ensures the robustness of the system.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates an application scenario diagram of an eBPF-based file protection method, apparatus, device, medium and program product according to an embodiment of the present disclosure;
fig. 2 schematically illustrates a flowchart of an eBPF-based file protection method according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flowchart of performing validity check on a system call of a file write operation type in an eBPF-based file protection method according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flowchart of performing validity check on a system call of a non-file write operation type in an eBPF-based file protection method according to another embodiment of the present disclosure;
fig. 5 schematically illustrates a flowchart of injecting the eBPF program in an eBPF-based file protection method according to another embodiment of the present disclosure;
fig. 6 schematically illustrates loading the code of the eBPF program into kernel space;
fig. 7 schematically illustrates a flowchart of an eBPF-based file protection method of a further embodiment of the present disclosure;
FIG. 8 schematically illustrates a block diagram of a file protection apparatus according to an embodiment of the present disclosure;
FIG. 9 schematically illustrates a block diagram of a monitoring blocking module in a file protection device according to an embodiment of the present disclosure;
FIG. 10 schematically illustrates a system architecture to which a file protection device according to another embodiment of the present disclosure is applied;
FIG. 11 schematically illustrates a block diagram of a policy management subsystem in the file protection device shown in FIG. 10;
FIG. 12 schematically illustrates a block diagram of a file protection subsystem in the file protection device illustrated in FIG. 10;
FIG. 13 schematically illustrates a block diagram of a file feature detection subsystem in the file protection device illustrated in FIG. 10; and
fig. 14 schematically illustrates a block diagram of an electronic device adapted to implement an eBPF-based file protection apparatus according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions like "at least one of A, B and C, etc." are used, they should generally be interpreted in accordance with the meaning commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). The terms "first," "second," and the like herein are used solely for distinguishing, and not as a limitation, and any number of elements in the figures is used for illustration, and not as a limitation.
The inventors' analysis is that common means of monitoring and handling file operations, such as monitoring file operations through logs, security appliances that detect sensitive file operations from network traffic, and file protection based on application instrumentation, cannot reach down to the lower layers of a host or virtual machine to detect file operations. Therefore, once the file system of the host or virtual machine is invaded by an attacker, an effective response mechanism is lacking, and it is difficult to protect the file security of the system comprehensively.
In view of this, the present disclosure provides an eBPF-based file protection method, apparatus, device, medium and program product. eBPF is an abbreviation of Extended Berkeley Packet Filter, an advanced kernel-mode programming technology through which custom programs can be written and loaded into kernel space.
According to the embodiments of the present disclosure, an eBPF program containing user-defined file protection configuration information is injected into the kernel space of the system by means of eBPF technology, and during injection the eBPF program is hooked to the system calls for file operations set in the file protection configuration information. Thus, when a system call for a file operation is triggered, the eBPF program can capture it in real time, and the captured system call can then be verified. The embodiments distinguish whether the system call is a file write operation or not and verify it in a correspondingly different, targeted way: for a file write operation, the validity of the data to be written is verified; for a non-file-write operation, whether the access right of the system call is legal is verified. Then, according to the verification result, only legal system calls are released and illegal ones are intercepted.
In this way, the embodiment of the disclosure can inject the self-defined file protection configuration information into the kernel space of the system, and perform real-time monitoring and detection of file operation according to the file protection configuration information through the eBPF program, so that the comprehensiveness of file protection is improved, and the robustness of the system is ensured.
Fig. 1 schematically illustrates an application scenario diagram of an eBPF-based file protection method, apparatus, device, medium and program product according to an embodiment of the present disclosure.
As shown in fig. 1, an application scenario 100 according to this embodiment may include user terminals 101, 102, 103, a network 104, and a server 105. Further, in other embodiments, the application scenario 100 may further include an operation and maintenance terminal 107 and a network 106, where the operation and maintenance terminal 107 may communicate with the server 105 through the network 106. The networks 104 and 106 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others. In one embodiment, network 104 may be the Internet and network 106 may be an intranet.
A user (e.g., consumer, general employee, etc.) may interact with the server 105 via the network 104 using the user terminals 101, 102, 103 to receive or send messages, etc. Various communication client applications, such as shopping class applications, web browser applications, search class applications, office class applications, mailbox clients, social platform software, etc., may be installed on the user terminals 101, 102, 103, as just examples.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by users using the user terminals 101, 102, 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., web pages, information, or data acquired or generated according to the user request) to the user terminals 101, 102, 103. The server 105 may be disposed at a cloud end, and may be a cloud server host or a virtual machine.
The operation and maintenance terminal 107 may be a terminal device used by operation and maintenance personnel, who can issue instructions to the server 105 through it to control the injection of the eBPF program into the kernel space of the server 105. Thus, while the server 105 interacts with the user terminals 101, 102, 103, the eBPF program monitors the file system of the server 105 and protects its files from malicious tampering, theft and the like.
It can be seen that, in the application scenario 100, the file protection method based on eBPF provided by the embodiments of the present disclosure may be performed by the server 105. Accordingly, the file protection apparatus, device, medium and program product based on eBPF provided by the embodiments of the present invention may be provided in the server 105. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present invention may be applied to help those skilled in the art understand the technical content of the present invention, and does not mean that the present invention may not be used in other devices, systems, environments, or scenarios.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
It should be noted that the eBPF-based file protection method, apparatus, device, medium and program product of the embodiments of the present disclosure may be used in the financial field and also in any field other than the financial field; the application field is not limited by this disclosure.
Hereinafter, a file protection method based on an eBPF according to various embodiments of the present disclosure will be described in detail with reference to fig. 2 to 7 based on the scenario described in fig. 1. It should be noted that the sequence numbers of the respective operations in the following methods are merely representative of the operations for the purpose of description, and should not be construed as representing the order of execution of the respective operations. The method need not be performed in the exact order shown unless explicitly stated.
Fig. 2 schematically illustrates a flowchart of an eBPF-based file protection method according to an embodiment of the present disclosure.
As shown in fig. 2, the eBPF-based file protection method according to this embodiment may include operations S210 to S260.
In operation S210, in response to the currently triggered target system call being a system call hooked by the eBPF program, the target system call is captured by the eBPF program, where the eBPF program is a program injected into the kernel space, the eBPF program includes file protection configuration information, and the eBPF program was hooked to the system calls for file operations set in the file protection configuration information during its injection.
Next, in operation S220, it is determined whether the target system call belongs to the file write operations. If yes, operation S231 is executed; if not, operation S232 is executed.
In one embodiment, a target system call of write() belongs to the file write operations, and any other target system call belongs to the non-file-write operations.
The non-file-write operations may include at least one of the following file operations: file read, file close, or file open operations, such as open(), read(), close(), and the like.
By determining the file operation type of the target system call in operation S220, the validity of the target system call can then be checked in the verification mode that the file protection configuration information sets for that file operation type, so as to obtain a verification result.
Specifically, in operation S231, when the file operation type of the target system call is a file write operation, the validity of the data to be written in the target system call is checked. For example, the parameters are extracted from the write() call to obtain the data to be written, and the data is then inspected. For instance, a trained machine learning model may detect whether the data to be written contains non-compliant content; or the data may be compared with previously collected data of high-risk Trojan and virus files to determine whether it is a Trojan file.
In operation S232, when the file operation type of the target system call is a non-file-write operation, the validity of the access right of the target system call is checked. For example, the parameters of the target system call, such as the name of the file to be accessed, its file path, or the name of the program triggering the call, may be extracted, and it is determined whether these parameters match preset access prohibition information.
Specifically, a file write operation (e.g. write()), when used to compromise the system, usually does so by writing malicious content (a virus) carried in the data, so the validity of the data to be written is uniformly checked for such system calls in operation S231. A non-file-write operation, when used to compromise the system, usually does so by stealing file data through unauthorised access or by changing the state of a file, so the legitimacy of the access right is checked for such system calls in operation S232. In this way, the embodiments verify each call in a targeted manner according to the specific way in which the target system call could harm the system, which improves the pertinence of file protection.
Next, in operation S240, it is determined whether the verification result obtained from operation S231 or operation S232 is legal. If not, executing operation S250; if yes, operation S260 is performed.
In operation S250, when the check result is illegal, the eBPF program intercepts the target system call.
In operation S260, when the verification result is legal, the eBPF program releases the target system call.
According to the embodiment of the disclosure, the file operation system call which is caught by the eBPF program hook is captured through the eBPF program, so that the file operation which is harmful to the system is monitored and intercepted in real time in the kernel space by adopting an automatic mode. Compared with the scheme that the operation endangering the security of the system file is searched through the manual audit file operation log in the related art, the embodiment of the disclosure not only can reduce the labor cost, but also can intercept the file in advance before the execution of the file operation endangering the security of the system file, thereby playing a role in preventing the file protection.
According to the embodiment of the disclosure, the system call executing the file operation can be monitored and intercepted from the kernel space of the system, which overcomes the defect that a security device detecting sensitive file operations based on traffic cannot monitor encrypted traffic. Specifically, a traffic-based security device detects and intercepts operations endangering system file security in the user space of the system, and it is difficult for such a device to cope with the case where a parameter of the operation received in user space (e.g., the data to be written) is encrypted. In contrast, the embodiment of the present disclosure intercepts the system call of the file operation in the kernel space: after receiving encrypted data, the user space must first decrypt it before the system call can be triggered, since only after decryption are the system call to be triggered and its specific parameters known. Compared with the traffic-based security device, the embodiment of the disclosure can therefore effectively detect encrypted traffic, and because it intercepts and detects the file operation in the kernel space, its detection range is wider and its protection of system file security is stronger.
In addition, compared with the related-art scheme in which a file protection device based on application instrumentation can only intercept file operations at the application layer, the embodiment of the disclosure can monitor and intercept not only sensitive high-risk file operations triggered by application-layer processes or threads such as web applications, but also sensitive high-risk file operations triggered by operating-system-layer processes or threads as a result of operating system vulnerabilities, thereby improving the comprehensiveness of system file protection and strengthening the security capability of the system.
Fig. 3 schematically illustrates a flowchart of performing validity check on a system call of a file write operation type in operation S231 in an eBPF-based file protection method according to an embodiment of the present disclosure.
As shown in fig. 3, according to the embodiment, when a target system call belongs to a system call of a file write operation type, the process of performing validity check in operation S231 described above may include operations S301 to S303.
In operation S301, the eBPF program transmits the data to be written in the target system call to the file feature detection subsystem, and verifies the validity of the data to be written using the file feature detection subsystem.
The file feature detection subsystem can run in the user space or the kernel space, and can be integrated with databases (such as a high-risk virus Trojan horse file library), artificial intelligence detection models and the like for verification.
The detection of the data to be written is carried out through the file characteristic detection subsystem, so that not only can the detection means of the data to be written be expanded, but also the trouble of writing the detection flow of the data to be written into the eBPF program can be avoided, and the modularization and standardization of the detection of the data to be written are realized. Meanwhile, the volume of the eBPF program injected into the kernel space can be reduced, and the injection efficiency and the running efficiency of the eBPF program in the kernel space are improved.
When the file feature detection subsystem runs in the user space of the system, the kernel-space resources consumed by the detection flow for the data to be written can be reduced.
In an embodiment, in operation S302, the file feature detection subsystem may verify the validity of the data to be written based on the file feature comparison of the data to be written and the data in the high-risk virus Trojan file library.
File feature comparison includes comparison on at least one of the following: file hash value, specific signature, or file structure. Through file feature comparison, it can be analyzed and determined whether the data to be written carries high-risk virus Trojan information.
Then in operation S303, the file feature detection subsystem transmits the detection result to the eBPF program. When the data to be written carries high-risk virus Trojan information, the detection result is illegal. And when the data to be written does not carry the high-risk virus Trojan information, the detection result is legal.
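The following is an added example, not code from the patent, of how a user-space file feature detection subsystem could implement operations S301 to S303: it compares the data to be written against a constructed high-risk library on the three dimensions named above (file hash, specific signature, file structure) and returns the legal/illegal detection result. The library contents, the marker string and the malformed ELF header are constructed samples, and the ELF program-header-offset check is one assumed instance of a "file structure" feature.

```python
"""Added example (not the patent's code): a minimal file feature detection
subsystem for operations S301-S303, comparing the data to be written against a
constructed high-risk library on the three dimensions the text names: file
hash, specific signature and file structure."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class HighRiskLibrary:
    """Stand-in for the high-risk virus Trojan file library (constructed)."""
    hashes: Set[str] = field(default_factory=set)                          # hex SHA-256 digests
    signatures: List[Tuple[str, bytes]] = field(default_factory=list)      # (name, byte pattern)
    structures: List[Tuple[str, Callable[[bytes], bool]]] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def elf_phoff_out_of_bounds(data: bytes) -> bool:
    """Structural feature (assumed example): an ELF header whose program-header
    table offset (e_phoff) points past the end of the file. Such a layout is
    what the 'file structure' dimension is meant to catch."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return False
    byte_order = "little" if data[5] == 1 else "big"
    if data[4] == 2:                                   # ELFCLASS64
        e_phoff = int.from_bytes(data[32:40], byte_order)
    else:                                              # ELFCLASS32
        e_phoff = int.from_bytes(data[28:32], byte_order)
    return e_phoff >= len(data)


def verify_data_to_write(data: bytes, lib: HighRiskLibrary) -> Dict[str, Optional[str]]:
    """Detection result sent back to the eBPF program (S303): 'illegal' when the
    data matches the library on any dimension, otherwise 'legal'."""
    digest = sha256_hex(data)
    if digest in lib.hashes:
        return {"result": "illegal", "feature": "hash", "detail": digest}
    for name, pattern in lib.signatures:
        if pattern in data:
            return {"result": "illegal", "feature": "signature", "detail": name}
    for name, predicate in lib.structures:
        if predicate(data):
            return {"result": "illegal", "feature": "structure", "detail": name}
    return {"result": "legal", "feature": None, "detail": None}


# --- constructed samples (not real malware) ---------------------------------
KNOWN_BAD_BLOB = b"constructed blob standing in for a previously catalogued sample"
SIGNATURE_HIT = b"#!/bin/sh\n" + b"CONSTRUCTED-TROJAN-MARKER" + b"\n"
MALFORMED_ELF = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)       # e_ident: 64-bit, little-endian
                 + bytes(16)                                       # e_type .. e_entry (zeros)
                 + (0xFFFF).to_bytes(8, "little")                  # e_phoff far past EOF
                 + bytes(64 - 40))                                 # rest of the 64-byte header
BENIGN_TEXT = b"quarterly report, nothing unusual\n"

LIBRARY = HighRiskLibrary(
    hashes={sha256_hex(KNOWN_BAD_BLOB)},
    signatures=[("constructed-trojan-marker", b"CONSTRUCTED-TROJAN-MARKER")],
    structures=[("elf-phoff-out-of-bounds", elf_phoff_out_of_bounds)],
)


def run_samples() -> Dict[str, str]:
    """Exercise each feature dimension once; used by the demo below and by tests."""
    return {
        "known_bad": verify_data_to_write(KNOWN_BAD_BLOB, LIBRARY)["feature"] or "none",
        "signature": verify_data_to_write(SIGNATURE_HIT, LIBRARY)["feature"] or "none",
        "malformed_elf": verify_data_to_write(MALFORMED_ELF, LIBRARY)["feature"] or "none",
        "benign": verify_data_to_write(BENIGN_TEXT, LIBRARY)["result"],
    }


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name}: {outcome}")
```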
Fig. 4 schematically illustrates a flowchart of performing validity check on a system call of a non-file write operation type in operation S232 in an eBPF-based file protection method according to another embodiment of the present disclosure.
As shown in fig. 4, according to the embodiment, the file protection configuration information included in the eBPF program may further include access prohibition information, and the process of performing the validity check in the above-described operation S232 may include operations S401 to S404 when the target system call is a system call of a non-file write operation type.
In operation S401, the eBPF program matches the parameters of the target system call and the access prohibition information.
The access prohibition information may, for example, comprise parameters of at least one of the following dimensions: an access-prohibited file name, an access-prohibited file path, or a blacklist program. In some embodiments, the access prohibition information may further include an association between parameters of several dimensions. For example, it may be specified that certain files may not be accessed by specific programs, such as which blacklist programs may not access files under the \data\ folder.
Accordingly, the parameters of the target system call include at least one of: the file name accessed by the target system call, the file path accessed by the target system call, or the program triggering the target system call.
Next, in operation S402, it is determined whether the matching result of operation S401 is successful. If yes, executing operation S403; if not, operation S404 is performed.
In operation S403, if the matching is successful, it is determined that the access right of the target system call is illegal.
In operation S404, if the matching is unsuccessful, it is determined that the access authority of the target system call is legal.
In this way, according to the configuration in the file protection configuration information, the embodiment of the disclosure only allows a target system call that has the access authority to execute the corresponding file operation (such as file reading, file closing or file opening), thereby avoiding leakage of sensitive data caused by malicious file reading, or damage to the system state caused by malicious opening or closing of sensitive files.
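The following is an added example, not code from the patent, modelling in Python the non-file write verification path of operations S401 to S404 together with the classification of S220 and the intercept/release decision of S250/S260: rules carry the dimensions named above (file name, file path, blacklist program), a rule with several dimensions set is an association, and a successful match makes the access right illegal. The syscall-to-type mapping, the rule and event values, and the program names are assumptions; `/data/` is the POSIX form of the text's `\data\` example.

```python
"""Added example (not the patent's code): access prohibition matching for
non-file-write system calls (S401-S404), with the rule dimensions of the text
and their association, followed by the intercept/release decision (S250/S260)."""
import posixpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: how hooked syscall names map to the two file operation types of S220.
FILE_WRITE_SYSCALLS = {"write", "pwrite64", "writev"}
NON_FILE_WRITE_SYSCALLS = {"open", "openat", "read", "close"}


@dataclass(frozen=True)
class ProhibitionRule:
    """One entry of the access prohibition information. Unset dimensions are
    wildcards; a rule with several dimensions set is an association such as
    'blacklist program X may not access files under /data/'."""
    file_name: Optional[str] = None     # exact base name of the file
    path_prefix: Optional[str] = None   # directory prefix, e.g. '/data/'
    program: Optional[str] = None       # blacklisted program (process comm) name

    def matches(self, params: Dict[str, str]) -> bool:
        # Normalise first: the kernel resolves '.', '..' and duplicate slashes,
        # so a raw string prefix test would disagree with what is actually opened.
        path = posixpath.normpath(params["file_path"])
        if self.file_name is not None and posixpath.basename(path) != self.file_name:
            return False
        if self.path_prefix is not None:
            prefix = posixpath.normpath(self.path_prefix)
            if path != prefix and not path.startswith(prefix.rstrip("/") + "/"):
                return False
        if self.program is not None and params["program"] != self.program:
            return False
        return True


def check_access_rights(params: Dict[str, str],
                        rules: List[ProhibitionRule]) -> Tuple[str, Optional[ProhibitionRule]]:
    """S401-S404: a successful match against any rule means the access right
    is illegal (S403); no match means it is legal (S404)."""
    for rule in rules:
        if rule.matches(params):
            return "illegal", rule
    return "legal", None


def handle_syscall(event: Dict[str, str], rules: List[ProhibitionRule]) -> Dict[str, object]:
    """S220 classification, then S232 for non-file-write calls, then S250/S260.
    File write calls are routed to the data check of S231, which is not modelled here."""
    if event["syscall"] in FILE_WRITE_SYSCALLS:
        return {"type": "file_write", "verification": "data_to_be_written", "action": "defer_to_S231"}
    if event["syscall"] not in NON_FILE_WRITE_SYSCALLS:
        return {"type": "not_hooked", "verification": None, "action": "release"}
    result, rule = check_access_rights(event, rules)
    return {
        "type": "non_file_write",
        "verification": "access_right",
        "result": result,
        "action": "intercept" if result == "illegal" else "release",
        "rule": rule,
    }


# --- constructed configuration and captured events --------------------------
RULES = [
    ProhibitionRule(path_prefix="/data/", program="blacklisted-tool"),  # association of two dimensions
    ProhibitionRule(file_name="shadow"),                                # any program, any path
]

EVENTS = {
    "blacklisted_reads_data": {"syscall": "openat", "file_path": "/data/customers.db", "program": "blacklisted-tool"},
    "backup_reads_data":      {"syscall": "openat", "file_path": "/data/customers.db", "program": "backup-agent"},
    "dotted_path_variant":    {"syscall": "openat", "file_path": "/data/./tmp/../customers.db", "program": "blacklisted-tool"},
    "anyone_reads_shadow":    {"syscall": "read",   "file_path": "/etc/shadow", "program": "backup-agent"},
    "write_call":             {"syscall": "write",  "file_path": "/data/customers.db", "program": "backup-agent"},
}


def decide_all() -> Dict[str, str]:
    """Action taken for each constructed event; used by the demo below and by tests."""
    return {name: str(handle_syscall(ev, RULES)["action"]) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, action in decide_all().items():
        print(f"{name}: {action}")
```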
Fig. 5 schematically illustrates a flowchart of an eBPF procedure injected in an eBPF-based file protection method according to another embodiment of the present disclosure.
As shown in fig. 5, the file protection method according to the embodiment further includes operations S501 to S503. Among them, operations S501 to S503 are performed before operation S210 for injecting an eBPF program into the kernel space.
First, in operation S501, file protection configuration information provided by a user is obtained, where the file operation types set in the file protection configuration information for system calls of file operations include a file write operation and a non-file write operation, and different verification manners are set for the file write operation and the non-file write operation.
The file protection configuration information may be information carried in a message transmitted according to an operation of a developer or an operation and maintenance person in the operation and maintenance terminal 107, or may be information stored in a user document at a cloud end or the like.
Next, in operation S502, the code of the eBPF program is generated based on the file protection configuration information. The code of the eBPF program may be, for example, code in a language such as C, C++ or Python.
For example, a user interface may be provided in which file protection configuration information is edited by a user (e.g., an operation and maintenance person), for example, by filling in parameters of each dimension in the above access prohibition information, or by filling in information such as a transmission address or a transmission manner for transmitting a system call for a file writing operation to the file feature detection subsystem. In one embodiment, the user interaction interface may be a rule template containing a list, drop down or select buttons, logical operators, and the like. For example, the rule template may be provided to the operation and maintenance terminal 107 used by the operation and maintenance personnel or the developer, and the operation and maintenance personnel or the developer fills in the file protection configuration information in the rule template, and after filling in, the file protection configuration information is sent to the server 105 in a message manner. The server 105 then extracts the file protection configuration information from the message after receiving it and converts it to code of the eBPF program. The rule template can be used for reducing the threshold for writing file protection configuration information and improving the generation efficiency of the eBPF program.
Then, in operation S503, the code of the eBPF program is injected into the kernel space. During injection, the eBPF program is hooked to the system call hook for file operation set in the file protection configuration information.
Fig. 6 schematically shows a diagram of loading the code of an eBPF program into the kernel space. With reference to fig. 6, when the code of an eBPF program is injected into the kernel space, the code is first compiled into bytecode by the Clang compiler or LLVM (Low Level Virtual Machine), and the bytecode can then be dynamically loaded into the kernel space by calling an eBPF program loading interface function of the system of the server 105 (e.g., bpf_attach_kprobe(), bpf_prog_load() or a similar function). The whole process can be a hot deployment that does not require restarting the server 105.
The embodiment can facilitate the non-professional developer or operation and maintenance personnel to write the self-defined file protection configuration information and automatically inject the eBPF program into the kernel space.
Fig. 7 schematically illustrates a flowchart of an eBPF-based file protection method of a further embodiment of the present disclosure.
As shown in fig. 7, the eBPF-based file protection method according to this embodiment may include operations S1 to S7.
First in operation S1: the operation and maintenance personnel can edit the file protection configuration information in the monitoring management interface of the operation and maintenance terminal 107. For example, a rule template may be provided in the operation and maintenance terminal 107 to facilitate the non-professional programmer to custom fill out the file protection configuration information via the rule template.
Next in operation S2: the file protection configuration information filled in by the user is forwarded in the form of a message. The operation and maintenance terminal generates a message based on the file protection configuration information filled in by the user, and forwards the message to the server 105.
Next in operation S3: the server 105 generates an eBPF program according to the file protection configuration information in the message and injects the eBPF program into the kernel space of the server 105.
Next in operation S4: when the eBPF program loaded in the kernel space monitors that a process or a thread performs file operation, triggering a file protection eBPF hook to capture the current triggered target system call.
In operation S5: the eBPF program determines whether the target system call is a file write operation.
In operation S6: if the target system call is a file write operation, the data to be written in the target system call is output to the file feature detection subsystem, which judges through file feature verification whether the data is threatening file data and feeds the verification result back to the eBPF program. The eBPF program decides according to the fed-back result whether to release the target system call, and finally feeds the result back to the operation and maintenance terminal 107 for the operation and maintenance personnel to check.
In operation S7: if the target system call is not a file write operation, whether the access authority of the target system call is legal (for example, whether it accesses an access-prohibited sensitive path or sensitive file configured by the operation and maintenance personnel) is checked by means such as rule matching against the access prohibition information in the file protection configuration information, and the result is fed back to the operation and maintenance terminal 107 for the operation and maintenance personnel to check.
The results fed back to the operation and maintenance terminal 107 may include information such as the file operation type to which the target system call belongs, the used verification mode, the verification result, release or interception, etc., so that the operation and maintenance personnel can conveniently check the running state of the eBPF program according to the result of the operation and maintenance terminal 107, and monitor and analyze illegal file operations.
Fig. 8 schematically illustrates a block diagram of a file protection apparatus 800 according to an embodiment of the present disclosure.
As shown in fig. 8, a file protection device 800 according to an embodiment of the present disclosure may include a monitoring blocking module 810. According to further embodiments of the present disclosure, the file protection device 800 may further include a file feature detection subsystem 820 and/or a code generation and injection module 830. The file protection device 800 may perform the methods described with reference to the foregoing fig. 2-7.
The monitoring blocking module 810 is an eBPF program injected into the kernel space, wherein the eBPF program includes file protection configuration information, and during injection the eBPF program is hooked to the system call hook for file operation set in the file protection configuration information. The monitoring blocking module 810 is configured to check the validity of the target system call according to the validity check manner configured in the file protection configuration information when the triggered target system call is a system call hooked by the eBPF program, to release the target system call when it is checked to be valid, and to intercept the target system call when it is not valid. The file operation types set in the file protection configuration information for system calls of file operations comprise a file write operation and a non-file write operation, wherein different verification modes are set for the file write operation and the non-file write operation.
The file feature detection subsystem 820 is configured to receive data to be written in the target system call transmitted by the monitoring blocking module 810 when the target system call belongs to a file write operation, check validity of the data to be written, and send a check result to the monitoring blocking module 810. In one embodiment, the file feature detection subsystem 820 may verify the legitimacy of the data to be written based on a comparison of the file features of the data to be written to the data in the high-risk virus Trojan file library.
The code generation and injection module 830 is configured to: acquire file protection configuration information provided by a user, wherein the file operation types set in the file protection configuration information for system calls of file operations comprise a file write operation and a non-file write operation, and different verification modes are set for the file write operation and the non-file write operation; generate the code of the eBPF program based on the file protection configuration information; and inject the code of the eBPF program into the kernel space.
Fig. 9 schematically illustrates a block diagram of the monitoring blocking module 810 in the file protection device according to an embodiment of the present disclosure.
Referring to fig. 8 and 9, in an embodiment, the monitoring blocking module 810 may include a monitoring unit 811, a judging unit 812, a checking unit 813, and a processing unit 814.
The monitoring unit 811 is configured to capture a target system call through an eBPF program in response to the target system call currently triggered being a system call hooked by the eBPF program. In one embodiment, the monitoring unit 811 may perform operation S210 described previously.
The determining unit 812 is configured to determine a file operation type to which the target system call belongs. In one embodiment, the judging unit 812 may perform operation S220 described previously.
The verification unit 813 is configured to verify validity of the target system call according to a verification manner set in the file protection configuration information and corresponding to a file operation type to which the target system call belongs, so as to obtain a verification result.
The check unit 813 includes a file write operation check subunit 8131 and an other file operation check subunit 8132.
The file write operation checking subunit 8131 is configured to check validity of data to be written in the target system call when the file operation type to which the target system call belongs is a file write operation. In one embodiment, the file write operation checking subunit 8131 may perform operation S231 described previously.
In one embodiment, the file write operation checking subunit 8131 is configured to transmit, when the file operation type to which the target system call belongs is a file write operation, the data to be written in the target system call to the file characteristic detecting subsystem 820 by using the eBPF program. The file characteristic detecting subsystem 820 is used for verifying the validity of the data to be written, and sending the verification result to the file writing operation verifying subunit 8131.
The other file operation checking subunit 8132 is configured to check validity of access authority of the target system call when the file operation type to which the target system call belongs is a non-file write operation. In one embodiment, the other file operation checking subunit 8132 may perform operation S232 described previously.
The processing unit 814 is configured to intercept the target system call when the verification result is illegal, and to release the target system call when the verification result is legal. In one embodiment, the processing unit 814 may perform operation S260 described previously.
Any of the monitoring blocking module 810, the file feature detection subsystem 820, the code generation and injection module 830, the monitoring unit 811, the judging unit 812, the verifying unit 813, and the processing unit 814 may be combined into one module for implementation, or any of the modules may be split into a plurality of modules according to an embodiment of the present disclosure. Alternatively, at least some of the functionality of one or more of these modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the monitoring blocking module 810, the file feature detection subsystem 820, the code generation and injection module 830, the monitoring unit 811, the judging unit 812, the verifying unit 813, and the processing unit 814 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system-on-chip, a system-on-substrate, a system-on-package, an Application Specific Integrated Circuit (ASIC), or in hardware or firmware in any other reasonable manner of integrating or packaging circuitry, or in any one of, or a suitable combination of, software, hardware, and firmware. Alternatively, at least one of the monitoring blocking module 810, the file feature detection subsystem 820, the code generation and injection module 830, the monitoring unit 811, the judging unit 812, the verifying unit 813, and the processing unit 814 may be at least partially implemented as a computer program module, which performs the corresponding functions when executed.
Fig. 10 schematically illustrates a system architecture to which a file protection device 1000 according to another embodiment of the present disclosure is applied.
As shown in fig. 10, the system architecture includes a monitoring management panel 1001, a file protection device 1000, and a cloud server host or virtual machine 1002. In this system architecture, the file protection apparatus 1000 can interact with an operation and maintenance person through the monitoring management panel 1001. Meanwhile, the file protection apparatus 1000 may perform the file protection method of the embodiment of the present disclosure, for protecting file data in the cloud server host or the virtual machine 1002.
Monitoring management panel 1001: the file protection configuration information can be configured manually by operation and maintenance personnel, and the operation state of the file protection device 1000, an alarm and malicious file blocking operation can be checked.
File protection device 1000: according to the eBPF-based file protection method, file operations can be monitored in the kernel space of the operating system, and malicious file operation behaviors can be intercepted according to the file protection configuration information.
Among them, the file protection apparatus 1000 includes a policy management subsystem 1003, a file protection subsystem 1004, and a file feature detection subsystem 820.
Policy management subsystem 1003: receives the manually configured file protection configuration information from the monitoring management panel 1001, converts the file protection configuration information into a message, and sends the message to the file protection subsystem 1004 through a remote interface call. The policy management subsystem 1003 may be integrated with the monitoring management panel 1001 in the operation and maintenance terminal 107.
File protection subsystem 1004: receives the message from the policy management subsystem 1003, extracts the file protection configuration information from it, and then generates the code of the eBPF program according to information conversion rules or a predetermined conversion template. After the code of the eBPF program is compiled into bytecode in the manner illustrated in fig. 6, it is dynamically attached to the system kernel space of the cloud server host or virtual machine 1002 through the eBPF program loading interface function; this is a hot deployment, so the cloud server host or virtual machine 1002 does not need to be restarted. After the eBPF program is loaded, if a thread or process in the cloud server host or virtual machine 1002 triggers a system call hooked by the eBPF program, the interception rules in the file protection configuration information in the eBPF program are triggered. The specific steps can be as follows: first it is judged whether the intercepted system call is a file write operation; if so, the data is sent to the file feature detection subsystem 820 and checked by comparison of file features; if it is not a file write operation (for example, file read, file close, file open), the validity check of the access right is performed according to the access prohibition information in the file protection configuration information, and if the check fails, the operation is regarded as dangerous and intercepted, while the interception information is fed back to the monitoring management panel 1001.
File feature detection subsystem 820: if the file protection subsystem 1004 triggers detection of a system call of the file write operation type, for example because it detects that the system of the cloud server host or virtual machine 1002 is performing a file upload or overwrite action, the file protection subsystem 1004 first transfers the data to be written for uploading or overwriting to the file feature detection subsystem 820. The file feature detection subsystem 820 extracts file features such as file feature codes from the data to be written and compares them with the file features in the high-risk virus Trojan horse file library to identify whether the file is a malicious virus Trojan horse file. If it is a malicious Trojan horse file, the file is discarded and writing into the cloud server host or virtual machine 1002 is refused; otherwise, the file protection subsystem 1004 is informed to release the operation. Finally, the processing result is fed back to the monitoring management panel 1001.
Fig. 11 schematically shows a block diagram of the policy management subsystem 1003 in the file protection device 1000 shown in fig. 10.
As shown in fig. 11, the policy management subsystem 1003 includes a configuration information receiving module 301, an instruction integrating and issuing module 302, and a result receiving module 303.
The configuration information receiving module 301 has a built-in rule base for writing file protection configuration information. Through the rule templates in the monitoring management panel 1001, the operation and maintenance personnel define rule parameters in the configuration information, such as setting a file name or file path and specifying that a certain specific file or path is not allowed to be downloaded; for another example, a file name or file path may be set in association with a program name to specify that files under a folder such as \data\ cannot be read or written by a certain blacklist program; for another example, it may be set that all data to be written in uploaded files requires security detection. A set of templated and structured file protection configuration information is then generated.
The instruction integration and issue module 302 converts the file protection configuration information into a specific message, where the message parameters may include the IP address of the cloud server host or virtual machine 1002 and the file protection configuration information. The message is then sent to the file protection subsystem 1004 via a remote interface call.
The result receiving module 303 receives interception information and malicious files or malicious operation information fed back by the file protecting subsystem 1004, and dynamically displays the interception information and the malicious files or the malicious operation information to the monitoring management panel 1001 for operation and maintenance personnel to check.
Fig. 12 schematically shows a block diagram of the file protection subsystem 1004 of the file protection device 1000 shown in fig. 10.
As shown in fig. 12, the file protection subsystem 1004 may include a message receiving module 401, a code generating and injecting module 830, a monitoring blocking module 810, and a result feedback module 404.
The message receiving module 401 is responsible for receiving messages sent by the policy management subsystem 1003.
The code generating and injecting module 830 converts the file protection configuration information in the received message into the code of the eBPF program, compiles the code of the eBPF program through the process shown in fig. 6, and then automatically injects the eBPF program into the system kernel of the cloud server host or virtual machine 1002 through the eBPF program loading interface function of the system of the cloud server host or virtual machine 1002, thereby forming the monitoring blocking module 810.
The result feedback module 404 interfaces with the result receiving module 303 and feeds the file protection processing results back to the operation and maintenance personnel for checking.
The code generating and injecting module 830 is mainly used for converting the received set of structured and templated file protection configuration information, written based on the rule template, into an eBPF program with the file protection function, and injecting the eBPF program into the cloud host or virtual machine corresponding to the IP address in the message, such as a database server or a web server. In one embodiment, the injection process calls the system API "bpf()" functions (e.g., bpf_attach_kprobe(), bpf_prog_load()) so that the file operation system calls set in the configuration (system file call functions such as open(), read(), write(), close()) are hooked in the system kernel space for monitoring purposes.
The monitoring blocking module 810: after the eBPF program is injected, it becomes the monitoring blocking module 810 running in the system kernel space. When a thread (or process) makes a file-operation-class system call, the monitoring blocking module 810 triggers the file protection eBPF hook to capture the file operation, and then filters and blocks the file operation according to the file protection configuration information (for example, access is not allowed if it is detected that the accessed file path is a user-defined path, such as /dra/, where sensitive files are stored); if the operation is a file write operation, the data to be written is output to the file feature detection subsystem 820, and after the file feature detection subsystem 820 finishes detecting the file, the result is fed back to the monitoring blocking module 810. For details of the monitoring blocking module 810, reference is made to the foregoing description, which is not repeated here.
Fig. 13 schematically shows a block diagram of a file characteristic detection subsystem 820 in the file protection device 1000 shown in fig. 10.
As shown in fig. 13, the file feature detection subsystem 820 includes a file receiving module 501, a file feature comparison module 502, and a comparison result module 503.
The file receiving module 501 is responsible for receiving the data to be written transmitted by the monitoring blocking module 810, and transmitting the data to be written to the file feature comparison module 502.
The file feature comparison module 502 determines whether the data to be written is a high-risk virus Trojan horse file through comparison of file features including, but not limited to, the file hash value, specific signatures, the file structure and the like.
The comparison result module 503 feeds the analysis result of the file feature comparison module 502 back to the monitoring blocking module 810.
The file protection device 1000 in the embodiment of the present disclosure may inject custom file protection configuration information into the bottom layer of the cloud server host or the virtual machine 1002 through an eBPF technology, when a system executes a file operation, trigger a detection flow of the file operation, perform a file operation check, and if it is determined that a malicious file operation or a malicious file upload is performed, intercept and discard in the kernel space of the cloud server host or the virtual machine 1002. In this way, the comprehensiveness of monitoring the file operation of the cloud server host or the virtual machine 1002 is improved, real-time sensitive high-risk operation interception can be performed, the robustness of the system is ensured, and the security of the cloud server host or the virtual machine 1002 is improved.
Fig. 14 schematically illustrates a block diagram of an electronic device 1400 adapted to implement an eBPF-based file protection apparatus in accordance with an embodiment of the present disclosure.
As shown in fig. 14, an electronic device 1400 according to an embodiment of the present disclosure includes a processor 1401 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1402 or a program loaded from a storage section 1408 into a Random Access Memory (RAM) 1403. The processor 1401 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 1401 may also include on-board memory for caching purposes. The processor 1401 may include a single processing unit or a plurality of processing units for performing different actions of the method flows according to embodiments of the present disclosure.
In the RAM 1403, various programs and data necessary for the operation of the electronic device 1400 are stored. The processor 1401, ROM 1402, and RAM 1403 are connected to each other through a bus 1404. The processor 1401 performs various operations of the method flow according to the embodiment of the present disclosure by executing programs in the ROM 1402 and/or the RAM 1403. Note that the program may be stored in one or more memories other than the ROM 1402 and the RAM 1403. The processor 1401 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the disclosure, the electronic device 1400 may also include an input/output (I/O) interface 1405, which is also connected to the bus 1404. The electronic device 1400 may also include one or more of the following components connected to the I/O interface 1405: an input section 1406 including a keyboard, a mouse, and the like; an output section 1407 including a display such as a Cathode Ray Tube (CRT) or a Liquid Crystal Display (LCD), a speaker, and the like; a storage section 1408 including a hard disk or the like; and a communication section 1409 including a network interface card such as a LAN card, a modem, and the like. The communication section 1409 performs communication processing via a network such as the Internet. A drive 1410 is also connected to the I/O interface 1405 as needed. Removable media 1411, such as a magnetic disk, an optical disk, a magneto-optical disk or semiconductor memory, is mounted on the drive 1410 as needed so that a computer program read from it can be installed into the storage section 1408 as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 1402 and/or RAM 1403 described above and/or one or more memories other than ROM 1402 and RAM 1403.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to perform the methods provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1401. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be carried on a tangible storage medium such as an optical storage device or a magnetic storage device. In another embodiment, the computer program may also be transmitted and distributed over a network medium in the form of a signal, and downloaded and installed via the communication portion 1409 and/or installed from the removable medium 1411. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to wireless, wired, or any suitable combination of the foregoing.
According to embodiments of the present disclosure, the program code of the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or in assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, C or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (for example, via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined in various ways, even if such combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be combined in various ways without departing from the spirit and teachings of the present disclosure. All such combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (16)

1. An eBPF-based file protection method, comprising:
in response to a currently triggered target system call being a system call hooked by an eBPF program, capturing the target system call by the eBPF program, wherein the eBPF program is a program injected into kernel space, the eBPF program comprises file protection configuration information, and the eBPF program is hooked to the system calls for file operations set in the file protection configuration information during injection of the eBPF program;
determining the file operation type to which the target system call belongs;
verifying the validity of the target system call according to the verification mode, set in the file protection configuration information, that corresponds to the file operation type to which the target system call belongs, to obtain a verification result, wherein the verifying comprises:
when the file operation type to which the target system call belongs is a file write operation, verifying the validity of the data to be written by the target system call; and
when the file operation type to which the target system call belongs is a non-file write operation, verifying the validity of the access right of the target system call;
when the verification result is illegal, intercepting the target system call by the eBPF program; and
when the verification result is legal, releasing the target system call by the eBPF program.
2. The method of claim 1, wherein verifying the validity of the data to be written by the target system call when the file operation type to which the target system call belongs is a file write operation comprises:
transmitting, by the eBPF program, the data to be written by the target system call to a file feature detection subsystem; and
verifying the validity of the data to be written with the file feature detection subsystem, and sending the verification result to the eBPF program.
3. The method of claim 2, wherein verifying the validity of the data to be written with the file feature detection subsystem comprises:
verifying the validity of the data to be written based on file feature comparison of the data to be written with data in a high-risk virus and Trojan file library.
4. The method of claim 3, wherein the file feature comparison comprises comparison on at least one of: file hash value, specific signature, or file structure.
5. The method of claim 1, wherein the non-file write operation comprises at least one of the following file operations: file read operations, file close operations, or file open operations.
6. The method of claim 5, wherein the file protection configuration information includes access prohibition information, wherein the verifying the legitimacy of the access right of the target system call when the file operation type to which the target system call belongs is a non-file write operation includes:
matching, by the eBPF program, the parameters of the target system call against the access prohibition information;
if the matching succeeds, determining that the access right of the target system call is illegal; and
if the matching fails, determining that the access right of the target system call is legal.
7. The method of claim 6, wherein,
the parameters of the target system call include at least one of: the file name accessed by the target system call, the file path accessed by the target system call or the program triggering the target system call;
the access prohibition information includes parameters in at least one of the following dimensions: an access-prohibited file name, an access-prohibited file path, or a blacklisted program.
8. The method of any of claims 1-7, wherein injecting the eBPF program into the kernel space is performed as follows:
acquiring the file protection configuration information provided by a user, wherein the file operation types of the system calls for file operations are set in the file protection configuration information and comprise file write operations and non-file write operations, and different verification modes are set for file write operations and non-file write operations;
generating code of the eBPF program based on the file protection configuration information; and
injecting the code of the eBPF program into the kernel space.
9. The method of claim 8, wherein the system is not restarted during injection of code of the eBPF program into the kernel space.
10. The method of claim 8, wherein the injecting code of the eBPF program into the kernel space comprises:
compiling the code of the eBPF program into bytecode;
calling an eBPF program loading interface function of the system; and
loading the bytecode into the kernel space by means of the eBPF program loading interface function.
11. The method of claim 8, wherein the obtaining the file protection configuration information provided by the user comprises:
providing a rule template to an operation and maintenance terminal; and
receiving a message sent by the operation and maintenance terminal, wherein the message is generated based on the file protection configuration information filled into the rule template.
12. The method of claim 11, wherein after the eBPF program intercepts the target system call, the method further comprises:
sending interception information of the target system call to the operation and maintenance terminal.
13. An eBPF-based file protection device, comprising a monitoring blocking module, wherein the monitoring blocking module is an eBPF program injected into kernel space, the eBPF program comprises file protection configuration information, and the eBPF program is hooked to the system calls for file operations set in the file protection configuration information during injection of the eBPF program; wherein the monitoring blocking module includes:
a monitoring unit, configured to capture, by the eBPF program, a currently triggered target system call in response to the target system call being a system call hooked by the eBPF program;
the judging unit is used for judging the file operation type to which the target system call belongs;
the verification unit is used for verifying the validity of the target system call according to a verification mode corresponding to the file operation type of the target system call, which is set in the file protection configuration information, so as to obtain a verification result; and
the processing unit is used for intercepting the target system call when the verification result is illegal; and when the verification result is legal, releasing the target system call;
wherein, the check unit includes:
a file write operation verification subunit, configured to verify the validity of the data to be written by the target system call when the file operation type to which the target system call belongs is a file write operation; and
another file operation verification subunit, configured to verify the validity of the access right of the target system call when the file operation type to which the target system call belongs is a non-file write operation.
14. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-12.
15. A computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the method of any of claims 1 to 12.
16. A computer program product comprising computer program instructions which, when executed by a processor, implement the method of any one of claims 1 to 12.
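The verification flow that the description above gives for the monitor blocking module and the file feature detection subsystem, and that claims 1 to 7 and 11 define, modelled in user space as an added example (this is not code from the patent or from its applicant): a captured syscall event is classified as a file write or a non-file write; write data is compared with a high-risk library by hash, byte signature and file structure; every other hooked call is matched against access-prohibited file names, path prefixes and a blacklisted program. The event fields, the rule template keys, the set of hooked syscalls and the reading of "file structure" as leading magic bytes are assumptions of this example; the sample template and events are constructed, and the indicators are not real malware data.

```python
import hashlib
from dataclasses import dataclass

# Syscalls the hypothetical eBPF hook attaches to, grouped by the two
# verification modes of claim 1 (file write versus non-file write).
WRITE_CALLS = frozenset({"write", "pwrite64", "writev"})
NON_WRITE_CALLS = frozenset({"open", "openat", "read", "close"})

@dataclass(frozen=True)
class SyscallEvent:
    """One captured file-operation syscall (constructed event format)."""
    name: str          # syscall name
    comm: str          # program that triggered the call
    path: str          # file path the call accesses
    data: bytes = b""  # buffer to be written (write calls only)

@dataclass(frozen=True)
class ProtectionConfig:
    """File protection configuration information (claims 3, 4, 6 and 7)."""
    denied_names: frozenset        # prohibited file names
    denied_paths: tuple            # prohibited directory prefixes
    blacklist_programs: frozenset  # programs never allowed to touch files
    bad_hashes: frozenset          # SHA-256 hex digests of known-bad files
    bad_signatures: tuple          # byte patterns found anywhere in bad files
    bad_magic: tuple               # "file structure" read as leading bytes (assumption)

def config_from_template(filled: dict) -> ProtectionConfig:
    """Build the configuration from a filled-in rule template (claim 11);
    the template keys are an assumption of this example."""
    return ProtectionConfig(
        denied_names=frozenset(filled.get("deny_names", [])),
        denied_paths=tuple(filled.get("deny_paths", [])),
        blacklist_programs=frozenset(filled.get("blacklist_programs", [])),
        bad_hashes=frozenset(h.lower() for h in filled.get("bad_hashes", [])),
        bad_signatures=tuple(bytes.fromhex(s) for s in filled.get("bad_signatures_hex", [])),
        bad_magic=tuple(bytes.fromhex(m) for m in filled.get("bad_magic_hex", [])),
    )

def classify(ev: SyscallEvent):
    """Claim 1: which file operation type the call belongs to (None = not hooked)."""
    if ev.name in WRITE_CALLS:
        return "write"
    return "non_write" if ev.name in NON_WRITE_CALLS else None

def check_write_data(data: bytes, cfg: ProtectionConfig):
    """Claims 2 to 4: compare the data to be written with the high-risk library
    by hash, byte signature and structure. Returns (legal, reason)."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in cfg.bad_hashes:
        return False, "hash match " + digest[:12]
    for sig in cfg.bad_signatures:
        if sig in data:
            return False, "signature match " + sig.hex()
    for magic in cfg.bad_magic:
        if data.startswith(magic):
            return False, "structure match magic " + magic.hex()
    return True, "no feature match"

def check_access(ev: SyscallEvent, cfg: ProtectionConfig):
    """Claims 6 and 7: match the call parameters against the prohibition info."""
    name = ev.path.rsplit("/", 1)[-1]
    if name in cfg.denied_names:
        return False, "denied file name " + name
    # Match on a directory boundary so that /dra/path does not catch /dra/pathology.
    for prefix in cfg.denied_paths:
        if ev.path == prefix or ev.path.startswith(prefix.rstrip("/") + "/"):
            return False, "denied path " + ev.path
    if ev.comm in cfg.blacklist_programs:
        return False, "blacklisted program " + ev.comm
    return True, "no prohibition match"

def verify(ev: SyscallEvent, cfg: ProtectionConfig):
    """Claim 1 end to end: returns ("INTERCEPT" or "RELEASE", reason)."""
    kind = classify(ev)
    if kind is None:
        return "RELEASE", "syscall not hooked"
    legal, reason = check_write_data(ev.data, cfg) if kind == "write" else check_access(ev, cfg)
    return ("RELEASE" if legal else "INTERCEPT"), reason

# Constructed rule template; the indicators are made up, not real malware data.
SAMPLE_TEMPLATE = {
    "deny_names": ["shadow"],
    "deny_paths": ["/dra/path"],
    "blacklist_programs": ["nc"],
    "bad_hashes": [hashlib.sha256(b"EVIL-PAYLOAD").hexdigest()],
    "bad_signatures_hex": ["4556494c2d534947"],  # the bytes "EVIL-SIG"
    "bad_magic_hex": ["4d5a"],                    # "MZ": block PE drops on this host
}
SAMPLE_CONFIG = config_from_template(SAMPLE_TEMPLATE)

if __name__ == "__main__":
    for ev in (SyscallEvent("openat", "cat", "/dra/path/secret.txt"),
               SyscallEvent("read", "sshd", "/etc/shadow"),
               SyscallEvent("openat", "nc", "/tmp/x"),
               SyscallEvent("write", "curl", "/tmp/up.bin", b"MZ\x90\x00"),
               SyscallEvent("write", "curl", "/tmp/note.txt", b"hello"),
               SyscallEvent("ioctl", "bash", "/dev/tty")):
        print(ev.name, ev.path, *verify(ev, SAMPLE_CONFIG))
```

Two points worth checking before a kernel-side version of this policy is deployed. First, the path rule is matched on a directory boundary, so a rule for /dra/path does not catch /dra/pathology; a plain string prefix would. Second, because claim 1 checks a write call only on its data, a write by a blacklisted program to a prohibited path is released when the data is clean, so the design relies on the preceding open being intercepted. In the kernel itself, an eBPF program can only intercept a system call from a program type that returns a verdict, for instance a BPF LSM hook, or a kprobe on an error-injectable function using bpf_override_return; ordinary tracepoints observe but cannot block.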

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310395381.7A CN116415300A (en) 2023-04-13 2023-04-13 File protection method, device, equipment and medium based on eBPF

Publications (1)

Publication Number Publication Date
CN116415300A true CN116415300A (en) 2023-07-11

Family

ID=87055994

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310395381.7A Pending CN116415300A (en) 2023-04-13 2023-04-13 File protection method, device, equipment and medium based on eBPF

Country Status (1)

Country Link
CN (1) CN116415300A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117312099A (en) * 2023-11-28 2023-12-29 麒麟软件有限公司 File system event monitoring method
CN117312099B (en) * 2023-11-28 2024-04-05 麒麟软件有限公司 File system event monitoring method


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination