CN118194307A - Method for improving security of a Xinchuang operating system - Google Patents
Method for improving security of a Xinchuang (信创, domestic information-technology innovation) operating system
- Publication number: CN118194307A (application CN202410598508.XA)
- Authority: CN (China)
- Prior art keywords: hook, security, operating system, module, point
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention relates to the technical field of operating systems, in particular to a method for improving the security of a Xinchuang operating system. The method adopts the Linux Security Modules (LSM) framework and implements hook technology inside the operating system kernel: the LSM is allowed to intercept and handle security decisions in the kernel through hook points, and by setting up monitoring and checking at key hook points, system calls made while the operating system runs are recorded and subjected to mandatory control. The method markedly improves the security of the operating system, can effectively resist attacks by various kinds of malicious software, protects users' information security and system stability, is applicable to a wide range of computer operating systems, and has high practical and promotional value.
Description
Technical Field
The invention relates to the technical field of operating systems, in particular to a method for improving the security of a Xinchuang operating system.
Background
In today's environment of highly developed information technology, the security of the operating system has become a focus of attention for users and enterprises. Conventional security mechanisms, however, often struggle to cope comprehensively with the full range of complex security threats, so innovative methods of security enhancement are continually being sought. Hook technology is an effective means of security enhancement: by intercepting system calls and application behaviour, it monitors and controls system behaviour and so improves the security of the operating system.
To solve the problem that existing operating systems are insufficiently secure when attacked by malicious software, the invention provides a method for improving the security of a Xinchuang operating system.
Disclosure of Invention
To make up for the shortcomings of the prior art, the invention provides a simple and efficient method for improving the security of a Xinchuang operating system.
The invention is realized by the following technical scheme:
A method for improving the security of a Xinchuang operating system is characterized by comprising the following steps: adopting the Linux Security Modules (LSM) framework and implementing hook technology in the operating system kernel, allowing the LSM to intercept and handle security decisions in the operating system kernel through hook points, and recording and applying mandatory control to system calls made while the operating system runs by setting up monitoring and checking at key hook points;
The specific operation is as follows:
Monitoring is set at the hook point: during normal operation of the operating system, the parameters of the hook function are recorded, and the hook-function summary is then sampled and collated;
Checking is set at the hook point: once the check switch is turned on, when a system call reaches the hook point, mandatory control is applied according to the access control policy set in advance, that is, the call is allowed or refused.
When a user executes a system call, the kernel first performs functional error checking through its original interface, then performs the traditional Discretionary Access Control (DAC) check, and, immediately before the internal kernel object is accessed, calls the LSM through the LSM hook function; the LSM invokes the specific access control policy to determine whether the access is legitimate.
The method comprises the following steps:
Step S1, determining the key system call points;
analysing the operating system and determining the key system call points to use as hook points, so as to control file operations, network communication or process management;
Step S2, designing the hook module;
for each determined key system call point, designing a corresponding hook module that intercepts the system call and performs security checks;
Step S3, implementing the hook function;
implementing the hook module in the operating system and integrating it into the system kernel, so that the hook module is guaranteed to intercept and handle system calls effectively;
Step S4, performing security checks;
after the hook module intercepts the system call, performing the corresponding security checks, including authority verification and parameter filtering, so as to ensure the security of the system behaviour;
Step S5, monitoring and responding in real time;
monitoring the execution of system calls in real time so that abnormal behaviour is discovered promptly, and taking the corresponding response measures, including refusing access and raising an alarm.
The system for improving the security of a Xinchuang operating system is characterized in that it adopts the Linux Security Modules (LSM) framework and comprises the LSM and a hook point setting module;
the hook point setting module is responsible for setting hook points in the operating system kernel;
the LSM is responsible for intercepting and handling security decisions in the operating system kernel through the hook points, for monitoring and checking at the key hook points, and for recording and applying mandatory control to system calls made while the operating system runs; it invokes the specific access control policy to determine whether an access is legitimate.
The LSM is responsible for setting a monitoring program at a hook point, which monitors the execution of system calls in real time so that abnormal behaviour is discovered promptly and the corresponding response, including refusing access and raising an alarm, is taken; at the same time, during normal operation of the operating system, the parameters of the hook function are recorded and the hook-function summary is sampled and collated.
The LSM is responsible for setting a checking program at a hook point; once the check switch is turned on, when a system call reaches the hook point, the corresponding security checks, including authority verification and parameter filtering, are performed and mandatory control is applied according to the access control policy set in advance, that is, the call is allowed or refused, so that the security of the system behaviour is ensured.
The hook point setting module comprises a key system call point sub-module, a hook design sub-module and a hook integration sub-module;
the key system call point sub-module is responsible for analysing the operating system and determining the key system call points to use as hook points, so as to control file operations, network communication or process management;
the hook design sub-module is responsible for designing, for each determined key system call point, a corresponding hook module that intercepts the system call and performs security checks;
the hook integration sub-module is responsible for implementing the hook module in the operating system, integrating it into the system kernel, and ensuring that it can effectively intercept and handle system calls.
An apparatus for implementing the method for improving the security of a Xinchuang operating system comprises a memory and a processor; the memory is used to store a computer program, and the processor implements the method steps described above when executing the computer program.
A readable storage medium is characterized in that it stores a computer program which, when executed by a processor, implements the method steps described above.
The beneficial effects of the invention are as follows: the method for improving the security of a Xinchuang operating system markedly improves the security of the operating system, can effectively resist attacks by various kinds of malicious software, protects users' information security and system stability, is applicable to a wide range of computer operating systems, and has high practical and promotional value.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of the method for improving the security of a Xinchuang operating system according to the present invention.
FIG. 2 is a schematic diagram of the execution process of the Linux security module LSM of the present invention.
Detailed Description
In order to enable those skilled in the art to better understand the technical solution of the present invention, the following description will make clear and complete description of the technical solution of the present invention in combination with the embodiments of the present invention. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
According to the method for improving the security of a Xinchuang operating system, the Linux Security Modules (LSM) framework is adopted and hook technology is implemented in the operating system kernel: the LSM is allowed to intercept and handle security decisions in the operating system kernel through hook points, and by setting up monitoring and checking at key hook points, system calls made while the operating system runs are recorded and subjected to mandatory control;
The specific operation is as follows:
Monitoring is set at the hook point: during normal operation of the operating system, the parameters of the hook function are recorded, and the hook-function summary is then sampled and collated;
Checking is set at the hook point: once the check switch is turned on, when a system call reaches the hook point, mandatory control is applied according to the access control policy set in advance, that is, the call is allowed or refused.
When a user executes a system call, the kernel first performs functional error checking through its original interface, then performs the traditional Discretionary Access Control (DAC) check, and, immediately before the internal kernel object is accessed, calls the LSM through the LSM hook function; the LSM invokes the specific access control policy to determine whether the access is legitimate.
The LSM interface is implemented on the basis of an analysis of the LSM framework.
The method comprises the following steps:
Step S1, determining the key system call points;
analysing the operating system and determining the key system call points to use as hook points, so as to control file operations, network communication or process management;
Step S2, designing the hook module;
for each determined key system call point, designing a corresponding hook module that intercepts the system call and performs security checks;
Step S3, implementing the hook function;
implementing the hook module in the operating system and integrating it into the system kernel, so that the hook module is guaranteed to intercept and handle system calls effectively;
Step S4, performing security checks;
after the hook module intercepts the system call, performing the corresponding security checks, including authority verification and parameter filtering, so as to ensure the security of the system behaviour;
Step S5, monitoring and responding in real time;
monitoring the execution of system calls in real time so that abnormal behaviour is discovered promptly, and taking the corresponding response measures, including refusing access and raising an alarm.
These hook points are distributed across different parts of the operating system kernel, including the file system, the network stack and process management. Common Linux security module LSM hook points are the following:
inode_permission (inode permission): used for file system access control; decides whether access to a given inode is allowed.
file_permission (file permission): similar to inode_permission, but invoked when a file access permission check is performed.
task_create (process creation): invoked when a new process is created, to control the creation of the new process.
task_setpgid (setting the process group ID): invoked when the process group ID is set, and allows control over setting the process group.
network_sendmsg (sending a message): invoked when a network message is sent; allows outgoing network traffic to be intercepted and reviewed.
network_recvmsg (receiving a message): invoked when a network message is received; allows incoming network traffic to be intercepted and reviewed.
socket_create (creating a socket): invoked when a socket is created; allows control over socket creation.
socket_bind (binding a socket): invoked when a socket is bound to an address; allows control over the address binding process.
socket_connect (connecting a socket): invoked when a socket connects to a target address; allows control over the socket's connection process.
bprm_check_security (executable security check): invoked when an executable file is run, to perform a security check that determines whether execution is permitted.
The following description takes as an example intercepting the inode_permission hook point and performing authority verification and parameter filtering inside it.
A new security hook function, my_inode_permission, is defined to intercept the inode_permission hook point. Inside the function, the current process name, the current user name and the incoming parameters are recorded, and whether the call is allowed is decided according to the access control policy: if it is allowed, the security_inode_permission function is called to perform the default permission check; otherwise an error is returned, so that the security of the system behaviour is ensured.
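As an added example (not code from the patent), the following user-space C model shows the decision logic of the my_inode_permission hook described above: it records the hook parameters in monitor mode, enforces a constructed allow/deny policy once the check switch is on, and is reached only after the functional error check and the DAC check, in the order the description gives. The struct access_req, the path-prefix policy and the DAC model are assumptions standing in for the inode, mask and kernel checks a real LSM hook sees; the code does not build as a kernel module.

```c
/* Added example, not the patent's code: a user-space model of the
 * my_inode_permission hook (monitor mode, check switch, policy allow/deny).
 * struct access_req and the prefix policy stand in for the inode and mask. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <errno.h>       /* EACCES, EINVAL; the model returns them negated */

#define MAY_EXEC  0x01   /* same bit values as the kernel's MAY_* flags */
#define MAY_WRITE 0x02
#define MAY_READ  0x04

struct access_req {
    const char *comm;   /* current process name */
    unsigned int uid;   /* current user id */
    const char *path;   /* object path (stands in for the inode) */
    int mask;           /* requested MAY_* bits */
    unsigned int owner; /* object owner uid, for the DAC model */
    int owner_mask;     /* bits the owner may use, for the DAC model */
    int other_mask;     /* bits everyone else may use, for the DAC model */
};

/* One rule of the access control policy set in advance; first match wins. */
struct policy_rule {
    const char *comm;        /* NULL matches any process */
    const char *path_prefix; /* object path prefix */
    int denied_mask;         /* refuse if any of these bits are requested */
};

static const struct policy_rule policy[] = {   /* constructed policy */
    { "sshd", "/etc/ssh/", 0 },         /* sshd is exempt under /etc/ssh */
    { NULL,   "/etc/",     MAY_WRITE }, /* no other process writes under /etc */
    { NULL,   "/tmp/",     MAY_EXEC },  /* nothing executes out of /tmp */
};
#define NRULES (sizeof policy / sizeof policy[0])

/* Monitoring state: each call is recorded and a summary kept for sampling. */
struct hook_summary { unsigned long calls, denied; };
static struct hook_summary summary;
static bool check_enabled;               /* the "check switch" */
void set_check_switch(bool on) { check_enabled = on; }
const struct hook_summary *sample_summary(void) { return &summary; }

static void record_call(const struct access_req *r, int verdict)
{
    summary.calls++;
    if (verdict) summary.denied++;
    printf("hook=inode_permission comm=%s uid=%u path=%s mask=0x%x verdict=%d%s\n",
           r->comm, r->uid, r->path, (unsigned)r->mask, verdict,
           verdict ? " ALARM" : "");
}

static const struct policy_rule *match_rule(const struct access_req *r)
{
    for (size_t i = 0; i < NRULES; i++) {
        const struct policy_rule *p = &policy[i];
        if (p->comm && strcmp(p->comm, r->comm) != 0) continue;
        if (strncmp(p->path_prefix, r->path, strlen(p->path_prefix)) == 0) return p;
    }
    return NULL;
}

/* The hook: record the parameters, then enforce if the switch is on.
 * Returns 0 to let the default permission check proceed, -EACCES to refuse. */
int my_inode_permission(const struct access_req *r)
{
    int verdict = 0;
    if (check_enabled) {
        const struct policy_rule *p = match_rule(r);
        if (p && (r->mask & p->denied_mask))
            verdict = -EACCES;
    }
    record_call(r, verdict);
    return verdict;
}

/* Model of the traditional DAC check; uid 0 bypasses it as root does. */
static int dac_check(const struct access_req *r)
{
    int allowed = (r->uid == r->owner) ? r->owner_mask : r->other_mask;
    return (r->uid == 0 || (r->mask & ~allowed) == 0) ? 0 : -EACCES;
}

/* The order the description gives: functional error check, then DAC, then
 * the LSM hook immediately before the kernel object is touched. */
int do_access(const struct access_req *r)
{
    int rc;
    if (!r->comm || !r->path || !r->mask || (r->mask & ~(MAY_READ | MAY_WRITE | MAY_EXEC)))
        return -EINVAL;                 /* functional error check */
    if ((rc = dac_check(r)) != 0)
        return rc;                      /* DAC refused; hook never reached */
    return my_inode_permission(r);      /* LSM hook */
}

int main(void)
{
    struct access_req edit = { "vi", 0, "/etc/passwd", MAY_WRITE, 0, MAY_READ | MAY_WRITE, MAY_READ };
    set_check_switch(false);
    printf("monitor only: %d\n", do_access(&edit));   /* 0: recorded, allowed */
    set_check_switch(true);
    printf("enforcing:    %d\n", do_access(&edit));   /* -13: refused by policy */
    return 0;
}
```

Note that a DAC refusal returns before the hook runs, so such calls never appear in the hook's monitoring summary; the summary only covers what the LSM hook itself saw.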
The system for improving the security of a Xinchuang operating system adopts the Linux Security Modules (LSM) framework and comprises the LSM and a hook point setting module;
the hook point setting module is responsible for setting hook points in the operating system kernel;
the LSM is responsible for intercepting and handling security decisions in the operating system kernel through the hook points, for monitoring and checking at the key hook points, and for recording and applying mandatory control to system calls made while the operating system runs; it invokes the specific access control policy to determine whether an access is legitimate.
The LSM is responsible for setting a monitoring program at a hook point, which monitors the execution of system calls in real time so that abnormal behaviour is discovered promptly and the corresponding response, including refusing access and raising an alarm, is taken; at the same time, during normal operation of the operating system, the parameters of the hook function are recorded and the hook-function summary is sampled and collated.
The LSM is responsible for setting a checking program at a hook point; once the check switch is turned on, when a system call reaches the hook point, the corresponding security checks, including authority verification and parameter filtering, are performed and mandatory control is applied according to the access control policy set in advance, that is, the call is allowed or refused, so that the security of the system behaviour is ensured.
The hook point setting module comprises a key system call point sub-module, a hook design sub-module and a hook integration sub-module;
the key system call point sub-module is responsible for analysing the operating system and determining the key system call points to use as hook points, so as to control file operations, network communication or process management;
the hook design sub-module is responsible for designing, for each determined key system call point, a corresponding hook module that intercepts the system call and performs security checks;
the hook integration sub-module is responsible for implementing the hook module in the operating system, integrating it into the system kernel, and ensuring that it can effectively intercept and handle system calls.
The device for implementing the method for improving the security of a Xinchuang operating system comprises a memory and a processor; the memory is used to store a computer program, and the processor implements the method steps described above when executing the computer program.
The readable storage medium stores a computer program which, when executed by a processor, implements the method steps described above.
Compared with the prior art, the method for improving the security of a Xinchuang operating system has the following characteristics:
1) The system's security capability against malicious programs and attacks is improved, and the risk of security vulnerabilities being exploited is reduced.
2) System behaviour is monitored and controlled at a fine granularity, reducing the occurrence and impact of security incidents.
3) The system's protection of users and data is strengthened, raising the level of security and privacy protection for user information.
4) The overall security and stability of the operating system are improved, and the system's resistance to attack and fault tolerance are enhanced.
The above examples are only one of the specific embodiments of the present invention, and the ordinary changes and substitutions made by those skilled in the art within the scope of the technical solution of the present invention should be included in the scope of the present invention.
Claims (9)
1. A method for improving the security of a Xinchuang operating system, characterized by comprising the following steps: adopting the Linux security module LSM framework to implement hook technology in the operating system kernel, allowing the Linux security module LSM to intercept and handle security decisions in the operating system kernel through hook points, and recording and applying mandatory control to system calls made while the operating system runs by setting up monitoring and checking at key hook points;
The specific operation is as follows:
Monitoring is set at the hook point: during normal operation of the operating system, the parameters of the hook function are recorded, and the hook-function summary is then sampled and collated;
Checking is set at the hook point: once the check switch is turned on, when a system call reaches the hook point, mandatory control is applied according to the access control policy set in advance, that is, the call is allowed or refused.
2. The method for improving the security of a Xinchuang operating system according to claim 1, wherein: when a user executes a system call, the kernel first performs functional error checking through its original interface, then performs the traditional Discretionary Access Control (DAC) check, and, immediately before the internal kernel object is accessed, calls the Linux security module LSM through the LSM hook function; the Linux security module LSM invokes the specific access control policy to determine whether the access is legitimate.
3. The method for improving the security of a Xinchuang operating system according to claim 1 or 2, wherein the method comprises the following steps:
Step S1, determining the key system call points;
analysing the operating system and determining the key system call points to use as hook points, so as to control file operations, network communication or process management;
Step S2, designing the hook module;
for each determined key system call point, designing a corresponding hook module that intercepts the system call and performs security checks;
Step S3, implementing the hook function;
implementing the hook module in the operating system and integrating it into the system kernel, so that the hook module is guaranteed to intercept and handle system calls effectively;
Step S4, performing security checks;
after the hook module intercepts the system call, performing the corresponding security checks, including authority verification and parameter filtering, so as to ensure the security of the system behaviour;
Step S5, monitoring and responding in real time;
monitoring the execution of system calls in real time so that abnormal behaviour is discovered promptly, and taking the corresponding response measures, including refusing access and raising an alarm.
4. A system for improving the security of a Xinchuang operating system, characterized in that: it adopts the Linux security module LSM framework and comprises the Linux security module LSM and a hook point setting module;
the hook point setting module is responsible for setting hook points in the operating system kernel;
the Linux security module LSM is responsible for intercepting and handling security decisions in the operating system kernel through the hook points, for monitoring and checking at the key hook points, and for recording and applying mandatory control to system calls made while the operating system runs; it invokes the specific access control policy to determine whether an access is legitimate.
5. The system for improving the security of a Xinchuang operating system of claim 4, wherein: the Linux security module LSM is responsible for setting a monitoring program at a hook point, which monitors the execution of system calls in real time so that abnormal behaviour is discovered promptly and the corresponding response, including refusing access and raising an alarm, is taken; at the same time, during normal operation of the operating system, the parameters of the hook function are recorded and the hook-function summary is sampled and collated.
6. The system for improving the security of a Xinchuang operating system of claim 4, wherein: the Linux security module LSM is responsible for setting a checking program at a hook point; once the check switch is turned on, when a system call reaches the hook point, the corresponding security checks, including authority verification and parameter filtering, are performed and mandatory control is applied according to the access control policy set in advance, that is, the call is allowed or refused, so that the security of the system behaviour is ensured.
7. The system for improving the security of a Xinchuang operating system of claim 4, wherein: the hook point setting module comprises a key system call point sub-module, a hook design sub-module and a hook integration sub-module;
the key system call point sub-module is responsible for analysing the operating system and determining the key system call points to use as hook points, so as to control file operations, network communication or process management;
the hook design sub-module is responsible for designing, for each determined key system call point, a corresponding hook module that intercepts the system call and performs security checks;
the hook integration sub-module is responsible for implementing the hook module in the operating system, integrating it into the system kernel, and ensuring that it can effectively intercept and handle system calls.
8. An apparatus for implementing the method for improving the security of a Xinchuang operating system, characterized in that the apparatus comprises a memory and a processor; the memory is configured to store a computer program, and the processor is configured to implement the method according to any one of claims 1 to 3 when the computer program is executed.
9. A readable storage medium, characterized in that: a computer program is stored on the readable storage medium which, when executed by a processor, implements the method according to any one of claims 1 to 3.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410598508.XA CN118194307A (en) | 2024-05-15 | 2024-05-15 | Method for improving security of a Xinchuang operating system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118194307A true CN118194307A (en) | 2024-06-14 |
Family
ID=91406553
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410598508.XA Pending CN118194307A (en) | 2024-05-15 | 2024-05-15 | Method for improving security of a Xinchuang operating system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118194307A (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101727555A (en) * | 2009-12-04 | 2010-06-09 | 苏州昂信科技有限公司 | Access control method for operation system and implementation platform thereof |
CN106096400A (en) * | 2016-06-06 | 2016-11-09 | 中国科学院信息工程研究所 | A kind of linux kernel parallel LSM framework implementation method |
US20180336360A1 (en) * | 2017-05-16 | 2018-11-22 | Beyondtrust Software, Inc. | Systems and methods for controlling privileged operations |
CN112181540A (en) * | 2020-09-28 | 2021-01-05 | 中孚安全技术有限公司 | Method and system for realizing hook on Linux application layer |
CN112668008A (en) * | 2021-01-06 | 2021-04-16 | 上海湖顶大数据科技有限公司 | Method for realizing dynamic system call hijacking based on LSM |
CN116010973A (en) * | 2023-02-09 | 2023-04-25 | 麒麟软件有限公司 | System call validity checking method and system of operating system |
WO2023197916A1 (en) * | 2022-04-12 | 2023-10-19 | 支付宝(杭州)信息技术有限公司 | Access control method and device for linux file system |
US20230362198A1 (en) * | 2022-05-09 | 2023-11-09 | Foundation Of Soongsil University-Industry Cooperation | Dynamic security policy enforcement method for container system, recording medium and system for performing the same |
CN117725583A (en) * | 2023-12-20 | 2024-03-19 | 北京大学 | Linux malicious code detection method and system based on virtual machine introspection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination |