WO2017133442A1 - Real-time measurement method and device - Google Patents

Real-time measurement method and device Download PDF

Info

Publication number
WO2017133442A1
WO2017133442A1 PCT/CN2017/071397 CN2017071397W WO2017133442A1 WO 2017133442 A1 WO2017133442 A1 WO 2017133442A1 CN 2017071397 W CN2017071397 W CN 2017071397W WO 2017133442 A1 WO2017133442 A1 WO 2017133442A1
Authority
WO
WIPO (PCT)
Prior art keywords
sensitive
monitored area
real
sensitive operation
time
Prior art date
Application number
PCT/CN2017/071397
Other languages
French (fr)
Chinese (zh)
Inventor
崔云峰
刘�东
王继刚
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2017133442A1 publication Critical patent/WO2017133442A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow

Definitions

  • the present invention relates to the field of IT (Information Technology) and information security, and in particular, to a real-time measurement method and apparatus.
  • IT Information Technology
  • Embedded systems are widely used in communications, industrial control, transportation and other industries, but for traditional IT systems, the processor performance of embedded systems is generally lower than the processor performance of servers and PCs (personal computers), and embedded The system is often in an unattended state. Unlike the IT system, which has a special administrator role and can often maintain or upgrade the system security continuously, the security problems in the embedded system cannot copy the anti-virus software used by the IT system. Thoughts such as continuous update of patches need to consider the active security mechanism suitable for embedded systems to achieve security automation.
  • the trusted computing utilizes the TPM/TCM trusted chip to perform integrity measurement on the operating system and the business system step by step at startup, which can ensure that the system is trusted and has not been tampered with when the system is started.
  • IBM developed IMA/PRIMA to use the Linux-based LSM (Linux Security Module) hook mechanism to measure the integrity of the subject, object or mandatory access control policy of the current function in the process of file reading and writing and key function invocation.
  • LSM Linux-based LSM
  • the measurement timing depends on the Linux LSM registration hook function point, and the measurement timing is completely dependent on whether the LSM hook is complete.
  • the timing of the dynamic measurement is derived from a fixed event, or a periodic timing metric, or determined by the user or an external system, so that there is a risk of a TOCTOU (Time of check, Time of use) attack, that is, System integrity is not attacked when measured, but is attacked by hacker code when it is used.
  • TOCTOU Time of check, Time of use
  • the main technical problem to be solved by the present invention is to provide a metric method and apparatus to avoid the problem of the risk of TOCTOU attack caused by the inability to measure in real time in the prior art.
  • the present invention provides a real-time measurement method, including:
  • the monitored area is a storage address corresponding to the sensitive information
  • the sensitive information is a predefined information that needs to be measured
  • the method before monitoring the operation on the monitored area in real time, the method further includes: determining sensitive information, determining whether the sensitive information has been created in the system, and if yes, reading the corresponding information of the sensitive information.
  • the address is stored and the storage address is set as the monitored area.
  • determining whether the operation is legal comprises: determining whether the sensitive operation is legal comprises: determining the sensitivity by determining whether the sensitive operation or the subject performing the sensitive operation satisfies a corresponding metric rule Whether the operation is legal, if it is satisfied, the sensitive operation is legal; if not, the sensitive operation is illegal.
  • the sensitive information includes stack, heap, process, and kernel key data
  • the metric rule includes: a current operation address belongs to a valid range of the stack, a body accessing the stack is an owner of the stack, and the stack conforms to an application binary interface specification convention. ;
  • the metric rule includes: the current operation address does not belong to the free heap space range, the current operation interval does not span different heap space objects, and the current operation thread is a legal thread;
  • the metric rule includes: the code segment corresponding to the current process can be operated, and the stack interval of the current process is executable;
  • the metric rule includes: the access thread of the key data belongs to a legal thread, and the address of the program that performs the operation belongs to a legally trusted code interval.
  • the method further includes: generating an abnormality, so that the sensitive operation process is interrupted.
  • the system abnormal interface is invoked to trigger the system abnormality; if the sensitive operation is in the user state, the system is no longer The execution of the operation allocates resources.
  • monitoring the operation on the monitored area in real time includes: monitoring the operation of the memory in real time through the memory management unit, and determining whether the operation is a sensitive operation initiated by the monitored area.
  • the invention also provides a real-time measuring device, comprising:
  • the monitoring module is configured to monitor the operation on the monitored area in real time, where the monitored area is a storage address corresponding to the sensitive information, and the sensitive information is a predefined information that needs to be measured;
  • a judging module configured to determine whether the sensitive operation is legal when monitoring a sensitive operation initiated on the monitored area for the monitored area;
  • a first execution module configured to allow the sensitive operation to continue when the judgment result is that the sensitive operation is legal;
  • the second execution module is configured to determine that the sensitive operation is illegal, and prevent the sensitive operation from continuing.
  • the device further includes a setting module for monitoring the monitored area in real time.
  • the sensitive information is determined, and it is determined whether the sensitive information has been created in the system, and if so, the storage address corresponding to the sensitive information is read, and the storage address is set as the monitored area.
  • the apparatus further includes a notification module, configured to notify the user when the sensitive operation is illegal.
  • the device further includes an abnormality generating module, configured to generate an abnormality after determining whether the sensitive operation is legal after detecting the sensitive operation initiated on the monitored area on the monitored area, so that The sensitive operation process is interrupted.
  • the monitoring module includes a memory management unit, and the memory management unit monitors the operation of the memory in real time, and determines whether the operation is a sensitive operation initiated by the monitored area.
  • the present invention provides a real-time metric method and apparatus.
  • the real-time metric device monitors operations on a monitored area in real time.
  • the monitored area is a storage address corresponding to sensitive information, and the sensitive information is Defined information that needs to be measured; when it is detected that there is a sensitive operation on the monitored area for the monitored area, it is judged whether the operation is legal, if it is legal, it is allowed to continue, and if it is not legal, it is prevented from continuing. run.
  • FIG. 1 is a flowchart of implementing a real-time metric method according to Embodiment 1 of the present invention
  • FIG. 2 is a flowchart of setting a monitored area in a real-time metric method according to Embodiment 1 of the present invention
  • FIG. 3 is a schematic structural diagram of a real-time metric apparatus according to Embodiment 1 of the present invention.
  • Embodiment 1 is a diagrammatic representation of Embodiment 1:
  • This embodiment provides a real-time metric method, which is particularly applicable to, but not limited to, an embedded system. Compared with the prior art, the method has the advantage of avoiding the risk of TOCTOU attack. Referring to FIG. 1, the method includes:
  • S101 real-time monitoring operation on the monitored area
  • a database is usually set, and if a sensitive letter is detected in the process of setting the monitored area.
  • the information is being created by the system.
  • the running address of the sensitive information is calculated, and the running address is set as the monitored area; and the corresponding relationship is stored in a database, and the database is specifically used for storing information related to sensitive information.
  • the database can be stored using data structures such as arrays, linked lists, and trees, and can be retrieved accordingly.
  • the sensitive information is determined by the user, and the objects that are relatively high in security or vulnerable to attack are determined as sensitive information according to the comprehensive consideration of the demand and the actual use scenario. Therefore, in fact, the monitored area is the storage address corresponding to the sensitive information, and the sensitive information is the predefined information that needs to be measured.
  • FIG. 2 including:
  • S203 Read an address corresponding to the sensitive information, and set the address as a monitored area;
  • S101 is executed to monitor the operation on the monitored area in real time.
  • the sensitive operation is necessary to determine whether the sensitive operation is legal or not.
  • the sensitive operation is allowed to continue, otherwise the sensitive operation is prevented from continuing.
  • an abnormality is usually generated to interrupt the ongoing operation, so as to take different measures according to the judgment result.
  • determining whether the sensitive operation is legal may be implemented by determining whether the sensitive operation or the execution subject of the sensitive operation satisfies the metric rule, and is legal when satisfied, otherwise illegal.
  • About metrics are set based on sensitive information and its operational privileges. Depending on the actual situation, sensitive information usually includes stack, heap, process, and kernel critical data.
  • the metric rule When the sensitive information is a stack, the metric rule includes: the current operation address belongs to the valid range of the stack, the body accessing the stack is the owner of the stack, and the stack conforms to the application binary interface specification; when the sensitive information is a heap, The metric rule includes: the current operation address does not belong to the free heap space range, the current operation interval must not span different heap space objects, and the current operation thread is a legal thread; when the sensitive information is a process, the metric rule includes: the code segment corresponding to the current process It can be operated and the stack interval of the current process can be executed; when the sensitive information is the kernel key data, the metric rule includes: the access thread of the key data belongs to the legal thread, and the address of the program that performs the operation belongs to the legally trusted code interval.
  • the "sensitive operation” in this embodiment generally includes “reading”, “writing” or “execution”.
  • the subject of the sensitive operation or the sensitive operation should simultaneously satisfy all corresponding metric rules, for example, when the sensitive information is The corresponding sensitive operation of the heap is read.
  • it is necessary to determine whether the sensitive operation of reading the heap is legal it is necessary to determine whether the current access address does not belong to the free heap space range, and also to determine whether the function access interval does not span different heap spaces.
  • a common method is to determine whether the sensitive operation is in the kernel state or the user state, and if it is in the kernel state, the system is called.
  • the exception interface triggers a system exception, and if it is in user mode, the system suspends the program that performs the sensitive operation and does not allocate resources for the execution of the sensitive operation.
  • the user is also notified that the notification may be in the form of a prompt box or in other ways.
  • the metric can be canceled, or the sensitive information is detected to have died.
  • the metric is automatically canceled in the system. It is only necessary to remove sensitive information, monitored areas, and corresponding metrics from the data. In the case of a metric that the user voluntarily cancels, sensitive actions that were previously blocked can now be allowed to execute after the metric is canceled.
  • the operation on the monitored area can be monitored in real time through the memory management unit.
  • Real-time monitoring of operations on the monitored area includes: monitoring the operation of the memory in real time through the memory management unit, and determining whether the operation is a sensitive operation initiated for the monitored area.
  • the memory management unit is located inside the CPU and is used to manage the hardware of the virtual address and physical memory. The user first sets sensitive information and determines the monitored area and the corresponding metrics. Save the set data information to the database. The memory management unit monitors the sensitive operations on the monitored area in the database.
  • the memory management unit When any program (including legitimate programs and hacker programs) accesses the monitored device, the memory management unit will An exception is generated and the current access site (including the current access address, current program address register, current stack frame register, etc.) is automatically saved. Due to the properties of the memory management unit, the memory management unit management on the market is usually managed by paging. When the program accesses sensitive information, the memory management unit can obtain a monitoring page, and the monitoring page is sensitive to the program. The address that the information uses when performing actual sensitive operations. Compare the control page with the address of the monitored area to see if it is consistent. If it is inconsistent, it may be an error such as an address error during the running of the program. In this case, it only needs to be processed according to the exception handling rule originally set by the sensitive operating system.
  • the memory management unit is concerned only with the address, and is managed by paging, there may be sensitive information on one page, and there may be non-sensitive information. So it depends on whether sensitive information is sensitive to the program. If not, then the object accessed by the program is not private information, then the sensitive operation is allowed to continue; if so, the program needs to be targeted to the privacy according to the metrics.
  • the sensitive operation performed by the information is measured. The specific measurement process includes whether the sensitive operation or the subject performing the sensitive operation satisfies the corresponding metric rule. When it is satisfied, the metric is passed to prove that it is legal; if not, then It is not legal.
  • Example 1 When the private information is a stack.
  • the user first sets the sensitive information, that is, the stack of the thread or process; then adds the stack and its address and the corresponding metrics to the database; since it is necessary to see whether the sensitive operation for the private information satisfies the metric rule, It is also necessary to obtain some metric benchmark values, because the stack metric rule requires that the current sensitive operation address belongs to the valid range of the stack, the body accessing the stack is the owner of the stack, and the stack conforms to the application binary interface specification convention, so Need to get the thread or process of the stack The stack corresponds to the thread or the effective code segment interval of the process; and in the memory management unit, the sensitive operation access permission of the page table corresponding to the corresponding address space is canceled, and the sensitive operation on the address corresponding to the stack is monitored.
  • the control process or the execution process is destroyed. Since the memory management unit has monitored the sensitive operation of the stack in real time, the sensitive operation for the stack is monitored by the memory management unit and an exception is generated; the real-time metric module matches the previously acquired monitoring address of the stack with the dynamic metric monitoring page. The stack is found and confirmed to be currently being sensitively operated; then the sensitive operation is measured according to the metric rule corresponding to the stack, including: confirming whether the current access address belongs to the valid range of the current stack frame, and whether the body of the access stack frame is a stack. Whether the owner, the current stack frame conforms to the stack frame structure specified by the ABI.
  • the exception processing module performs subsequent processing: first, the user is notified by a signal or the like; secondly, because the user is currently in the user state, the running flag of the thread is modified, and the illegal access thread that has been attacked is suspended.
  • Example 2 When the privacy information is kernel critical data.
  • the core of a sensitive operating system is the foundation of the entire system, especially the key data of the kernel is the basis of security.
  • the user first sets the sensitive information, that is, the key data of the kernel, such as the thread control block of all threads of the system; then adds the stack and its address and corresponding metrics to the database; because of the subsequent need to look at sensitive operations for the private information Whether the metric rule is met, so some metric values need to be obtained at this time, because the metric rule for the kernel key data is that the access thread that requires the key data belongs to the legal thread, and the current program address belongs to the legally trusted code interval, so it is also required to obtain The legal access thread group and the legal access code interval of the critical data of the kernel; and the sensitive operation access authority corresponding to the page table of the corresponding address space is canceled in the memory management unit, and the sensitive operation on the address corresponding to the key data of the kernel is monitored.
  • the sensitive information that is, the key data of the kernel, such as the thread control block of all threads of the system.
  • the thread control block is accessed in the kernel module to achieve the purpose of controlling the thread execution.
  • the memory management unit has real-time monitoring of sensitive operations on the critical data of the kernel, the sensitive operation of the critical data of the kernel is monitored and generated by the memory management unit; the real-time metric module is based on the address and dynamics of the key data of the kernel acquired before. The monitoring page of the metric is matched, the key data of the kernel is found and the current sensitive operation is confirmed; then the sensitive operation is measured according to the metric rule corresponding to the key data of the kernel, including: whether the access thread of the key data is a legal thread, Whether the current program address belongs to a legally trusted code interval.
  • the exception processing module performs subsequent processing: first, the user is notified by a signal or the like; secondly, because the current state is in the kernel state, the system exception interface is directly called to suspend the current access context.
  • the present embodiment further provides a real-time metric device 3, including a monitoring module 31 for real-time monitoring of operations on a monitored area, where the monitored area is a storage address corresponding to sensitive information, and the sensitive information is a predefined metric that needs to be measured.
  • the determining module 32 is configured to determine whether the sensitive operation is legal when the sensitive operation initiated on the monitored area is detected on the monitored area, and the first executing module 33 is configured to: when the determination result is that the sensitive operation is legal Allowing the sensitive operation to continue; the second execution module 34 is configured to determine that the result is The sensitive operation is illegal, preventing the sensitive operation from continuing.
  • the real-time metrology device 3 further includes a setting module 35, configured to determine sensitive information and determine whether the sensitive information has been created in the system before real-time monitoring of operations on the monitored area, and if And reading the storage address corresponding to the sensitive information, and setting the storage address as the monitored area;
  • the real-time measuring device 3 further includes a notification module 36, configured to notify the user when the sensitive operation is illegal
  • the real-time metric device 3 further includes an abnormality generating module 37, configured to generate an abnormality after determining whether the sensitive operation is legal after detecting the sensitive operation initiated on the monitored area on the monitored area, so that the sensitive The operation was interrupted.
  • the monitoring module is a memory management unit, and the memory management unit monitors the operation of the memory in real time and determines whether the operation is a sensitive operation initiated by the monitored area.
  • the first execution module 33 when the first execution module 33 allows the sensitive operation to continue to execute, first set a single step register of the CPU or insert a breakpoint instruction at the next instruction to restore the permission setting of the relevant sensitive operation on the monitored area, allowing The corresponding sensitive operation is executed; after the exception returns, the program continues to execute, and a single-step exception or a breakpoint exception occurs in the next instruction, and the behavior permission flag of the corresponding page table is re-cancelled in the single-step exception or the breakpoint exception, and the single-step is cancelled. Register the flag or restore the original instruction at the breakpoint.
  • the second execution module 34 determines whether the illegal access is in the kernel state or the user state, and if the abnormal access occurs in the kernel state, the system abnormal interface is invoked to trigger the system exception; if the abnormal access occurs in the user state Set the running flag of the user state thread and suspend the illegal access thread.
  • the real-time metric device monitors the operation on the monitored area in real time
  • the monitored area is a storage address corresponding to the sensitive information
  • the sensitive information is a predefined information that needs to be measured
  • the solution in this embodiment determines the legality of the sensitive operation on the monitored area according to the metric rule, and the whole process is performed in real time when the program is executed. Therefore, when performing the measurement, only relevant information required for the measurement needs to be obtained. There is no need to obtain all the information of the entire software, so compared with the prior art, it has the advantages of small performance overhead and short time.
  • modules or steps of the present invention can be implemented by a general-purpose computing device, which can be concentrated on a single computing device or distributed over a network composed of multiple computing devices.
  • they may be implemented by program code executable by the computing device such that they may be stored in a storage medium (ROM/RAM, diskette, optical disk) by a computing device, and in some cases
  • the steps shown or described may be performed in an order different than that herein, or they may be separately fabricated into individual integrated circuit modules, or a plurality of the modules or steps may be implemented as a single integrated circuit module. Therefore, the invention is not limited to any particular combination of hardware and software.
  • the invention relates to the field of information technology and information security, and solves the problem that the TOCTOU attack wind exists in the prior art.
  • the problem of risk has reached the effect of reducing the risk of TOCTOU attack.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

A real-time measurement method and device, comprising: a real-time measurement device monitors an operation on a monitored area in real time (S101), wherein the monitored area is a storage address corresponding to sensitive information, and the sensitive information is predefined information that needs to be measured; when detecting that a sensitive operation for the monitored area is initiated on the monitored area, the real-time measurement device determines whether the sensitive operation is legitimate (S102), if it is legitimate, allows the operation to be performed (S103), and if it is not legitimate, stops the operation (S104). Whenever an operation is initiated on a monitored area, the legitimacy of the operation is determined, and real-time measurement is implemented by determining the legitimacy of a sensitive operation, thereby solving the problem of TOCTOU attack risks in the prior art, and achieving the effect of reducing the TOCTOU attack risks.

Description

一种实时度量方法及装置Real-time measuring method and device 技术领域Technical field
本发明涉及IT(Information Technology,信息技术)与信息安全领域,尤其涉及一种实时度量方法及装置。The present invention relates to the field of IT (Information Technology) and information security, and in particular, to a real-time measurement method and apparatus.
背景技术Background technique
嵌入式系统广泛的应用于通信、工控、交通等行业,但是对传统IT系统而言,嵌入式系统的处理器性能普遍低于服务器和PC(personal computer,个人计算机)的处理器性能,并且嵌入式系统常常处于无人值守的状态,不同于IT系统可以专门的管理员角色并可以经常对系统安全进行持续维护或升级版本,所以在嵌入式系统的安全问题不能照搬IT系统的使用杀毒软件、持续更新补丁等思路,需要考虑适合嵌入式系统的主动安全机制实现安全自动化。Embedded systems are widely used in communications, industrial control, transportation and other industries, but for traditional IT systems, the processor performance of embedded systems is generally lower than the processor performance of servers and PCs (personal computers), and embedded The system is often in an unattended state. Unlike the IT system, which has a special administrator role and can often maintain or upgrade the system security continuously, the security problems in the embedded system cannot copy the anti-virus software used by the IT system. Thoughts such as continuous update of patches need to consider the active security mechanism suitable for embedded systems to achieve security automation.
在现有技术中,可信计算利用TPM/TCM可信芯片在启动时对操作系统、业务系统等逐级进行完整性度量,可以确保系统启动时系统是可信的、未被篡改的。IBM在此基础上开发IMA/PRIMA采用基于Linux的LSM(Linux Security Module)钩子机制,在文件读写、关键函数调用的过程中对当前函数行为的主体、客体或强制访问控制策略进行完整性度量,保证系统运行时可信并且未被篡改。采用这种动态完整性度量方法,其度量时机依赖Linux的LSM注册钩子函数点,度量时机是否完整依赖LSM钩子是否完整。而在具体执行时,动态度量的时机来源于固定的事件、或周期性的定时度量、或者由用户或外部系统决定,这样就存在TOCTOU(Time of check,Time of use)攻击的风险,也即当度量时系统完整性未被攻击,但在使用时却被攻击注入黑客代码。In the prior art, the trusted computing utilizes the TPM/TCM trusted chip to perform integrity measurement on the operating system and the business system step by step at startup, which can ensure that the system is trusted and has not been tampered with when the system is started. Based on this, IBM developed IMA/PRIMA to use the Linux-based LSM (Linux Security Module) hook mechanism to measure the integrity of the subject, object or mandatory access control policy of the current function in the process of file reading and writing and key function invocation. To ensure that the system is trusted and not tampered with. With this dynamic integrity measurement method, the measurement timing depends on the Linux LSM registration hook function point, and the measurement timing is completely dependent on whether the LSM hook is complete. In the specific execution, the timing of the dynamic measurement is derived from a fixed event, or a periodic timing metric, or determined by the user or an external system, so that there is a risk of a TOCTOU (Time of check, Time of use) attack, that is, System integrity is not attacked when measured, but is attacked by hacker code when it is used.
发明内容Summary of the invention
本发明要解决的主要技术问题是,提供一种度量方法及装置,避免现有技术中由于不能实时的度量而导致的存在TOCTOU攻击风险的问题。The main technical problem to be solved by the present invention is to provide a metric method and apparatus to avoid the problem of the risk of TOCTOU attack caused by the inability to measure in real time in the prior art.
为解决上述问题,本发明提供一种实时度量方法,包括:To solve the above problems, the present invention provides a real-time measurement method, including:
实时监控被监控区域上的操作;所述被监控区域为敏感信息对应的存储地址,所述敏感信息为预先定义的需要进行度量的信息;Monitoring the operation on the monitored area in real time; the monitored area is a storage address corresponding to the sensitive information, and the sensitive information is a predefined information that needs to be measured;
当监控到所述被监控区域上针对被监控区域发起的敏感操作,判断所述敏感操作是否合法;Determining whether the sensitive operation is legal when monitoring the sensitive operation initiated on the monitored area for the monitored area;
若判断结果为所述敏感操作为合法,允许所述敏感操作继续执行;If the result of the determination is that the sensitive operation is legal, the sensitive operation is allowed to continue;
若判断结果为所述敏感操作为非法,阻止所述敏感操作继续执行。 If the result of the determination is that the sensitive operation is illegal, the sensitive operation is prevented from continuing.
本发明一种实施例中,在实时监控被监控区域上的操作之前还包括:确定敏感信息,并判断所述敏感信息是否已在系统中被创建,若是,则读取所述敏感信息对应的存储地址,并将所述存储地址设置为被监控区域。In an embodiment of the present invention, before monitoring the operation on the monitored area in real time, the method further includes: determining sensitive information, determining whether the sensitive information has been created in the system, and if yes, reading the corresponding information of the sensitive information. The address is stored and the storage address is set as the monitored area.
本发明一种实施例中,判断所述操作是否合法包括:判断所述敏感操作是否合法包括:通过判断所述敏感操作或执行所述敏感操作的主体是否满足对应的度量规则来判断所述敏感操作是否合法,若满足,则所述敏感操作是合法的;若不满足,则所述敏感操作是非法的。In an embodiment of the present invention, determining whether the operation is legal comprises: determining whether the sensitive operation is legal comprises: determining the sensitivity by determining whether the sensitive operation or the subject performing the sensitive operation satisfies a corresponding metric rule Whether the operation is legal, if it is satisfied, the sensitive operation is legal; if not, the sensitive operation is illegal.
本发明一种实施例中,所述敏感信息包括栈、堆、进程和内核关键数据;In an embodiment of the invention, the sensitive information includes stack, heap, process, and kernel key data;
当所述敏感信息为栈时,所述度量规则包括:当前操作地址属于所述栈的有效范围、访问所述栈的主体为所述栈的所有者、所述栈符合应用程序二进制接口规范约定;When the sensitive information is a stack, the metric rule includes: a current operation address belongs to a valid range of the stack, a body accessing the stack is an owner of the stack, and the stack conforms to an application binary interface specification convention. ;
当所述敏感信息为堆时,所述度量规则包括:当前操作的地址不属于空闲堆空间范围、当前操作区间不得跨越不同的堆空间对象、当前操作线程为合法线程;When the sensitive information is a heap, the metric rule includes: the current operation address does not belong to the free heap space range, the current operation interval does not span different heap space objects, and the current operation thread is a legal thread;
当所述敏感信息为进程时,所述度量规则包括:当前进程对应的代码段可被操作、当前进程的栈区间可执行;When the sensitive information is a process, the metric rule includes: the code segment corresponding to the current process can be operated, and the stack interval of the current process is executable;
当所述敏感信息为内核关键数据时,所述度量规则包括:关键数据的访问线程属于合法线程、执行操作的程序的地址属于合法可信的代码区间。When the sensitive information is kernel critical data, the metric rule includes: the access thread of the key data belongs to a legal thread, and the address of the program that performs the operation belongs to a legally trusted code interval.
本发明一种实施例中,当所述敏感操作为非法时,通知用户。In an embodiment of the invention, when the sensitive operation is illegal, the user is notified.
本发明一种实施例中,在监控到所述被监控区域上针对被监控区域发起的敏感操作之后,判断所述敏感操作是否合法之前还包括:产生异常,使所述敏感操作过程被中断。In an embodiment of the present invention, after detecting the sensitive operation initiated on the monitored area for the monitored area, before determining whether the sensitive operation is legal, the method further includes: generating an abnormality, so that the sensitive operation process is interrupted.
本发明一种实施例中,当所述敏感操作为非法的,若所敏感述操作处于内核态,则调用系统异常接口触发系统异常;若所述敏感操作处于用户态,则系统不再为所述操作的执行分配资源。In an embodiment of the present invention, when the sensitive operation is illegal, if the sensitive operation is in the kernel state, the system abnormal interface is invoked to trigger the system abnormality; if the sensitive operation is in the user state, the system is no longer The execution of the operation allocates resources.
本发明一种实施例中,实时监控被监控区域上的操作包括:通过内存管理单元实时监控对内存的操作,并判断所述操作是否是针对被监控区域发起的敏感操作。In an embodiment of the present invention, monitoring the operation on the monitored area in real time includes: monitoring the operation of the memory in real time through the memory management unit, and determining whether the operation is a sensitive operation initiated by the monitored area.
本发明还提供一种实时度量装置,包括:The invention also provides a real-time measuring device, comprising:
监控模块:用于实时监控被监控区域上的操作,所述被监控区域为敏感信息对应的存储地址,所述敏感信息为预先定义的需要进行度量的信息;The monitoring module is configured to monitor the operation on the monitored area in real time, where the monitored area is a storage address corresponding to the sensitive information, and the sensitive information is a predefined information that needs to be measured;
判断模块:用于当监控到所述被监控区上针对被监控区域发起的敏感操作,判断所述敏感操作是否合法;a judging module: configured to determine whether the sensitive operation is legal when monitoring a sensitive operation initiated on the monitored area for the monitored area;
第一执行模块:用于当判断结果为所述敏感操作为合法,允许所述敏感操作继续执行;a first execution module: configured to allow the sensitive operation to continue when the judgment result is that the sensitive operation is legal;
第二执行模块:用于判断结果为所述敏感操作为非法,阻止所述敏感操作继续执行。The second execution module is configured to determine that the sensitive operation is illegal, and prevent the sensitive operation from continuing.
本发明一种实施例中,所述装置还包括设置模块,用于在实时监控被监控区域上 的操作之前,确定敏感信息,并判断所述敏感信息是否已在系统中被创建,若是,则读取所述敏感信息对应的存储地址,并将所述存储地址设置为被监控区域。In an embodiment of the invention, the device further includes a setting module for monitoring the monitored area in real time. Before the operation, the sensitive information is determined, and it is determined whether the sensitive information has been created in the system, and if so, the storage address corresponding to the sensitive information is read, and the storage address is set as the monitored area.
本发明一种实施例中,所述装置还包括通知模块,用于当所述敏感操作为非法时,通知用户。In an embodiment of the invention, the apparatus further includes a notification module, configured to notify the user when the sensitive operation is illegal.
本发明一种实施例中,所述装置还包括异常产生模块,用于在监控到所述被监控区域上针对被监控区域发起的敏感操作之后,判断所述敏感操作是否合法之前产生异常,使所述敏感操作过程被中断。In an embodiment of the present invention, the device further includes an abnormality generating module, configured to generate an abnormality after determining whether the sensitive operation is legal after detecting the sensitive operation initiated on the monitored area on the monitored area, so that The sensitive operation process is interrupted.
本发明一种实施例中,所述监控模块包括内存管理单元,内存管理单元实时监控对内存的操作,并判断所述操作是否是针对被监控区域发起的敏感操作。In an embodiment of the invention, the monitoring module includes a memory management unit, and the memory management unit monitors the operation of the memory in real time, and determines whether the operation is a sensitive operation initiated by the monitored area.
本发明的有益效果是:本发明提供了一种实时度量方法及装置,实时度量装置实时地监控被监控区域上的操作,该被监控区域是敏感信息对应的存储地址,而该敏感信息是预先定义的需要进行度量的信息;当监控到被监控区域上有针对被监控区域发起的敏感操作的时候,判断该操作是否合法,如果合法就允许继续执行,而如果不合法的话,便阻止其继续运行。每当被监控区域上有针对被监控区域发起的敏感操作,就会进行判断,看该操作是否合法,通过判断敏感操作的合法性实现实时度量;而不需要等到某一固定时间或固定周期通过判断数据的合法性进行度量,解决现有技术中存在TOCTOU攻击风险的问题,达到降低TOCTOU攻击风险的效果。The present invention provides a real-time metric method and apparatus. The real-time metric device monitors operations on a monitored area in real time. The monitored area is a storage address corresponding to sensitive information, and the sensitive information is Defined information that needs to be measured; when it is detected that there is a sensitive operation on the monitored area for the monitored area, it is judged whether the operation is legal, if it is legal, it is allowed to continue, and if it is not legal, it is prevented from continuing. run. Whenever there is a sensitive operation on the monitored area for the monitored area, it will judge whether the operation is legal or not, and realize the real-time measurement by judging the legality of the sensitive operation; without waiting for a fixed time or fixed period to pass Judging the legality of the data, solving the problem of the TOCTOU attack risk in the prior art, and achieving the effect of reducing the TOCTOU attack risk.
附图说明DRAWINGS
图1为本发明实施例一中实施实时度量方法的流程图;1 is a flowchart of implementing a real-time metric method according to Embodiment 1 of the present invention;
图2为本发明实施例一中实施实时度量方法中设置被监控区域的流程图;2 is a flowchart of setting a monitored area in a real-time metric method according to Embodiment 1 of the present invention;
图3为本发明实施例一中实时度量装置的结构示意图。FIG. 3 is a schematic structural diagram of a real-time metric apparatus according to Embodiment 1 of the present invention.
具体实施方式detailed description
下面通过具体实施方式结合附图对本发明作进一步详细说明。The present invention will be further described in detail below with reference to the accompanying drawings.
实施例一:Embodiment 1:
本实施例提供一种实时度量方法,该方法尤其适用于但不限于嵌入式系统,其与现有技术相比具有可以避免TOCTOU攻击风险的优点,请参见图1,包括:This embodiment provides a real-time metric method, which is particularly applicable to, but not limited to, an embedded system. Compared with the prior art, the method has the advantage of avoiding the risk of TOCTOU attack. Referring to FIG. 1, the method includes:
S101:实时监控被监控区域上的操作;S101: real-time monitoring operation on the monitored area;
S102:当监控到所述被监控区上针对被监控区域发起的敏感的操作,判断所述敏感操作是否合法,若是,则执行S103,否则,执行S104;S102: When monitoring the sensitive operation initiated on the monitored area for the monitored area, determining whether the sensitive operation is legal, if yes, executing S103, otherwise, executing S104;
S103:允许该敏感操作继续执行;S103: Allow the sensitive operation to continue to execute;
S104:阻止该敏感操作继续执行。S104: Prevent the sensitive operation from continuing.
在执行步骤S101之前,通常还需要设置敏感信息对应的被监控区域。在一种具体实施方式中,通常会设置有数据库,在设置被监控区域的过程中,若检测到敏感信 息正在被系统创建,此时会计算该敏感信息的运行地址,并将所述运行地址设置为被监控区域;并将其对应关系存储到数据库中,该数据库专门用于存放敏感信息的相关信息,该数据库可以使用数组、链表、树等数据结构进行存储,并且可以提供相应检索。通常该敏感信息是由用户来选择确定的,根据需求和实际使用场景的综合考量,将那些对安全性要求比较高或者容易遭受攻击的对象确定为敏感信息。所以,事实上被监控区域就是敏感信息对应的存储地址,而这些敏感信息就是预先定义的需要进行度量的信息,设置被监控区域的具体设置过程请参考图2,包括:Before performing step S101, it is usually necessary to set a monitored area corresponding to the sensitive information. In a specific implementation, a database is usually set, and if a sensitive letter is detected in the process of setting the monitored area. The information is being created by the system. At this time, the running address of the sensitive information is calculated, and the running address is set as the monitored area; and the corresponding relationship is stored in a database, and the database is specifically used for storing information related to sensitive information. The database can be stored using data structures such as arrays, linked lists, and trees, and can be retrieved accordingly. Usually, the sensitive information is determined by the user, and the objects that are relatively high in security or vulnerable to attack are determined as sensitive information according to the comprehensive consideration of the demand and the actual use scenario. Therefore, in fact, the monitored area is the storage address corresponding to the sensitive information, and the sensitive information is the predefined information that needs to be measured. For the specific setting process of setting the monitored area, please refer to FIG. 2, including:
S201:确定敏感信息;S201: determining sensitive information;
S202:判断该敏感信息是否已在系统中创建,若是,则执行S203;否则,执行S204;S202: determining whether the sensitive information has been created in the system, and if so, executing S203; otherwise, executing S204;
S203:读取该敏感信息对应的地址,并将该地址设置为被监控区域;S203: Read an address corresponding to the sensitive information, and set the address as a monitored area;
S204:结束本次对被监控区域的设置。S204: End the setting of the monitored area.
设置好被监控区域后,执行S101,实时地监控被监控区域上的操作,当监控到被监控区域上有针对被监控区域发起的敏感操作时,就需要判断该敏感操作是否合法,当合法的时候,允许该敏感操作继续执行,否则阻止该敏感操作继续执行。在监控到被监控区上针对被监控区域发起的敏感操作之后,判断该敏感操作是否合法之前,通常要产生异常,使正在进行的操作中断,以便于后续根据判断结果采取不同的措施。After the monitored area is set, S101 is executed to monitor the operation on the monitored area in real time. When monitoring the sensitive operation initiated by the monitored area on the monitored area, it is necessary to determine whether the sensitive operation is legal or not. At that time, the sensitive operation is allowed to continue, otherwise the sensitive operation is prevented from continuing. After monitoring the sensitive operation initiated on the monitored area for the monitored area, before determining whether the sensitive operation is legal, an abnormality is usually generated to interrupt the ongoing operation, so as to take different measures according to the judgment result.
在一种具体实施例中,判断该敏感操作是否合法,可以通过判断该敏感操作或者执行该敏感操作的执行主体是否满足度量规则来实现,当满足时为合法,否则为非法。关于度量规则,是根据敏感信息及其操作权限来进行设置的,根据实际情况,敏感信息通常会包括,栈、堆、进程和内核关键数据。当敏感信息为栈时,度量规则包括:当前操作地址属于该栈的有效范围、访问该栈的主体为该栈的所有者、该栈符合应用程序二进制接口规范约定;当敏感信息为堆时,度量规则包括:当前操作的地址不属于空闲堆空间范围、当前操作区间不得跨越不同的堆空间对象、当前操作线程为合法线程;当敏感信息为进程时,度量规则包括:当前进程对应的代码段可被操作、当前进程的栈区间可执行;当敏感信息为内核关键数据时,度量规则包括:关键数据的访问线程属于合法线程、执行操作的程序的地址属于合法可信的代码区间。本实施例中的“敏感操作”通常包括“读”、“写”或“执行”,进行判断时,该敏感操作或敏感操作的主体应当同时满足对应的所有度量规则,例如,当敏感信息为堆,对应的敏感操作为读,此时要判断对该堆进行读的敏感操作是否合法,就需要判断当前访问地址是否不属于空闲堆空间范围,还要判断函数访问区间是否没有跨越不同堆空间对象,还要判断当前访问线程是否是合法线程;当上述几个判断结果都为“是”,那么证明,对该“堆”进行的“读”敏感操作是合法的,就允许对该“堆”进行“读”敏感操作;但是若上述判断结果中有任意一个判断的结果为“否”,也就是不满足度量 规则,此时将组织对该“堆”进行“读”敏感操作。In a specific embodiment, determining whether the sensitive operation is legal may be implemented by determining whether the sensitive operation or the execution subject of the sensitive operation satisfies the metric rule, and is legal when satisfied, otherwise illegal. About metrics are set based on sensitive information and its operational privileges. Depending on the actual situation, sensitive information usually includes stack, heap, process, and kernel critical data. When the sensitive information is a stack, the metric rule includes: the current operation address belongs to the valid range of the stack, the body accessing the stack is the owner of the stack, and the stack conforms to the application binary interface specification; when the sensitive information is a heap, The metric rule includes: the current operation address does not belong to the free heap space range, the current operation interval must not span different heap space objects, and the current operation thread is a legal thread; when the sensitive information is a process, the metric rule includes: the code segment corresponding to the current process It can be operated and the stack interval of the current process can be executed; when the sensitive information is the kernel key data, the metric rule includes: the access thread of the key data belongs to the legal thread, and the address of the program that performs the operation belongs to the legally trusted code interval. The "sensitive operation" in this embodiment generally includes "reading", "writing" or "execution". When making a judgment, the subject of the sensitive operation or the sensitive operation should simultaneously satisfy all corresponding metric rules, for example, when the sensitive information is The corresponding sensitive operation of the heap is read. At this time, to determine whether the sensitive operation of reading the heap is legal, it is necessary to determine whether the current access address does not belong to the free heap space range, and also to determine whether the function access interval does not span different heap spaces. The object, but also to determine whether the current access thread is a legitimate thread; when the above several judgment results are "yes", then it is proved that the "read" sensitive operation on the "heap" is legal, allowing the "heap" "Perform "read" sensitive operation; but if any of the above judgment results is "No", that is, the measurement is not satisfied Rules, at which point the organization will "read" sensitive operations on the "heap".
当判断为某一敏感操作为非法的之后,需要阻止该敏感操作的继续运行,一种常用的方式是,判断该敏感操作是处于内核态还是用户态,如果是处于内核态的话,则调用系统异常接口触发系统异常,而如果是处于用户态的话,系统将执行该敏感操作的程序挂起,不在为该敏感操作的执行分配资源。在阻止该敏感操作继续执行时,还会向用户通知,通知的方式可以是以提示框的形式,也可以以其他方式。After it is determined that a sensitive operation is illegal, it is necessary to prevent the sensitive operation from continuing. A common method is to determine whether the sensitive operation is in the kernel state or the user state, and if it is in the kernel state, the system is called. The exception interface triggers a system exception, and if it is in user mode, the system suspends the program that performs the sensitive operation and does not allocate resources for the execution of the sensitive operation. When the sensitive operation is prevented from continuing, the user is also notified that the notification may be in the form of a prompt box or in other ways.
若用户觉得没有必要再进行度量,也可以取消度量,或者检测到敏感信息已经消亡,不存在系统中也会自动取消度量。只需要从数据中删除敏感信息,被监控区域,以及对应的度量规则。如果是用户主动取消的度量,那么在取消度量后,之前被阻止的敏感操作现在可以被允许执行。If the user feels that there is no need to measure again, the metric can be canceled, or the sensitive information is detected to have died. The metric is automatically canceled in the system. It is only necessary to remove sensitive information, monitored areas, and corresponding metrics from the data. In the case of a metric that the user voluntarily cancels, sensitive actions that were previously blocked can now be allowed to execute after the metric is canceled.
在一种具体实施方式中,可以通过内存管理单元实时监控被监控区域上的操作。实时监控被监控区域上的操作包括:通过内存管理单元实时监控对内存的操作,并判断所述操作是否是针对被监控区域发起的敏感操作。内存管理单元位于CPU内部,用于管理虚拟地址和物理内存的硬件。用户先设置敏感信息,并确定被监控区域,以及对应的度量规则。将设置好的数据信息保存到数据库中,内存管理单元会监控数据库中的被监控区域上的敏感操作,当有任何程序(包括合法程序和黑客攻击程序)访问被监控设备时,内存管理单元都会产生异常,并自动保存当前访问现场(包括当前访问地址、当前程序地址寄存器、当前栈帧寄存器等)。由于内存管理单元的属性,现在市面上的内存管理单元管理通常都是通过分页的方式进行内存管理的,程序访问敏感信息的时候,内存管理单元可以获得监控页面,该监控页面是该程序对敏感信息执行实际敏感操作时采用的地址。将该控制页面与被监控区域的地址进行对比看其是否一致,若不一致,则可能是程序运行时地址错误等错误,此时只需要按照敏感操作系统原本设置的异常处理规则进行处理即可;若是一致,则证明当前程序访问的确实可能是敏感信息,由于前面已经说过内存管理单元关心的只是地址,而且是分页进行管理,在一页上可能有敏感信息,也可能有非敏感信息,所以还要看敏感信息是不是被该程序敏感操作,如果不是,那么该程序访问的对象并不是隐私信息,则允许该敏感操作继续执行;如果是,就需要按照度量规则对该程序针对该隐私信息进行的敏感操作进行度量,具体度量过程包括看该敏感操作或执行该敏感操作的主体是否满足对应的度量规则,当满足时,则通过了度量,证明其是合法的;若不满足,则其不合法。In a specific embodiment, the operation on the monitored area can be monitored in real time through the memory management unit. Real-time monitoring of operations on the monitored area includes: monitoring the operation of the memory in real time through the memory management unit, and determining whether the operation is a sensitive operation initiated for the monitored area. The memory management unit is located inside the CPU and is used to manage the hardware of the virtual address and physical memory. The user first sets sensitive information and determines the monitored area and the corresponding metrics. Save the set data information to the database. The memory management unit monitors the sensitive operations on the monitored area in the database. When any program (including legitimate programs and hacker programs) accesses the monitored device, the memory management unit will An exception is generated and the current access site (including the current access address, current program address register, current stack frame register, etc.) is automatically saved. Due to the properties of the memory management unit, the memory management unit management on the market is usually managed by paging. When the program accesses sensitive information, the memory management unit can obtain a monitoring page, and the monitoring page is sensitive to the program. The address that the information uses when performing actual sensitive operations. Compare the control page with the address of the monitored area to see if it is consistent. If it is inconsistent, it may be an error such as an address error during the running of the program. In this case, it only needs to be processed according to the exception handling rule originally set by the sensitive operating system. If it is consistent, it proves that the current program access may indeed be sensitive information. As it has been said that the memory management unit is concerned only with the address, and is managed by paging, there may be sensitive information on one page, and there may be non-sensitive information. So it depends on whether sensitive information is sensitive to the program. If not, then the object accessed by the program is not private information, then the sensitive operation is allowed to continue; if so, the program needs to be targeted to the privacy according to the metrics. The sensitive operation performed by the information is measured. The specific measurement process includes whether the sensitive operation or the subject performing the sensitive operation satisfies the corresponding metric rule. When it is satisfied, the metric is passed to prove that it is legal; if not, then It is not legal.
下面以几个具体示例对本实施例中的实时度量方法进行说明:The real-time measurement method in this embodiment will be described below with several specific examples:
示例一:当隐私信息为栈时。用户先设置敏感信息,也即线程或进程的栈;然后将该栈以及其地址、对应的度量规则添加到数据库中;由于后续需要看针对该隐私信息的敏感操作是否满足度量规则,所以此时还需要获取一些度量基准值,因为栈的度量规则是要求当前敏感操作地址属于该栈的有效范围、访问该栈的主体为该栈的所有者、该栈符合应用程序二进制接口规范约定,所以还需要获取该栈的线程或进程所有 者、栈对应线程或进程有效代码段区间;并在内存管理单元中取消相应地址空间对应页表的敏感操作访问权限,监控该栈对应的地址上的敏感操作。Example 1: When the private information is a stack. The user first sets the sensitive information, that is, the stack of the thread or process; then adds the stack and its address and the corresponding metrics to the database; since it is necessary to see whether the sensitive operation for the private information satisfies the metric rule, It is also necessary to obtain some metric benchmark values, because the stack metric rule requires that the current sensitive operation address belongs to the valid range of the stack, the body accessing the stack is the owner of the stack, and the stack conforms to the application binary interface specification convention, so Need to get the thread or process of the stack The stack corresponds to the thread or the effective code segment interval of the process; and in the memory management unit, the sensitive operation access permission of the page table corresponding to the corresponding address space is canceled, and the sensitive operation on the address corresponding to the stack is monitored.
若此时黑客试图从外部对此栈发起非法篡改的攻击,达到控制流程或破坏执行流程的目的。由于内存管理单元已对栈的敏感操作进行实时监控,此时针对该栈的敏感操作被内存管理单元监控并产生异常;实时度量模块根据之前获取的该栈的地址与动态度量的监控页面进行匹配,找到该栈并确认当前正在被敏感操作;然后根据栈对应的度量规则对该敏感操作进行度量,具体包括:确认当前访问地址是否属于当前栈帧的有效范围、访问栈帧的主体是否为栈的所有者、当前栈帧是否符合ABI规定的栈帧结构。由于此时黑客访问线程并非栈的所有者线程,因此不符合第二条规则约束。此时通过异常处理模块进行后续处理:首先通过信号等机制通知用户;其次由于当前处于用户态因此修改线程的运行标志,挂起已被攻击的非法访问线程。If the hacker attempts to launch an illegal tampering attack on the stack from the outside, the control process or the execution process is destroyed. Since the memory management unit has monitored the sensitive operation of the stack in real time, the sensitive operation for the stack is monitored by the memory management unit and an exception is generated; the real-time metric module matches the previously acquired monitoring address of the stack with the dynamic metric monitoring page. The stack is found and confirmed to be currently being sensitively operated; then the sensitive operation is measured according to the metric rule corresponding to the stack, including: confirming whether the current access address belongs to the valid range of the current stack frame, and whether the body of the access stack frame is a stack. Whether the owner, the current stack frame conforms to the stack frame structure specified by the ABI. Since the hacker access thread is not the owner thread of the stack at this time, it does not comply with the second rule constraint. At this time, the exception processing module performs subsequent processing: first, the user is notified by a signal or the like; secondly, because the user is currently in the user state, the running flag of the thread is modified, and the illegal access thread that has been attacked is suspended.
示例二:当隐私信息为内核关键数据时。敏感操作系统的内核是整个系统的根基,尤其是内核的关键数据是安全性保障的基础。Example 2: When the privacy information is kernel critical data. The core of a sensitive operating system is the foundation of the entire system, especially the key data of the kernel is the basis of security.
用户先设置敏感信息,也即内核的关键数据,例如系统所有线程的线程控制块;然后将该栈以及其地址、对应的度量规则添加到数据库中;由于后续需要看针对该隐私信息的敏感操作是否满足度量规则,所以此时还需要获取一些度量基准值,因为针对内核关键数据的度量规则是要求关键数据的访问线程属于合法线程、当前程序地址属于合法可信的代码区间,所以还需要获取该内核关键数据的合法访问线程组、合法访问代码区间;并在内存管理单元中取消相应地址空间对应页表的敏感操作访问权限,监控该内核关键数据对应的地址上的敏感操作。The user first sets the sensitive information, that is, the key data of the kernel, such as the thread control block of all threads of the system; then adds the stack and its address and corresponding metrics to the database; because of the subsequent need to look at sensitive operations for the private information Whether the metric rule is met, so some metric values need to be obtained at this time, because the metric rule for the kernel key data is that the access thread that requires the key data belongs to the legal thread, and the current program address belongs to the legally trusted code interval, so it is also required to obtain The legal access thread group and the legal access code interval of the critical data of the kernel; and the sensitive operation access authority corresponding to the page table of the corresponding address space is canceled in the memory management unit, and the sensitive operation on the address corresponding to the key data of the kernel is monitored.
当黑客程序试图通过插入外部内核模块,在内核模块中对线程控制块进行访问,以便达到控制线程执行的目的。由于内存管理单元已对内核关键数据的敏感操作进行实时监控,此时针对该内核关键数据的敏感操作被内存管理单元监控并产生异常;实时度量模块根据之前获取的该内核关键数据的地址与动态度量的监控页面进行匹配,找到该内核关键数据并确认当前正在被敏感操作;然后根据内核关键数据对应的度量规则对该敏感操作进行度量,具体包括:关键数据的访问线程是否为合法的线程、当前程序地址是否属于合法可信的代码区间。由于此时程序地址为模块地址而不在内核镜像代码区间范围内,不符合第二条规则约束。此时通过异常处理模块进行后续处理:首先通过信号等机制通知用户;其次由于当前处于内核态因此直接调用系统异常接口挂起当前访问上下文。When the hacker tries to insert the external kernel module, the thread control block is accessed in the kernel module to achieve the purpose of controlling the thread execution. Since the memory management unit has real-time monitoring of sensitive operations on the critical data of the kernel, the sensitive operation of the critical data of the kernel is monitored and generated by the memory management unit; the real-time metric module is based on the address and dynamics of the key data of the kernel acquired before. The monitoring page of the metric is matched, the key data of the kernel is found and the current sensitive operation is confirmed; then the sensitive operation is measured according to the metric rule corresponding to the key data of the kernel, including: whether the access thread of the key data is a legal thread, Whether the current program address belongs to a legally trusted code interval. Since the program address is the module address and not within the kernel image code interval, the second rule constraint is not met. At this time, the exception processing module performs subsequent processing: first, the user is notified by a signal or the like; secondly, because the current state is in the kernel state, the system exception interface is directly called to suspend the current access context.
本实施例还提供一种实时度量装置3,包括监控模块31用于实时监控被监控区域上的操作,该被监控区域为敏感信息对应的存储地址,该敏感信息为预先定义的需要进行度量的信息;判断模块32用于当监控到所述被监控区上针对被监控区域发起的敏感操作,判断所述敏感操作是否合法;第一执行模块33用于当判断结果为所述敏感操作为合法,允许所述敏感操作继续执行;第二执行模块34用于判断结果为所 述敏感操作为非法,阻止所述敏感操作继续执行。在一种具体实施方式中,实时度量装置3还包括设置模块35,用于在实时监控被监控区域上的操作之前,确定敏感信息,并判断所述敏感信息是否已在系统中被创建,若是,则读取所述敏感信息对应的存储地址,并将所述存储地址设置为被监控区域;所述实时度量装置3还包括通知模块36,用于当所述敏感操作为非法时,通知用户;所述实时度量装置3还包括异常产生模块37,用于在监控到所述被监控区域上针对被监控区域发起的敏感操作之后,判断所述敏感操作是否合法之前产生异常,使所述敏感操作过程被中断。在本发明一种具体实施方式中,监控模块为内存管理单元,内存管理单元实时监控对内存的操作,并判断所述操作是否是针对被监控区域发起的敏感操作。The present embodiment further provides a real-time metric device 3, including a monitoring module 31 for real-time monitoring of operations on a monitored area, where the monitored area is a storage address corresponding to sensitive information, and the sensitive information is a predefined metric that needs to be measured. The determining module 32 is configured to determine whether the sensitive operation is legal when the sensitive operation initiated on the monitored area is detected on the monitored area, and the first executing module 33 is configured to: when the determination result is that the sensitive operation is legal Allowing the sensitive operation to continue; the second execution module 34 is configured to determine that the result is The sensitive operation is illegal, preventing the sensitive operation from continuing. In a specific embodiment, the real-time metrology device 3 further includes a setting module 35, configured to determine sensitive information and determine whether the sensitive information has been created in the system before real-time monitoring of operations on the monitored area, and if And reading the storage address corresponding to the sensitive information, and setting the storage address as the monitored area; the real-time measuring device 3 further includes a notification module 36, configured to notify the user when the sensitive operation is illegal The real-time metric device 3 further includes an abnormality generating module 37, configured to generate an abnormality after determining whether the sensitive operation is legal after detecting the sensitive operation initiated on the monitored area on the monitored area, so that the sensitive The operation was interrupted. In a specific implementation manner of the present invention, the monitoring module is a memory management unit, and the memory management unit monitors the operation of the memory in real time and determines whether the operation is a sensitive operation initiated by the monitored area.
在一种具体实施方式中,第一执行模块33允许敏感操作继续执行时,先设置CPU的单步寄存器或在下一条指令处插入断点指令,恢复被监控区域上相关敏感操作的权限设置,允许相应敏感操作执行;异常返回后被程序继续执行,并在下一条指令中发生单步异常或断点异常,在单步异常或断点异常中重新取消相应页表的行为权限标志,并取消单步寄存标志或恢复断点处的原始指令。In a specific implementation manner, when the first execution module 33 allows the sensitive operation to continue to execute, first set a single step register of the CPU or insert a breakpoint instruction at the next instruction to restore the permission setting of the relevant sensitive operation on the monitored area, allowing The corresponding sensitive operation is executed; after the exception returns, the program continues to execute, and a single-step exception or a breakpoint exception occurs in the next instruction, and the behavior permission flag of the corresponding page table is re-cancelled in the single-step exception or the breakpoint exception, and the single-step is cancelled. Register the flag or restore the original instruction at the breakpoint.
在一种具体实施方式中,第二执行模块34,判断非法访问处于内核态还是用户态,对于如果异常访问发生在内核态,调用系统的异常接口,触发系统异常;如果异常访问发生在用户态,设置用户态线程的运行标志位,挂起非法访问线程。In a specific implementation, the second execution module 34 determines whether the illegal access is in the kernel state or the user state, and if the abnormal access occurs in the kernel state, the system abnormal interface is invoked to trigger the system exception; if the abnormal access occurs in the user state Set the running flag of the user state thread and suspend the illegal access thread.
采用本实施例中方案,实时度量装置实时地监控被监控区域上的操作,该被监控区域是敏感信息对应的存储地址,而该敏感信息是预先定义的需要进行度量的信息;当实时度量装置监控到被监控区域上针对被监控区域发起的敏感操作时候,判断该敏感操作是否合法,如果合法就允许继续执行,而如果不合法的话,便阻止其继续运行。每当被监控区域上有敏感操作,就会进行判断,看该敏感操作是否合法,避免出现TOCTO攻击,达到降低TOCTOU攻击风险的效果。另一方面,本实施例中的方案根据度量规则对被监控区域上的敏感操作进行合法性判断,整个过程在执行程序的时候实时进行,因此在进行度量时,只需要获取度量需要的相关信息,不需要获取整个软件的所有信息,因此与现有技术相比,还具有性能开销小,同时耗时较短的优点。With the solution in this embodiment, the real-time metric device monitors the operation on the monitored area in real time, the monitored area is a storage address corresponding to the sensitive information, and the sensitive information is a predefined information that needs to be measured; When monitoring the sensitive operation initiated on the monitored area for the monitored area, it is determined whether the sensitive operation is legal. If it is legal, it is allowed to continue execution, and if it is not legal, it is prevented from continuing to run. Whenever there is sensitive operation on the monitored area, it will judge whether the sensitive operation is legal, avoid the TOCTO attack, and reduce the risk of TOCTOU attack. On the other hand, the solution in this embodiment determines the legality of the sensitive operation on the monitored area according to the metric rule, and the whole process is performed in real time when the program is executed. Therefore, when performing the measurement, only relevant information required for the measurement needs to be obtained. There is no need to obtain all the information of the entire software, so compared with the prior art, it has the advantages of small performance overhead and short time.
显然,本领域的技术人员应该明白,上述本发明的各模块或各步骤可以用通用的计算装置来实现,它们可以集中在单个的计算装置上,或者分布在多个计算装置所组成的网络上,可选地,它们可以用计算装置可执行的程序代码来实现,从而,可以将它们存储在存储介质(ROM/RAM、磁碟、光盘)中由计算装置来执行,并且在某些情况下,可以以不同于此处的顺序执行所示出或描述的步骤,或者将它们分别制作成各个集成电路模块,或者将它们中的多个模块或步骤制作成单个集成电路模块来实现。所以,本发明不限制于任何特定的硬件和软件结合。Obviously, those skilled in the art should understand that the above modules or steps of the present invention can be implemented by a general-purpose computing device, which can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Alternatively, they may be implemented by program code executable by the computing device such that they may be stored in a storage medium (ROM/RAM, diskette, optical disk) by a computing device, and in some cases The steps shown or described may be performed in an order different than that herein, or they may be separately fabricated into individual integrated circuit modules, or a plurality of the modules or steps may be implemented as a single integrated circuit module. Therefore, the invention is not limited to any particular combination of hardware and software.
工业实用性Industrial applicability
本发明涉及信息技术与信息安全领域,解决了现有技术中存在TOCTOU攻击风 险的问题,达到了降低TOCTOU攻击风险的效果。The invention relates to the field of information technology and information security, and solves the problem that the TOCTOU attack wind exists in the prior art. The problem of risk has reached the effect of reducing the risk of TOCTOU attack.
以上内容是结合具体的实施方式对本发明所作的进一步详细说明,不能认定本发明的具体实施只局限于这些说明。对于本发明所属技术领域的普通技术人员来说,在不脱离本发明构思的前提下,还可以做出若干简单推演或替换,都应当视为属于本发明的保护范围。 The above is a further detailed description of the present invention in connection with the specific embodiments, and the specific embodiments of the present invention are not limited to the description. It will be apparent to those skilled in the art that the present invention may be made without departing from the spirit and scope of the invention.

Claims (13)

  1. 一种实时度量方法,包括:A real-time measurement method that includes:
    实时监控被监控区域上的操作;所述被监控区域为敏感信息对应的存储地址,所述敏感信息为预先定义的需要进行度量的信息;Monitoring the operation on the monitored area in real time; the monitored area is a storage address corresponding to the sensitive information, and the sensitive information is a predefined information that needs to be measured;
    当监控到所述被监控区域上针对被监控区域发起的敏感操作,判断所述敏感操作是否合法;Determining whether the sensitive operation is legal when monitoring the sensitive operation initiated on the monitored area for the monitored area;
    若判断结果为所述敏感操作为合法,允许所述敏感操作继续执行;If the result of the determination is that the sensitive operation is legal, the sensitive operation is allowed to continue;
    若判断结果为所述敏感操作为非法,阻止所述敏感操作继续执行。If the result of the determination is that the sensitive operation is illegal, the sensitive operation is prevented from continuing.
  2. 如权利要求1所述的实时度量方法,其中,在实时监控被监控区域上的操作之前还包括:确定敏感信息,并判断所述敏感信息是否已在系统中被创建,若是,则读取所述敏感信息对应的存储地址,并将所述存储地址设置为被监控区域。The real-time metric method according to claim 1, wherein before monitoring the operation on the monitored area in real time, the method further comprises: determining sensitive information, and determining whether the sensitive information has been created in the system, and if so, reading the location The storage address corresponding to the sensitive information is set, and the storage address is set as the monitored area.
  3. 如权利要求1所述的实时度量方法,其中,判断所述敏感操作是否合法包括:通过判断所述敏感操作或执行所述敏感操作的主体是否满足对应的度量规则来判断所述敏感操作是否合法,若满足,则所述敏感操作是合法的;若不满足,则所述敏感操作是非法的。The real-time metric method according to claim 1, wherein determining whether the sensitive operation is legal comprises: determining whether the sensitive operation is legal by determining whether the sensitive operation or the subject performing the sensitive operation satisfies a corresponding metric rule If satisfied, the sensitive operation is legal; if not, the sensitive operation is illegal.
  4. 如权利要求3所述的实时度量方法,其中,所述敏感信息包括栈、堆、进程和内核关键数据;The real-time metric method of claim 3, wherein the sensitive information comprises stack, heap, process, and kernel key data;
    当所述敏感信息为栈时,所述度量规则包括:当前操作地址属于所述栈的有效范围、访问所述栈的主体为所述栈的所有者、所述栈符合应用程序二进制接口规范约定;When the sensitive information is a stack, the metric rule includes: a current operation address belongs to a valid range of the stack, a body accessing the stack is an owner of the stack, and the stack conforms to an application binary interface specification convention. ;
    当所述敏感信息为堆时,所述度量规则包括:当前操作的地址不属于空闲堆空间范围、当前操作区间不得跨越不同的堆空间对象、当前操作线程为合法线程;When the sensitive information is a heap, the metric rule includes: the current operation address does not belong to the free heap space range, the current operation interval does not span different heap space objects, and the current operation thread is a legal thread;
    当所述敏感信息为进程时,所述度量规则包括:当前进程对应的代码段可被操作、当前进程的栈区间可执行;When the sensitive information is a process, the metric rule includes: the code segment corresponding to the current process can be operated, and the stack interval of the current process is executable;
    当所述敏感信息为内核关键数据时,所述度量规则包括:关键数据的访问线程属于合法线程、执行操作的程序的地址属于合法可信的代码区间。When the sensitive information is kernel critical data, the metric rule includes: the access thread of the key data belongs to a legal thread, and the address of the program that performs the operation belongs to a legally trusted code interval.
  5. 如权利要求1所述的实时度量方法,其中,当所述敏感操作为非法时,通知用户。The real-time metric method of claim 1, wherein the user is notified when the sensitive operation is illegal.
  6. 如权利要求1所述的实时度量方法,其中,在监控到所述被监控区域上针对被监控区域发起的敏感操作之后,判断所述敏感操作是否合法之前还包括:产生异常,使所述敏感操作过程被中断。The real-time metric method according to claim 1, wherein after detecting the sensitive operation initiated on the monitored area for the monitored area, determining whether the sensitive operation is legal or not further comprises: generating an abnormality to make the sensitive The operation was interrupted.
  7. 如权利要求1所述的实时度量方法,其中,当所述敏感操作为非法的,若所敏感述操作处于内核态,则调用系统异常接口触发系统异常;若所述敏感操作处于用户态,则系统不再为所述操作的执行分配资源。 The real-time metric method according to claim 1, wherein when the sensitive operation is illegal, if the sensitive operation is in a kernel state, the system abnormal interface is invoked to trigger a system abnormality; if the sensitive operation is in a user state, The system no longer allocates resources for the execution of the operation.
  8. 如权利要求1-7任意一项所述的实时度量方法,其中,实时监控被监控区域上的操作包括:通过内存管理单元实时监控对内存的操作,并判断所述操作是否是针对被监控区域发起的敏感操作。The real-time metric method according to any one of claims 1 to 7, wherein real-time monitoring of the operation on the monitored area comprises: monitoring the operation of the memory in real time through the memory management unit, and determining whether the operation is for the monitored area Sensitive actions initiated.
  9. 一种实施度量装置,包括:An implementation metric device comprising:
    监控模块,设置为实时监控被监控区域上的操作,所述被监控区域为敏感信息对应的存储地址,所述敏感信息为预先定义的需要进行度量的信息;The monitoring module is configured to monitor the operation on the monitored area in real time, where the monitored area is a storage address corresponding to the sensitive information, and the sensitive information is a predefined information that needs to be measured;
    判断模块,设置为当监控到所述被监控区上针对被监控区域发起的敏感操作,判断所述敏感操作是否合法;The judging module is configured to determine whether the sensitive operation is legal when monitoring the sensitive operation initiated on the monitored area for the monitored area;
    第一执行模块,设置为当判断结果为所述敏感操作为合法,允许所述敏感操作继续执行;a first execution module, configured to allow the sensitive operation to continue when the determination result is that the sensitive operation is legal;
    第二执行模块,设置为判断结果为所述敏感操作为非法,阻止所述敏感操作继续执行。The second execution module is configured to determine that the sensitive operation is illegal, and prevent the sensitive operation from continuing.
  10. 如权利要求9所述的实时度量装置,还包括设置模块,设置为在实时监控被监控区域上的操作之前,确定敏感信息,并判断所述敏感信息是否已在系统中被创建,若是,则读取所述敏感信息对应的存储地址,并将所述存储地址设置为被监控区域。The real-time metrology apparatus according to claim 9, further comprising a setting module configured to determine sensitive information before the operation on the monitored area is monitored in real time, and to determine whether the sensitive information has been created in the system, and if so, Reading a storage address corresponding to the sensitive information, and setting the storage address as a monitored area.
  11. 如权利要求9所述的实时度量装置,还包括通知模块,设置为当所述敏感操作为非法时,通知用户。The real-time metrology apparatus of claim 9, further comprising a notification module configured to notify the user when the sensitive operation is illegal.
  12. 如权利要求9所述的实时度量装置,还包括异常产生模块,设置为在监控到所述被监控区域上针对被监控区域发起的敏感操作之后,判断所述敏感操作是否合法之前产生异常,使所述敏感操作过程被中断。The real-time metrology apparatus according to claim 9, further comprising an abnormality generating module configured to generate an abnormality after determining whether the sensitive operation is legal after monitoring the sensitive operation initiated on the monitored area for the monitored area, so that The sensitive operation process is interrupted.
  13. 如权利要求9-12任意一项所述的实时度量装置,其中,所述监控模块包括内存管理单元,内存管理单元实时监控对内存的操作,并判断所述操作是否是针对被监控区域发起的敏感操作。 The real-time metrology device according to any one of claims 9 to 12, wherein the monitoring module comprises a memory management unit, and the memory management unit monitors the operation of the memory in real time and determines whether the operation is initiated for the monitored area. Sensitive operation.
PCT/CN2017/071397 2016-02-05 2017-01-17 Real-time measurement method and device WO2017133442A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610081103.4 2016-02-05
CN201610081103.4A CN107045605A (en) 2016-02-05 2016-02-05 A kind of real-time metrics method and device

Publications (1)

Publication Number Publication Date
WO2017133442A1 true WO2017133442A1 (en) 2017-08-10

Family

ID=59499327

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/071397 WO2017133442A1 (en) 2016-02-05 2017-01-17 Real-time measurement method and device

Country Status (2)

Country Link
CN (1) CN107045605A (en)
WO (1) WO2017133442A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107563187A (en) * 2017-08-30 2018-01-09 广东欧珀移动通信有限公司 Access operation monitoring method, device, mobile terminal and readable storage medium storing program for executing
CN108388517A (en) * 2018-03-14 2018-08-10 深圳怡化电脑股份有限公司 A kind of internal-memory detection method, device, equipment and storage medium
CN109785537B (en) * 2018-12-29 2022-09-30 奇安信安全技术(珠海)有限公司 Safety protection method and device for ATM
CN112269716A (en) * 2020-06-01 2021-01-26 中国科学院信息工程研究所 Flexibly defined processor abnormal access real-time monitoring method and electronic device
CN113157543B (en) * 2021-05-14 2023-07-21 海光信息技术股份有限公司 Trusted measurement method and device, server and computer readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101488176A (en) * 2009-02-20 2009-07-22 北京交通大学 TOCTOU attack response method aiming at TPM trusted computation
CN101901319A (en) * 2010-07-23 2010-12-01 北京工业大学 Trusted computing platform and method for verifying trusted chain transfer
CN102088348A (en) * 2010-12-22 2011-06-08 东南大学 Mobile phone security chip for embedded platform and protection system comprising same
CN201957034U (en) * 2010-12-22 2011-08-31 东南大学 Mobile phone security chip used in embedded platform and protection system comprising same
CN104866767A (en) * 2015-05-11 2015-08-26 北京航空航天大学 Embedded module of novel security mechanism

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100465899C (en) * 2007-07-25 2009-03-04 湖南大学 Method for implementing checkpoint of Linux program at user level based on virtual kernel object
CN104679645A (en) * 2013-11-28 2015-06-03 中国航空工业集团公司航空动力控制系统研究所 Method for detecting stack space allowance on real time
CN105095763B (en) * 2015-08-10 2018-09-11 北京金山安全软件有限公司 Vulnerability defense method and device and electronic equipment

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101488176A (en) * 2009-02-20 2009-07-22 北京交通大学 TOCTOU attack response method aiming at TPM trusted computation
CN101901319A (en) * 2010-07-23 2010-12-01 北京工业大学 Trusted computing platform and method for verifying trusted chain transfer
CN102088348A (en) * 2010-12-22 2011-06-08 东南大学 Mobile phone security chip for embedded platform and protection system comprising same
CN201957034U (en) * 2010-12-22 2011-08-31 东南大学 Mobile phone security chip used in embedded platform and protection system comprising same
CN104866767A (en) * 2015-05-11 2015-08-26 北京航空航天大学 Embedded module of novel security mechanism

Also Published As

Publication number Publication date
CN107045605A (en) 2017-08-15

Similar Documents

Publication Publication Date Title
WO2017133442A1 (en) Real-time measurement method and device
US8127316B1 (en) System and method for intercepting process creation events
US10733288B2 (en) Verifying controller code and system boot code
US9037873B2 (en) Method and system for preventing tampering with software agent in a virtual machine
US7076802B2 (en) Trusted system clock
US20180285561A1 (en) Method and system for detecting kernel corruption exploits
JP6481900B2 (en) Hardware configuration reporting apparatus, hardware configuration arbitration method, program, machine-readable recording medium, and hardware configuration arbitration apparatus
JP6370098B2 (en) Information processing apparatus, information processing monitoring method, program, and recording medium
US20040128528A1 (en) Trusted real time clock
CN113254949B (en) Control device, system for controlling access and method executed by controller
US10545851B2 (en) Breakpoint insertion into kernel pages
US10114948B2 (en) Hypervisor-based buffer overflow detection and prevention
US20070266435A1 (en) System and method for intrusion detection in a computer system
US11188321B2 (en) Processing device and software execution control method
US20210286877A1 (en) Cloud-based method to increase integrity of a next generation antivirus (ngav) security solution in a virtualized computing environment
JP2010182196A (en) Information processing apparatus and file verification system
US11636214B2 (en) Memory scan-based process monitoring
CN111919198A (en) Kernel function callback method and system
US20210026950A1 (en) Hypervisor-based redirection of system calls and interrupt-based task offloading
CN113919004A (en) System and method for measuring integrity of trusted computing software
US20110030036A1 (en) Running a software module at a higher privilege level in response to a requestor associated with a lower privilege level
WO2022077388A1 (en) Processor security measurement device and method
EP3879783A1 (en) Data security processing method and terminal thereof, and server
US20200244461A1 (en) Data Processing Method and Apparatus
CN117688552B (en) Stack space protection method, electronic device, storage medium and computer program product

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17746762

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17746762

Country of ref document: EP

Kind code of ref document: A1