
WO2020114342A1 - Kernel security check method, apparatus, and device, and storage medium - Google Patents

Kernel security check method, apparatus, and device, and storage medium

Info

Publication number
WO2020114342A1
Authority
WO
WIPO (PCT)
Prior art keywords
process authority
credential set
stored
kernel
hash value
Legal status
Ceased
Application number
PCT/CN2019/122335
Other languages
French (fr)
Chinese (zh)
Inventor
李丹
裘绍翔
申晨
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date
2018-12-07 (Chinese application 201811495107.2, per the priority claim in the Description)
Application filed by Alibaba Group Holding Ltd
Publication of WO2020114342A1

Classifications

    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • the present invention relates to the field of kernel security, and in particular to a kernel security detection method, device, equipment, and storage medium.
  • the existing kernel protection scheme mainly splits the kernel cred structure into a read-only part and a writable part and protects each separately. However, the kernel's process structure stores only a pointer to the cred structure, not the structure itself, so although the critical cred data is read-only, the scheme can be bypassed by modifying the cred pointer in the process structure.
  • An object of the present invention is to provide a more effective kernel security detection method, device, equipment and storage medium to enhance kernel security.
  • a kernel security detection method which includes: on the usage path of the process authority credential set, comparing the current process authority credential set with a pre-stored process authority credential set, where the process authority credential set includes information related to process permissions; and, according to the comparison result, determining whether the current process authority credential set has been maliciously modified.
  • the step of comparing the current process authority credential set with the pre-stored process authority credential set includes: on the usage path of the process authority credential set, calculating the hash value of the current process authority credential set to obtain a first hash value; and comparing the first hash value with a second hash value, where the second hash value is obtained by hashing the pre-stored process authority credential set.
  • the step of determining whether the current process authority credential set has been maliciously modified includes: when the first hash value and the second hash value are inconsistent, determining that the process authority credential set has been maliciously modified.
  • the method further includes: in response to modifying the set of process authority credentials in a secure manner, calculating a hash value for the modified set of process authority credentials to obtain a second hash value.
  • the pre-stored process authority credential set is a process authority credential set obtained by modifying the process authority credential set based on the security method before.
  • the security method is to call a standard interface function corresponding to the set of process authority credentials.
  • the process authority credential set includes at least one of the following: group ID; user ID; effective user ID; capabilities; security pointer; security context; current process authority credential set address; startup random number.
  • comparing the current process authority credential set with the pre-stored process authority credential set on the usage path of the process authority credential set includes: comparing the current process authority credential set with the pre-stored process authority credential set at the system call entry; and/or comparing the current process authority credential set with the pre-stored process authority credential set when the fork/exec function is executed.
  • a kernel security detection device comprising: a comparison module for comparing the current process authority credential set with the pre-stored process authority credential set on the usage path of the process authority credential set, where the process authority credential set includes information related to the process authority; and a judgment module for judging, according to the comparison result, whether the current process authority credential set has been maliciously modified.
  • the comparison module includes: a first calculation module for calculating the hash value of the current process authority credential set on the usage path of the process authority credential set to obtain a first hash value; and a comparison submodule for comparing the first hash value with a second hash value, where the second hash value is obtained by hashing the pre-stored process authority credential set.
  • when the first hash value and the second hash value are inconsistent, the judgment module determines that the process authority credential set has been maliciously modified.
  • the device further includes: a second calculation module, configured to calculate a hash value for the modified process authority credential set, in response to the process authority credential set being modified in a secure manner, to obtain the second hash value.
  • the pre-stored process authority credential set is a process authority credential set obtained by modifying the process authority credential set based on the security method before.
  • the security method is to call a standard interface function corresponding to the set of process authority credentials.
  • the process authority credential set includes at least one of the following: group ID; user ID; effective user ID; capabilities; security pointer; security context; current process authority credential set address; startup random number.
  • the comparison module compares the current process authority credential set with the pre-stored process authority credential set at the system call entry, and/or the comparison module compares the current process authority credential set with the pre-stored process authority credential set when the fork/exec function is executed.
  • a computing device including: a processor; and a memory on which executable code is stored, where the executable code, when executed by the processor, causes the processor to execute the method of the first aspect of the present invention.
  • a non-transitory machine-readable storage medium on which executable code is stored, where the executable code, when executed by the processor of an electronic device, causes the processor to execute the method of the first aspect of the present invention.
  • the invention starts from the scenario in which the process authority credential set is used in the kernel, finds a path that is difficult for an attacker to bypass after modifying the process authority credential set, and performs integrity detection on the process authority credential set on that path.
  • the passive check at fork/exec can be based on system calls. Although the check occurs later than the actual attack, it is difficult for the attacker to bypass.
  • Figure 1 shows a schematic diagram of the data structure of the kernel structure of the process.
  • FIG. 2 is a schematic flowchart illustrating a kernel security detection method according to an embodiment of the present invention.
  • Figure 3 shows a schematic diagram of the fields added to the hash calculation.
  • FIG. 4 is a schematic block diagram showing the structure of a kernel security detection device according to an embodiment of the present invention.
  • FIG. 5 shows a schematic structural diagram of a computing device that can be used to implement the data processing of the kernel security detection method according to an embodiment of the present invention.
  • Kernel privilege escalation: an attack that uses kernel vulnerabilities to give a process higher privileges than the system assigned to it.
  • Kernel structure: each process has an instance of the task_struct structure in the kernel. From the kernel's perspective, this structure is the process.
  • cred structure: the kernel structure of each process holds two pointers to cred structures (in Linux, task_struct's real_cred and cred).
  • the cred structure records the identity and permissions of the current process as subject/object, including uid, gid, euid, capabilities, security context, etc.
  • uid is the user ID, a unique identifier for each user.
  • gid is the group ID, a unique identifier for each user group.
  • euid is the effective user ID, which determines the process's access rights to files and resources.
  • the Linux operating system is taken as an example to illustrate the implementation principle of the kernel security detection scheme of the present invention. It should be known that the present invention can also be applied to other operating systems similar to the Linux operating system.
  • Each process in the Linux operating system has different access rights to system resources.
  • the management of system permissions evolved from the original discretionary access control (DAC, including UID and capabilities) to the later mandatory access control of SELinux.
  • these mechanisms give process access rights finer-grained management and stronger guarantees, and all of these guarantees rest on a kernel structure called cred.
  • cred is a data structure that each process has, which stores information related to process permissions, such as user/group information, capability information, and so on.
  • the specific definition of the cred structure is the prior art, and will not be repeated here.
  • Each process has a kernel stack. In kernel mode, the process normally obtains the address of its own cred through the kernel stack (current_thread_info()->task.cred).
  • the process information (thread_info) in the kernel stack is stored at the lowest end of the stack and includes the address space limit accessible to the process (addr_limit) and the process control block (task_struct); the process authority credential set (that is, the cred structure) is obtained from task_struct.
  • the set of process authority credentials may include but not limited to uid, gid, euid, capability, security context, and so on.
  • Kernel privilege escalation refers to an attack method that uses kernel vulnerabilities to obtain higher privileges than specified by the system. For an attacker, implementing kernel privilege escalation in a Linux system generally includes the following two methods.
  • The first is to modify the cred operation functions, including but not limited to the check functions for the xids, cap_xxx and the security context, in order to bypass the security checks.
  • Modifying the cred operation functions actually modifies the code of the kernel.
  • This attack should be blocked by security features such as RODATA.
  • The second is to modify the content of the cred directly. The cred structure of a process lives in the kernel's data segment, and unless read-only protection is applied there is no mechanism in the kernel that can detect the modification at the moment the attacker makes it.
  • Protecting the cred with a security feature such as RODATA costs more than it benefits; this is determined by the attack vector against the cred.
  • the present invention is mainly directed at the attack that directly modifies the content of the cred, and proposes a kernel security detection scheme for it.
  • the kernel security detection scheme checks the integrity of the cred to determine whether it has been maliciously modified, and can thus be used to stop an attacker who reads and writes kernel memory directly from modifying the content of the cred.
  • the kernel security detection scheme proposed by the present invention cannot completely prevent every attack that directly modifies the cred (for example, an attacker reversing the cred check algorithm and obtaining the verification key), but it greatly increases the attacker's difficulty and cost.
  • FIG. 2 is a schematic flowchart illustrating a kernel security detection method according to an embodiment of the present invention.
  • the method shown in FIG. 2 can be used to detect whether the credentials of a process running under the Linux operating system (or another operating system similar to Linux) have been maliciously modified, that is, whether kernel privilege escalation has occurred.
  • step S210 on the usage path of the process authority credential set, the current process authority credential set is compared with the pre-stored process authority credential set.
  • the process authority credential set includes information related to process authority.
  • the process authority credential set may refer to the cred structure, which may include but is not limited to: group ID (gid), user ID (uid), effective user ID (euid), capabilities, security pointer, security context, the address of the current process authority credential set (the cred address) and a boot random number.
  • the pre-stored process authority credential set can be regarded as the access rights the process holds under normal circumstances.
  • the pre-stored process authority credential set may be a process authority credential set obtained by modifying the process authority credential set in a secure manner, for example by calling the standard interface function corresponding to the process authority credential set.
  • the hash value of the current process authority credential set may be calculated on the usage path of the process authority credential set.
  • the obtained hash value may be referred to as a first hash value.
  • the first hash value can be compared with the second hash value, where the second hash value is obtained by performing the same hash calculation on the pre-stored set of process authority credentials.
  • the storage location of the second hash value can be predefined, for example, it can be stored in the task_struct structure of the process, or it can be stored separately in memory, and indexed according to the process authority credential set address, or it can also be stored in trusted memory.
  • step S220 according to the comparison result, it is determined whether the current process authority credential set is maliciously modified.
  • when the current process authority credential set is consistent with the pre-stored one, the current process authority credential set can be considered not to have been maliciously modified; when they are inconsistent, it can be considered to have been maliciously modified.
  • in that case the process can be terminated or the system can be crashed to actively prevent the attacker from doing further damage.
  • the attack process by which an attacker escalates privileges in the kernel is:
  • the process modifies the process authority credential set in kernel mode
  • steps 1-2 are how root authority is obtained
  • step 3 is how to return to user mode after obtaining root authority
  • step 4 is the damage done after obtaining root authority. If the attacker only performs steps 1-3, the attacker has actually done no harm to the system: at this point the attacker can be considered capable of harming the system but has not performed any dangerous operation.
  • there are many ways to implement step 4; the common ones are: a) obtain a temporary shell through fork+exec (the most common); b) obtain a temporary shell through shellcode/next (occasionally seen); c) perform other operations directly through shellcode/next code (relatively uncommon).
  • the invention therefore proposes detecting in the fork/exec call whether the process authority credential set of the current process meets expectations, that is, whether it is consistent with the previous process authority credential set.
  • step S210 may be executed at the system call entry, and/or step S210 may also be executed when the fork/exec function is executed to detect whether the process authority credential set has been maliciously modified.
  • checking the integrity of the cred can be divided into the following two steps.
  • the fields added to the hash calculation may include the various ids such as uid/gid/euid, cap_xxx, the security pointer or context, the current cred address, and a boot random number.
  • when the cred is modified through its standard interface functions the stored hash is updated, so the verification passes.
  • if the attacker modifies the cred structure directly, the hash verification fails.
  • the storage location of the hash can be pre-defined. For example, it can be saved in the task_struct of the process, saved separately in memory and indexed by cred address, or stored in trusted memory.
  • detection at the system call entry ensures that the cred hash of the current process is checked first each time a system call occurs, so a modification of the cred is detected within one system call cycle. Detection in the fork/exec function ensures that an earlier malicious modification of the cred is detected when the attacker performs most operations through a shell or by running a new process.
  • the present invention finds a path that is difficult for an attacker to bypass after modifying the process authority credential set, and performs an integrity check on the process authority credential set there.
  • the passive check at fork/exec can be based on system calls.
  • although the check occurs later than the actual attack, it is difficult for the attacker to bypass.
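The check described in the bullets above, as an added C example that is not code from the patent or from any kernel: a cut-down model of task_struct and cred, a hash over the Fig. 3 fields (ids, capabilities, security pointer, the cred's own address and a boot random number), a commit_creds()-style standard interface that refreshes the stored second hash, and the two check points (system call entry and fork/exec). Three scenarios show a legitimate privilege change passing, a direct in-place overwrite being flagged, and the pointer-swap bypass from the background section being flagged. The structure layouts, the FNV-1a hash, the boot_random constant and all function names are assumptions chosen for illustration; a real deployment would use a keyed cryptographic hash and draw boot_random from the kernel RNG.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the kernel structures the patent names.
 * These are NOT the Linux definitions; only the fields of Fig. 3 are modelled. */
typedef struct cred {
    uint32_t uid, gid, euid;
    uint64_t cap_effective;   /* stands in for the cap_xxx sets */
    const void *security;     /* LSM security pointer */
} cred_t;

typedef struct task {
    cred_t *cred;             /* task_struct keeps a pointer, not the cred itself */
    uint64_t cred_hash;       /* the "second hash value", stored in the task */
} task_t;

/* Per-boot secret folded into every hash, so reversing the algorithm is not enough.
 * Constructed constant here; a real kernel would draw it from the RNG at boot. */
static uint64_t boot_random = 0x7a3f19c2d5e8b461ULL;

static uint64_t fnv1a64(uint64_t h, const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < n; i++) {
        h ^= b[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Hash over the Fig. 3 fields: ids, caps, security pointer,
 * the cred's own address and the boot random number. */
uint64_t cred_hash(const cred_t *c)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    uintptr_t addr = (uintptr_t)c;
    h = fnv1a64(h, &boot_random, sizeof boot_random);
    h = fnv1a64(h, &addr, sizeof addr);
    h = fnv1a64(h, &c->uid, sizeof c->uid);
    h = fnv1a64(h, &c->gid, sizeof c->gid);
    h = fnv1a64(h, &c->euid, sizeof c->euid);
    h = fnv1a64(h, &c->cap_effective, sizeof c->cap_effective);
    h = fnv1a64(h, &c->security, sizeof c->security);
    return h;
}

/* The "standard interface": the only sanctioned way to change a task's creds.
 * Installs the new cred and refreshes the stored (second) hash. */
void commit_creds(task_t *t, cred_t *new_cred)
{
    t->cred = new_cred;
    t->cred_hash = cred_hash(new_cred);
}

/* Recompute (first hash) and compare with the stored (second) hash.
 * 1 = consistent, 0 = modified outside commit_creds(). */
int cred_check(const task_t *t)
{
    return cred_hash(t->cred) == t->cred_hash;
}

/* Check points on the usage path. A real kernel would kill the task or panic
 * on failure; these hooks just report so the scenarios can be asserted on. */
int syscall_entry(const task_t *t) { return cred_check(t); }
int do_fork_exec(const task_t *t)  { return cred_check(t); }

/* Scenario 1: legitimate privilege change through the standard interface. */
int scenario_legit_setuid(void)
{
    cred_t user = {1000, 1000, 1000, 0, NULL};
    cred_t root = {0, 0, 0, ~0ULL, NULL};
    task_t t;
    commit_creds(&t, &user);
    commit_creds(&t, &root);          /* e.g. a setuid binary, via commit_creds() */
    return syscall_entry(&t) && do_fork_exec(&t);
}

/* Scenario 2: attacker overwrites fields of the cred in place (arbitrary kernel write). */
int scenario_direct_overwrite(void)
{
    cred_t user = {1000, 1000, 1000, 0, NULL};
    task_t t;
    commit_creds(&t, &user);
    t.cred->uid = 0;                  /* direct write, no commit_creds() */
    t.cred->euid = 0;
    t.cred->cap_effective = ~0ULL;
    return syscall_entry(&t);         /* caught at the next syscall */
}

/* Scenario 3: attacker leaves the cred alone and points the task at a root cred,
 * the bypass of read-only-cred schemes described in the background. */
int scenario_pointer_swap(void)
{
    cred_t user = {1000, 1000, 1000, 0, NULL};
    cred_t root = {0, 0, 0, ~0ULL, NULL};
    task_t t;
    commit_creds(&t, &user);
    t.cred = &root;                   /* stored hash still covers &user */
    return do_fork_exec(&t);          /* caught when the shell is spawned */
}

int main(void)
{
    printf("legit setuid     : %s\n", scenario_legit_setuid()     ? "pass" : "FLAGGED");
    printf("direct overwrite : %s\n", scenario_direct_overwrite() ? "pass" : "FLAGGED");
    printf("pointer swap     : %s\n", scenario_pointer_swap()     ? "pass" : "FLAGGED");
    return 0;
}
```

One design caveat worth stating for this model: the hash binds the cred's own address and the boot random number but not the owning task, and the second hash sits in the task beside the cred pointer. An attacker with unrestricted kernel read and write who copies both the cred pointer and the stored hash from a root task would therefore pass the check; that is the residual risk the patent itself acknowledges when it says the scheme raises the attacker's cost rather than stopping every direct-modification attack.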
  • FIG. 4 is a schematic block diagram showing the structure of a kernel security detection device according to an embodiment of the present invention.
  • the functional modules of the kernel security detection device may be implemented by hardware, software, or a combination of hardware and software that implements the principles of the present invention.
  • the functional modules described in FIG. 4 can be combined or divided into sub-modules, so as to implement the principles of the above invention. Therefore, the description herein may support any possible combination, division, or further definition of the functional modules described herein.
  • the kernel security detection device 400 includes a comparison module 410 and a judgment module 420.
  • the comparison module 410 is used to compare the current process authority credential set with the pre-stored process authority credential set on the usage path of the process authority credential set.
  • the process authority credential set includes information related to the process authority.
  • the judging module 420 is used to judge whether the current process authority credential set is maliciously modified according to the comparison result.
  • the comparison module 410 may compare the current process authority credential set with the pre-stored process authority credential set at the system call entry, and/or when the fork/exec function is executed.
  • the comparison module 410 includes a first calculation module and a comparison submodule (not shown in the figure).
  • the first calculation module is used to calculate the hash value of the current process authority credential set on the usage path of the process authority credential set to obtain a first hash value.
  • the comparison submodule is used to compare the first hash value with the second hash value, where the second hash value is obtained by hashing the pre-stored process authority credential set.
  • the determining module 420 may determine that the set of process authority credentials is maliciously modified when the first hash value and the second hash value are inconsistent.
  • the kernel security detection device 400 may further include a second calculation module (not shown in the figure).
  • the second calculation module is configured to calculate a hash value for the modified process authority credential set in response to modifying the process authority credential set in a secure manner to obtain a second hash value.
  • the pre-stored set of process authority credentials is the set of process authority credentials obtained after modifying the set of process authority credentials based on the security method before.
  • the security method may be to call a standard interface function corresponding to the process authority credential set.
  • FIG. 5 shows a schematic structural diagram of a computing device that can be used to implement the data processing of the kernel security detection method according to an embodiment of the present invention.
  • the computing device 500 includes a memory 510 and a processor 520.
  • the processor 520 may be a multi-core processor, or may include multiple processors.
  • the processor 520 may include a general-purpose main processor and one or more special co-processors, such as a graphics processor (GPU), a digital signal processor (DSP), and so on.
  • the processor 520 may be implemented using a customized circuit, such as an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA).
  • the memory 510 may include various types of storage units, such as system memory, read-only memory (ROM), and permanent storage devices.
  • the ROM may store static data or instructions required by the processor 520 or other modules of the computer.
  • the permanent storage device may be a readable and writable storage device.
  • the permanent storage device may be a non-volatile storage device that does not lose stored instructions and data even after the computer is powered off.
  • the permanent storage device may use a mass storage device (e.g., magnetic or optical disk, flash memory).
  • the permanent storage device may be a removable storage device (for example, a floppy disk or an optical drive).
  • the system memory may be a readable and writable storage device or a volatile readable and writable storage device, such as dynamic random access memory.
  • the system memory can store some or all instructions and data required by the processor during operation.
  • the memory 510 may include any combination of computer-readable storage media, including various types of semiconductor memory chips (DRAM, SRAM, SDRAM, flash memory, programmable read-only memory), magnetic disks and/or optical disks.
  • the memory 510 may include readable and/or writable removable storage devices, such as compact discs (CDs), read-only digital versatile discs (e.g., DVD-ROM, dual-layer DVD-ROM), read-only Blu-ray discs, ultra-density discs, flash memory cards (such as SD cards, mini SD cards, Micro-SD cards, etc.), magnetic floppy disks, etc.
  • the computer-readable storage medium does not include carrier waves or transient electronic signals transmitted wirelessly or over wires.
  • Executable code is stored on the memory 510.
  • the processor 520 can execute it to perform the kernel security detection method described above.
  • the method according to the present invention may also be implemented as a computer program or computer program product, which includes computer program code instructions for performing the steps defined in the above method of the present invention.
  • the present invention may also be implemented as a non-transitory machine-readable storage medium (or computer-readable storage medium, or machine-readable storage medium) on which executable code (or a computer program, or computer instruction code) is stored; when the executable code is executed by the processor of an electronic device (or computing device, server, etc.), it causes the processor to execute the steps of the above method according to the present invention.
  • each block in the flowchart or block diagram may represent a module, program segment, or part of code that contains one or more executable instructions.
  • the functions noted in the blocks may occur out of the order noted in the figures. For example, two consecutive blocks may actually be executed in parallel, or sometimes in reverse order, depending on the functions involved.
  • each block in the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented with dedicated hardware-based systems that perform the specified functions or operations, or by a combination of dedicated hardware and computer instructions.


Abstract

The present invention provides a kernel security check method, apparatus, and device, and a storage medium. On the usage path of a process permission credential set, the current process permission credential set is compared with a pre-stored process permission credential set, the process permission credential set comprising information related to process permissions; whether the current process permission credential set has been maliciously modified is determined according to the comparison result. By checking the integrity of the process permission credential set on this path, the invention makes the check difficult for an attacker to bypass, even though it occurs later than the actual attack.

Description

Kernel security detection method, device, equipment and storage medium

This application claims priority to Chinese patent application 201811495107.2, filed on December 7, 2018 and titled "Kernel security detection method, device, equipment and storage medium", the entire contents of which are incorporated by reference in this application.

Technical field

The present invention relates to the field of kernel security, and in particular to a kernel security detection method, device, equipment and storage medium.

Background

In recent years the range of Linux applications has kept expanding, and Linux is now widely used in servers, desktops and embedded devices. With its spread and use worldwide, the security of the system has also drawn increasing attention.

At present, attackers mainly use kernel vulnerabilities to obtain privileges higher than their own, and then use those privileges to do further damage to the system. The existing kernel protection scheme mainly splits the kernel cred structure into a read-only part and a writable part and protects each separately. However, the kernel's process structure stores only a pointer to the cred structure, not the structure itself, so although the critical cred data is read-only, the scheme can be bypassed by modifying the cred pointer in the process structure.

A more effective kernel security detection scheme is therefore needed.

Summary of the invention

An object of the present invention is to provide a more effective kernel security detection method, apparatus, device and storage medium, so as to strengthen kernel security.

According to a first aspect of the present invention, a kernel security detection method is provided, comprising: on the use path of a process permission credential set, comparing the current process permission credential set with a pre-stored process permission credential set, the process permission credential set comprising information related to process permissions; and determining, according to the comparison result, whether the current process permission credential set has been maliciously modified.

Optionally, the step of comparing the current process permission credential set with the pre-stored process permission credential set comprises: on the use path of the process permission credential set, computing a hash value of the current process permission credential set to obtain a first hash value; and comparing the first hash value with a second hash value, where the second hash value is obtained by hashing the pre-stored process permission credential set.

Optionally, the step of determining whether the current process permission credential set has been maliciously modified comprises: when the first hash value and the second hash value do not match, determining that the process permission credential set has been maliciously modified.

Optionally, the method further comprises: in response to the process permission credential set being modified in a secure manner, computing a hash value for the modified process permission credential set to obtain the second hash value.

Optionally, the pre-stored process permission credential set is the process permission credential set obtained from an earlier modification of the process permission credential set performed in a secure manner.

Optionally, the secure manner is calling the standard interface function corresponding to the process permission credential set.

Optionally, the process permission credential set comprises at least one of the following: group ID; user ID; effective user ID; capabilities; security pointer; security context; the address of the current process permission credential set; a boot random number.

Optionally, the step of comparing the current process permission credential set with the pre-stored process permission credential set on the use path comprises: comparing the current process permission credential set with the pre-stored process permission credential set at the system call entry; and/or comparing the current process permission credential set with the pre-stored process permission credential set when the fork/exec functions execute.

According to a second aspect of the present invention, a kernel security detection apparatus is also provided, comprising: a comparison module, configured to compare, on the use path of a process permission credential set, the current process permission credential set with a pre-stored process permission credential set, the process permission credential set comprising information related to process permissions; and a determination module, configured to determine, according to the comparison result, whether the current process permission credential set has been maliciously modified.

Optionally, the comparison module comprises: a first computation module, configured to compute, on the use path of the process permission credential set, a hash value of the current process permission credential set to obtain a first hash value; and a comparison submodule, configured to compare the first hash value with a second hash value, where the second hash value is obtained by hashing the pre-stored process permission credential set.

Optionally, the determination module determines that the process permission credential set has been maliciously modified when the first hash value and the second hash value do not match.

Optionally, the apparatus further comprises: a second computation module, configured to compute, in response to the process permission credential set being modified in a secure manner, a hash value for the modified process permission credential set to obtain the second hash value.

Optionally, the pre-stored process permission credential set is the process permission credential set obtained from an earlier modification of the process permission credential set performed in a secure manner.

Optionally, the secure manner is calling the standard interface function corresponding to the process permission credential set.

Optionally, the process permission credential set comprises at least one of the following: group ID; user ID; effective user ID; capabilities; security pointer; security context; the address of the current process permission credential set; a boot random number.

Optionally, the comparison module compares the current process permission credential set with the pre-stored process permission credential set at the system call entry, and/or the comparison module compares the current process permission credential set with the pre-stored process permission credential set when the fork/exec functions execute.

According to a third aspect of the present invention, a computing device is also provided, comprising: a processor; and a memory storing executable code which, when executed by the processor, causes the processor to perform the method of the first aspect of the present invention.

According to a fourth aspect of the present invention, a non-transitory machine-readable storage medium is also provided, storing executable code which, when executed by a processor of an electronic device, causes the processor to perform the method of the first aspect of the present invention.

The present invention starts from the scenarios in which the process permission credential set is used in the kernel, identifies paths that an attacker can hardly avoid after modifying the process permission credential set, and performs an integrity check of the process permission credential set on those paths. For example, the check can be a passive check triggered by system calls or by fork/exec; although the check occurs later than the actual attack, it is difficult for an attacker to bypass.

Brief description of the drawings

The above and other objects, features and advantages of the present disclosure will become more apparent from the following more detailed description of exemplary embodiments of the present disclosure in conjunction with the accompanying drawings, in which the same reference numerals generally denote the same components.

Figure 1 is a schematic diagram of the data structure of a process's kernel structure.

Figure 2 is a schematic flowchart of a kernel security detection method according to an embodiment of the present invention.

Figure 3 is a schematic diagram of the fields included in the hash computation.

Figure 4 is a schematic block diagram of the structure of a kernel security detection apparatus according to an embodiment of the present invention.

Figure 5 is a schematic structural diagram of a computing device that can be used to implement the data processing of the above kernel security detection method according to an embodiment of the present invention.

Detailed description

Preferred embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show preferred embodiments of the present disclosure, it should be understood that the present disclosure can be implemented in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided so that the present disclosure is thorough and complete and fully conveys its scope to those skilled in the art.

[Explanation of terms]

Kernel privilege escalation: an attack method that exploits a kernel vulnerability to obtain, for a process, privileges higher than those assigned by the system.

Kernel structure: every process corresponds to an instance of the task_struct structure in the kernel; from the kernel's point of view, this structure is the process.

cred structure: the kernel structure of every process holds two pointers to cred structures. The cred structure records the identity and permissions of the current process as subject/object, including the uid, gid, euid, capabilities, security context, and so on.

uid is the user ID, a unique identifier that identifies each user.

gid is the group ID, a unique identifier that identifies a user group.

euid is the effective user ID, which determines the process's access rights to files and resources.

capability: since version 2.1, the Linux kernel has had the concept of capabilities, which breaks up the superuser/ordinary-user dichotomy of UNIX/Linux operating systems so that an ordinary user can also perform work that previously only the superuser could do.

[Overview of the scheme]

The Linux operating system is taken as an example below to explain the implementation principle of the kernel security detection scheme of the present invention. It should be understood that the present invention can also be applied to other operating systems similar to Linux.

In the Linux operating system, processes have different access rights to system resources. As Linux evolved, management of system permissions moved from the original discretionary access control (DAC, including UIDs and capabilities) to the later mandatory access control of SELinux; the operating system provides finer-grained management of process access rights and stronger guarantees, and from the kernel's point of view all of these guarantees rest on a structure named cred.

cred is a data structure that every process owns; it stores information related to process permissions, such as user/group information and capability information. The specific definition of the cred structure is prior art and is not repeated here.

Every process has a kernel stack, and in kernel mode a process typically obtains the address of its own cred through the kernel stack (current_thread_info()->task.cred). As shown in Figure 1, the process information (thread_info) in the kernel stack is stored at the lowest end of the stack and includes the address space accessible to the process (addr_limit) and the process control block (task_struct) structure; the process permission credential set (i.e. the cred structure) can be obtained from task_struct. As shown in the figure, the process permission credential set may include, but is not limited to, uid, gid, euid, capabilities, security context, and so on.

Kernel privilege escalation refers to an attack method that exploits a kernel vulnerability to obtain, for a process, privileges higher than those assigned by the system. For an attacker, kernel privilege escalation in a Linux system generally falls into the following two methods.

1) From the code angle: modifying the cred operation functions, including but not limited to modifying the check functions for xid, cap_xxx and security/context, to bypass security checks.

2) From the data angle: directly modifying the contents of cred, including but not limited to directly modifying the xid, cap_xxx and security/context contents.

Modifying the cred operation functions actually modifies the kernel's code, and such attacks should be guarded against by security features such as RODATA. For attacks that modify the contents of cred, a process's cred structure resides in the kernel's data segment; unless it is made read-only, no mechanism in the kernel can detect the operation at the moment the attacker modifies cred, and protecting cred with security features such as RODATA costs more than it gains, which is determined by the attack vectors against cred.

The present invention mainly targets attacks that directly modify the contents of cred and proposes a kernel security detection scheme that checks the integrity of cred to determine whether it has been maliciously modified; it can be used to defend against attackers directly modifying the contents of cred through kernel-mode memory reads and writes. Although in theory the scheme cannot fully defend against all attacks that directly modify cred (for example, an attacker reverse-engineering the cred verification algorithm or obtaining the verification key), it greatly raises the difficulty and cost of an attack.

The specific implementation flow of the kernel security detection scheme of the present invention is described below.

[Kernel security detection scheme]

Figure 2 is a schematic flowchart of a kernel security detection method according to an embodiment of the present invention. The method shown in Figure 2 can be used to detect whether a process running under the Linux operating system (or another Linux-like operating system) has been maliciously modified, i.e. kernel privilege escalation.

Referring to Figure 2, in step S210, on the use path of the process permission credential set, the current process permission credential set is compared with the pre-stored process permission credential set.

The process permission credential set comprises information related to process permissions. Taking the Linux operating system as an example, the process permission credential set may be the cred structure and may include, but is not limited to, the group ID (gid), user ID (uid), effective user ID (euid), capabilities, security pointer (the security pointer), security context, the address of the current process permission credential set (e.g. the cred address), and a boot random number (boot random).

The data in the pre-stored process permission credential set can be regarded as the access rights the process holds under normal circumstances. As an example of the present invention, the pre-stored process permission credential set may be the process permission credential set obtained after modifying the process permission credential set in a secure manner, for example after modifying it by calling the standard interface function corresponding to the process permission credential set.

Comparing the current process permission credential set with the pre-stored process permission credential set mainly means checking whether the two are consistent, i.e. performing an integrity comparison of the current process permission credential set.

As an example, whether the current process permission credential set matches the pre-stored process permission credential set can be determined by comparing hash values. Specifically, on the use path of the process permission credential set, a hash value of the current process permission credential set can be computed; for ease of distinction, this hash value is called the first hash value. The first hash value can then be compared with a second hash value, where the second hash value is obtained by applying the same hash computation to the pre-stored process permission credential set. The storage location of the second hash value can be predefined: it can be stored in the process's task_struct structure, stored separately in memory and indexed by the address of the process permission credential set, or stored in trusted memory.

In step S220, whether the current process permission credential set has been maliciously modified is determined according to the comparison result.

If the current process permission credential set is consistent with the pre-stored process permission credential set, the current process permission credential set can be considered not to have been maliciously modified; if the two are inconsistent, the current process permission credential set can be considered to have been maliciously modified. Moreover, when the process's permissions are determined to have been maliciously modified, the process can be terminated or the system crashed, so as to actively prevent the attacker from doing further damage to the system.

[Timing of the process permission credential set comparison]

The typical attack flow for kernel privilege escalation is:

1. A user-mode process triggers a kernel vulnerability through a system call;

2. The process modifies the process permission credential set in kernel mode;

3. The system call returns to user mode, and the current process now has root privileges;

4. Operations performed after root privileges have been obtained.

Steps 1 and 2 are how root privileges are obtained, step 3 is how control returns to user mode after root privileges are obtained, and step 4 is the damage done with root privileges. If an attacker performs only steps 1 to 3, the attacker actually does no damage to the system; at that point the attacker can be considered capable of harming the system, but no dangerous operation has been performed.

There are many ways to carry out step 4; the common ones are: a) obtaining a temporary shell through fork+exec (the most common); b) obtaining a temporary shell through shellcode/next code (occasionally seen); c) performing other operations directly through shellcode/next code (relatively uncommon).

Both a and b end up obtaining a temporary shell, and given how shells work, subsequent operations can hardly avoid executing the fork/exec system calls. The present invention therefore proposes detecting, in the fork/exec call, whether the process permission credential set of the current process is as expected, i.e. consistent with the previous process permission credential set.

In addition, in all three attack methods a, b and c, an attacker who wants to do further damage to the system must invoke system calls again: fork/exec/open/close/read/write and similar operations all require system calls. The present invention therefore proposes checking at the system call entry whether the process permission credential set of the current process is as expected, ensuring that even an attacker who has obtained root privileges cannot harm the system. That is, step S210 can be performed at the system call entry, and/or step S210 can be performed when the fork/exec functions execute, to detect whether the process permission credential set has been maliciously modified.

Specific application example

Taking the cred structure as the process permission credential set, checking the integrity of cred can be divided into the following two steps.

1) When cred is modified through the standard cred interface functions, generate a hash for the new cred.

As an example, as shown in Figure 3, the fields included in the hash computation may include the various ids such as uid/gid/euid, cap_xxx, the security pointer or context, the current cred address, and a boot random number (boot random).

2) At the system call entry and when the fork/exec functions execute, recompute the hash and compare it with the original hash.

A hash updated through the standard cred interface functions passes verification, whereas a cred structure directly modified by an attacker cannot pass the hash verification. The storage location of the hash can be predefined: it can be stored in the process's task_struct structure, stored separately in memory and indexed by the cred address, or stored in trusted memory.

Thus, checking at the system call entry ensures that each time a system call occurs, the hash of the current process's cred is checked first, so that a modification of cred is detected within one system call cycle. Checking in the fork/exec functions ensures that an earlier malicious modification of cred is detected when the attacker performs most operations through a shell or by running a new process.

In summary, the present invention starts from the scenarios in which the process permission credential set is used in the kernel, identifies paths that an attacker can hardly avoid after modifying the process permission credential set, and performs an integrity check of the process permission credential set on those paths. For example, the check can be a passive check triggered by system calls or by fork/exec; although the check occurs later than the actual attack, it is difficult for an attacker to bypass.
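The two-step scheme above (hash the cred on the standard-interface path, then verify at the system call entry and in fork/exec), together with the first/second hash value comparison of step S210, written out as a user-space simulation in C. This is an added example for this page, not code from the patent or from any kernel: the shapes and names of struct cred, struct task, commit_creds_checked, verify_cred and syscall_entry are assumptions, the boot_random value is a constructed constant, and the boot_random-seeded FNV-1a stands in for whatever keyed hash a real implementation would choose.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel's cred and task_struct (assumed shapes). */
struct cred {
    uint32_t uid, gid, euid;
    uint64_t cap_effective;   /* stands in for the cap_xxx fields */
    const void *security;     /* LSM security pointer */
};

struct task {
    struct cred *cred;        /* the task only holds a pointer to its cred */
    uint64_t cred_hash;       /* the stored "second hash value" */
};

/* Boot-time secret; constructed here, in a kernel it would come from the RNG at boot. */
static uint64_t boot_random = 0x243f6a8885a308d3ULL;

/* FNV-1a over a byte buffer; placeholder for a proper keyed hash. */
static uint64_t hash_bytes(uint64_t h, const void *p, size_t n) {
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) {
        h ^= b[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Hash the Figure 3 fields: ids, capabilities, security pointer, cred address, boot random.
   Including the cred address ties the hash to one cred object, so swapping the
   task's cred pointer to a different object is caught as well as in-place edits. */
uint64_t cred_hash(const struct cred *c) {
    uint64_t h = 0xcbf29ce484222325ULL;
    uintptr_t addr = (uintptr_t)c;
    h = hash_bytes(h, &boot_random, sizeof boot_random);
    h = hash_bytes(h, &c->uid, sizeof c->uid);
    h = hash_bytes(h, &c->gid, sizeof c->gid);
    h = hash_bytes(h, &c->euid, sizeof c->euid);
    h = hash_bytes(h, &c->cap_effective, sizeof c->cap_effective);
    h = hash_bytes(h, &c->security, sizeof c->security);
    h = hash_bytes(h, &addr, sizeof addr);
    return h;
}

/* Step 1: the "standard interface" path. Installing a cred through this function is the
   only legitimate way to change it, and it refreshes the stored second hash value. */
void commit_creds_checked(struct task *t, struct cred *newcred) {
    t->cred = newcred;
    t->cred_hash = cred_hash(newcred);
}

/* Step 2: recompute the first hash value and compare it with the stored one.
   Returns 1 if cred is intact, 0 if cred or the cred pointer changed outside the interface. */
int verify_cred(const struct task *t) {
    return cred_hash(t->cred) == t->cred_hash;
}

/* Simulated system call entry / fork/exec hook: refuse to proceed when the check fails. */
int syscall_entry(struct task *t, const char *name) {
    if (!verify_cred(t)) {
        fprintf(stderr, "cred integrity failure before %s: terminating task\n", name);
        return -1;
    }
    return 0;
}

/* Scenario 1: creds installed (and later changed) through the interface pass the check. */
int scenario_legitimate(void) {
    struct cred user = { 1000, 1000, 1000, 0, NULL };
    struct task t = { NULL, 0 };
    commit_creds_checked(&t, &user);
    int ok = syscall_entry(&t, "open") == 0;
    user.euid = 0;                      /* e.g. a setuid change, made through the interface */
    commit_creds_checked(&t, &user);
    return ok && syscall_entry(&t, "write") == 0;
}

/* Scenario 2: fields written in place, bypassing the interface (the "data angle"), are detected. */
int scenario_direct_write_detected(void) {
    struct cred user = { 1000, 1000, 1000, 0, NULL };
    struct task t = { NULL, 0 };
    commit_creds_checked(&t, &user);
    user.uid = user.euid = 0;           /* simulated out-of-band memory write */
    user.cap_effective = ~0ULL;
    return syscall_entry(&t, "execve") != 0;
}

/* Scenario 3: the cred pointer swapped to another object (the bypass of read-only cred
   protection noted in the background) is detected because the address is hashed. */
int scenario_pointer_swap_detected(void) {
    struct cred user = { 1000, 1000, 1000, 0, NULL };
    struct cred other = { 0, 0, 0, ~0ULL, NULL };
    struct task t = { NULL, 0 };
    commit_creds_checked(&t, &user);
    t.cred = &other;                    /* simulated pointer replacement */
    return syscall_entry(&t, "fork") != 0;
}

int main(void) {
    printf("legitimate path passes:      %d\n", scenario_legitimate());
    printf("direct write detected:       %d\n", scenario_direct_write_detected());
    printf("pointer swap detected:       %d\n", scenario_pointer_swap_detected());
    return 0;
}
```

In this simulation the stored hash lives next to the cred pointer in the task; as the text notes, a real implementation may instead keep it in separate or trusted memory indexed by cred address, which matters because a stored hash that an attacker can rewrite as easily as the cred itself gives no protection.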

[Kernel security detection apparatus]

Figure 4 is a schematic block diagram of the structure of a kernel security detection apparatus according to an embodiment of the present invention. The functional modules of the kernel security detection apparatus may be implemented by hardware, software, or a combination of hardware and software that implements the principles of the present invention. Those skilled in the art will understand that the functional modules described in Figure 4 may be combined or divided into submodules to implement the principles of the invention described above. Therefore, the description herein supports any possible combination, division or further definition of the functional modules described herein.

The functional modules the kernel security detection apparatus may have, and the operations each functional module may perform, are described briefly below; for the details involved, refer to the description above, which is not repeated here.

Referring to Figure 4, the kernel security detection apparatus 400 comprises a comparison module 410 and a determination module 420. The comparison module 410 is configured to compare, on the use path of the process permission credential set, the current process permission credential set with the pre-stored process permission credential set, the process permission credential set comprising information related to process permissions. The determination module 420 is configured to determine, according to the comparison result, whether the current process permission credential set has been maliciously modified.

Optionally, the comparison module 410 may compare the current process permission credential set with the pre-stored process permission credential set at the system call entry, and/or the comparison module 410 may compare the current process permission credential set with the pre-stored process permission credential set when the fork/exec functions execute.

As an example of the present invention, the comparison module 410 comprises a first computation module and a comparison submodule (not shown in the figure). The first computation module is configured to compute, on the use path of the process permission credential set, a hash value of the current process permission credential set to obtain a first hash value, and the comparison submodule is configured to compare the first hash value with a second hash value, where the second hash value is obtained by hashing the pre-stored process permission credential set. The determination module 420 may determine that the process permission credential set has been maliciously modified when the first hash value and the second hash value do not match.

As an example of the present invention, the kernel security detection apparatus 400 may further comprise a second computation module (not shown in the figure). The second computation module is configured to compute, in response to the process permission credential set being modified in a secure manner, a hash value for the modified process permission credential set to obtain the second hash value.

In the present invention, the pre-stored process permission credential set is the process permission credential set obtained from an earlier modification of the process permission credential set performed in a secure manner. The secure manner may be calling the standard interface function corresponding to the process permission credential set.

【计算设备】【Computer equipment】

图5示出了根据本发明一实施例可用于实现上述内核安全检测方法的数据处理的计算设备的结构示意图。FIG. 5 shows a schematic structural diagram of a computing device that can be used to implement the data processing of the kernel security detection method according to an embodiment of the present invention.

参见图5,计算设备500包括存储器510和处理器520。Referring to FIG. 5, the computing device 500 includes a memory 510 and a processor 520.

处理器520可以是一个多核的处理器,也可以包含多个处理器。在一些实施例中,处理器520可以包含一个通用的主处理器以及一个或多个特殊的协处理器,例如图形处理器(GPU)、数字信号处理器(DSP)等等。在一些实施例中,处理器520可以使用定制的电路实现,例如特定用途集成电路(ASIC,Application Specific Integrated Circuit)或者现场可编程逻辑门阵列(FPGA,Field Programmable Gate Arrays)。The processor 520 may be a multi-core processor, or may include multiple processors. In some embodiments, the processor 520 may include a general-purpose main processor and one or more special co-processors, such as a graphics processor (GPU), a digital signal processor (DSP), and so on. In some embodiments, the processor 520 may be implemented using a customized circuit, such as an application specific integrated circuit (ASIC, Application Integrated Circuit) or field programmable logic gate array (FPGA, Field Programmable Gate Arrays).

The memory 510 may include various types of storage units, such as system memory, read-only memory (ROM), and permanent storage devices. The ROM may store static data or instructions required by the processor 520 or by other modules of the computer. The permanent storage device may be a readable and writable storage device. The permanent storage device may be a non-volatile storage device that does not lose the stored instructions and data even after the computer is powered off. In some embodiments, a mass storage device (for example, a magnetic or optical disk, or flash memory) is used as the permanent storage device. In some other embodiments, the permanent storage device may be a removable storage device (for example, a floppy disk or an optical drive). The system memory may be a readable and writable storage device or a volatile readable and writable storage device, such as dynamic random access memory. The system memory may store some or all of the instructions and data that the processor needs at run time. In addition, the memory 510 may include any combination of computer-readable storage media, including various types of semiconductor memory chips (DRAM, SRAM, SDRAM, flash memory, programmable read-only memory); magnetic disks and/or optical disks may also be used.
In some embodiments, the memory 510 may include readable and/or writable removable storage devices, such as compact discs (CDs), read-only digital versatile discs (for example, DVD-ROM or dual-layer DVD-ROM), read-only Blu-ray discs, ultra-density optical discs, flash memory cards (for example, SD cards, mini SD cards, Micro-SD cards, and so on), magnetic floppy disks, and so on. The computer-readable storage medium does not include carrier waves or transient electronic signals transmitted over wireless or wired links.

Executable code is stored in the memory 510; when the executable code is processed by the processor 520, it causes the processor 520 to perform the kernel security detection method described above.

The kernel security detection method, apparatus and device according to the present invention have been described in detail above with reference to the drawings.

In addition, the method according to the present invention may also be implemented as a computer program or computer program product, the computer program or computer program product including computer program code instructions for performing the steps defined in the above method of the present invention.

Alternatively, the present invention may also be implemented as a non-transitory machine-readable storage medium (or computer-readable storage medium, or machine-readable storage medium) on which executable code (or a computer program, or computer instruction code) is stored; when the executable code (or computer program, or computer instruction code) is executed by the processor of an electronic device (or computing device, server, and so on), it causes the processor to perform the steps of the above method according to the present invention.

Those skilled in the art will also understand that the various exemplary logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or a combination of both.

The flowcharts and block diagrams in the drawings show the possible implementation architecture, functions, and operations of systems and methods according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, a program segment, or a portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two consecutive blocks may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.

The embodiments of the present invention have been described above. The above description is exemplary, not exhaustive, and is not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, their practical application or their improvement over technologies in the market, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (11)

1. A kernel security detection method, characterized by comprising:
on the usage path of a process authority credential set, comparing the current process authority credential set with a pre-stored process authority credential set, the process authority credential set including information related to process authority; and
determining, according to the comparison result, whether the current process authority credential set has been maliciously modified.

2. The kernel security detection method according to claim 1, characterized in that the step of comparing the current process authority credential set with the pre-stored process authority credential set comprises:
on the usage path of the process authority credential set, calculating a hash value of the current process authority credential set to obtain a first hash value; and
comparing the first hash value with a second hash value, where the second hash value is obtained by hashing the pre-stored process authority credential set.

3. The kernel security detection method according to claim 2, characterized in that the step of determining whether the current process authority credential set has been maliciously modified comprises:
when the first hash value and the second hash value do not match, determining that the process authority credential set has been maliciously modified.

4. The kernel security detection method according to claim 2, characterized by further comprising:
in response to the process authority credential set being modified in a secure manner, calculating a hash value for the modified process authority credential set to obtain the second hash value.

5. The kernel security detection method according to claim 1, characterized in that the pre-stored process authority credential set is a process authority credential set obtained by modifying the process authority credential set in a secure manner.

6. The kernel security detection method according to claim 4 or 5, characterized in that
the secure manner is calling a standard interface function corresponding to the process authority credential set.

7. The kernel security detection method according to claim 1, characterized in that the process authority credential set includes at least one of the following:
group ID;
user ID;
effective user ID;
capabilities;
security pointer;
security context;
address of the current process authority credential set;
boot random number.

8. The kernel security detection method according to claim 1, characterized in that the step of comparing the current process authority credential set with the pre-stored process authority credential set on the usage path of the process authority credential set comprises:
comparing the current process authority credential set with the pre-stored process authority credential set at the system call entry; and/or
comparing the current process authority credential set with the pre-stored process authority credential set when the fork/exec function executes.

9. A kernel security detection apparatus, characterized by comprising:
a comparison module, configured to compare, on the usage path of a process authority credential set, the current process authority credential set with a pre-stored process authority credential set, the process authority credential set including information related to process authority; and
a determination module, configured to determine, according to the comparison result, whether the current process authority credential set has been maliciously modified.

10. A computing device, comprising:
a processor; and
a memory on which executable code is stored, which, when executed by the processor, causes the processor to perform the method according to any one of claims 1 to 8.

11. A non-transitory machine-readable storage medium on which executable code is stored, which, when executed by a processor of an electronic device, causes the processor to perform the method according to any one of claims 1 to 8.
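The scheme of claims 2 to 8 and the second calculation module described above, as an added example that is not the patent's or any kernel's code: a user-space C model of a credential set with the claim 7 fields, a hash (FNV-1a, an assumption; the patent names no algorithm) refreshed only by the trusted modification interface, and the check that a usage path such as system call entry would run. The struct layout, the boot nonce constant and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical user-space model of a kernel process credential set, with
 * the fields listed in claim 7. Constructed for this example; it is not
 * the patent's or any kernel's code. */
typedef struct cred_set {
    uint32_t uid, gid, euid;
    uint64_t cap;          /* capability bitmask */
    void    *security;     /* LSM security pointer */
    char     secctx[32];   /* security context label */
} cred_set;
/* Boot random number (claim 7) mixed into every hash. Constructed constant;
 * a kernel would draw it from its RNG once at boot. */
static const uint64_t boot_nonce = 0x9e3779b97f4a7c15ULL;
/* The "second hash value" of claim 2, refreshed only by the trusted path. */
static uint64_t stored_hash;
/* FNV-1a over an arbitrary byte range. */
static uint64_t mix(uint64_t h, const void *p, size_t n)
{
    const uint8_t *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}
/* Hash each field separately (so struct padding is never included), then
 * the set's own address and the boot nonce, as claim 7 enumerates. */
static uint64_t cred_hash(const cred_set *c)
{
    uint64_t h = 0xcbf29ce484222325ULL; uintptr_t addr = (uintptr_t)c;
    h = mix(h, &c->uid, sizeof c->uid);
    h = mix(h, &c->gid, sizeof c->gid);
    h = mix(h, &c->euid, sizeof c->euid);
    h = mix(h, &c->cap, sizeof c->cap);
    h = mix(h, &c->security, sizeof c->security);
    h = mix(h, c->secctx, sizeof c->secctx);
    h = mix(h, &addr, sizeof addr);
    return mix(h, &boot_nonce, sizeof boot_nonce);
}

/* The "secure manner" of claims 4-6: the standard interface through which
 * credentials legitimately change; it also recomputes the stored hash. */
void commit_cred_change(cred_set *c, uint32_t uid, uint32_t euid, uint64_t cap)
{
    c->uid = uid; c->euid = euid; c->cap = cap;
    stored_hash = cred_hash(c);
}

/* Check on the usage path (system call entry, fork/exec; claim 8).
 * Returns 1 when the live set no longer matches the stored hash. */
int cred_tampered(const cred_set *c)
{
    return cred_hash(c) != stored_hash;
}

/* Demo (returns 1 on success): a change through the interface passes, a
 * direct memory write to euid that bypasses the interface is flagged. */
int demo(void)
{
    cred_set c = { .uid = 1000, .gid = 1000, .euid = 1000, .cap = 0,
                   .security = NULL, .secctx = "user_u:user_r:user_t" };
    commit_cred_change(&c, 1000, 1000, 0);
    if (cred_tampered(&c)) return 0;
    c.euid = 0;
    return cred_tampered(&c);
}
```

Because the set's address and the boot nonce are part of the hash, an attacker who can overwrite the credential fields must also locate and recompute the stored hash, which is the point of including them in claim 7.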
PCT/CN2019/122335 2018-12-07 2019-12-02 Kernel security check method, apparatus, and device, and storage medium Ceased WO2020114342A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811495107.2 2018-12-07
CN201811495107.2A CN111291364B (en) 2018-12-07 2018-12-07 Kernel security detection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2020114342A1 true WO2020114342A1 (en) 2020-06-11

Country Status (3)

Country Link
CN (1) CN111291364B (en)
TW (1) TW202044079A (en)
WO (1) WO2020114342A1 (en)

Also Published As

Publication number Publication date
CN111291364B (en) 2024-03-01
CN111291364A (en) 2020-06-16
TW202044079A (en) 2020-12-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19893691

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19893691

Country of ref document: EP

Kind code of ref document: A1