内核完整性保护模型的设计与实现

doi:10.11959/j.issn.1000-436x.2015289

通信学报 ›› 2015, Vol. 36 ›› Issue (Z1): 118-125.doi: 10.11959/j.issn.1000-436x.2015289

内核完整性保护模型的设计与实现

田东海^1,²,陈君华²,贾晓启³,胡昌振¹

¹ 北京理工大学北京市软件安全工程技术重点实验室，北京 100081
² Key Laboratory of IDT Application Technology of Universities in Yunnam Province,Yunnam Minzu University,Kunming 650500,China
³ 中国科学院信息工程研究所信息安全国家重点实验室，北京 100093

出版日期:2015-11-25 发布日期:2015-12-29
基金资助:
国家高技术研究发展计划（“863”计划)基金资助项目;中科院先导科技专项基金资助项目;国家自然科学基金资助项目;国家自然科学基金资助项目;云南省高校物联网应用技术重点实验室开放基金资助项目

Design and implementation of a model for OS kernel integrity protection

Dong-hai TIAN^1,²,Jun-hua CHEN²,Xiao-qi JIA³,Chang-zhen HU¹

¹ Beijing Key Laboratory of Software Security Engineering Technology,Beijing Institute of Technology,Beijing 100081 China
² School of Management Zhengzhou 451191, China
³ State Key Laboratory of Information Security,Institute of Information Engineering,Chinese Academy of Sciences,Beijing 100093,China

Online:2015-11-25 Published:2015-12-29
Supported by:
The National High Technology Research and Development Program of China (863 Program);The Strategic Priority Research Program of the Chinese Academy of Sciences;The National Natural Science Foundation of China;The National Natural Science Foundation of China;Open Found of Key Laboratory of IOT Application Technology of Universities in Yunnan Province

摘要/Abstract

摘要：

非可信内核扩展模块是对操作系统内核完整性安全的重要威胁之一，因为它们一旦被加载到内核空间，将可能任意破坏操作系统内核数据和代码完整性。针对这一问题，提出了一种基于强制访问控制对操作系统内核完整性保护的模型—MOKIP。该模型的基本思想是为内核空间中的不同实体设置不同的完整性标签，然后保证具有低完整性标签的实体不能破坏具有高完整性标签的实体。基于硬件辅助的虚拟化技术实现了原型系统，实验结果表明，本系统能够抵御各种恶意内核扩展模块的攻击，其性能开销被控制在13%以内。

关键词: 内核扩展模块, 操作系统内核, 完整性保护, 虚拟化技术

Abstract:

Untrusted kernel extensions were considered to be a big threat to OS kernel integrity because once they were loaded into the kernel space,then they may corrupt both the OS kernel data and code at will.To address this problem,MAC-based model named MOKIP for OS kernel integrity protection was presented.The basic idea of MOKIP was to set different integrity labels for different entities in the kernel space,and then ensure that the entities with low integrity label cannot harm the entities with high integrity label.A prototype system based on the hardware assisted virtualization technology was implemented.The experimental results show that proposed system is effective at defending against various malicious kernel extension attacks within a little performance overhead which is less than 13%.

Key words: kernel extensions, OS kernel, integrity protection, virtualization technology

田东海,陈君华,贾晓启,胡昌振. 内核完整性保护模型的设计与实现[J]. 通信学报, 2015, 36(Z1): 118-125.

Dong-hai TIAN,Jun-hua CHEN,Xiao-qi JIA,Chang-zhen HU. Design and implementation of a model for OS kernel integrity protection[J]. Journal on Communications, 2015, 36(Z1): 118-125.

图/表 8

图1

图2

图3

图4

图5

表1

表2

表3

参考文献 19

[1]	DANIELA A S O , WU S F . Protecting kernel code and data with a virtualization-aware collaborative operating system[A]. Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC)[C]. Honolulu,Hawaii, 2009. 451-460.
[2]	BIBA K J . Integrity consideration for secure compuer system[R]. Technical report,Mitre Corp.Report TR-3153,Bedford,Mass, 1977.
[3]	XU M , JIANG X X , RAVI S , et al. Towards a VMM-based usage control framework for OS kernel integrity protection[A]. Proceedings of the 12th ACM Symposium on Access Control Models and Technologies[C]. Sophia Antipolis,France, 2007. 71-80.
[4]	Microsoft Corporation. Windows Driver Signing[EB/OL]. .
[5]	Windows Vista Security Blog[EB/OL]. .
[6]	GUTTMAN J , HERZOG A , RAMSDELL J . Information flow in operating systems:eager formal methods[A]. Workshop on Issues in the Theory of Security (WITS)[C]. 2003.
[7]	SANDHU R S . Lattice-based access control models[J]. IEEE Computer, 1993,26(11): 9-19.
[8]	SHANKAR U , JAEGER T , SAILER R . Toward automated information-flow integrity verification for security-critical applications[A]. Proceedings of the 13th Network and Distributed System Security Symposium (NDSS)[C]. 2006.
[9]	BARHAM P , DRAGOVIC B , FRASER K , et al. Xen and the art of virtualization[A]. Proceedings of the 19th ACM Symposium on Operating System Principles (SOSP)[C]. 2003. 164-177.
[10]	Intel Corporation. Intel 64 and IA-32 Architectures Software Developer's Manuals[EB/OL]. .
[11]	PETER M C , BRIAN D N . When virtual is better than real[A]. Proceedings of the 2001 Workshop on Hot Topics in Operating Systems (HotOS)[C]. 2001.0133.
[12]	DANIEL B , MARCO C , Understanding the Linux Kernel[M]. O'Reilly＆ Associates Inc,third edition, 2005.
[13]	SESHADRI A L M Q N . PERRIG A . SecVisor:a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes[A]. Proceedings of the 24th ACM Symposium on Operating System Principles (SOSP)[C]. 2007. 335-350.
[14]	RYAN R , JIANG X X , XU D Y . Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing[A]. Proceedings of the 11th International Symposium on Recent Advances in Intrusion Detection (RAID)[C]. 2008. 1-20.
[15]	MICHAEL G , WANG Z , DEEPA S , et al. Transparent protection of commodity OS kernels using hardware virtualization[A]. Proceedings of the 6th International Conference on Security and Privacy in Communication Networks (SecureComm)[C]. 2010. 162-180.
[16]	RALF H , THORSTEN H , FELIX C F . Return-oriented rootkits:bypassing kernel code integrity protection mechanisms[A]. Proceedings of 18th Usenix Security Symposium (Usenix Security)[C]. 2009. 383-398.
[17]	MAO Y D , CHEN H G , ZHOU D , et al. Software fault isolation with API integrity and multi-principal modules[A]. Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles (SOSP)[C]. 2011. 115-128.
[18]	马超, 尹杰, 刘虎球 , 等. KFUR:一个新型内核扩展安全模型[J]. 计算机学报, 2012,35(10): 2091-2100. MA C , YIN J , LIU H Q , et al. KFUK:a new rernel extension security model[J]. Chinese Journal of Computers, 2012,35(10): 2091-2100.
[19]	郑豪, 董小社, 王恩东 , 等. VM 内部隔离驱动程序的可靠性架构[J]. 软件学报, 2014,(10): 2235-2250. ZHENG H , DONG X S , WANG E D , et al. Reliability architecture to isolate the driver inside the VM[J]. Journal of Software, 2014,(10): 2235-2252.

恶意内核模块	恶意行为	检测结果	检测原因
Adore-ng 0.56	修改内核函数指针	成功检测	低完整性S_UE写高完整性O_OS-data
EnyeLKM	修改内核二进制代码	成功检测	低完整性S_UE写高完整性O_OS-code
Override	修改内核系统调用表	成功检测	低完整性S_UE写高完整性O_OS-data
All-root	修改内核进程链表和系统调用表	成功检测	低完整性S_UE写高完整性O_OS-data
Hp	修改内核进程链表	成功检测	低完整性S_UE写高完整性O_OS-data
Lvtes	修改内核系统调用表和模块链表	成功检测	低完整性S_UE写高完整性O_OS-data
ROP rootkit	修改自身堆栈地址和利用现有内核代码	成功检测	低完整性S_UE执行高完整性O_OS-other
破坏IDT rootkit	修改IDT特权寄存器	成功检测	低完整性S_UE写高完整性O_reg

性能	受控内核模块	Xen	MOKIP
解压内核压缩包的时间	ext3	35 367 ms	39 568 ms
编译内核代码的时间	ext3	2 812 s	3 176 s
Apache服务器的传输率	8 139too	2 253 kbit/s	2 013 kbit/s
Lighttpd服务器的吞吐率	8 139too	5 362 kbit /s	4 867 kbit /s
拷贝文件的传输率	uhci-hcd	692 kbit/s	611 kbit/s

操作	受控内核模块	Xen	MOKIP
编译内核代码	ext3	5 183	5 227
访问Apache服务器	8139too	4 719	4 736
拷贝文件	uhci-hcd	4 862	4 883

内核完整性保护模型的设计与实现

Design and implementation of a model for OS kernel integrity protection

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 8

参考文献 19

相关文章 2

Metrics

推荐阅读 0

[1]	吴敬征,丁丽萍,王永吉. 云计算环境下隐蔽信道关键问题研究[J]. 通信学报, 2011, 32(9A): 184-203.
[2]	辛洁,崔志明,赵朋朋,张广铭,鲜学丰. 基于MapReduce虚拟机的Deep Web数据源发现方法[J]. 通信学报, 2011, 32(7): 189-195.