CN103473508B - Safe verification method when operating system nucleus runs - Google Patents
Safe verification method when operating system nucleus runs Download PDFInfo
- Publication number
- CN103473508B CN103473508B CN201310425645.5A CN201310425645A CN103473508B CN 103473508 B CN103473508 B CN 103473508B CN 201310425645 A CN201310425645 A CN 201310425645A CN 103473508 B CN103473508 B CN 103473508B
- Authority
- CN
- China
- Prior art keywords
- instruction
- translation
- kernel
- module
- operating system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
- 238000000034 method Methods 0.000 title claims abstract description 48
- 238000012795 verification Methods 0.000 title claims abstract description 25
- 238000013519 translation Methods 0.000 claims abstract description 121
- 238000010200 validation analysis Methods 0.000 claims abstract description 8
- 238000007689 inspection Methods 0.000 claims abstract description 4
- 238000005516 engineering process Methods 0.000 claims description 48
- 230000008569 process Effects 0.000 claims description 26
- 238000001514 detection method Methods 0.000 claims description 17
- 230000003068 static effect Effects 0.000 claims description 8
- 238000004458 analytical method Methods 0.000 claims description 7
- 231100000252 nontoxic Toxicity 0.000 claims description 5
- 230000003000 nontoxic effect Effects 0.000 claims description 5
- 230000009191 jumping Effects 0.000 claims description 3
- 241000700605 Viruses Species 0.000 abstract description 46
- 230000009545 invasion Effects 0.000 abstract description 3
- 230000014616 translation Effects 0.000 description 107
- 230000003139 buffering effect Effects 0.000 description 17
- 230000006870 function Effects 0.000 description 11
- 238000011068 loading method Methods 0.000 description 7
- 238000011084 recovery Methods 0.000 description 6
- 238000005457 optimization Methods 0.000 description 5
- 230000000694 effects Effects 0.000 description 4
- 230000007123 defense Effects 0.000 description 3
- 230000033001 locomotion Effects 0.000 description 3
- 238000013507 mapping Methods 0.000 description 3
- 238000004321 preservation Methods 0.000 description 3
- 238000011160 research Methods 0.000 description 3
- 238000011161 development Methods 0.000 description 2
- 230000001976 improved effect Effects 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 238000012360 testing method Methods 0.000 description 2
- 241000222065 Lycoperdon Species 0.000 description 1
- 241000768494 Polymorphum Species 0.000 description 1
- 208000036142 Viral infection Diseases 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000004087 circulation Effects 0.000 description 1
- 239000012141 concentrate Substances 0.000 description 1
- 125000004122 cyclic group Chemical group 0.000 description 1
- 230000006378 damage Effects 0.000 description 1
- 238000013480 data collection Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000011022 operating instruction Methods 0.000 description 1
- 231100000572 poisoning Toxicity 0.000 description 1
- 230000000607 poisoning effect Effects 0.000 description 1
- 230000000717 retained effect Effects 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
Landscapes
- Storage Device Security (AREA)
Abstract
Safe verification method when one operating system nucleus of the present invention runs, include validating that the module loaded in the legitimacy of all kernel module files of destination OS, validation of kernel legitimacy, the new kernel module loaded at any time is carried out legitimacy, checking resets all entrances of being switched to prerogative grade from user gradation, every instruction that binary translation to be translated in processor and carries out the steps such as inspection.This method may be used for computer security software, it is possible to fundamentally operating computer operating system is detected, and finds out the kernel virus wherein existed;And existing operating system can be taken precautions against, it has been found that attempt the kernel virus of invasion, and be purged conditionally.It it is the thorough solution to rootkit.
Description
Technical field
The present invention relates to computer safety field, particularly relate to detection, strick precaution and removing to computer operating system kernel virus, and guarantee the correlation technique of operating system nucleus safe operation.
Background technology
Existing computer information safe includes a lot of aspect.Wherein to the detection of the rogue programs such as virus, wooden horse with prevent the important ring into computer security.Wherein, run on computer operating system inner nuclear layer (kernellevel), employing the virus being referred to as rootkit technology is that in computer virus, technology content is the highest, is difficult to detection most, prevents and remove.
Kernel virus refers to the virus running on computer operating system inner nuclear layer.The technology that virus runs on computer operating system inner nuclear layer is made to be referred to as rootkit technology.
It is said that in general, modern day processor architectures has different privileged level, in order to run the software with different rights.There is according to the difference of processor architecture different titles, but its design is intended that identical.Such as being widely used in the IA32 processor of the Intel of personal computer (PC), it has tetra-different prerogative grades of r0, r1, r2, r3.The kernel of operating system runs on r0 grade, thus ensure that computer is had most highly privileged by operating system nucleus.And the program of the User space part of other application software and operating system all runs on r3 grade, computer hardware is only had limited authority, thus ensureing the safety of computer.Even if malicious code invasion runs on the software of r3, limited destruction also can only be caused.
Equally, the arm processor framework being widely used in mobile field then has the multiple-working modes such as " user model ", " system model ", " privileged mode ".The highest weight limit of the same kernel guaranteeing operating system with this, and limit the authority of user software, guarantee the safety of computer system.
So-called rootkit technology is then manage to obtain the privilege the same with operating system nucleus, invades the technology of operating system nucleus.Employ the virus of rootkit technology then to obtain the highest weight to computer operation and limit.From theory, a system having run kernel virus detects or removes kernel virus, in the existing work being technically and can not being properly completed.Because kernel virus self has the highest weight limit in computer operating system.And the fail-safe software attempting detection kernel virus also only has same authority.Kernel virus can use multiple technologies to hide oneself, and interference even stops the operation of fail-safe software, such as:
1. adapter system calls.Going detection hard disk when whether there is inner virus if system manager attempts use instrument, call due to system and taken over by virus, therefore instrument is called by system and returns the system situation seen and be likely to what virus was forged.Such as cannot see the file etc. being infected in fact existed.
2. kill or forge secure software process.Owing to virus runs on inner nuclear layer, it is possible to the operation of force termination secure software process in kernel, the secure software process that even can generate vacation further prevents from being found.Also the partial function that can remove fail-safe software from kernel makes the process not possessing safety.
Rootkit is likely to occur on the processor and various operating system of various frameworks.The such as PC of the various version of currently running Windows, and run the server of Linux, and it is mounted with the mobile equipment (such as mobile phone, flat board etc.) of android system, there is the report that the kernel virus using rootkit technology occurs.
In many great network security accidents, computer system are attacked, there are rootkit technology and the appearance of kernel virus.
Summary of the invention
It is an object of the invention to provide safe verification method when a kind of operating system nucleus runs, this method may be used for computer security software, it is possible to fundamentally operating computer operating system is detected, and finds out the kernel virus wherein existed;And existing operating system can be taken precautions against, it has been found that attempt the kernel virus of invasion, and be purged conditionally.It it is the thorough solution to rootkit.
The technical solution of the present invention is:
Safe verification method when a kind of operating system nucleus runs, it is characterized in that and comprises the following steps:
Step 1] confirm the legitimacy of all kernel module files of destination OS:
The legitimacy of the static all kernel module files confirming destination OS, and preserve the integrity verification information of all of legal kernel module in destination OS;
Step 2] legitimacy of module that loaded in validation of kernel:
By the kernel module that enumeration operation system has loaded, contrast with the integrity verification information preserved in step 1, thus the legitimacy of the module loaded in validation of kernel, obtain each address realm performing joint of each module simultaneously;
Step 3] the new kernel module loaded at any time is carried out legitimate verification:
The new kernel module that operating system is loaded at any time, contrasts with the integrity verification information preserved in step 1, thus verifying the legitimacy of this new load-on module, obtains each address realm performing joint of this module simultaneously;
Step 4] reset all entrances being switched to prerogative grade from user gradation in processor:
All instructions being switched to prerogative grade from user gradation in intercept process device, and reset the entrance of these instructions, so as to point to binary translation entrance;
Step 5] every instruction that binary translation to be translated checks:
Every instruction that binary translation to be translated checks, if this instruction is not in certain performed joint of certain legal kernel module, then processes according to exceptional instructions;If this instruction is arranged in certain performed joint of certain legal kernel module, then perform step 6;
Described process according to exceptional instructions refers to:
If system is under the highest safety requirements, then halt system runs and collects relevant information and automatically reports, and confirms new legal module after manual detection is nontoxic again;
If system is under higher safety requirements, then allows system to continue to run with or avoid this instruction and to manage to allow system can continue to properly functioning, collect relevant information simultaneously and report and carry out safety analysis;
If system is under low-security requirement, it is allowed to exceptional instructions continues to run with, gathers information simultaneously and carry out safety analysis;
Step 6] to step 5] in through inspection every instruction carry out binary translation.
Binary translation in above-mentioned steps 6 is to adopt directly to copy binary translation, and it specifically comprises the following steps that
6.1] call translation interface function, start translation from certain address that should perform instruction;
6.2] instruction decoding is carried out from this address, it is thus achieved that an instruction;
6.3] if this instruction is jump instruction, then translate into and jump to translation interface function, it is parameter that write redirects destination address, and retain former jump instruction redirect purpose, this group instruction jumps to translation interface and translates, after translation terminates, jumping to generation instruction buffer and start to perform, what a to the last instruction returned to former jump instruction after having performed redirects purpose;For without the instruction redirected, not doing any variation, being copied directly to generation instruction buffer and start to perform, simultaneously movable address is to next instruction;
6.4] return step 6.1 to start to translate next instruction.
Binary translation in above-mentioned steps 6 is the binary translation adopting slow buffer technology, fast buffer technology and/or straight chain technology.
Straight copy binary translation in above-mentioned steps 6 be adopt slow buffer technology, fast buffer technology and/or straight chain technology directly copy binary translation.
Compared with prior art, the invention have the advantages that
1, it is scanned with virus signature relative to traditional, find the scheme of virus, the present invention is a kind of universal scheme for all kernel viruses, special case not for any virus is on the defensive or removes, but carry out defence thoroughly for operating system nucleus this big class of virus and remove, it is a kind of current techique for operating system nucleus safety.
2 and traditional static file safety technology (as by calculation of integrity code such as md5 value etc, or executable file being carried out signature verification etc.) compare, the present invention is the scheme of a kind of dynamic authentication.Present invention utilizes existing file security and ensure that technology is to verify that the kernel module of all of operating system is legal.But in addition, present invention original creation is when operating system nucleus actual motion, it is ensured that the concordance of every instruction of actual motion and the code in the file of checking.Thus be one more comprehensively and thoroughly security verification technology.
3 compared with the technology of " Initiative Defense " that existing substantial amounts of fail-safe software on the market adopts, and the present invention concentrates on several " key points " limited in operating system nucleus to carry out checking and defending.It is actually any point in operating system nucleus, namely before every instruction operation, carries out checking and defending.Therefore, this technology, relative to existing " Initiative Defense " technology, is one more comprehensively and thoroughly technology.
4, the present invention uses the mode of similar virtual machine, but the scheme of simple much more efficient checks running any instruction on prerogative grade, it is ensured that every instruction is all the valid instruction in known kernel module.
Accompanying drawing explanation
Fig. 1 is the straight copy binary translation flow chart simplified, and in figure, the part of Lycoperdon polymorphum Vitt represents translation process, and the part of white represents execution process.
Detailed description of the invention
The present invention creates run time kernel module legitimacy detection method method, only by the instruction of detection actual motion in kernel and it has been acknowledged that the homogeneity between legal kernel module executable file determines whether have illegal instruction running in kernel, to guarantee the tight security of kernel, reach thoroughly detection and stop the purpose of kernel poisoning intrusion completely.
Safe verification method when a kind of operating system nucleus runs, comprises the following steps:
Step 1] confirm the legitimacy of all kernel module files of destination OS:
The legitimacy of the static all kernel module files confirming destination OS, and preserve the integrity verification information of all of legal kernel module in destination OS;
Step 2] legitimacy of module that loaded in validation of kernel:
By the kernel module that enumeration operation system has loaded, contrast with the integrity verification information preserved in step 1, thus the legitimacy of the module loaded in validation of kernel, obtain each address realm performing joint of each module simultaneously;Each legal executable module each performs after the address of joint determines, in kernel the address of all valid instructions all it has been determined that.Every privileged instruction occurring performing outside these addresses, is all regarded as virus or other are attacked.
Step 3] the new kernel module loaded at any time is carried out legitimate verification:
The new kernel module that operating system is loaded at any time, contrasts with the integrity verification information preserved in step 1, thus verifying the legitimacy of this new load-on module, obtains each address realm performing joint of this module simultaneously;
Step 4] reset all entrances being switched to prerogative grade from user gradation in processor:
All instructions being switched to prerogative grade from user gradation in intercept process device, and reset the entrance of these instructions, so as to point to binary translation entrance;Such processor is once be switched to prerogative grade, and all privileged instructions all will be translated.
Step 5] every instruction of binary translation entrance is checked:
Every instruction of binary translation entrance is checked, if this instruction is not in certain performed joint of certain legal kernel module, then processes according to exceptional instructions;If this instruction is arranged in certain performed joint of certain legal kernel module, then carry out step 6;
Described process according to exceptional instructions refers to:
If system is under the highest safety requirements, then halt system runs, and halt system runs and data collection reports automatically, confirms new legal module after manual detection is nontoxic again;
If system is under higher safety requirements, then allows system to continue to run with or avoid this instruction and to manage to allow system can continue to properly functioning, collect relevant information simultaneously and report and carry out safety analysis;
If system is under low-security requirement, it is allowed to exceptional instructions continues to run with, collects relevant information simultaneously and carry out safety analysis;
Step 6] step 5] in through inspection every instruction directly copy binary translation:
6.1] call translation interface function, start translation from certain address that should perform instruction;
6.2] instruction decoding is carried out from this address, it is thus achieved that an instruction;
6.3] if this instruction is jump instruction, then translate into and jump to translation interface function, it is parameter that write redirects destination address, and retain former jump instruction redirect purpose, this group instruction jumps to translation interface and translates, after translation terminates, jumping to generation instruction buffer and start to perform, what a to the last instruction returned to former jump instruction after having performed redirects purpose;For without the instruction redirected, not doing any variation, being copied directly to generation instruction buffer and start to perform, simultaneously movable address is to next instruction;
6.4] return step 6.1 to start to translate next instruction.
The principle of the invention:
Inventor thinks through research, why kernel virus is difficult in theory is detected, prevents and removes, its basic reason is that kernel virus runs on same prerogative grade (attention with fail-safe software, in this explanation, the Permission Levels that kernel code runs all are called prerogative grade by no matter various processor architectures.The Permission Levels that corresponding normal application software is run then are called user gradation).In this case, thoroughly detection, strick precaution and removing kernel virus can not be accomplished in theory.So present invention introduces another layer of control of authority, open road for thoroughly detection, strick precaution and removing kernel virus.
Notice that kernel virus has and must have two features, indispensable:
1. kernel virus must have instruction to run at prerogative grade.
2. above-mentioned instruction must not be the instruction in operating system nucleus and other legal kernel modules.But be utilized any method " additionally " and be injected in kernel.
Inventor thinks through research, utilizes above 2 features, is just enough to be accurately identified kernel virus.
Run time kernel module legitimacy detection method
The present invention uses " the run time kernel module legitimacy detection method " of uniqueness that kernel virus is detected.This is different from the schemes such as the static scanning virus code of the present fail-safe software employing of major part on the market, monitor in real time Scan for Viruses code, Initiative Defense completely.
The basic thought of " kernel module legitimacy detection method " is:
1, operating system nucleus is made up of several extractible executable files.As, on Windows, being made up of the file of one group of PE form.And on linux, be made up of the file of one group of ELF format.The integrity of these files and legitimacy can be by (signature verification etc. on such as Windows) that existing method is verified.By these through checking in the present invention, it is determined that the module not being modified is called legal module.
2, legal module can be resolved by static state.It is said that in general, containing all of executable instruction in performed joint (executablesections) in legal module.The content of these instructions can be by static parsing and obtains and confirm.
3, the loading of legal module can operationally be monitored.All of operating system, when loading legal module, has legal entrance to be monitored.On such as Windows, it is possible to register a call back function by interface PsSetLoadImageNotifyRoutine and be monitored.And Linux or Android can be monitored by the loading interface ins_mod of loadable module (LKM).When having kernel module to load in monitoring system, it is possible to by checking that module image (Image) confirms the legal module of the unmodified really of this module.After loading, it may be determined that the memory address range of module loading.
4, when illegal instruction (such as rootkit virus) is loaded operation is then difficult to control.Because virosis not necessarily loads (certainly, virus is also entirely possible to and is loaded by legal interface) by legal interface.Additionally, the file structures of illegal module etc. are also non-known.The instruction of virus is likely to be dynamically generated, and is absent from clear and definite file structure, it is also possible to that what does not have is different with legal modular structure.In any case but, in an operating system nucleus having strict security requirements, it is actually subjected to, if had, any instruction operating in prerogative grade, it is impossible to confirm by above-mentioned 1,2,3, then can suspect it is kernel virus instruction.At this point it is possible to set different strategies according to different safety requirements.
The problem of the prior art of fail-safe software is cannot to accomplish accurately monitor the instruction of every operation in kernel and it is checked on the market.Because one operating in the instruction of prerogative grade when running, the actual whole controls having grasped computer.Outside has no way of it is interfered.Therefore, prerogative grade runs before any instruction, it is necessary to add new one mechanism and instruction is checked.The original creation of the present invention is a bit, it is simply that use the mode of similar virtual machine, but these instructions are checked by the scheme of simple much more efficient.Namely so-called straight copy binary translation technology.
Binary translation (BinaryTranslation)
Binary translation (DynamicBinaryTranslation) is not present disclosure.This is a kind of technology openly having existed and being widely used.It is a kind of technology operationally directly translated and can perform binary program, it is possible to the binary program on a kind of processor is translated another processor performs.
Its principle is: read in the binary command stream of certain processor architecture on the one hand, on the other hand these instruction streams is decoded, and obtains its functional meaning, and compares the another kind of instruction stream being suitable for another kind of processor architecture of same function generation and perform.When going to the instruction of untranslated mistake, then proceed translation.Perform to intersect with translation to carry out.
This technology is widely used in operating to, with certain processor hardware, the situation that another kind of processor architecture is developed.The Mac notebook of such as Apple, after being changed the framework of core processor into IA32 by PowerPC, in order to before compatible be the software of PowerPC architecture processor, just employs binary translation technology.
Sometimes, it is also desirable to use the translation of processor architecture instruction of the same race.Such as, from IA32 instruction translation to IA32 instruction.Although instruction of the same race, but, instruction has been carried out some and has changed by the process of translation.That once used this technology has famous software virtual machine VMware.VMware is on the PC of an IA32 framework, use a processor, the processor of virtual multiple same framework, thus used binary translation technique (after Intel provides VT technology, VMWare uses the facility that VT technology provides to instead of binary translation technology).
Inventor finds through research, it is possible to the kernel being specifically designed for operating system carries out binary translation, thus accomplishing:
1, operating system nucleus is existing, operating instruction detects, it is ensured that every instruction is all the valid instruction in known kernel module.
2, instruction existing in operating system nucleus, operating is changed, forbidden code is shielded and removing etc..
3, the original function of operating system nucleus is not changed.User is transparent.
This is because after carrying out binary translation, every instruction that namely will run all must first pass through translation and could run.And the legitimacy of instruction just can be checked by the process translated.And after translating, if presumptive instruction is revised by malicious attack, it is possible to be found easily.Therefore what time above is that present invention detection, strick precaution and removing to kernel virus provides technical foundation.
Straight copy (directcopy) translation technology
Common binary translation involves address mapping and (transforms to another kind of address space from certain address space, for going the situation of a virtual complete computer with certain sector address space on main frame), hardware device virtual machine (virtual for hardware operation instruction), the record of state and recovery etc..The technology involved is extremely complex, equally, the loss of computing power is also big.Its reason is, binary translation is generally used between xenogenesis platform, or on certain platform, the processor of one-to-many virtual.Therefore have to realize the complicated functions such as address mapping, hardware is virtual.
Inventor it have been investigated that, to resist in the present invention for the purpose of kernel virus, it is not necessary to carry out that any hardware is virtual and address mapping.This is because:
1, this is not the translation between xenogenesis processor architecture.But the translation between processor architecture of the same race.Both the kind of instruction need not have been changed, it is not required that the address of the data operated by transformation directive.
2, the virtual of one-to-many is not needed, it is only necessary to translate one to one.So the state of multiple virtual processor need not be preserved especially extraly.Can directly run under the primordial condition of operating system.Need only assure that before and after translation, processor buffer status is constant.
Relative to traditional binary translation, the binary translation of the use wanted required for the present invention is relatively easy, it is only necessary to realizes straight copy, is namely frequently referred to the interpretative system of " directcopy " in foreign literature.Simplest straight copy interpretation method is (when without any optimization):
1, translation interface starts translation from certain address that should perform.The current state that processor runs first is preserved before translation.
2, for the instruction (without redirecting) that major part is common, then it is copied directly to generation instruction buffer, does not do any variation.This is simplest interpretative system, namely direct copying.(but have the instruction that small part relative address addresses, after translation, Self address is altered, so the addressing skew of relative addressing should be revised.Amendment must be simply translated in this kind of instruction).
3, for jump instruction, then one group of instruction is translated into: this group instruction jumps to translation interface, and the purpose that redirects retaining former jump instruction is parameter.Then translation is terminated, the processor state preserved before recovery, jump to generation instruction buffer and start to perform.Owing to non-jump instruction is entirely equivalence before and after translation, so the effect performing this relief area is consistent with the effect performing presumptive instruction.
4, after the instruction of copy has performed, go to last, translation interface can be called, and start translation from the purpose that redirects of former jump instruction.This has returned to an initial step.
Four step circulations above perform, it is achieved that translation and the cyclic process carried out that performs to intersect.And the effect performed is the same with primary process (when being not added with translating), " equally " herein means user oriented equivalent.Processor has the state difference of intermediate steps, such as performed instruction address and original difference etc. in the process of implementation, has no effect on the result that user is shown.
Certainly, above two steps have ignored the situation of some other needs translations, such as the situation of current instruction address relative address addressing.Also omit various optimization simultaneously.Optimize and describe in detail in content below.
When directly copying binary translation, flow process such as Fig. 1 that translation performs.
Noting, above translation process is due to its simplicity, it is possible to is directly inserted into operating system nucleus entrance and runs.Of course it is necessary to guarantee:
1, before and after the process of translation, user oriented depositor (specific to x86, mean these depositors relevant with operation result of general register, the flag register) state in the processor of processor is the same.This point can be backed-up before translation, and before performing after translation, recovery state realizes.
2, translation is without employing other the hardware resource except depositor, oneself exclusive internal memory.
3, translation does not need any code that call operation system itself provides.
Enter to translate this simple translation form owing to inventor have employed straight copy two, cause that be all become attainable at above 3.Thus, technology described in the invention can be mounted directly to run in operating system as the kernel module of operating system, without, as virtual machine, operating under operating system.Utilizing straight copy binary translation technique to carry out the translation only for operating system nucleus code, this is one of the original creation part of the present invention.
Directly copy binary translation (directcopy) and belong to simplest one in binary translation, be known technology.The commitment being generally used for development behavior binary translation project carries out simple analog development, but seldom occurs in actual applications.
Available binary translation optimisation technique in straight copy (directcopy)
Notice that the straight copy translation technology introduced in this explanation does not introduce its optimization process.Therefore, realize iff method as described above, can cause that operational efficiency is extremely low.But, the optimization method of all binary translations, similarly can be used in the present invention, and not affect security function provided by the present invention.These optimisation techniques have already by extensively, use publicly, such as: slow buffering (slowcache), fast buffering (fastcache), straight chain (chaining) etc..
Note the following introduction to these optimisation techniques situation directly to copy binary translation.Concrete condition in complicated binary translation (such as the translation between the instruction of xenogenesis platform) is likely to different, but because it doesn't matter so can ignore with the present invention.
In order to introduce the concrete grammar of optimization, here must first clearly a small amount of concept.In binary translation, we, by the instruction before being translated, are called " presumptive instruction ".And the instruction after translating, it is called " after translation instruction ".Carry out the program with interpretative function, be called " interpretive program ".And call the interface of interpretive program, it is called " translation interface ".One section of instruction (can not there be jump instruction centre) with jump instruction for end occurred continuously in internal memory, is called one " basic block ".
In normal translation situation, the basic block of presumptive instruction the chances are following appearance:
Non-jump instruction 1
Non-jump instruction 2
Jump to target A
Being loaded with on an operating system after interpretive program, actually Article 1 instruction " non-jump instruction 1 " will be intercepted before performing and translate, and becomes following appearance after translation:
Non-jump instruction 1
Non-jump instruction 2
Preservation state
Call " translation interface " (basic block that special translating purpose A starts)
It is envisioned that an original program is made up of numerous basic block.After translation, each basic block is finished, and all can jump to " translation interface " and start original jump target is translated.A basic block is relatively performed extremely consuming time, so whole process efficiency is extremely inefficient due to translation process.
So-called slow buffering, it is simply that refer to instruction basic block after translated translation, being saved in one can in the table of efficient lookup.When there being new target to translate, first check whether once translated in table.Just directly perform if translated, it is not necessary that again translate.Translation result above becomes following appearance after adding slow buffering:
Non-jump instruction 1
Non-jump instruction 2
Preservation state
Call and cushion lookup (target A) slowly
If the result of finding:
Recovery state, redirects translation post code corresponding for A and performs
Without finding:
Jump to " translation interface " (basic block that special translating purpose A starts)
Mode above appears to more complicated, but owing to for each basic block, translating Exactly-once in fact.Major part situation all becomes slow buffering lookup and just finds result.So becoming faster.
Slow buffering be one can constantly expand can so that the table (such as Hash table) searched.Owing to can constantly expand, so capacity is huge.But also limit the speed of lookup.When table is smaller time, search speed fast.The basic block served as interpreter gets more and more, and speed also just reduces.At this time fast buffering is necessary to.
So-called fast buffering refer to by be the most recently used one group from presumptive instruction address to translation after the corresponding relation of instruction address, be saved in a table having fixed size.Owing to the size of table is fixing, so it is also fixing for searching speed, for open-ended slow buffering, speed is a lot of soon.
But its shortcoming is size fixes.So buffered data up-to-date recently can only be held.Old data are capped in the buffer automatically.But owing to the use of data often has centrality, so the size of fast buffering is rationally set, it is possible to obtain high hit rate at high speeds.
Concrete test according to inventor shows, the hit rate of general fast buffering can reach more than 90%.Efficiency is improved effect notable.
It is typically in cushioning slowly after fast buffering is hit unsuccessfully.If cushioning hit slowly, then this buffering is added fast buffering.
After adding fast buffering, the result of translation becomes following appearance:
Non-jump instruction 1
Non-jump instruction 2
Preservation state
Call and cushion lookup (target A) soon
If the result of finding:
Recovery state, redirects translation post code corresponding for A and performs
Without finding:
Call and cushion lookup (target A) slowly
If the result of finding:
This slow cache entry is added fast buffering
Recovery state, redirects translation post code corresponding for A and performs.
Without finding:
Jump to " translation interface " (basic block that special translating purpose A starts)
After employing fast buffering, the efficiency of dynamic translation system can be significantly improved.If but add " straight chain " technology, then the efficiency that dynamic translation system is run can be made to bring up to the efficiency close to original untranslated system.Look back at the shape of presumptive instruction:
Non-jump instruction 1
Non-jump instruction 2
Jump to target A
If hard objectives A is translated, after translation, the address of instruction is B, then above-mentioned basic block can translate into following appearance in fact:
Non-jump instruction 1
Non-jump instruction 2
Jump to target B
So-called straight chain technology is exactly that the afterbody of instruction upon translation is directly added into one and jumps to the basic block of instruction after another translation.The middle lookup namely not carrying out any instruction, does not also translate.So, the speed of operation is just of little difference with before translation substantially.
About 90% redirect can complete with straight chain.But cannot directly use for " indefinite redirect " (indefinite redirecting refers to that jump target is not fixed in this document, it is necessary to just can know that the jump instruction of jump target in conjunction with processor state), but also have technological means can trade off utilization.
Practical studies through inventor, it has been found that on linux, when using the present invention to carry out actual time safety checking, the operational efficiency of operating system nucleus is still up to 70% when directly running.And the whole efficiency of whole operating system is up to the 90% of primordial condition.Therefore on user almost without appreciable impact.Note that above-mentioned data are different according to the difference of the used actual hardware platform of test.
The technology of the present invention goes for the various operating systems of existence now, includes but not limited to: Linux, Android of various versions, and Windows.It is readily adaptable for use in various different processor architecture simultaneously, includes but not limited to: IA32, ARM etc..But for different processor architectures, it is necessary to different codes realizes;In different operating system, also there is different implementations.But, in various systems and various processor platform, the present invention is realized as a software: both possibly as an independent software (but needing to run under prerogative grade), be arranged in existing operating system;Also possibly as a part for operating system, user it is supplied to together with operating system;Also being likely to the form being solidificated in certain hardware such as ROM, the part as machine is supplied to user.Following content carries out being installed as example as explanation as independent software all.Even if it should be noted, however, that the part as operating system directly provides, or it is solidificated in hardware memory and in the way of hardware, is supplied to client, is also feasible.
The present invention installs as independent software when being carried out, it is necessary to the steps:
Step one: the legitimacy of the static all kernel module files confirming goal systems.Notice that this point need not carry out when destination OS runs, it is only necessary to the file read on hard disk carries out checking just.Known number of ways is had to carry out.Such as checking that the kernel of operating system has the legitimate signature (the such as Microsoft signature to Windows kernel) of manufacturer, various drivers also have legal signature or can download legal version from official website.Linux useable code compiles out nontoxic kernel, and it is carried out integrity calculating, retains an integrity verification code (such as md5 value).At this time, it may be necessary to the integrity verification code by legal module all of in goal systems saves, in order to verify during module loading.
Step 2: the legitimacy of the module loaded in validation of kernel.All operations system both provides the open method enumerating the kernel module loaded.By enumerating these modules, and the integrity information retained in step one contrasts, it is possible to confirm these are already loaded into whether the module in internal memory is complete, not destroyed.Also can obtain each address realm performing joint (excutablesections) of each module simultaneously.
Step 3: install loadable module and load monitoring.This point is different in different operating system, but each with known method.And have been widely used for present all kinds of fail-safe softwares on the market.The kernel module of all loadings is verified.The method and steps two of checking is identical.Institute is that before this software is worked, the kernel module that loaded in system is verified the difference is that, step 2.And this step be this software is worked after, the new kernel module that operating system loads at any time is verified.
Step 4: intercept all of running status that may result in processor switching point from user gradation to prerogative grade.This point is on Windows and linux system, and different processor architecture (IA32 and ARM) is all different.But the processor architecture being to provide user gradation and two kinds of operational modes of prerogative grade must provide the switching entrance being switched to prerogative grade from user gradation, and this entrance can only be modified under prerogative grade.Owing to this software self-operating is under prerogative grade, these entrances therefore always can be revised.Concrete operation is different under different frameworks.Such as IA32 processor, all of interruption can result in being switched to prerogative grade from user gradation, additionally, the syscall of instruction sysenter(or 64) also can be switched to prerogative grade, instruction pointer points to a value being saved in MSR simultaneously.The implementation of the present invention, it is simply that reset these entrances, so as to point to binary translation entrance, directly copies binary translation to the code of script entrance.
Step 5: during straight copy binary translation, every instruction to be translated is checked.Guarantee that this instruction is arranged in certain performed joint of certain legal module really.If this point is negative, takes different measures according to different security strategies, be such as but not limited to:
Under the highest safety requirements, occurring that this situation is run with regard to halt system, machine send relevant department to detect.Confirm nontoxic after let pass again.
Under higher safety requirements, it is possible to permission system continues to run with, but collect enough information and be sent to relevant engineering department and be analyzed, to confirm its safety.
Sometimes, can manage to avoid for suspicion instruction, and it is properly functioning to manage to allow system can continue to.The user of gather information warning simultaneously has potential security risk, is sent to relevant engineering department and is analyzed.
Under the occasion that low-security requires, it is possible to allow illegal instruction to continue to run with, but collect relevant information and be sent to relevant engineering department and be analyzed.
Note, in legal operating system, the instruction that only a few dynamically generates that truly has be can not by the checking of step 5.But owing to this is known and the situation of only a few, special case can be regarded completely and exclude.
This technology depends on the grasp of the hardware entrance that user right grade to prerogative grade is switched.In theory, rootkit virus can also be changed these entrances and reach to obtain control, destroys the purpose of the technology of the present invention.But; instruction owing to only running prerogative grade can be changed these entrances and destroy this technology; and the instruction run on prerogative grade all can be carried out binary translation analysis by this technology, and find the intention of the other side, therefore can protect in theory and oneself be not subjected to attack.
Claims (2)
1. safe verification method when an operating system nucleus runs, it is characterised in that: comprise the following steps:
Step 1) confirm the legitimacy of all kernel module files of destination OS:
The legitimacy of the static all kernel module files confirming destination OS, and preserve the integrity verification information of all of legal kernel module in destination OS;
Step 2) legitimacy of module that loaded in validation of kernel:
By the kernel module that enumeration operation system has loaded, contrast with the integrity verification information preserved in step 1, thus the legitimacy of the module loaded in validation of kernel, obtain each address realm performing joint of each module simultaneously;
Step 3) the new kernel module loaded at any time is carried out legitimate verification:
The new kernel module that operating system is loaded at any time, contrasts with the integrity verification information preserved in step 1, thus verifying the legitimacy of this new load-on module, obtains each address realm performing joint of this module simultaneously;
Step 4) reset all entrances being switched to prerogative grade from user gradation in processor:
All instructions being switched to prerogative grade from user gradation in intercept process device, and reset the entrance of these instructions, so as to point to binary translation entrance;
Step 5) every instruction that binary translation to be translated checks:
Every instruction that binary translation to be translated checks, if this instruction is not in certain performed joint of certain legal kernel module, then processes according to exceptional instructions;If this instruction is arranged in certain performed joint of certain legal kernel module, then perform step 6;
Described process according to exceptional instructions refers to:
If system is under the highest safety requirements, then halt system runs and collects relevant information and automatically reports, and confirms new legal module after manual detection is nontoxic again;
If system is under higher safety requirements, then allows system to continue to run with or avoid this instruction and to manage to allow system can continue to properly functioning, collect relevant information simultaneously and report and carry out safety analysis;
If system is under low-security requirement, it is allowed to exceptional instructions continues to run with, gathers information simultaneously and carry out safety analysis;
Step 6) to step 5) in through inspection every instruction carry out binary translation, binary translation is to adopt directly to copy binary translation, and it specifically comprises the following steps that
6.1) call translation interface function, start translation from certain address that should perform instruction;
6.2) instruction decoding is carried out from this address, it is thus achieved that an instruction;
6.3) if this instruction is jump instruction, then translate into and jump to translation interface function, it is parameter that write redirects destination address, and retain former jump instruction redirect purpose, this group instruction jumps to translation interface and translates, after translation terminates, jumping to generation instruction buffer and start to perform, what a to the last instruction returned to former jump instruction after having performed redirects purpose;For without the instruction redirected, not doing any variation, being copied directly to generation instruction buffer and start to perform, simultaneously movable address is to next instruction;
6.4) return step 6.1 to start to translate next instruction.
2. safe verification method when operating system nucleus according to claim 1 runs, it is characterised in that: described step 6) in binary translation be the binary translation adopting slow buffer technology, fast buffer technology and/or straight chain technology.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310425645.5A CN103473508B (en) | 2013-09-17 | 2013-09-17 | Safe verification method when operating system nucleus runs |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310425645.5A CN103473508B (en) | 2013-09-17 | 2013-09-17 | Safe verification method when operating system nucleus runs |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103473508A CN103473508A (en) | 2013-12-25 |
| CN103473508B true CN103473508B (en) | 2016-07-27 |
Family
ID=49798354
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310425645.5A Expired - Fee Related CN103473508B (en) | 2013-09-17 | 2013-09-17 | Safe verification method when operating system nucleus runs |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103473508B (en) |
Families Citing this family (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103942503B (en) * | 2014-04-28 | 2017-02-01 | 上海新储集成电路有限公司 | Safe state switching system and switching method |
| CN104572235B (en) * | 2014-12-31 | 2019-02-26 | 北京奇虎科技有限公司 | A method and device for compiling a loadable kernel module |
| WO2016141061A1 (en) * | 2015-03-03 | 2016-09-09 | AVG Netherlands B.V. | Method and system for offline scanning of computing devices |
| US10346168B2 (en) | 2015-06-26 | 2019-07-09 | Microsoft Technology Licensing, Llc | Decoupled processor instruction window and operand buffer |
| US10409606B2 (en) * | 2015-06-26 | 2019-09-10 | Microsoft Technology Licensing, Llc | Verifying branch targets |
| US11755484B2 (en) | 2015-06-26 | 2023-09-12 | Microsoft Technology Licensing, Llc | Instruction block allocation |
| CN107016283B (en) * | 2017-02-15 | 2019-09-10 | 中国科学院信息工程研究所 | Android privilege-escalation attack safety defense method and device based on integrity verification |
| CN109271787A (en) * | 2018-07-03 | 2019-01-25 | 中国银联股份有限公司 | A kind of operating system security active defense method and operating system |
| CN111241602B (en) * | 2018-11-29 | 2023-05-02 | 阿里巴巴集团控股有限公司 | FPGA IP core loading method, device and electronic equipment |
| CN111382433B (en) * | 2018-12-29 | 2022-12-13 | 龙芯中科技术股份有限公司 | Module loading method, device, equipment and storage medium |
| CN113010859B (en) * | 2021-02-18 | 2022-09-06 | 浪潮云信息技术股份公司 | Activation code generation method supporting self-checking |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102147843A (en) * | 2011-05-16 | 2011-08-10 | 湖南大学 | Rootkit intrusion detection and system recovery method based on inner core invariant protection |
| CN102339371A (en) * | 2011-09-14 | 2012-02-01 | 奇智软件(北京)有限公司 | A method, device and virtual machine for detecting malicious programs |
| CN102521531A (en) * | 2011-11-24 | 2012-06-27 | 华中科技大学 | Password protection system based on hardware virtualization |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8479195B2 (en) * | 2007-05-16 | 2013-07-02 | Vmware, Inc. | Dynamic selection and application of multiple virtualization techniques |
-
2013
- 2013-09-17 CN CN201310425645.5A patent/CN103473508B/en not_active Expired - Fee Related
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102147843A (en) * | 2011-05-16 | 2011-08-10 | 湖南大学 | Rootkit intrusion detection and system recovery method based on inner core invariant protection |
| CN102339371A (en) * | 2011-09-14 | 2012-02-01 | 奇智软件(北京)有限公司 | A method, device and virtual machine for detecting malicious programs |
| CN102521531A (en) * | 2011-11-24 | 2012-06-27 | 华中科技大学 | Password protection system based on hardware virtualization |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103473508A (en) | 2013-12-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103473508B (en) | Safe verification method when operating system nucleus runs | |
| CN107808094B (en) | System and method for detecting malicious code in a file | |
| CN104769604B (en) | Real time capable module is protected | |
| KR101265173B1 (en) | Apparatus and method for inspecting non-portable executable files | |
| US8763128B2 (en) | Apparatus and method for detecting malicious files | |
| US8117660B2 (en) | Secure control flows by monitoring control transfers | |
| US9262246B2 (en) | System and method for securing memory and storage of an electronic device with a below-operating system security agent | |
| EP2881881B1 (en) | Machine-readable medium, method and system for detecting java sandbox escaping attacks based on java bytecode instrumentation and java method hooking | |
| US20130312099A1 (en) | Realtime Kernel Object Table and Type Protection | |
| JP6909770B2 (en) | Systems and methods for creating antivirus records | |
| US20090271867A1 (en) | Virtual machine to detect malicious code | |
| CN101593259A (en) | software integrity verification method and system | |
| RU2724790C1 (en) | System and method of generating log when executing file with vulnerabilities in virtual machine | |
| Ladisa et al. | Towards the detection of malicious java packages | |
| US8086835B2 (en) | Rootkit detection | |
| US11170103B2 (en) | Method of detecting malicious files resisting analysis in an isolated environment | |
| Segal et al. | Uefi memory forensics: a framework for uefi threat analysis | |
| US9450960B1 (en) | Virtual machine file system restriction system and method | |
| Zhang et al. | Secure virtualization environment based on advanced memory introspection | |
| US20070056039A1 (en) | Memory filters to aid system remediation | |
| Piromsopa et al. | Survey of protections from buffer-overflow attacks | |
| Song et al. | JShellDetector: A Java Fileless Webshell Detector Based on Program Analysis | |
| Németh et al. | Detection of persistent rootkit components on embedded IoT devices | |
| US10061924B1 (en) | Detecting malicious code based on deviations in executable image import resolutions and load patterns | |
| Nguyen et al. | Direct Kernel Virtual Address Space Forensics for Live Memory Analysis |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20160727 Termination date: 20190917 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |