基于ARM的嵌入式系统网络接入安全研究

发布时间：2018-06-13 01:33

本文选题：嵌入式 + Linux　；参考：《武汉工程大学》2013年硕士论文

【摘要】：信息化、智能化、网络化已成为当今社会的标识符，嵌入式技术发展日趋稳定，嵌入式系统广泛地应用到生活的各个领域中：智能家电、汽车电子、3G应用等，并且对于这些应用程序的开发，具有非常重要的理论意义和现实意义。本文研究的是基于ARM微处理器以太网电路的设计与实现。文章中首先构造实现最小ARM系统中所外设的电路，其中包括SDRAM和FLASH芯片的接入。这里的ARM微处理器类型选取的是MICREL公司中的ARM922T芯片，该芯片集成了网络控制器等功能，使得设计简化，重点放在后面的数据加密和应用软件的识别中。然后搭建Linux系统使得通过宿主机来操作目标机，通过对交叉编译的建立、根据目标机U-Boot的移植、内核移植和根文件系统的构建实现Linux的操作。这些操作是必须的操作，是实现宿主机和目标机联系的重要过程。接着利用Linux实现协议栈各层协议之间的数据传递，包括ARP协议、ICMP协议、IP协议、TCP协议、UDP协议以及SOCKET通信机制。这些协议只和相邻层之间通信，与其他层间相互屏蔽，用当前模块协议中的函数调用相邻层中的函数实现信息的接收和发送等一系列操作。论文的最后讲述如何将数据报文安全在网络传输以及对网关流量的合理分配，，其中数据加密采用的是VPN中的IPSec技术；对流量合理分配主要是通过局域网中客户端的应用软件进行监控。 IPSec技术是在IP层对数据的加密/解密过程的操作，通过定义的或者动态获取到的关联数据库和安全策略数据提供的素材，IPSec进程模块实现数据的加密/解密功能，其中加密中的密钥是由IKE进程实现。IKE协商过程中主要包括两个阶段：第一个阶段为建立IPSec隧道准备相关素材，包括使用加密算法的选择、确认对方身份等。第二阶段正式建立IPSec隧道，这里进行AH或者ESP的加密处理方法。IKE协商完成后便可以正常通信。对具有娱乐性软件的监控主要的工作是识别这些有娱乐性的应用软件。识别这些软件的有对固定端口的识别、固定IP地址的识别以及对应用层数据包的特种字段识别。将这些识别出的软件以二则表达式的方式存储在配置文件中，以便以后的更新。搜索配置文件中的库和对包的过滤都采用的是HASH算法，在包过滤算法中以源地址、目的地址、源端口、目的端口、协议类型作用HASH中的关键字，然后对应特定的函数进行计算，若和之前设定好的列表中的值相同，则对该包进行处理；在与库中做比对时，主要以应用软件的固定端口、IP和对用的应用层特征字段进行匹配，用HASH算法算出的值若与库中的值相同，则通知用户管理模块某个用户使用了什么样的软件。社会信息化也向纵深方向发展，嵌入式系统应用也在不断加深，ARM和Linux技术这两大热点，应用范围也将扩大。所以在嵌入式系统中融入加密算法和监控功具有很好的应用价值。
[Abstract]:Information, intelligence and networking have become the identifiers of today's society. The development of embedded technology is becoming more and more stable. Embedded systems are widely used in various fields of life: intelligent home appliances, automotive electronics, 3G applications, etc. And for the development of these applications, has a very important theoretical and practical significance. This paper studies the design and implementation of Ethernet circuit based on arm microprocessor. In this paper, the peripheral circuits of the minimum arm system are constructed, including the access of SDRAM and flash chips. The ARM922T chip of MICREL company is selected as the type of arm microprocessor, which integrates the functions of network controller and makes the design simple. The emphasis is on the data encryption and application software identification. Then the Linux system is built to operate the target machine through the host computer, through the establishment of cross-compilation, according to the transplant of the target machine U-Boot, the kernel transplantation and the construction of root file system to realize the Linux operation. These operations are necessary operations and an important process to realize the connection between host and target machine. Then we use Linux to realize the data transfer between different layers of protocol stack, including ARP protocol, ICMP protocol, IP protocol, TCP protocol, UDP protocol and socket communication mechanism. These protocols only communicate with adjacent layers, shield each other with other layers, and use the functions in the current module protocol to call the functions in adjacent layers to realize a series of operations, such as receiving and sending information. At the end of the paper, how to transfer the data message safely in the network and distribute the gateway traffic reasonably, the IPSec technology in VPN is used in the data encryption. The reasonable distribution of traffic is mainly carried out through the application software of client in LAN. IPSec technology is the operation of encryption / decryption of data in IP layer. The IPSec process module realizes the encryption / decryption function of the data by defining or dynamically acquiring the associated database and the material provided by the security policy data. The key in encryption is implemented by Ike process. Ike negotiation mainly includes two stages: the first stage prepares relevant materials for establishing IPSec tunnel, including the choice of encryption algorithm, confirmation of the identity of the other party and so on. In the second stage, IPSec tunnel is formally established, where the encryption method of AH or ESP. Ike can communicate normally after negotiation. The main task of monitoring entertainment software is to identify these entertainment applications. The software can identify fixed ports, fixed IP addresses and special fields of application data packets. The identified software is stored in a configuration file as two expressions for future updates. The library in the search configuration file and the filter to the packet adopt the hash algorithm. In the packet filtering algorithm, the keywords in the hash are used as the source address, the destination address, the source port, the destination port, and the protocol type. If the values are the same as those in the previously set list, the packet is processed; when compared with the library, it is mainly matched by the fixed port IP of the application software and the application layer feature fields used. If the value calculated by the hash algorithm is the same as the value in the library, the user management module is informed of what kind of software is used by a user. With the development of social informatization, the application of embedded system is becoming more and more popular, such as arm and Linux technology, and the application scope will be expanded. So it has good application value to integrate encryption algorithm and monitoring work into embedded system.
【学位授予单位】：武汉工程大学
【学位级别】：硕士
【学位授予年份】：2013
【分类号】：TP368.1;TN918.4

【共引文献】