Research on Protection Methods against Operating-System Kernel-Level Rootkits on Virtualization Platforms

Published: 2017-12-26 18:39

  Keywords of this article: research on protection methods against operating-system kernel-level Rootkits on virtualization platforms. Source: Beijing Institute of Technology, 2016 doctoral dissertation. Thesis type: degree thesis


  Related topics: Rootkit protection; integrity protection; virtualization; operating-system kernel; Rootkits


[Abstract]: With the development of information technology, society's need for information security has become increasingly pressing, and information security is now a problem that cannot be ignored. The operating system is one of the basic elements of an information system, so its security problems threaten the whole information system; kernel security is the main content of operating-system security protection, and once the kernel is compromised, the security of the whole operating system and even the information system may be affected. Kernel-level Rootkit attacks are the main threat to kernel security: they can tamper with kernel code or data, thereby take control of the entire operating system, and hide their malicious behaviour. This thesis takes protection methods against kernel-level Rootkit attacks as its research goal and protection of the integrity of operating-system kernel data as its technical route. It first builds data access relationship graphs and function call relationship graphs for multiple platforms; then, using these graphs as the basis for judgement, it protects non-stack data and stack data in the kernel respectively; finally it establishes a kernel-level Rootkit protection model and an experimental prototype. The main results and innovations of the thesis are:

1. An automatic construction method for operating-system kernel-level data access and function call graphs that uses the virtualization exception mechanism and is compatible with multiple platform architectures; the method does not depend on the software structure or compilation conventions of the guest and achieves high precision and recall. To provide a judgement basis for the non-stack data protection method and the stack data protection method, a method for automatically constructing data access and function call graphs is proposed. The method uses the page-fault mechanism of the virtual machine monitor to monitor write accesses to specific memory data and records the instructions that access that data, thereby building the data access graph; it uses the software breakpoint mechanism of the virtual machine monitor to hijack the entry-address instruction, call instructions and return instructions of in-memory functions, thereby monitoring the parent-child call relations between functions, and builds a function call graph from child function to parent function. Experiments built graphs for 32-bit Windows XP and 32-bit Linux on the x86 architecture and for 64-bit Windows 7 on the x64 architecture. The results show that data access graph construction reaches 100% precision, and function call graph construction reaches 100% precision with recall above 87%. The method is compatible with a variety of operating systems on x86 and x64 processor architectures and does not depend on their software structure or compilation conventions. The two kinds of graphs serve directly as the judgement basis for the non-stack and stack data protection methods.

2. A protection method for non-stack kernel data that uses legitimate kernel module code segments, the data access graph and the function call graph as trusted intervals, protecting kernel code, heap data, data segments, BSS segments and so on; the method effectively resists multiple types of Rootkit attacks with high reliability. To counter attacks by MEP, KOH and DKOM type Rootkits on non-stack kernel data, a non-stack data protection method that establishes trusted intervals is proposed. The method first uses legitimate kernel module code segments as a trusted interval and checks whether the discrete function pointers in non-stack kernel data point into legitimate kernel module code segments; it then uses the data access graph and the function call graph as trusted intervals to ensure that the other types of target data in non-stack kernel data can only be modified by instructions in the data access graph, and that the parent functions calling those instructions also satisfy the function call graph. Experiments on 32-bit Windows XP used 6 typical malicious Rootkits and 14 constructed attack samples. The results show that the method protects against all of the typical Rootkits and attack samples, successfully resisting MEP, KOH and DKOM type Rootkit attacks while also blocking page-mapping attacks, thus giving effective protection to non-stack kernel data. Compared with similar methods, its notable advantage lies in protection against DKOM type attacks: it can stop such malicious code from running, and the protection is more complete and reliable.

3. A kernel stack data protection method that binds each executable unit to its kernel stack by monitoring kernel stack switching, replacement, creation and deletion; the method offers strong protection over a wide scope and protects all types of data on the kernel stack simultaneously. To block "return-to-schedule" and its extended types of Rootkits from attacking stack data in the kernel, a stack data protection method that binds executable units is proposed. By monitoring kernel stack switching, replacement, creation and deletion, the method synchronously changes the read/write attributes of the memory region holding the kernel stack, so that an executable unit can modify only its own kernel stack data and cannot tamper with other kernel stacks, thereby binding the executable unit to its kernel stack; it then protects the relevant kernel code and data according to the data access and function call graphs, ensuring that an executable unit cannot tamper with its own kernel stack data by executing malicious code. Experiments on 32-bit Windows XP built 6 test samples attacking kernel stack data. The results show that the method protects against all attack samples, successfully stopping "return-to-schedule" and its extended types of Rootkit attacks, and effectively protects all types of data on the kernel stack, including return addresses, parameters and local variables.

4. A kernel-level Rootkit protection model based on virtualization technology that supports multiple platform architectures, with an experimental prototype system designed and implemented; the system offers strong protection with low resource usage. To resist Rootkit attacks on operating-system kernel data, a kernel-level Rootkit protection model is built and its experimental prototype system is designed and implemented. The system mainly uses the non-stack and stack data protection methods to protect memory data in the operating-system kernel; at the same time it monitors writes to critical operating-system registers to guarantee the integrity of those registers; to support multiple platforms, it identifies the type of operating system in the guest virtual machine, then reconstructs its semantic information and protects it. Experiments on 32-bit Windows XP used 6 typical malicious Rootkits and 25 constructed attack samples; the results show that the experimental system effectively resists all of the typical Rootkits and test samples with a performance overhead below 3.1%. It can also protect against typical malicious Rootkits under 64-bit Windows 7 and 32-bit Linux. The experimental system effectively protects the kernel data of multiple operating systems with low resource usage.
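To make the graph construction of contribution 1 and the two trusted intervals of contribution 2 concrete, here is an added Python model (not the thesis's own code): a learning-phase trace of page write faults and hijacked call instructions builds the data access and function call graphs, after which a write to protected data is allowed only if both its writing instruction and its caller are recorded, and a function pointer only if it targets a legitimate module code segment. All addresses, code segments and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample values (hypothetical addresses and function names, not
# taken from the thesis): legitimate kernel module code segments, and a
# learning-phase trace of what the VMM observes through page write faults
# ("write": writer ip, data address) and hijacked call instructions
# ("call": parent function, child function).
CODE_SEGMENTS = {"ntoskrnl": (0x80000000, 0x80100000),
                 "hal": (0x80100000, 0x80120000)}
PROC_LINK = 0x82000010   # one protected non-stack datum, e.g. a process list link
TRACE = [
    ("call", "process_exit", "unlink_process"),
    ("write", 0x80001234, PROC_LINK),
    ("call", "process_create", "link_process"),
    ("write", 0x80001300, PROC_LINK),
]

def in_legit_code(addr):
    """Trusted interval 1: does addr lie inside a legitimate module code segment?"""
    return any(lo <= addr < hi for lo, hi in CODE_SEGMENTS.values())

def build_graphs(trace):
    """Learning phase: data access graph (datum -> writer ips) and function
    call graph (child function -> parent functions that may call it)."""
    dag, fcg = defaultdict(set), defaultdict(set)
    for kind, src, dst in trace:
        if kind == "write":
            dag[dst].add(src)   # instruction at src wrote datum dst
        else:
            fcg[dst].add(src)   # parent src called child dst
    return dag, fcg

def check_fptr(new_value):
    """Discrete function pointer in non-stack data: only legitimate code targets."""
    return in_legit_code(new_value)

def check_write(dag, fcg, ip, data, func, caller):
    """Other protected data: the writing instruction must be in the data access
    graph, and the function containing it must have been called by a parent
    recorded in the function call graph. Returns (allowed, reason)."""
    if ip not in dag.get(data, ()):
        return False, "writer instruction not in data access graph"
    if caller not in fcg.get(func, ()):
        return False, "caller not in function call graph"
    return True, "ok"

if __name__ == "__main__":
    dag, fcg = build_graphs(TRACE)
    print(check_write(dag, fcg, 0x80001234, PROC_LINK, "unlink_process", "process_exit"))
    print(check_write(dag, fcg, 0x90000040, PROC_LINK, "rk_hide", "rk_init"))  # DKOM-style direct write
    print(check_write(dag, fcg, 0x80001234, PROC_LINK, "unlink_process", "rk_init"))  # legitimate writer, foreign caller
    print(check_fptr(0x90000100))  # KOH-style hook pointing outside legitimate code
```

The third case shows why the data access graph alone is not enough: a recorded writer instruction reached from an unrecorded parent is still rejected by the function call graph.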
[Degree-granting institution]: Beijing Institute of Technology
[Degree level]: Doctor
[Year awarded]: 2016
[Classification number]: TP309;TP316
