Research on System Security Techniques in an Untrusted Kernel Environment (不可信内核环境下的系统安全技术研究)

Published: 2018-03-19 17:19

  Topic: untrusted kernel. Focus: system security. Source: Nanjing University, 2016 doctoral dissertation. Document type: degree thesis.


[Abstract]: In a modern operating system the kernel runs at the highest privilege level of the whole system. It manages and controls the underlying hardware resources and provides securely isolated resource abstractions and access interfaces to the applications above it; it is the trusted computing base (TCB) of the whole system. However, the kernel has a huge code base, complex data structures and a broad attack surface, and it is usually written in memory-unsafe languages. A growing number of vulnerability reports show that the kernel contains many bugs and vulnerabilities, so the kernel cannot be trusted. Once an attacker has compromised the kernel, they hold the highest privilege on the system and can carry out arbitrary attacks, including manipulating the underlying hardware, executing arbitrary code on the system, and reading or writing any data in memory or on disk.

To address the untrusted-kernel problem, existing work usually introduces a new TCB at a privilege level above the untrusted kernel (for example a virtual machine monitor) and deploys and enforces its protection mechanisms there to defend against kernel-level attacks. However, the frequent privilege-level switches between the TCB and the kernel cause high system performance overhead. To address this problem, this thesis proposes the same-level TCB approach (同层可信基): instead of relying on a higher privilege level, it introduces the new TCB at the same privilege level as the untrusted kernel and deploys and enforces the protection mechanisms there. The thesis argues that the same-level TCB approach offers the same security as the traditional higher-privilege-level TCB approach, while avoiding the privilege-level switches between the TCB and the kernel and thus greatly improving system performance. The main contributions are the following.

A same-level TCB based on hardware virtualization. Hardware virtualization is used to intercept and verify the kernel's privileged operations and to set up a secure execution environment for applications, thereby protecting security-sensitive applications.

A same-level TCB based on instruction address size. By changing the address size used by kernel instructions, the kernel's address-space accesses are restricted; combined with kernel code integrity protection and kernel control-flow integrity protection, this protects security-sensitive applications.

A same-level TCB based on software fault isolation (SFI) and address-space isolation. Traditional code-sandboxing techniques are combined with address-space isolation to intercept and verify the kernel's privileged operations, guaranteeing the secure isolation and trusted execution of the same-level TCB and thereby enabling active monitoring of the untrusted kernel.

A same-level TCB based on x86 hardware mechanisms. The x86 WP (CR0.WP, which makes supervisor-mode writes to read-only pages fault) and NXE (IA32_EFER.NXE, which enables the execute-disable bit in page-table entries) mechanisms are used to intercept and verify the kernel's privileged operations and to defend against the various attacks an untrusted kernel can mount on a same-level TCB; on this basis, active monitoring of the untrusted kernel is realised.

The thesis gives a systematic security analysis and performance analysis of these four classes of same-level TCB methods. The results show that a same-level TCB provides the same security as a traditional higher-privilege-level TCB while greatly improving performance.
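The SFI-based and the WP/NXE-based contributions share one requirement: once the TCB has made kernel code read-only under CR0.WP and non-code pages non-executable under EFER.NXE, the untrusted kernel must not be able to execute an instruction that undoes that (a write to CR0/CR3/CR4, wrmsr, lgdt/lidt). The following is an added example, not code from the thesis or its author: a fail-closed, SFI-style verifier that scans a kernel code page for exactly those instructions so the TCB can rewrite or reject them before the page is allowed to run. The x86-64 opcode subset it decodes, the enum and function names, and the hand-assembled byte samples are all constructed for this example; a real same-level TCB needs a complete decoder and a matching rewriter.

```c
/* Added example, not code from the thesis: a fail-closed, SFI-style verifier
 * for a same-level TCB.  Assumed setting: kernel code is read-only under
 * CR0.WP and non-code pages are non-executable under IA32_EFER.NXE, so the
 * kernel must not execute an instruction that changes control registers,
 * MSRs or the descriptor tables.  The decoder knows only a small x86-64
 * subset; anything it cannot decode, or that runs past the buffer, is a
 * verification failure rather than a skip. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { V_OK, V_PRIVILEGED, V_UNDECODABLE };

struct result {
    enum verdict verdict;
    size_t offset;    /* offset of the offending instruction */
    const char *what; /* mnemonic of the privileged instruction, else NULL */
};

/* Bytes taken by a ModRM byte plus its SIB/displacement; 0 if truncated. */
static size_t modrm_len(const uint8_t *p, size_t n)
{
    if (n < 1) return 0;
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    size_t len = 1;
    if (mod == 3) return 1;                        /* register operand    */
    if (rm == 4) {                                 /* SIB byte follows    */
        if (n < 2) return 0;
        len++;
        if (mod == 0 && (p[1] & 7) == 5) len += 4; /* no base: disp32     */
    } else if (mod == 0 && rm == 5) {
        len += 4;                                  /* RIP-relative disp32 */
    }
    if (mod == 1) len += 1;
    if (mod == 2) len += 4;
    return len <= n ? len : 0;
}

/* Length of one instruction, 0 if unsupported or truncated.  Sets *priv to a
 * mnemonic when the instruction can change CRn, MSRs or GDT/IDT. */
static size_t decode_one(const uint8_t *p, size_t n, const char **priv)
{
    size_t i = 0, m;
    int rex_w = 0;
    *priv = NULL;
    if (i < n && (p[i] & 0xF0) == 0x40) { rex_w = p[i] & 8; i++; } /* REX */
    if (i >= n) return 0;
    uint8_t op = p[i++];
    if (op >= 0x50 && op <= 0x5F) return i;                 /* push/pop r64  */
    if (op == 0x90 || op == 0xC3) return i;                 /* nop, ret      */
    if (op == 0x89 || op == 0x8B) {                         /* mov r/m <-> r */
        m = modrm_len(p + i, n - i); return m ? i + m : 0;
    }
    if (op == 0x83) {                                       /* op r/m, imm8  */
        m = modrm_len(p + i, n - i); return (m && i + m < n) ? i + m + 1 : 0;
    }
    if (op == 0x25) return i + 4 <= n ? i + 4 : 0;          /* and rax,imm32 */
    if (op >= 0xB8 && op <= 0xBF) {                         /* mov r, imm    */
        m = rex_w ? 8 : 4; return i + m <= n ? i + m : 0;
    }
    if (op != 0x0F || i >= n) return 0;
    op = p[i++];                                            /* 0F xx opcodes */
    if (op == 0x20 || op == 0x22) {                         /* mov r,crN / mov crN,r */
        if (i >= n) return 0;
        if (op == 0x22) *priv = "mov crN, r";
        return i + 1;
    }
    if (op == 0x30) { *priv = "wrmsr"; return i; }
    if (op == 0x32) return i;                               /* rdmsr         */
    if (op == 0x01) {                                       /* group 7       */
        m = modrm_len(p + i, n - i);
        if (!m) return 0;
        uint8_t mod = p[i] >> 6, reg = (p[i] >> 3) & 7;
        if (mod != 3 && reg == 2) *priv = "lgdt";
        if (mod != 3 && reg == 3) *priv = "lidt";
        return i + m;                                       /* incl. swapgs 0F 01 F8 */
    }
    return 0;
}

/* Scan a code buffer; stop at the first privileged or undecodable instruction. */
struct result verify_code(const uint8_t *code, size_t len)
{
    struct result r = { V_OK, 0, NULL };
    size_t off = 0;
    while (off < len) {
        const char *priv;
        size_t l = decode_one(code + off, len - off, &priv);
        if (l == 0) { r.verdict = V_UNDECODABLE; r.offset = off; return r; }
        if (priv)   { r.verdict = V_PRIVILEGED;  r.offset = off; r.what = priv; return r; }
        off += l;
    }
    return r;
}

/* Hand-assembled samples constructed for this example, not real kernel code. */
const uint8_t SAMPLE_SAFE[] = {
    0x55, 0x48, 0x89, 0xE5,             /* push rbp; mov rbp, rsp     */
    0x48, 0x8B, 0x45, 0x10,             /* mov rax, [rbp+0x10]        */
    0x5D, 0xC3                          /* pop rbp; ret               */
};
/* The classic "clear CR0.WP" sequence: exactly the write the TCB must catch. */
const uint8_t SAMPLE_WP_GADGET[] = {
    0x0F, 0x20, 0xC0,                   /* mov rax, cr0               */
    0x48, 0x25, 0xFF, 0xFF, 0xFE, 0xFF, /* and rax, ~(1 << 16)        */
    0x0F, 0x22, 0xC0,                   /* mov cr0, rax   (offset 9)  */
    0xC3                                /* ret                        */
};
const uint8_t SAMPLE_UNKNOWN[] = { 0x0F, 0x0B };   /* ud2: outside the subset */

int main(void)
{
    static const char *names[] = { "ok", "privileged", "undecodable" };
    struct result r = verify_code(SAMPLE_WP_GADGET, sizeof SAMPLE_WP_GADGET);
    printf("wp gadget: %s at offset %zu (%s)\n", names[r.verdict], r.offset,
           r.what ? r.what : "-");
    r = verify_code(SAMPLE_SAFE, sizeof SAMPLE_SAFE);
    printf("safe page: %s\n", names[r.verdict]);
    return 0;
}
```

The fail-closed rule is the important design choice: an SFI verifier that skipped bytes it could not decode could be bypassed by a kernel that hides a `mov cr0` inside the operand bytes of a longer instruction and jumps into the middle of it, so an unknown opcode or an instruction running past the page is treated as a violation. Reads of control registers and `rdmsr` are allowed because they cannot weaken WP or NXE; the thesis's own same-level TCBs would additionally need control-flow integrity so that the kernel cannot reach a privileged instruction outside the verified pages.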
[Degree-granting institution]: Nanjing University
[Degree]: Doctorate
[Year awarded]: 2016
[Classification number]: TP309

[Similar literature]

Related journal articles

1 张全林, 李勤, 祝跃飞, 徐廷. Research on the IPSec implementation in Linux kernel 2.6 [J]. 信息工程大学学报 (Journal of Information Engineering University), 2005(03).

2 刘邦明, 邬浙艳, 孙黉杰. SSDT hooking: a sample of Windows-kernel rootkit technique [J]. 网络安全技术与应用 (Network Security Technology & Application), 2009(03).

Related doctoral dissertations

1 邓良. Research on System Security Techniques in an Untrusted Kernel Environment [D]. Nanjing University, 2016. (this thesis)

Related master's theses

1 李金龙. Smartphone security hardening based on kernel extensions [D]. Beijing Institute of Technology, 2015.

2 黄杰. Research on kernel non-control-data attacks and online detection methods [D]. Beijing Jiaotong University, 2016.

3 邢薇薇. Research on key technologies of a partitioned kernel for avionics [D]. Xidian University, 2011.

4 毕海. Research and implementation of SSDT-based process-injection interception [D]. Hebei University of Engineering, 2011.

5 郑艺斌. Design and implementation of an IPSec VPN server based on the Chinese national cryptographic standards [D]. Xidian University, 2014.



Document ID: 1635242


Link: https://www.wllwen.com/shoufeilunwen/xxkjbs/1635242.html

