Rootkit detection mechanism and detection method based on kernel-based virtual machine

A kernel virtual machine technology and detection method, applied to the field of KVM-based rootkit detection, that addresses the problems of detection lag, detection threads that are themselves easily affected by the rootkit, and poor coupling with the kernel, so as to achieve the effect of a small attack surface.

Inactive Publication Date: 2011-09-21
XI AN JIAOTONG UNIV +1

AI Technical Summary

Problems solved by technology

Specifically, the basic measure of the first method is to save a copy of the key data segments or code segments that are vulnerable to rootkit attacks and to run a detection thread and a recovery thread in the kernel. The detection thread periodically checks these sensitive areas, and if an anomaly is found the recovery thread is started immediately to restore them. The second method is to customize or modify the kernel. Rootkits are often implemented as loadable kernel modules, and module loading can be forcibly disabled at compile time, but system extensibility then suffers. Alternatively, the operating system kernel is modified so that the module loading function sys_init_module is extended: after the module initialization function has executed, this method checks the sensitive areas. Kernel module unloading
[0004] Of the above two schemes, the detection-recovery mechanism is the most conventional, and its disadvantages are also obvious. First, it cannot prevent a rootkit from taking hold: periodic detection has a certain lag, the detection thread adds a certain time overhead, and the detection thread itself is susceptible to the rootkit.
The second way, modifying the kernel source, has some ability to prevent rootkits compared with the first method because its mechanism is triggered when a module is loaded, but it requires modifying the operating system kernel, the coupling is poor, and if the rootkit behaviour is not executed during module loading it can still escape the detection mechanism.
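The detection-recovery scheme described above, as an added illustration that is not code from the patent: a trusted copy of each sensitive region is saved, a periodic detection pass compares the live region against it, and static regions are restored on mismatch. The guest memory contents, region names and the tampering between two passes are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for sensitive guest kernel memory (region -> bytes); in the real
# scheme these are the live interrupt vector table, system call table and kernel text.
GUEST_MEMORY = {
    "syscall_table": bytearray(b"\x00\x10\x00\x20\x00\x30\x00\x40"),
    "kernel_text": bytearray(b"\x55\x48\x89\xe5\x5d\xc3"),
}

@dataclass
class SensitiveRegion:
    name: str
    kind: str  # "static_code", "static_data", "dynamic_code" or "heap_data"
    baseline: bytes = b""
    baseline_hash: str = ""

def snapshot(region: SensitiveRegion, memory: dict) -> None:
    """Save the trusted copy of a region, taken while the system is believed clean."""
    region.baseline = bytes(memory[region.name])
    region.baseline_hash = hashlib.sha256(region.baseline).hexdigest()

def is_intact(region: SensitiveRegion, memory: dict) -> bool:
    """Detection step: does the live region still hash to its saved baseline?"""
    return hashlib.sha256(bytes(memory[region.name])).hexdigest() == region.baseline_hash

def detection_pass(regions: list, memory: dict) -> list:
    """One periodic pass of the detection thread; returns names of tampered regions."""
    tampered = []
    for region in regions:
        if not is_intact(region, memory):
            tampered.append(region.name)
            # Recovery: write the copy back only for static regions; dynamic ones change legitimately.
            if region.kind in ("static_code", "static_data"):
                memory[region.name][:] = region.baseline
    return tampered

def run_demo():
    """Two passes with constructed tampering in between, showing the detection lag."""
    memory = {name: bytearray(data) for name, data in GUEST_MEMORY.items()}
    regions = [SensitiveRegion("syscall_table", "static_data"),
               SensitiveRegion("kernel_text", "static_code")]
    for region in regions:
        snapshot(region, memory)
    clean = detection_pass(regions, memory)      # baseline just taken: nothing found
    memory["syscall_table"][0:2] = b"\xde\xad"   # constructed tampering of one entry
    # Between this write and the next pass the altered entry is live: that is the lag.
    found = detection_pass(regions, memory)
    restored = bytes(memory["syscall_table"]) == regions[0].baseline
    return clean, found, restored
```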


Embodiment Construction

[0027] The rootkit detection mechanism of the invention is based on the kernel virtual machine. First, the objects through which a rootkit is implemented are abstracted into four types: static kernel code, static kernel data, dynamically allocated code (functions) and kernel heap data structures.

[0028] A runtime module and a monitoring thread are loaded in the client machine. The purpose of the runtime module is to obtain relevant information about the client machine at runtime: as the underlying virtual machine monitor, KVM cannot obtain client semantic information beyond system-level information, so the client's runtime module implements the semantic interaction with the underlying monitor at runtime. The information obtained by the runtime module includes the interrupt vector table, the system call table, kernel code segment information, key data of the file system, and the like. The runtime module of the client co...


Abstract

The invention provides a rootkit detection method based on a kernel-based virtual machine. In this method, the types of objects attacked by rootkits are abstracted and classified into static code segments, static data segments, dynamically allocated functions and heap-space data, and different protection and detection mechanisms are provided for each type. Rootkit-sensitive information is obtained through a runtime module operating in the client machine; information interaction between the kernel-based virtual machine and the client machine is realized by adding a semantic processing pathway; and by extending the corresponding page-fault exception handler and a vmcall active trap-in mechanism, normal execution of the client machine is guaranteed under the rootkit detection mechanism. The rootkit detection mechanism and detection method provided by the invention can effectively prevent attacks on static code and data segments, and realize isolated storage, detection and recovery of dynamic information at very low cost in a secure environment.

Description

Technical field
[0001] The invention belongs to the field of operating system security, in particular to a rootkit detection mechanism and detection method based on a kernel virtual machine (KVM for short).
Background technique
[0002] As the application of computer technology has deepened, performance is no longer the main focus in the field of computer technology and research; it has been replaced by high reliability and security of the system. A computer failure or security risk may cause immeasurable losses to the applications running on it. A rootkit, as a kind of malicious code running in the kernel mode of the operating system, can hide processes, files and communication connections for upper-layer applications. Once a backdoor program uses a rootkit, it can evade system administrators and monitoring programs to achieve its own purpose, thus harming key applications.
[0003] The existing detection mechanisms for rootkits mainly have two m...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/22, G06F21/56
Inventors: 张兴军吴忠远王恩东董渭清董小社胡雷钧张东郑豪吴楠彭义勇宋鸿雁卫进
Owner: XI AN JIAOTONG UNIV