Kernel-level code reuse type attack detection method based on QEMU

A code reuse attack detection technology, applied in the field of computer science and technology, that achieves strong scalability, low cost, and high performance.

Active Publication Date: 2016-01-20
XIDIAN UNIV

AI Technical Summary

Problems solved by technology

Moreover, none of the existing detection methods covers the kernel interrupt process, yet attackers can also mount attacks by altering how the kernel handles interrupts.

Embodiment Construction

[0051] The present invention is described in further detail below with reference to the accompanying drawings and embodiments:

[0052] Referring to Figure 1, the present invention comprises preprocessing, QEMU-based recording of jump instruction target addresses together with interrupt process verification, and legality verification of the jump instruction target addresses. The jump instructions related to control flow are indirect call instructions and ret instructions. Their jump target addresses are recorded and then compared with the target addresses seen during normal system execution, to detect whether the system is running normally or is being attacked.

[0053] The present invention is based on the following observation: whatever its type, a code reuse attack can only succeed if it changes the original execution flow (or control flow) of the system and jumps to the first instruction fragment selected by the attacker ...


Abstract

The invention discloses a QEMU-based method for detecting kernel-level code reuse attacks. It mainly addresses the prior art's reliance on hardware or its need to modify the kernel source code. The method extends a functional module of the QEMU virtual machine manager so that each instruction that runs on it within the operating system kernel is traversed and inspected. From these instructions it identifies the jump instructions relevant to control flow, namely ret and indirect call instructions, and records their jump target addresses. The target addresses are then compared with the legal target addresses of the system's normal execution flow to detect whether the system is executing normally. In addition, the interrupt return address pushed onto the stack when an interrupt occurs is compared with the return address actually used when the interrupt returns, to judge whether an attack has occurred. Because a code reuse attack has to change the system's original execution flow, monitoring the instructions (and positions) that change the kernel's execution flow detects such attacks effectively, and the method can be used to protect the security of an operating system.
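The two checks described in the abstract, as an added C sketch that is not code from the patent or from QEMU: a checker walks a recorded event trace, validates ret and indirect call targets against legal-target sets, and matches each interrupt return against the address saved at interrupt entry. The event names, the `K()` address macro, the nesting limit and all addresses are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical event kinds a tracer could emit (names not from the patent). */
enum ev_kind { EV_ICALL, EV_RET, EV_INT_ENTER, EV_INT_RET };
struct event { enum ev_kind kind; uint64_t addr; };

#define K(off) (0xffffffff81000000ULL + (off)) /* constructed kernel addresses */
#define N(a) (sizeof(a) / sizeof((a)[0]))
#define MAX_NEST 16                            /* assumed interrupt nesting limit */

/* Constructed legal-target sets, standing in for the preprocessing output. */
static const uint64_t legal_icall[] = { K(0x1000), K(0x2400) };
static const uint64_t legal_ret[]   = { K(0x0105), K(0x020a) };

static int in_set(const uint64_t *set, size_t n, uint64_t a) {
    for (size_t i = 0; i < n; i++) if (set[i] == a) return 1;
    return 0;
}

/* Returns the index of the first violating event, or -1 for a clean trace. */
int check_trace(const struct event *ev, size_t n) {
    uint64_t saved[MAX_NEST]; size_t depth = 0; /* addresses pushed at entry */
    for (size_t i = 0; i < n; i++) {
        uint64_t a = ev[i].addr; int ok = 1;
        switch (ev[i].kind) {
        case EV_ICALL: ok = in_set(legal_icall, N(legal_icall), a); break;
        case EV_RET:   ok = in_set(legal_ret, N(legal_ret), a); break;
        case EV_INT_ENTER:                      /* fail closed if too deep */
            if ((ok = depth < MAX_NEST)) saved[depth++] = a;
            break;
        case EV_INT_RET:                        /* must match saved address */
            ok = depth > 0 && saved[--depth] == a;
            break;
        }
        if (!ok) return (int)i;
    }
    return -1;
}

/* Constructed traces: normal run, hijacked ret, tampered interrupt return. */
const struct event clean_trace[] = { {EV_ICALL, K(0x1000)}, {EV_RET, K(0x0105)},
    {EV_INT_ENTER, K(0x3000)}, {EV_ICALL, K(0x2400)}, {EV_RET, K(0x020a)},
    {EV_INT_RET, K(0x3000)} };
const struct event hijacked_ret[] = { {EV_ICALL, K(0x1000)}, {EV_RET, K(0x4bee)} };
const struct event tampered_iret[] = { {EV_INT_ENTER, K(0x3000)}, {EV_INT_RET, K(0x5000)} };

int main(void) {
    printf("clean=%d hijack=%d iret=%d\n", check_trace(clean_trace, N(clean_trace)),
           check_trace(hijacked_ret, N(hijacked_ret)),
           check_trace(tampered_iret, N(tampered_iret)));
    return 0;
}
```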

Description

Technical field

[0001] The invention belongs to the field of computer science and technology and relates to protection against malicious software, in particular to a QEMU-based method for detecting kernel-level code reuse attacks.

Background art

[0002] The kernel-level code reuse attack is a recent attack method that does not need to inject any new code. It uses (or reuses) only the existing (legal) code in the kernel to construct a complete attack and fundamentally subvert the entire operating system. It can therefore evade kernel code integrity protection mechanisms, which poses a huge threat to the security of users' computer systems.

[0003] A code reuse attack takes two steps: (1) the attacker carefully selects usable instruction fragments and chains them together through specific instructions (such as ret); (2) the attacker changes the original execution flow of the system (by tampering with some control data used in kernel execution, such as function ...


Application Information

Patent Type & Authority: Applications (China)
IPC: IPC(8): G06F21/56
CPC: G06F21/563
Inventor: 李金库, 程坤, 孙聪, 卢笛, 姚青松, 马建峰
Owner: XIDIAN UNIV