Anti-kernel-hook method based on address randomization

An address-randomization kernel protection technique, applied in computer security devices, program/content distribution protection, instruments, etc. It addresses the high performance overhead, limited effect and insufficient timeliness of existing methods, reducing performance overhead and enhancing the integrity, security and protection assurance of the kernel.

Status: Inactive. Publication Date: 2016-06-08
THE PLA INFORMATION ENG UNIV

AI Technical Summary

Problems solved by technology

Existing kernel hooking attack prevention and control methods mainly focus on detection, which is not timely enough, and may be detected after a period of time after the rootkit



Examples


Embodiment 1

[0035] Example 1. As shown in Figure 1, an anti-kernel-hooking method based on address randomization includes the following steps:

[0036] Step 1. Load the kernel module, perform symbol analysis and address relocation, execute the initialization function in the kernel module, and record the registration information of the kernel module during the initialization process. The memory space area occupied by the kernel module includes the module initialization area and the module core area. After initialization, the module initialization area is released;

[0037] Step 2. Randomly apply for a memory space, copy the data of the kernel module from the original memory space to the randomly applied memory space, relocate the addresses of the kernel module in the randomly applied memory space, release the original memory space occupied by the kernel module, and update the registration information recorded in the kernel subsystem to the new memory address;

[0038] Step 3. Modify th...

Embodiment 2

[0039] Example 2. As shown in Figures 1 to 3, an anti-kernel-hooking method based on address randomization includes the following steps:

[0040] Step 1. Load the kernel module, perform symbol analysis and address relocation, execute the initialization function in the kernel module, and record the registration information of the kernel module during the initialization process. The memory space area occupied by the kernel module includes the module initialization area and the module core area. After initialization, the module initialization area is released. This step includes the following sub-steps:

[0041] Step 1.1 Load the section information in the kernel module into the module initialization area and the module core area respectively. After the kernel module is initialized, the module initialization area is released, and the module core area resides in the memory space until the kernel module is unloaded;

[0042] Step 1.2 Convert the kernel module's own symbols and the exter...

Embodiment 3

[0053] Example 3. With reference to Figures 1 to 9, the present invention is described in further detail in conjunction with a specific embodiment:

[0054] Load the kernel module in the normal way, perform symbol analysis and address relocation, execute the initialization function in the kernel module to complete the preparation of the kernel module, and record the registration information of the kernel module during the initialization process. The memory space area occupied by the kernel module contains module_init and module_core. According to the section information in the module, the sections of the module are loaded into the module_init and module_core areas of memory respectively. The section information of the module can be viewed with the tool readelf; the sections whose names start with .init are loaded into the module_init area of memory, and after the module initialization function has executed, the module_init area is released...
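As an added illustration of Steps 1 and 2 of the embodiments (this is not code from the patent), the following userspace C simulation stands in for the kernel: a constructed module core holding one absolute pointer into itself and a registered entry point is loaded and registered, then copied into a randomly chosen slot of a fresh region, the absolute pointer is rebased by the load delta, the subsystem's registration record is corrected, and the original space is freed. The `module_core` layout, the `registered_ops` record and the slot-based random placement are assumptions of the simulation, not the patent's data structures.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an initialised module core area: private data, one
 * absolute pointer into the image (as an ELF relocation would leave it), and
 * the entry point the module registers. Assumption of this simulation. */
typedef struct module_core {
    long counter;                      /* module-private data */
    long *counter_ptr;                 /* absolute address inside this image */
    long (*op)(struct module_core *);  /* function registered with the subsystem */
} module_core;
/* Hypothetical kernel-subsystem registration record, written during init. */
static module_core *registered_ops = NULL;
static long module_op(module_core *self) { return ++*self->counter_ptr; }

/* Step 1 (simplified): load at the original address, run init, record registration. */
module_core *load_module(void) {
    module_core *m = calloc(1, sizeof *m);
    if (!m) return NULL;
    m->counter_ptr = &m->counter;   /* only valid at this load address */
    m->op = module_op;
    registered_ops = m;
    return m;
}

/* Step 2: choose a random slot in a fresh region, copy the core there, rebase the
 * absolute pointer by the load delta, correct the registration, free the old space. */
enum { SLOTS = 64 };
module_core *randomize_module(module_core *old) {
    char *region = malloc(SLOTS * sizeof(module_core));
    if (!region) return NULL;
    module_core *fresh = (module_core *)(region + (rand() % SLOTS) * sizeof(module_core));
    memcpy(fresh, old, sizeof *fresh);
    ptrdiff_t delta = (char *)fresh - (char *)old;
    fresh->counter_ptr = (long *)((char *)fresh->counter_ptr + delta);
    registered_ops = fresh;   /* the subsystem now refers to the new address */
    free(old);                /* original memory space released */
    return fresh;
}
/* The kernel reaches the module only through its registration record. */
long call_registered(void) { return registered_ops->op(registered_ops); }

/* End-to-end check: after randomisation the rebased pointer still targets the
 * module's own data, and two calls through the registration return 1 then 2. */
long run_randomized_module(void) {
    module_core *m = load_module();
    if (!m || !(m = randomize_module(m)) || m->counter_ptr != &m->counter) return -1;
    call_registered();
    return call_registered();
}
```

`rand()` is left unseeded so the run is reproducible; in the real method the new address is chosen randomly by the kernel allocator.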



Abstract

The invention relates to an anti-kernel-hook method based on address randomization. The method comprises the following steps: copying an initialized kernel module to a randomly selected new memory position and releasing the old memory space occupied by the kernel module; performing address relocation on the kernel module in the new position; correcting the kernel module management information and the registration information of the kernel module with the kernel subsystem; and changing the normal registration function of the kernel module, or the operation set address, to the new memory position. The method has the advantages that a rootkit can be discovered during the first execution of its hook function; an unknown rootkit kernel hook can be prevented; the randomization processing is added after module initialization is completed; some kernel interface functions are modified; a registration function recording function is added; the performance expense is effectively reduced; operating system kernel protection is guaranteed; and the security and completeness of the system kernel are effectively enhanced.

Description

Technical field

[0001] The invention relates to the technical field of Linux kernel protection, in particular to an anti-kernel-hooking method based on random addresses.

Background technique

[0002] With the development of computer technology, computer security has gradually attracted more and more attention. As one of the biggest threats to current operating systems and their security tools, kernel-level rootkits seriously affect the integrity and security of the system kernel. Research shows that 96% of rootkits use kernel hooking. A kernel hook transfers the execution flow of the kernel program to a specific function in the rootkit module, in order to implement hiding functionality, by modifying key data structures or code in the operating system kernel, such as the functions or data structures in subsystems like the file system, process scheduling, memory management, system calls and interrupt handling. Therefore, it is particularly important to design...


Application Information

IPC(8): G06F21/12
CPC: G06F21/126; G06F21/1013
Inventors: 郭玉东, 林键, 何红旗, 董卫宇, 王立新, 娄睿, 李登, 周少皇, 蔄羽佳, 魏小锋, 陈刚
Owner THE PLA INFORMATION ENG UNIV