
A kernel data access control method and system

A kernel data access control technology, applied in program control design, program control devices, electrical digital data processing, etc., that addresses the problem of attacks that the Sentry architecture cannot detect and achieves high security and reliability.

Active Publication Date: 2020-11-20
INST OF SOFTWARE - CHINESE ACAD OF SCI

AI Technical Summary

Problems solved by technology

[0004] The Sentry architecture protects kernel data through its designed access control method, but if the Trojan horse is a loadable kernel module (LKM) type Trojan horse (the LKM Trojan horse is the most common type of Trojan horse) and the attack code is placed in the LKM initialization code segment (that is, the module initialization function), Sentry cannot detect



Embodiment approach

[0047] If an LKM issues a write request to the protected area and thereby causes an EPT_VIOLATION, the suspicious-behaviour kernel module tracking algorithm is used to identify the LKM responsible for the suspicious behaviour. The algorithm traverses the kernel call stack of the guest operating system, starting from the function that triggered the EPT_VIOLATION, until it reaches the kernel function that initializes the module. To make this possible, the guest operating system kernel must be compiled with the option that maintains the call stack. While the algorithm runs, the guest operating system kernel must be suspended so that its stack frames and page tables remain consistent.

[0048] The suspicious behavior kernel module tracking algorithm proposed by the present invention utilizes the mechanism of Linux kernel initializatio...


Abstract

The invention discloses a kernel data access control method and system. The method comprises the following steps: 1) establishing a protection list, which records the address areas of the kernel data to be protected, and a module list, which records the credible (trusted) kernel modules; 2) storing in a core method module the address interval of the code section that is allowed to modify the protected kernel data, this address interval being called the credible code area; 3) having the core method module judge whether a received instruction is legal: when the data address operated on by the instruction lies in the protection list, the instruction is considered legal if it was issued by a module in the module list and the instruction's address belongs to the credible code area, and illegal otherwise; and 4) having an exception handling module decide, according to the core method module's judgment, whether the instruction executes: a legal instruction is allowed to execute, and an illegal one is stopped. According to the method, the safety and reliability of operating systems can be improved.
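As an added illustration, not code from the patent or its authors, the following C simulation models steps 1 to 4 of the abstract together with the call-stack attribution of embodiment [0047]: a faulting write is first tied to a module by walking the guest call stack toward the kernel's module-init function, then checked against the protection list, module list and credible code area. All addresses, the sample lists and the single `init_dispatch` address standing in for the kernel's module-init function are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed sample layout (not the patent's values); ranges are half-open [lo, hi). */
typedef struct { uint64_t lo, hi; } range_t;
typedef struct { int id; range_t code; } module_t;

/* Step 1: protection list = kernel data regions only trusted code may write. */
static const range_t protect_list[] = { { 0x1000, 0x2000 } };
/* Steps 1-2: module list = trusted modules, each with its credible code area. */
static const module_t module_list[] = { { 7, { 0x4000, 0x5000 } } };
#define NPROT (sizeof protect_list / sizeof protect_list[0])
#define NMOD  (sizeof module_list / sizeof module_list[0])
static bool in_range(const range_t *r, uint64_t a) { return a >= r->lo && a < r->hi; }

/* Step 3: a write to `data` by the instruction at `ip`, attributed to `module_id`,
 * is legal if the data is unprotected, or if the module is in the module list
 * AND the instruction lies inside that module's credible code area. */
bool access_is_legal(uint64_t data, uint64_t ip, int module_id) {
    bool is_protected = false;
    for (size_t i = 0; i < NPROT; i++)
        if (in_range(&protect_list[i], data)) is_protected = true;
    if (!is_protected) return true;
    for (size_t m = 0; m < NMOD; m++)
        if (module_list[m].id == module_id && in_range(&module_list[m].code, ip))
            return true;
    return false;
}

/* Embodiment [0047]: after an EPT_VIOLATION on protected data, walk the guest
 * call stack (innermost frame first) until the kernel's module-init function
 * (assumed here to be one known address, `init_dispatch`) is found; the frame
 * just below it is the LKM's own init routine, and its code range names the
 * module. With no init frame on the stack, fall back to the faulting ip itself.
 * Returns the module id, or -1 if the write belongs to no listed module. */
int attribute_write_to_module(const uint64_t *frames, size_t n, uint64_t init_dispatch) {
    uint64_t probe = n ? frames[0] : 0;
    for (size_t i = 1; i < n; i++)
        if (frames[i] == init_dispatch) { probe = frames[i - 1]; break; }
    for (size_t m = 0; m < NMOD; m++)
        if (in_range(&module_list[m].code, probe)) return module_list[m].id;
    return -1;
}

/* Step 4: the exception handler's decision for one faulting write (true = execute). */
bool handle_write_fault(uint64_t data, uint64_t ip, const uint64_t *frames, size_t n,
                        uint64_t init_dispatch) {
    return access_is_legal(data, ip, attribute_write_to_module(frames, n, init_dispatch));
}
```

A write reaching protected data from an unlisted LKM's init path is denied even though it arrives through ordinary kernel frames, which is the case embodiment [0004] says Sentry alone misses.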

Description

Technical field

[0001] The invention relates to a kernel data access control method and system, in particular to a module-whitelist-based kernel data access control method and system, belonging to the field of computer operating system security.

Background

[0002] With the development of hacking technology, Trojan horses have become a huge threat to the security of the operating system. With the help of a DKOM (Direct Kernel Object Manipulation) attack, a Trojan horse can delete a specified process or module structure from the process list or module list, so as to hide malicious processes or modules. In other types of DKOM attack, the Trojan horse modifies the system call table or interrupt descriptor table, replacing the address of the normal system call service routine or interrupt service routine with the address of a malicious function. Trojans can also elevate the privileges of malicious processes by replacing the process's user credentials with those of the superuser...


Application Information

Patent Type & Authority: Patents (China)
IPC (8): G06F9/455, G06F21/56
CPC: G06F9/45558, G06F21/566, G06F2009/45587, G06F2221/2141
Inventors: 马恒太, 王建平
Owner: INST OF SOFTWARE - CHINESE ACAD OF SCI