基于内存取证的内核完整性度量方法
作者:
作者单位:

作者简介:

通讯作者:

中图分类号:

基金项目:

“核高基”国家科技重大专项(2013JH00103);国家高技术研究发展计划(863)(2009AA01Z434)


Kernel Integrity Measurement Method Based on Memory Forensic
Author:
Affiliation:

Fund Project:

National Science and Technology Major Project of China (2013JH00103); National High-Tech R&D Program of China (863) (2009AA01Z434)

  • 摘要
  • |
  • 图/表
  • |
  • 访问统计
  • |
  • 参考文献
  • |
  • 相似文献
  • |
  • 引证文献
  • |
  • 资源附件
  • |
  • 文章评论
    摘要:

    内核级攻击对操作系统的完整性和安全性造成严重威胁.当前,内核完整性度量方法在度量对象选取上存在片面性,且大部分方法采用周期性度量,无法避免TOC-TOU攻击.此外,基于硬件的内核完整性度量方法因添加额外的硬件使得系统成本较高;基于Hypervisor的内核完整性度量方法,应用复杂的VMM带来的系统性能损失较大.针对现有方法存在的不足,提出了基于内存取证的内核完整性度量方法KIMBMF.该方法采用内存取证分析技术提取静态和动态度量对象,提出时间随机化算法弱化TOC-TOU攻击,并采用Hash运算和加密运算相结合的算法提高度量过程的安全性.在此基础上,设计实现了基于内存取证的内核完整性度量原型系统,并通过实验评测了KIMBMF的有效性和性能.实验结果表明:KIMBMF能够有效度量内核的完整性,及时发现对内核完整性的攻击和破坏,且度量的性能开销小.

    Abstract:

    Kernel-level attacks are serious threat to the integrity and security of operating systems. Existing kernel integrity measurement methods are one-sided when selecting the measurement objects, as most of these methods suffer from periodic detection shortcoming that makes themselves vulnerable to TOC-TOU attacks. Besides, hardware-based kernel integrity measurement methods are usually too expensive, while hypervisor-based kernel integrity measurement methods are always likely to degrade system performance due to the introduction of complex VMMs. To address these problems, this study proposes a kernel integrity measurement approach based on memory forensics technique (KIMBMF). First, the static and dynamic measurement objects are extracted with the memory forensics technique, and a time random algorithm is presented to degrade the impact caused by TOC-TOU attacks. At the same time, a novel algorithm is also introduced by combining the Hash operation with cryptographic operation, thereby ensuring the security of the measurement progress. Next, a kernel integrity measurement prototype is implemented according to the above techniques and algorithms, and its effectiveness and overhead are evaluated. Experimental results show that KIMBMF can measure the integrity of operating system effectively, and has a reasonable time overhead.

    参考文献
    相似文献
    引证文献
引用本文

陈志锋,李清宝,张平,王炜.基于内存取证的内核完整性度量方法.软件学报,2016,27(9):2443-2458

复制
分享
文章指标
  • 点击次数:
  • 下载次数:
  • HTML阅读次数:
  • 引用次数:
历史
  • 收稿日期:2014-11-04
  • 最后修改日期:2015-05-05
  • 录用日期:
  • 在线发布日期: 2016-09-02
  • 出版日期:
文章二维码
您是第位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号