Journal: 《计算机应用与软件》 (Computer Applications and Software)

Research on an Online Detection Method for Kernel Non-Control-Data Attacks

         

Abstract

Operating system security is the foundation and prerequisite of computer system security, and it depends mainly on the security of the system kernel. By tampering with key data structures inside kernel space, kernel non-control-data attacks induce kernel vulnerabilities and a series of stability problems, which severely affect the security of the operating system and even that of the whole computer system. This paper therefore proposes a runtime detection method based on the Kprobes kernel debugging mechanism and a monitor kernel thread. The former is used to monitor the execution of key kernel functions and to check the consistency of the related dynamic data structures, while the latter is a dedicated kernel thread that continuously monitors static kernel data structures and verifies their invariance. A corresponding prototype named KNCDefender is designed and implemented in C on the Linux platform, and a series of verification and performance-testing experiments have been carried out. Experimental results show that the proposed method is completely lightweight and that various attacks against kernel non-control data can be detected in a timely manner.
