操作系统是整个计算机系统的基础,只有保证操作系统的安全性,才能确保上层软件的安全性。本文采用保护内核控制流的方法提高操作系统安全性,提出一种基于编译器插件的轻量级内核重构加固方法。该方法是在相关转移指令前动态插入控制流断言,确保执行路径在有效的内核边界内,保护程序、指令运行的位置和顺序被修改。它能有效加强用户地址空间与内核地址空间的隔离,对内核起到有效加固的作用,同时可以防止通过篡改内核关键数据结构而引发权限提升类漏洞的攻击。实验结果证明,该方法是轻量级的内核加固方法,能够防止空指针引用漏洞及相关内核权限提升类漏洞攻击。%Operating system is the fundamental to computer system. If only guarantee the security of operating system, can we ensure the security of high-level software. In this paper, a security enhancement method for lightweight kernel re-built-up by compiler plugin is presented to protect kernel control flow. In this method, control flow assertion is inserted be-fore relate transfer instruction to guarantee the privileged execution remains valid boundaries and protect the location and sequence of program from being modified. It is a method that enhances the separation of user address space and kernel ad-dress space effectively. It can also protect the kernel from being attack by privilege escalation vulnerabilities by tempering kernel critical data structure. Experiments show that the solution is a lightweight kernel enhancement method and it can prevent kernel from being attack by relate privilege escalation vulnerabilities and NULL pointer dereference.
展开▼
