Authors: Fu Jianming (傅建明)[1,2,3], Sha Letian (沙乐天)[1,2], Li Pengwei (李鹏伟)[1,2], Peng Guojun (彭国军)[1,2]
Affiliations: [1] Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University, Wuhan 430072, Hubei, China; [2] School of Computer, Wuhan University, Wuhan 430072, Hubei, China; [3] State Key Laboratory of Software Engineering, Wuhan University, Wuhan 430072, Hubei, China
Source: Journal of Sichuan University (Engineering Science Edition), 2014, No. 1, pp. 8-13 (6 pages)
Funding: National Natural Science Foundation of China (61202387; 90718005); Specialized Research Fund for the Doctoral Program of Higher Education (20120141110002)
Abstract (translated from the Chinese): To protect the integrity of the operating system kernel, a protection scheme based on hardware virtualization is proposed. The method identifies the key points targeted by malicious code, namely critical registers, code pointer tables and function code, and places them in a protected region; the automatic trapping mechanism of hardware virtualization is then used to detect illegal tampering with that region. Single-step execution and event forwarding are used to keep the rest of the OS's operations compatible. In addition, merging protected pages shortens the protected region and makes exception handling more efficient. Finally, a prototype tool using this technique, HV_KDAP, was implemented; it detected 9 mainstream rootkit samples, and the experiments measured an added overhead of 12.7%. The tool can also suppress kernel local privilege escalation attacks and can be used for forensics of kernel attacks.
Abstract (English, as published, with typos corrected): In order to protect the integrity of the operating system kernel, a method of active protection of kernel data was proposed based on hardware-assisted virtualization. The method recognizes the key points, such as some registers, code pointers and function code, which are often attacked by malicious code, maps these points into a protection table, and then prevents kernel modification through the R/W bit of the PTE. At the same time, single-step execution is used to write data legitimately to protected points, and event injection keeps compatibility with the operating system. In addition, continuous pages in the protection table are merged to reduce the size of the protection table and improve efficiency. Finally, based on this method, a prototype system called HV_KDAP was designed and implemented. HV_KDAP can detect 9 kinds of rootkits, which cover the popular rootkit techniques, and its overhead is about 13.7%. Moreover, HV_KDAP can also detect local privilege escalation exploitation and can be applied to kernel forensics. (Note: the Chinese abstract reports 12.7% overhead and the English abstract 13.7%; the record does not resolve which figure is correct.)
Classification: TP31 (Automation and Computer Technology: Computer Software and Theory)
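As an added example, not code from the paper or from HV_KDAP, the following C program models the two mechanisms the abstract describes: a protection table of page-aligned ranges whose overlapping or adjacent pages are merged before lookup (fewer entries to scan on every trap), and the decision taken when a write to a protected page traps (complete it under single-step if legitimate, otherwise reject and log it as tampering, or forward the fault to the guest if the address is not protected at all). The kernel layout, object sizes and the legitimacy rule (the faulting instruction lies inside kernel text) are assumptions made for illustration only; the paper states that legitimate writes are completed under single-step but the record does not say how legitimacy is decided.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SIZE   4096ULL
#define PAGE_MASK   (~(PAGE_SIZE - 1))
#define MAX_ENTRIES 64

/* Constructed guest-kernel layout: hypothetical addresses, not from the paper. */
#define KBASE        0xffff800000000000ULL
#define KTEXT_START  (KBASE + 0x100000)   /* legitimate kernel text */
#define KTEXT_END    (KBASE + 0x200000)
#define IDT_ADDR     (KBASE + 0x10800)    /* interrupt descriptor table, 256 * 16 bytes */
#define SSDT_ADDR    (KBASE + 0x11f00)    /* system service table */
#define FUNC1_ADDR   (KBASE + 0x40120)    /* a sensitive kernel routine */
#define FUNC2_ADDR   (KBASE + 0x41000)    /* another routine on the next page */

/* One protection-table entry: a page-aligned range [start, end) whose guest
 * pages are mapped read-only (R/W bit cleared) so that every write traps. */
struct prot_entry { uint64_t start, end; };
struct prot_table { struct prot_entry e[MAX_ENTRIES]; size_t n; };

enum verdict { NOT_PROTECTED, ALLOW_SINGLE_STEP, DENY_TAMPER };

/* Register an object (address, length) as whole pages. */
int prot_add(struct prot_table *t, uint64_t addr, uint64_t len)
{
    if (t->n >= MAX_ENTRIES || len == 0) return -1;
    t->e[t->n].start = addr & PAGE_MASK;
    t->e[t->n].end   = ((addr + len - 1) & PAGE_MASK) + PAGE_SIZE;
    t->n++;
    return 0;
}

static int cmp_entry(const void *a, const void *b)
{
    const struct prot_entry *x = a, *y = b;
    return (x->start > y->start) - (x->start < y->start);
}

/* Merge overlapping and adjacent ranges; returns the entry count afterwards.
 * A shorter table means fewer comparisons in the trap handler. */
size_t prot_merge(struct prot_table *t)
{
    if (t->n < 2) return t->n;
    qsort(t->e, t->n, sizeof t->e[0], cmp_entry);
    size_t w = 0;
    for (size_t i = 1; i < t->n; i++) {
        if (t->e[i].start <= t->e[w].end) {            /* overlaps or touches */
            if (t->e[i].end > t->e[w].end) t->e[w].end = t->e[i].end;
        } else {
            t->e[++w] = t->e[i];
        }
    }
    t->n = w + 1;
    return t->n;
}

int prot_contains(const struct prot_table *t, uint64_t addr)
{
    for (size_t i = 0; i < t->n; i++)
        if (addr >= t->e[i].start && addr < t->e[i].end) return 1;
    return 0;
}

/* Decision when a write traps. ALLOW_SINGLE_STEP: make the page writable,
 * single-step one instruction, re-protect. DENY_TAMPER: drop the write and
 * log it. NOT_PROTECTED: the fault belongs to the guest; forward it.
 * The "writer is inside kernel text" rule is an assumption of this example. */
enum verdict trap_write(const struct prot_table *t, uint64_t fault_addr, uint64_t rip)
{
    if (!prot_contains(t, fault_addr)) return NOT_PROTECTED;
    if (rip >= KTEXT_START && rip < KTEXT_END) return ALLOW_SINGLE_STEP;
    return DENY_TAMPER;
}

/* Constructed sample: four objects; IDT/SSDT share a page and FUNC1/FUNC2
 * touch, so merging collapses four entries into two. */
static void build_sample(struct prot_table *t)
{
    t->n = 0;
    prot_add(t, IDT_ADDR,   256 * 16);
    prot_add(t, SSDT_ADDR,  0x800);
    prot_add(t, FUNC1_ADDR, 0x300);
    prot_add(t, FUNC2_ADDR, 0x100);
}

size_t sample_entries_before_merge(void)
{ struct prot_table t; build_sample(&t); return t.n; }

size_t sample_entries_after_merge(void)
{ struct prot_table t; build_sample(&t); return prot_merge(&t); }

/* SSDT slot overwritten by a rootkit driver loaded outside kernel text. */
enum verdict sample_rootkit_hook(void)
{ struct prot_table t; build_sample(&t); prot_merge(&t);
  return trap_write(&t, SSDT_ADDR + 8, KBASE + 0x900000); }

/* The same slot updated by code inside kernel text. */
enum verdict sample_legit_update(void)
{ struct prot_table t; build_sample(&t); prot_merge(&t);
  return trap_write(&t, SSDT_ADDR + 8, KTEXT_START + 0x1234); }

/* A write to an unprotected page, which the guest handles itself. */
enum verdict sample_unrelated_write(void)
{ struct prot_table t; build_sample(&t); prot_merge(&t);
  return trap_write(&t, KBASE + 0x50000, KBASE + 0x900000); }

int main(void)
{
    printf("entries before merge: %zu, after: %zu\n",
           sample_entries_before_merge(), sample_entries_after_merge());
    printf("rootkit hook: %d (2 = DENY_TAMPER), legit update: %d (1 = ALLOW_SINGLE_STEP)\n",
           sample_rootkit_hook(), sample_legit_update());
    return 0;
}
```

In a real hypervisor the lookup runs inside the exit handler for the write fault and the single-step is done with the guest's trap flag before the page is re-protected; this model only shows the table maintenance and the decision logic, which is where a weak legitimacy rule (for example trusting any writer in kernel text, as assumed here) would let a rootkit that first patches kernel text through.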