Kernel Integrity Measurement Method Based on Memory Forensics
Cited by: 7


Authors: Chen Zhifeng (陈志锋) [1,2], Li Qingbao (李清宝) [1,2], Zhang Ping (张平) [1,2], Wang Wei (王炜) [1,2]

Affiliations: [1] PLA Information Engineering University, Zhengzhou 450001, Henan, China; [2] State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, Henan, China

Published in: Journal of Software (软件学报), 2016, No. 9, pp. 2443-2458 (16 pages)

Funding: National Science and Technology Major Project "Core Electronic Devices, High-end General Chips and Basic Software" (核高基) (2013JH00103); National High Technology Research and Development Program of China (863 Program) (2009AA01Z434)

Abstract: Kernel-level attacks are a serious threat to the integrity and security of operating systems. Existing kernel integrity measurement methods are one-sided in their selection of measurement objects, and most of them measure periodically, which leaves them vulnerable to TOC-TOU attacks. In addition, hardware-based kernel integrity measurement methods raise system cost because they require extra hardware, while hypervisor-based methods incur a large performance loss due to the complex VMMs they introduce. To address these shortcomings, this study proposes a kernel integrity measurement method based on memory forensics (KIMBMF). First, static and dynamic measurement objects are extracted with memory forensic analysis techniques, and a time randomization algorithm is proposed to weaken TOC-TOU attacks. At the same time, an algorithm combining hash operations with cryptographic operations is introduced to improve the security of the measurement process. On this basis, a memory-forensics-based kernel integrity measurement prototype is designed and implemented, and the effectiveness and performance of KIMBMF are evaluated experimentally. The experimental results show that KIMBMF measures kernel integrity effectively, detects attacks on and corruption of kernel integrity in a timely manner, and incurs only a small measurement overhead.

Keywords: kernel integrity; integrity measurement; TOC-TOU; memory forensics; time randomization

Classification: TP316 (Automation and Computer Technology: Computer Software and Theory)
