Authors: Wang Feiping, Zheng Xiuqin [1] (WANG Feiping; ZHENG Xiuqin, Digital Campus Construction Center, Quzhou College of Technology, Quzhou 324000, Zhejiang)
Affiliation: [1] Digital Campus Construction Center, Quzhou College of Technology, Quzhou 324000, Zhejiang
Source: Changjiang Information & Communications, 2023, No. 12, pp. 149-152 (4 pages)
Funding: Quzhou Municipal Guiding Science and Technology Plan Project (2021064).
Abstract: The Linux kernel is the basis of the KylinOS kernel. Few products currently support process-lifecycle monitoring and auditing on KylinOS, and fewer still do so in a lightweight way at the KylinOS kernel layer. In intrusion detection, monitoring the creation of new processes is indispensable: the vast majority of attacker actions manifest as processes, so obtaining process-creation information in real time lets security administrators locate attack behaviour quickly. Leaks of server and other intranet information caused by the launch of malicious processes, shadow processes and the like are common. On traditional Linux platforms the so-preload mechanism (LD_PRELOAD / /etc/ld.so.preload) is therefore generally used to override functions such as execve in libc.so in order to monitor the creation of third-party processes: the mechanism lets the user specify shared libraries to be loaded ahead of the others, so that a same-named function can be taken selectively from a different library, and only the application-level execve function needs to be replaced. While this is convenient to implement, it also introduces serious weaknesses: 1) statically linked programs cannot be monitored; 2) it is easily bypassed by an attacker who issues system calls directly without going through libc (int 80h on 32-bit x86, or the syscall instruction on x86-64); 3) an attacker can disable the mechanism simply by modifying /etc/ld.so.preload. This paper starts from the system call instead and proposes a process-monitoring scheme based on inline hooking of kernel system calls. The scheme replaces the function addresses in the operating-system kernel's sys_call_table, thereby hijacking the kernel system call, and performs process-creation monitoring inside a custom replacement function. Analysis and experimental results show that the method monitors and audits new process creation effectively.
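The sys_call_table replacement the abstract describes, modelled in user space as an added example (this is not the authors' code and not KylinOS code): the table is an array of function pointers indexed by syscall number, the hook saves the original sys_execve pointer, writes its own function into the slot, records an audit event for every execve and forwards to the original; unhooking restores the saved pointer. What a real kernel module adds, and what is deliberately left out here so the block compiles and runs stand-alone, is assumed rather than shown: locating sys_call_table (it is not exported, and kallsyms_lookup_name itself stopped being exported in Linux 5.7, which is why kprobes, the Kprobe keyword below, are the usual way to find it), clearing CR0.WP around the write on x86, and copying filename and argv out of user memory with strncpy_from_user. The syscall number 59 (x86-64 __NR_execve), the three-argument handler signature, the explicit pid parameter and the fixed-size audit array are simplifications of this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not the paper's code: user-space model of hooking the
 * execve entry of sys_call_table. Kernel-specific steps (finding the table,
 * clearing CR0.WP, strncpy_from_user) are assumed and omitted. */

#define NR_EXECVE 59          /* x86-64 __NR_execve; here only a table index */
#define NR_SYSCALLS 64

/* Simplified handler signature: the real kernel passes user pointers via
 * pt_regs and takes the pid from current->pid; pid is passed explicitly here. */
typedef long (*sys_call_ptr_t)(const char *filename, char *const argv[], long pid);

/* Stand-in for the kernel's sys_execve: succeeds for a non-empty path. */
static long model_sys_execve(const char *filename, char *const argv[], long pid)
{
    (void)argv; (void)pid;
    return (filename && filename[0]) ? 0 : -2;   /* -ENOENT */
}

/* The table the syscall entry code dispatches through. */
static sys_call_ptr_t sys_call_table[NR_SYSCALLS] = {
    [NR_EXECVE] = model_sys_execve,
};

/* Audit record captured by the hook (a kernel module would hand these to
 * the user-space auditor through a ring buffer or netlink). */
struct exec_event {
    long pid;
    char filename[64];
    char argv0[32];
    long ret;
};
#define MAX_EVENTS 16
static struct exec_event audit_log[MAX_EVENTS];
static int audit_count;

static sys_call_ptr_t orig_sys_execve;   /* saved original table entry */

/* Replacement entry: record first, because a successful execve replaces the
 * caller's image (and the memory argv points into), then forward to the
 * original so behaviour is unchanged. */
static long hooked_sys_execve(const char *filename, char *const argv[], long pid)
{
    struct exec_event *e = NULL;
    if (audit_count < MAX_EVENTS) {
        e = &audit_log[audit_count++];
        e->pid = pid;
        snprintf(e->filename, sizeof e->filename, "%s", filename ? filename : "");
        snprintf(e->argv0, sizeof e->argv0, "%s", (argv && argv[0]) ? argv[0] : "");
    }
    long ret = orig_sys_execve(filename, argv, pid);
    if (e) e->ret = ret;
    return ret;
}

/* Install the hook: save the original pointer, then overwrite the slot.
 * In a kernel module this write is bracketed by clearing/restoring CR0.WP. */
int hook_execve(void)
{
    if (orig_sys_execve) return -1;          /* already hooked */
    orig_sys_execve = sys_call_table[NR_EXECVE];
    sys_call_table[NR_EXECVE] = hooked_sys_execve;
    return 0;
}

/* Restore the original entry (what module unload must do). */
int unhook_execve(void)
{
    if (!orig_sys_execve) return -1;
    sys_call_table[NR_EXECVE] = orig_sys_execve;
    orig_sys_execve = NULL;
    return 0;
}

/* What the syscall entry path does: index the table and call through.
 * A raw syscall instruction from a statically linked binary still lands
 * here, which is the point of hooking below libc instead of in it. */
long dispatch_execve(const char *filename, char *const argv[], long pid)
{
    return sys_call_table[NR_EXECVE](filename, argv, pid);
}

int audit_event_count(void) { return audit_count; }

const struct exec_event *audit_event(int i)
{
    return (i >= 0 && i < audit_count) ? &audit_log[i] : NULL;
}
```

The hook is deliberately transparent: it returns exactly what the original returns, so a failed exec is still reported to the caller as failure and also appears in the audit record with its error code. A production module would additionally serialise hook/unhook against concurrent syscalls and refuse to unload while a call is still inside the hooked function.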
Keywords: inline hook; system call; Kprobe; process monitoring
Classification number: TP311 [Automation and Computer Technology, Computer Software and Theory]