
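1. Beijing Key Laboratory of Software Security Engineering Technology, Beijing Institute of Technology, Beijing 100081
2. Key Laboratory of IDT Application Technology of Universities in Yunnan Province, Yunnan Minzu University, Kunming 650500, China
3. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093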
Online First: 2015-11
Published: 25 November 2015
Dong-hai TIAN, Jun-hua CHEN, Xiao-qi JIA, et al. Design and implementation of a model for OS kernel integrity protection[J]. Journal on Communications, 2015, 36(Z1): 118-125. DOI: 10.11959/j.issn.1000-436x.2015289.
Untrusted kernel extensions are considered a major threat to OS kernel integrity because, once they are loaded into the kernel space, they can corrupt both OS kernel data and code at will. To address this problem, a model named MOKIP, based on mandatory access control (MAC), is presented for OS kernel integrity protection. The basic idea of MOKIP is to assign different integrity labels to different entities in the kernel space and then ensure that entities with a low integrity label cannot harm entities with a high integrity label. A prototype system was implemented using hardware-assisted virtualization technology. The experimental results show that the proposed system is effective at defending against various malicious kernel extension attacks, with a performance overhead of less than 13%.