[go: up one dir, main page]

CN106845238A - A kind of cloud host operating system reinforcement means - Google Patents

A kind of cloud host operating system reinforcement means Download PDF

Info

Publication number
CN106845238A
CN106845238A CN201710076194.7A CN201710076194A CN106845238A CN 106845238 A CN106845238 A CN 106845238A CN 201710076194 A CN201710076194 A CN 201710076194A CN 106845238 A CN106845238 A CN 106845238A
Authority
CN
China
Prior art keywords
operating system
smm
cloud host
host operating
reinforcement method
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710076194.7A
Other languages
Chinese (zh)
Inventor
王利朋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhengzhou Yunhai Information Technology Co Ltd
Original Assignee
Zhengzhou Yunhai Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhengzhou Yunhai Information Technology Co Ltd filed Critical Zhengzhou Yunhai Information Technology Co Ltd
Priority to CN201710076194.7A priority Critical patent/CN106845238A/en
Publication of CN106845238A publication Critical patent/CN106845238A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a kind of cloud host operating system reinforcement means, comprise the following steps:1)Chock code is inserted in the module of operating system, chock code can be triggered and be absorbed in SMM SMM actions;2)After triggering, CPU is switched under SMM SMM, and detection module is verified to operating system integrality, and detection Malware is distorted to operating system.The method of the program is verified under SMM SMM mode to operating system important module, and method of calibration is realized based on HASH methods, and corresponding Hash numerical value deposits in system management ram(System Management RAM,SMRAM)In space, because client's domain system software can not usually access the spatial data, therefore scan module and hash file storehouse are transparent to upper strata operating system, possess greater security.

Description

一种云主机操作系统加固方法A cloud host operating system reinforcement method

技术领域technical field

本发明涉及的是一种云主机操作系统加固方法。The invention relates to a method for strengthening the operating system of a cloud host.

背景技术Background technique

在现有技术中,公知的技术是系统管理模式(System Management Mode, SMM)是Intel在386SL之后引入x86体系结构的执行模式,它是CPU四种运行模式中的一种,其它三种是实模式、保护模式、v86模式。SMM只能通过系统管理中断(System ManagementInterrupt, SMI) 进入,并只能通过执行RSM指令退出。SMM模式对操作系统透明,换句话说,操作系统根本不知道系统何时进入SMM模式,也无法感知SMM模式曾经执行过,In the prior art, the known technology is that System Management Mode (System Management Mode, SMM) is the execution mode that Intel introduced into the x86 architecture after the 386SL. It is one of the four operating modes of the CPU, and the other three are real mode, protected mode, v86 mode. SMM can only be entered through a System Management Interrupt (SMI), and can only be exited by executing an RSM instruction. The SMM mode is transparent to the operating system. In other words, the operating system does not know when the system enters the SMM mode, nor can it perceive that the SMM mode has been executed.

随着互联网带宽的不断升级,云计算在日常生活中的应用已经相当普及。计算机安全问题,例如病毒、木马等导致数据泄露和数据篡改等问题,也变得更为严重。在上述背景下,解决面向操作系统安全问题、保障使用云客户机系统安全已成为计算机安全的一个重要关键技术点。With the continuous upgrading of Internet bandwidth, the application of cloud computing in daily life has become quite popular. Computer security issues, such as viruses, Trojan horses, etc. leading to data leakage and data tampering, have also become more serious. In the above background, solving the security issues facing the operating system and ensuring the security of the cloud client system has become an important key technical point of computer security.

发明内容Contents of the invention

本发明的目的就是针对现有技术所存在的不足而提供一种技术方案,该方案的方法在系统管理模式SMM模式下,对操作系统重要模块进行校验,校验方法是基于HASH方法进行实现,对应的Hash数值存放于系统管理内存(System Management RAM,SMRAM)空间中,由于客户域系统软件一般是不能访问该空间数据的,因此扫描模块和Hash文件库对上层操作系统透明,具备更高安全性。The purpose of the present invention is to provide a technical solution for the existing deficiencies in the prior art. The method of the solution is to verify the important modules of the operating system under the system management mode SMM mode, and the verification method is realized based on the HASH method , and the corresponding Hash value is stored in the system management RAM (SMRAM) space. Since the client domain system software generally cannot access the data in this space, the scanning module and the Hash file library are transparent to the upper operating system and have higher safety.

本方案是通过如下技术措施来实现的:1. 一种云主机操作系统加固方法,其特征在于包括如下步骤:This scheme is realized by following technical measure: 1. a kind of cloud host operating system reinforcement method, it is characterized in that comprising the steps:

1)在操作系统的模块中插入楔子代码,楔子代码会触发陷入系统管理模式SMM动作;1) Insert the wedge code into the module of the operating system, and the wedge code will trigger the action of falling into the system management mode SMM;

2)触发后,CPU切换在系统管理模式SMM下,每次进入SMM后执行程序入口地址都不会一样,检测模块对操作系统完整性进行校验,检测恶意软件对操作系统的篡改。2) After triggering, the CPU switches to the system management mode SMM, and the execution program entry address will be different every time it enters SMM. The detection module verifies the integrity of the operating system and detects the tampering of the operating system by malicious software.

所述的校验采用HASH算法进行实现。The verification is implemented using the HASH algorithm.

HASH算法对应的HASH数值存放在系统管理内存SMRAM的空间内。The HASH value corresponding to the HASH algorithm is stored in the space of the system management memory SMRAM.

通过TPM芯片对HASH数值型加密。The HASH value is encrypted by the TPM chip.

在系统管理模式SMM中对HASH数值建立白名单,使HASH算法正常执行。Create a whitelist for HASH values in the system management mode SMM, so that the HASH algorithm can be executed normally.

所述的白名单包括特殊软件和操作系统的数据结构,所述的特殊软件包括杀毒软件,数据结构包括GDT表、驱动程序。The white list includes special software and the data structure of the operating system, the special software includes anti-virus software, and the data structure includes a GDT table and a driver.

楔子代码插入的位置选择的是sysenter和syscall指令指向的内核代码的入口位置。The location of the wedge code insertion is selected to be the entry location of the kernel code pointed to by the sysenter and syscall instructions.

本方案的有益效果可根据对上述方案的叙述得知,由于在该方案中在操作系统的关键模块插入楔子代码,该代码会触发陷入SMM动作,触发成功后,CPU将切换在SMM模式下,此时检测模块会对操作系统完整性进行校验,以检测恶意软件对操作系统的篡改。楔子代码插入位置,这里选择的是sysenter和syscall指令指向的内核代码的入口位置。在SMM模式下一切被都屏蔽,包括所有的中断。SMM模式下的执行的程序被称作SMM处理程序,所有的SMM处理程序只能在系统管理内存(System Management RAM,SMRAM)的空间内运行。操作系统不可以访问该空间,恶意软件和病毒一般是不能访问该空间,因此扫描模块具备较强的隔离型,而SMM处理程序能够访问整个内存空间;每次进入SMM后执行程序入口地址都不会一样,使得跟踪SMM执行变得更为困难。The beneficial effect of this scheme can be known according to the narration to above-mentioned scheme, because insert wedge code in the key module of operating system in this scheme, this code can trigger and fall into SMM action, after triggering successfully, CPU will switch under the SMM mode, At this time, the detection module verifies the integrity of the operating system to detect tampering of the operating system by malicious software. Wedge code insertion position, the entry position of the kernel code pointed to by the sysenter and syscall instructions is selected here. Everything is masked in SMM mode, including all interrupts. The programs executed in the SMM mode are called SMM handlers, and all SMM handlers can only run in the space of System Management RAM (SMRAM). The operating system cannot access this space, and malware and viruses generally cannot access this space, so the scanning module has a strong isolation type, and the SMM processing program can access the entire memory space; each time after entering SMM, the execution program entry address is not will be the same, making it more difficult to trace SMM execution.

Hash数值经TPM芯片进行了加密,即使第三方能获取到这些数值,解密修改这些数据也将具备更高的复杂度,基于TPM芯片进行加密和解密操作,减少了CPU执行计算任务负荷,节省了系统资源,缩减了每次执行检验的时间间隔The Hash value is encrypted by the TPM chip. Even if a third party can obtain these values, decryption and modification of these data will have higher complexity. Encryption and decryption operations based on the TPM chip reduce the CPU's calculation task load and save system resources, reducing the time interval between each inspection execution

本方案是基于白名单方式校验Hash数值,加入到白名单主要包括了操作系统主要的数据结构和一些特殊应用软件。操作系统重要的数据结构包括了GDT表、驱动程序等;特殊应用软件主要包括了杀毒软件等特殊程序。本方案同时适合于校验运行在物理机中操作系统完整性,也可以校验运行在虚拟域中操作系统的完整性。本方法不仅能够校验运行在虚拟域中操作系统完整性,同时能够校验hypervisor层重要数据结构的完整性,为云计算环境提供更完整的数据校验功能。This solution is based on the whitelist method to verify the Hash value. Adding to the whitelist mainly includes the main data structure of the operating system and some special application software. The important data structure of the operating system includes GDT tables, drivers, etc.; the special application software mainly includes special programs such as anti-virus software. This solution is also suitable for verifying the integrity of the operating system running in the physical machine, and can also verify the integrity of the operating system running in the virtual domain. The method can not only verify the integrity of the operating system running in the virtual domain, but also can verify the integrity of the important data structure of the hypervisor layer, and provide a more complete data verification function for the cloud computing environment.

由此可见,本发明与现有技术相比,具有突出的实质性特点和显著的进步,其实施的有益效果也是显而易见的。It can be seen that, compared with the prior art, the present invention has outstanding substantive features and remarkable progress, and the beneficial effects of its implementation are also obvious.

具体实施方式detailed description

为能清楚说明本方案的技术特点,下面通过一个具体实施方式,对本方案进行阐述。In order to clearly illustrate the technical features of the solution, the solution will be described below through a specific implementation manner.

本方案的云主机操作系统加固方法,包括如下步骤:The cloud host operating system reinforcement method in this solution includes the following steps:

1)在操作系统的模块中插入楔子代码,楔子代码会触发陷入系统管理模式SMM动作;1) Insert the wedge code into the module of the operating system, and the wedge code will trigger the action of falling into the system management mode SMM;

2)触发后,CPU切换在系统管理模式SMM下,每次进入SMM后执行程序入口地址都不会一样,检测模块对操作系统完整性进行校验,检测恶意软件对操作系统的篡改。2) After triggering, the CPU switches to the system management mode SMM, and the execution program entry address will be different every time it enters SMM. The detection module verifies the integrity of the operating system and detects the tampering of the operating system by malicious software.

所述的校验采用HASH算法进行实现,HASH算法对应的HASH数值存放在系统管理内存SMRAM的空间内,通过TPM芯片对HASH数值型加密,在系统管理模式SMM中对HASH数值建立白名单,使HASH算法正常执行,所述的白名单包括特殊软件和操作系统的数据结构,所述的特殊软件包括杀毒软件,数据结构包括GDT表、驱动程序。The verification is implemented using the HASH algorithm, the HASH value corresponding to the HASH algorithm is stored in the space of the system management memory SMRAM, the HASH value is encrypted by the TPM chip, and a white list is established for the HASH value in the system management mode SMM, so that The HASH algorithm is normally executed, and the white list includes special software and the data structure of the operating system. The special software includes antivirus software, and the data structure includes a GDT table and a driver.

楔子代码插入的位置选择的是sysenter和syscall指令指向的内核代码的入口位置。The location of the wedge code insertion is selected to be the entry location of the kernel code pointed to by the sysenter and syscall instructions.

本发明并不仅限于上述具体实施方式,本领域普通技术人员在本发明的实质范围内做出的变化、改型、添加或替换,也应属于本发明的保护范围。The present invention is not limited to the above-mentioned specific implementation methods, and changes, modifications, additions or substitutions made by those skilled in the art within the essential scope of the present invention should also fall within the protection scope of the present invention.

Claims (7)

1.一种云主机操作系统加固方法,其特征在于包括如下步骤:1. A cloud host operating system reinforcement method is characterized in that comprising the steps: 1)在操作系统的模块中插入楔子代码,楔子代码会触发陷入系统管理模式SMM动作;1) Insert the wedge code into the module of the operating system, and the wedge code will trigger the action of falling into the system management mode SMM; 2)触发后,CPU切换在系统管理模式SMM下,每次进入SMM后执行程序入口地址都不会一样,检测模块对操作系统完整性进行校验,检测恶意软件对操作系统的篡改。2) After triggering, the CPU switches to the system management mode SMM, and the execution program entry address will be different every time it enters SMM. The detection module verifies the integrity of the operating system and detects the tampering of the operating system by malicious software. 2.根据权利要求1所述的云主机操作系统加固方法,其特征是:所述的校验采用HASH算法进行实现。2. The cloud host operating system reinforcement method according to claim 1, characterized in that: the verification is implemented using a HASH algorithm. 3.根据权利要求2所述的云主机操作系统加固方法,其特征是:HASH算法对应的HASH数值存放在系统管理内存SMRAM的空间内。3. The cloud host operating system reinforcement method according to claim 2, characterized in that: the HASH value corresponding to the HASH algorithm is stored in the space of the system management memory SMRAM. 4.根据权利要求3所述的云主机操作系统加固方法,其特征是:通过TPM芯片对HASH数值型加密。4. The cloud host operating system reinforcement method according to claim 3, characterized in that: the HASH numerical type is encrypted by the TPM chip. 5.根据权利要求4所述的云主机操作系统加固方法,其特征是:在系统管理模式SMM中对HASH数值建立白名单,使HASH算法正常执行。5. The cloud host operating system reinforcement method according to claim 4, characterized in that: in the system management mode SMM, a whitelist is established for HASH values, so that the HASH algorithm can be executed normally. 6.根据权利要求4所述的云主机操作系统加固方法,其特征是:所述的白名单包括特殊软件和操作系统的数据结构,所述的特殊软件包括杀毒软件,数据结构包括GDT表、驱动程序。6. The cloud host operating system reinforcement method according to claim 4, characterized in that: the white list includes special software and the data structure of the operating system, the special software includes antivirus software, and the data structure includes a GDT table, driver. 7.根据权利要求1所述的云主机操作系统加固方法,其特征是:楔子代码插入的位置选择的是sysenter和syscall指令指向的内核代码的入口位置。7. The cloud host operating system reinforcement method according to claim 1, characterized in that: the position for inserting the wedge code is selected to be the entry position of the kernel code pointed to by the sysenter and syscall instructions.
CN201710076194.7A 2017-02-13 2017-02-13 A kind of cloud host operating system reinforcement means Pending CN106845238A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710076194.7A CN106845238A (en) 2017-02-13 2017-02-13 A kind of cloud host operating system reinforcement means

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710076194.7A CN106845238A (en) 2017-02-13 2017-02-13 A kind of cloud host operating system reinforcement means

Publications (1)

Publication Number Publication Date
CN106845238A true CN106845238A (en) 2017-06-13

Family

ID=59128752

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710076194.7A Pending CN106845238A (en) 2017-02-13 2017-02-13 A kind of cloud host operating system reinforcement means

Country Status (1)

Country Link
CN (1) CN106845238A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110362983A (en) * 2019-05-31 2019-10-22 北京中电飞华通信股份有限公司 A method, device and electronic equipment for ensuring consistency of a dual-domain system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101149690A (en) * 2006-09-22 2008-03-26 三星电子株式会社 Computer system and method including devices directing stand-alone system management operations
US7558966B2 (en) * 2004-06-09 2009-07-07 Intel Corporation Notifying remote administrator of platform integrity determination
CN101770406A (en) * 2008-12-30 2010-07-07 英特尔公司 Apparatus and method for runtime integrity checking

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7558966B2 (en) * 2004-06-09 2009-07-07 Intel Corporation Notifying remote administrator of platform integrity determination
CN101149690A (en) * 2006-09-22 2008-03-26 三星电子株式会社 Computer system and method including devices directing stand-alone system management operations
CN101770406A (en) * 2008-12-30 2010-07-07 英特尔公司 Apparatus and method for runtime integrity checking

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王璟: "基于硬件虚拟技术的Rootkit检测技术研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110362983A (en) * 2019-05-31 2019-10-22 北京中电飞华通信股份有限公司 A method, device and electronic equipment for ensuring consistency of a dual-domain system

Similar Documents

Publication Publication Date Title
US11861005B2 (en) Systems and methods involving features of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, rootkit detection/prevention, and/or other features
Zhao et al. Sectee: A software-based approach to secure enclave architecture using tee
Ge et al. Sprobes: Enforcing kernel code integrity on the trustzone architecture
Jiang et al. Stealthy malware detection and monitoring through VMM-based “out-of-the-box” semantic view reconstruction
Payne et al. Lares: An architecture for secure active monitoring using virtualization
Zhang et al. Cloudvisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization
Demigha et al. Hardware-based solutions for trusted cloud computing
CN103841198B (en) A kind of clean room cloud computing data processing method and system
Boivie et al. SecureBlue++: CPU support for secure execution
Duflot et al. What if you can’t trust your network card?
WO2019056761A1 (en) Tpm-based industrial control trusted embedded platform activation method
Wang et al. TZ‐MRAS: A Remote Attestation Scheme for the Mobile Terminal Based on ARM TrustZone
US8800052B2 (en) Timer for hardware protection of virtual machine monitor runtime integrity watcher
CN111194447B (en) Monitoring control flow integrity
WO2023104013A1 (en) Data integrity protection method and related apparatus
CN106845238A (en) A kind of cloud host operating system reinforcement means
Thomas et al. Multi-task support for security-enabled embedded processors
Wang et al. Kernel and application integrity assurance: Ensuring freedom from rootkits and malware in a computer system
Fu et al. Subverting system authentication with context-aware, reactive virtual machine introspection
Gu et al. Outlier: Enabling effective measurement of hypervisor code integrity with group detection
Vibhute EPA-RIMM-V: Efficient Rootkit Detection for Virtualized Environments
Lou et al. A Multi-level Perception Security Model Using Virtualization.
Liu et al. Multi-Variant Execution Research of Software Diversity
Takekoshi et al. BadAML: Exploiting Legacy Firmware Interfaces to Compromise Confidential Virtual Machines
Srinivasan et al. Determining the integrity of application binaries on unsecure legacy machines using software based remote attestation

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20170613