CN115935373A - Method and apparatus for protecting operating system kernel - Google Patents


Info

Publication number
CN115935373A
Authority
CN
China
Prior art keywords
key information; preset key; information; operating system; preset
Prior art date
Legal status (the legal status is an assumption and is not a legal conclusion)
Pending
Application number
CN202211606380.4A
Other languages
Chinese (zh)
Inventor
Name withheld at the inventor's request
Current Assignee (the listed assignees may be inaccurate)
Beijing Real AI Technology Co Ltd
Original Assignee
Beijing Real AI Technology Co Ltd
Application filed by Beijing Real AI Technology Co Ltd
Priority to CN202211606380.4A
Publication of CN115935373A
Legal status: Pending (current)

Landscapes

  • Storage Device Security (AREA)

Abstract

The embodiments of the disclosure provide a method and a device for protecting an operating system kernel, wherein the method comprises the following steps: after an image of an operating system is loaded, storing original information of preset key information of the operating system; in response to receiving a key information detection instruction, acquiring current information of the preset key information; detecting whether the preset key information is tampered or not based on the original information of the preset key information and the current information of the preset key information; and when the preset key information is detected to be tampered, alarming and/or recovering the preset key information. The method and the device can improve the security of the kernel of the operating system and reduce the probability that the kernel information of the operating system is maliciously modified.

Description

Method and apparatus for protecting operating system kernel
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a method and an apparatus for protecting an operating system kernel.
Background
With the growth of the community around an operating system, some software vendors may maliciously modify kernel information of the operating system by means of upgrade patches.
How to protect the kernel of the operating system and reduce the probability of malicious modification of kernel information of the operating system is an urgent problem to be solved.
Disclosure of Invention
The embodiment of the disclosure provides a method and a device for protecting an operating system kernel, which improve the security of the operating system kernel and reduce the probability of malicious modification of operating system kernel information.
In a first aspect of the embodiments of the present disclosure, a method for protecting a kernel of an operating system is provided, including:
after loading an image of an operating system, storing original information of preset key information of the operating system;
in response to receiving a key information detection instruction, acquiring current information of the preset key information;
detecting whether the preset key information is tampered or not based on the original information of the preset key information and the current information of the preset key information;
and when the preset key information is detected to be tampered, alarming and/or recovering the preset key information.
In an embodiment of the present disclosure, after detecting whether the preset key information is tampered based on the original information of the preset key information and the current information of the preset key information, the method further includes:
in response to the fact that the preset key information is not tampered, carrying out encryption processing on a storage component of original information of the preset key information, and generating a self-decryption machine code of the storage component;
and storing the self-decryption machine code in a preset memory space, and restarting a calling source of the storage component, wherein the preset memory space is different from the original memory space of the storage component, and the calling source points to the preset memory space.
In an embodiment of the present disclosure, the encrypting of a storage component of original information of the preset key information to generate a self-decrypting machine code of the storage component includes:
dividing the program of the storage component into a plurality of program paragraphs;
generating, based on the plurality of program paragraphs, a tree structure, wherein each node of the tree structure corresponds to one of the plurality of program paragraphs;
and setting an encryption relationship and a decryption relationship between a father node and a child node of the tree structure, and setting a root node of the tree structure as the self-decryption machine code.
In an embodiment of the present disclosure, the obtaining current information of the preset key information in response to receiving a key information detection instruction further includes:
in response to receiving the key information detection instruction, disabling the interrupt associated with the preset key information, and detecting whether a calling interface of the preset key information is safe;
and in response to detecting that the calling interface of the preset key information is safe, acquiring the current information of the preset key information.
In an embodiment of the present disclosure, the original information of the preset key information includes an original hash value of the preset key information, and the current information of the preset key information includes a current hash value of the preset key information; the detecting whether the preset key information is tampered based on the original information of the preset key information and the current information of the preset key information includes:
if the original hash value is the same as the current hash value, determining that the preset key information is not tampered;
and if the original hash value is different from the current hash value, determining that the preset key information is tampered.
In one embodiment of the present disclosure, the preset key information includes at least one of a global variable, a common variable, a runtime variable, an interrupt descriptor table IDT, a system service descriptor table SSDT and a global descriptor table GDT of the operating system.
In a second aspect of the embodiments of the present disclosure, an apparatus for protecting an operating system kernel is provided, including:
the storage module is used for storing original information of preset key information of the operating system after the image of the operating system is loaded;
the acquisition module is used for responding to the received key information detection instruction and acquiring the current information of the preset key information;
the detection module is used for detecting whether the preset key information is tampered or not based on the original information of the preset key information and the current information of the preset key information;
and the tampering processing module is used for alarming and/or recovering the preset key information when the preset key information is tampered.
In an embodiment of the present disclosure, the storage module is further configured to, when it is determined that the preset key information is not tampered, encrypt a storage component of original information of the preset key information, and generate a self-decryption machine code of the storage component; the storage module is further configured to store the self-decrypting machine code in a preset memory space, and restart a calling source of the storage component, where the preset memory space is different from an original memory space of the storage component, and the calling source points to the preset memory space.
In one embodiment of the present disclosure, the storage module is configured to divide the program of the storage component into a plurality of program paragraphs; the storage module is further configured to generate, based on the plurality of program paragraphs, a tree structure, wherein each node of the tree structure corresponds to one of the plurality of program paragraphs; the storage module is further configured to set an encryption relationship and a decryption relationship between a parent node and a child node of the tree structure, and set a root node of the tree structure as the self-decrypting machine code.
In an embodiment of the present disclosure, the obtaining module is configured to disable an interrupt associated with the preset key information in response to receiving the key information detection instruction, and detect whether a calling interface of the preset key information is safe; the obtaining module is further configured to obtain current information of the preset key information in response to detecting that the calling interface of the preset key information is safe.
In an embodiment of the present disclosure, the original information of the preset key information includes an original hash value of the preset key information, and the current information of the preset key information includes a current hash value of the preset key information; the detection module is used for determining that the preset key information is not tampered if the original hash value is the same as the current hash value; the detection module is further configured to determine that the preset key information is tampered if the original hash value is different from the current hash value.
In one embodiment of the present disclosure, the preset key information includes at least one of a global variable, a common variable, a runtime variable, an interrupt descriptor table IDT, a system service descriptor table SSDT and a global descriptor table GDT of the operating system.
In a third aspect of the embodiments of the present disclosure, there is provided an electronic device, including:
a memory for storing a computer program;
a processor for executing the computer program stored in the memory, and the computer program, when executed, implements the method for protecting an operating system kernel of the first aspect described above.
In a fourth aspect of the embodiments of the present disclosure, a computer-readable storage medium is provided, on which a computer program is stored, and when the computer program is executed by a processor, the computer program implements the method for protecting an operating system kernel according to the first aspect.
A fifth aspect of the embodiments of the present disclosure provides a computer program product for a computer, comprising software code portions for performing the method for protecting an operating system kernel of the first aspect when the product is run on the computer.
According to the method and the device for protecting the kernel of the operating system, after the image of the operating system is loaded, the original information of the preset key information of the operating system is stored; after the operating system is started, a key information detection instruction is generated according to a preset detection strategy; after the key information detection instruction is received, the current information of the preset key information is obtained and compared with the original information of the preset key information, so that whether the preset key information is tampered or not can be detected from the comparison result; and when the preset key information is tampered, an alarm is given and/or the preset key information is restored. The key information of the kernel can thereby be effectively prevented from being modified by a kernel upgrade patch or a malicious program, the security of the kernel of the operating system is improved, and the probability that the kernel information of the operating system is maliciously modified is reduced.
The technical solution of the present disclosure is further described in detail by the accompanying drawings and examples.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The present disclosure may be more clearly understood from the following detailed description, taken with reference to the accompanying drawings, in which:
FIG. 1 is a flow diagram illustrating a method for protecting an operating system kernel in one embodiment of the present disclosure;
FIG. 2 is a schematic illustration of encryption and decryption between self-decrypting machine code and a program of a storage component in one example of the present disclosure;
FIG. 3 is a block diagram of an apparatus for protecting an operating system kernel in one embodiment of the present disclosure;
FIG. 4 is a block diagram of an electronic device in an embodiment of the present disclosure.
Detailed Description
Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
It will be understood by those within the art that the terms "first", "second", etc. in the embodiments of the present disclosure are used only for distinguishing between different steps, devices or modules, etc., and do not denote any particular technical meaning or necessary logical order therebetween.
It is also understood that in embodiments of the present disclosure, "a plurality" may refer to two or more and "at least one" may refer to one, two or more.
It is also to be understood that any reference to any component, data, or structure in the embodiments of the disclosure, may be generally understood as one or more, unless explicitly defined otherwise or stated otherwise.
In addition, the term "and/or" in the present disclosure is only one kind of association relationship describing an associated object, and means that three kinds of relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" in the present disclosure generally indicates that the former and latter associated objects are in an "or" relationship.
It should also be understood that the description of the various embodiments of the present disclosure emphasizes the differences between the various embodiments, and the same or similar parts may be referred to each other, so that the descriptions thereof are omitted for brevity.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.
Techniques, methods, and apparatus known to one of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
The disclosed embodiments may be applied to electronic devices such as terminal devices, computer systems, servers, etc., which are operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well known terminal devices, computing systems, environments, and/or configurations that may be suitable for use with electronic devices, such as terminal devices, computer systems, servers, and the like, include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, networked personal computers, minicomputer systems, mainframe computer systems, distributed cloud computing environments that include any of the above, and the like.
Electronic devices such as terminal devices, computer systems, servers, etc. may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, etc. that perform particular tasks or implement particular abstract data types. The computer system/server may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.
Fig. 1 is a flowchart illustrating a method for protecting an operating system kernel according to an embodiment of the present disclosure. As shown in fig. 1, a method for protecting an operating system kernel may include:
S1: After the image of the operating system is loaded, storing the original information of the preset key information of the operating system.
The operating system may be one of a Linux system, a Unix system, a Windows system, an Android system, and an iOS system. For different operating systems, different pieces of original information of the key information may be selected for storage. For example, for a Linux system, at least one of a global variable, a common variable, a run-time variable, an interrupt descriptor table IDT, a system service descriptor table SSDT, and a global descriptor table GDT of the Linux operating system may be selected as the key information, and a storage component is used to store the original information of the preset key information.
S2: and responding to the received key information detection instruction, and acquiring current information of preset key information.
When the system time reaches the preset system check time, a key information detection instruction for detecting whether the system key information is tampered or not can be generated. And when the operating system receives the key information detection instruction, acquiring the current information of the preset key information. For example, when the preset key information includes a global variable, a common variable, a run-time variable, an interrupt descriptor table IDT, a system service descriptor table SSDT and a global descriptor table GDT of the Linux operating system, the global variable, the common variable, the run-time variable, the interrupt descriptor table IDT, the system service descriptor table SSDT and the global descriptor table GDT of the current Linux operating system are acquired from the Linux operating system.
S3: and detecting whether the preset key information is tampered or not based on the original information of the preset key information and the current information of the preset key information.
The original information of the preset key information is obtained from the storage space of the preset key information of the operating system, the original information of the preset key information is compared item by item with the current information of the preset key information, and whether the preset key information is tampered is determined according to the comparison result.
S4: and when the preset key information is detected to be tampered, alarming and/or performing information recovery on the preset key information.
When the preset key information is detected to be tampered, the alarm can be given to the user in a prompt box mode, so that the user can know that the preset key information of the operating system is tampered in time, and the asset protection or the rapid repair of the operating system is facilitated for the user. When the preset key information is detected to be tampered, information recovery can be carried out on the tampered information, and therefore system safety is guaranteed.
In this embodiment, after an image of an operating system is loaded, the original information of the preset key information of the operating system is stored; after the operating system is started, a key information detection instruction is generated according to a preset detection strategy; after the key information detection instruction is received, the current information of the preset key information is obtained and compared with the original information of the preset key information; whether the preset key information is tampered is detected according to the comparison result; and when the preset key information is tampered, an alarm is given and/or the preset key information is recovered. The security of the operating system kernel can thereby be improved, and the probability of malicious modification of the operating system kernel information is reduced.
In an embodiment of the present disclosure, after step S3, the method may further include:
S5: In response to the fact that the preset key information is not tampered, carrying out encryption processing on the storage component of the original information of the preset key information, and generating a self-decryption machine code of the storage component.
When it is detected that the preset key information is not tampered, a preset self-encryption method can be adopted to encrypt the storage component of the original information of the preset key information, and a self-decryption machine code of the storage component is generated. The storage component of the original information of the preset key information can later be recovered by the self-decryption corresponding to the self-encryption method, and the original information of the preset key information can then be obtained through the storage component.
S6: and storing the self-decryption machine code in a preset memory space, and restarting a calling source of the storage component. The preset memory space is different from the original memory space of the storage component, and the calling source points to the preset memory space.
And storing the self-decryption machine code into a preset memory space different from the original memory space of the storage component according to a preset storage strategy, and restarting a calling source of the storage component.
In this embodiment, after detecting whether the preset key information is tampered, a self-decryption machine code of the storage component is generated by a self-encryption method, the self-decryption machine code is stored, according to a preset storage strategy, in a preset memory space different from the original memory space of the storage component, and a calling source of the storage component is restarted. A kernel upgrade patch or a malicious program can thereby be effectively prevented from modifying the key information of the kernel, the security of the storage component of the preset key information is greatly improved, and the probability of tampering with the preset key information can be greatly reduced.
In one embodiment of the present disclosure, step S5 may include:
S5-1: In response to determining that the preset key information has not been tampered, dividing the program of the storage component into a plurality of program paragraphs.
S5-2: Based on the plurality of program paragraphs, generating a tree structure, wherein each node of the tree structure corresponds to one of the plurality of program paragraphs.
S5-3: and setting an encryption relation and a decryption relation between a parent node and a child node of the tree structure, and setting a root node of the tree structure as a self-decryption machine code.
FIG. 2 is a schematic illustration of encryption and decryption between self-decrypting machine code and a program of a storage component in one example of the present disclosure. As shown in fig. 2, in the present example, after detecting that the preset key information is not tampered, the program of the storage component is divided into 4 program paragraphs, namely program paragraph 1, program paragraph 2, program paragraph 3, and program paragraph 4. The program paragraph 1, the program paragraph 2, the program paragraph 3, and the program paragraph 4 correspond to the node A1, the node A2, the node A3, and the node A4 of the tree structure, respectively.
The following relationships are set by the self-encryption method: an encryption and decryption relationship between the child nodes A1 and A2 and the parent node B1; an encryption and decryption relationship between the child nodes A3 and A4 and the parent node B2; and an encryption and decryption relationship between the nodes B1 and B2 and the root node C.
The self-encryption process comprises the following steps: the node B1 is obtained by encrypting the node A1 and the node A2, the node B2 is obtained by encrypting the node A3 and the node A4, and the root node C is obtained by encrypting the node B1 and the node B2. Root node C corresponds to the self-decrypting machine code.
Corresponding to the self-encryption process, the self-decryption process includes: the node B1 and the node B2 are obtained by decrypting the root node C, the node A1 and the node A2 are obtained by decrypting the node B1, and the node A3 and the node A4 are obtained by decrypting the node B2.
It should be noted that the number of program paragraphs into which the program of the storage component is divided is not limited in the embodiments of the present disclosure; that is, the program of the storage component may be divided into N program paragraphs, where N is an integer greater than 1. In addition, the tree structure of the embodiments of the present disclosure is not limited to a binary tree, i.e., one parent node may correspond to M child nodes, where M is an integer greater than 1.
In this embodiment, the self-decrypting machine code of the storage component is generated by encrypting the program of the storage component, so that the probability of finding the storage component in a searching manner can be effectively reduced, the security of the original information of the preset key information in the storage component is improved, and the probability of tampering the original information of the preset key information is reduced.
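The tree-based self-encryption of steps S5-1 to S5-3 and FIG. 2, as an added Python model that is not code from the patent or its assignee: the storage component's program is a constructed stand-in byte string, the per-node key derivation and the XOR-with-SHA-256-keystream cipher are assumptions standing in for the unspecified encryption method, and the root node is returned as data rather than executable machine code. It generalises FIG. 2 from a binary tree over 4 paragraphs to N paragraphs with fan-out M.

```python
import hashlib

# Constructed stand-in for the program of the storage component (104 bytes).
PROGRAM = b"STORAGE-COMPONENT-PROGRAM-" * 4
MASTER = b"constructed-master-key"   # assumed secret behind the encryption relations


def node_key(master: bytes, height: int, index: int) -> bytes:
    # Assumed derivation: one key per parent node, identified by its height
    # above the leaves and its index within that level.
    return hashlib.sha256(master + bytes([height]) + index.to_bytes(4, "big")).digest()


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    Applying it twice with the same key decrypts, which is all the model needs."""
    stream = b"".join(hashlib.sha256(key + c.to_bytes(4, "big")).digest()
                      for c in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def pack(children) -> bytes:
    # Length-prefix each child so the parent can be split again on decryption.
    return b"".join(len(c).to_bytes(4, "big") + c for c in children)


def unpack(blob: bytes) -> list:
    out, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out


def self_encrypt(program: bytes, n_paragraphs: int, fanout: int, master: bytes) -> bytes:
    """S5-1..S5-3: split the program into N paragraphs (leaf nodes A1..AN), then
    repeatedly encrypt groups of M sibling nodes into their parent (the B nodes)
    until a single root C remains. The root is what the page calls the
    self-decrypting machine code; here it is returned as bytes."""
    if not program or n_paragraphs < 2 or fanout < 2:
        raise ValueError("need a non-empty program, N > 1 and M > 1")
    size = -(-len(program) // n_paragraphs)              # ceiling division
    # Leaf node: tag 0x00 followed by the plaintext paragraph.
    nodes = [b"\x00" + program[i:i + size] for i in range(0, len(program), size)]
    height = 0
    while len(nodes) > 1:
        height += 1
        # Internal node: tag 0x01, height byte, then the encrypted packed children.
        nodes = [b"\x01" + bytes([height])
                 + xor_keystream(pack(nodes[i:i + fanout]), node_key(master, height, i // fanout))
                 for i in range(0, len(nodes), fanout)]
    return nodes[0]


def self_decrypt(node: bytes, fanout: int, master: bytes, index: int = 0) -> list:
    """Inverse walk: decrypt C into the B nodes, each B node into its A nodes,
    returning the paragraphs in their original order."""
    if node[0] == 0:
        return [node[1:]]
    height = node[1]
    children = unpack(xor_keystream(node[2:], node_key(master, height, index)))
    paragraphs = []
    for j, child in enumerate(children):
        paragraphs += self_decrypt(child, fanout, master, index * fanout + j)
    return paragraphs


def tree_height(root: bytes) -> int:
    # 0 for a bare paragraph; 2 for FIG. 2 (A leaves, B nodes, root C).
    return 0 if root[0] == 0 else root[1]
```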
In one embodiment of the present disclosure, step S2 may include:
S2-1: In response to receiving the key information detection instruction, disabling the interrupt associated with the preset key information, and detecting whether the calling interface of the preset key information is safe.
After the key information detection instruction is received, the interrupt associated with the preset key information is disabled, and whether the calling interface of the preset key information is safe is detected, so as to avoid a misjudgment of whether the preset key information is tampered caused by an interrupt or by tampering with the calling interface.
S2-2: Acquiring the current information of the preset key information in response to detecting that the calling interface of the preset key information is safe.
In this embodiment, before detecting whether the preset key information is tampered, the interrupt associated with the preset key information is disabled and whether the calling interface of the preset key information is safe is detected, so that a misjudgment of whether the preset key information is tampered due to an interrupt or tampering with the calling interface can be effectively avoided.
In an embodiment of the present disclosure, the original information of the preset key information includes an original hash value of the preset key information, and the current information of the preset key information includes a current hash value of the preset key information. Correspondingly, step S3 may comprise: if the original hash value is the same as the current hash value, determining that the preset key information is not tampered; and if the original hash value is different from the current hash value, determining that the preset key information is tampered.
When the operating system is installed, a hash operation may be performed on the preset key information, for example with a one-way hash function such as SHA-256, so as to obtain an original hash value of the preset key information. When detecting whether the preset key information is tampered, the current hash value of the preset key information is calculated with the same hash function; if the original hash value of the preset key information is consistent with the current hash value of the preset key information, it is determined that the preset key information is not tampered, and if the original hash value of the preset key information is inconsistent with the current hash value of the preset key information, it can be determined that the preset key information is tampered.
In this embodiment, the original hash value of the preset key information is stored, so that the occupied storage capacity can be effectively reduced. By comparing the original hash value of the preset key information with the current hash value, whether the preset key information is tampered or not can be accurately judged.
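Steps S1 to S4, the S2-1 calling-interface check and the SHA-256 embodiment of S3, modelled in user-space Python as an added example that is not code from the patent or its assignee. KEY_INFO is a constructed stand-in for the kernel memory holding the IDT, SSDT and GDT, hashing the reader function's bytecode stands in for "detecting whether the calling interface is safe", and disabling the associated interrupt has no user-space analogue, so it is omitted.

```python
import hashlib

# Constructed stand-in for kernel memory holding the "preset key information"
# (the page names globals, IDT, SSDT and GDT). Real entries would be descriptor
# bytes read from the kernel; here they are fixed byte strings so the model runs offline.
KEY_INFO = {
    "IDT":  bytes.fromhex("00e0000080ff0000"),
    "SSDT": bytes.fromhex("10000000200000003000000040000000"),
    "GDT":  bytes(8) + bytes.fromhex("ffff00000098cf00"),
}
ALARMS = []   # record of what S4's "alarm" produced; a kernel would log or prompt instead


def sha256_hex(data: bytes) -> str:
    # The page's example one-way hash for the S3 embodiment.
    return hashlib.sha256(data).hexdigest()


def read_key_info(name: str) -> bytes:
    """The 'calling interface' through which key information is read (S2)."""
    return KEY_INFO[name]


GENUINE_READER = read_key_info


def interface_digest() -> str:
    # S2-1 modelled in user space: hash the bytecode of whatever function currently
    # answers to read_key_info, so a replaced interface is noticed before any value
    # it returns is trusted.
    return sha256_hex(read_key_info.__code__.co_code)


class StorageComponent:
    """What S1 stores after the OS image is loaded."""
    def __init__(self, names):
        self.original = {n: read_key_info(n) for n in names}               # needed for S4 recovery
        self.digests = {n: sha256_hex(v) for n, v in self.original.items()}  # what S3 compares
        self.interface_digest = interface_digest()


def snapshot(names) -> StorageComponent:
    return StorageComponent(names)


def check(store: StorageComponent, recover: bool = True) -> dict:
    """One key information detection instruction (S2 to S4). Returns a verdict per
    item, or {"interface": "unsafe"} when the reader no longer matches the S1 snapshot."""
    if interface_digest() != store.interface_digest:                  # S2-1
        ALARMS.append("calling interface modified")
        return {"interface": "unsafe"}
    verdict = {}
    for name, original_digest in store.digests.items():
        current_digest = sha256_hex(read_key_info(name))            # S2-2
        if current_digest == original_digest:                        # S3
            verdict[name] = "ok"
            continue
        ALARMS.append(f"{name} tampered")                            # S4: alarm
        if recover:
            KEY_INFO[name] = store.original[name]                    # S4: recover
            verdict[name] = "restored"
        else:
            verdict[name] = "tampered"
    return verdict


# Helpers so both detection paths can be exercised in this offline model.
def tamper_key_info(name: str, value: bytes) -> None:
    KEY_INFO[name] = value


def replaced_reader(name: str) -> bytes:
    # A different reader standing in for a modified calling interface: it returns a
    # constant for the SSDT instead of what is actually in KEY_INFO.
    return b"\x00" * 16 if name == "SSDT" else GENUINE_READER(name)


def install_reader(fn) -> None:
    global read_key_info
    read_key_info = fn
```

Recovery in S4 needs the original bytes themselves, not only their hash; the storage saving from keeping hash values applies to the comparison in S3.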
FIG. 3 is a block diagram of an apparatus for protecting an operating system kernel in one embodiment of the present disclosure. As shown in fig. 3, the apparatus for protecting the kernel of the operating system may include:
the storage module 100 is configured to store original information of preset key information of an operating system after an image of the operating system is loaded;
an obtaining module 200, configured to obtain current information of preset key information in response to receiving a key information detection instruction;
the detection module 300 is configured to detect whether the preset key information is tampered based on original information of the preset key information and current information of the preset key information;
and the tampering processing module 400 is configured to alarm and/or recover the preset key information in response to detecting that the preset key information is tampered.
In an embodiment of the present disclosure, the storage module 100 is further configured to, when it is determined that the preset key information is not tampered, encrypt a storage component of original information of the preset key information, and generate a self-decryption machine code of the storage component; the storage module 100 is further configured to store the self-decrypting machine code in a preset memory space, and restart a calling source of the storage component, where the preset memory space is different from an original memory space of the storage component, and the calling source points to the preset memory space.
In one embodiment of the present disclosure, the storage module 100 is used to divide the program of the storage component into a plurality of program paragraphs; the storage module 100 is further configured to determine, based on the plurality of program paragraphs, a tree structure that generates the program paragraphs, where each node of the tree structure corresponds to one of the plurality of program paragraphs; the storage module 100 is further configured to set an encryption relationship and a decryption relationship between a parent node and a child node of the tree structure, and set a root node of the tree structure as a self-decrypting machine code.
In an embodiment of the present disclosure, the obtaining module 200 is configured to, in response to receiving a key information detection instruction, disable the interrupt associated with the preset key information and detect whether the call interface of the preset key information is safe; the obtaining module 200 is further configured to obtain the current information of the preset key information in response to detecting that the call interface of the preset key information is safe.
In one embodiment of the present disclosure, the original information of the preset key information includes an original hash value of the preset key information, and the current information of the preset key information includes a current hash value of the preset key information; the detection module 300 is configured to determine that the preset key information is not tampered if the original hash value is the same as the current hash value; the detection module 300 is further configured to determine that the preset key information is tampered if the original hash value is different from the current hash value.
In one embodiment of the present disclosure, the preset critical information includes at least one of a global variable, a common variable, a run-time variable, an interrupt descriptor table IDT, a system service descriptor table SSDT and a global descriptor table GDT of the operating system.
It should be noted that the specific implementation of the apparatus for protecting an operating system kernel according to the embodiments of the present disclosure is similar to that of the method for protecting an operating system kernel described above; reference is made to the description of the method, and it is not repeated here in order to reduce redundancy.
In addition, an embodiment of the present disclosure further provides an electronic device, including:
a memory for storing a computer program;
a processor configured to execute the computer program stored in the memory, and when the computer program is executed, implement the method for protecting the operating system kernel according to any of the above embodiments of the present disclosure.
Fig. 4 is a block diagram of an electronic device in an embodiment of the present disclosure. As shown in fig. 4, the electronic device includes one or more processors 10 and memory 20.
The processor 10 may be a Central Processing Unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities, and may control other components in the electronic device to perform desired functions.
Memory 20 may include one or more computer program products that may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM), cache memory (cache), and/or the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, etc. One or more computer program instructions may be stored on the computer-readable storage medium and executed by the processor 20 to implement the methods for protecting an operating system kernel and/or other desired functions of the various embodiments of the present disclosure described above.
In one example, the electronic device may further include: an input device 30 and an output device 40, which are interconnected by a bus system and/or other form of connection mechanism (not shown).
Of course, for simplicity, only some of the components of the electronic device relevant to the present disclosure are shown in fig. 4, omitting components such as buses, input/output interfaces, and the like. In addition, the electronic device may include any other suitable components, depending on the particular application.
In addition to the above-described methods and apparatus, embodiments of the present disclosure may also be a computer program product comprising software code portions which, when run on a computer, cause a processor to perform the steps in the method for protecting an operating system kernel according to various embodiments of the present disclosure described in the above-mentioned part of the specification when the software code portions are run by the processor.
The computer program product may write program code for carrying out operations for embodiments of the present disclosure in any combination of one or more programming languages, including an object-oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present disclosure may also be a computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, cause the processor to perform the steps in the method for protecting an operating system kernel according to various embodiments of the present disclosure described in the above section of this specification.
The computer-readable storage medium may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
The foregoing describes the general principles of the present disclosure in conjunction with specific embodiments, however, it is noted that the advantages, effects, etc. mentioned in the present disclosure are merely examples and are not limiting, and they should not be considered essential to the various embodiments of the present disclosure. Furthermore, the foregoing disclosure of specific details is for the purpose of illustration and description and is not intended to be limiting, since the disclosure is not intended to be limited to the specific details so described.
In the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts in the embodiments are referred to each other. For the system embodiment, since it basically corresponds to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The block diagrams of devices, apparatuses, and systems referred to in this disclosure are only given as illustrative examples and are not intended to require or imply that the connections, arrangements, configurations, etc. must be made in the manner shown in the block diagrams. These devices, apparatuses, and systems may be connected, arranged, or configured in any manner, as will be appreciated by those skilled in the art. Words such as "including," "comprising," "having," and the like are open-ended words that mean "including, but not limited to," and are used interchangeably herein. As used herein, the words "or" and "and" refer to, and are used interchangeably with, the word "and/or," unless the context clearly dictates otherwise. The word "such as" is used herein to mean, and is used interchangeably with, the phrase "such as but not limited to".
The methods and apparatus of the present disclosure may be implemented in a number of ways. For example, the methods and apparatus of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustration only, and the steps of the method of the present disclosure are not limited to the order specifically described above unless specifically stated otherwise. Further, in some embodiments, the present disclosure may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.
It is also noted that in the apparatus, devices, and methods of the present disclosure, various components or steps may be broken down and/or re-combined. Such decomposition and/or recombination should be considered as equivalents of the present disclosure.
The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the disclosure. Thus, the present disclosure is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, this description is not intended to limit embodiments of the disclosure to the form disclosed herein. While a number of example aspects and embodiments have been discussed above, those of skill in the art will recognize certain variations, modifications, alterations, additions and sub-combinations thereof.

Claims (10)

1. A method for protecting an operating system kernel, comprising:
after loading an image of an operating system, storing original information of preset key information of the operating system;
in response to receiving a key information detection instruction, acquiring current information of the preset key information;
detecting whether the preset key information is tampered or not based on the original information of the preset key information and the current information of the preset key information;
and when the preset key information is detected to be tampered, alarming and/or recovering the preset key information.
2. The method according to claim 1, wherein after detecting whether the preset key information is tampered based on the original information of the preset key information and the current information of the preset key information, the method further comprises:
in response to the fact that the preset key information is not tampered, carrying out encryption processing on a storage component of original information of the preset key information, and generating a self-decryption machine code of the storage component;
and storing the self-decryption machine code in a preset memory space, and restarting a calling source of the storage component, wherein the preset memory space is different from the original memory space of the storage component, and the calling source points to the preset memory space.
3. The method according to claim 2, wherein the encrypting the storage component of the original information of the preset key information to generate a self-decrypting machine code of the storage component comprises:
dividing the program of the storage component into a plurality of program paragraphs;
determining, based on the plurality of program paragraphs, a tree structure that generates program paragraphs, wherein each node of the tree structure corresponds to one of the plurality of program paragraphs;
and setting an encryption relationship and a decryption relationship between a father node and a child node of the tree structure, and setting a root node of the tree structure as the self-decryption machine code.
4. The method of claim 1, wherein the obtaining current information of the preset key information in response to receiving a key information detection instruction further comprises:
in response to receiving the key information detection instruction, closing the interruption associated with the preset key information, and detecting whether a calling interface of the preset key information is safe;
and acquiring the current information of the preset key information in response to the detection of the safety of the calling interface of the preset key information.
5. The method according to any one of claims 1 to 4, wherein the original information of the preset key information includes an original hash value of the preset key information, and the current information of the preset key information includes a current hash value of the preset key information; the detecting whether the preset key information is tampered based on the original information of the preset key information and the current information of the preset key information includes:
if the original hash value is the same as the current hash value, determining that the preset key information is not tampered;
and if the original hash value is different from the current hash value, determining that the preset key information is tampered.
6. The method of any of claims 1-4, wherein the pre-defined critical information comprises at least one of a global variable, a common variable, a run-time variable, an Interrupt Descriptor Table (IDT), a System Service Descriptor Table (SSDT), and a Global Descriptor Table (GDT) of the operating system.
7. An apparatus for protecting an operating system kernel, comprising:
the storage module is used for storing original information of preset key information of the operating system after the image of the operating system is loaded;
the acquisition module is used for responding to the received key information detection instruction and acquiring the current information of the preset key information;
the detection module is used for detecting whether the preset key information is tampered or not based on the original information of the preset key information and the current information of the preset key information;
and the tampering processing module is used for alarming and/or recovering the preset key information when the preset key information is tampered.
8. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing a computer program stored in said memory, and when executed, implementing a method for protecting an operating system kernel as claimed in any of claims 1 to 6.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method for protecting an operating system kernel according to any one of the preceding claims 1 to 6.
10. A computer program product for a computer, comprising software code portions for performing the method for protecting an operating system kernel of any one of claims 1 to 6 when said product is run on said computer.
CN202211606380.4A 2022-12-12 2022-12-12 Method and apparatus for protecting operating system kernel Pending CN115935373A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211606380.4A CN115935373A (en) 2022-12-12 2022-12-12 Method and apparatus for protecting operating system kernel

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211606380.4A CN115935373A (en) 2022-12-12 2022-12-12 Method and apparatus for protecting operating system kernel

Publications (1)

Publication Number Publication Date
CN115935373A true CN115935373A (en) 2023-04-07

Family

ID=86648680

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211606380.4A Pending CN115935373A (en) 2022-12-12 2022-12-12 Method and apparatus for protecting operating system kernel

Country Status (1)

Country Link
CN (1) CN115935373A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116861411A (en) * 2023-06-05 2023-10-10 北京连山科技股份有限公司 Secure sandbox data protection method and system based on Seccomp mechanism
CN116861411B (en) * 2023-06-05 2024-06-25 北京连山科技股份有限公司 Seccomp mechanism-based safe sandbox data protection method and system

Similar Documents

Publication Publication Date Title
US12149623B2 (en) Security privilege escalation exploit detection and mitigation
US12284269B2 (en) System and method for securing computer code using dynamically generated digital signatures
JP5736305B2 (en) Systems and programs for establishing and monitoring software evaluation
WO2017160376A1 (en) Systems and methods for generating tripwire files
CN106560830A (en) Linux embedded system safety protection method and system
CN107092824B (en) Application program running method and device
US12411955B2 (en) Control method and apparatus for safety boot of chip, electronic device and storage medium
CN115248919A (en) Method and device for calling function interface, electronic equipment and storage medium
US20190121985A1 (en) Detecting vulnerabilities in applications during execution
CN115935373A (en) Method and apparatus for protecting operating system kernel
CN108959915B (en) Rootkit detection method, rootkit detection device and server
CN109446011A (en) A kind of firmware safety detecting method, device and the storage medium of hard disk
EP3535681B1 (en) System and method for detecting and for alerting of exploits in computerized systems
US11263313B2 (en) Securing execution of a program
US12340002B2 (en) Monitoring range determination device, monitoring range determination method, and computer readable medium
CN111090889A (en) Method for detecting ELF file and electronic equipment
US11853417B2 (en) Hardware device integrity validation using platform configuration values
CN114168163A (en) A program installation method, device and medium
CN115878122B (en) Method, system and storage medium for corruption determination of data items
US20250258921A1 (en) System and Method for Automated Whitelisting Prior to Installation
US20250193019A1 (en) Monitoring user space processes using heartbeat messages authenticated based on integrity measurements
CN117272291A (en) Intrusion detection method of application program and related device
CN109977665A (en) Cloud Server start-up course Anti-theft and tamper resistant method based on TPCM
CN118555084A (en) LibOS file time verification method and LibOS file time verification device
CN117131475A (en) Business service process permission detection method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination