WO2021208353A1 - Device and method for dynamically measuring trusted state of computer based on call stack track - Google Patents
- Publication number: WO2021208353A1 (PCT/CN2020/115905)
- Authority: WO (WIPO PCT)
- Prior art keywords: state, unit, call stack, thread, measurement
- Legal status: Ceased (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Definitions
- The static analysis of the function call stack trace of an executable image can follow common industry practice. For example: perform binary analysis and disassembly of the executable image (the executable file and its dynamic link libraries); recover the head address, offset information and mutual call information of each exported function (or procedure) and each non-exported function (by disassembling the call instructions); then, for each function, deduce which functions call it, and obtain the remaining call relationships recursively.
- The call relationships of all functions can be summarized as a directed graph of function call relationships. Each node in the graph represents a function, and the direction of an arrow indicates the direction in which the stack grows downward (from caller to callee).
- This function call relationship graph is the statically analyzed call stack trace measurement.
- Registration of the monitoring callbacks is carried out in accordance with the operating system kernel development specifications. For example, on Windows, PsSetCreateProcessNotifyRoutine and PsSetCreateThreadNotifyRoutine are used to register the process creation callback function and the thread creation callback function respectively, and a timer is used to periodically scan for process and thread changes and destruction, with the callback function registered under the timer.
- Collection of the call stack information is carried out according to general operating system kernel development practice. For example, on Windows, semi-public functions such as PsGetNextProcess and PsGetNextProcessThread (disclosed in the Windows Research Kernel) can be used to obtain KTHREAD structure data, from which call stack information such as InitialStack and StackLimit is read.
- Notification of user mode is carried out in accordance with the operating system kernel development specifications. For example, on Windows, a notification event handle is passed in from user mode through the IoControl system call, and when user mode is to be notified, a Set operation is performed on that notification event handle.
- If the call relation graph derived from the measured call stacks is a subgraph of the general function call relation graph, the match succeeds; otherwise the match fails. If the match fails, the user is alerted and an alarm log is recorded; at this time the dynamic trusted state of the user's computer is that trusted integrity has been compromised. If the match succeeds, the dynamic trusted state of the user's computer remains trusted.
Description
The invention belongs to the field of information security, and in particular relates to a device and a method for dynamically measuring the trusted state of a computer based on call stack traces.
Trusted computing, as an active defense technology, does not depend on updates to a virus signature database and can automatically resist new types of security threats such as ransomware, adware Trojans and cryptominers. Traditional trusted computing technology relies on measuring in advance the legitimate boot loader, the boot loader configuration files, the operating system kernel, and even the user-mode executable files and dynamic link library files stored on disk outside the kernel, and then comparing the measurement of the executable image actually loaded into memory against the previously stored measurement. If the comparison does not match, this can naturally be treated as the loading of an illegitimate file, and the trusted system is thereby able to block unknown security threats.
In recent years, with the introduction of new national standards for classified protection of computer systems, trusted computing systems have introduced, in addition to the traditional measurement of executable file content, a measurement of trusted behavior. This mainly refers to monitoring the system calls (such as opening files, opening network sockets, opening processes, performing memory mappings, and so on) made by the code of the monitored executable-file images and dynamic-link-library images in memory. Once the code makes a system call that goes beyond the behavior expected of that code segment, it can be concluded that during execution, under the influence of malicious input or other causes, the code segment has suffered a stack overflow, heap overflow or similar attack, which caused the code to invoke a system call it should not have invoked.
However, some key executable programs need to make the various kinds of system calls mentioned above in order to perform their own functions. For example, it is entirely reasonable for a browser program to open a network socket. If malicious input exploits a vulnerability in the browser program so that the browser makes an "open network socket" system call that its designer did not intend (for example, to send some data from the victim's host to the attacker), then from the point of view of the trusted computing system's monitoring program, "open network socket" is not abnormal behavior for a browser program, and no alarm is triggered.
Therefore, how to monitor program behavior at a finer granularity, distinguishing legitimate "as designed" calls (trusted calls) from illegitimate "deviating from the design" calls (untrusted calls), has become a problem worth considering.
Summary of the invention
Purpose of the invention: In view of the above defects, the present invention provides a device and method for dynamically measuring the trusted state of a computer based on call stack traces, which solves the problem that traditional trusted computing measurement measures trusted behavior too coarsely.
Technical solution: The present invention proposes a device for dynamically measuring the trusted state of a computer based on call stack traces, comprising a process monitoring unit, a thread monitoring unit, a state collection and construction unit, a state measurement unit, a user-mode contact unit, a state measurement matching unit and a call stack trace storage unit. The process monitoring unit and the thread monitoring unit are connected to the state collection and construction unit, the state collection and construction unit is connected to the state measurement unit, the state measurement unit is connected to the user-mode contact unit, the user-mode contact unit is connected to the state measurement matching unit, and the state measurement matching unit is connected to the call stack trace storage unit.
Further, the process monitoring unit is used to register a process monitoring callback function in kernel mode, so that the operating system notifies the callback function when a process is created or destroyed; the process monitoring callback function is responsible for notifying the state collection and construction unit to collect the call stack information of the process and of each thread under that process.
Further, the thread monitoring unit is used to register a thread monitoring callback function in kernel mode, so that the operating system notifies the thread monitoring callback function when a thread inside a process is created or destroyed; the thread monitoring callback function is responsible for notifying the state collection and construction unit to collect the call stack information of each thread of the process to which the thread belongs.
Further, the state collection and construction unit is used, in kernel mode, to obtain the call stack information of all threads under a process ID according to the process ID parameter passed by the process monitoring unit and the thread monitoring unit, and to pass it to the state measurement unit.
Further, the state measurement unit is used, in kernel mode, to generate a call stack measurement from the call stack information of all threads of the process, and to pass it to the user-mode contact unit.
Further, the user-mode contact unit is used, in kernel mode, to notify the state measurement matching unit program located in user mode to match the measurement of the call stack information of all threads of the process.
Further, the state measurement matching unit is used, in user mode, to receive the measurement of the call stack information of all threads of the process sent from the kernel-mode user-mode contact unit, and to retrieve the corresponding process's call stack trace measurement from the call stack trace storage unit for a matching judgment. If the match fails, the user is alerted and an alarm log is recorded; at this time the dynamic trusted state of the user's computer is that trusted integrity has been compromised. If the match succeeds, the dynamic trusted state of the user's computer remains trusted.
A method for dynamically measuring the trusted state of a computer, using the above device for dynamically measuring the trusted state of a computer based on call stack traces, comprises the following steps:
(1) In the call stack trace storage unit, statically analyze and pre-store the call stack trace measurement of the executable image to be measured;
(2) In kernel mode, invoke the process monitoring unit and the thread monitoring unit to register the process monitoring callback function and the thread monitoring callback function, and monitor changes to all processes in the system and to the threads under those processes;
(3) When a process, or a thread under a process, undergoes a change such as creation, destruction or suspension, the state collection and construction unit obtains the call stack information of all threads under the process ID according to the process ID parameter passed by the process monitoring unit and the thread monitoring unit, and passes it to the state measurement unit;
(4) In kernel mode, the state measurement unit generates a call stack measurement from the call stack information of all threads of the process reported by the state collection and construction unit, and passes it to the user-mode contact unit;
(5) In kernel mode, the user-mode contact unit notifies the state measurement matching unit located in user mode to match the call stack measurement of the changed process and its threads;
(6) Compare the call stack information in user mode.
Further, the specific steps for comparing the call stack information in user mode in step (6) are as follows: in user mode, the state measurement matching unit compares the call stack measurement of the changed process and its threads against the pre-statically-analyzed call stack information of the executable image retrieved from the call stack trace storage unit, checking whether the measurement passed from the kernel matches the pre-stored, statically analyzed call stack information measurement. If the match fails, the user is alerted and an alarm log is recorded; at this time the dynamic trusted state of the user's computer is that trusted integrity has been compromised. If the match succeeds, the dynamic trusted state of the user's computer remains trusted.
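As an added illustration of both the static call-graph analysis described under Definitions and the matching judgment of step (6), the following Python is example code written for this page, not the patent's implementation. It builds a directed function call graph from a constructed, simplified disassembly listing, deduces the callers of a function recursively, reduces captured thread call stacks to caller-to-callee edges as the per-thread measurement, and checks that every thread's edges form a subgraph of the static graph. The listing format, the function names, the thread stacks, the process IDs and the edge-set representation of the measurement are all assumptions made for this example.

```python
"""Added example, not part of the patent: static call-graph extraction and
subgraph matching of captured thread call stacks. All inputs are constructed."""
import re
from typing import Dict, List, Set, Tuple

# Constructed, simplified disassembly of one executable image (hypothetical
# format): a "<name>:" label opens a function and each call names its target.
# Real static analysis would recover head addresses and resolve targets itself.
DISASSEMBLY = """
main:
    call run
run:
    call open_config
    call handle_request
open_config:
    call fopen
handle_request:
    call parse_request
    call send_reply
parse_request:
    call memcpy
send_reply:
    call socket_send
socket_send:
    call socket
"""

CallGraph = Dict[str, Set[str]]
Edge = Tuple[str, str]


def build_call_graph(listing: str) -> CallGraph:
    """Static analysis: map each function to the set of functions it calls
    (directed graph; an arrow points in the direction the stack grows down)."""
    graph: CallGraph = {}
    current = None
    for line in listing.splitlines():
        label = re.match(r"^(\w+):\s*$", line)
        if label:
            current = label.group(1)
            graph.setdefault(current, set())
            continue
        call = re.match(r"^\s+call\s+(\w+)\s*$", line)
        if call and current is not None:
            target = call.group(1)
            graph[current].add(target)
            graph.setdefault(target, set())  # leaf or imported function node
    return graph


def callers_of(graph: CallGraph, func: str) -> Set[str]:
    """Recursively deduce every function that can transitively call `func`."""
    found: Set[str] = set()
    pending = [func]
    while pending:
        callee = pending.pop()
        for caller, callees in graph.items():
            if callee in callees and caller not in found:
                found.add(caller)
                pending.append(caller)
    return found


def stack_to_edges(frames: List[str]) -> Set[Edge]:
    """Per-thread measurement (assumed representation): a captured stack,
    innermost frame first, becomes the caller->callee edges between frames."""
    return {(frames[i + 1], frames[i]) for i in range(len(frames) - 1)}


def match_process(graph: CallGraph, thread_stacks: Dict[int, List[str]]) -> Tuple[bool, List[str]]:
    """Matching judgment: each thread's edges must be a subgraph of the static
    graph, and every frame must be a function the static analysis knows."""
    alarms: List[str] = []
    for tid, frames in thread_stacks.items():
        for frame in frames:
            if frame not in graph:
                alarms.append(f"thread {tid}: unknown frame {frame}")
        for caller, callee in sorted(stack_to_edges(frames)):
            if callee not in graph.get(caller, set()):
                alarms.append(f"thread {tid}: unexpected edge {caller} -> {callee}")
    return not alarms, alarms


def measure_trusted_state(graph: CallGraph, thread_stacks: Dict[int, List[str]], pid: int) -> Tuple[str, List[str]]:
    """Outcome as the patent states it: remain trusted, or alert and log."""
    ok, alarms = match_process(graph, thread_stacks)
    if ok:
        return "trusted", []
    return "trusted integrity compromised", [f"ALARM pid={pid} {a}" for a in alarms]


# Constructed stacks as the kernel-side collector would report them (innermost first).
TRUSTED_THREADS = {
    1: ["fopen", "open_config", "run", "main"],
    2: ["socket", "socket_send", "send_reply", "handle_request", "run", "main"],
}
# Thread 2 now reaches socket_send from parse_request, a caller the static graph
# never contains: a control-flow deviation that syscall-type monitoring alone
# would accept, because this program legitimately opens sockets.
DIVERTED_THREADS = {
    1: ["fopen", "open_config", "run", "main"],
    2: ["socket", "socket_send", "parse_request", "handle_request", "run", "main"],
}

if __name__ == "__main__":
    g = build_call_graph(DISASSEMBLY)
    print("callers of socket:", sorted(callers_of(g, "socket")))
    for pid, stacks in ((1001, TRUSTED_THREADS), (1002, DIVERTED_THREADS)):
        state, log = measure_trusted_state(g, stacks, pid)
        print(pid, state, *log)
```

Run stand-alone, the script reports the first process as trusted and the second as compromised, with an alarm naming the unexpected `parse_request -> socket_send` edge, even though opening a socket is normal for this program; that is exactly the gap in syscall-type monitoring that the background section describes. In a real deployment the frames would be return addresses resolved against the image's function table, and a stack captured mid-prologue or through a function compiled without frame pointers can yield spurious edges, so the matching unit must be tuned to the unwinding accuracy of the kernel-side collector to keep false alarms down.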
By adopting the above technical solution, the present invention has the following beneficial effects:
By monitoring processes, threads and thread call stacks and comparing them against pre-stored data on the possible function call stacks of the code, the present invention discovers possible abnormal behavior in the code's execution flow. Compared with dynamic trust measurement schemes that only monitor the types of system calls, both the strength and the depth of detection are taken a step further.
Figure 1 is a schematic structural diagram of the present invention.
The present invention is further explained below with reference to specific embodiments. It should be understood that these embodiments are only intended to illustrate the present invention and not to limit its scope; after reading the present invention, modifications of the invention into various equivalent forms by those skilled in the art all fall within the scope defined by the claims appended to this application.
The implementation method of the present invention is described in more detail below with reference to the accompanying drawings.
As shown in Figure 1, the device for dynamically measuring the trusted state of a computer based on call stack traces described in the present invention comprises a process monitoring unit, a thread monitoring unit, a state collection and construction unit, a state measurement unit, a user-mode contact unit, a state measurement matching unit and a call stack trace storage unit. The process monitoring unit and the thread monitoring unit are connected to the state collection and construction unit, the state collection and construction unit is connected to the state measurement unit, the state measurement unit is connected to the user-mode contact unit, the user-mode contact unit is connected to the state measurement matching unit, and the user-mode contact unit is connected to the call stack trace storage unit.
The process monitoring unit comprises a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, it implements: registering a process monitoring callback function in kernel mode, so that the operating system notifies the callback function when a process is created or destroyed. The process monitoring callback function is responsible for notifying the state collection and construction unit to collect the call stack information of the process and of each thread under that process.
The thread monitoring unit comprises a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, it implements: registering a thread monitoring callback function in kernel mode, so that the operating system notifies the thread monitoring callback function when a thread inside a process is created or destroyed. The thread monitoring callback function is responsible for notifying the state collection and construction unit to collect the call stack information of each thread of the process to which the thread belongs.
The state collection and construction unit comprises a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, it implements: in kernel mode, obtaining the call stack information of all threads under a process ID according to the process ID parameter passed by the process monitoring unit and the thread monitoring unit, and passing it to the state measurement unit.
The state measurement unit comprises a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, it implements: in kernel mode, generating a call stack measurement from the call stack information of all threads of the process, and passing it to the user-mode contact unit.
The user-mode contact unit comprises a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, it implements: in kernel mode, notifying the state measurement matching unit program located in user mode to match the measurement of the call stack information of all threads of the process.
The state measurement matching unit comprises a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, it implements: in user mode, receiving the measurement of the call stack information of all threads of the process sent from the kernel-mode user-mode contact unit, and retrieving the corresponding process's call stack trace measurement from the call stack trace storage unit for a matching judgment. If the match fails, the user is alerted and an alarm log is recorded. At this time the dynamic trusted state of the user's computer is that trusted integrity has been compromised. If the match succeeds, the dynamic trusted state of the user's computer remains trusted.
The call stack trace storage unit comprises a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, it implements: in user mode, providing the state measurement matching unit with the pre-statically-analyzed call stack trace measurement of the executable image corresponding to the process.
The following describes in detail the procedure by which this device dynamically measures the trusted state of a computer based on call stack traces:
1. Statically analyse the call stack trace measurement and store it in the call stack trace storage unit
Static analysis of the function call stack traces of an executable image can follow common industry practice. For example, binary analysis and disassembly of the executable image (executable files and dynamic link libraries) yields, for every exported function (or procedure) and every non-exported function, its entry address, offset information and mutual call information (by disassembling call instructions). For each function one can then derive which functions call it and, recursively, obtain the trace of the function calls below the top of the stack whenever that function is at the top of the call stack.
For storage efficiency, the call stacks of all functions can be summarised in a single directed graph of function call relationships. Each node in the graph represents a function, and the direction of an arrow indicates the downward direction of the stack. This overall function call relationship graph is the statically analysed call stack trace measurement.
2. Register the process monitoring callback function and the thread monitoring callback function
This step follows the operating system's kernel development specifications. On Windows, for example, PsSetCreateProcessNotifyRoutine and PsSetCreateThreadNotifyRoutine are used to register the process creation callback and the thread creation callback respectively, while a timer is used to periodically scan for process and thread changes and destruction; the callback functions are registered under the timer.
3. Collect the call stack information of the threads belonging to a process by process ID
This step follows general operating system kernel development practice. On Windows, for example, semi-documented functions such as PsGetNextProcess and PsGetNextProcessThread (disclosed in the Windows Research Kernel) can be used to obtain KTHREAD structure data, from which call stack information such as InitialStack and StackLimit is obtained.
4. Generate a measurement from the call stack information
Concatenating the call stack return addresses (i.e. the addresses that identify function entries) of every thread under the same process constitutes the measurement of the call stack information.
5. Notify user mode to perform the measurement
This step follows the operating system's kernel development specifications. On Windows, for example, a notification event handle is passed in from user mode via an IoControl system call, and when user mode is to be notified, a Set operation is performed on that event handle.
6. Compare the call stack information in user mode
The call stack information measurement of every thread under the same process, as delivered from the kernel, is re-expressed as the current call relationship graph between calling function nodes and is searched and compared against the function call relationship graph held in the call stack trace storage unit. If the current call relationship graph is a subgraph of the overall function call relationship graph, matching succeeds; otherwise matching fails. If matching fails, the user is alerted and an alarm log entry is recorded; the dynamic trusted state of the user's computer is then that its trusted integrity has been compromised. If matching succeeds, the dynamic trusted state of the user's computer remains trusted.
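The measurement of step 4 and the subgraph comparison of step 6 (taking the static graph of step 1 as input), written here as an added Python example that is not the patent's own code. The image layout, the static call graph and the thread stacks are constructed, and storing edges as caller -> callee is this example's own representation of the graph.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed layout of an imaginary image: (entry, end, name). In the method
# above this comes from disassembling the executable image (step 1).
FUNCTIONS: List[Tuple[int, int, str]] = [
    (0x401000, 0x401100, "main"),
    (0x401100, 0x401200, "serve"),
    (0x401200, 0x401280, "parse_request"),
    (0x401280, 0x401300, "read_header"),
    (0x401300, 0x401380, "send_reply"),
    (0x401380, 0x401400, "log"),
]
# Constructed static call graph (the overall call relationship graph of step 1),
# stored here as caller -> set of callees.
STATIC_CALL_GRAPH: Dict[str, Set[str]] = {
    "main": {"serve", "log"},
    "serve": {"parse_request", "send_reply"},
    "parse_request": {"read_header"},
    "send_reply": {"log"},
}

def resolve(addr: int) -> Optional[str]:
    """Map a frame address to the function that contains it, or None."""
    for entry, end, name in FUNCTIONS:
        if entry <= addr < end:
            return name
    return None

def measure(thread_stacks: Dict[int, List[int]]) -> List[List[int]]:
    """Step 4: join all threads' return-address lists (innermost frame first), per thread."""
    return [list(stack) for _, stack in sorted(thread_stacks.items())]

def current_call_graph(measurement: List[List[int]]) -> Tuple[Set[Tuple[str, str]], List[int]]:
    """Step 6a: re-express the measurement as caller -> callee edges; collect unknown frames."""
    edges, unknown = set(), []
    for stack in measurement:
        names = [resolve(a) for a in stack]
        unknown += [a for a, n in zip(stack, names) if n is None]
        for callee, caller in zip(names, names[1:]):  # frame i is called by frame i+1
            if callee is not None and caller is not None:
                edges.add((caller, callee))
    return edges, unknown

def match(measurement: List[List[int]], static=STATIC_CALL_GRAPH) -> Tuple[bool, List[str]]:
    """Step 6b: trusted iff every frame is known and the current graph is a subgraph of static."""
    edges, unknown = current_call_graph(measurement)
    problems = [f"frame {a:#x} lies outside every known function" for a in unknown]
    problems += [f"edge {c} -> {d} is not in the static call graph"
                 for c, d in sorted(edges) if d not in static.get(c, set())]
    return not problems, problems  # on failure the caller alerts and logs
```

A frame outside every known function and a caller/callee pair absent from the static graph are the two ways the check reports a compromised state.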
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010293691.4A (CN111538986B) | 2020-04-15 | 2020-04-15 | Device and method for dynamically measuring computer trusted state based on call stack track |
| CN202010293691.4 | 2020-04-15 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2021208353A1 true WO2021208353A1 (en) | 2021-10-21 |
Family
ID=71972990
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2020/115905 Ceased WO2021208353A1 (en) | 2020-04-15 | 2020-09-17 | Device and method for dynamically measuring trusted state of computer based on call stack track |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN111538986B (en) |
| WO (1) | WO2021208353A1 (en) |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111538986A (en) | 2020-08-14 |
| CN111538986B (en) | 2023-05-09 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20931244; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 20931244; Country of ref document: EP; Kind code of ref document: A1 |