CN103226676A - Mixed method for measuring creditability of application software - Google Patents


Info

Publication number
CN103226676A
Authority
CN
China
Prior art keywords
software
application software
creditability
security
application
Legal status
Pending
Application number
CN2013100673647A
Other languages
Chinese (zh)
Inventor
韩永飞
韩冬冬
Current Assignee
Onets Wireless & Internet Security Tech Co Ltd
Original Assignee
Onets Wireless & Internet Security Tech Co Ltd

Abstract

The invention provides a hybrid method for measuring the trustworthiness of application software. It addresses the following problem: in the trusted computing field, a TPM (trusted platform module), TCM (trusted control model) or TPCM (trusted platform control model) is currently used to achieve secure boot, but research on measuring the trustworthiness of application software after the operating system has loaded is still immature. Based on this hybrid measurement method, a security protection system is designed and implemented to protect the security of the computer.

Description

Hybrid method for measuring the trustworthiness of application software
Technical field:
The present invention designs a hybrid method for measuring the trustworthiness of application software and, using this method, designs and implements a security protection system that protects the security of the computer system and stops viruses and Trojan horses from running.
Background technology:
With the rapid development of information technology, information security problems have become increasingly complex. System security problems emerge endlessly and, while causing harm, also hold back the progress of informatization. The conventional information security system, built mainly from firewalls, intrusion detection and antivirus, is gradually proving powerless against ever-changing malicious attack techniques: in the end it can only make the firewall "wall" ever higher, intrusion detection ever more complex and the malicious code database ever bigger, yet it has no defence against new attacks. "The old three: patch the holes, build high walls and guard against outside attack, yet still hard to guard" is the basic situation of information security [1]. In recent years trusted computing, which embodies a whole-system view of security, has attracted more and more attention and has become a new hot research direction in information security. Unlike traditional security technology, it guards against attack starting from the bottom layer and the terminal.
With the founding of the Trusted Computing Group (TCG) and the release of trusted computing standards built around the Trusted Platform Module (TPM) [2], research on trusted systems has attracted great attention from researchers worldwide. According to the TCG standard, and unlike traditional security systems, the core idea of trusted computing is to introduce a security coprocessor, the TPM, embedded in the computer platform, and to use the TPM's measurement and constraint to guarantee the trustworthiness of the system. The typical application of the TPM is secure boot: from the moment the system powers up, the BIOS, system I/O, ROM, hardware and system kernel are measured for integrity in turn, ensuring that the system starts in a normal state. This effectively stops viruses, Trojans and illegal programs from attacking and damaging the system, so that the system runs free from attack, reliably and stably. The TCM adopts Chinese cryptographic algorithms, and the TPCM adds active control and active measurement.
However, whether for secure boot or for the trusted measurement used during verified boot, the following problem remains. From power-on to loading the operating system (referred to as system bootstrap) is a single chain with a fixed order, and the BIOS, operating system loader and operating system are generally fairly stable, so the integrity measurement along this chain of trust is relatively simple to implement. The chain of trust from the operating system to applications, however, differs from the bootstrap process: first, the applications on an operating system platform are generally not a single one, and there is no necessary ordering relation between them; second, during a single user session not all permitted applications will necessarily be used. For the whole process from power-on through BIOS to the operating system, because the flow varies little, trusted measurement has been researched extensively and has reached practical application [3] [4] [5], whereas research on measuring application programs after the operating system has loaded is still very immature.
Summary of the invention:
1 Static measurement of application software
Static measurement of application software adopts the "white list method". A list of application software is stored in the computer system, holding the HASH measurement value of each legitimate application. After the operating system starts and before each application runs, the application is measured and the result is compared with the HASH values in the database (the white list): an application that passes the comparison is trusted, and one that does not is not trusted. Static measurement of application software is achieved in this way.
2 Dynamic measurement of application software
The dynamic measurement method for application software is: dynamically monitor instances of the software, extract behaviour features from them and build a normal-behaviour model of the software; then monitor the actual run of the software, extract its behaviour features and compare them with the normal-behaviour model. If the deviation of the software's behaviour exceeds the specified threshold, the software's behaviour is judged untrusted. Monitoring the actual run means monitoring the behaviour during the software's execution, such as file operations and registry modifications.
3 Hybrid static and dynamic measurement of application software
Present-day software exists in a huge number of different versions and configuration files, so using only the static "white list method" is inconvenient. This paper therefore proposes a hybrid static and dynamic measurement method for application software.
The hybrid measurement method is: perform static measurement on the application before it starts; an application whose static measurement result is trusted is allowed to run directly. Because the reason an application fails static measurement may be that the "white list" database is incomplete, dynamic measurement is performed on those applications, and the dynamic measurement makes the final decision on whether they are allowed to run.
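The static, dynamic and hybrid measurements of sections 1 to 3 above, as an added Python example (not code from the patent): the white list is keyed by SHA-256 of the program image (the hash algorithm is an assumption), the normal-behaviour model is the mean count of each monitored action over observed runs, and the deviation is a normalised L1 distance compared against the threshold. All images, action counts and the 0.5 threshold are constructed sample values.

```python
import hashlib
from collections import Counter

# Constructed stand-ins for program images (the real system hashes the executable file).
TRUSTED_IMAGE = b"MZ\x90\x00 constructed image of a white-listed application"
UNKNOWN_IMAGE = b"MZ\x90\x00 constructed image of a new version not yet listed"

def measure_hash(image: bytes) -> str:
    """HASH measurement value stored in the white list (SHA-256 assumed here)."""
    return hashlib.sha256(image).hexdigest()

WHITELIST = {measure_hash(TRUSTED_IMAGE)}

def static_measure(image: bytes, whitelist=WHITELIST) -> bool:
    """Static measurement: trusted only if the image hash is in the white list."""
    return measure_hash(image) in whitelist

def build_model(runs):
    """Normal-behaviour model: mean count of each monitored action over observed runs."""
    total = Counter()
    for run in runs:
        total.update(run)
    return {action: count / len(runs) for action, count in total.items()}

def deviation(model, observed) -> float:
    """Distance between observed action counts and the model, normalised by the
    model's total activity so one threshold works for busy and quiet programs."""
    actions = set(model) | set(observed)
    diff = sum(abs(model.get(a, 0.0) - observed.get(a, 0)) for a in actions)
    return diff / (sum(model.values()) or 1.0)

def dynamic_measure(model, observed, threshold: float) -> bool:
    """Dynamic measurement: behaviour is trusted if its deviation stays within threshold."""
    return deviation(model, observed) <= threshold

def hybrid_measure(image, model, observed, threshold=0.5):
    """Static measurement first; an application that fails it (the white list may be
    incomplete) is allowed only if dynamic measurement of its behaviour passes."""
    if static_measure(image):
        return ("allow", "static")
    if dynamic_measure(model, observed, threshold):
        return ("allow", "dynamic")
    return ("deny", "dynamic")

# Constructed behaviour features: counts of monitored actions per run.
NORMAL_RUNS = [
    {"file_read": 10, "file_write": 2, "registry_write": 1},
    {"file_read": 12, "file_write": 2, "registry_write": 1},
]
MODEL = build_model(NORMAL_RUNS)
NORMAL_RUN = {"file_read": 11, "file_write": 3, "registry_write": 1}
BAD_RUN = {"file_read": 11, "file_write": 40, "registry_write": 9, "process_create": 5}

if __name__ == "__main__":
    print(hybrid_measure(TRUSTED_IMAGE, MODEL, NORMAL_RUN))   # ('allow', 'static')
    print(hybrid_measure(UNKNOWN_IMAGE, MODEL, NORMAL_RUN))   # ('allow', 'dynamic')
    print(hybrid_measure(UNKNOWN_IMAGE, MODEL, BAD_RUN))      # ('deny', 'dynamic')
```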
1.4 Hook SSDT
The Windows executive runs in kernel mode and provides native support to all subsystems of the operating system (Win32, POSIX and OS/2). The addresses of these native system services are kept in the kernel in the System Service Dispatch Table (SSDT). This table can be indexed by the system call number to map to the memory address of the function. There is also a System Service Parameter Table (SSPT), which specifies the number of bytes of function parameters for each system service.
KeServiceDescriptorTable is a table exported by the kernel. It holds a pointer to the part of the SSDT containing the core system services implemented by Ntoskrnl.exe, the main component of the kernel. The KeServiceDescriptorTable also contains a pointer to the SSPT.
Executing the INT 2E or SYSENTER instruction activates the system service dispatcher, which transitions the calling process into kernel mode. If the SSDT is changed to point to a function supplied by a rootkit, rather than into Ntoskrnl.exe or Win32k.sys, then when a non-kernel application calls into the kernel the request is handled by the system service dispatcher and the rootkit's function is called. At that point the rootkit can return any false information it wants to the application, thereby effectively hiding itself and the resources it uses. [5]
The macros exported by Microsoft make it easy to hook the SSDT.
Description of drawings:
Fig. 1: system structure diagram.
Fig. 2: schematic diagram of the system's operational process.
Embodiment:
Through research into the hybrid measurement method for application software trustworthiness, this hybrid method is used to design a security protection system that runs on the operating system and protects the computer.
One. System architecture
The system consists mainly of three parts: the server-side application, the client application and the kernel-layer driver; the system structure is shown in Fig. 1.
The functions of the server end include:
1. Interacting with the client: querying the database according to the request sent by the client and replying to the client with the query result.
2. Adding the information collected by the client to the contents of the server-side database.
The functions of the client include:
1. Interacting with the driver layer: receiving the process information passed by the driver layer and sending commands to the driver layer.
2. Interacting with the server end: sending query commands to the server end and accepting the results the server returns.
3. Counting the number of times strange programs appear and the circumstances, and sending the application's information to the server end.
The functions of the driver layer include:
1. Monitoring processes about to run and sending their information to the application-layer client.
2. Performing control operations on running processes, such as suspending and terminating them.
Two. system's operational process
A callback function is registered in the driver layer. When a process starts, the callback captures the process-start information, parses out the process name, path, process location and similar details, passes this information to the application-layer client program, and then returns.
The client computes the hash value of the received process and sends a request to the server end, which completes the lookup of the process information. The trustworthiness of the process about to start is judged by comparing against the "white list" database held on the server end. The server returns the query result to the client, and the client acts according to that result. A trusted process is allowed to pass and run normally. Otherwise the user is reminded, and if the user still wishes the process to run, that process is subjected to dynamic measurement; a process found to be harmful during measurement is stopped.
The overall operational process of the system is shown in Fig. 2.
Three. the realization of system
Viruses and Trojans present in a system can never be completely separated from processes, so stopping harmful processes from running achieves the goal of preventing viruses and Trojans from running.
According to the above principle, an application must be intercepted before it starts; interception of application software is implemented in the driver layer using the Hook SSDT method. Under the Windows operating system, all user actions on the underlying hardware are completed through drivers, rather than the operating system sending operation signals directly to the hardware device.
The driver layer obtains the application's information and passes it to the system client, which judges the application's trustworthiness according to the static and dynamic hybrid measurement principle described above. The client feeds its decision and the resulting command information back to the driver layer, and the driver layer acts on the command it receives: suspending, resuming or terminating the process.
To avoid the client-side database lookup affecting system performance and requiring constant updates of the client database, the database query is placed on the server end; the client only needs to send a request and receive a reply. The SSL protocol is adopted to secure communication between client and server. SSL sits between the TCP/IP protocol and the various application-layer protocols and provides security support for data communication. SSL can be divided into two layers. The SSL Record Protocol is built on a reliable transport protocol (such as TCP) and provides upper-layer protocols with basic functions such as data encapsulation, compression and encryption. The SSL Handshake Protocol is built on the SSL Record Protocol and is used, before actual data transfer begins, for the two communicating parties to authenticate each other, negotiate encryption algorithms and exchange encryption keys. During system development the OpenSSL package was used to develop the communications part.
The quantity of application software is huge, and new software and new versions appear every day, so a self-learning mechanism must be built into the system. When a user encounters a strange program and that program appears with a certain frequency, the program's relevant information is sent to the server, which verifies its trustworthiness and then adds it to the database; the next time the program starts an accurate judgement can be made, and in this way the database is improved continuously.
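The operational process of section Two and the self-learning mechanism just described, as an added Python model (not the patent's own code): the driver callback is represented by an event dict, the client hashes the image, queries the server, counts sightings of strange programs and answers the driver with a command, and the server verifies and white-lists a program once the client has submitted it. The assumptions are that the driver holds a new process suspended until it receives "resume" or "terminate", that the user prompt and the dynamic measurement are injected callables, and that the server's verification is a constructed hash set; all images and names are constructed.

```python
import hashlib
from collections import Counter

def image_hash(image: bytes) -> str:
    """Hash the client computes for a process image received from the driver."""
    return hashlib.sha256(image).hexdigest()

class WhitelistServer:
    """Server end (constructed): answers white-list queries and, for programs the
    client submits, runs an assumed verification hook before adding them."""
    def __init__(self, whitelist, verify):
        self.whitelist = set(whitelist)
        self.verify = verify                # assumed hook: info dict -> bool

    def query(self, digest: str) -> str:
        return "trusted" if digest in self.whitelist else "unknown"

    def submit(self, info: dict) -> bool:
        """Self-learning: add a submitted program to the white list if it verifies."""
        if self.verify(info):
            self.whitelist.add(info["hash"])
            return True
        return False

class Client:
    """Client application: receives driver events, queries the server, counts
    sightings of strange programs and answers the driver with a command."""
    def __init__(self, server, user_accepts, behaviour_ok, report_after=3):
        self.server = server
        self.user_accepts = user_accepts    # assumed user prompt: info -> bool
        self.behaviour_ok = behaviour_ok    # assumed dynamic measurement: event -> bool
        self.report_after = report_after    # sightings before submitting to the server
        self.sightings = Counter()

    def on_process_start(self, event: dict) -> str:
        """Handle one driver callback; the driver holds the new process suspended
        (assumption) until it gets back 'resume' or 'terminate'."""
        digest = image_hash(event["image"])
        if self.server.query(digest) == "trusted":
            return "resume"
        info = {"name": event["name"], "path": event["path"], "hash": digest}
        self.sightings[digest] += 1
        if self.sightings[digest] >= self.report_after:
            self.server.submit(info)        # server verifies and stores the program
        if not self.user_accepts(info):
            return "terminate"
        return "resume" if self.behaviour_ok(event) else "terminate"

# Constructed sample data.
KNOWN_IMAGE = b"MZ constructed image of a listed application"
NEW_IMAGE = b"MZ constructed image of a new, unlisted application"
BAD_IMAGE = b"MZ constructed image of a harmful program"

def event(name, image):
    return {"name": name, "path": "C:\\constructed\\" + name, "image": image}

def run_scenario(user_accepts=lambda info: True):
    """Drive the client through a constructed sequence of process starts; return the
    commands issued, the server's final verdict on NEW_IMAGE and its sighting count."""
    published = {image_hash(NEW_IMAGE)}   # constructed stand-in for verification data
    server = WhitelistServer({image_hash(KNOWN_IMAGE)}, verify=lambda i: i["hash"] in published)
    client = Client(server, user_accepts, behaviour_ok=lambda e: e["image"] != BAD_IMAGE)
    starts = [event("known.exe", KNOWN_IMAGE)] + [event("new.exe", NEW_IMAGE)] * 4 \
        + [event("bad.exe", BAD_IMAGE)]
    commands = [client.on_process_start(e) for e in starts]
    return commands, server.query(image_hash(NEW_IMAGE)), client.sightings[image_hash(NEW_IMAGE)]
```

In the scenario the new program is submitted and white-listed on its third sighting, so the fourth start is answered from the white list without a sighting being counted, while the harmful program fails dynamic measurement and is terminated.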

Claims (3)

1. A static and dynamic hybrid measurement method for application software trustworthiness, which enriches research on measuring application software trustworthiness, remedies the deficiency of static measurement and uses dynamic measurement to carry the theory into application; it is a newer and practical method.
2. The security protection system designed can protect the computer efficiently. Compared with other security software it has the advantages of not needing a large malicious code database, having an autonomous learning mechanism that can discover newly emerging viruses and Trojans, fast discovery and reaction speed, and not requiring frequent client updates.
3. A security protection system running on the operating system is designed using this hybrid measurement method; this system can equally be used as a measurement system for copyrighted software, preventing the use of pirated software and protecting software copyright, and can in particular be used as a supervisory system in environments with strict security requirements.
CN2013100673647A 2013-03-04 2013-03-04 Mixed method for measuring creditability of application software Pending CN103226676A (en)


Publications (1)

Publication Number Publication Date
CN103226676A true CN103226676A (en) 2013-07-31



Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070107056A1 (en) * 2005-11-09 2007-05-10 Microsoft Corporation Hardware-aided software code measurement
CN101788915A (en) * 2010-02-05 2010-07-28 北京工业大学 White list updating method based on trusted process tree
CN102073816A (en) * 2010-12-31 2011-05-25 兰雨晴 Behavior-based software trusted measurement system and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
田俊峰 et al.: 《一种可信软件设计方法及可信性评价》 (A trusted software design method and trustworthiness evaluation), 《计算机研究与发展》 (Journal of Computer Research and Development), vol. 48, no. 08, 15 August 2011 (2011-08-15), pages 1447-1454 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104035787A (en) * 2014-07-01 2014-09-10 深圳数字电视国家工程实验室股份有限公司 Mandatory access control method and device based on Andriod kernel
CN107360165A (en) * 2017-07-13 2017-11-17 北京元心科技有限公司 Terminal device, cloud server and method and device for managing and controlling operating system
CN107360165B (en) * 2017-07-13 2021-02-12 北京元心科技有限公司 Terminal device, cloud server and method and device for managing and controlling operating system
CN107403097A (en) * 2017-08-10 2017-11-28 清远博云软件有限公司 A kind of core system software running guard method
CN110348180A (en) * 2019-06-20 2019-10-18 苏州浪潮智能科技有限公司 A kind of application program launching control method and device
CN110348180B (en) * 2019-06-20 2021-07-30 苏州浪潮智能科技有限公司 Application program starting control method and device
CN112733149A (en) * 2021-01-12 2021-04-30 北京旋极安辰计算科技有限公司 Method for self-learning credible static measurement strategy in operating system


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20130731