
Journal of Shandong University (Natural Science), 2018, Vol. 53, Issue 7: 46-50. doi: 10.6040/j.issn.1671-9352.2.2017.276


Process active dynamic measurement method for Windows environment

ZHANG Jian-biao1,2,3, LI Zhi-gang1,2,3, LIU Guo-jie1,2,3, WANG Chao1,2,3, WANG Wei1,2,3

  1. Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China;
  2. Beijing Key Laboratory of Trusted Computing, Beijing 100124, China;
  3. National Engineering Laboratory for Critical Technologies of Information Security Classified Protection, Beijing 100124, China
  • Received: 2017-08-20  Online: 2018-07-20  Published: 2018-07-03
  • Author biography: ZHANG Jian-biao (born 1969), male, PhD, professor; research interests: information security and trusted computing. E-mail: zjb@bjut.edu.cn
  • Funding: National Natural Science Foundation of China (61671030); Beijing Postdoctoral Research Funding Project (2017-22-030); CCF-Venustech "Hongyan" Research Fund (CCF-VenustechRP2017008)

Abstract: Building on a classification of malicious user-mode behaviour on Windows, a trusted measurement method for processes in the Windows environment is proposed. Existing schemes obtain the trust-measurement reference value from the process's own execution flow, so they cannot detect a hook that has already been loaded into the process when that value is captured. The proposed method instead compares the execution-flow reference value of the process's in-memory image with that of its executable file to decide whether the process has been attacked, and automatically restores the content modified by the malicious program, so that the process continues to execute normally.

Key words: trusted computing, execution-flow reference value, hooking, active measurement

CLC number: TP309
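The check the abstract describes, as an added illustration in Python (this is not the authors' code, and the page does not say how their execution-flow reference value is computed): the reference value is assumed here to be SHA-256 over a code section with its base-relocation slots zeroed, the on-disk `.text` bytes and the live process memory are stood in for by byte strings rather than a PE parser and ReadProcessMemory/WriteProcessMemory, and the four detour shapes `classify()` knows are a chosen subset. All bases, offsets and instruction bytes are constructed for the example.

```python
# Added example, not the paper's code: the reference value is assumed to be SHA-256
# over the code section with relocation slots zeroed; byte strings stand in for memory.
import hashlib
import struct
from dataclasses import dataclass

# ---- constructed sample input (assumed values, not from a real binary) ----
PREFERRED_BASE = 0x140000000     # ImageBase from the PE optional header
LOADED_BASE = 0x7FF600000000     # base the loader actually chose (ASLR)
RELOCS = [12]                    # offsets of 8-byte absolute-address slots in the section
DISK_CODE = (
    b"\x48\x89\x5C\x24\x08\x57\x48\x83\xEC\x20"   # mov [rsp+8],rbx; push rdi; sub rsp,0x20
    b"\x48\xB8" + struct.pack("<Q", PREFERRED_BASE + 0x1000)   # mov rax, imm64 (relocated)
    + b"\xFF\xD0\x48\x83\xC4\x20\x5F\xC3"         # call rax; add rsp,0x20; pop rdi; ret
)

def relocate(code: bytes, relocs, delta: int) -> bytes:
    """Apply the loader's base delta to every absolute-address slot."""
    buf = bytearray(code)
    for off in relocs:
        struct.pack_into("<Q", buf, off, struct.unpack_from("<Q", buf, off)[0] + delta)
    return bytes(buf)

MEM_CODE_CLEAN = relocate(DISK_CODE, RELOCS, LOADED_BASE - PREFERRED_BASE)
# Same image after an inline hook overwrote the prologue with 'jmp rel32' (rel32 arbitrary).
MEM_CODE_HOOKED = b"\xE9\x96\x1F\x10\x00" + MEM_CODE_CLEAN[5:]

# Byte length of each detour shape classify() recognises.
DETOUR_LEN = {"jmp rel32": 5, "jmp [rip+disp32]": 6,
              "push imm32; ret": 6, "mov rax, imm64; jmp rax": 12}

@dataclass
class Finding:          # one suspected patch inside the measured section
    offset: int         # first divergent byte
    length: int         # bytes covered by the decoded detour (or the raw run)
    kind: str           # detour shape from classify(), or "unknown"
    original: bytes     # reference bytes from the on-disk image
    observed: bytes     # bytes found in the process

def normalize(code: bytes, relocs, width: int = 8) -> bytes:
    """Zero every relocation slot so a merely rebased image hashes like the file."""
    buf = bytearray(code)
    for off in relocs:
        buf[off:off + width] = bytes(width)
    return bytes(buf)

def reference_value(code: bytes, relocs, width: int = 8) -> str:
    return hashlib.sha256(normalize(code, relocs, width)).hexdigest()

def classify(patch: bytes) -> str:
    """Recognise common x86-64 detour shapes at the start of a divergent run."""
    if patch[:1] == b"\xE9" and len(patch) >= 5:
        return "jmp rel32"
    if patch[:2] == b"\xFF\x25" and len(patch) >= 6:
        return "jmp [rip+disp32]"
    if patch[:1] == b"\x68" and len(patch) >= 6 and patch[5:6] == b"\xC3":
        return "push imm32; ret"
    if patch[:2] == b"\x48\xB8" and len(patch) >= 12 and patch[10:12] == b"\xFF\xE0":
        return "mov rax, imm64; jmp rax"
    return "unknown"

def measure(disk_code: bytes, mem_code: bytes, relocs, width: int = 8):
    """Return (trusted, findings); relocation slots are masked on both sides."""
    if len(disk_code) != len(mem_code):
        raise ValueError("section size mismatch")
    if reference_value(disk_code, relocs, width) == reference_value(mem_code, relocs, width):
        return True, []
    d, m = normalize(disk_code, relocs, width), normalize(mem_code, relocs, width)
    findings, i = [], 0
    while i < len(d):
        if d[i] == m[i]:
            i += 1
            continue
        j = i + 1
        while j < len(d) and d[j] != m[j]:
            j += 1
        kind = classify(mem_code[i:i + 12])
        # A detour may share trailing bytes with the original, so cover its whole decoded shape.
        length = min(max(DETOUR_LEN.get(kind, 0), j - i), len(d) - i)
        findings.append(Finding(i, length, kind, disk_code[i:i + length], mem_code[i:i + length]))
        i += length
    return False, findings

def repair(mem_code: bytes, findings, relocs, width: int = 8) -> bytes:
    """Write reference bytes back over each finding, but keep the loader's values in
    relocation slots so a live process is not de-relocated by the repair."""
    slots = {off + k for off in relocs for k in range(width)}
    buf = bytearray(mem_code)
    for f in findings:
        for k in range(f.length):
            if f.offset + k not in slots:
                buf[f.offset + k] = f.original[k]
    return bytes(buf)

if __name__ == "__main__":
    ok, found = measure(DISK_CODE, MEM_CODE_HOOKED, RELOCS)
    print("trusted:", ok, [(f.offset, f.kind, f.observed.hex()) for f in found])
    print("repaired matches clean image:", repair(MEM_CODE_HOOKED, found, RELOCS) == MEM_CODE_CLEAN)
```

The relocation mask is what keeps a merely rebased image from being reported: without it every absolute address in the section differs from the file under ASLR and the measurement would flag every process. Findings are widened to the decoded detour shape because a patch can share bytes with the instruction it replaces, and repairing only the bytes that happened to differ would leave a half-restored instruction. If the comparison is extended beyond the code section to catch import-table hooks, the import address table must be compared against the resolved export addresses rather than against the file, since the loader rewrites it legitimately.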