JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE) ›› 2018, Vol. 53 ›› Issue (7): 46-50.doi: 10.6040/j.issn.1671-9352.2.2017.276

Previous Articles     Next Articles

Process active dynamic measurement method for Windows environment

ZHANG Jian-biao1,2,3, LI Zhi-gang1,2,3, LIU Guo-jie1,2,3, WANG Chao1,2,3, WANG Wei1,2,3   

  1. 1. Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China;
    2. Beijing Key Laboratory of Trusted Computing, Beijing 100124, China;
    3. National Engineering Laboratory for Critical Technologies of Information Security Classified Protection, Beijing 100124, China
  • Received:2017-08-20 Online:2018-07-20 Published:2018-07-03

PDF (PC)

591

Abstract: A process dynamic measurement method for Windows environment based on the classification of malicious behavior of Windows user mode is proposed. Existing trusted metric benchmark values are acquired through process execution streams and cannot be immune to hook attacks when loaded. By comparing and analyzing the baseline value of the process memory image and executable stream, the method is used to determine whether the process is subjected to malicious attack, which can automatically repair the content tampered by the malicious program and ensure the normal execution of the process.

Key words: execution flow reference value, hook, active measurement, trusted computing

CLC Number: 

  • TP309
[1] Trusted Computing Group. TCG Specification Architecture Overview[EB/OL]. [2007-08-02]. http://www.trustedcomputting group.org/
[2] WANG J, SHI Y, PENG G, et al. Survey on key technology development and application in trusted computing[J]. China Communications, 2016, 13(11): 70-90.
[3] AZAB A M, NING P, SEZER E C, et al. HIMA: a hypervisor-based integrity measurement agent[C] //Computer Security Applications Conference, 2009. ACSAC'09. Annual. IEEE, 2009: 461-470.
[4] LI Y, BA H, REN J. Integrity measurement based on trusted computing[C] //International Conference on Information Engineering for Mechanics and Materials, 2015: 956-959.
[5] 黄坚会, 石文昌. 基于ATX主板的TPCM主动度量及电源控制设计[J]. 信息网络安全, 2016(11):1-5. HUANG Jianhui, SHI Wenchang. The TPCM active measurement and power control design for ATX motherboard [J]. Netinfo Security, 2016(11): 1-5.
[6] DAVI L, SADEGHI A R, WINANDY M. Dynamic integrity measurement and attestation: towards defense against return-oriented programming attacks[C] //Proceedings of the 2009 ACM workshop on Scalable trusted computing. ACM, 2009: 49-54.
[7] REIN A. Drive: dynamic runtime integrity verification and evaluation[C] //Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. ACM, 2017: 728-742.
[8] 田健生,詹静. 基于TPCM 的动态度量机制的研究与实现[J]. 信息网络安全, 2016(6): 22-27. TIAN Jiansheng, ZHAN Jing. Research and implementation of active dynamic measurement based on TPCM [J]. Netinfo Security, 2016(6): 22-27.
[9] AZAB A M, NING P, WANG Z, et al. HyperSentry: enabling stealthy in-context measurement of hypervisor integrity[C] //ACM Conference on Computer and Communications Security. ACM, 2010:38-49.
[10] HOFMANN O S, KIM S, DUNN A M, et al. InkTag: secure applications on an untrusted operating system[C] //ASPLOS Proc, 2013:253.
[11] JAEGER T, SAILER R, SHANKAR U. PRIMA: policy-reduced integrity measurement architecture[C] // Proceedings of the Eleventh ACM Symposium on Access Control Models and Echnologies, 2006: 19-28.
[12] 邢彬, 刘吉强, 韩臻. 一种可信计算平台完整性度量的新模型[J]. 信息网络安全, 2016(6):8-14. XING Bin, LIU Jiqiang, HAN Zhen. A new model for measuring the integrity of trusted computing platforms [J]. Netinfo Security, 2016(6): 8-14.
[13] RILEY R, JIANG X, XU D. An architectural approach to preventing code injection attacks[J]. IEEE Transactions on Dependable and Secure Computing, 2010, 7(4): 351-365.
[14] 徐明迪,张焕国,赵恒. 可信计算平台信任链安全性分析[J]. 计算机学报, 2010, 33(7): 1165-1176. XU Mingdi, ZHANG Huanguo, ZHAO Heng. Security analysis on trust chain of trusted computing platform[J]. Chinese Journal of Computers, 2010, 33(7): 1165-1176.
[15] 文静,王怀民,应时. 支持运行监控的可信软件体系结构设计方法[J]. 计算机学报, 2010, 33(12): 2321-2334. WEN Jing, WANG Huaimin, YING Shi. Toward a software architectural design approach for trusted software based on monitoring[J]. Chinese Journal of Computers, 2010, 33(12): 2321-2334.
[1] SUN Liang, CHEN Xiao-chun, ZHONG Yang, LIN Zhi-peng, REN Tong. Secure startup mechanism of server based on trusted BMC [J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2018, 53(1): 89-94.
[2] LI Xiao-ce, PAN Xiao-zhong, MAI Tao-tao. Multi-component property based remote attestation [J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2016, 51(9): 53-58.
[3] JIANG Wei-jin, XU Yu-hui, GUO Hong, XU Yu-sheng. A multi-dimensional evidence dynamic trust computing model based on multi-agent [J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2015, 50(01): 1-11.
[4] HUANG Zheng-li1, REN Zhao-jie2, LI Lin1, ZHAO Zun-tian1*. Hookeriales new to Shandong Province, China [J]. J4, 2011, 46(11): 5-7.
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
Copyright 2018 © Editorial office of JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE)
Supported by Beijing Magtech Co.Ltd