Design And Implementation On Monitoring Kernel-vulnerability System Based On Virtual Machine Monitor

Posted on: 2016-02-13  Degree: Master  Type: Thesis
Country: China  Candidate: Y H Deng  Full Text: PDF
GTID: 2308330503950944  Subject: Computer application technology
Abstract/Summary:
Vulnerabilities in information systems and software have always been a major source of information security incidents. Software vulnerabilities, especially kernel software vulnerabilities, pose a great threat to information security. The kernel consists of the operating system kernel, device drivers, and third-party drivers. They run at ring 0 with the highest system privilege and share the same virtual address space. They are responsible for accessing hardware, managing virtual memory, and other core tasks, so their security is of vital importance. Kernel vulnerabilities are unavoidable because of their particular causes. Therefore, monitoring kernel vulnerabilities is attracting increasing attention.

First, this paper analyzes traditional vulnerability monitoring techniques and addresses their shortcomings: they either cannot monitor the behavior of the kernel, or the monitoring method requires modifying the monitored program and the results are affected by the monitoring itself. Based on a study of the causes and exploitation of kernel vulnerabilities, a new method for automatically monitoring kernel vulnerabilities based on hardware virtualization is proposed. This method adopts hardware virtualization technology to map the real system into a virtual environment and builds a lightweight virtual machine monitor, ensuring that the kernel program is monitored independently. When a possible kernel vulnerability is triggered, it is located by combining the causes and exploitation of kernel vulnerabilities with the kernel structures of the operating system.

Second, according to the proposed method, a kernel vulnerability monitoring system is designed and implemented. The system is composed of 5 modules: initialization module, monitoring control module, event analysis module, event dispatch and process module, determinant module, and vulnerability analysis and location module. The virtual environment is initialized based on virtualization technology, and monitoring is initialized based on the monitoring layout. The monitoring control module is responsible for the entire monitoring layout. The event analysis module reconstructs upper-level kernel information from the underlying hardware information. The event dispatch and process module distributes each event after basic processing. The determinant module judges the event among 3 stages. The vulnerability analysis and location module locates the vulnerability by means of stack backtracking and symbol files. The 5 modules work together to achieve comprehensive monitoring of kernel vulnerabilities.

Finally, experimental analysis shows that the monitoring approach used in the system can monitor more kernel vulnerabilities, and monitor them more accurately, without affecting the operation of the kernel program, which demonstrates the validity of the method proposed in this paper.
Keywords/Search Tags: Kernel Vulnerability, Vulnerability Monitoring, Nonintrusive monitor, Hardware virtualization, Intel VT, Kernel Structure