Research On Program Behavior Of Semantic Remote Attestation

Posted on: 2011-10-16
Degree: Master
Type: Thesis
Country: China
Candidate: B Li
GTID: 2178360305471651
Subject: Computer application technology
Abstract/Summary:
In recent years, the rapid development of computer networks and electronic commerce has greatly changed people's lives. These techniques make our lives more and more convenient, but they also make it easier for a malicious party to obtain our private information. People therefore pay more attention to building trusted computing systems that can guarantee the security and integrity of their private information.

The traditional approach to secure computing is to add security layers between computers and computer networks, such as passwords, encryption, anti-virus software or an IDS (Intrusion Detection System). These are passive solutions, and both anti-virus software and IDS are helpless against new viruses and new attacks. Moreover, they run correctly only if the underlying systems, especially the operating system, run correctly. A large number of security problems exist in current computing platforms because of the weakness of the platform itself.

Trusted computing enhances the security of computer systems by adding modules in both software and hardware. Trusted computing technology uses trusted hardware embedded in the TCP (Trusted Computing Platform) as the root of trust and builds a chain of trust on the trusted root's ability to generate and protect keys. Each layer then attests and trusts the layer next to it, and the trust relationship consequently spreads to the whole computing system.

Remote attestation technology gives us a means to attest the running environment and the configuration of a remote platform. The user authentication of remote attestation is almost perfect, but its behavior attestation is essentially an integrity test based on a binary test. What this kind of attestation can confirm is exactly which program is running on the remote party; it cannot confirm whether the program's behavior is normal. In other words, it can answer the question "what is it", whereas it cannot answer the question "what is it doing". The software producer declares that their software is trustworthy, and the assurance about the security of the software rests entirely on that declaration. The program attestation of remote attestation is therefore based on trust, not behavior.

To overcome this shortcoming of remote attestation, this paper uses the system calls generated when a program runs correctly on Linux to build the program's behavior model. By matching the system calls collected while the program is actually running against its behavior model, we can calculate the matching degree between the behavior model and the program's actual behavior, and then estimate whether the behavior of the program is normal. When calculating the matching degree, we take into account the probability with which each short sequence appears in the behavior model, and use that probability as the short sequence's weight. To make the results more intuitive, we use a relative matching degree to measure the difference between the behavior model and the system call sequences to be checked. This attestation method is dynamic and does not attest only once; it can complement remote attestation and so overcome its shortcomings.
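The following sketch is an added example, not code from the thesis: it shows one way to build a short-sequence behavior model from system call traces and score an observed trace with probability weights. The window length `K`, the sample traces, the function names and the normalization used for the relative matching degree are all assumptions, since the abstract does not give the formulas.

```python
from collections import Counter

K = 3  # short-sequence (window) length; assumed, the abstract gives no value

# Constructed sample traces of a program's normal runs (Linux syscall names).
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
]

def windows(trace, k=K):
    """All length-k short sequences obtained by sliding a window over the trace."""
    if len(trace) < k:
        raise ValueError("trace shorter than window length")
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_model(traces, k=K):
    """Behavior model: short sequence -> probability of appearing in normal runs."""
    counts = Counter(w for t in traces for w in windows(t, k))
    total = sum(counts.values())
    return {seq: n / total for seq, n in counts.items()}

def matching_degree(model, trace, k=K):
    """Mean per-window weight; a window absent from the model contributes 0."""
    ws = windows(trace, k)
    return sum(model.get(w, 0.0) for w in ws) / len(ws)

def relative_matching_degree(model, trace, k=K):
    """Assumed normalization: divide by the degree that windows drawn from the
    model itself score on average (sum of p^2), so normal behavior is near 1."""
    baseline = sum(p * p for p in model.values())
    return matching_degree(model, trace, k) / baseline

if __name__ == "__main__":
    model = build_model(NORMAL_TRACES)
    observed = {  # constructed traces reported by the attested platform
        "normal": ["open", "read", "write", "close"],
        "mixed": ["open", "read", "write", "execve", "close"],
        "unseen": ["open", "read", "execve", "socket", "connect"],
    }
    for name, trace in observed.items():
        print(f"{name:7s} {relative_matching_degree(model, trace):.3f}")
```

A verifier would compare the relative matching degree against a threshold chosen from held-out normal runs, and repeat the check periodically rather than once at load time.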
Keywords/Search Tags: network security, trusted computing, remote attestation, semantic remote attestation, system calls