
Research On Non-control-data Kernel Attacks And Runtime Detection Method

Posted on: 2017-03-31
Degree: Master
Type: Thesis
Country: China
Candidate: J Huang
Full Text: PDF
GTID: 2308330482979296
Subject: Computer Science and Technology
Abstract/Summary:
Operating system security is the foundation and prerequisite of computer system security, and it depends mainly on the security of the system kernel. However, with the increasing number of kernel attacks, the kernel security situation is increasingly grim. Among the kinds of kernel attacks, non-control-data attacks, a form of rootkit attack, are becoming more and more threatening. By tampering with key data structures inside kernel space, non-control-data kernel attacks induce kernel vulnerabilities and a series of stability problems, which severely affect the security of the operating system and even of the whole computer system. Based on analysis and research on current non-control-data kernel attacks, this thesis designs and implements a prototype of non-control-data kernel attacks as a test tool suite, so that security defenders can develop methods for detecting such attacks. In order to enhance the security of the Linux kernel, we start from the basic principles and construction mechanisms of the various attack methods, summarize their common characteristics, study how the key kernel data structures change, and try to monitor changes to those data structures continuously at runtime (online), checking the consistency and invariance of the kernel data structures and reporting relevant information about a non-control-data kernel attack in a timely manner. In this paper, we propose a runtime detection method based on the Kprobes debugging mechanism and a monitor kernel thread. The former, a mechanism for debugging the system kernel, is used to monitor the execution of key kernel functions and to check the consistency of the related dynamic data structures, while the latter is used to check the invariance of some static kernel data structures through a daemon.
A corresponding prototype named KNCDefender is then designed and implemented in C on Linux kernel version 2.6.32.27, and a series of verification and performance experiments has been carried out. The experimental results show that the method proposed in this paper is lightweight and that various non-control-data kernel attacks can be detected in a timely manner. The completed work can provide a useful reference for security personnel who need to detect non-control-data kernel attacks. At the same time, it shows that detecting non-control-data kernel attacks on the foundation of existing technology is feasible and effective. However, limited by time and effort, the adaptability and portability of the detection method and prototype to other Linux kernel versions and platforms remain to be improved.
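The invariance check that the abstract assigns to the monitor kernel thread, modelled in user space as an added example (this is not KNCDefender's code, and the thesis does not describe its data structures or checking routine): a constructed function-pointer table stands in for a static kernel table, a trusted copy and hash of it are taken when the monitor starts, and each monitor pass compares the hash and, only on a mismatch, walks the table to report which slots were altered. The table contents, the choice of FNV-1a as the hash, and the simulate_tamper hook are assumptions made for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Number of slots in the constructed dispatch table. */
#define TABLE_ENTRIES 8

/* Constructed stand-in for a static kernel table of function pointers
 * (the kind of non-control data such attacks overwrite). The values are
 * made up for the demo and are not real kernel addresses. */
static uintptr_t dispatch_table[TABLE_ENTRIES] = {
    0x1000, 0x1040, 0x1080, 0x10c0, 0x1100, 0x1140, 0x1180, 0x11c0
};

/* Trusted baseline captured when the monitor starts (assumption: the
 * table is still intact at that moment). */
static uintptr_t baseline_table[TABLE_ENTRIES];
static uint64_t  baseline_hash;

/* FNV-1a 64-bit hash: cheap enough to recompute on every monitor pass. */
uint64_t fnv1a64(const void *data, size_t len)
{
    const unsigned char *p = (const unsigned char *)data;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Record the trusted state: a full copy (to locate changes later) plus
 * its hash (for the fast per-pass comparison). */
void monitor_take_baseline(void)
{
    memcpy(baseline_table, dispatch_table, sizeof dispatch_table);
    baseline_hash = fnv1a64(dispatch_table, sizeof dispatch_table);
}

/* One pass of the monitor thread. The common case costs one hash compare;
 * only on a mismatch does it walk the table to find the tampered slots.
 * Returns the number of changed slots and writes their indices to changed[]. */
int monitor_check(int changed[TABLE_ENTRIES])
{
    if (fnv1a64(dispatch_table, sizeof dispatch_table) == baseline_hash)
        return 0;

    int n = 0;
    for (int i = 0; i < TABLE_ENTRIES; i++) {
        if (dispatch_table[i] != baseline_table[i])
            changed[n++] = i;
    }
    return n;
}

/* One possible response after detection: put the trusted values back. */
void monitor_restore(void)
{
    memcpy(dispatch_table, baseline_table, sizeof dispatch_table);
}

/* Demo-only hook standing in for an attack that overwrites one slot. */
void simulate_tamper(int slot, uintptr_t value)
{
    if (slot >= 0 && slot < TABLE_ENTRIES)
        dispatch_table[slot] = value;
}

int main(void)
{
    int changed[TABLE_ENTRIES];

    monitor_take_baseline();
    printf("pass 1: %d slot(s) changed\n", monitor_check(changed));

    simulate_tamper(3, 0x2000);   /* constructed tampering of slot 3 */
    int n = monitor_check(changed);
    printf("pass 2: %d slot(s) changed\n", n);
    for (int i = 0; i < n; i++)
        printf("  slot %d: baseline %#lx now %#lx\n", changed[i],
               (unsigned long)baseline_table[changed[i]],
               (unsigned long)dispatch_table[changed[i]]);

    monitor_restore();
    printf("pass 3: %d slot(s) changed\n", monitor_check(changed));
    return 0;
}
```

In a kernel implementation the same loop would run in a kernel thread that sleeps between passes, and two points decide whether the check is worth anything: the baseline must be captured from a state that is known to be clean (for example at boot, before any third-party module loads), and the baseline copy and hash must themselves be kept out of reach of the attack they are meant to catch. A plain hash compare also cannot tell a legitimate update from tampering, which is why the abstract reserves it for static data and uses Kprobes-driven consistency checks for the dynamic structures that change during normal operation.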
Keywords/Search Tags: Operating system security, Non-control-data kernel attacks, Kprobes debugging mechanism, Kernel thread