
Study And Implementation Of System Protection By Monitoring Abnormal Invocation Of Linux Kernel Functions

Posted on: 2019-02-26
Degree: Master
Type: Thesis
Country: China
Candidate: C Liu
GTID: 2348330542975014
Subject: Computer Science and Technology

Abstract/Summary:
With the widespread use of computer technology, information security problems have become increasingly prominent, and information system security is receiving more and more attention. Because the operating system plays a key role in a computer system, the security of the entire system relies heavily on operating system security. In recent years, the Linux operating system has rapidly gained share in the server operating system market thanks to its unique advantages. For the same reason, however, targeted malicious attacks have increased. At the same time, with the rapid growth of the amount of code in the Linux kernel, its vulnerabilities are continuously being exposed. The kernel is the core of the operating system, and its security is the fundamental premise for guaranteeing the security of the operating system and of the entire computer system. Linux security, and kernel security in particular, has therefore become one of the research focuses in the field of computer system security.

For servers running Linux, this paper proposes a system protection method based on monitoring kernel functions, building on an analysis of various existing Linux system protection methods. The method limits the kernel functions that the relevant daemons can access and increases the difficulty of malicious attacks, thereby enhancing the security of the Linux kernel. In addition, abnormal invocations of kernel functions are handled in real time according to their category, which raises the security level of the entire server system. In the prototype implementation, the dynamic tracing technology of ftrace is used to extract the kernel functions to be monitored, the runtime debugging technology of Kprobes is used to monitor those kernel functions, and the alarm response mechanism of Zabbix is used to deal with abnormal invocations. The kernel function monitoring prototype is constructed automatically from the basic elements and characteristic patterns of the related monitoring mechanisms.

This paper also presents a security risk classification standard for kernel functions and gives examples of the corresponding classification in the prototype application environment. In other words, kernel functions are divided into three levels of potential security risk (high, medium and low), based on an analysis of and reference to the security classification of system calls, combined with related known kernel vulnerabilities and other factors. Three corresponding kinds of processing are then set up in the handling mechanism to support category-specific handling of the various abnormalities.

The results of functional and performance tests on the Linux system protection prototype show that the proposed method can indeed detect abnormal invocations of kernel functions in a timely manner and follow up with appropriate alarm or interception measures. Furthermore, the overhead is not too high, so the method is verified to be feasible and effective. Compared with other research on kernel security, this method protects broader kernel coverage and does not require recompiling or rebuilding the kernel image, while the kernel monitoring and protection mechanisms are integrated organically.
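The profile-then-monitor idea in the abstract can be sketched in user space as follows. This is an added example, not code from the thesis: it builds a per-daemon allow-list from ftrace function-tracer text and then flags calls outside that list in a second trace, whereas the thesis prototype does the monitoring with Kprobes. The risk tiers, the level-to-action mapping and the sample traces are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# ftrace "function" tracer line: task-pid [cpu] flags timestamp: function <-caller
LINE = re.compile(
    r"^\s*(?P<comm>.+)-(?P<pid>\d+)\s+\[\d+\]\s+\S+\s+[\d.]+:\s+(?P<func>\S+)\s+<-")

# Assumed risk tiers and responses; the thesis defines its own classification.
RISK = {"commit_creds": "high", "load_module": "high", "do_mount": "medium"}
ACTION = {"high": "intercept", "medium": "alarm", "low": "log"}

def parse(trace):
    """Yield (daemon, function) pairs from tracer text, skipping header lines."""
    for line in trace.splitlines():
        m = LINE.match(line)
        if m:
            yield m["comm"], m["func"]

def build_profile(trace):
    """Allow-list: the kernel functions each daemon reached during profiling."""
    profile = defaultdict(set)
    for comm, func in parse(trace):
        profile[comm].add(func)
    return profile

def check(profile, trace):
    """Return (daemon, function, risk, action) for calls outside the allow-list."""
    findings = []
    for comm, func in parse(trace):
        if func not in profile.get(comm, set()):
            risk = RISK.get(func, "low")  # unclassified functions default to low
            findings.append((comm, func, risk, ACTION[risk]))
    return findings

# Constructed sample traces (not data from the thesis).
BASELINE = """\
# tracer: function
            sshd-812   [000] ....  100.000001: tcp_recvmsg <-inet_recvmsg
            sshd-812   [000] ....  100.000002: vfs_read <-ksys_read
           nginx-901   [001] ....  100.000003: tcp_sendmsg <-inet_sendmsg
"""
OBSERVED = """\
            sshd-812   [000] ....  200.000001: vfs_read <-ksys_read
           nginx-901   [001] ....  200.000002: commit_creds <-install_exec_creds
           nginx-901   [001] ....  200.000003: do_mount <-ksys_mount
           nginx-901   [001] ....  200.000004: vfs_read <-ksys_read
"""

if __name__ == "__main__":
    for finding in check(build_profile(BASELINE), OBSERVED):
        print(*finding)
```

A function that one daemon may call is still flagged for another daemon that never reached it during profiling, which is why `vfs_read` is allowed for `sshd` but reported for `nginx` here.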
Keywords/Search Tags:security of operating systems, security of kernel, system protection, daemon, invocation of kernel functions