Research On Kernel Integrity Dynamic Protection Based On Firmware

The core security problem of a computer is kernel security.If the kernel security cannot be guaranteed,any application layer protection measures cannot guarantee its own security and credibility.The existing kernel integrity measurement methods are mainly divided into static methods and dynamic methods.Static methods will measure when the kernel file is loaded,and determine whether the file has been tampered with the measurement value.The disadvantage is that it cannot detect memory attacks.Dynamic methods can measure the data in memory and can resist memory attacks,but the methods themselves often exist as the form of kernel extension modules,so their own security cannot be guaranteed.Therefore,it is necessary to design a kernel integrity protection system that can fundamentally guarantee the safety of the kernelTo solve the above problems,we propose a firmware-based dynamic system for kernel integrity protection KIPS.The system is located in the firmware,and in UEFI mode and legacy mode,it uses a hash algorithm to measure the kernel integrity after the kernel is loaded into memory,which basically guarantees the kernel security.Security based on firmware and dynamic protection are the two core points of the system.Firstly,the measurement of the kernel by the system is completed in the firmware phase.At this time,the kernel has no control.The security of the system is based on the security of the firmware.The firmware is executed first after the computer is powered on.Completing the kernel integrity measurement during the firmware phase can ensure the credibility of the measurement results to the greatest extent,and effectively avoid the problem of untrusted measurement results caused by the system's own security based on the kernel.Secondly,the integrity measurement object is the kernel in the memory,which can not only ensure the integrity of the kernel when loading,but also effectively resist kernel attacks against the memory,and achieve dynamic protection.The main research contents and results of this master thesis include the following:(1)According to the objective conditions of UEFI firmware and the advantages & disadvantages of traditional integrity measurement methods,a dynamic kernel integrity protection system KIPS based on firmware is proposed;(2)Through analyzing the firmware volume and PE file structure,complete the extraction,expansion,modification,and replacement of the checksum for the EFI driver;(3)Analyze the startup process of UEFI mode and legacy mode,and study how to obtain the operating system kernel base and perform integrity measurement at startup;(4)Through the study of the hash function,a modified SHA-256 algorithm is implemented,which aims to reduce the code size while completing the measurement.Finally,the basic functions of KIPS are implemented and tested.The test results show that KIPS can measure the integrity of the kernel in the memory during the boot phase,and respond differently according to the different measurement results,which is in line with the intended purpose.