
Research On Function Call Detection And Analysis Of Linux Kernel Module

Posted on: 2022-02-19 | Degree: Master | Type: Thesis
Country: China | Candidate: H Q Fa | Full Text: PDF
GTID: 2518306350981879 | Subject: Software engineering
Abstract/Summary:
With the continuous development of Android devices, embedded technology and domestic information systems, the market share of Linux-based operating systems is gradually increasing. Therefore, security analysis of both applications and the kernel in Linux has been widely studied worldwide. At present, most analysis of Linux programs uses static or dynamic analysis alone, which can neither capture behavior in the kernel layer broadly nor effectively analyze its behavioral characteristics or influence. A Linux kernel module (LKM) acts directly on the kernel: applications can indirectly affect kernel behavior through an LKM, and the LKM's own behavior can access and modify kernel resources. Studying the behavior of LKMs in the kernel is therefore important for Linux kernel security. Based on a survey of existing LKM security analysis techniques at home and abroad, and aiming at the problems of incomplete LKM behavior capture and the weak adaptability of analysis methods, this thesis first proposes a method that combines LKM static analysis and dynamic tracking to acquire LKM function calls. In this method, the user-defined functions and dependent functions of the LKM obtained from static analysis are used as the input of dynamic tracking, and a prefix tree with virtual child nodes is used to store the function call sequences. The tracking range of LKM function calls is expanded, and both the breadth and the depth of the sequences are taken into account. In order to extract useful information from the LKM function call sequences and adapt to the characteristics of kernel call sequences, this thesis uses the depth of a function in the call stack and the number of times the function is called as a weight measure added to the mining algorithm, which solves the problem of too many redundant items produced by unweighted function call analysis. On this basis, a two-stage weighted pattern miner (TSWP-miner) algorithm is proposed, using a hash-table-mapped bit matrix as its search space, which can effectively mine the weighted frequent patterns of LKM function call sequences. By analyzing the function calls of modules loaded in the experimental environment, and comparing against static analysis and dynamic tracking alone, it is found that the proposed function tracking method obtains a wider range of LKM function calls, effectively detects potential LKM function calls, and achieves higher coverage of function nodes. On the same data set, the proposed weighted frequent pattern mining algorithm is compared with existing algorithms; the results show that it is more effective in both time efficiency and space efficiency, and that the larger the sequence database and the smaller the support threshold, the more pronounced the advantage. Finally, the target system is attacked using the Metasploit penetration tool, the LKM kernel function call sequences generated in the target system are tracked by the proposed method, and the proposed algorithm is used to mine the weighted sequence patterns, demonstrating its effectiveness.
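To make the weighting idea concrete, the following added example (not the thesis's code, and not TSWP-miner) stores constructed LKM call traces in a prefix tree and mines contiguous call patterns by weighted support. The weight formula (mean stack depth times call count, scaled to one) and the sample trace data are assumptions for illustration; the point shown is that the weighted threshold discards the redundant low-weight patterns that plain frequent-pattern mining keeps.

```python
from collections import Counter
# Constructed sample: call sequences traced from a hypothetical LKM, as
# (function name, call-stack depth) pairs. Not data from the thesis.
TRACES = [
    [("lkm_init", 1), ("register_chrdev", 2), ("kmalloc", 3)],
    [("lkm_ioctl", 1), ("copy_from_user", 2), ("kmalloc", 3), ("printk", 2)],
    [("lkm_ioctl", 1), ("copy_from_user", 2), ("kmalloc", 3)],
    [("lkm_exit", 1), ("unregister_chrdev", 2), ("kfree", 3)],
]

def function_weights(traces):
    """Assumed weighting: mean stack depth x call count (= summed depth), scaled to [0, 1]."""
    depth_sum = Counter()
    for trace in traces:
        for fn, depth in trace:
            depth_sum[fn] += depth
    top = max(depth_sum.values())
    return {fn: d / top for fn, d in depth_sum.items()}

def build_prefix_tree(traces):
    """Prefix tree over every suffix of every trace: each node is one contiguous
    call pattern and records the ids of the traces that contain it."""
    root = {"children": {}, "ids": set()}
    for tid, trace in enumerate(traces):
        for start in range(len(trace)):
            node = root
            for fn, _depth in trace[start:]:
                node = node["children"].setdefault(fn, {"children": {}, "ids": set()})
                node["ids"].add(tid)
    return root

def mine(traces, min_wsup, weighted=True):
    """Return {pattern: weighted support} for call patterns of length >= 2, where
    weighted support = fraction of traces containing the pattern x mean function weight."""
    weights = function_weights(traces) if weighted else {}
    max_w = max(weights.values()) if weighted else 1.0
    root, found = build_prefix_tree(traces), {}
    def walk(node, pattern):
        for fn, child in node["children"].items():
            pat, support = pattern + (fn,), len(child["ids"]) / len(traces)
            # support shrinks deeper in the tree and mean weight <= max_w: sound prune bound
            if support * max_w < min_wsup:
                continue
            wsup = support * (sum(weights[f] for f in pat) / len(pat) if weighted else 1.0)
            if len(pat) >= 2 and wsup >= min_wsup:
                found[pat] = round(wsup, 4)
            walk(child, pat)
    walk(root, ())
    return found
```

With a threshold of 0.25, `mine(TRACES, 0.25, weighted=False)` reports all twelve contiguous patterns, while the weighted run keeps only the two deep, repeated ones around `copy_from_user` and `kmalloc`.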
Keywords/Search Tags: Linux Kernel Module, Function Call Tracing, Sequence Pattern Mining