基于内核函数监控的Linux系统防护方法的研究与实现

Study and Implementation of Systematic Protection by Monitoring Abnormal Invocation of Linux Kernel Functions

伴随Linux操作系统在服务器市场所占份额的迅速增长及其内核漏洞曝光率的不断增加,Linux内核安全已成为计算机系统安全领域的研究焦点之一。文章以运行Linux系统的服务器为研究对象,提出了一种基于内核函数监控的系统防护模型,试图通过限制相关服务进程所能访问的内核函数范围,使恶意攻击的难度加大进而增强Linux内核安全,同时通过对内核函数各种异常调用情况的分级分类实时处理,从而提升整个服务器系统的安全水平。原型实验结果表明,文章所提方法能够及时检测到相关服务进程对内核函数的异常调用情况,并给以适当的报警或拦截处理,而且由此带来的额外开销完全可以承受,从而验证了本文方法的可行性和有效性。与内核安全防护的其他研究工作相比,文章所提方法所涉内核防护覆盖范围更大且无需重新编译构建内核映像,并切实做到了监测与防护的有机结合。

With the wide application of Linux operating systemin the servers and the continuous exposure of kernel vulnerabilities, Linux kernel security has become one of the research focuses in the fields of computer system security. As for the server running Linux system, this paper proposed a system protection model by the way of monitoring kernel functions. It limits the kernel functions that can be accessed by the related daemons and increases the difficulty of malicious attacksso as to enhance the security of Linux kernel.Moreover, some real-time categorical processing is introduced for various abnormal invocations to the kernel functions so that the security level of the entire server system is promoted. Experimental results show that the proposed method can indeed detect the abnormal invocations of the kernel functions timely followed by some appropriate alarming or interception measures. Furthermore, the additional overloads are not too much such that the method is verified to be feasible and effective. Compared with other research work about kernel security, this method can protectbroader kernel coverage and it eliminates the need to recompile and reconstruct the kernel image while kernel monitoring and protection mechanisms are integrated organically.