摘要
针对现有操作系统函数调用关系构建方法存在依赖系统源代码、兼容性差的问题,提出了一种基于硬件虚拟化中断陷入机制的操作系统内核函数调用关系构建方法。该方法在操作系统内核函数的特定位置动态插入会引起虚拟化中断陷入的特殊指令覆盖内核特定位置的指令,实现在函数调用、被调用时触发虚拟化中断陷入,并在陷入后的虚拟机监控器中获取当前内核函数的调用信息,从而动态构建操作系统的内核调用关系。实验结果表明,本方法能在不依赖内核源码、编译器的情况下构建多种开源/闭源、32位/64位操作系统的内核函数调用关系,构建准确率为100%,查全率大于85%。该方法可用于操作系统内核安全分析及白名单构建等工作,具有一定的实用价值。
To improve the compatibility of operating system kernel function call relations generation,a generation method based on hardware virtualization is proposed. This method replaces the kernel instructions in specific position with special instructions. These special instructions trigger virtualization interrupt trapping when the function is calling or called. So the virtual machine monitor can dynamically generate the operating system’s kernel calling relations in the interrupt trapping. Experimental results show that this method can generate either open-source or closed-source,32 bit or 64 bit operating system’s kernel function calling relations without relying on kernel source code or compilers. The accuracy of the generation is 100% and recall is 85%. This method can be used in the operating system kernel security analysis and whitelist generation.
作者
刘望桐
罗森林
闫广禄
潘丽敏
QAMAS GUL KHAN SAFI
LIU Wangtong;LUO Senlin;YAN Guanglu;PAN Limin;QAMAS GUL KHAN SAFI(Information System and Security&Countermeasures Experimental Center,Beijing Institute of Technology,Beijing 100081,China)
出处
《吉林大学学报(信息科学版)》
CAS
2019年第1期40-46,共7页
Journal of Jilin University(Information Science Edition)
基金
国家242计划基金资助项目(2017A149)
北京理工大学科技创新计划重大基金资助项目(2011CX01015)
关键词
函数调用关系
操作系统内核
硬件虚拟化
function calling relation
operating system kernel
hardware virtualization
