Funding: supported in part by the National High Technology Research and Development Program of China (863 Program) under Grant No. 2009AA01Z433, the Project of National Ministry under Grant No. A21201-10006, and the Open Foundation of State Key Laboratory of Information Security (Institute of Information Engineering, Chinese Academy of Sciences) under Grant No. 2013-4-1
Abstract: Kernel hooks are very important control data in the OS kernel. Once these data are compromised by attackers, they can change the control flow of the OS kernel's execution. Previous solutions suffer from limitations in that: 1) some methods require modifying the source code of the OS kernel and kernel modules, which is less practical for wide deployment; 2) other methods cannot well protect the kernel hooks and function return addresses inside kernel modules whose memory locations cannot be predetermined. To address these problems, we propose OPKH, an on-the-fly hook protection system based on virtualization technology. Compared with previous solutions, OPKH offers the protected OS a fully transparent environment and easy deployment. In general, the working procedure of OPKH can be divided into two steps. First, we utilise memory virtualization for offline profiling so that the dynamic hooks can be identified. Second, we exploit the online patching technique to instrument the hooks for run-time protection. The experiments show that our system can protect the dynamic hooks effectively with minimal performance overhead.
Abstract: NPPs (nuclear power plants), being vital objects of an energy infrastructure, must be protected against malicious actions affecting their safety, and cyber security plays a key part in attaining this goal. The paper considers a system of unauthorized access protection, implemented by the authors within the project of an advanced digital control system for an NPP with the VVER-1000 reactor, partially built on the technology of AA (active audit) and an expert system. The AA technology is based on the system's response to a deviation of the current signature of the automated process control system from its stable state, rather than on a certain signature of attack, and relies on the estimation of the behavioral models of the particular digital control system. The advent of active audit reflects the current situation in digital control systems, where complex distributed platforms are used to construct the automated process control system. Active audit allows one to make the digital control system functionally closed, provided that it is determinate. The methodology of active audit does not give up external (barrier) and traditional (password, antivirus) methods of unauthorized access protection. These methods can be used when it is appropriate to achieve a required protection level.