Title: A Fine-grained Trusted Monitoring and Measurement Method Based on a Security-first Architecture
Authors: TIAN Jing, SUN Huiqi, WU Xiyao, JIA Xiaoqi, ZHANG Weijuan, HUANG Qingjia
Affiliations (in author order): Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100049, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100049, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100049, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100049, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100049, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100049, China
Funding: This work was supported by the Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences; the Beijing Key Laboratory of Network Security and Protection Technology; the Beijing Municipal Science and Technology Project (No. Z191100007119010); and the National Natural Science Foundation of China (No. 61772078).
Abstract: Rootkits on Linux typically compromise kernel integrity by modifying data at key locations in the system kernel. Trusted computing is an important method for protecting kernel integrity and can be used to monitor rootkit attacks. Compared with traditional passive trusted computing systems, active trusted computing systems are transparent to upper-layer applications, fully isolate the security mechanism from the computing function, and keep the root of trust entirely under hardware protection, so they can protect kernel integrity more effectively. However, current active trusted monitoring and measurement methods produce coarse-grained monitoring results and cannot provide defenders with the detailed information needed to counter attacks. To address this problem, this paper proposes a fine-grained trusted monitoring and measurement method based on a security-first architecture: the security domain parses the memory semantics of the computing domain to perform fine-grained trusted measurement at the symbol level, yielding monitoring results that can be used to analyze attacks. Experiments show that when the computing domain is attacked by a rootkit, the method detects all tampered symbols in the .text and .rodata sections; the fine-grained monitoring results can be used to analyze the rootkit's attack techniques and objectives, and the method has almost no impact on the performance of the computing domain.

Keywords: trusted computing; security-first architecture
Received: 2019/6/4
Revised: 2019/8/15

A Fine-grained Trusted Monitoring Measurement Method Based on Security-first Architecture
Authors:TIAN Jing  SUN Huiqi  WU Xiyao  JIA Xiaoqi  ZHANG Weijuan and HUANG Qingjia
Affiliation (in author order): Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100049, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100049, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100049, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100049, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100049, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100049, China
Abstract: Rootkits under Linux usually destroy the integrity of the system by modifying data at key locations in the system kernel. Trusted computing is one of the important methods for protecting system integrity and can be used to monitor rootkit attacks. Compared with the traditional passive trusted computing system, the active trusted computing system is transparent to upper-layer applications, its security mechanism and computing function are fully isolated, and its root of trust is completely protected by hardware, so it can protect the integrity of the system kernel more effectively. However, current active trusted monitoring measurement methods suffer from coarse-grained monitoring results, which cannot provide defenders with the detailed information needed to counter attacks. To solve this problem, this paper proposes a fine-grained trusted monitoring measurement method based on a security-first architecture: the security domain implements fine-grained trusted measurement at the symbol level by parsing the memory semantic information of the computing domain, and obtains monitoring results that can be used to analyze attacks. Experiments show that this method can detect all tampered symbols of the .text and .rodata segments when the computing domain is attacked by a rootkit. The fine-grained monitoring results obtained by this method can be used to analyze the rootkit's attack means and purpose, and the method has little effect on the performance of the computing domain.
Keywords:trusted computing  security-first architecture