Institutional Repository of the Institute of Software, Chinese Academy of Sciences
Title: Design and Implementation of a Kernel-Level Forensic System for Intrusion Attacks
Author: 周博文
Defense date: 2007-06-05
Degree-granting institution: Institute of Software, Chinese Academy of Sciences
Degree-granting location: Institute of Software
Degree: Doctorate (PhD)
Keywords: intrusion; computer forensics; operating system
Abstract: Since the Morris worm incident of 1988, intrusion has been regarded as the greatest threat to the security of computer information systems. In recent years a new computer security technique, computer forensics, has attracted wide attention and research. Computer forensics emerged in the early 1990s and developed rapidly in the 21st century; it is an interdisciplinary field between computer security and law. Existing forensic tools adopt a post-mortem approach and can only collect evidence by analysing disk images, which cannot meet the needs of intrusion forensics. Post-mortem forensics has its advantages, such as guaranteeing the authenticity and integrity of hard disk data, but it also has inherent shortcomings: it discards a large amount of valuable data generated while the system is running, and that information can be used to establish many details of the intruder's crime: the attack target, the intrusion method, the time of the intrusion, the address of the machine from which the intrusion was launched, and so on. The main goal of our research is to provide an effective computer forensic system oriented towards intrusion attacks. On the basis of analysing several kinds of buffer overflow attack, this thesis abstracts a general pattern of the intrusion process and proposes the requirements that a forensic system targeting intrusion attacks should satisfy: 1) record the operations of users and processes in real time, rather than only the results those operations produce; 2) be general to a certain degree, so that it can be customised as needed for different kinds of intrusion; 3) enforce a strict evidence protection mechanism to prevent evidence from being tampered with or deleted. Following this intrusion-oriented design approach, we implemented KIFS (Kernel Intrusion Forensics System), a forensic system that runs inside the operating system kernel, on FreeBSD. In real intrusion attack scenarios, KIFS satisfies the three requirements for a forensic system stated above. Finally, in an intrusion forensics experiment, using the evidence obtained by KIFS we successfully recorded and reconstructed the complete course of a local privilege escalation attack against a vulnerability in FreeBSD 4.3; we also measured the additional load that KIFS places on the system and compared the performance of a system running KIFS with that of an ordinary operating system, laying a foundation for subsequent research.
English abstract: Since the Morris worm incident of 1988, intrusion has been treated as the number one enemy of information system security. Recently, a new kind of security protection technique has drawn a lot of attention from both the research community and industry: computer forensics, which was first named in the early 1990s and developed quickly during the first years of the 21st century. Theories have been given and toolkits provided, which however are based solely on analysis of the post-mortem content of disks from compromised systems. This post-mortem way of addressing forensic problems is derived from law enforcement practice. Though it has several strengths, such as preserving the originality and integrity of data on disks, the post-mortem method is inherently weak at collecting the runtime information generated in memory by the suspect's process, which is important for intrusion evidence collection and subsequent analysis. The main goal of our research is to develop an intrusion-oriented forensic system for collecting evidence against intrusions effectively. We analysed several variants of buffer overflow attack and abstracted a general pattern from these attacks. Based on this abstraction of the intrusion pattern we present the basic characteristics of an intrusion forensic system: 1) recording at runtime both the sequence of process operations and the results of those operations; 2) configurability, allowing the user to define the proper forensic range of objects in the system; 3) a strict evidence protection mechanism to prevent the attacker from destroying the traces of the intrusion. Having given the specification of the design requirements and the forensic model of the system, we implemented a forensic system prototype, KIFS (Kernel Intrusion Forensic System), based on that model. In an experiment aimed at collecting evidence against a real-world exploit in the FreeBSD 4.3 operating system, according to the results given by KIFS, we successfully recorded the details of the intrusion and reconstructed the whole incident. Besides, we compared the performance of systems with and without KIFS and discussed the reasons for the system overhead added by KIFS, which could be a future research topic.
Language: Chinese
Content type: Dissertation
URI: http://ir.iscas.ac.cn/handle/311060/6254
Appears in Collections: Institute of Software, CAS

Files in This Item:
File Name / File Size / Content Type / Version / Access / License
10001_200428015029026周博文_paper.doc (1819KB) / restricted access / contact the repository to obtain the full text

Recommended Citation:
周博文. Design and Implementation of a Kernel-Level Forensic System for Intrusion Attacks [D]. Institute of Software. Institute of Software, Chinese Academy of Sciences. 2007-06-05.