Institute of Software, Chinese Academy of Sciences Institutional Repository (ISCAS OpenIR)
Title: Research and Implementation of Kernel-Level Trojan Horse Hiding Technology
Author: 孙淑华
Defense date: 2004
Discipline: Computer Application Technology
Degree-granting institution: Institute of Software, Chinese Academy of Sciences
Place of conferral: Institute of Software, Chinese Academy of Sciences
Degree: Doctor (PhD)
Keywords: Trojan horse ; backdoor ; covert channel ; hiding ; detection ; memory mapping
Other title: Research and Implementation on Hiding Technology of Kernel Trojan Horse
Abstract: The Trojan horse is one of the main means of network attack, and its primary characteristic is stealth. After a target system has been compromised, a Trojan horse can maintain control over it and, by lying dormant for long periods and acting with a delay, remain hidden in order to obtain continuous political, economic, military or commercial intelligence. Within network attack technology, Trojan horse technology is an important research area. Trojan horse attack, detection and removal techniques have potential applications in military and national security departments, so their study is of great significance; under the current conditions of multidimensional information warfare, strengthening work in this area is urgent. The research in this thesis is based on the National "863" Program project "Research on Trojan Horse Hiding Technology". It studies in depth the hiding techniques of kernel-level Trojan horses on Linux, analyzes and summarizes existing Trojan horse hiding and detection techniques, dissects the well-known kernel-level Trojan horse SucKit, points out its shortcomings, proposes improvements and an implementation scheme, and develops a kernel-level Trojan horse prototype, Longshadow. Longshadow is based on Silvio Cesare's idea of modifying the kernel of a running system without LKM support. It does not achieve hiding by modifying system call pointers to redirect system calls; instead it builds a second system call table in the kernel, so checking the system call table for changes cannot reveal the Trojan horse. It therefore evades the scanning tool Kstat, which detects LKM Trojan horses by detecting system call redirection. chkrootkit, another LKM detection tool, works by matching signatures of malicious code, and Longshadow evades it as well. StMichael-LKM is a tool that detects kernel modifications; Longshadow evades it by first locating StMichael-LKM and then disabling it. Because the Longshadow prototype uses covert channel techniques to hide its communication, it also evades detection by RealSecure/Snort. The main innovations of this thesis are the use of covert channel techniques and real-time anti-detection techniques to improve communication hiding and resistance to real-time detection. In addition, the thesis analyzes and summarizes detection techniques for each stage of the Trojan horse attack process. Of course, as network security technology continues to develop, Trojan horse scanning and detection techniques keep deepening, so Trojan horse hiding techniques must keep improving as well. Trojan horse hiding and detection techniques stand in the relationship of attack and defense, spear and shield; they drive each other forward and advance in a spiral.
English abstract: Trojan horse attack is an important means of network attack, whose chief feature is hiding. After breaking into a target system, it can keep control of it and continue to gain political, economic, military and/or commercial information from the target system, hiding for a long time and acting with a lag. Within network attack, Trojan horse attack technology is an important research field. Trojan horse attack, detection and cleaning technology have many application prospects and important research significance in the departments of military and national security, so it is very urgent to enhance this work under the situation of multidimensional information war. In this paper, based on the National 863 Project "Research on Hiding Technology of Trojan Horse" (National Network and Information Security Development Planning), we mainly implement a kernel Trojan horse prototype, LongShadow, by analyzing, studying and summing up the hiding and detecting technology of current kernel Trojan horses on the Linux platform, and by analyzing the famous kernel Trojan horse SucKit, pointing out its merits and demerits and putting forward corrective opinions and an implementation scheme. The Trojan horse prototype LongShadow is based on Silvio Cesare's idea of how to modify the kernel in a running Linux system without LKM support. It achieves hiding not by modifying syscall pointers to perform syscall redirection, but by making another syscall table, so it cannot be found by detecting tools that detect syscall table modification, including Kstat, which detects LKM Trojan horses by detecting syscall redirection, Chkrootkit, which detects Trojan horses by matching malicious code fingerprints, and StMichael-LKM, which detects kernel modification. Especially, with regard to StMichael-LKM, the Trojan horse prototype LongShadow can escape it by first locating it and then invalidating it. In communication hiding, LongShadow makes use of covert channel technology, so it succeeds in escaping detection by the NIDS RealSecure/Snort. The innovations of this paper lie in improving the capability of communication hiding and self-hiding by making use of covert channel and real-time anti-detection technology. In addition, this paper also analyzes and sums up Trojan horse detecting technology according to the various phases of a Trojan horse attack. Of course, with the development of network security technology, Trojan horse scanning and detecting technology is unceasingly improved, and this in turn drives progress in Trojan horse hiding technology. The relationship between Trojan horse hiding technology and detecting technology is that of attack and defence, spear and shield. They give impetus to each other and develop in spirals.
Language: Chinese
Content type: Doctoral thesis
URI: http://ir.iscas.ac.cn/handle/311060/7104
Appears in Collections: Institute of Software, Chinese Academy of Sciences

Files in This Item:
File Name / File Size / Content Type / Version / Access / License
LW014105.pdf (2550KB) -- restricted access -- contact the repository for the full text

Recommended Citation:
孙淑华. Research and Implementation of Kernel-Level Trojan Horse Hiding Technology [D]. Institute of Software, Chinese Academy of Sciences. Institute of Software, Chinese Academy of Sciences. 2004-01-01.