基于结构体随机化的内核Rootkit防御技术

摘要

内核Rootkit对于操作系统来说是个严重的威胁。入侵者通过植入内核Rootkit，修改一些关键的内核结构体，实现恶意进程隐藏、日志文件删除、私密信息窃取等恶意行为。由于Rootkit主要通过篡改内核结构体对象来实现控制流截取，因此我们试图通过结构体随机化来防御这些入侵。在文中，作者提出了一种基于编译器的自动结构体随机化技术，解决了包括结构体的可随机化识别，随机化语义不变保护以及自动随机化等多个技术难题，最终利用随机环境下攻击者无法预知结构体域排列的特点，实现对内核Rootkit的防御。在实验环节，我们在被随机化的Linux系统中测试了已知的5种不同原理的8个真实的Rootkit，结果展示了我们的方法以几乎零负荷的代价防御了全部的Rootkit加载。%Kernel rootkit has been demonstrated as a serious operating system kernel threat.With the injection of the malicious rootkit into OS kernel,which tampers vital data structures,the intruder can deliver process hiding,log file deletion,privacy information stealing and othermalicious behaviors.Based on the basic insight of that rootkit interferes in OS kernel through data structures,in this paper,we present a compiler-based data structure randomization technique,which can identify the randomiz ability and achieve the randomization automatically withoutaltering the original semantics.With the random and unexpected data structure field sequence,the intrusion of kernel rootkit will fail.Through the experiments of eight well-known variousrootkits in five categories,we present that our approach is effective with almost zero overload.