We propose an intrusion prevention system called WHIPS that controls, entirely in kernel mode, the invocation of the system calls that are critical to the security of the Windows OS. WHIPS is implemented as a kernel driver (also called a kernel module) that uses the kernel structures of the Windows OS. It is integrated without requiring changes to either the kernel data structures or the kernel algorithms. WHIPS is also transparent to application processes, which continue to work correctly without source code changes or recompilation. A working prototype has been implemented as a kernel extension and is applicable to all operating systems of the Windows NT family, e.g. Windows 2000/XP/2003. The first contribution of WHIPS is to apply the system call interposition technique to the Windows OS, which is not open source. Applying this technique to Windows is not straightforward, in part because the Windows kernel structures are hidden from the developer and the kernel documentation is poor.
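To make the interposition technique concrete, the following is an added example, written for this page and not taken from the WHIPS paper: a user-space C simulation of a kernel-mode system call interposer. It assumes that the kernel dispatches system services through a table of routine pointers indexed by service number (on 32-bit Windows NT this is the system service descriptor table reached through KeServiceDescriptorTable); the abstract does not say which kernel structure WHIPS patches, so the service table, the two services, the policy rules and the file and process names below are all constructed for illustration. The hook saves the original entry, installs itself, checks a policy on the caller's arguments, and forwards to the original only when the policy allows.

```c
/* Added example (not code from the WHIPS paper): a user-space simulation of
 * system-call interposition by table patching. Assumption: the kernel reaches
 * each system service through a table of routine pointers indexed by service
 * number (the SSDT on 32-bit Windows NT). Everything below is constructed. */
#include <stdio.h>
#include <string.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0)
#define STATUS_ACCESS_DENIED          ((NTSTATUS)0xC0000022) /* real NTSTATUS code */
#define STATUS_INVALID_SYSTEM_SERVICE ((NTSTATUS)0xC000001C) /* real NTSTATUS code */

enum { SVC_OPEN_FILE = 0, SVC_TERMINATE_PROCESS = 1, SVC_COUNT = 2 };

/* Simplified service signature: every routine takes one string argument. */
typedef NTSTATUS (*service_fn)(const char *arg);

/* Simulated service table, plus the saved originals needed to forward and to unload. */
static service_fn service_table[SVC_COUNT];
static service_fn saved_original[SVC_COUNT];

/* Counters let a caller observe whether the underlying service actually ran. */
static int open_file_calls;
static int terminate_calls;

/* "Original" kernel services: they only record that they were reached. */
static NTSTATUS kernel_open_file(const char *path) {
    (void)path; open_file_calls++; return STATUS_SUCCESS;
}
static NTSTATUS kernel_terminate_process(const char *image) {
    (void)image; terminate_calls++; return STATUS_SUCCESS;
}

/* Constructed policy: no opens under a protected directory, no killing lsass.exe. */
static const char PROTECTED_DIR[]     = "C:\\Windows\\System32\\drivers\\";
static const char PROTECTED_PROCESS[] = "lsass.exe";

static int policy_allows(int svc, const char *arg) {
    if (arg == NULL) return 0;  /* a kernel hook must never trust a caller-supplied pointer */
    switch (svc) {
    case SVC_OPEN_FILE:
        return strncmp(arg, PROTECTED_DIR, sizeof PROTECTED_DIR - 1) != 0;
    case SVC_TERMINATE_PROCESS:
        return strcmp(arg, PROTECTED_PROCESS) != 0;
    default:
        return 1;
    }
}

/* Hooks: enforce the policy, then forward to the saved original routine. */
static NTSTATUS hook_open_file(const char *path) {
    if (!policy_allows(SVC_OPEN_FILE, path)) return STATUS_ACCESS_DENIED;
    return saved_original[SVC_OPEN_FILE](path);
}
static NTSTATUS hook_terminate_process(const char *image) {
    if (!policy_allows(SVC_TERMINATE_PROCESS, image)) return STATUS_ACCESS_DENIED;
    return saved_original[SVC_TERMINATE_PROCESS](image);
}

/* The point a user-mode syscall stub reaches after the trap into the kernel. */
static NTSTATUS dispatch(int svc, const char *arg) {
    if (svc < 0 || svc >= SVC_COUNT) return STATUS_INVALID_SYSTEM_SERVICE;
    return service_table[svc](arg);
}

static void init_service_table(void) {
    service_table[SVC_OPEN_FILE]         = kernel_open_file;
    service_table[SVC_TERMINATE_PROCESS] = kernel_terminate_process;
    open_file_calls = terminate_calls = 0;
}

/* DriverEntry equivalent: save the original entries, then swap in the hooks. */
static void install_hooks(void) {
    saved_original[SVC_OPEN_FILE]         = service_table[SVC_OPEN_FILE];
    saved_original[SVC_TERMINATE_PROCESS] = service_table[SVC_TERMINATE_PROCESS];
    service_table[SVC_OPEN_FILE]          = hook_open_file;
    service_table[SVC_TERMINATE_PROCESS]  = hook_terminate_process;
}

/* DriverUnload equivalent: restore the original entries so the kernel is unchanged. */
static void uninstall_hooks(void) {
    service_table[SVC_OPEN_FILE]         = saved_original[SVC_OPEN_FILE];
    service_table[SVC_TERMINATE_PROCESS] = saved_original[SVC_TERMINATE_PROCESS];
}

static int open_file_call_count(void) { return open_file_calls; }
static int terminate_call_count(void) { return terminate_calls; }

int main(void) {
    init_service_table();
    install_hooks();
    printf("open driver file:  0x%lX\n", (unsigned long)dispatch(SVC_OPEN_FILE, "C:\\Windows\\System32\\drivers\\ntfs.sys"));
    printf("open user file:    0x%lX\n", (unsigned long)dispatch(SVC_OPEN_FILE, "C:\\Users\\alice\\notes.txt"));
    printf("kill lsass.exe:    0x%lX\n", (unsigned long)dispatch(SVC_TERMINATE_PROCESS, "lsass.exe"));
    uninstall_hooks();
    printf("kill after unload: 0x%lX\n", (unsigned long)dispatch(SVC_TERMINATE_PROCESS, "lsass.exe"));
    return 0;
}
```

Two caveats a practitioner would want before trying this on a real kernel. First, the simulation writes to an ordinary array; the real SSDT lives in a write-protected page, so a driver must map it writable before patching, and on 64-bit Windows Kernel Patch Protection (PatchGuard) bug-checks the system when the SSDT is modified, which is why this approach is confined to the 32-bit NT family the abstract names. Second, a real hook receives user-mode pointers and runs at kernel privilege, so every argument it inspects must be probed and copied before use; the NULL check above stands in for that step.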