Research on and Improvement of the Stealth of Kernel-Mode Rootkits
Abstract
As the importance of information security grows, network attack and defense techniques are developing rapidly, and research on remote control technology has become one of the hot topics in network attack and defense research. A rootkit is an effective tool for long-term covert control of a computer system, and research on rootkit technology is an important component of remote control research. On Windows systems, kernel-mode rootkits are more complete in stealth and more powerful in functionality than user-mode rootkits, so kernel-mode rootkits will become the main direction of research on remote control technology for Windows.
     At present, kernel-mode rootkits mainly use kernel API hooking and direct kernel object manipulation for in-memory hiding, and establish covert channels by injecting into trusted processes. The improved kernel-mode rootkit addresses the strengths and weaknesses of these approaches with appropriate improvements in three areas. For hiding the autostart mechanism, reverse analysis yields a loading form that effectively evades system detection software. For memory hiding, existing kernel-mode rootkits can alter the execution path of system calls but corrupt the operating system's memory subsystem; the improved rootkit uses the x86 memory paging mechanism and TLB desynchronization to separate memory access requests, thereby hiding the rootkit's code pages in memory. For remote data communication, existing rootkits mostly use port reuse and reverse connection techniques to make the firewall trust the connection; the improved rootkit instead builds on the structure of the low-level network driver interface in the Windows network architecture and proposes a covert low-level network communication mechanism based on hooking kernel functions of that interface. This communication method needs neither a listening port nor an established connection, can effectively penetrate filtering network firewalls, and can bypass the host firewall for remote communication.
     Analysis of the improved design's test results under rootkit detection tools shows that the improved kernel-mode rootkit is somewhat stronger in stealth: it evades scans for memory signatures and effectively penetrates filtering network firewalls. In summary, stealth is the most important issue in the design and implementation of a kernel-mode rootkit system and the key determinant of the overall system's quality.
As the importance of information security rises rapidly, network attack and security techniques progress and mature continuously, and research on remote control techniques has become a hot focus. A rootkit is a tool used to control a target's computer system permanently and secretly after successfully breaking into it, and rootkit technique plays an important role in remote control research. The kernel rootkit is much more powerful than the userland rootkit, so the kernel-based rootkit is the future of remote control technique on the Windows system.
     In existing kernel rootkits, kernel API hooking and direct kernel object manipulation are used to hide the rootkit in system memory, and code injection into a trusted process is used to bypass the firewall stealthily. Our advanced kernel rootkit makes three definite improvements over existing kernel rootkits. In launch hiding, a new loading pattern that effectively evades the detection system was chosen through reverse analysis of the system kernel. In memory hiding, current rootkits can easily control the execution path of a system call but essentially subvert the operating system's memory management subsystem; our advanced kernel rootkit instead filters memory accesses by using the memory paging mechanism and desynchronizing the Pentium TLB architecture, and thereby hides both its changes to executable code and its own code from view. In data transmission, most existing rootkits adopt port reuse and code injection techniques to deceive a common firewall; these are either specific to a firewall implementation or rely on the incompetence of a user. In our advanced kernel rootkit, data transmission is a low-level communication mechanism based on modification of the NDIS network protocol stack. This mechanism hooks the NDIS protocol stack according to the rules of the network firewalls and can effectively penetrate packet-filtering firewalls and most kinds of local desktop firewalls.
     Analysis of confrontation with current rootkit detection tools shows a definite improvement in the hiding ability of our advanced kernel rootkit. How a rootkit hides its behavior and its own existence is therefore the key problem in the implementation of a rootkit system.
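Both abstracts above name kernel API hooking as the main in-memory hiding technique and hooking of the NDIS protocol stack as the basis of the covert channel. Each of these redirects entries of a kernel dispatch table (the system service table, or a protocol's handler table) into the rootkit's own code. The following Python script is an added example, not code from the thesis, showing the detection heuristic a rootkit scanner applies to such a table: every entry must resolve into the module expected to own it, and must match a trusted baseline snapshot. The module names, address ranges and table contents are constructed sample values, not real Windows addresses.

```python
"""
Dispatch-table integrity check (added example, not from the thesis).

Detection heuristic: every entry of a kernel dispatch table must resolve to
the loaded module that is expected to own that table. Entries pointing to
unmapped memory (a hidden driver that is absent from the module list) or into
a different module are reported. A second, independent check compares the
live table against a trusted snapshot taken at boot.

All addresses, module names and table contents are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ModuleRange:
    """A loaded kernel module: name plus its [base, base + size) address range."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def resolve_module(addr: int, modules: List[ModuleRange]) -> Optional[ModuleRange]:
    """Return the loaded module covering addr, or None if addr is unmapped."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def check_dispatch_table(
    table: List[int],
    modules: List[ModuleRange],
    expected_owner: str,
) -> List[Tuple[int, int, str]]:
    """
    Return (index, pointer, reason) for every entry that does not resolve
    into the module expected to own the table.
    """
    findings = []
    for idx, ptr in enumerate(table):
        owner = resolve_module(ptr, modules)
        if owner is None:
            findings.append((idx, ptr, "points to unmapped memory"))
        elif owner.name != expected_owner:
            findings.append((idx, ptr, f"points into {owner.name}"))
    return findings


def diff_against_baseline(current: List[int], baseline: List[int]) -> List[int]:
    """Indices whose pointer differs from a trusted boot-time snapshot."""
    return [i for i, (a, b) in enumerate(zip(current, baseline)) if a != b]


# Constructed sample module list: the kernel image and the NDIS driver.
SAMPLE_MODULES = [
    ModuleRange("ntoskrnl.exe", 0x80400000, 0x00200000),
    ModuleRange("ndis.sys", 0xF8300000, 0x00040000),
]

# Constructed baseline: eight service-table entries, all inside ntoskrnl.exe.
BASELINE_SSDT = [0x80400000 + 0x1000 * (i + 1) for i in range(8)]

# Constructed live snapshot: entry 3 redirected to an address outside every
# listed module (a driver hidden from the module list), entry 6 redirected
# into ndis.sys, which is not the expected owner of this table.
LIVE_SSDT = list(BASELINE_SSDT)
LIVE_SSDT[3] = 0xF9A00120
LIVE_SSDT[6] = 0xF8301000


def run_sample() -> Dict[str, object]:
    """Run both checks over the constructed live table."""
    findings = check_dispatch_table(LIVE_SSDT, SAMPLE_MODULES, "ntoskrnl.exe")
    changed = diff_against_baseline(LIVE_SSDT, BASELINE_SSDT)
    return {"findings": findings, "changed": changed}


if __name__ == "__main__":
    result = run_sample()
    for idx, ptr, reason in result["findings"]:
        print(f"entry {idx}: 0x{ptr:08X} {reason}")
    print("entries differing from baseline:", result["changed"])
```

The two checks are complementary: the owner check needs no prior state but misses a hook that lands inside the expected module (for example an inline patch of a legitimate function), while the baseline diff catches any change but depends on the snapshot having been taken before the system was compromised. A scanner that relies on a single heuristic is exactly what the abstracts describe as being evaded.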
NGLC 2004-2010.National Geological Library of China All Rights Reserved.