Research and Implementation of Intranet Security Protection Technology
Abstract
With the rapid expansion of informatization worldwide, computer networks have become part of people's daily work and life. As the channel through which information flows inside an organization, the intranet faces a severe security situation. Network crime tied to real-world gains keeps emerging, and electronic files are easier to copy and distribute than traditional paper documents, so intranet data-leakage incidents occur frequently. Ensuring intranet security has therefore become an important aspect of research in network security.
     This thesis summarizes the specific problems facing intranet security and analyzes the shortcomings of existing intranet security technologies in dealing with them. Addressing these shortcomings and taking the characteristics of intranets into account, it proposes a host-based intranet security protection technique that starts from the operating system security and file security of intranet hosts. The technique can effectively detect and block intrusions of intranet hosts by malicious programs or hacker backdoor programs and protect the important files on the host, thus providing dual protection for intranet information. The thesis describes the goals and concrete functions of operating system security hardening and file protection; for the Windows NT platform, it analyzes the working principles of system service dispatch table (SSDT) hooks, inline hooks and file system filter drivers; it focuses on the design of Windows NT security hardening and file protection and the implementation flow of each sub-module, and explains key issues such as cache management and encryption-flag management in detail; finally, test cases are written for both parts, the tests are run and the final results are given.
With the rapid development of global information technology, computer networks have become part of people's daily work and life. As a means to convey information within organizations, internal networks are facing severe security risks. At present, more and more cybercrime is associated with practical interests. In addition, electronic files can be copied and disseminated more easily than traditional paper documents. These lead to the frequent occurrence of the divulgence of confidential information within internal networks. Therefore, ensuring the security of internal networks is an important problem in the field of network security.
     This paper summarizes the specific issues of internal network security, and analyzes the shortcomings of the existing internal network security technologies. Taking into account these shortcomings and the features of the internal network, this paper presents a host-based internal network security method from the perspective of operating system security and file security. It can ensure the security of files and prevent the host from being intruded upon by malware and backdoors. In this way it provides double protection for internal network information. This paper describes the goals and desired properties of operating system security and file protection, and analyzes the principles of the system service dispatch table hook, the inline hook and the file system filter driver on the Windows NT platform. Then the main idea and implementation of Windows NT security hardening and file protection are introduced. Some of the key problems, such as cache management and encryption flag management, are described in detail. Finally, we test the functionalities of these two measures using our own test cases and present the results.
