基於 eBPF 偵測 Kernel-Level 具隱匿性 Rootkit

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：100

、訪客IP：3.144.252.49

姓名

游允喆(Yun-Che Yu) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

基於 eBPF 偵測 Kernel-Level 具隱匿性 Rootkit
(Kernel-Level Hidden Rootkit Detection Based on eBPF)

相關論文

★ 無線行動隨意網路上穩定品質服務路由機制之研究	★ 應用多重移動式代理人之網路管理系統
★ 應用移動式代理人之網路協同防衛系統	★ 鏈路狀態資訊不確定下QoS路由之研究
★ 以訊務觀察法改善光突發交換技術之路徑建立效能	★ 感測網路與競局理論應用於舒適性空調之研究
★ 以搜尋樹為基礎之無線感測網路繞徑演算法	★ 基於無線感測網路之行動裝置輕型定位系統
★ 多媒體導覽玩具車	★ 以Smart Floor為基礎之導覽玩具車
★ 行動社群網路服務管理系統－應用於發展遲緩兒家庭	★ 具位置感知之穿戴式行動廣告系統
★ 調適性車載廣播	★ 車載網路上具預警能力之車輛碰撞避免機制
★ 應用於無線車載網路上之合作式交通資訊傳播機制以改善車輛擁塞	★ 智慧都市中應用車載網路以改善壅塞之調適性虛擬交通號誌

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

至系統瀏覽論文 ( 永不開放)

摘要(中)

隨著網際網路的快速發展，企業將資料與服務交由雲服務託管已是目前的趨勢，其中虛擬化技術（Virtualization）在此扮演整個雲端運算的重要角色，藉由抽象化技術將伺服器資源切割，使一台伺服器能同時向多個不同的使用者在隔離的環境中提供服務，這種技術讓伺服器資源使用更有效率與安全。然而虛擬化技術的普及也帶來了新的安全威脅，尤其是rootkit的潛在危害，這類惡意軟體在獲得系統控制權後具有隱藏攻擊者行為的能力，其中kernel-level rootkit更具威脅性且更難以偵測。對於rootkit攻擊的防禦，擴展柏克萊封包過濾器（extended Berkley Packet Filter, eBPF）技術尤其適合，eBPF透過kprobe與tracepoint讓使用者能在系統特定函數執行前後執行自定義的程式，這種程式能存取函數的參數、回傳值與呼叫堆疊（Call Stack）等相關資訊。
為了防止kernel-level rootkit的攻擊，本論文提出了一種Hidden Kernel Rootkit Detector（HKRD）針對Linux kernel-level rootkit隱藏物件的偵測機制，利用eBPF技術在系統呼叫（system call）時與備份的位址比對檢查系統呼叫是否受到劫持，若受到劫持則將其恢復為原本的系統呼叫位址並將攻擊者從系統中移除。在系統發生上下文交換（context switch）前檢查即將執行的行程（process）與模組（module）的完整性，並在 socket傳送或接收訊息前檢查socket是否存在於系統中，以防禦Direct Kernel Object Manipulation（DKOM）攻擊，若系統物件受到竄改則將其恢復至原本的狀態並從系統中移除。
根據實驗結果本論文提出的HKRD架構其中平均CPU使用率為0.35%，較 rkhunter 少了 5.34 倍，較 HBRAD 少了 23.84 倍，平均記憶體使用量為2.66 MB，較 rkhunter 少了 3.24 倍，較 HBRAD 少了 5.5 倍，平均的網路吞吐量為 4.62 Gb/s，較 rkhunter 多了 1.01 倍，較 HBRAD 多了 1.25 倍。

摘要(英)

In light of the accelerated growth of the Internet, it has become a prevalent practice among enterprises to outsource their data and services to cloud hosting. Virtualization technology plays a pivotal role in this process, as it enables the abstraction of technology, thereby dividing server resources. This allows a server to simultaneously serve numerous users in disparate environments, enhancing the efficiency and security of server resources. This technology enhances the efficiency and security of server resource utilization. However, the popularity of virtualization technology also introduces new security threats, particularly the potential harm of rootkit malware. A rootkit is a type of malware that has the ability to hide the attacker′s behavior after gaining control of the system. Kernel-level rootkits are particularly threatening and more difficult to detect. In order to defend against rootkit attacks, the extended Berkeley Packet Filter (eBPF) technology is particularly suitable. eBPF allows users to execute custom programs before and after the execution of system-specific functions through kprobe and tracepoint, which are able to access the parameters of the functions, return values, and call stacks. This program is therefore able to access information about function parameters, return values, and call stacks.
In order to prevent kernel-level rootkit attacks, this paper proposes a Hidden Kernel Rootkit Detector (HKRD) for Linux kernel-level rootkit hidden object detection mechanism. The proposed mechanism utilizes the eBPF technique to compare the address of the rootkit with the backed-up address during a system call, thereby enabling the detection of hidden rootkits at the kernel level. The proposed mechanism employs the eBPF technique to ascertain whether the system call has been compromised. This is achieved by comparing the current system call address with a stored backup. In the event of a hijacking, the original system call address is restored and the attacker is removed from the system. It is imperative to ascertain the integrity of the forthcoming process and module prior to a context switch in the system. Furthermore, it is of paramount importance to determine the existence of the socket within the system before it transmits or receives a message, in order to forestall a Direct Kernel Object Manipulation (DKOM) attack. In the event of a DKOM (Direct Kernel Object Manipulation) attack, the system object in question is restored to its original state and removed from the system.
The experimental results indicate that the average CPU utilization of the proposed HKRD architecture is 0.35%, which is 5.34 times less than rkhunter and 23.84 times less than HBRAD. Additionally, the average memory usage is 2. The average memory usage is 66 MB, which is 3.24 times less than rkhunter and 5.5 times less than HBRAD. The average network throughput is 4.62 Gb/s, which is 5.5 times less than rkhunter. However, the average network throughput is 4.62 Gb/s, which is 1.01 times more than rkhunter and 1.25 times more than HBRAD.

關鍵字(中)

★ 雲端運算
★ eBPF
★ Rootkit
★ Linux
★ DKOM 攻擊

關鍵字(英)

★ Cloud Computing
★ eBPF
★ Rootkit
★ Linux
★ DKOM Attack

論文目次

摘要 i
Abstract iii
誌謝 v
目錄 vi
圖目錄 ix
表目錄 xi
第一章緒論 1
1.1. 概要 1
1.2. 研究動機 1
1.3. 研究目的 2
1.4. 章節架構 3
第二章背景知識與相關研究 4
2.1. Linux 4
2.1.1. Kernel Symbol Table 5
2.1.2. Proc File System (procfs) 6
2.1.3. Linux Kernel Module (LKM) 6
2.2. Rootkit 7
2.3. extended Berkley Packet Filter (eBPF) 7
2.3.1. Tracepoint 9
2.3.2. Kprobe 9
2.3.3. eBPF Map 10
2.4. 相關研究 10
第三章 HKRD 14
3.1. 系統架構與設計 15
3.2. 系統運作流程與實作 16
3.2.1. 系統呼叫劫持攻擊的偵測 17
3.2.2. 偵測 DKOM 隱匿行程 21
3.2.3. 偵測 DKOM 隱匿模組 24
3.2.4. 偵測 DKOM 隱匿網路連線 26
3.2.5. 針對 Kernel-Level Rootkit 之防禦 27
3.3. 系統環境與假設 30
第四章實驗與討論 32
4.1. 情境一：HKRD 功能性驗證 32
4.1.1. 實驗一：系統呼叫劫持攻擊偵測與移除之功能性驗證 32
4.1.2. 實驗二：DKOM 隱匿行程偵測與移除之功能性驗證 34
4.1.3. 實驗三：DKOM 隱匿模組偵測與移除之功能性驗證 36
4.1.4. 實驗四：DKOM 隱匿網路連線偵測與移除之功能性驗證 37
4.2. 情境二：效能比較 39
4.2.1. 實驗五：HKRD、rkhunter 和 HBRAD CPU 使用率比較 40
4.2.2. 實驗六：HKRD、rkhunter 和 HBRAD 記憶體使用量比較 41
4.2.3. 實驗七：HKRD、rkhunter 和 HBRAD 網路傳輸吞吐量比較 42
4.3. 情境三：Linux Kernel 版本通用性測試與 Unix Benchmark 測試 43
4.3.1. 實驗八：Linux Kernel 版本通用性測試 44
4.3.2. 實驗九：Unix benchmark 測試 45
第五章結論與未來研究方向 48
5.1. 結論 48
5.2. 研究限制 49
5.3. 未來研究 49
參考文獻 52

參考文獻

[1] B. Cinar and Jasmin Praful Bharadiya, “Cloud Computing Forensics; Challenges and Future Perspectives: A Review,” Asian Journal of Research in Computer Science, vol. 16, no. 1, pp. 1–14, May 2023, doi: https://doi.org/10.9734/ajrcos/2023/v16i1330.
[2] M. Nadim, W. Lee, and D. Akopian, “Kernel-level Rootkit Detection, Prevention and Behavior Profiling: A Taxonomy and Survey,” arXiv.org, Apr. 02, 2023.
https://arxiv.org/abs/2304.00473 (accessed Jul. 22, 2023).
[3] U. A. Butt, R. Amin, M. Mehmood, H. Aldabbas, M. T. Alharbi, and N. Albaqami, “Cloud Security Threats and Solutions: A Survey,” Wireless Personal Communications, vol. 128, no. 1, Sep. 2022, doi: https://doi.org/10.1007/s11277-022-09960-z.
[4] Z. Aalam, V. Kumar, and S. Gour, “A Review Paper on Hypervisor and Virtual Machine Security,” Journal of Physics: Conference Series, vol. 1950, no. 1, p. 012027, Aug. 2021, doi: https://doi.org/10.1088/1742-6596/1950/1/012027.
[5] Ö. Aslan, S. S. Aktuğ, M. Ozkan-Okay, A. A. Yilmaz, and E. Akin, “A Comprehensive Review of Cyber Security Vulnerabilities, Threats, Attacks, and Solutions,” Electronics, vol. 12, no. 6, p. 1333, Mar. 2023, doi: https://doi.org/10.3390/electronics12061333.
[6] F. Xiao, Z. Yang, J. Allen, G. Yang, G. Williams, and W. Lee, “Understanding and Mitigating Remote Code Execution Vulnerabilities in Cross-platform Ecosystem,”
Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, Nov. 2022, doi: https://doi.org/10.1145/3548606.3559340.
[7] V. Dakić, K. Jakobovic, and L. Zgrablic, “Linux Security in Physical, Virtual, and Cloud Environments,” 33rd International DAAAM Virtual Symposium on Intelligent Manufacturing & Automation, pp. 0151–0160, Jan. 2022, doi: https://doi.org/10.2507/33rd.daaam.proceedings.021.
[8] D. Soldani, P. Nahi, H. Bour, S. Jafarizadeh, Mohammed F. Soliman, Leonardo Di Giovanna, F. Monaco, G. Ognibene, and F. Risso “eBPF: A New Approach to Cloud-Native Observability, Networking and Security for Current (5G) and Future Mobile Networks (6G and Beyond),” IEEE Access, vol. 11, pp. 57174–57202,
2023, doi: https://doi.org/10.1109/ACCESS.2023.3281480.
[9] Red Hat. “State of Linux in the Public Cloud” Accessed on: Feb 20, 2024.
[Online]. Available: https://www.redhat.com/en/resources/state-of-linux-publiccloud-solutions-ebook.
[10] Red Hat. “Linux for Cloud Computing” Accessed on: Apr 11, 2024. [Online].
Available: https://www.redhat.com/en/topics/linux/linux-for-cloud-computing.
[11] statcounter. “Desktop, Tablet & Console Operating System Market Share
Worldwide. Jan - Dec 2023” Accessed on: May 4, 2024. [Online]. Available: https://gs.statcounter.com/os-market-share/desktop-tablet-console/worldwide.
[12] It’s FOSS. “Oomputers, Again!” Accessed on: Mar 26, 2024. [Online]. Available: https://itsfoss.com/linux-runs-top-supercomputers.
[13] QUICKSTART. “Why Linux Runs 90 Percent of the Public Cloud Workload” Accessed on: Apr 26, 2024. [Online]. Available: https://www.quickstart.com/blog/why-linux-runs-90-percent-of-the-public-cloudworkload.
[14] SEALEVEL. “The Top Three Reasons Linux is Running the World’s Supercomputers” Accessed on: Jan 9, 2024. [Onlinne]. Available: https://www.sealevel.com/2022/09/13/linux-os.
[15] AV-TEST. “New Malware Samples by Operating System (2021 vs 2022)” Access on: May 19, 2024. [Online]. Available: https://atlasvpn.com/blog/new-linuxmalware-hits-record highs-in-2022-rising-by-50.
[16] The Linux Kernel Archives. “Symbol Namespaces” Accessed on: May 14, 2024.
[Onlinne]. Available: https://docs.kernel.org/coreapi/symbol-namespaces.html.
[17] The Linux Kernel Archives. “The /proc Filesystem” Accessed on: May 16, 2024.
[Onlinne]. Available: https://docs.kernel.org/filesystems/proc.html.
[18] M. Nadim, D. Akopian, and W. Lee, “A Review on Learning-based Detection Approaches of the Kernel-level Rootkit,” IEEE Xplore, Oct. 01, 2021. https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9659710.
[19] S. Suresh Kumar and T. SudalaiMuthu, “Advance Kernel Rootkit Detection: Survey,” 2023 7th International Conference on Intelligent Computing and Control
Systems (ICICCS), May 2023, doi: https://doi.org/10.1109/iciccs56967.2023.10142360.
[20] Y. Li, T. Zhai, B. Wu, Y. Jiang, Z. Li, and S.-T. Xia, “Rethinking the Trigger of Backdoor Attack,” arXiv (Cornell University), Jan. 2020, doi: https://doi.org/10.48550/arxiv.2004.04692.
[21] H. Sharaf, I. Ahmad, and T. Dimitriou, “Extended Berkeley Packet Filter: An Application Perspective,” IEEE Access, vol. 10, pp. 126370–126393, 2022, doi: https://doi.org/10.1109/access.2022.3226269.
[22] The Linux Kernel Archives. “Using the Linux Kernel Tracepoints” Accessed on: Mar 8, 2024. [Online]. Available: https://docs.kernel.org/trace/kprobes.html.
[23] The Linux Kernel Archives. “Kernel Probes (Kprobes)” Accessed on: Mar 9, 2024. [Online]. Available: https://docs.kernel.org/trace/kprobes.html.
[24] M. Boelen. “rkhunter” Accessed on: May 26, 2024. [Online]. Available: https://rkhunter.sourceforge.net.
[25] H. Handschuh, “SHA Family (Secure Hash Algorithm),” Encyclopedia of Cryptography and Security, pp. 565–567, 2020, doi: https://doi.org/10.1007/0-387-23483-7_388.
[26] B. Noor and S. Qadir, “Machine Learning and Deep Learning Based Model for the Detection of Rootkits Using Memory Analysis,” Applied Sciences, vol. 13, no. 19, p. 10730, Sep. 2023, doi: https://doi.org/10.3390/app131910730.
[27] I. H. Sarker, “Machine Learning: Algorithms, Real-World Applications and Research Directions,” SN Computer Science, vol. 2, no. 3, pp. 1–21, Mar. 2021,
doi: https://doi.org/10.1007/s42979-021-00592-x.
[28] S. Dong, P. Wang, and K. Abbas, “A Survey on Deep Learning and its
Applications,” Computer Science Review, vol. 40, p. 100379, May 2021, doi:
https://doi.org/10.1016/j.cosrev.2021.100379.
[29] A. Antoniadis, S. Lambert-Lacroix, and J.-M. Poggi, “Random Forests for Global
Sensitivity Analysis: A Selective Review,” Reliability Engineering & System
Safety, vol. 206, p. 107312, Feb. 2021, doi:
https://doi.org/10.1016/j.ress.2020.107312.
[30] P. Cunningham and S. J. Delany, “k-Nearest Neighbour Classifiers - A Tutorial,”
ACM Computing Surveys, vol. 54, no. 6, pp. 1–25, Jul. 2021, doi: https://doi.org/10.1145/3459665.
[31] N. A. Priyanka and D. Kumar, “Decision Tree Classifier: A Detailed Survey,”
International Journal of Information and Decision Sciences, vol. 12, no. 3, p. 246,
2020, doi: https://doi.org/10.1504/ijids.2020.108141.
[32] D. A. Pisner and D. M. Schnyer, “Support Vector Machine,” Machine Learning,
pp. 101–121, 2020, doi: https://doi.org/10.1016/b978-0-12-815739-8.00006-7.
[33] A. Graves, “Long Short-Term Memory,” Studies in Computational Intelligence,
vol. 385, pp. 37–45, 2012, doi: https://doi.org/10.1007/978-3-642-24797-2_4.
[34] P. Pandiaraja, K. Muthumanickam, and R. Palani Kumar, “A Graph-Based Model
for Discovering Host-Based Hook Attacks,” Smart Technologies in Data Science
and Communication pp. 1–13, Jan. 2023, doi: https://doi.org/10.1007/978-981-19-
6880-8_1.
[35] A. Mohanta and A. Saldanha, “Code Injection, Process Hollowing, and API
Hooking,” Malware Analysis and Detection Engineering, pp. 267–329, 2020, doi:
https://doi.org/10.1007/978-1-4842-6193-4_10.
[36] Y. Lu, D.-L. Zhang, C.-P. Hu, K.-L. Zhu, Y. Zhuang, and L.-N. Shi, “Rootkit
Detection Mechanisms for Linux Systems,” 2023 9th International Conference on
Computer and Communications (ICCC) Dec. 2023, doi:
https://doi.org/10.1109/iccc59590.2023.10507534.
[37] M. Y. Hsieh, “Using Virtual Machine Introspection to Detect Hidden Behavior of
DKOM-Rootkit in Cloud Environment” National Central University, Accessed on:
Jan 6, 2024. [Online]. Available: https://hdl.handle.net/11296/tjuq8m.
[38] D. Kapil and P. Mishra, “Virtual Machine Introspection in Virtualization: A
Security Perspective,” 2021 Thirteenth International Conference on Contemporary
Computing (IC3-2021), Aug. 2021, doi: https://doi.org/10.1145/3474124.3474140.
[39] B. Taubmann and H. P. Reiser, “Towards Hypervisor Support for Enhancing the
Performance of Virtual Machine Introspection,” Lecture notes in computer science, pp. 41–54, Jan. 2020, doi: https://doi.org/10.1007/978-3-030-50323-9_3.
[40] Github. “libbpf” Accessed on: Mar 28, 2024. [Online]. Available: https://github.com/libbpf/libbpf.
[41] Github. “hyperfine” Accessed on: Mar 28, 2024. [Online]. Available: https://github.com/sharkdp/hyperfine.
[42] Github. “byte-unixbench” Accessed on: Mar 28, 2024. [Online]. Available: https://github.com/kdlucas/byte-unixbench/tree/master.
[43] Github. “Diamorphine” Accessed on: Mar 23, 2024. [Online]. Available: https://github.com/m0nad/Diamorphine.
[44] Github. “Reptile” Accessed on: Jan 18, 2024. [Online]. Available: https://github.com/f0rb1dd3n/Reptile.
[45] Github. “rootkit” Accessed on: Jan 18, 2024. [Online]. Available:
https://github.com/plusls/rootkit.
[46] Github. “linux_kernel_hacking” Accessed on: Jan 23, 2024. [Online]. Available: https://github.com/xcellerator/linux_kernel_hacking.
[47] iperf, “iperf” Accessed on July 12, 2024. [Online]. Available: https://iperf.fr.
[48] GeeksForGeeks. “Introduction to Semantic Versioning” Accessed on: Jan 23, 2024. [Online]. Available: https://www.geeksforgeeks.org/introduction-semanticversioning

指導教授

周立德(Li-Der Chou)

審核日期

2024-8-14

推文