Abstract: Rootkits are currently the tools most commonly used by attackers to hide their activity. Most existing rootkit detection mechanisms work by checking static characteristics of the system or by verifying the system's integrity, but an attacker can obfuscate the system's characteristic values in various ways, and fast, real-time integrity verification is hard to achieve. This thesis therefore proposes Discoverer, an accurate, fast, real-time rootkit detection mechanism that improves a system's ability to detect rootkits. Because the attacker's network connections and running processes are the main objects a rootkit hides, Discoverer detects rootkits by finding hidden network connections and processes.

To manage network connections and processes, the operating system maintains a variety of data structures that record the relevant information. An attacker can add or even modify code so that users cannot see the attacker's network connections or running processes, but achieving this by tampering with the data structures tied to network connections or processes, such as the run queue, would very likely break the normal operation of the system; the information held in these data structures is therefore the most faithful reflection of the system's true state. This thesis adds a new system call that passes the process-related information listed in user mode (for example by ps and netstat) into the kernel and compares it, entry by entry, against the information in the kernel's internal data structures, finding the PIDs of hidden processes, their socket connections, and the names and paths of the files they access. Experimental results show that Discoverer accurately detects every rootkit in the collection we gathered.
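The abstract describes a cross-view comparison: the user-mode listing (ps, netstat) is handed to the kernel and checked, entry by entry, against what the kernel's own structures record. The following is an added example, not code from the thesis or from Discoverer, showing that comparison logic in user space. The ps and netstat text and the kernel-side tables are constructed samples; the kernel-side tables stand in for what the thesis's added system call would read from the task list, socket tables and per-process open-file tables, and the function and variable names are assumptions of this example.

```python
"""Cross-view detection of hidden processes, sockets and files.

Added example (not the thesis's own code). The user-mode view is parsed from
constructed `ps -eo pid,comm` and `netstat -tanp` output; the kernel-side view
is a constructed stand-in for what a custom system call would collect from
kernel data structures. Anything the kernel knows about but user mode does not
list is reported as hidden.
"""

# Constructed sample: what `ps -eo pid,comm` shows in user mode.
PS_OUTPUT = """\
  PID COMMAND
    1 init
  412 sshd
  980 bash
"""

# Constructed sample: `netstat -tanp` (TCP only) as seen in user mode.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 412/sshd
"""

# Constructed kernel-side view (stand-in for the thesis's system call output).
# PID 1337 exists in the kernel's task list but is absent from PS_OUTPUT.
KERNEL_TASKS = {1: "init", 412: "sshd", 980: "bash", 1337: "hidden_proc"}
KERNEL_SOCKETS = {
    (("0.0.0.0", 22), ("0.0.0.0", 0)): 412,
    (("10.0.0.5", 22), ("10.0.0.9", 51234)): 412,
    (("10.0.0.5", 4444), ("198.51.100.7", 40022)): 1337,   # not in NETSTAT_OUTPUT
}
KERNEL_OPEN_FILES = {
    412: {"/var/log/auth.log"},
    1337: {"/tmp/.hidden/module.ko", "/etc/shadow"},
}


def parse_ps(text):
    """Parse `ps -eo pid,comm` output into {pid: command}; the header is skipped."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            procs[int(parts[0])] = parts[1].strip()
    return procs


def _endpoint(addr):
    """Split 'host:port' into (host, port); netstat prints '*' for a wildcard port."""
    host, port = addr.rsplit(":", 1)
    return host, (0 if port == "*" else int(port))


def parse_netstat(text):
    """Parse TCP lines of `netstat -tanp` into {(local, remote): pid}.

    pid is None when netstat prints '-' because it could not attribute the socket.
    """
    socks = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 7 or cols[0] not in ("tcp", "tcp6"):
            continue
        owner = cols[6].split("/")[0]
        pid = int(owner) if owner.isdigit() else None
        socks[(_endpoint(cols[3]), _endpoint(cols[4]))] = pid
    return socks


def find_hidden(user_procs, user_socks, kernel_tasks, kernel_socks, kernel_files):
    """Compare the user-mode view with the kernel-side view entry by entry.

    Returns hidden PIDs (in the kernel task list but not in ps), hidden sockets
    (in the kernel socket table but not in netstat) with their owning PID, the
    files opened by hidden processes, and sockets netstat attributes to a
    different PID than the kernel does.
    """
    hidden_pids = {pid: name for pid, name in kernel_tasks.items() if pid not in user_procs}
    hidden_socks = {conn: pid for conn, pid in kernel_socks.items() if conn not in user_socks}
    misattributed = {conn: (user_socks[conn], pid) for conn, pid in kernel_socks.items()
                     if conn in user_socks and user_socks[conn] not in (None, pid)}
    hidden_files = {pid: sorted(files) for pid, files in kernel_files.items() if pid in hidden_pids}
    return {
        "hidden_pids": hidden_pids,
        "hidden_sockets": hidden_socks,
        "misattributed_sockets": misattributed,
        "hidden_files": hidden_files,
    }


def run_demo():
    """Run the comparison over the constructed samples and return the report."""
    return find_hidden(parse_ps(PS_OUTPUT), parse_netstat(NETSTAT_OUTPUT),
                       KERNEL_TASKS, KERNEL_SOCKETS, KERNEL_OPEN_FILES)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The kernel-side dictionaries are the part a real implementation obtains in kernel mode; the thesis's point is that a rootkit which hides entries from ps or netstat rarely dares to remove them from structures such as the run queue or socket tables, so a discrepancy between the two views is the detection signal. Note that a socket netstat shows but attributes to the wrong PID is reported separately, since a bare set difference would miss it.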