基於 eBPF 偵測 Kernel-Level 具隱匿性 Rootkit;Kernel-Level Hidden Rootkit Detection Based on eBPF

NCU Institutional Repository > 資訊電機學院 > 資訊工程研究所 > 博碩士論文 > Item 987654321/95802

請使用永久網址來引用或連結此文件: http://ir.lib.ncu.edu.tw/handle/987654321/95802

題名:	基於 eBPF 偵測 Kernel-Level 具隱匿性 Rootkit;Kernel-Level Hidden Rootkit Detection Based on eBPF
作者:	游允喆;Yu, Yun-Che
貢獻者:	資訊工程學系
關鍵詞:	雲端運算;eBPF;Rootkit;Linux;DKOM 攻擊;Cloud Computing;eBPF;Rootkit;Linux;DKOM Attack
日期:	2024-08-14
上傳時間:	2024-10-09 17:17:34 (UTC+8)
出版者:	國立中央大學
摘要:	隨著網際網路的快速發展，企業將資料與服務交由雲服務託管已是目前的趨勢，其中虛擬化技術（Virtualization）在此扮演整個雲端運算的重要角色，藉由抽象化技術將伺服器資源切割，使一台伺服器能同時向多個不同的使用者在隔離的環境中提供服務，這種技術讓伺服器資源使用更有效率與安全。然而虛擬化技術的普及也帶來了新的安全威脅，尤其是rootkit的潛在危害，這類惡意軟體在獲得系統控制權後具有隱藏攻擊者行為的能力，其中kernel-level rootkit更具威脅性且更難以偵測。對於rootkit攻擊的防禦，擴展柏克萊封包過濾器（extended Berkley Packet Filter, eBPF）技術尤其適合，eBPF透過kprobe與tracepoint讓使用者能在系統特定函數執行前後執行自定義的程式，這種程式能存取函數的參數、回傳值與呼叫堆疊（Call Stack）等相關資訊。為了防止kernel-level rootkit的攻擊，本論文提出了一種Hidden Kernel Rootkit Detector（HKRD）針對Linux kernel-level rootkit隱藏物件的偵測機制，利用eBPF技術在系統呼叫（system call）時與備份的位址比對檢查系統呼叫是否受到劫持，若受到劫持則將其恢復為原本的系統呼叫位址並將攻擊者從系統中移除。在系統發生上下文交換（context switch）前檢查即將執行的行程（process）與模組（module）的完整性，並在 socket傳送或接收訊息前檢查socket是否存在於系統中，以防禦Direct Kernel Object Manipulation（DKOM）攻擊，若系統物件受到竄改則將其恢復至原本的狀態並從系統中移除。根據實驗結果本論文提出的HKRD架構其中平均CPU使用率為0.35%，較 rkhunter 少了 5.34 倍，較 HBRAD 少了 23.84 倍，平均記憶體使用量為2.66 MB，較 rkhunter 少了 3.24 倍，較 HBRAD 少了 5.5 倍，平均的網路吞吐量為 4.62 Gb/s，較 rkhunter 多了 1.01 倍，較 HBRAD 多了 1.25 倍。;In light of the accelerated growth of the Internet, it has become a prevalent practice among enterprises to outsource their data and services to cloud hosting. Virtualization technology plays a pivotal role in this process, as it enables the abstraction of technology, thereby dividing server resources. This allows a server to simultaneously serve numerous users in disparate environments, enhancing the efficiency and security of server resources. This technology enhances the efficiency and security of server resource utilization. However, the popularity of virtualization technology also introduces new security threats, particularly the potential harm of rootkit malware. A rootkit is a type of malware that has the ability to hide the attacker′s behavior after gaining control of the system. Kernel-level rootkits are particularly threatening and more difficult to detect. In order to defend against rootkit attacks, the extended Berkeley Packet Filter (eBPF) technology is particularly suitable. eBPF allows users to execute custom programs before and after the execution of system-specific functions through kprobe and tracepoint, which are able to access the parameters of the functions, return values, and call stacks. This program is therefore able to access information about function parameters, return values, and call stacks. In order to prevent kernel-level rootkit attacks, this paper proposes a Hidden Kernel Rootkit Detector (HKRD) for Linux kernel-level rootkit hidden object detection mechanism. The proposed mechanism utilizes the eBPF technique to compare the address of the rootkit with the backed-up address during a system call, thereby enabling the detection of hidden rootkits at the kernel level. The proposed mechanism employs the eBPF technique to ascertain whether the system call has been compromised. This is achieved by comparing the current system call address with a stored backup. In the event of a hijacking, the original system call address is restored and the attacker is removed from the system. It is imperative to ascertain the integrity of the forthcoming process and module prior to a context switch in the system. Furthermore, it is of paramount importance to determine the existence of the socket within the system before it transmits or receives a message, in order to forestall a Direct Kernel Object Manipulation (DKOM) attack. In the event of a DKOM (Direct Kernel Object Manipulation) attack, the system object in question is restored to its original state and removed from the system. The experimental results indicate that the average CPU utilization of the proposed HKRD architecture is 0.35%, which is 5.34 times less than rkhunter and 23.84 times less than HBRAD. Additionally, the average memory usage is 2. The average memory usage is 66 MB, which is 3.24 times less than rkhunter and 5.5 times less than HBRAD. The average network throughput is 4.62 Gb/s, which is 5.5 times less than rkhunter. However, the average network throughput is 4.62 Gb/s, which is 1.01 times more than rkhunter and 1.25 times more than HBRAD.
顯示於類別:	[資訊工程研究所] 博碩士論文

文件中的檔案:

檔案	描述	大小	格式	瀏覽次數
index.html		0Kb	HTML	20	檢視/開啟

在NCUIR中所有的資料項目都受到原著作權保護.

社群 sharing

資料載入中.....