A Static-Dynamic Conjunct Windows Process Integrity Detection Model

Transcription

1 A Static-Dynamic Conjunct Windows Process Integrity Detection Model Fei Chen 1, Yi Li 1, Tong Zhang 1, Kehe Wu 1, 1 North China Electric Power University, Department of Control and Computer Engineering, Beinong Rd. 2, Beijing, China chenfei0428@126.com, liyi174748@163.com, zhtzhangtong@163.com, epuwkh@126.com Abstract. In this paper we propose a process integrity detection model. This model combines static detection with dynamic detection method to prevent processes from being tampered maliciously. Static detection is based on integrity detection of process files, it is implemented by calculating hash value of file directly; dynamic detection is based on detecting integrity of process code space when the process is running, this method checks whether process integrity is destroyed through counting the number of memory blocks and size of space used by the process, as well as calculating hash value of code segment during process is running and comparing it with the prospective value. We carry out experiments of this model in Windows operating system, the result shows that this model can effectively prevent processes from being tampered illegally, and it affects little to running of operating system. Keywords: process integrity, static detection, dynamic detection, malicious code, information security 1 Introduction Process integrity is the attribute to maintain a program running correctly [1]. It is a common method for malicious code to break into computers via destroying integrity of process. Attackers achieve this goal by writing a segment of executable binary code in the address space of a process to modify normal execution procedure. The most remarkable example of this is process injection attack. Many famous worms such as Blaster and Code Red II are all through modifying memory space of process and destroy process integrity to spread them. With the rapid development of hacker technology, the harm brings by destruction of process integrity to operating system becomes much heavier. Thus it is very significant to monitor process integrity realtime and prevent process from being tampered maliciously in terms of protecting the security of operating system. Integrity detection can be divided into static integrity detection and dynamic integrity detection. Static integrity detection focuses on integrity of binary file of process, once the process is loaded into memory, any changes occur after that can not be detected. Tripwire is such a static integrity detection system [2]. Dynamic integrity detection aims at integrity of code while the corresponding process is running, it is the 30

2 most frequently-used means of attack for malicious code, and in turn is a hotspot of process integrity detection study. PDMIS[3] implements process integrity detection in page granularity and has a good effect. Patagonix[4] can take integrity detection for common Rootkits, whereas it has no demonstration tests. LKIM implements dynamic integrity detection for Linux kernel, but it does not implement detection for applications[5]. This paper proposes a process integrity detection model combines static integrity with dynamic integrity. It first detects integrity of process file before the process starts running, if it is authenticated, lets the process run, in addition, monitors and detects integrity of code real-time during the process is running; otherwise the model rejects running of the process immediately. Via utilizing double detection to prevent process integrity from being tampered maliciously at utmost and protect security of operating system. 2 Process Integrity Detection Model The process integrity detection model is made up of five components which are static integrity measurement module, communication module, integrity database, monitoring module and dynamic integrity measurement module. Among them static integrity measurement module, communication module and integrity database lie in application layer, while monitoring module and dynamic integrity measurement module are at kernel layer. Figure 1 shows the architecture of this model. Fig. 1. Process integrity detection model. 31

3 2.1 Static Integrity Measurement Module The static integrity measurement module is implemented to calculate integrity of binary files. Static integrity detection occurs in two situations: one is when the system starts-up, it measures integrity of all process files starts-up with the system; the other is when a new process is about to run, it suspends the process and measures integrity of corresponding binary file. If it is the first time for the process to run, the static integrity measurement module deposits the result of measurement into integrity database; otherwise, it compares measurement result with the value stores in integrity database, if they are consistent, the process will resume running, otherwise rejects running this process. 2.2 Monitoring Module Monitoring module is an important part of this model. It has two functions: one is to intercept requests of creating and writing process space, the other is to protect the model itself. When the monitoring module intercepts a request of creating process, it notifies static integrity measurement module to execute static measure; when it intercepts a request of writing process space, it in turn notifies dynamic integrity measurement module to carry out dynamic measure. To prevent the model from being destroyed maliciously, the monitoring module forbids illegal access to its files, and provides access control protection to the process of itself. 2.3 Dynamic Integrity Measurement Module Dynamic integrity measurement calculates integrity of two kinds of information. One is hash value of code segment and the other is hash value of process space usage information. When monitoring module intercepts requests of writing process space, it notifies dynamic integrity measurement module to calculate integrity of process. Taking efficiency into account, this module obtains number of process memory blocks and size of space to calculate integrity, rather than reading the content of process code segment to calculate hash value, eventually achieves the goal of detecting dynamic integrity of process by judging whether there are changes occur in process memory space. If there are no changes in process memory space, goes ahead reading the content of process code segment to calculate integrity, otherwise rejects running this process. 2.4 Communication Module Communication module is responsible for transferring information between modules. The information here can be divided into two kinds: one is integrity value, it is either the current calculating result or from integrity database; the other is control information, mostly it is requests of integrity measurement. When there is a process ready to execute, monitoring module intercepts the request of creating process, and notifies static integrity measurement module via 32

4 communication module to measure integrity of binary file. After the measurement finishes, static integrity measurement module notifies monitoring module result of comparison through communication module, and determines whether to continue executing the process base on the result. When monitoring module intercepts requests of writing process space, it notifies dynamic integrity measurement module to measure dynamic integrity, dynamic integrity measurement module then notifies communication module to take the value out from integrity database for comparison. 2.5 Integrity Database Integrity database stores integrity information of processes, including integrity value of static binary files, dynamic process space code segment as well as process memory information. The corresponding data structure is as follows. typedef struct procintegrityinfo{ char *procname; // process name char *procpath; // process path char *binaryfilehash; // hash value of binary file char *codeseghash; // hash value of process code segment content char *procspacehash;// hash value of process space usage }TProcIntegrityInfo,*PProcIntegrityInfo; Note that the hash value of process memory information is calculated from number of memory blocks and size of memory space occupied by the process. This information in database can be appropriately encrypted in case of being exposed. 2.6 Procedure of Integrity Detection The procedure of process execution is split into two stages which are static detection and dynamic detection. A process will have no chance to execute if it is not authenticated by static detection. Accordingly, if the process is not authenticated by dynamic detection, it will also be terminated. Static integrity detection calculates hash value of binary file, if a process is authenticated by static detection, calculates hash value of process memory information, and stores it into integrity database. Dynamic integrity detection calculates hash value of process memory information first, if it is consistent, calculates hash value of process code segment, and compares it with the value stored in integrity database. The procedure of static and dynamic integrity detection is shown in Fig

5 Fig. 2. Procedure of integrity detection. 3 Experiment and Analysis This experiment is to test response capability against process injection attack and performance effect brings to operating system. The content of experiment including whether it can find out and alert injection attack against protected process, and tests the effect of time and load brings to system when invoking system services in normal circumstances. The result of experiment shows that this method can response to injection attack in time, and brings an inconspicuous delay to system service call, affects little to operating system. 34

6 Table 1. Result of system performance test Injected process CPU Occupy Response Time Notepad.exe 1% 1.3ms Winword.exe 2%-5% 4.4ms Iexplore.exe 3%-5% 4.6ms Apareader.exe 6%-8% 7.5ms 4 Conclusion This paper aims at threats of processes being tampered by malicious code, from perspect of integrity, proposes a model of process integrity detection combines with dynamic integrity and static integrity. This model can effectively detect integrity of binary files and memory space while the process is running to ensure the running process unmodified through double detection, and can achieve expected goals via expected actions[6]. The result of tests shows that this model has an outstanding performance in all-sidedness of detection, universality of defence and stability of performance. As this model interacts frequently with database, it is significant to adopt an effective searching algorithm to improve efficiency. In the future work, we will further our study in this aspect to make improvements. Besides, there is only a prototype for this model under Windows platform, in the future, we should also study prototype systems in other operating systems to extend range of its application. References 1. Zeng, F., Chen, M., Yin, K., Wang, X.: Process Integrity and Its Application in Software Vulnerability Testing. Information Security and Communications Privacy. Vol. 10, (2009) 2. Kim, G., Spafford, E.: Design and Implementation of Tripwire: A File System Integrity Checker. In: 2nd ACM Conference on Computer and communications security, pp ACM, New York (1994) 3. Wei, C., Song, S., Hua, W., Bian, P.: Operating Systems Support for Process Dynamic Integrity Measurement. In: IEEE Youth Conference on Information, Computing, and Telecommunication, pp IEEE Press, New York (2009) 4. Litty, L., Andrés Lagar-Cavilla, H., Lie D.: Hypervisor Support for Identifying Covertly Executing Binaries. In: 17th Conference on Security Symposium, pp USENIX Association Berkeley (2008) 5. Loscocco, P. A., Wilson, P. W., Pendergrass, J. A., McDonell, C. D.: Linux Kernel Integrity Measurement Using Contextual Inspection. In: 2007 ACM workshop on scalable trusted computing, pp ACM, New York (2007) 6. Sheng, C., Zhang, H., Wang, H., Wang, J., Zhao, B., Yan, W., Yu, F., Zhang, L., Xu, M.: Reaserch on Trusted Computing and Its Development. Science China (Information Sciences). Vol.53, (2010) 35