Software trust gauging system and method based on behavior
Technical field
The present invention relates to a trusted computing method, and in particular to a behavior-based software trust measurement system and method that compares the expected behavior of software with its actual behavior.
Background technology
Trusted Computing (TC) is a technology promoted and developed by the Trusted Computing Group (TCG, formerly TCPA). The TCG defines trust as follows: an entity is trustworthy if its behavior always reaches the intended goal in the expected manner. The main idea of Trusted Computing is to improve the security of a terminal system by introducing a security chip (the trusted platform module) on the hardware platform: a root of trust is implanted in each microcomputer terminal, and starting from the root of trust, through the hardware platform, the operating system kernel layer and then the application layer, a trust relationship is built up in which each level authenticates the next and each level trusts the next. On this basis the trust chain is extended over the network so that the trustworthiness of the whole network is guaranteed. The trust chain is extended by measuring and passing on control in turn: each component measures the next before handing over to it. Trust measurement is thus the foundation of Trusted Computing.
Since its establishment the TCG has formulated and published a series of specifications, in which the overview of the specification architecture describes integrity measurement, storage and reporting in detail. Integrity measurement, as provided in the specifications, is the process of obtaining metrics of the platform properties that affect platform integrity (trustworthiness) and depositing digests of those metrics in platform configuration registers. Integrity measurement, storage and reporting are inseparable; integrity reporting is the process of demonstrating to an external party the integrity measurement values recorded in the platform configuration registers. The idea behind integrity measurement, storage and reporting is that the platform is allowed to enter any possible state, including unwelcome and unsafe states, but is not allowed to lie about the state it is in. Another, independent process can then assess the integrity state and decide on a reasonable response.
TCM (Trusted Cryptography Module) is China's trusted chip, manufactured with reference to the TPM specification. To standardize manufacturers' use of the TCM, the State Cryptography Administration issued the "Functionality and Interface Specification of Cryptographic Support Platform for Trusted Computing" at the end of 2007. It is based mainly on domestic cryptographic algorithms, combines domestic security requirements with the industrial market, and draws on advanced international trusted computing frameworks and technical concepts together with independent innovation. The specification states that integrity measurement means calculating the metric of a unit and storing it, recording the event in the event log, and extending the metric into the corresponding platform configuration register (PCR) of the trusted cryptography module.
Both the TCG specification and the Chinese Trusted Computing specification describe only the trust measurement method during system startup, that is, the measurement of static code and data from system power-up until the operating system starts. Some enterprises and research institutions have therefore begun to study software trust measurement methods and techniques on top of the operating system.
In 2003 IBM proposed the Integrity Measurement Architecture (IMA) following the TCG specification. IMA is an execution framework supporting Linux, whose purpose is to solve the difficult problem of establishing trust relationships between distributed applications, especially in distributed runtime environments. The working process of this trusted platform is: after system startup, control is handed to an immutable base; the immutable base measures the integrity of the BIOS by computing a SHA1 hash that vouches for its content, and the result is kept in the TPM; the code of the next startup routine is then measured and hashed in the same way to ensure that it is trustworthy; this process is recursive and guarantees a step-by-step trusted startup of the system.
In 2005 Carnegie Mellon University and the IBM Watson Research Center proposed the BIND (Binding Instruction and Data) framework for establishing a trusted environment in distributed systems. BIND refines the integrity attestation of code into the integrity attestation of critical code sections, and generates an authenticator for each group of data produced by a critical code section. The authenticator is attached to the corresponding data, binding the integrity attestation of the critical code section to the output data it produced. BIND can therefore achieve system integrity attestation through the integrity attestation of the critical code sections and their input data. However, because the programmer decides the measurement points and inserts the hook function interface provided by BIND at those points, BIND improves measurement accuracy at the cost of a heavier coding burden on the programmer, and it cannot respond to many attacks that occur at runtime.
In 2006 Jaeger (T. Jaeger) of Pennsylvania State University, the IBM Watson Research Center and Shankar (U. Shankar) of the University of California, Berkeley proposed PRIMA (Policy-Reduced Integrity Measurement Architecture), an integrity measurement architecture based on information flow, and studied a prototype system built on SE-Linux. The PRIMA project extends and strengthens IMA on the basis of the IMA research results, introducing the CW-Lite information flow model to handle component dependencies, and makes a fruitful attempt at information-flow-based dynamic measurement of system integrity. The approach of PRIMA is as follows: at system startup, the MAC policy and the set of trusted subjects are measured. From these measurements a remote party can build an information flow graph, and can verify that all information reaching trusted applications either comes from trusted subjects (subjects verified at runtime to be running trusted code) or comes from untrusted subjects through a filtering interface. Runtime information is then measured; according to the information flow graph, only the code that is actually depended upon needs to be measured, and all other code is assumed untrusted. The mapping between loaded code and the subject that loads it must also be measured, so that a remote party can verify that the subject executed the expected code. PRIMA only additionally requires measuring the MAC policy and the trusted subjects at load time, together with the correspondence between code and MAC policy subjects; since untrusted subjects no longer need to be measured, part of the measurement can be eliminated. The PRIMA architecture fully demonstrates the exemplary role of a secure operating system in supporting trusted applications.
Copilot, proposed by the University of Maryland, uses a hardware coprocessor independent of the host to perform integrity measurement of predetermined memory regions of the host. Its shortcomings are that the design is complex to realize, memory must be mapped repeatedly, and the measurement period can only be set in advance; if the measurement period is longer than the time during which process integrity is compromised, the damage may never be found.
LKIM and its follow-up work measure the system kernel. On the basis of static measurement they define a series of variables that represent the system state and measure again whenever these variable values change, thereby achieving dynamic measurement. However, the static measurement plus state variables it emphasizes do not amount to truly dynamic measurement, and since its measurement targets the Linux kernel it is powerless against ordinary processes.
Domestically, Renmin University of China proposed an architecture for runtime process integrity measurement based on the TPM security chip, together with its prototype system Patos-RIP, to measure the integrity of a process over its whole life cycle from creation to termination.
Beijing University of Technology has provided a trusted dynamic measurement and attestation model from the angle of software behavior. The model proposes several theorems for the dynamic measurement of Trusted Computing behavior, and then provides a decision method and model for the trustworthiness of software behavior based on a measurement mechanism for extended-marked behavior and an authentication mechanism for behavior metric bases.
Over ten years of research, trust measurement has been explored from many angles: measurement based on code (BIND), on roles (PRIMA), on information flow (PRIMA), on periods (Copilot), on processes (Patos-RIP), on memory, on software behavior, and so on. Yet although the notion of trust proposed by the TCG is guided by expected behavior, its core idea is still confined to proving that program code was provided by a trustworthy supplier or installed and maintained by a trustworthy administrator. For the dynamic trust measurement of upper-layer application software during operation there is still no mature measurement model or solution.
Therefore, the present invention follows the TCG notion of trust: not only is the loaded code of the software verified, but an expected-behavior tree and an actual-behavior tree are also established for the software. On the basis of verifying that the expected-behavior tree is feasible, trust measurement of the software is achieved by comparing the expected and actual behavior trajectories of the software, together with the environmental context and environmental parameters at the time the behavior occurs.
Summary of the invention
The object of the invention is to propose a behavior-based software trust measurement method that measures the rationality of the software's expected behavior, the integrity of the code before the software is loaded, and the deviation between actual and expected behavior during software operation, so as to guarantee the trustworthiness of the software over its whole life cycle and thereby reach the goal of protecting the trustworthiness of the entire information system.
To achieve these goals, a behavior-based software trust measurement system is characterized in that the system comprises the following parts: a base layer, formed by a trusted operating system based on a Trusted Computing chip, which is a trusted computing platform and provides the foundation for the trust measurement and trust judgement of the core layer; a core layer, made up of a trust measurement part and a trust judgement part, where the trust measurement part is responsible for information acquisition and consists of an integrity measurement module, an expected-behavior acquisition module and an actual-behavior acquisition module, and the trust judgement part is responsible for judging the information obtained by the trust measurement part according to decision rules and consists of an integrity verification module, an expected-behavior verification module and a behavior contrast module; and an application layer, responsible for loading and running software.
Software includes source-program software and executable-program software.
The software provider is the software vendor, or else the trusted computing platform based on the Trusted Computing chip.
A behavior-based software trust measurement method using the above system comprises the following steps:
Step 1: obtain the software from the software provider;
Step 2: before the software is loaded, the integrity verification module verifies the integrity of the software content as measured by the integrity measurement module;
Step 3: after the integrity check passes, the expected-behavior acquisition module obtains the expected behavior of the software;
Step 4: the expected-behavior verification module verifies the rationality of the software's expected behavior;
Step 5: install and run the software;
Step 6: during software operation, the actual-behavior acquisition module obtains the actual behavior of the software;
Step 7: the behavior contrast module compares the difference between the expected behavior and the actual behavior and judges the trustworthiness of the software.
In step 3, the expected-behavior acquisition module uses disassembly-based static analysis to analyze the executable program code of the software without running it: it performs control flow analysis on the executable statements of the program, extracts all reachable execution paths, and determines the control structure of the program, thereby obtaining the expected behavior of the software.
In step 3, the concrete operations for obtaining the expected behavior of the software are:
(1) use disassembly to convert the software's executable program into an assembler source program;
(2) scan the assembler source program, find all system calls, and record all instructions between consecutive system calls as an instruction block IB;
(3) record the name of the system call, SysCallName;
(4) record the system call context SCC;
(5) if the system call involves file parameters, collect the file name, the file type (executable file, system file, configuration file, script file, data file), the file attributes (size, update date), the operation type, and the file integrity hash;
(6) formally represent the branch instructions with a control flow graph;
(7) build the expected-behavior tree.
In step 6, a hook mechanism is used to monitor the occurrence of system call events during software operation and to record the system call sequence, so as to monitor the actual running state of the software and extract its actual behavior.
In step 2, software integrity checking means verifying that the code, files, data and so on of the software have not been tampered with.
In step 7, the contrast rules are: (1) each time a node is added to the actual-behavior tree, the tree is compared with the expected-behavior tree, and it must remain a subtree of the expected-behavior tree; (2) the information on each newly added edge of the actual-behavior tree is compared with the information on the corresponding edge of the expected-behavior tree, checking respectively whether the system call name SysCallName, the system call context value SCCV and the file integrity hash are equal. If both rules are satisfied, the software is achieving its intended goal in the expected manner; otherwise the software poses a potential security hazard, which is reported to the trusted operating system, which stops its operation and rolls back to a safe state.
In step 4, behavior rationality includes the feasibility of each behavior and the satisfiability of the dependencies between behaviors.
Compared with the prior art, the beneficial effects of the invention are: before the software is loaded into the system, not only the integrity of code and data is verified but also the rationality of the software's expected behavior; and after the software is loaded into the system, dynamic measurement during software operation is realized by comparing the software's actual behavior with its known expected behavior, thereby guaranteeing that the software "reaches the intended goal through its expected behavior".
Description of drawings
Fig. 1 is a schematic diagram of the overall architecture of behavior-based software trust measurement;
Fig. 2 is an example of an expected-behavior tree.
Embodiment
To make the features and advantages of the present invention clearer, a detailed description is given below with reference to the accompanying drawings. Fig. 1 shows the trust measurement architecture of the invention, which is divided into three layers: the lowest layer is the base layer, a trusted computing platform formed by a trusted operating system based on a Trusted Computing chip; the middle layer is the core layer, made up of a trust measurement part responsible for information acquisition and a trust judgement part responsible for judging the information obtained by the trust measurement part according to decision rules; the top layer is the application layer, responsible for loading and running software.
Before the software is loaded, the integrity measurement module receives the TPM/TCM identity key provided by the software supplier, computes the hash of the software code (using the SHA1 or MD5 algorithm to obtain a 120-bit value), and passes both to the integrity verification module of the trust judgement part. The trusted computing platform stores in advance a table of each software vendor's TPM/TCM identity key and the hash values of the software code they can provide, so the decision rule of the integrity verification module is simply to look up the TPM/TCM identity key and the hash obtained by the integrity measurement module in that table: if they are found, the software is complete and trustworthy; otherwise software loading is stopped.
After the software passes integrity verification, the expected-behavior acquisition module uses static analysis techniques from software reverse engineering to analyze the executable program code without running the software: it performs control flow analysis on the program's executable statements, extracts all reachable execution paths and determines the control structure of the program, thereby inferring the expected behavior of the software and building the expected-behavior tree. The concrete steps are:
(1) reverse-engineer the software's executable program, using disassembly to convert it into an assembler source program (commonly used static analysis tools include W32DASM, IDA and HIEW);
(2) scan the assembler source program, find all system calls, and record all instructions between consecutive system calls as an instruction block IB;
(3) record the name of the system call, SysCallName;
(4) record the system call context SCC, which is a sequence of function call names <FuncName1, FuncName2, FuncName3, ...> meaning that FuncName1 calls FuncName2, FuncName2 calls FuncName3, and so on; the system call context value SCCV is computed as SCCV = Hash(SCC);
(5) if the system call involves file parameters, collect the file name, the type (executable file, system file, configuration file, script file, data file), the attributes (size, update date), the operation type (read, write) and the file integrity hash FIH;
(6) formally represent the branch instructions with a control flow graph CFG = <V, E>, where V = {v_i | v_i corresponds to instruction block IB_i} and E = {<v_i, v_j> | there is a control transfer from instruction block IB_i to instruction block IB_j};
(7) build the expected-behavior tree, an example of which is shown in Fig. 2; the information on each edge is represented as EI = <SysCallName, SCCV, FIH>.
The storage and reporting of the expected-behavior tree's information are realized through the trusted storage and reporting mechanisms of the TPM/TCM. The expected-behavior tree may be stored concretely as a stack or an array.
The expected-behavior verification module is responsible for analyzing the information collected by the expected-behavior acquisition module in order to judge whether the software's expected behavior is reasonable, legal and feasible. Concretely, based on the TPM/TCM information about the software's origin and the edge information EI, combined with the information system's own security policies such as access control, it verifies whether the software has the right to make each system call and whether it has the right to access and execute the system files involved. If verification passes, the software may be loaded into the information system; otherwise loading is refused.
Next, the software is loaded into the information system and begins to run dynamically. A hook mechanism is used to monitor the occurrence of system call events during software operation and to record the system call sequence. Taking the open-source Linux operating system as an example, the Linux Security Module (LSM) framework provides a series of security-related hook functions. By program implantation, that is, by rewriting the hook functions relevant to behavior monitoring, the system calls issued during software operation are dynamically intercepted in order to monitor the actual running state of the software and extract its actual-behavior features. When a system call occurs, the event sensor ES is triggered; after the event adapter EA identifies the event, the event dispatcher ED starts the corresponding feature extraction method in the method set MS, which extracts the name SysCallName of the current system call behavior, the system call context SCC, and the name, type, attributes, operation type (read, write) and file integrity hash FIH of the file being accessed; SCCV is then computed and, by a process similar to the building of the expected-behavior tree, the actual-behavior tree is built; after the TPM applies integrity protection, it is reported to the behavior contrast module.
The behavior contrast module is responsible for contrasting the actual behavior with the expected behavior. The contrast rules are: (1) each time a node is added to the actual-behavior tree, the tree is compared with the expected-behavior tree, and it must remain a subtree of the expected-behavior tree; (2) the information on each newly added edge of the actual-behavior tree is compared with the information on the corresponding edge of the expected-behavior tree, checking respectively whether the system call name SysCallName, the system call context value SCCV and the file integrity hash are equal. If both rules are satisfied, the software is achieving its intended goal in the expected manner; otherwise the software poses a potential security hazard, which is reported to the trusted operating system, which stops its operation and rolls back to a safe state.
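As an added example that is not part of the patent, the following Python code builds an expected-behavior tree from system-call paths whose edges carry EI = <SysCallName, SCCV, FIH>, computes SCCV = Hash(SCC) (SHA-256 is assumed, since the text only says Hash), and applies the two contrast rules each time a hooked system-call event adds a node to the actual-behavior tree. The call traces, function names and FIH values are constructed placeholders.

```python
import hashlib
from typing import List, Tuple

# EI = <SysCallName, SCCV, FIH>; a tree node is the dict of its labelled outgoing edges.
EdgeInfo = Tuple[str, str, str]
Tree = dict


def sccv(scc: List[str]) -> str:
    """SCCV = Hash(SCC) over the call chain <FuncName1, FuncName2, ...>.
    SHA-256 is an assumption; the patent only writes Hash."""
    return hashlib.sha256("->".join(scc).encode()).hexdigest()[:16]


def build_expected_tree(paths: List[List[EdgeInfo]]) -> Tree:
    """Step 7: the expected-behavior tree is the union of all statically
    reachable system-call paths (one path per reachable CFG route)."""
    tree: Tree = {}
    for path in paths:
        node = tree
        for ei in path:
            node = node.setdefault(ei, {})
    return tree


def is_subtree(actual: Tree, expected: Tree) -> bool:
    """Contrast rules 1 and 2: every edge of the actual tree must exist in the
    expected tree with identical SysCallName, SCCV and FIH, recursively."""
    return all(ei in expected and is_subtree(child, expected[ei])
               for ei, child in actual.items())


class BehaviorMonitor:
    """Receives hooked system-call events, grows the actual-behavior tree and
    re-checks the subtree rule after every added node."""

    def __init__(self, expected: Tree) -> None:
        self.expected = expected
        self.actual: Tree = {}
        self.cursor = self.actual      # node reached by the calls seen so far
        self.trusted = True

    def on_syscall(self, name: str, scc: List[str], fih: str) -> bool:
        ei: EdgeInfo = (name, sccv(scc), fih)
        self.cursor = self.cursor.setdefault(ei, {})
        self.trusted = is_subtree(self.actual, self.expected)
        return self.trusted            # False: report, stop, roll back


def run_demo() -> Tuple[bool, bool]:
    """Constructed traces: a conforming run, and a run that reads a tampered config."""
    cfg = "fih-cfg-7a1f"               # constructed placeholder for a config-file FIH
    out = "fih-out-2c9e"               # constructed placeholder for an output-file FIH
    expected = build_expected_tree([
        [("open", sccv(["main", "load_config"]), cfg),
         ("read", sccv(["main", "load_config"]), cfg),
         ("write", sccv(["main", "save"]), out)],
        [("open", sccv(["main", "load_config"]), cfg),
         ("exit", sccv(["main"]), "")],
    ])
    good = BehaviorMonitor(expected)
    for ev in [("open", ["main", "load_config"], cfg),
               ("read", ["main", "load_config"], cfg),
               ("write", ["main", "save"], out)]:
        good.on_syscall(*ev)
    bad = BehaviorMonitor(expected)
    bad.on_syscall("open", ["main", "load_config"], cfg)
    bad.on_syscall("read", ["main", "load_config"], "fih-cfg-TAMPERED")  # rule 2 fails
    return good.trusted, bad.trusted


if __name__ == "__main__":
    print(run_demo())
```

The same `is_subtree` check also rejects a system call that is absent from the expected tree altogether or that is issued from an unexpected call chain, because SCCV is part of the edge label.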
The above examples give a detailed explanation of the implementation of each part of the invention, but the specific implementation forms of the invention are not limited to them; for those skilled in the art, all obvious changes made without departing from the spirit of the method of the invention and the scope of the claims fall within the protection scope of the invention.