CN107247910B - File integrity measurement detection method, system and detection equipment - Google Patents

File integrity measurement detection method, system and detection equipment

Info

Publication number
CN107247910B
Authority
CN
China
Prior art keywords
file
measurement
integrity
reference value
requirement
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710687004.5A
Other languages
Chinese (zh)
Other versions
CN107247910A (en
Inventor
崔士伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou Inspur Intelligent Technology Co Ltd
Priority to CN201710687004.5A
Publication of CN107247910A
Application granted
Publication of CN107247910B
Legal status: Active
Anticipated expiration

Links

Images

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Bioethics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of file detection and provides a file integrity measurement detection method, system and detection device. The method comprises the following steps: according to the file integrity requirement, performing initialization for file integrity measurement on the measured files; intercepting access actions on a predefined measured file according to that initialization, and computing the file's reference value in real time; querying and reading the pre-stored reference value of the measured file, and judging whether the measured file meets the file integrity requirement; and, if the measured file meets the file integrity requirement, allowing the access action on it. This achieves access control over the predefined files, measures the integrity of the whole file at each access, and ensures that the access action executes safely.

Description

File integrity measurement detection method, system and detection equipment
Technical Field
The invention belongs to the technical field of file detection and in particular relates to a file integrity measurement detection method, a file integrity measurement detection system, and file integrity measurement detection equipment.
Background
File integrity measurement is of great importance for discovering whether an important file has been tampered with, but the file integrity measurement technology in current use is essentially static integrity measurement. Static integrity measurement checks at fixed intervals whether the file's measurement differs from its reference value: if it differs, the integrity of the file is judged to be in question and the file may have been tampered with; if it does not differ, the file is judged to be intact.
However, if the file is tampered with between two such measurements, the tampering is not detected at that point, and accessing the file is risky.
Disclosure of Invention
The invention aims to provide a file integrity measurement detection method, so as to solve the problem in the prior art that a file tampered with between two measurements goes undetected and unmeasured, leaving access to the file at risk.
The invention is realized as follows. A file integrity measurement detection method comprises the following steps:
according to the file integrity requirement, performing initialization for file integrity measurement on the measured files;
intercepting access actions on a predefined measured file according to that initialization, and computing the file's reference value in real time;
querying and reading the pre-stored reference value of the measured file, and judging whether the measured file meets the file integrity requirement;
and, if the measured file meets the file integrity requirement, allowing the access action on it.
As an improved scheme, the step of performing initialization for file integrity measurement on the measured files according to the file integrity requirement specifically includes the following steps:
predefining the measured files on which real-time tamper detection is to be performed, the number of predefined measured files being plural;
remounting the file system holding the predefined measured files, and specifying the iversion option during the remount;
and, according to the file integrity requirement, computing and storing the sha1 reference value of each predefined measured file.
As an improved scheme, after the step of intercepting the access action on the predefined measured file according to the initialization and computing its reference value in real time, and before the step of querying and reading its reference value, the method further includes the following steps:
judging whether the measured file has already been accessed, an already-accessed file being recorded in a cache;
if the measured file has already been accessed, judging whether it is trusted;
if the measured file is trusted, allowing the access action on it;
and, if the measured file has not been accessed before, executing the step of querying and reading its reference value.
As an improved scheme, the step of allowing the access action on the measured file when it meets the file integrity requirement further includes the following step:
adding the measured file whose access action was allowed to the cache.
Another object of the present invention is to provide a file integrity measurement detection system, the system comprising:
an initialization setting module, for performing initialization for file integrity measurement on the measured files according to the file integrity requirement;
an access action interception module, for intercepting access actions on the predefined measured file according to the initialization;
a reference value calculation module, for computing the measured file's reference value in real time;
a reference value query and judgment module, for querying and reading the pre-stored reference value of the measured file and judging whether it meets the file integrity requirement;
and an action permission module, for allowing the access action on the measured file if the reference value query and judgment module judges that it meets the file integrity requirement.
As an improved scheme, the initialization setting module specifically includes:
a measured-file predefinition module, for predefining the measured files on which real-time tamper detection is performed, the number of predefined measured files being plural;
a system mount module, for remounting the file system holding the predefined measured files and specifying the iversion option during the remount;
and a reference value calculation and storage module, for computing and storing the sha1 reference value of each predefined measured file according to the file integrity requirement.
As an improvement, the system further comprises:
an access judgment module, for judging whether the measured file has already been accessed, an already-accessed file being recorded in a cache;
a trust judgment module, for judging whether the measured file is trusted when it has already been accessed;
wherein, if the access judgment module finds that the measured file has not been accessed before, the reference value query and judgment module executes the step of querying and reading its reference value;
and, if the measured file is trusted, the action permission module allows the access action on it.
As an improvement, the system further comprises:
a cache add and update module, for adding the measured file whose access action was allowed to the cache.
Another object of the present invention is to provide a detection device comprising the file integrity measurement detection system.
In the embodiments of the invention, initialization for file integrity measurement is performed on the measured files according to the file integrity requirement; access actions on a predefined measured file are intercepted according to that initialization and the file's reference value is computed in real time; the pre-stored reference value of the measured file is queried and read, and it is judged whether the file meets the file integrity requirement; and, if it does, the access action is allowed. This achieves access control over the predefined files, measures the integrity of the whole file at each access, and ensures that the access action executes safely.
Drawings
Fig. 1 is a flowchart of an implementation of the file integrity measurement detection method according to an embodiment of the present invention;
Fig. 2 is a flowchart of an implementation of the initialization for file integrity measurement on the measured files according to the file integrity requirement;
Fig. 3 is a flowchart of an implementation of the file integrity measurement detection method according to a second embodiment of the present invention;
Fig. 4 is a block diagram of the file integrity measurement detection system provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Fig. 1 shows an implementation flowchart of the file integrity measurement detection method according to an embodiment of the present invention, which specifically includes the following steps:
in step S101, initialization for file integrity measurement is performed on the measured files according to the file integrity requirement.
In step S102, access actions on a predefined measured file are intercepted according to the initialization, and the file's reference value is computed in real time.
Access actions on a measured file include, without limitation, reading, writing, executing, deleting and renaming. Interception of the access action is implemented in the system kernel layer and may be done by replacing system calls; the mechanism is not limited here.
When an access action on a measured file is intercepted, the file's reference value is computed in real time, and the judgment of step S103 below is then executed.
In step S103, the pre-stored reference value of the measured file is queried and read, and it is judged whether the measured file meets the file integrity requirement.
The judgment is whether the reference value computed in real time is equal to the pre-stored reference value: if the two are equal the file meets the requirement, otherwise it does not.
In step S104, if the measured file meets the file integrity requirement, the access action on it is allowed.
If the measured file does not meet the file integrity requirement, execution of the access action is forbidden.
In this embodiment, when a measured file is found not to meet the file integrity requirement, that is, when it has been tampered with, the administrator is notified of the tampering; the notification may be by log or by another means, which is not limited here.
Fig. 2 shows a flowchart of the initialization for file integrity measurement on the measured files according to the file integrity requirement, which specifically includes the following steps:
in step S201, the measured files on which real-time tamper detection is performed are predefined; the number of predefined measured files is plural.
The definition process consists of identifying the system files and predefining a number of important files, so as to prevent those important files from being maliciously tampered with.
In step S202, the file system holding the predefined measured files is remounted, and the iversion option is specified during the remount.
In this step, the system needs to be restarted before the integrity of files in the file system is checked.
In step S203, the sha1 reference value of each predefined measured file is computed and stored according to the file integrity requirement.
Files and directories that change frequently, such as the /var/log directory, do not need file integrity measurement.
Fig. 3 shows an implementation flowchart of the file integrity measurement detection method according to the second embodiment of the present invention, which specifically includes the following steps:
in step S301, access actions on a predefined measured file are intercepted according to the initialization, and the file's reference value is computed in real time.
In step S302, it is judged whether the measured file has already been accessed; if so, step S303 is executed, otherwise step S305 is executed.
Already-accessed files are recorded in the cache.
In step S303, when the measured file has already been accessed, it is judged whether it is trusted; if so, step S304 is executed, otherwise step S306 is executed.
In this step, whether the measured file is trusted is determined by whether its version has changed, specifically:
file accesses in a Linux system are very frequent, and computing the sha1 reference value on every access would seriously affect system performance. To affect performance as little as possible, a cache lookup is added and the inode's i_version is recorded; when the file is accessed again, whether it has been tampered with is determined by whether the i_version of its inode differs from the one held in the cache;
the inode is the file system's data structure representing a file, and when the file system is mounted with the iversion option, the i_version count in the inode is incremented whenever the file changes.
In step S304, the access action on the measured file is allowed.
In step S305, if the measured file has not been accessed before, its pre-stored reference value is queried and read, and it is judged whether the measured file meets the file integrity requirement; if so, step S304 is executed, otherwise step S306 is executed.
The criterion for judging whether the measured file meets the file integrity requirement is that the reference value computed in real time and the stored reference value are the same value.
In step S306, the access action on the measured file is forbidden.
The above is only one specific embodiment of the present invention and is not described in further detail here.
In this embodiment, after step S305 completes, the judged measured file is added to the cache and the legality of its access action is recorded; when an access action on that file is received again, its legality is checked, and if it is legal, step S303 continues, otherwise the access is forbidden.
In the embodiment of the invention, the reference values are stored in an application-layer database, and the application layer opens a netlink socket. When the system kernel layer intercepts an access action and the cache lookup misses, the kernel layer sends a reference value query message to the application layer, and the application layer returns the result to the kernel layer.
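The initialization of steps S201 to S203 and the per-access check of steps S301 to S306, including the inode cache of module 21 and the application-layer lookup on a cache miss, as an added userspace model (example code, not the patent's or Inspur's implementation). Because the kernel side cannot run here, three things are stand-ins and are assumptions of this example: system-call interception is modelled by calling `check_access()` before an access; the inode's i_version is modelled by a counter the caller bumps on every write, which is what the kernel does once the file system is mounted with the iversion option; and the netlink round trip is modelled by `ReferenceService.handle_query()` taking the packed message bytes directly, with a made-up message layout. The sample file `sshd_config` and its content are constructed; all function and class names are this example's own. The full sha1 is computed only on a cache miss or after the version moved, which is what the performance rationale in step S303 intends.

```python
"""Userspace model (added example, not the patent's or Inspur's code) of the
initialization in S201-S203 and the per-access check in S301-S306.
Stand-ins, because the kernel side cannot run here:
  * syscall interception: the caller invokes IntegrityGuard.check_access();
  * inode->i_version: a counter the caller bumps on every write (with the
    file system mounted with the iversion option the kernel does this);
  * netlink: ReferenceService.handle_query() gets the packed bytes directly;
    the query/reply layout below is hypothetical.
"""
import hashlib
import logging
import os
import struct
import tempfile

log = logging.getLogger("fim")

def sha1_of_file(path):
    """Real-time reference value over the whole file content (S301)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_reference_store(paths, volatile_prefixes=("/var/log",)):
    """S201-S203: predefine the measured files and store a sha1 reference for
    each; frequently changing paths (the page's /var/log example) are skipped."""
    store = {}
    for p in paths:
        if p.startswith(volatile_prefixes):
            log.info("not measured, volatile path: %s", p)
            continue
        store[p] = sha1_of_file(p)
    return store

def pack_query(path):
    """Hypothetical kernel-to-application query: 2-byte big-endian length + path."""
    raw = path.encode()
    return struct.pack("!H", len(raw)) + raw

class ReferenceService:
    """Application-layer reference database answering the kernel's queries.
    Reply: status byte (1 = found, 0 = not a measured file) + 20-byte raw sha1."""

    def __init__(self, store):
        self.store = store

    def handle_query(self, msg):
        (n,) = struct.unpack_from("!H", msg, 0)
        ref = self.store.get(msg[2:2 + n].decode())
        if ref is None:
            return b"\x00" + bytes(20)
        return b"\x01" + bytes.fromhex(ref)

class IntegrityGuard:
    """Kernel-side decision logic of S301-S306 with the cache of module 21."""

    def __init__(self, service):
        self.service = service
        self.cache = {}        # inode number -> (i_version when measured, trusted)
        self.measurements = 0  # full hashes performed; the cache keeps this low

    def check_access(self, path, i_version):
        ino = os.stat(path).st_ino
        hit = self.cache.get(ino)
        if hit is not None and hit[0] == i_version:   # S302/S303: seen, unchanged
            return hit[1]                              # cached verdict (S304/S306)
        # S305: first access, or i_version moved: ask the application layer
        reply = self.service.handle_query(pack_query(path))
        if reply[0] == 0:
            return True            # not a predefined measured file: no control
        expected = reply[1:].hex()
        measured = sha1_of_file(path)
        self.measurements += 1
        trusted = measured == expected
        self.cache[ino] = (i_version, trusted)        # module 21: add/update cache
        if not trusted:            # S306, plus the administrator notification
            log.warning("integrity violation on %s: expected %s, measured %s",
                        path, expected, measured)
        return trusted

def demo():
    """Tamper between two accesses (the case the static scheme misses) and
    return the three verdicts; the sample file and its content are constructed."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "sshd_config")
        with open(target, "w") as f:
            f.write("PermitRootLogin no\n")
        store = build_reference_store([target, "/var/log/messages"])
        guard = IntegrityGuard(ReferenceService(store))
        i_version = 1
        first = guard.check_access(target, i_version)    # measured and cached
        second = guard.check_access(target, i_version)   # cache hit, no hashing
        with open(target, "a") as f:                     # tampering
            f.write("PermitRootLogin yes\n")
        i_version += 1                                   # what iversion does
        third = guard.check_access(target, i_version)    # re-measured, denied
        assert guard.measurements == 2
        return first, second, third

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())  # (True, True, False)
```

Run as a script, the third verdict is False and a warning names the file and both hashes: the tampered file is denied on the very next intercepted access rather than at the next scheduled scan, and the second access was answered from the cache without rehashing. On a real system the version comparison depends on the file system actually being mounted with the iversion option; a write that bypasses the hooked system calls (for example through a shared writable mapping) still changes the inode version and is therefore caught at the next intercepted access, not at the moment of the write.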
Fig. 4 shows a block diagram of the file integrity measurement detection system provided by the present invention; for convenience of explanation, only the relevant parts of the system are shown. The file integrity measurement detection system is built into a detection device.
The file integrity measurement detection system comprises:
an initialization setting module 11, configured to perform initialization for file integrity measurement on the measured files according to the file integrity requirement;
an access action interception module 12, configured to intercept access actions on the predefined measured file according to the initialization;
a reference value calculation module 13, configured to compute the measured file's reference value in real time;
a reference value query and judgment module 14, configured to query and read the pre-stored reference value of the measured file and judge whether it meets the file integrity requirement;
and an action permission module 15, configured to allow the access action on the measured file if the reference value query and judgment module 14 judges that it meets the file integrity requirement.
The initialization setting module 11 specifically includes:
a measured-file predefinition module 16, configured to predefine the measured files on which real-time tamper detection is performed, the number of predefined measured files being plural;
a system mount module 17, configured to remount the file system holding the predefined measured files and to specify the iversion option during the remount;
and a reference value calculation and storage module 18, configured to compute and store the sha1 reference value of each predefined measured file according to the file integrity requirement.
As shown in fig. 4, the file integrity measurement detection system further includes:
an access judgment module 19, configured to judge whether the measured file has already been accessed, already-accessed files being recorded in a cache;
a trust judgment module 20, configured to judge whether an already-accessed measured file is trusted;
wherein, if the measured file has not been accessed before, the reference value query and judgment module 14 executes the step of querying and reading its reference value;
and, if the measured file is trusted, the action permission module 15 allows the access action on it.
A cache add and update module 21 is configured to add the measured file whose access action was allowed to the cache.
The functions of the modules are described in the embodiments above and are not repeated here.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (5)

1. A method for detecting file integrity measurements, the method comprising the steps of:
according to the file integrity requirement, performing initialization for file integrity measurement on the measured files;
intercepting access actions on a predefined measured file according to the initialization, and computing the file's reference value in real time;
querying and reading the pre-stored reference value of the measured file, and judging whether the measured file meets the file integrity requirement;
if the measured file meets the file integrity requirement, allowing the access action on it, and if the measured file does not meet the file integrity requirement, forbidding execution of the access action;
wherein, after the step of intercepting the access action on the predefined measured file according to the initialization and computing its reference value in real time, and before the step of querying and reading its reference value, the method further comprises the following steps:
judging whether the measured file has already been accessed, an already-accessed file being recorded in a cache;
if the measured file has already been accessed, judging whether it is trusted;
if the measured file is trusted, allowing the access action on it;
if the measured file has not been accessed before, executing the step of querying and reading its reference value;
the basis for judging whether the measured file meets the file integrity requirement being that the reference value computed in real time and the stored reference value are the same value;
the step of performing initialization for file integrity measurement on the measured files according to the file integrity requirement specifically comprising the following steps:
predefining the measured files on which real-time tamper detection is performed, the number of predefined measured files being plural;
remounting the file system holding the predefined measured files, and specifying the iversion option during the remount;
according to the file integrity requirement, computing and storing the sha1 reference value of each predefined measured file;
wherein judging whether the version has changed is specifically implemented as follows:
file accesses in a Linux system are frequent, so a cache lookup is added and the inode's i_version is recorded; when the file is accessed again, whether it has been tampered with is determined by whether the i_version of the cached inode has changed; the inode is the file system's data structure representing a file, and when the file system is mounted with the iversion option, the i_version count in the inode is incremented whenever the file changes.
2. The method according to claim 1, wherein the step of allowing the access action on the measured file when it meets the file integrity requirement further comprises the following step:
adding the measured file whose access action was allowed to the cache.
3. A file integrity measurement detection system, the system comprising:
an initialization setting module, for performing initialization for file integrity measurement on the measured files according to the file integrity requirement;
an access action interception module, for intercepting access actions on the predefined measured file according to the initialization;
a reference value calculation module, for computing the measured file's reference value in real time;
a reference value query and judgment module, for querying and reading the pre-stored reference value of the measured file and judging whether it meets the file integrity requirement;
an action permission module, for allowing the access action on the measured file if the reference value query and judgment module judges that it meets the file integrity requirement;
the system further comprising:
an access judgment module, for judging whether the measured file has already been accessed, an already-accessed file being recorded in a cache;
a trust judgment module, for judging whether the measured file is trusted when it has already been accessed;
wherein, if the measured file has not been accessed before, the reference value query and judgment module executes the step of querying and reading its reference value;
and, if the measured file is trusted, the action permission module allows the access action on it;
the basis for judging whether the measured file meets the file integrity requirement being that the reference value computed in real time and the stored reference value are the same value;
the initialization setting module specifically comprising:
a measured-file predefinition module, for predefining the measured files on which real-time tamper detection is performed, the number of predefined measured files being plural;
a system mount module, for remounting the file system holding the predefined measured files and specifying the iversion option during the remount;
a reference value calculation and storage module, for computing and storing the sha1 reference value of each predefined measured file according to the file integrity requirement;
wherein judging whether the version has changed is specifically implemented as follows:
file accesses in a Linux system are frequent, so a cache lookup is added and the inode's i_version is recorded; when the file is accessed again, whether it has been tampered with is determined by whether the i_version of the cached inode has changed; the inode is the file system's data structure representing a file, and when the file system is mounted with the iversion option, the i_version count in the inode is incremented whenever the file changes.
4. The file integrity measurement detection system according to claim 3, wherein the system further comprises:
a cache add and update module, for adding the measured file whose access action was allowed to the cache.
5. A detection device comprising the file integrity measurement detection system according to claim 3 or 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710687004.5A CN107247910B (en) 2017-08-11 2017-08-11 File integrity measurement detection method, system and detection equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710687004.5A CN107247910B (en) 2017-08-11 2017-08-11 File integrity measurement detection method, system and detection equipment

Publications (2)

Publication Number Publication Date
CN107247910A CN107247910A (en) 2017-10-13
CN107247910B true CN107247910B (en) 2021-01-15

Family

ID=60012259

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710687004.5A Active CN107247910B (en) 2017-08-11 2017-08-11 File integrity measurement detection method, system and detection equipment

Country Status (1)

Country Link
CN (1) CN107247910B (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105069353B * 2015-08-11 2017-10-24 武汉大学 Trusted container security hardening method based on Docker
CN105205391B * 2015-10-15 2018-08-07 中南大学 Clean room real-time monitoring method based on integrity verification
CN106250760A * 2016-07-26 2016-12-21 浪潮电子信息产业股份有限公司 U-Boot trusted boot method based on a TPM 2.0 chip
CN106384053A * 2016-09-14 2017-02-08 江苏北弓智能科技有限公司 Trusted boot method and apparatus for a mobile operating system

Also Published As

Publication number Publication date
CN107247910A (en) 2017-10-13

Similar Documents

Publication Publication Date Title
US10348756B2 (en) System and method for assessing vulnerability of a mobile device
US11777705B2 (en) Techniques for preventing memory timing attacks
US9317450B2 (en) Security protection for memory content of processor main memory
EP2939173B1 (en) Real-time representation of security-relevant system state
EP2867820B1 (en) Devices, systems, and methods for monitoring and asserting trust level using persistent trust log
US11544379B2 (en) Malicious software detection based on API trust
CN105608386A (en) Trusted computing terminal integrity measuring and proving method and device
US9071639B2 (en) Unauthorized application detection system and method
CN109891422A (en) Dynamic prestige indicator for optimizing computer safety operation
US20190361616A1 (en) Memory protective apparatus for indirect access memory controller
WO2017133442A1 (en) Real-time measurement method and device
Gu et al. D2taint: Differentiated and dynamic information flow tracking on smartphones for numerous data sources
CN110046505B (en) Container security reinforcement method, system and storage medium
US20210266181A1 (en) Data security processing method and terminal thereof, and server
CN107247910B (en) File integrity measurement detection method, system and detection equipment
US11599637B1 (en) Systems and methods for blocking malicious script execution
CN115828225A (en) White list measurement method, system, medium and client based on trusted computing
Mollus et al. Curtailing privilege escalation attacks over asynchronous channels on Android
US11209862B2 (en) Keyboard dock verification
Liu et al. A sensitive file abnormal access detection method based on application classification
US11921859B2 (en) System and method for managing device security during startup
US12032689B2 (en) Systems and methods for preventing zero-day attacks
US11750660B2 (en) Dynamically updating rules for detecting compromised devices
US20240176915A1 (en) Threat detection using a measured storage device
CN108205624B (en) Electronic device and method for detecting malicious file

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20201209

Address after: Building 9, No.1, guanpu Road, Guoxiang street, Wuzhong Economic Development Zone, Wuzhong District, Suzhou City, Jiangsu Province

Applicant after: SUZHOU LANGCHAO INTELLIGENT TECHNOLOGY Co.,Ltd.

Address before: Room 1601, floor 16, 278 Xinyi Road, Zhengdong New District, Zhengzhou City, Henan Province

Applicant before: ZHENGZHOU YUNHAI INFORMATION TECHNOLOGY Co.,Ltd.

GR01 Patent grant