CN115730308A - Runtime protection method and device based on memory check - Google Patents

Runtime protection method and device based on memory check

Info

Publication number: CN115730308A
Authority: CN (China)
Prior art keywords: program, memory, user, unit, reference value
Legal status: Pending
Application number: CN202211239161.7A
Other languages: Chinese (zh)
Inventor: 牛登平
Current Assignee: CLP Cloud Digital Intelligence Technology Co Ltd
Original Assignee: CLP Cloud Digital Intelligence Technology Co Ltd
Application filed by CLP Cloud Digital Intelligence Technology Co Ltd
Priority to CN202211239161.7A
Publication of CN115730308A

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention relates to the technical field of trusted computing and provides a runtime protection method and device based on memory check. The method comprises the following steps: acquiring a newly loaded program according to a user's request to create a process; calculating a reference value of the program from the initial program code segment, program constant segment and environment variable segment of the newly loaded program; configuring a user policy; and calculating the current measurement value of the newly loaded program, comparing it with the reference value of the program, and triggering re-measurement or identifying an anomaly according to the comparison result and the user policy. The runtime protection method and device based on memory check disclosed by the exemplary embodiments of the invention prevent virus attacks aimed at the service system from affecting the normal operation of the monitoring system, avoid the defects of a passive measurement mechanism that waits for events, prevent the check mechanism from being skipped, and improve the operating efficiency of the whole system.

Description

Runtime protection method and device based on memory check
Technical Field
The invention relates to the technical field of trusted computing, in particular to a runtime protection method and device based on memory check.
Background
Traditional security technology performs static detection on a program file before execution and ignores the possibility that the program's memory area is tampered with after the program runs. Some attackers deliberately start the target program through a malicious tool instead of launching it directly, thereby gaining the ability to modify the target program's memory, which creates a great security risk.
The main form of memory attack is that an attacker constructs malicious input that exploits a software vulnerability, so that the software makes an unexpected error while processing the data stream and the input data is written to specific positions in memory; the software's control flow is thereby hijacked and externally supplied instruction code is executed, giving the attacker remote control of the target system or denying its service. The vulnerabilities behind memory attacks are mostly software coding errors, such as defective input-filtering conditions, variable type conversion errors, logic judgment errors and pointer reference errors. The fundamental cause of memory attacks is that data and instructions in the memory area are not strictly distinguished, so that program instructions can be modified by operating on data.
As time goes on, memory-based attack techniques keep multiplying. A common defence against memory attacks is to scan the memory of the active programs in a system and use a virus signature library to identify suspicious processes, so as to identify and kill malicious software resident in memory. Looking back at the development of the networked world, the speed and harm of virus development and mutation exceed those of the natural world. Given that viruses now mutate ever faster, that attack means are more systematic, diversified and concealed and generally show organized characteristics, and that attacks are ever more serious, often causing great impact and even affecting society and people's livelihood, traditional protection means and security products that rely on feature matching for passive detection and removal clearly cannot defend effectively.
To defend effectively against unknown advanced viruses, the traditional security protection idea must change from passive protection to active protection, and trusted computing is such an active defence idea.
Chinese patent publication CN 105912929A discloses a dynamic measurement method based on a domestic TCM, which performs paged measurement of the program section of a process through a TCM security module; when a measurement is abnormal, the kernel module immediately alarms the user and suspends execution of the program; the user then chooses, according to the alarm information, whether to resume or stop execution. Compared with the prior art, this dynamic measurement method based on a domestic TCM effectively improves the security of files, reduces the probability of a file being attacked and monitors the personal terminal in real time. However, the design has the following drawbacks:
1. It has an obvious performance bottleneck and cannot be deployed on a large scale. The scheme requires every page of memory to be sent to the TCM to calculate the metric. Most currently known TCM cards attach over PCIE, SPI, USB or other IO ports, and IO is much slower than reading memory directly, so the measurement process inevitably slows the program down considerably;
2. The measurement content is incomplete: only the program section is measured. Analysing the layout of a program loaded into memory shows that the program file is subdivided into a data section, a code section and a program constant section once loaded. In addition, certain important environment variables also strongly influence the running of the program; the environment variable segments include the interrupt vector table, configuration constants, dynamic link libraries and the like, and attacks on such memory can also prevent the program from running as expected;
3. The measurement module depends on a kernel measurement module loaded into the kernel. Once a memory attack escalates to kernel privilege through a zero-day vulnerability, the kernel measurement module can be unloaded and the whole dynamic measurement check is skipped.
Therefore, how to provide a complete, safe and efficient memory checking method has become an urgent technical problem.
Disclosure of Invention
In view of this, to overcome the defects of the prior art, the present invention provides a run-time protection method based on memory check. Through real-time active security monitoring of a service system by a monitoring system, it ensures that the key memory data of all running software in the whole system is not tampered with, thereby effectively resisting the various memory attack means of malicious software and ensuring the run-time security of the system.
In one aspect, the present invention provides a run-time protection method based on memory check, including:
step S1: acquiring a newly loaded program according to a request of a user for creating a process;
step S2: calculating a reference value of the program according to an initial program code segment, a program constant segment and an environment variable segment of the newly loaded program;
step S3: configuring user policies, wherein the user policies comprise a periodic trigger policy, a key operation trigger policy, a blocking policy and an alarm policy;
step S4: calculating the current measurement value of the newly loaded program, comparing it with the reference value of the program obtained in step S2, and triggering re-measurement or identifying an anomaly according to the comparison result and the user policy.
Further, step S1 of the runtime protection method based on memory check of the present invention includes: reading the executable file of a user program according to a user's request to create a process, allocating memory for the program, and loading the program into its different memory segments; and meanwhile updating the service system program list, monitoring and periodically reading the program list to acquire the newly loaded program.
Further, step S2 of the runtime protection method based on memory check of the present invention includes:
extracting a program code segment, a program constant segment and an environment variable segment of a newly loaded program, calculating a hash value according to the extracted program code segment, the program constant segment and the environment variable segment, and taking the calculated hash value as an initial measurement value of the program;
setting the initial measurement value of the program as the reference value of the program, storing the initial measurement value of the program in a safe storage area, and persistently storing a reference value list of the program.
Further, in step S3 of the run-time protection method based on memory check of the present invention, the periodic trigger policy includes: configuring a timer and triggering measurement of the memory when the timer reaches a set value, so as to perform periodic memory checks on the newly loaded program.
Further, in step S3 of the run-time protection method based on memory check of the present invention, the key operation trigger policy includes: monitoring the key behaviors of the newly loaded program and, when a key behavior occurs, triggering measurement of the memory and performing a round of memory check on the newly loaded program, wherein the key behaviors comprise file creation, deletion, reading and writing, network connection establishment and sending, and device operation.
Further, in step S4 of the run-time protection method based on memory check of the present invention, calculating the current metric value of the newly loaded program includes: extracting the current program code segment, program constant segment and environment variable segment of the newly loaded program, calculating a hash value over the extracted segments, and taking the calculated hash value as the current memory measurement value of the program.
Further, in step S4 of the run-time protection method based on memory check of the present invention, comparing the current measurement value of the program with the reference value of the program obtained in step S2 and triggering re-measurement or anomaly recognition according to the comparison result and the user policy includes:
when the current measurement value of the newly loaded program is consistent with the reference value and the user policy is the periodic trigger policy, waiting for the next round of memory check to be triggered;
when the current measurement value of the newly loaded program is consistent with the reference value and the user policy is the key operation trigger policy, waiting for the next key behavior to occur.
Further, in step S4 of the run-time protection method based on memory check of the present invention, comparing the current measurement value of the program with the reference value of the program obtained in step S2 and triggering re-measurement or identifying an anomaly according to the comparison result and the user policy further comprises:
when the current measurement value of the newly loaded program is inconsistent with the reference value and the user policy is the blocking policy, killing the process corresponding to the program, clearing the related memory, and recording and storing the related measurement log;
when the current measurement value of the newly loaded program is inconsistent with the reference value and the user policy is the alarm policy, allowing the process of the program to continue running, recording and storing the related measurement log, and reporting an alarm event to the user.
In another aspect, the present invention provides a run-time protection device based on memory checking, including:
the business system comprises a kernel layer and an application layer and is used for operating the user program and completing the business requirements of the user;
the monitoring system comprises a bottom layer support module and a measurement core module and is used for monitoring and safety checking program operation of the business system and ensuring safety and credibility during the operation of the business system.
Furthermore, in the run-time protection device based on memory check of the present invention, the kernel layer of the service system comprises a service system communication agent unit, a program loading unit and a program key behavior monitoring unit, wherein the service system communication agent unit is used for establishing real-time two-way communication with the monitoring system communication agent unit; the program loading unit is used for reading the executable file of a user program, allocating memory for the program, loading the program into its different memory segments, updating the service system program list, monitoring and periodically reading the program list, acquiring the newly loaded program, and reporting the creation and unloading of programs to the monitoring system in real time through the communication agent unit; and the program key behavior monitoring unit is used for monitoring the key behaviors of the user program and reporting them to the monitoring system through the service system communication agent unit.
Furthermore, in the run-time protection device based on memory check of the present invention, the bottom layer support module of the monitoring system comprises a monitoring system communication agent unit, a memory management unit, a task scheduling unit and a secure storage unit, wherein the monitoring system communication agent unit is used for establishing real-time two-way communication with the service system communication agent unit, the memory management unit provides the monitoring system with the capability of reading the memory of the service system, the task scheduling unit schedules and coordinates the units of the monitoring system, and the secure storage unit persistently stores the data of the monitoring system.
Furthermore, in the run-time protection device based on memory check of the present invention, the measurement core module of the monitoring system comprises a reference value calculation unit, a reference value management unit, a policy management unit and a log management unit, wherein the reference value calculation unit is used for reading memory of the service system through the memory management unit and extracting the reference value of a program from the read-only area of the user program in memory; the reference value management unit is used for managing (adding, deleting, updating or querying) the reference values of user programs in the service system; the policy management unit is used for receiving the configured user policy; and the log management unit is used for recording the memory check logs and alarm logs of the monitoring system.
The run-time protection method and device based on memory check have the following beneficial effects:
1. the device is divided into two systems, namely a service system and a monitoring system, wherein the two systems can run on different CPU cores, or the same CPU core is multiplexed in a time-sharing manner by utilizing the TEE technology, so that the two systems are kept to run independently; and various virus attacks aiming at the service system are prevented from influencing the normal operation of the monitoring system.
2. The monitoring system actively performs periodic memory measurement of the kernel measurement module and the key behavior monitoring module in the service system, which removes the reliance on a kernel measurement module inside the service system, avoids the defects of a passive measurement mechanism that waits for events, and prevents the check mechanism from being skipped.
3. The monitoring system can directly extract the memory section of the appointed program in the service system by utilizing the characteristic that the monitoring system can read and write the memory of the service system, and compared with the mode of sending the memory section to the TCM card through IO, the computing efficiency of the memory metric value can be greatly improved, the performance interference on the service system is reduced, and the operation efficiency of the whole system is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart illustrating a runtime protection method based on memory check according to an exemplary first embodiment of the present invention.
Fig. 2 is a flowchart illustrating the principle of comparing the current metric value of a loaded program with its reference value in a run-time protection method based on memory check according to an exemplary fifth embodiment of the present invention.
Fig. 3 is an architecture diagram of a runtime protection device based on memory check according to an exemplary sixth embodiment of the present invention.
Fig. 4 is a flowchart of a runtime protection method based on memory check according to an exemplary seventh embodiment of the present invention.
Detailed Description
Embodiments of the present invention are described in detail below with reference to the accompanying drawings.
It should be noted that, in the case of no conflict, the features in the following embodiments and examples may be combined with each other; moreover, based on the embodiments in the present disclosure, all other embodiments obtained by a person of ordinary skill in the art without making creative efforts shall fall within the protection scope of the present disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the appended claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the disclosure, one skilled in the art should appreciate that one aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. Additionally, such an apparatus may be implemented and/or such a method may be practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
Fig. 1 is a flowchart of a runtime protection method based on memory check according to an exemplary first embodiment of the present invention, and as shown in fig. 1, the method of this embodiment includes:
step S1: acquiring a newly loaded program according to a request of a user for establishing a process;
step S2: calculating a reference value of the program according to an initial program code segment, a program constant segment and an environment variable segment of the newly loaded program;
step S3: configuring user policies, wherein the user policies comprise a periodic trigger policy, a key operation trigger policy, a blocking policy and an alarm policy;
step S4: calculating the current measurement value of the newly loaded program, comparing it with the reference value of the program obtained in step S2, and triggering re-measurement or identifying an anomaly according to the comparison result and the user policy.
A second exemplary embodiment of the present invention provides a runtime protection method based on memory checking, which is a preferred embodiment of the method shown in fig. 1. Step S1 of the method of this embodiment includes: reading an executable file of a user program according to a request of a user for establishing a process, allocating a memory for the program, and loading the program to different memory segments; and meanwhile, updating a service system program list, monitoring and periodically reading the program list to acquire a newly loaded program.
An exemplary third embodiment of the present invention provides a runtime protection method based on memory check, which is a preferred embodiment of the method shown in fig. 1. Step S2 of the method of this embodiment includes:
extracting a program code segment, a program constant segment and an environment variable segment of a newly loaded program, calculating a hash value according to the extracted program code segment, the program constant segment and the environment variable segment, and taking the calculated hash value as an initial measurement value of the program;
setting the initial measurement value of the program as the reference value of the program, storing the initial measurement value of the program in a safe storage area, and persistently storing a reference value list of the program.
An exemplary fourth embodiment of the present invention provides a runtime protection method based on memory check, which is a preferred embodiment of the method shown in fig. 1.
In step S3 of the method of this embodiment, the periodic trigger policy includes: configuring a timer and triggering measurement of the memory when the timer reaches a set value, so as to perform periodic memory checks on the newly loaded program.
In step S3 of the method of this embodiment, the key operation trigger policy includes: monitoring the key behaviors of the newly loaded program and, when a key behavior occurs, triggering measurement of the memory and performing a round of memory check on the newly loaded program, wherein the key behaviors comprise file creation, deletion, reading and writing, network connection establishment and sending, and device operation.
An exemplary fifth embodiment of the present invention provides a runtime protection method based on memory check, which is a preferred embodiment of the method shown in fig. 1.
In step S4 of the method of this embodiment, calculating the current metric value of the newly loaded program includes: extracting the current program code segment, program constant segment and environment variable segment of the newly loaded program, calculating a hash value over the extracted segments, and taking the calculated hash value as the current measurement value of the program.
In step S4 of the method of this embodiment, comparing the current metric value of the program with the reference value of the program obtained in step S2 and triggering re-measurement or identifying an anomaly according to the comparison result and the user policy includes:
when the current measurement value of the newly loaded program is consistent with the reference value and the user policy is the periodic trigger policy, waiting for the next round of memory check to be triggered;
when the current measurement value of the newly loaded program is consistent with the reference value and the user policy is the key operation trigger policy, waiting for the next key behavior to occur;
when the current measurement value of the newly loaded program is inconsistent with the reference value and the user policy is the blocking policy, killing the process corresponding to the program, clearing the related memory, and recording and storing the related measurement log;
when the current measurement value of the newly loaded program is inconsistent with the reference value and the user policy is the alarm policy, allowing the process of the program to continue running, recording and storing the related measurement log, and reporting an alarm event to the user.
In this embodiment, the principle of comparing the current metric value of the loaded program with the reference value is shown in fig. 2.
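As an added illustration (not code from the patent), the following Python models steps S2 and S4 as described in the disclosure and in this embodiment: the three measured segments are hashed into one metric value, the first value becomes the program's reference, and a later check returns the action dictated by the user policy. The segment contents, the program name and the encoding of the four user policies as a trigger choice plus a mismatch action are my assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Segments measured by the scheme (names as in the patent). The bytes used
# below are constructed stand-ins for memory the monitoring system would read
# out of the service system through its memory management unit.
MEASURED_SEGMENTS = ("code", "constant", "environment")

# User policy vocabulary. In this reading of the patent the four policies form
# two choices: when to measure (trigger) and what to do on a mismatch.
TRIGGERS = ("periodic", "key_operation")
ON_MISMATCH = ("block", "alarm")


def compute_measurement(segments: Dict[str, bytes]) -> str:
    """Hash the measured segments into a single metric value (steps S2 and S4).

    Every segment is domain-separated by its name and length, so bytes moved
    between two segments, or a truncated segment, change the digest.
    """
    h = hashlib.sha256()
    for name in MEASURED_SEGMENTS:
        data = segments[name]
        h.update(name.encode("ascii"))
        h.update(len(data).to_bytes(8, "little"))
        h.update(data)
    return h.hexdigest()


@dataclass
class MeasurementCore:
    """Reference value list and check logic of the measurement core module.

    The dict stands in for the secure storage area; the log list stands in for
    the log management unit.
    """
    references: Dict[str, str] = field(default_factory=dict)
    logs: List[Tuple[str, str, str]] = field(default_factory=list)

    def register(self, program: str, segments: Dict[str, bytes]) -> str:
        """Step S2: the initial measurement of a newly loaded program is its reference."""
        reference = self.references[program] = compute_measurement(segments)
        return reference

    def check(self, program: str, segments: Dict[str, bytes],
              trigger: str, on_mismatch: str) -> str:
        """Step S4: measure again and decide what the monitoring system does.

        'wait_timer'        consistent, periodic trigger: wait for the timer
        'wait_key_behavior' consistent, key-operation trigger: wait for next event
        'block'             inconsistent, blocking policy: kill process, clear memory
        'alarm'             inconsistent, alarm policy: let it run, report an alarm
        """
        if trigger not in TRIGGERS or on_mismatch not in ON_MISMATCH:
            raise ValueError("unknown user policy")
        if program not in self.references:
            raise KeyError(f"no reference value for {program}")
        current = compute_measurement(segments)
        if current == self.references[program]:
            return "wait_timer" if trigger == "periodic" else "wait_key_behavior"
        # Mismatch: the read-only area changed, so the program is faulty or
        # under attack. Both mismatch policies record a measurement log.
        self.logs.append((program, self.references[program], current))
        return on_mismatch


def demo() -> Dict[str, object]:
    """Walk one program through a clean check and two tampered checks (constructed data)."""
    core = MeasurementCore()
    segments = {
        "code": bytes.fromhex("554889e5b8000000005dc3"),      # constructed x86-64 stub
        "constant": b"Hello, business system\0",
        "environment": b"LD_LIBRARY_PATH=/opt/app/lib\0LANG=C\0",
    }
    core.register("payroll", segments)
    results: Dict[str, object] = {
        "clean": core.check("payroll", segments, "periodic", "block"),
    }
    # Flip one byte of the constant segment, as an in-memory patch would.
    tampered = dict(segments, constant=b"Hello, business sYstem\0")
    results["tampered_block"] = core.check("payroll", tampered, "key_operation", "block")
    results["tampered_alarm"] = core.check("payroll", tampered, "key_operation", "alarm")
    results["log_entries"] = len(core.logs)
    return results


if __name__ == "__main__":
    print(demo())
```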
Fig. 3 is an architecture diagram of a runtime protection device based on memory check according to an exemplary sixth embodiment of the present invention, as shown in fig. 3, the device of this embodiment includes:
the business system comprises a kernel layer and an application layer and is used for operating a user program and completing the business requirements of the user;
the monitoring system comprises a bottom layer support module and a measurement core module and is used for monitoring and safety inspection of program operation of the business system.
The monitoring system of the device of this embodiment is independent of the service system and is not interfered with by it; to maintain this independence it runs on a separate CPU core or in a TEE (trusted execution environment). The monitoring system has its own memory area or memory device, and at the same time it can directly read and write all memory areas or memory devices of the service system, while the service system cannot read or write the memory areas or memory devices allocated to the monitoring system, so the security and reliability of the service system during operation are ensured.
As shown in fig. 3, in practical applications, the kernel layer of the service system includes a service system communication agent unit, a program loading unit, and a program critical behavior monitoring unit, where the service system communication agent unit is configured to establish real-time bidirectional communication with the monitoring system communication agent unit; the program loading unit is used for reading an executable file of a user program, allocating a memory for the program, loading the program to different memory segments, updating a service system program list, monitoring and regularly reading the program list, acquiring a newly loaded program, and reporting the creating and unloading behaviors of the program to a monitoring system in real time through the communication agent unit; and the program key behavior monitoring unit is used for monitoring the key behavior of the user program and reporting the key behavior to the monitoring system through the service system communication agent unit. The program is distributed in the memory and is divided into a read-only area and a variable area. The content of the read-only area should not be changed, and if the content is changed, the operation of the program is wrong or the system is attacked.
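To make the read-only versus variable area distinction above concrete, here is an added Python example (not from the patent) that selects the measurement scope from Linux /proc/<pid>/maps output: non-writable mappings of the executable are its code and constant segments, shared libraries and the vDSO fall under what the patent calls the environment variable segment, and writable mappings are the variable area and are left out. The sample maps text is constructed and the mapping of page permissions onto the patent's segment names is my assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed /proc/<pid>/maps sample for a hypothetical service program
# /opt/app/bin/app that links libc. Columns: range, perms, offset, dev, inode, path.
SAMPLE_MAPS = """\
55d0c3a00000-55d0c3a01000 r--p 00000000 fd:01 1310722 /opt/app/bin/app
55d0c3a01000-55d0c3a05000 r-xp 00001000 fd:01 1310722 /opt/app/bin/app
55d0c3a05000-55d0c3a07000 r--p 00005000 fd:01 1310722 /opt/app/bin/app
55d0c3a07000-55d0c3a08000 rw-p 00006000 fd:01 1310722 /opt/app/bin/app
55d0c5000000-55d0c5021000 rw-p 00000000 00:00 0 [heap]
7f2a1c000000-7f2a1c028000 r--p 00000000 fd:01 262401 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a1c028000-7f2a1c1bd000 r-xp 00028000 fd:01 262401 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a1c1bd000-7f2a1c215000 r--p 001bd000 fd:01 262401 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a1c215000-7f2a1c219000 rw-p 00215000 fd:01 262401 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd4e1c0000-7ffd4e1e1000 rw-p 00000000 00:00 0 [stack]
7ffd4e1f5000-7ffd4e1f9000 r--p 00000000 00:00 0 [vvar]
7ffd4e1f9000-7ffd4e1fb000 r-xp 00000000 00:00 0 [vdso]
"""

MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Region]:
    """Parse /proc/<pid>/maps text into regions; a malformed line is an error, not skipped."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        regions.append(Region(int(m.group(1), 16), int(m.group(2), 16),
                              m.group(3), m.group(4).strip()))
    return regions


def classify(region: Region) -> str:
    """Assign a region to the patent's vocabulary (this mapping is an assumption).

    'variable'  writable mapping (data, heap, stack): changes legitimately, not measured
    'skip'      [vvar]: read-only to userspace but rewritten by the kernel, so
                measuring it would produce false mismatches
    'code'      non-writable executable mapping
    'constant'  non-writable, non-executable mapping (rodata, relro, dynamic tables)
    """
    if "w" in region.perms:
        return "variable"
    if region.path == "[vvar]":
        return "skip"
    if "x" in region.perms:
        return "code"
    return "constant"


def measured_regions(text: str) -> Dict[str, List[Region]]:
    """Return the read-only regions grouped by backing object: the measurement scope.

    The main executable's entries are its code/constant segments; shared libraries
    and the vDSO belong to what the patent calls the environment variable segment.
    """
    scope: Dict[str, List[Region]] = {}
    for region in parse_maps(text):
        if classify(region) in ("variable", "skip"):
            continue
        scope.setdefault(region.path, []).append(region)
    return scope


def measured_size(text: str) -> int:
    """Total number of bytes the monitoring system would hash for this process."""
    return sum(r.size for regions in measured_regions(text).values() for r in regions)


if __name__ == "__main__":
    for path, regions in measured_regions(SAMPLE_MAPS).items():
        print(path, [(hex(r.start), r.perms, classify(r)) for r in regions])
    print("measured bytes:", measured_size(SAMPLE_MAPS))
```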
The bottom layer supporting module of the monitoring system comprises a monitoring system communication agent unit, a memory management unit, a task scheduling unit and a safety storage unit, wherein the monitoring system communication agent unit is used for establishing real-time bidirectional communication with the service system communication agent unit, the memory management unit is used for providing the capability of reading the memory of the service system for the monitoring system, the task scheduling unit is used for scheduling and coordinating each unit of the monitoring system, and the safety storage unit is used for persistently storing data of the monitoring system.
The measurement core module of the monitoring system comprises a reference value calculation unit, a reference value management unit, a strategy management unit and a log management unit, wherein the reference value calculation unit is used for reading a memory in the service system through the memory management unit and extracting a reference value of a generated program from a read-only area of a user program in the memory; the reference value management unit is used for managing (adding, deleting, updating or inquiring) the user program reference value in the service system; the policy management unit is used for receiving the configured user policy; the log management unit is used for recording various memory check logs and alarm logs of the monitoring system. The measurement core module of the monitoring system of the embodiment periodically performs a round of memory check on the kernel measurement module and the key behavior monitoring module of the service system, and if the checks are inconsistent, it indicates that the kernel layer of the service system is attacked, and the operation of the whole service system needs to be blocked or an alarm needs to be given according to a user policy.
Fig. 4 is a flowchart of a run-time protection method based on memory check according to an exemplary seventh embodiment of the present invention, where this embodiment is a preferred embodiment of the method shown in fig. 1, and a device with the architecture shown in fig. 3 may be implemented and executed according to the method of this embodiment.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (12)

1. A run-time protection method based on memory check is characterized in that the method comprises the following steps:
step S1: acquiring a newly loaded program according to a request of a user for establishing a process;
step S2: calculating a reference value of the program according to an initial program code segment, a program constant segment and an environment variable segment of the newly loaded program;
step S3: configuring user policies, wherein the user policies comprise a periodic trigger policy, a key operation trigger policy, a blocking policy and an alarm policy;
step S4: calculating the current measurement value of the newly loaded program, comparing it with the reference value of the program obtained in step S2, and triggering re-measurement or identifying an anomaly according to the comparison result and the user policy.
2. The run-time protection method based on memory check according to claim 1, wherein step S1 includes: reading an executable file of a user program according to a request of a user for creating a process, allocating memory for the program, and loading the program into different memory segments; and meanwhile updating a service system program list, and monitoring and periodically reading the program list to acquire the newly loaded program.
3. The run-time protection method based on memory check according to claim 1, wherein the step S2 includes:
extracting a program code segment, a program constant segment and an environment variable segment of a newly loaded program, calculating a hash value according to the extracted program code segment, the program constant segment and the environment variable segment, and taking the calculated hash value as an initial measurement value of the program;
setting the initial measurement value of the program as the reference value of the program, storing the initial measurement value of the program in a safe storage area, and persistently storing a reference value list of the program.
4. The run-time protection method based on memory check according to claim 1, wherein in step S3 the periodic trigger policy includes: configuring a timer, and triggering a measurement of the memory when the timer reaches a set value, so as to perform a periodic memory check on the newly loaded program.
5. The run-time protection method based on memory check according to claim 1, wherein in step S3 the key operation trigger policy includes: monitoring the key behaviors of the newly loaded program, triggering a measurement of the memory when a key behavior of the newly loaded program occurs, and performing a round of memory check on the newly loaded program, wherein the key behaviors comprise file creation, deletion, reading and writing, network connection establishment and sending, and device operation.
6. The run-time protection method based on memory check according to claim 1, wherein in step S4 calculating the current measurement value of the newly loaded program comprises: extracting the current program code segment, program constant segment and environment variable segment of the newly loaded program, calculating a hash value over the extracted current program code segment, program constant segment and environment variable segment, and taking the calculated hash value as the current measurement value of the program.
7. The run-time protection method based on memory check according to claim 1, wherein in step S4 comparing the current measurement value of the program with the reference value of the program obtained in step S2, and triggering re-measurement or identifying an abnormality according to the comparison result and the user policy, includes:
when the current measurement value of the newly loaded program is consistent with the reference value and the user policy is a periodic trigger policy, waiting for the next round of memory check to be triggered;
when the current measurement value of the newly loaded program is consistent with the reference value and the user policy is a key operation trigger policy, waiting for the next key behavior to occur.
8. The run-time protection method based on memory check according to claim 1, wherein in step S4 comparing the current measurement value of the program with the reference value of the program obtained in step S2, and triggering re-measurement or identifying an abnormality according to the comparison result and the user policy, further includes:
when the current measurement value of the newly loaded program is inconsistent with the reference value and the user policy is a blocking policy, killing the process corresponding to the program, cleaning up the related memory, and recording and storing the related measurement log;
when the current measurement value of the newly loaded program is inconsistent with the reference value and the user policy is an alarm policy, allowing the process of the program to continue running, recording and storing the related measurement log, and reporting an alarm event to the user.
9. A run-time protection device based on memory check, the device comprising:
the business system comprises a kernel layer and an application layer and is used for operating a user program and completing the business requirements of the user;
the monitoring system comprises a bottom layer support module and a measurement core module and is used for monitoring and safety inspection of program operation of the business system.
10. The run-time protection device based on memory check of claim 9, wherein the kernel layer of the service system comprises a service system communication agent unit, a program loading unit and a program critical behavior monitoring unit, wherein the service system communication agent unit is configured to establish real-time bidirectional communication with the monitoring system communication agent unit; the program loading unit is used for reading an executable file of a user program, distributing a memory for the program, loading the program to different memory segments, updating a service system program list, monitoring and periodically reading the program list, acquiring the newly loaded program, and reporting the creating and unloading behaviors of the program to the monitoring system in real time through the communication agent unit; and the program key behavior monitoring unit is used for monitoring the key behavior of the user program and reporting the key behavior to the monitoring system through the service system communication agent unit.
11. The run-time protection device based on memory check according to claim 9, wherein the bottom support module of the monitoring system comprises a monitoring system communication agent unit, a memory management unit, a task scheduling unit and a secure storage unit, wherein the monitoring system communication agent unit is configured to establish real-time bidirectional communication with the service system communication agent unit, the memory management unit is configured to provide the monitoring system with a capability of reading the memory of the service system, the task scheduling unit is configured to schedule and coordinate each unit of the monitoring system itself, and the secure storage unit is configured to persistently store data of the monitoring system.
12. The run-time protection device based on memory check according to claim 9, wherein the measurement core module of the monitoring system includes a reference value calculation unit, a reference value management unit, a policy management unit and a log management unit, wherein the reference value calculation unit is configured to read the memory in the service system through the memory management unit and to generate the reference value of the program from the read-only area of the user program in the memory; the reference value management unit is used for managing the reference values of the user programs in the service system; the policy management unit is used for receiving the configured user policy; and the log management unit is used for recording the memory check logs and alarm logs of the monitoring system.
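The measure, compare and act loop of claims 1 to 8 (baseline at load time, re-measurement on a timer or on a key behavior, then block or alarm according to the user policy) is illustrated below as an added example written for this page; it is not the patent's or the applicant's implementation. Its assumptions: constructed byte strings stand in for the code, constant and environment-variable segments instead of memory read from a real process; SHA-256 is used where the claims say only "hash value"; each segment is length-prefixed before hashing (a detail the claims do not mention, added so that shifting bytes across a segment boundary cannot yield the same digest); and killing the process is represented by clearing a flag on the program record.

```python
"""Toy model of the memory-check loop described in claims 1-8 of CN115730308A.

Constructed example: byte strings stand in for the program's memory
segments; no real process memory is read and no process is really killed.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


@dataclass
class LoadedProgram:
    """Read-only segments of a newly loaded program (constructed stand-ins)."""
    pid: int
    name: str
    code: bytes         # initial program code segment
    constants: bytes    # program constant segment
    environment: bytes  # environment variable segment
    running: bool = True


class Trigger(Enum):
    PERIODIC = "periodic"       # timer reached its set value (claim 4)
    KEY_OPERATION = "key_op"    # file / network / device behavior seen (claim 5)


class OnMismatch(Enum):
    BLOCK = "block"   # claim 8: kill the process, clean memory, log
    ALARM = "alarm"   # claim 8: let it run, log, report an alarm event


@dataclass
class UserPolicy:
    on_mismatch: OnMismatch
    period_seconds: int = 60
    key_behaviors: tuple = ("file_create", "file_delete", "file_rw",
                            "net_connect", "net_send", "device_op")


def measure(program: LoadedProgram) -> str:
    """Hash the three segments into one measurement value (claims 3 and 6).

    Length-prefixing each segment is an assumption of this example: without
    it, (b"ab", b"c") and (b"a", b"bc") would hash to the same value.
    """
    h = hashlib.sha256()
    for segment in (program.code, program.constants, program.environment):
        h.update(len(segment).to_bytes(8, "big"))
        h.update(segment)
    return h.hexdigest()


class RuntimeMonitor:
    """Holds the reference-value list, the user policy and the check log."""

    def __init__(self, policy: UserPolicy):
        self.policy = policy
        self.reference_values: Dict[int, str] = {}  # stand-in for secure storage
        self.log: List[str] = []

    def on_process_created(self, program: LoadedProgram) -> str:
        """Step S2: the first measurement becomes the program's reference value."""
        ref = measure(program)
        self.reference_values[program.pid] = ref
        self.log.append(f"baseline pid={program.pid} name={program.name} ref={ref[:16]}")
        return ref

    def check(self, program: LoadedProgram, trigger: Trigger) -> str:
        """Step S4: re-measure, compare with the reference, act per the policy."""
        ref = self.reference_values.get(program.pid)
        if ref is None:
            self.log.append(f"no reference value for pid={program.pid}")
            return "unknown_program"
        current = measure(program)
        if current == ref:
            # Claim 7: consistent, so wait for the next trigger of the same kind.
            return ("wait_next_period" if trigger is Trigger.PERIODIC
                    else "wait_next_key_behavior")
        # Claim 8: inconsistent, so block or alarm according to the policy.
        self.log.append(f"MISMATCH pid={program.pid} name={program.name} "
                        f"trigger={trigger.value} ref={ref[:16]} cur={current[:16]}")
        if self.policy.on_mismatch is OnMismatch.BLOCK:
            program.running = False                  # stands in for killing the process
            del self.reference_values[program.pid]   # and cleaning the related memory
            return "blocked"
        return "alarm"


def demo(on_mismatch: OnMismatch) -> List[str]:
    """Baseline a program, then modify its code segment in place and re-check."""
    monitor = RuntimeMonitor(UserPolicy(on_mismatch))
    prog = LoadedProgram(pid=4242, name="svc", code=b"\x55\x48\x89\xe5\xc3",
                         constants=b"config-v1\x00", environment=b"PATH=/usr/bin\x00")
    monitor.on_process_created(prog)
    results = [monitor.check(prog, Trigger.PERIODIC)]
    prog.code = b"\x90" + prog.code[1:]   # constructed in-memory change to the code segment
    results.append(monitor.check(prog, Trigger.KEY_OPERATION))
    results.append(str(prog.running))
    return results


if __name__ == "__main__":
    print(demo(OnMismatch.BLOCK))   # ['wait_next_period', 'blocked', 'False']
    print(demo(OnMismatch.ALARM))   # ['wait_next_period', 'alarm', 'True']
```

In a real deployment the monitor would live in the separate monitoring system of claims 9 to 11 and obtain the segments through its memory management unit rather than from the same process, which is what keeps the check from being skipped by a compromised service system; the example collapses both sides into one process only so that it runs offline.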
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211239161.7A CN115730308A (en) 2022-10-11 2022-10-11 Runtime protection method and device based on memory check
Publications (1)

Publication Number Publication Date
CN115730308A true CN115730308A (en) 2023-03-03

Family

ID=85293466

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination