Computer Engineering and Applications, 2019, Vol. 55, Issue 23: 105-112. DOI: 10.3778/j.issn.1002-8331.1809-0180


Rootkit Universality Detection Method for Heterogeneous BIOS Environments

HE Liwen, HOU Xiaoyu, TANG Chengcheng, ZHOU Rui, ZHANG Xingning   

1. School of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing 210003, China
2. School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210003, China

Online: 2019-12-01; Published: 2019-12-11

Chinese title: 面向异构BIOS环境的Rootkit通用性检测方法 (Rootkit Universality Detection Method for Heterogeneous BIOS Environments)

Authors (Chinese names): 何利文, 侯小宇, 唐澄澄, 周睿, 张幸宁

1. School of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing 210003
2. School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210003

Abstract: Starting from the traditional Trojan horse model framework, this paper analyzes and improves the formal model of Rootkit cooperative concealment and implements a formal Rootkit detection model for heterogeneous BIOS environments. Following the idea of cooperative concealment, the model divides the entire detection process into three modules. Rootkit samples from several heterogeneous BIOS environments are studied and, combined with the idea of trusted computing, a trusted-computing-based detection method is proposed. This method is combined with the formal Rootkit detection model: it establishes three trust chains according to the analysis results of Rootkit samples from multiple heterogeneous BIOS environments, and proposes a different detection idea for each module, such as an integrity detection method based on trusted computing and checking the entry addresses of the interrupt vector table. Experimental results show that the detection method can effectively detect Rootkits in different system environments under heterogeneous BIOS environments.
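The two detection ideas the abstract names, a trust chain of integrity measurements over ordered firmware regions and a check of interrupt vector table (IVT) entry addresses against a trusted baseline, as an added, self-contained illustration that is not the paper's code. The TPM-style extend operation, the region order (boot block, BIOS body, IVT), the constructed baseline and the sample tampered entry are all assumptions made for this example.

```python
import hashlib
import struct

IVT_SIZE = 256 * 4  # real-mode IVT: 256 far pointers, 4 bytes each (offset, segment)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(measurement: bytes, region: bytes) -> bytes:
    """PCR-style extend (assumed model): new = H(old || H(region)).
    Region order matters, so each stage of the chain pins down the previous one."""
    return sha256(measurement + sha256(region))


def build_chain(regions) -> bytes:
    """Fold an ordered list of byte regions into a single chain measurement."""
    m = b"\x00" * 32
    for region in regions:
        m = extend(m, region)
    return m


def parse_ivt(ivt: bytes):
    """Return (segment, offset) per interrupt number, little-endian offset first."""
    assert len(ivt) == IVT_SIZE
    return [struct.unpack_from("<HH", ivt, i * 4)[::-1] for i in range(256)]


def changed_vectors(ivt: bytes, golden_ivt: bytes):
    """Interrupt numbers whose entry address differs from the trusted baseline."""
    cur, ref = parse_ivt(ivt), parse_ivt(golden_ivt)
    return [n for n in range(256) if cur[n] != ref[n]]


def detect(regions, golden_chain: bytes, golden_ivt: bytes) -> dict:
    """regions: ordered [boot_block, bios_body, ivt]; the IVT is measured last so a
    redirected entry shows up both as a chain mismatch and as a named interrupt."""
    return {
        "integrity_ok": build_chain(regions) == golden_chain,
        "hooked": changed_vectors(regions[-1], golden_ivt),
    }


def make_golden_ivt() -> bytes:
    # Constructed baseline: every vector points into the F000h BIOS segment.
    return b"".join(struct.pack("<HH", 0x0100 + n * 8, 0xF000) for n in range(256))


def tamper_vector(ivt: bytes, intno: int, segment: int, offset: int) -> bytes:
    # Constructed test input: one redirected entry, used only to exercise detect().
    entry = struct.pack("<HH", offset, segment)
    return ivt[: intno * 4] + entry + ivt[intno * 4 + 4:]
```

On a real system the golden chain and baseline IVT would be recorded from a known-good boot and stored outside the measured regions; the sample blobs here only stand in for them.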

Key words: Rootkit, heterogeneous BIOS environment, cooperative concealment, formal model, trusted computing, detection
