Title (Chinese): | 一种UEFI rootkit的分析与定位尝试 (An attempt at analysing and locating a UEFI rootkit) |
Name: | |
Discipline: | Information Security |
Student type: | Undergraduate |
Degree: | Bachelor of Engineering |
Institution: | Renmin University of China |
School / department: | |
Major: | |
Primary supervisor: | |
Completion date: | 2016-05-18 |
Submission date: | 2016-05-18 |
Keywords (Chinese): | UEFI rootkit; software clustering; analysis; locating method; detection |
Abstract (Chinese): |
The Hacking Team data leak exposed a working UEFI rootkit. According to reports the rootkit is extremely harmful: it gains control of the system before the operating system starts on every boot, and almost no anti-virus software can detect its presence. As a new form of rootkit it is unfamiliar; even information security practitioners lack both an intuitive and a theoretical understanding of its basic mechanism, let alone the means to detect it effectively. Against this background, this thesis analyses the Hacking Team UEFI rootkit and attempts to locate it. In the analysis phase the rootkit was implanted into an experimental machine, which gave a direct view of how it works and what damage it can do. Reviewing the rootkit's source code showed that the rootkit modules interact with the target system's built-in UEFI modules far less than those built-in modules interact with each other, and that the rootkit modules contain an unusually large number of conditional statements. Based on these findings, the thesis proposes a UEFI rootkit locating method built on software clustering: every module in the UEFI image is clustered using the interactions between modules and the number of conditional statements in each module as features. Locating experiments were run on nine UEFI ROMs into which the rootkit had been implanted. The results show that, out of ROMs containing several hundred modules, the method places the rootkit modules into a cluster of single-digit size, which greatly narrows the detection scope and substantially advances detection of this rootkit.
Keywords: UEFI rootkit; software clustering; analysis; locating method; detection
|
Abstract (English): |
Hacking Team's data leak exposed a UEFI rootkit. According to reports this rootkit is extremely harmful: it gains control of the system before the operating system starts on every boot, and few anti-virus products can detect it. As a new form of rootkit it is not well known, and even information security practitioners lack both an intuitive and a theoretical understanding of its mechanism, let alone the means to detect it effectively. In view of this, we analysed Hacking Team's UEFI rootkit and attempted to locate it. In the analysis phase we implanted the rootkit into an experimental machine and thereby gained first-hand knowledge of its mechanism and its harmfulness. After reviewing the rootkit's source code, we found that the interactions between the rootkit modules and the target system's inherent UEFI modules are much weaker than those among the inherent modules themselves, and that the rootkit modules contain an unusually large number of conditional statements. Based on this analysis, the thesis proposes a locating method inspired by software clustering. The method extracts the interactions between modules and the number of conditional statements in each module as clustering features and divides all modules into several clusters. Nine different UEFI ROMs were used to evaluate the method. The results show that, among hundreds of modules, the method places the rootkit modules in a cluster containing only a single-digit number of modules. The method significantly narrows the detection scope and thus considerably advances detection of Hacking Team's UEFI rootkit.
Key words: UEFI rootkit; software clustering; analysis; locating method; detection
|
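As an added illustration of the locating method summarised in the two abstracts above (example code written for this page, not the thesis's own tooling), the following Python script builds the two per-module features the abstracts name and clusters a small constructed module inventory. The thesis does not say how module interaction was measured; here it is assumed to be the produce/consume relation over UEFI protocols, i.e. two DXE modules are linked when one consumes a protocol the other installs, and a module's interaction score is the number of distinct modules it is linked to. Conditional-statement counts are taken as given (in practice they would come from disassembly). The module table is constructed: the names borrow EDK II driver naming for readability, but the protocol lists and branch counts are invented. k-means with k=2 and farthest-first seeding is the clustering choice made here; the thesis clusters into several clusters and does not specify the algorithm.

```python
"""Locate out-of-place UEFI DXE modules by clustering two per-module features:
(1) how many other modules a module exchanges protocols with, and
(2) how many conditional branches its code contains.
Constructed example: the module table below is invented, not measured from a ROM."""
from __future__ import annotations
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Module:
    name: str
    produces: frozenset[str]   # protocols the module installs (InstallProtocolInterface)
    consumes: frozenset[str]   # protocols it looks up (LocateProtocol / OpenProtocol)
    cond_count: int            # conditional branches counted in its disassembly (assumed input)


def M(name, produces, consumes, cond):
    return Module(name, frozenset(produces), frozenset(consumes), cond)


# Constructed inventory: twelve "inherent" drivers with a dense protocol graph and
# modest branch counts, plus two implanted modules that only call into the file
# system and are branch-heavy. Names follow EDK II conventions for readability only.
MODULES = [
    M("DxeCore",           {"DevicePath", "LoadedImage"}, set(), 55),
    M("PciBusDxe",         {"PciIo"}, {"DevicePath"}, 48),
    M("SataControllerDxe", {"BlockIo"}, {"PciIo", "DevicePath"}, 35),
    M("DiskIoDxe",         {"DiskIo"}, {"BlockIo"}, 22),
    M("PartitionDxe",      {"BlockIo"}, {"DiskIo", "DevicePath"}, 44),
    M("FatDxe",            {"SimpleFileSystem"}, {"DiskIo", "BlockIo", "DevicePath"}, 60),
    M("UsbBusDxe",         {"UsbIo"}, {"PciIo", "DevicePath"}, 38),
    M("UsbKbDxe",          {"SimpleTextIn"}, {"UsbIo", "DevicePath"}, 30),
    M("GraphicsOutputDxe", {"GraphicsOutput"}, {"PciIo", "DevicePath"}, 42),
    M("ConSplitterDxe",    {"SimpleTextOut"}, {"SimpleTextIn", "GraphicsOutput"}, 50),
    M("BdsDxe",            set(), {"SimpleFileSystem", "LoadedImage", "SimpleTextOut", "DevicePath"}, 70),
    M("AcpiTableDxe",      {"AcpiTable"}, {"LoadedImage", "PciIo"}, 25),
    M("SuspectA",          set(), {"LoadedImage", "SimpleFileSystem"}, 310),
    M("SuspectB",          set(), {"SimpleFileSystem"}, 280),
]


def interaction_degree(modules):
    """Number of distinct other modules each module is linked to, where a link means
    one module consumes a protocol the other produces (direction ignored)."""
    producers = {}
    for m in modules:
        for p in m.produces:
            producers.setdefault(p, set()).add(m.name)
    neighbours = {m.name: set() for m in modules}
    for m in modules:
        for p in m.consumes:
            for other in producers.get(p, ()):
                if other != m.name:
                    neighbours[m.name].add(other)
                    neighbours[other].add(m.name)
    return {n: len(s) for n, s in neighbours.items()}


def feature_vectors(modules):
    """Min-max normalise (degree, cond_count) to [0,1]^2 so both features weigh equally."""
    deg = interaction_degree(modules)

    def scale(values):
        lo, hi = min(values), max(values)
        return [(v - lo) / (hi - lo) if hi > lo else 0.0 for v in values]

    xs = scale([deg[m.name] for m in modules])
    ys = scale([m.cond_count for m in modules])
    return {m.name: (x, y) for m, x, y in zip(modules, xs, ys)}


def kmeans(points, k, rounds=100):
    """Deterministic k-means: farthest-first seeding, then standard Lloyd iterations."""
    names = list(points)
    mean = tuple(sum(points[n][i] for n in names) / len(names) for i in range(2))
    centroids = [points[max(names, key=lambda n: math.dist(points[n], mean))]]
    while len(centroids) < k:
        far = max(names, key=lambda n: min(math.dist(points[n], c) for c in centroids))
        centroids.append(points[far])
    assignment = {}
    for _ in range(rounds):
        new = {n: min(range(k), key=lambda i: math.dist(points[n], centroids[i])) for n in names}
        if new == assignment:
            break
        assignment = new
        for i in range(k):
            members = [points[n] for n in names if assignment[n] == i]
            if members:  # keep the old centroid if a cluster emptied out
                centroids[i] = tuple(sum(p[d] for p in members) / len(members) for d in range(2))
    clusters = [set() for _ in range(k)]
    for n, i in assignment.items():
        clusters[i].add(n)
    return [c for c in clusters if c]


def locate_suspects(modules, k=2):
    """Cluster all modules and return the smallest cluster as the candidate set to inspect."""
    return min(kmeans(feature_vectors(modules), k), key=len)


if __name__ == "__main__":
    deg = interaction_degree(MODULES)
    for m in MODULES:
        print(f"{m.name:18} degree={deg[m.name]:2} cond={m.cond_count}")
    print("candidate cluster:", sorted(locate_suspects(MODULES)))
```

Running the script prints each module's interaction degree and branch count and then the candidate cluster; on this inventory the two branch-heavy, low-interaction modules separate from the other twelve, which is the narrowing effect the abstracts describe. On a real ROM the interaction graph would be built from the protocol GUIDs each module references and the branch counts from a batch disassembly of the extracted modules; the low-interaction feature alone is not enough, since legitimate leaf drivers (AcpiTableDxe here) also have few neighbours, and it is the combination with the branch count that isolates the suspects.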
Total pages: | 47 |
References: |
[2] D. Vincenzetti and V. Bedeschi. REMOTE CONTROL SYSTEM V5.1 [R]. Milano: Hacking Team, 2008.
[3] 糜旗, 宗俊珺, 徐超. BIOS Rootkit的实现技术 (Implementation techniques of BIOS rootkits) [J]. 计算机与现代化 (Computer and Modernization), 2013(11): 175.
[4] Claudio Guarnieri. Detekt [EB/OL]. https://github.com/botherder/detekt. Accessed 23 April 2016.
[6] WikiLeaks. Hacking Team [EB/OL]. https://wikileaks.org/hackingteam/emails/
[10] Techopedia. BIOS Rootkit [EB/OL]. https://www.techopedia.com/definition/15943/bios-rootkit. Accessed 18 April 2016.
[17] Ilfak Guilfanov. On batch analysis [EB/OL]. http://www.hexblog.com/?p=53. Accessed 29 April 2016.
[18] Intel Corporation. EDK II Module Writer's Guide, Revision 0.7. 2010: 52-58.
security/hacking-teams-malware-uses-uefi-rootkit-to-survive-os-reinstalls.html. Accessed 29 April 2016. |
Release date: | 2016-05-18 |