基于多内核的操作系统内生安全技术

白紫星; 戴华昇; 宋怡景; 蒋金虎; 张为华; 梁浩

doi:10.20193/j.ices2097-4191.2024.01.008

PDF(912 KB)

集成电路与嵌入式系统 ›› 2024, Vol. 24 ›› Issue (1) : 58-63. DOI: 10.20193/j.ices2097-4191.2024.01.008

研究论文

基于多内核的操作系统内生安全技术

白紫星 ¹ ,
戴华昇 ¹ ,
宋怡景 ¹ ,
蒋金虎 ¹ ,
张为华 ¹^,^* ,
梁浩 ²

作者信息 +

Endogenous security technology based on multi-kernel operating system

Author information +

文章历史 +

摘要

随着数字化、智能化、网络化趋势席卷全球,功能安全与网络安全日益交织、叠加,演变为内生安全问题。操作系统是计算机系统的重要组成部分,是软件架构的基石,操作系统级内生安全至关重要。基于拟态防御的动态异构冗余架构是实现操作系统内生安全的关键技术,但目前面临单内核操作系统不支持内生安全、操作系统级内生安全方案缺失、操作系统层共识机制设计不完善等挑战。本文从操作系统内生安全架构、异构冗余机制、高效通信和共识机制等方面展开分析和设计,提出了一套基于多内核的操作系统内生安全技术方案。

Abstract

With the trend of digitization,intelligence,and networking sweeping the world,functional security and network security are increasingly intertwined and overlapping,evolving into endogenous security issues.The operating system is an important component of computer systems and the cornerstone of software architecture,and operating system level endogenous security is crucial.The dynamic heterogeneous redundant architecture based on mimetic defense is a key technology for achieving endogenous security in operating systems.However,it currently faces challenges such as single kernel operating systems not supporting endogenous security,lack of operating system level endogenous security solutions,and incomplete design of operating system level consensus mechanisms.This article analyzes and designs an embedded security architecture for operating systems,heterogeneous redundancy mechanisms,efficient communication,and consensus mechanisms,and proposes a multi kernel based embedded security technology solution for operating systems.

导出引用

白紫星, 戴华昇, 宋怡景, 等. 基于多内核的操作系统内生安全技术[J]. 集成电路与嵌入式系统. 2024, 24(1): 58-63 https://doi.org/10.20193/j.ices2097-4191.2024.01.008

BAI Zixing, DAI Huasheng, SONG Yijing, et al. Endogenous security technology based on multi-kernel operating system[J]. Integrated Circuits and Embedded Systems. 2024, 24(1): 58-63 https://doi.org/10.20193/j.ices2097-4191.2024.01.008

中图分类号： TP31 (计算机软件)

参考文献

列表( 原文顺序 | 文献年度倒序 | 文中引用次数倒序 ) 可视化分析

[1]	WU J X. Research on cyber mimic defense[J]. Journal of Cyber Security, 2016, 1(4):1-10. 本文引用 [1]

[2]	吴礼发, 洪征, 李华波. 网络攻防原理与技术[M]. 2版. 北京: 机械工业出版社, 2017. WU L F, HONG ZH, LI H B. Principles and Technologies of Network Attack and Defense[M]. 2nd Edition. Beijing: Mechanical Industry Press, 2017 (in Chinese). 本文引用 [1]

[3]	WU J X. Cyberspace mimic defense: generalized robust control and endogenous security[EB/OL].[2023-10]. https://www.doc88.com/p9009953314809.html. https://www.doc88.com/p9009953314809.html 本文引用 [1]

[4]	中兴通讯股份有限公司. 2030+网络内生安全愿景白皮书, 2021. ZTE Communications Co. 2030+Network Endogenous Security Vision White Paper, 2021 (in Chinese). 本文引用 [1]

[5]	WANG H, BU Y J, JIANG Y M, et al. Design and research of a mimic honeypot system[J]. Network Security Technology and Ap-plication, 2021(2):1-3. 本文引用 [1]

[6]	Beijing Topsec Network Security Technology. A network-based data processing method and electronic equipment:China,110311850A[P]. 2019-10-08. 本文引用 [1]

[7]

SONG

, LIU

Q R

, WEI

, et al. Endogenous security architecture of Ethernet switch based on mimic defense[J]. Journal on Communications, 2020, 41(5):18-26.

https://doi.org/10.11959/j.issn.1000-436x.2020098

本文引用 [1] 摘要

Aiming at the unknown vulnerabilities and unknown backdoor security threats faced by Ethernet switches,a switch endogenous security architecture based on mimicry defense theory was proposed.The theoretical basis,construction mode and security mechanism of the architecture ware introduced,the algorithm strategy and security improvement effect of TAMA algorithm were proposed and analyzed,a prototype of mimic switch was designed and implemented,and the security tests of white box stuffing and attack chain were carried out.Theoretical analysis and test results show that the architecture has good unknown vulnerabilities and unknown backdoor defense capabilities in various attack scenarios.

[8]	MA H L, YI P, JIANG Y M, et al. Router mimic defense architecture based on dynamic heterogeneous redundancy mechanism[J]. Journal of Cyber Security, 2017, 2(1):29-42. 本文引用 [1]

[9]	WEI S, YU H, GU Z Y, et al. Architecture of mimic security processor for industry control system[J]. Journal of Cyber Security, 2017, 2(1):54-73. 本文引用 [1]

[10]	TONG Q, ZHANG Z, ZHANG W H, et al. Design and implementation of mimic defense web server[J]. Journal of Software, 2017, 28(4):883-897. 本文引用 [1]

[11]

ZHANG

J X

, PANG

J M

, ZHANG

, et al. Executors scheduling algorithm for Web server with mimic structure[J]. Computer Engineering, 2019, 45(8):14-21.

https://doi.org/10.19678/j.issn.1000-3428.0053425

本文引用 [1] 摘要

Scheduling is an important mechanism for the Web server with mimic structure.Most of the existing scheduling algorithms lack consideration about heterogeneity and Quality of Service(QoS) of the Web server with mimic structure,and do not solve the problems of security and service quality instability caused by the scheduling mechanism.Therefore,a scheduling algorithm called Random Seed algorithm based on Maximum heterogeneity and Web QoS(RSMHQ)is proposed.All the thresholds of the Web servers with mimic structure are calculated.The seed executor is randomly selected,and the scheduling scheme is determined according to the maximum heterogeneity and QoS.Simulation results show that compared with the random scheduling algorithm,the proposed algorithm has better scheduling effects and achieves an excellent balance between security,Web service quality and dynamic behaviour.

[12]	WANG Z P, HU H C, CHENG G Z. A DNS architecture based on mimic security defense[J]. Acta Electronica Sinica, 2017, 45(11):2705-2714. 本文引用 [1]

[13]

ZHANG

, XIE

G W

, GUO

, et al. Key technologies and implementation methods of endogenous safety and security cloud data center based on mimic architecture[J]. Telecommunications Science, 2021, 37(3):39-48.

https://doi.org/10.11959/j.issn.1000-0801.2021056

本文引用 [1] 摘要

Cloud data center is the representative of the new generation of information infrastructure, and its security has become the focus of attention in recent years, which is of great significance.Based on the analysis of the current cloud security situation, the security architecture, key technologies, and implementation methods of the cloud data center through the emerging concept of endogenous security were explored, hoping to use the mimic structure to solve the endogenous safety and security problems such as vulnerabilities and backdoors that were difficult to deal with by the existing means.Moreover, the endogenous security architecture of cloud data centers and related key technologies were proposed, with the mode and trend of mimic transformation.In the future, endogenous safety and security cloud data centers will provide practical solutions for the construction of a new generation of information infrastructure, which may accelerate the technology application and promotion of the cloud service model.

[14]	PU L M, WEI H Q, LI X, et al. Mimic cloud service architecture for cloud applications[J]. Chinese Journal of Network and Information Security, 2021, 7(1):101-112. 本文引用 [1]

[15]	WANG Z P, HU H C, CHENG G Z. Design and implementation of mimic network operating system[J]. Journal of Computer Research and Development, 2017, 54(10):2321-2333. 本文引用 [1]

[16]	LEI C, ZHANG H Q, TAN J L, et al. Moving target defense techniques:A survey[J]. Security and Communication Networks, 2018. 本文引用 [1]

[17]	邬江兴. 网络空间拟态防御研究[J]. 信息安全学报, 2016, 1(4):1-10. WU J X. Research on Cyberspace Pseudomorphic Defense[J]. Journal of Information Security, 2016, 1(4):1-10 (in Chinese). https://doi.org/10.4236/jis.2010.11001 http://www.scirp.org/journal/doi.aspx?DOI=10.4236/jis.2010.11001 本文引用 [1]

[18]	邬江兴. 网络空间内生安全(上册):拟态防御与广义鲁棒控制[M]. 北京: 科学出版社, 2020. WU J X. Endogenous Security in Cyberspace (Volume 1):Pseudomorphic Defense and Generalized Robust Control[M]. Beijing: Science Press, 2020 (in Chinese). 本文引用 [1]

[19]	邬江兴. 内生安全赋能网络弹性工程[M]. 北京: 科学出版社, 2023. WU J X. Endogenous Security Empowerment Network Resilience Engineering[M]. Beijing: Science Press, 2023 (in Chinese). 本文引用 [1]

[20]	THOMPSON M, EVANS N, KISEKKA V. Multiple OS rotational environment an implemented moving target defense[C]// 2014 7th International Symposium on Resilient Control Systems (ISRCS).IEEE, 2014:1-6. 本文引用 [1]

[21]	SONG Y, DAI H, JIANG J, et al. Multikernel: operating system solution to generalized functional safety[J]. Security and Safety, 2023(2):2023007. 本文引用 [1]

[22]

W C

, ZHANG

, WANG

L Q

, et al. A web threat situation analysis method for mimic structure[J]. Computer Engineering, 2019, 45(8):1-6.

https://doi.org/10.19678/j.issn.1000-3428.0054221

本文引用 [1] 摘要

Threat adjudication based on the judge method of ruling difference is an important mechanism for the mimic defense system to shield and block the threat of attacks.However,the existing mimic adjudication mechanism cannot conduct effective inductive analysis and threat control on the security situation of the mimic defense systems.Therefore,taking the mimic Web service system as an example,and integrating the network situation awareness technology into the mimic defense architecture,this paper proposes an improved Web threat situation analysis method.The data association is performed on the multi-level mimic adjudication alarm log.The feature data information extracted by fusion is deeply mined and classified.Different types of classification data are visually displayed.Experimental results show that the method can display the security state of the mimic defense systems,and is informed of the running state of the abnormal execution body in time,so as to realize the analysis and evaluation of the security situation of the mimic defense systems.

[23]	WU Y F, RAN X M. Application of CNN neural network in route forecasting[J]. Electronic Design Engineering, 2019, 27(12):13-20. 本文引用 [1]

[24]	KONG J, HUANG J, YU H, et al. RNN-based default logic for route planning in urban environments[J]. Neurocomputing, 2019(338):307-320. 本文引用 [1]

[25]	BUSCH J, KOCHETUROV A, TRESP V, et al. NF-GNN:network flow graph neural networks for malware detection and classification, 2021. 本文引用 [1]

[26]	FU R, ZHANG Z, LI L. Using LSTM and GRU neural network methods for traffic flow prediction[C]// Proceedings of 2016 31st Youth Academic Annual Conference of Chinese Association of Automation (YAC). 2016:324-328. 本文引用 [1]

[27]

, LIU

X W

, MA

H L

. Research on mimic defense system of Internet of vehicles[J]. Journal of Information Security Research, 2020, 6(3):244-251.

本文引用 [1] 摘要

In the era of the Internet of things, everything is interconnected. As one of its products, the Internet of Vehicles provides consumers with a convenient way to travel. But at the same time, the safety problems of automobile driving brought by intelligence and network also face various risks, which seriously threaten peoples lives and property safety. Therefore, this article adopts a mimic defense method to design and implement a mimic defense system of Internet of vehicles. Through the collection of vehicle-side threat data and the identification of vehicle serverside threat data, a mimic defense analysis engine is established to effectively protect against various known threats. At the same time, the analysis engine is used to predict the unknown vulnerabilities and threats, thereby forming an active defense behavior. Finally, experiments show that the method can effectively guarantee the safety of the Internet of Vehicles, and provide a strong security support for the security of the Internet of Vehicles business.

[28]	GUBBI J, BUYYA R, MARUSIC S, et al. Internet of things (IoT):a vision,architectural elements,and future directions[J]. Future Generation Computer Systems, 2013, 29(7):1645-1660. https://doi.org/10.1016/j.future.2013.01.010 https://linkinghub.elsevier.com/retrieve/pii/S0167739X13000241 本文引用 [1]

[29]	ZHANG Z K, CHO M C Y, WANG C W, et al. IoT security: ongoing challenges and research opportunities[C]// Proceedings of 2014 IEEE 7th International Conference on Service-Oriented Computing and Applications. Piscataway: IEEE Press, 2014:230-234. 本文引用 [1]

[30]	HAILONG MA, LIANG WANG, TAO HU, et al. Survey on the development of mimic defense in cyberspace:from mimic concept to “mimic+” ecology[J]. Chinese Journal of Network and Information Security, 2022, 8(2):15-38. 本文引用 [1]