Abstract
Currently, many domestic and foreign vendors offer EDR (Endpoint Detection and Response) systems for Linux, providing comprehensive security detection and protection services for infrastructure such as cloud platforms, IoT (Internet of Things) and big data computing. However, bypass attacks targeting the EDR file protection function can help malicious behavior evade monitoring and pose serious system and data security risks. This paper examines both open-source and commercial closed-source Linux EDR systems. First, it explains the underlying implementation mechanism of the file protection function and analyzes its core technical principles. Second, it reviews four publicly known file protection bypass techniques, proposes three previously undisclosed bypass techniques, and categorizes them into three attack types. Third, based on these bypass techniques, a verification tool is written, and testing demonstrates that these methods can bypass file protection on some Linux EDR systems. Finally, corresponding security protection recommendations are given.
Authors
WANG Yijun (王轶骏); DAI Chuanlei (代传磊) (Shanghai Jiao Tong University, Shanghai 200240, China)
Source
Communications Technology (《通信技术》)
2024, No. 9, pp. 934-941 (8 pages)
Funding
National Key R&D Program of China (2022QY1702).
Keywords
endpoint detection and response
host intrusion detection
Linux host protection
kernel state tracing technology
file protection bypassing