Computer security has been shaped by malware ever since the first worm appeared, and the contest between operating systems, anti-virus software and malware has never stopped. The operating system is the essential software of a computer and plays a central role in its security. Windows uses Discretionary Access Control, which is enforced mainly on the identity of users and user groups. This approach, however, lets applications run with more permissions than they need, which plainly violates the 'least privilege' principle. For the user it is a disaster when software running under an administrator account contains malicious behavior or has a vulnerability that is exploited.

Traditional anti-virus software relies on static analysis to identify and block malware. Since a large share of malware now uses code obfuscation and encryption, static analysis no longer meets the needs of testing untrusted software. An effective defense against malicious software is to restrict a program's behavior while it runs inside a controlled environment. Building such an environment with a virtual machine is inefficient, and a sandbox based on SSDT hooking and redirection, which checks every system call, suffers from similar problems.

This paper implements an efficient secure system on Windows 7 that is built on the access control mechanism. A restricted access token and a restricted job object are used to limit the privileges of a process. In user mode a process references a kernel object through a handle, so the creation and duplication of handles can be monitored; an extension of the Object Manager callback is used to monitor applications' access to resources. The system therefore combines access control with resource monitoring.

The main contributions of this paper are:

1. We analyzed the access control mechanism of Windows 7 and its defects, systematically summarized the permission control of applications and the interception of system calls on the Windows platform, and generalized the system call interception techniques and their scope of application.

2. We achieved access control over fourteen kernel objects by extending the Object Manager of Windows 7. Access to an object is controlled by modifying the access permissions of the process's handle, and a strategy file lets system resources be protected flexibly. Because a process must reference the object through that handle once it has obtained permission, this method reduces the work needed to monitor system calls and improves efficiency.

3. We designed a system that combines process permission control with kernel object monitoring and can thus control a process's behavior. It effectively prevents dynamically loaded attacker code that exploits application vulnerabilities, and it meets the requirement of Mandatory Access Control by protecting the user's private data.
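The second contribution rests on one mechanism: when a handle to a kernel object is created or duplicated, a pre-operation callback strips rights from the requested access mask according to a policy, and the process can then only use what the handle grants. The following C code is an added example written for this page, not the thesis's implementation. The policy-evaluation part is portable and is what gets tested here; the Windows kernel glue that wires it to the documented ObRegisterCallbacks interface sits under the constructed macro OBCB_KERNEL_BUILD and only compiles in a WDK driver project. The policy table, the image names, the altitude string and the helper ImageNameOf are all assumptions constructed for the example. Two caveats a practitioner should know: a callback may only remove bits from the requested mask, never add them, and on Windows 7 the documented ObRegisterCallbacks interface covers process and thread objects only, so the thesis's coverage of fourteen object types necessarily goes beyond that public interface.

```c
/* Added example, not the thesis's code: access-mask filtering for a handle
 * pre-operation callback. The policy logic compiles on any host; the kernel
 * glue under OBCB_KERNEL_BUILD (a constructed macro) needs a WDK driver build. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t access_mask_t;

/* Process access rights, numeric values as defined in winnt.h. */
#define PROCESS_TERMINATE          0x0001u
#define PROCESS_CREATE_THREAD      0x0002u
#define PROCESS_VM_OPERATION       0x0008u
#define PROCESS_VM_READ            0x0010u
#define PROCESS_VM_WRITE           0x0020u
#define PROCESS_QUERY_INFORMATION  0x0400u

/* One rule of the strategy file: when a process whose image name matches
 * `requester` opens or duplicates a handle to a process matching `target`,
 * the bits in `deny` are stripped. "*" matches any image name. */
struct policy_rule {
    const char   *requester;
    const char   *target;
    access_mask_t deny;
};

/* Constructed sample policy; the thesis would load this from its strategy file. */
static const struct policy_rule policy[] = {
    /* A low-trust program may neither inject into nor terminate other processes. */
    { "untrusted.exe", "*", PROCESS_VM_WRITE | PROCESS_VM_OPERATION |
                            PROCESS_CREATE_THREAD | PROCESS_TERMINATE },
    /* Nobody may read the memory of the protection engine itself. */
    { "*", "avengine.exe", PROCESS_VM_READ },
};

static int image_matches(const char *pattern, const char *image)
{
    return strcmp(pattern, "*") == 0 || strcmp(pattern, image) == 0;
}

/* Returns the rights that will actually be granted. A pre-operation callback
 * may only remove bits from the requested mask, never add any, so the result
 * is always a subset of `requested`. A process opening itself is never
 * restricted. `denied_out`, if non-NULL, receives the stripped bits for logging. */
access_mask_t filter_desired_access(const char *requester, const char *target,
                                    access_mask_t requested,
                                    access_mask_t *denied_out)
{
    access_mask_t deny = 0;
    if (strcmp(requester, target) != 0) {
        for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
            if (image_matches(policy[i].requester, requester) &&
                image_matches(policy[i].target, target))
                deny |= policy[i].deny;
        }
    }
    if (denied_out)
        *denied_out = requested & deny;
    return requested & ~deny;
}

/* Convenience for logging and tests: only the bits a request would lose. */
access_mask_t denied_bits(const char *requester, const char *target,
                          access_mask_t requested)
{
    access_mask_t denied;
    filter_desired_access(requester, target, requested, &denied);
    return denied;
}

#ifdef OBCB_KERNEL_BUILD
#include <ntddk.h>

/* Hypothetical helper: map an EPROCESS to its image file name (a driver would
 * build this on a process-creation notify routine); implementation not shown. */
const char *ImageNameOf(PEPROCESS Process);

static OB_PREOP_CALLBACK_STATUS
PreOpenProcess(PVOID Context, POB_PRE_OPERATION_INFORMATION Info)
{
    PEPROCESS    requester;
    PACCESS_MASK desired;
    UNREFERENCED_PARAMETER(Context);
    if (Info->KernelHandle)          /* leave kernel-mode requests untouched */
        return OB_PREOP_SUCCESS;
    if (Info->Operation == OB_OPERATION_HANDLE_CREATE) {
        requester = PsGetCurrentProcess();
        desired   = &Info->Parameters->CreateHandleInformation.DesiredAccess;
    } else {                         /* duplicate: the receiving process matters */
        requester = (PEPROCESS)Info->Parameters->DuplicateHandleInformation.TargetProcess;
        desired   = &Info->Parameters->DuplicateHandleInformation.DesiredAccess;
    }
    *desired = filter_desired_access(ImageNameOf(requester),
                                     ImageNameOf((PEPROCESS)Info->Object),
                                     *desired, NULL);
    return OB_PREOP_SUCCESS;
}

/* Registers the filter for process handle creation and duplication. */
NTSTATUS RegisterProcessHandleFilter(PVOID *RegistrationHandle)
{
    OB_OPERATION_REGISTRATION op  = { 0 };
    OB_CALLBACK_REGISTRATION  reg = { 0 };
    op.ObjectType   = PsProcessType;
    op.Operations   = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    op.PreOperation = PreOpenProcess;
    reg.Version                    = OB_FLT_REGISTRATION_VERSION;
    reg.OperationRegistrationCount = 1;
    reg.OperationRegistration      = &op;
    RtlInitUnicodeString(&reg.Altitude, L"321000");   /* placeholder altitude */
    return ObRegisterCallbacks(&reg, RegistrationHandle);
}
#endif
```

On a host, `filter_desired_access("untrusted.exe", "explorer.exe", PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, NULL)` returns only `PROCESS_QUERY_INFORMATION`, which is the whole point of the approach: the check runs once, at handle creation, and every later system call through that handle is bounded by the rights that survived. In a real driver the image-name lookup should be cached from a process-creation notify routine rather than done per open, the driver must be linked with /INTEGRITYCHECK for ObRegisterCallbacks to succeed, and the registration handle must be passed to ObUnRegisterCallbacks on unload.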