36 results about "Loadable kernel module" patented technology

The invention discloses a dynamic acquisition method of file system access record, belonging to the field of storage system testing and performance analysis. The invention is characterized in that a kernel module can be loaded without the need of unloading the old file system, thus not needing to interrupt the working application. A file system operation interception module can dynamically intercept the underlayer file system operation by a substitution of corresponding functions in the interception module. While executing the underlayer file system operation, the functions output the operation type and parameters to an access record output module which compresses the file record and outputs a plurality of operation information at one time in a output record way of register. The access record output module controls the output file size to prevent the problems of difficult read and write and exceeding file system restriction. An access record file management module collects additional information and packages and transfers the access record according to the assignment of users, thus being convenient for users to manage. The test shows that the collection of access record has little impact on the application.

The invention relates to an Android unknown malicious software detection method based on dynamic behavior characteristics and belongs to the technical field of computers and information science. The method comprises the steps that to-be-detected software is input into a system; the system uncompresses and decompiles a software package and extracts static characteristics in a result file; at the same time, the system operates the software package in an Android simulator and monitors dynamic behavior of the software by using a behavior monitoring system based on an LKM (Loadable Kernel Module); the dynamic behavior is recorded in logs and the dynamic behavior characteristics of the software are extracted from the logs; the extracted dynamic and static characteristics are subjected to normalization processing and the results are input into a trained classification algorithm classification detection module; the module can automatically judge whether the detected software is malicious software or not according to the input dynamic and static characteristic data. The method has high detection efficiency and accuracy and can be applied to security detection of software platforms such as the Android application market.

The invention relates to a method for implementing a user mode drive program in an embedded Linux, and belongs to the technical field of embedded operating systems. The method for implementing the user mode drive program in the embedded Linux comprises the specific steps of carrying out separation on a traditional kernel mode drive program to form a k-driver component running in a kernel mode and a u-driver component running in a user mode according to whether performance is related or not and priorities, building a dynamic loadable kernel module k-mod in the kernel mode, and building a dynamic link library u-lib in the user mode. According to a user mode programming tool, a programmer is allowed to use universal mature programming tools such as a code debugger when carrying out programming, and coding quality is improved; better performance is achieved, and performance, such as the throughput, the delay and the CPU overhead, is similar to performance of the traditional kernel mode device drive program; fault isolation is achieved, and a fault occurring on a user layer component cannot influence a kernel, namely, safe operation of a whole system cannot be influenced; compatibility is achieved, the method for implementing the user mode drive program in the embedded Linux is compatible with an existing embedded Linux system, and the same interfaces are provided.

A real-time remote backup system and related method used for a network system connecting at least one source computer system and one destination computer system is disclosed. The system includes a loadable kernel module capable of presetting up at least one specific system call in the kernel space of the source computer system. Besides the kernel software, the specific system call can notify the loadable kernel module to generate a corresponding file modification message when a file modification event occurs in the user space of the source computer system. A scheduling module sequentially queues and implements the file modification messages from the loadable kernel module, and then generates a corresponding backup command according to each said file modification message. And, a network backup unit installed in the source computer system is facilitated to directly back up variant part of the file through the network system to the destination computer system when receiving the backup command transmitted from the scheduling module.

The invention provides a kernel mode Rootkit detection method based on system virtualization technology. A Rootkit principle, system calling and an LKM (Loadable Kernel Module) are analyzed deeply to obtain the behavior characteristic of hiding of own module information of kernel mode Rootkit. Specific to the characteristic, the Rootkit detection method based on cross view validation is designed. A Xen kernel is changed to intercept system calling, so that a credible view is constructed. An infected view is constructed by using a user mode tool of a target client. Hidden modules are found by comparing the credible view with the infected view.

A system and method is provided for implementing platform security on a consumer electronic device having an open development platform. The device is of the type which includes an abstraction layer operable between device hardware and application software. A secured software agent is provided for embedding within the abstraction layer forming the operating system. The secured software agent is configured to limit access to the abstraction layer by either blocking loadable kernel modules from loading, blocking writing to the system call table or blocking requests to attach debug utilities to certified applications or kernel components.

The invention provides a malicious code analysis method and system under a Linux platform. According to the method and the system provided by the invention, dynamic loading can be realized by using an LKM (Loadable Kernel Module) technology, a position of intercepting system call is positioned between a VFS (Virtual File system) layer and a detailed file system so as to acquire more information related to file operation and provide more accurate and useful monitoring information. The system call can be intercepted without the need of correcting a system call table, so that the potential safety hazards brought by the traditional method of correcting the system call table are avoided; a shared memory mechanism is adopted to increase the communication speed of a kernel module and a user progress, and the data volume of communication transmission; key files and progresses needing to be monitored are selected by a user so as to improve the usability, the flexibility and the high efficiency of the system, and the demands of the user on malicious code analysis are well met; the selected malicious code progresses and a plurality of important key files are monitored so as to avoid great performance loss of the system and improve the operation speed of the analysis system.

The invention discloses an equipment driving method for a user mode and kernel mode-driver cooperative processing framework and the method comprises the steps: initializing the user mode and kernel mode driver cooperative processing framework, comprising a kernel mode driver as a loadable kernel module to operate in a kernel space used for providing a stable kernel mode driver development interface; and a user mode driver as a shared library, is located in the user space and used for providing an interface for user mode driver development; and when an application program in the user space calls the user mode driver, enabling the user mode driver to interact with the kernel mode driver by the user mode driver, or directly interact with the kernel mode driver by character equipment and DMA buffer equipment so that operation on specified equipment is completed. User mode and kernel mode driver cooperative processing can be achieved, interaction with hardware is jointly completed, the driver development and maintenance process can be greatly simplified, and the stability and reliability of the kernel are improved.

The invention discloses an operating system and an operating method for a cloud server. The system is arranged on a server of a cloud computing network, and comprises a Host kernel module, a security module and a system service kernel module, wherein the Host kernel module is a configurable multi-task operating system base layer, the security module is used for implementing a forced access control system and the system service kernel module is a loadable kernel module, wherein the system service kernel module directly runs a service program under the operating system on a cloud service operating system by loading different operating system plug-in modules. Under an operating system, service application of different operating systems can be simultaneously operated without performing virtualization and without installing different operating systems in each virtual environment; and when arranged on the server of the cloud computing network, the system can run the services of various operating systems at extremely high efficiency on the premise that other operating systems are not required to be installed.

The invention relates to monitoring for Android system malicious behaviors, and belongs to the technical field of computer and information science. Monitoring is implemented to system function calling in the Java layer, the Native layer and the Kernel layer of an Android system; while the malicious behaviors are prevented, a user is warned, and a log is recorded; the malicious behavior lists 1, 2 and 3 of each layer are output; and finally, through pairwise comparison of adjacent views, hidden behaviors (Java layer hidden behaviors and Native layer hidden behaviors) are analyzed, and a hidden behavior list is output. A process injection technology is adopted in the Java layer and the Native layer, and an LKM (Loadable Kernel Modules) technology is adopted in the Kernel layer.

A technique for processing Internet Protocol (IP) packets includes an IP conveyor portion as a loadable kernel module that includes user defined filtering criteria for recognizing at least one feature of an IP packet. When one of the user defined filtering criteria is satisfied, an IP packet can be directed along a desired communication path, processed using a desired protocol stack or both. Whenever an IP packet does not satisfy at least one of the filtering criteria, a default communication path is used for such a packet.

The invention relates to the field of computer operating systems, in particular to a cooperative work system and method of a user mode drive and a kernel mode drive. The cooperative work system comprises a user mode driver, a kernel mode driver and a loadable kernel module, the loadable kernel module provides an operation interface for the user mode driver, and the loadable kernel module is used for registering corresponding character equipment according to a request of the kernel mode driver and creating an associated attribute file, and providing the character device and the attribute file for the user mode drive, so that the user mode drive calls the drive part data in the corresponding kernel mode drive by operating the character device. The technical scheme provided by the invention has the beneficial effects that the cooperative work system and method of the user mode drive and the kernel mode drive are provided, the cooperative processing of the user mode drive and the kernel mode drive can be achieved, the interaction with hardware is completed together, the drive development and maintenance process can be greatly simplified, and the stability and reliability of the kernel are improved.

The invention discloses a container escape detection and blocking method, device and equipment and a storage medium, and relates to the technical field of safety environment detection.The method comprises the following steps that a dynamic loadable kernel module is loaded in a system, and the dynamic loadable kernel module is made to hook a fork function and an excve function; acquiring key information of a host machine process and storing the key information into a global table; when the fork function or the excve function is called by the container process, key information of the container process is obtained and stored in a global table; and searching the key information of the host machine process in the global table, comparing the key information with the key information of the container process to determine whether the container process escapes or not, and if so, blocking the container process. According to the method, the execution process of the process is supervised, and the process can be killed before the escape process executes malicious actions, so that blocking in the process is realized, and an operating system is protected to the maximum extent.

The invention provides a method and device for guaranteeing the system security. The method includes the steps that a dynamic-loadable kernel module (LKM) is set in a Linux system of an EPG device, and preset security configuration files are loaded in the LKM; when file operation is carried out, whether the file operation is legal or not is detected according to the security configuration files; under the condition that the file operation is legal, the file operation is carried out, and if the file operation is illegal, the file operation is refused to be carried out. By means of the method and device for guaranteeing the system security in the technical scheme, the problem that the security level of the EPG device in the related technology is low is solved, and the security of the EPG device is greatly improved.

An indication is received. The indication is of an address in a first page in virtual memory used by an application with a static memory corruption. A loadable kernel module will monitor the address. Access to the first page in virtual memory is changed from read/write access to read only access. A second page in virtual memory is created with read/write access. Whether a page fault occurs on the first page in virtual memory during the execution of the application with the static memory corruption is determined.