Patent Grant
10277717
Unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
It is often useful for computer systems to determine, in real time, characteristics of software components and processes running on the computer system. The ability to determine such characteristics and gather information about them is generally called introspection. Network introspection, which is one type of system introspection, may be used for detection, protection, main management, compliance and security enforcement, etc.
In the following detailed description, reference is made to the accompanying drawings, which form a part hereof. In the drawings, similar symbols typically identify similar components, unless context dictates otherwise. The illustrative embodiments described in the detailed description, drawings, and claims are not meant to be limiting. Other embodiments may be utilized, and other changes may be made, without departing from the spirit or scope of the subject matter presented here. It will be readily understood that the aspects of the present disclosure, as generally described herein, and illustrated in the drawings, can be arranged, substituted, combined, and designed in a wide variety of different configurations, all of which are explicitly contemplated herein.
At block 110, in response to an initiation of a socket operation, the socket operation is filtered at a socket layer of the kernel memory space using a socket operation filter hook associated with the socket operation.
At block 120, an introspection action associated with the socket operation filtered using the socket operation filter hook is performed.
According to examples of the present disclosure, socket operation filter hooks provide greater versatility for filtering socket operations at the socket layer in the kernel memory space. In the present disclosure, the term “socket layer” may refer generally to an Application Programming Interface (API) supported by the kernel memory space. The term “socket operation filter hook” may refer generally to a piece of code that alters the behaviour of a socket operation allowing either additional or alternative processing to occur. The term “filtering” may refer generally to the interception of the socket operation by the socket operation filter hook, for example, to gather information about the socket operation.
According to examples of the present disclosure, network introspection may be performed at the socket layer in the kernel memory space, instead of at a packet level in the protocol layer. Compared to processing packets at the transport or network layer in the TCP/IP reference model, processing socket operations at the kernel socket layer is less resource intensive. In contrast, packet processing is generally more computationally expensive because packet headers need to be parsed before the actual payload may be examined. Network introspection at the socket layer may also provide better capability to gather information of network events initiated in the user memory space or kernel memory space, such as pre-operation and post-operation events, etc.
Operating System
User memory space 202 is the memory space where user application processes 212 (one shown for simplicity) are executed in application layer 210. To facilitate inter-process communication, a socket is created to represent a communication endpoint for application process 212. The communicating application processes 212 may be running on the same operating system or different ones, and on the same machine or different ones.
Kernel memory space 204 is the memory space where kernel processes run. Socket layer 220 serves as a protocol-independent interface between application layer 210 and protocol-dependent layers 230 residing below socket layer 220. For example, protocol-dependent layers 230 may include transport layer (e.g. Transmission Control Protocol, TCP) and network layer (e.g. Internet Protocol, IP). Further underlying interface layers 240 may include MAC (Media Access Control) layer and physical layer (e.g. physical network interface cards).
Socket layer 220 represents an Application Programming Interface (API) supported by kernel memory space 204 to allow application processes 212 to control and use sockets. For example, in a Linux kernel, socket layer 220 may be implemented as a set of system calls, and user memory space 202 accesses the kernel memory space 204 via the system calls.
Although not shown in
In a conventional logic flow (i.e. without socket operation filter hooks 224), socket operation 226 is initiated and executed after a corresponding system call is invoked. For example, application process 212 in user memory space 202 may invoke socket system call 222, e.g. connect( ) via a function library call. In response, socket layer 220 executes socket operation 226 that is specific to the protocol family of the socket, e.g. connect_op( ). The result of socket operation 226, and in turn system call 222, is then returned to application process 212.
Socket Operation Filter Hooks
According to examples of the present disclosure, socket layer 220 is modified to include socket operation filter hooks 224 to enable network introspection at the socket layer 220. The modification may be performed on the fly before the initiation of socket operation 226 at block 110 in
Socket operation filter hooks 224 allow filtering of socket operations 226 at socket layer 220. Here, filtering using a socket operation filter hook refers generally to the interception of socket operation 226 by interposing the socket operation filter hook 224 between socket system call 222 and socket operation 226 at socket layer 220. In other words, socket operation filter hook 224 acts like a “filter” or “trap” to detect and gather information of socket operations 226. Any information gathered during the filtering process may be reported to registered user 250. Throughout the present disclosure, the term “registered user” may be an application, process or module etc. in user memory space 202 or kernel memory space 204. The “registered user” may also reside on the same machine or different ones.
At block 310 in
Global socket operations structure 405 is generally in a read-only page table entry in kernel memory space 204. As such, at block 320 in
Next, at block 330 in
At block 340 in
At block 350 in
Table 3 shows a list of example socket operations and associated socket operation filter hooks that may be implemented, in accordance to at least some embodiments in the present disclosure. For example, socket operation connect_op( ), is associated with socket operation filter hook connect_op_filter( ); listen_op( ) is associated with listen_op_filter( ), etc. It should be understood that the list in Table 3 is non-exhaustive, and any additional or alternative socket operation may be included.
Once global socket operations structure is modified, a socket created based on the structure will have the operations function pointer *ops redirected to the socket operation filter hooks 420.
The examples in
Type SOCK_STREAM for stream-based communication using Transmission Control Protocol (TCP) or Stream Control Transmission Protocol (SCTP); SOCK_DGRAM for datagram-based communication using User Datagram Protocol (UDP); or SOCK_RAW for RAW sockets, etc. TCP and UDP are two main IP-based transport protocols. UDP, for example, may be used to send datagrams in video conferencing, audio streaming and similar services. TCP, for example, is used to set up secure, connection-oriented services.
Family or domain AF_INET for IPv4 (Internet Protocol version 4) or AF_INET6 for IPv6 (Internet Protocol version 6), etc.
Protocol IPPROTO_TCP for TCP, IPPROTO_UDP for UDP, IPPROTO_SCTP for SCTP, or BTPROTO_RFCOMM for Bluetooth, etc.
As such, socket operations 410 and socket operation filter hooks 420 in
Network Introspection at Socket Layer
According to blocks 110 and 120 in
The decision to allow or deny may be made at socket layer 520 and/or by a registered user 530 depending on whether the socket operation 526 is perceived as normal or malicious respectively. If allowed, socket operation 526 is called using the function pointer stored at block 330 in
Post-operation filtering 534 involves interception by socket operation filter hook 524 after socket operation 526 is performed. Since socket operation 526 has already been performed, no access control policy may be enforced. In this case, the introspection action may be to monitor whether socket operation 526 has been successful or otherwise.
In the example in
In response to the initiation of socket operation 626 connect_op( ), filtering is performed using a socket operation filter hook 624 connect_op_filter( ) associated with the socket operation 626. In other words, since the function pointer *ops shown in the example in
Post-operation filtering (shown in dotted lines in
It will be appreciated that examples in the present disclosure may be applied to introspect network events at different stages. Some examples are described below.
Outbound events related to an outgoing connection, at different stages such as pre-connect (before initiating connect), post-connect (after successful connection) and disconnect (when connection disconnects), etc. Outgoing disconnect may be filtered based on release( ) and release_op( ), and shutdown( ) and shutdown_op( ).
Inbound events related to an incoming connection, at different stages such as inbound-connect (during incoming connection) and disconnect (incoming connection disconnects), etc. An incoming connection may be filtered based on accept( ) and accept_op( ).
Listen events that occur when an application process listens at different stages such as start (when an application calls listen) and stop (when an application stops listening), etc. In this case, listen_op( ) socket operations are trapped at the socket layer and their information reported to a registered user.
Similarly, socket operations related to sendmsg( ) and recvmsg( ) may be filtered at the socket layer to facilitate deep packet inspection. Since introspection is performed at the socket layer, it is not necessary to parse packet headers (TCP/IP/MAC) to obtain the actual data or payload.
Other applications include data leakage detection or prevention (by examining outgoing and incoming data), data flow monitoring, endpoint desktop network security and server network security, etc. For data leakage or prevention, the examples of the present disclosure may be used to peek into data sent to or received from a remote machine regardless of whether the data is sensitive. Data flow monitoring may be used to show a graph of network connections between different machines with respect to the application, protocol and user etc. Desktop network security may enforce access control for different users belonging to the same or different groups or group types. Server network security may monitor if there is any unwanted application has started listening on a port and getting any connections or otherwise starting a connection to some remote machine, which may indicate malicious activities.
Virtualized Environment
In some embodiments, network introspection process 100 in
In the illustrated example of
As shown in more detail at 740, operating system of the virtual machine may include user memory space 742 and kernel memory space 744. Similar to the example illustrated in
On the other hand, kernel memory space 744 runs various kernel processes. Similar to the example in
Virtualized environments 700 may be subject to security and integrity risks, and each virtual machine 720 may be vulnerable to intrusion and attack from a variety of sources. The additional visibility provided by network introspection into each virtual machine 720 can be very useful for implementing security. For example, since multiple virtual machines 720 are running on the same hardware in a virtualized environment, introspection allows inter-virtual machine network events to be monitored.
Computer System
The above examples can be implemented by hardware, software or firmware or a combination thereof.
Processor 810 is to perform processes described herein with reference to
The methods, processes and units described herein may be implemented by hardware (including hardware logic circuitry), software or firmware or a combination thereof. The term ‘processor’ is to be interpreted broadly to include a processing unit, ASIC, logic unit, or programmable gate array etc.
The techniques introduced above can be implemented in special-purpose hardwired circuitry, in software and/or firmware in conjunction with programmable circuitry, or in a combination thereof. Special-purpose hardwired circuitry may be in the form of, for example, one or more application-specific integrated circuits (ASICs), programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), and others.
The foregoing detailed description has set forth various embodiments of the devices and/or processes via the use of block diagrams, flowcharts, and/or examples. Insofar as such block diagrams, flowcharts, and/or examples contain one or more functions and/or operations, it will be understood by those within the art that each function and/or operation within such block diagrams, flowcharts, or examples can be implemented, individually and/or collectively, by a wide range of hardware, software, firmware, or virtually any combination thereof.
Those skilled in the art will recognize that some aspects of the embodiments disclosed herein, in whole or in part, can be equivalently implemented in integrated circuits, as one or more computer programs running on one or more computers (e.g., as one or more programs running on one or more computer systems), as one or more programs running on one or more processors (e.g., as one or more programs running on one or more microprocessors), as firmware, or as virtually any combination thereof, and that designing the circuitry and/or writing the code for the software and or firmware would be well within the skill of one of skill in the art in light of this disclosure.
Software and/or firmware to implement the techniques introduced here may be stored on a non-transitory machine-readable storage medium and may be executed by one or more general-purpose or special-purpose programmable microprocessors. A “machine-readable storage medium”, as the term is used herein, includes any mechanism that provides (i.e., stores and/or transmits) information in a form accessible by a machine (e.g., a computer, network device, personal digital assistant (PDA), mobile device, manufacturing tool, any device with a set of one or more processors, etc.). For example, a machine-accessible storage medium includes recordable/non recordable media (e.g., read-only memory (ROM), random access memory (RAM), magnetic disk storage media, optical storage media, flash memory devices, etc.)
The figures are only illustrations of an example, wherein the units or procedure shown in the figures are not necessarily essential for implementing the present disclosure. Those skilled in the art will understand that the units in the device in the example can be arranged in the device in the examples as described, or can be alternatively located in one or more devices different from that in the examples. The units in the examples described can be combined into one module or further divided into a plurality of sub-units.
It will be appreciated by persons skilled in the art that numerous variations and/or modifications may be made to the above-described embodiments, without departing from the broad general scope of the present disclosure. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive.
| Number | Name | Date | Kind |
|---|---|---|---|
| 6675218 | Mahler | Jan 2004 | B1 |
| 7801128 | Hoole et al. | Sep 2010 | B2 |
| 8127291 | Pike et al. | Feb 2012 | B2 |
| 8352941 | Protopopov et al. | Jan 2013 | B1 |
| 8365294 | Ross | Jan 2013 | B2 |
| 20050050377 | Chan et al. | Mar 2005 | A1 |
| 20050071840 | Neiger et al. | Mar 2005 | A1 |
| 20070078915 | Gassoway | Apr 2007 | A1 |
| 20070192862 | Vermeulen et al. | Aug 2007 | A1 |
| 20070226788 | Lee | Sep 2007 | A1 |
| 20070250929 | Herington et al. | Oct 2007 | A1 |
| 20070266433 | Moore | Nov 2007 | A1 |
| 20080127292 | Cooper | May 2008 | A1 |
| 20080189769 | Casado et al. | Aug 2008 | A1 |
| 20080196100 | Madhavan et al. | Aug 2008 | A1 |
| 20080222717 | Rothstein et al. | Sep 2008 | A1 |
| 20080244569 | Challener et al. | Oct 2008 | A1 |
| 20080289028 | Jansen et al. | Nov 2008 | A1 |
| 20090006603 | Duponchel et al. | Jan 2009 | A1 |
| 20090006847 | Abzarian | Jan 2009 | A1 |
| 20090113031 | Ruan et al. | Apr 2009 | A1 |
| 20090122710 | Bar-Tor et al. | May 2009 | A1 |
| 20090144410 | Fink | Jun 2009 | A1 |
| 20090249473 | Cohn | Oct 2009 | A1 |
| 20090328194 | Kim | Dec 2009 | A1 |
| 20100138830 | Astete et al. | Jun 2010 | A1 |
| 20100235831 | Dittmer | Sep 2010 | A1 |
| 20110072486 | Hadar et al. | Mar 2011 | A1 |
| 20110078497 | Lyne et al. | Mar 2011 | A1 |
| 20110107331 | Evans et al. | May 2011 | A1 |
| 20110107406 | Frost et al. | May 2011 | A1 |
| 20110119748 | Edwards et al. | May 2011 | A1 |
| 20110258701 | Cruz et al. | Oct 2011 | A1 |
| 20120054781 | Tzruya | Mar 2012 | A1 |
| 20130074181 | Singh | Mar 2013 | A1 |
| 20130322266 | Maon | Dec 2013 | A1 |
| 20130347131 | Mooring et al. | Dec 2013 | A1 |
| 20140194094 | Ahuja | Jul 2014 | A1 |
| Number | Date | Country |
|---|---|---|
| 2479619 | Oct 2011 | GB |
| Entry |
|---|
| Garfinkel, Tal, et al., “A Virtual Machine Introspection Based Architecture for Intrusion Detection,” In Proc. Network and Distributed Systems Security Symposium, Feb. 2003, 16 pages. |
| Number | Date | Country | |
|---|---|---|---|
| 20150172153 A1 | Jun 2015 | US |
