
WO2024164630A1 - Microkernel operating system based security monitoring method, apparatus, device, and chip - Google Patents


Info

Publication number
WO2024164630A1
Authority
WO
WIPO (PCT)
Prior art keywords
audit
buffer
information
log
user
Prior art date
Application number
PCT/CN2023/133287
Other languages
French (fr)
Chinese (zh)
Inventor
赵东艳
王慧
王喆
曾林
李德建
顿中强
Original Assignee
北京智芯微电子科技有限公司
Priority date
Filing date
Publication date
Application filed by 北京智芯微电子科技有限公司
Publication of WO2024164630A1


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/30 Monitoring
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Definitions

  • the present disclosure relates to the field of chip technology, and in particular to a security monitoring method, device, equipment and chip based on a microkernel operating system.
  • Auditing is an analytical technique for identifying violations of security rules after the fact.
  • Security auditing gives administrators timely warning information when users violate security rules, and provides tracking, review, statistics and reporting of system information.
  • Currently, some open source operating systems have implemented auditing functions.
  • Linux provides an audit system (the kernel audit subsystem together with the user space auditd tools) for recording system security events.
  • the audit system includes a user space audit system and a kernel space audit system.
  • the user space audit system consists of user space audit programs that enable the kernel audit function, set audit rules and the audit system status, receive the audit messages sent by the kernel audit system and write them to log files, and retrieve audit messages to generate audit summary reports.
  • the kernel audit system is used to generate and filter various kernel audit messages.
  • the Linux security audit system is divided into two parts: syslog and audit.
  • the audit part mainly records security information, including file reading and writing, permission modification, etc.
  • the syslog part is mainly used to record various information in the system, such as hardware alarms and software logs.
  • the log data mainly includes three categories: kernel and system logs, user logs, and program logs.
  • Syslog is an application-layer service used to record logs. Each program can be regarded as a separate subsystem, and syslog can save logs to different files according to the log type and priority.
  • syslog consists of two daemons: syslogd records the logs generated by non-kernel programs, and klogd records the logs generated by the kernel. Kernel messages are read through the syslog system call (or from /proc/kmsg) and written to the log file.
  • SNARE (System iNtrusion Analysis and Reporting Environment)
  • the SNARE system is divided into three modules: the dynamically loaded kernel module auditmodule.o; the audit monitoring daemon auditd running in user space; and the graphical configuration and reporting tool snare.
  • This system separates auditing from the kernel proper and packages it as a module independent of the kernel. Each system call to be audited is rewritten: the new system call collects the audit information and places the audit record in a buffer pool. After the module is loaded, the new system call with the audit function replaces the original one by pointing the corresponding function pointer in the system call table at the new system call function.
  • the Windows NT audit system can detect and record any security-related event that creates, accesses or deletes a system resource, together with the user who performed the action.
  • the object manager can generate audit events based on the audit policy, which is a passive process, or it can actively generate audit events using the audit function in the user program.
  • the Linux operating system has a monolithic kernel architecture: the main core components of the system, and some modules of the security audit system, are implemented inside the kernel. This design differs from the microkernel operating system targeted by the present invention and is not conducive to modular design.
  • the SNARE system covers fewer audit events and is not comprehensive enough. At the same time, its method of separating the audit system by replacing system calls depends on the system call table being accessible to kernel modules; once the kernel no longer exports the system call table to modules, this method is no longer feasible.
  • the embodiments of the present disclosure provide a security monitoring method, apparatus, device and chip based on a microkernel operating system.
  • an embodiment of the present disclosure provides a security monitoring method based on a microkernel operating system, which includes:
  • the entry audit information of the system call interface when entering the kernel space for runtime is recorded in the audit context structure of the execution object, and the exit audit information of the system call interface when exiting is also recorded in the audit context structure of the execution object;
  • the entry audit information and the exit audit information in the audit context structure are output from the kernel space to the audit buffer of the user space.
  • the method further comprises:
  • the first kernel state log information generated by the system call interface during the execution of the kernel space is written into the log buffer of the user space.
  • the method further comprises:
  • the second kernel state log information generated by the kernel space is written into the log buffer; wherein the second kernel state log information is log information generated by the non-system call interface in the kernel space.
  • the method further comprises:
  • the file system interface is called to output the log information in the log buffer to a console or a log file.
  • the method further comprises:
  • the user space audit information matches the audit configuration information
  • the user space audit information is written into the audit buffer.
  • the method further comprises:
  • the audit configuration information stored in the user space is updated based on the user configuration information.
  • the method further comprises:
  • the log file is output to a user based on the viewing request.
  • the method further comprises:
  • the file system interface is called to output the audit information in the audit buffer area to an audit file.
  • the method further comprises:
  • An audit report is output to a user based on the audit information in the audit file.
  • the method further comprises:
  • An audit buffer linked list is set in the user space; the audit buffer linked list is used to store a pointer pointing to the audit buffer;
  • Calling a file system interface to output the audit information in the audit buffer area to an audit file includes:
  • the file system interface is called to output the audit information in the audit buffer to the audit file;
  • the method further comprises:
  • the entry audit information and the exit audit information in the audit context structure are output from the kernel space to the audit buffer of the user space, including:
  • the audit information in the audit context structure is written into the idle audit buffer.
  • the method further comprises:
  • the audit information in the audit context structure is written into the reallocated audit buffer.
  • the method further comprises:
  • one or more audit files created first are deleted in chronological order.
  • the present disclosure provides a security monitoring device based on a microkernel operating system, which includes:
  • a response module is configured to respond to a call request of an execution object in a user space to a system call interface in a microkernel operating system, and match a system call event type corresponding to the call request with pre-configured audit configuration information in a kernel space;
  • a recording module configured to record, when the system call event type matches the audit configuration information, entry audit information of the system call interface when it enters the kernel space for runtime in the audit context structure of the execution object, and also record exit audit information of the system call interface when it exits in the audit context structure of the execution object;
  • the first output module is configured to output the entry audit information and the exit audit information in the audit context structure from the kernel space to the audit buffer of the user space when exiting the system call interface.
  • the device also includes:
  • the first writing module is configured to write the first kernel state log information generated by the system call interface during the execution of the kernel space into the log buffer of the user space when the system call event type corresponding to the call request does not match the audit configuration information.
  • the device also includes:
  • a second writing module is configured to write the user state log information generated by the user space into the log buffer; and/or,
  • the third writing module is configured to write the second kernel state log information generated by the kernel space into the log buffer; wherein the second kernel state log information is log information generated by the non-system call interface in the kernel space.
  • the device also includes:
  • a first reading module is configured to read the log information in the log buffer in the user space
  • the first calling module is configured to call a file system interface to output the log information in the log buffer to a console or a log file.
  • the device also includes:
  • An acquisition module configured to acquire user space audit information generated by the user space
  • a matching module configured to match the user space audit information with the audit configuration information
  • a fourth writing module is configured to write the user space audit information into the audit buffer when the user space audit information matches the audit configuration information.
  • the device also includes:
  • a first receiving module is configured to receive user configuration information input by a user in a user space through a preset interface
  • An update module is configured to update the audit configuration information stored in the user space based on the user configuration information.
  • the device also includes:
  • a second receiving module is configured to receive a user's request to view the log file in the user space
  • the second output module is configured to output the log file to a user based on the viewing request.
  • the device also includes:
  • a second reading module is configured to read the audit information in the audit buffer in the user space
  • the second calling module is configured to call a file system interface to output the audit information in the audit buffer area to an audit file.
  • the device also includes:
  • a third receiving module is configured to receive a user's request to view the audit file in a user space
  • the third output module is configured to output an audit report to a user based on the audit information in the audit file.
  • the device also includes:
  • a setting module is configured to set an audit buffer linked list in the user space; the audit buffer linked list is used to store a pointer pointing to the audit buffer;
  • the second calling module includes:
  • a calling submodule is configured to call a file system interface in the user space, based on the pointers in the audit buffer linked list, to output the audit information in the audit buffers to the audit file after the number of pointers in the audit buffer linked list exceeds a preset threshold;
  • the deletion submodule is configured to delete the corresponding pointer in the audit buffer linked list.
  • the device also includes:
  • a first establishment module is configured to establish an idle audit buffer
  • a storage module configured to store a pointer pointing to the idle audit buffer in an idle audit buffer linked list
  • the first output module comprises:
  • a request submodule configured to request an idle audit buffer from the idle audit buffer linked list
  • the writing submodule is configured to write the audit information in the audit context structure into the idle audit buffer.
  • the device also includes:
  • an allocation module configured to reallocate an audit buffer when there is no idle audit buffer in the idle audit buffer linked list
  • a fifth writing module is configured to write the audit information in the audit context structure into the reallocated audit buffer.
  • the device also includes:
  • a second establishing module is configured to establish a new audit file after the content in the audit file exceeds a preset storage capacity
  • the deletion module is configured to delete one or more audit files created first in chronological order after the number of the audit files exceeds a preset number.
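The buffer-pool and audit-file handling described in the setting, establishment, allocation and deletion modules above, as an added example in C that is not code from the patent or its assignee: an idle audit buffer linked list, a pending audit buffer linked list that is flushed to the audit file once the number of stored pointers exceeds a threshold, reallocation of a buffer when the idle list is empty, and rotation of audit files by storage capacity and by count with the oldest file deleted first. Every name, buffer size and threshold is an assumption, and the audit files are modelled in memory rather than on a file system.

```c
/* Added example, not the patent's code: user-space model of the idle/pending
 * audit buffer lists, buffer reallocation and audit file rotation. All names
 * and thresholds are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_CAP         4   /* records per audit buffer */
#define FLUSH_THRESHOLD 2   /* flush once more than this many full buffers are pending */
#define FILE_CAP        6   /* records per audit file before a new file is created */
#define MAX_FILES       3   /* the file created first is deleted once more than this exist */
#define REC_LEN         64

struct audit_buf { char rec[BUF_CAP][REC_LEN]; size_t n; struct audit_buf *next; };

static struct audit_buf *idle_head;                   /* idle audit buffer linked list */
static struct audit_buf *pending_head, *pending_tail; /* audit buffer linked list (full buffers) */
static size_t            pending_count;
static struct audit_buf *current;                     /* buffer currently being filled */
static int               realloc_events;              /* how often a buffer had to be allocated */

struct audit_file { unsigned id; size_t records; };   /* audit files modelled in memory, oldest first */
static struct audit_file files[MAX_FILES + 1];
static size_t   nfiles;
static unsigned next_file_id;
static size_t   total_written;

static struct audit_buf *alloc_buf(void)
{
    struct audit_buf *b = calloc(1, sizeof *b);
    if (!b) abort();
    return b;
}

static void pool_init(size_t n_idle)
{
    idle_head = pending_head = pending_tail = current = NULL;
    pending_count = 0; realloc_events = 0;
    nfiles = 0; next_file_id = 0; total_written = 0;
    while (n_idle--) { struct audit_buf *b = alloc_buf(); b->next = idle_head; idle_head = b; }
}

/* Request an idle buffer from the idle list; reallocate when none is left. */
static struct audit_buf *acquire_buf(void)
{
    struct audit_buf *b = idle_head;
    if (b) { idle_head = b->next; b->n = 0; b->next = NULL; return b; }
    realloc_events++;
    return alloc_buf();
}

/* Append one record to the newest audit file, creating a new file when the
 * current one reaches capacity and deleting the oldest when too many exist. */
static void file_append(const char *rec)
{
    if (nfiles == 0 || files[nfiles - 1].records >= FILE_CAP) {
        files[nfiles].id = next_file_id++;
        files[nfiles].records = 0;
        nfiles++;
        if (nfiles > MAX_FILES) {                     /* delete the file created first */
            memmove(&files[0], &files[1], (nfiles - 1) * sizeof files[0]);
            nfiles--;
        }
    }
    files[nfiles - 1].records++;
    total_written++;
    (void)rec;                                        /* record content is not inspected here */
}

/* Output every pending buffer in arrival order, then return the buffers to
 * the idle list and drop their pointers from the pending list. */
static size_t flush_pending(void)
{
    size_t flushed = 0;
    while (pending_head) {
        struct audit_buf *b = pending_head;
        pending_head = b->next;
        for (size_t i = 0; i < b->n; i++) file_append(b->rec[i]);
        b->n = 0; b->next = idle_head; idle_head = b;
        flushed++;
    }
    pending_tail = NULL; pending_count = 0;
    return flushed;
}

static void pending_push(struct audit_buf *b)        /* store the buffer's pointer in the list */
{
    b->next = NULL;
    if (pending_tail) pending_tail->next = b; else pending_head = b;
    pending_tail = b; current = NULL; pending_count++;
}

/* Accept one audit record coming out of the kernel path. */
static void audit_emit(const char *rec)
{
    if (!current) current = acquire_buf();
    snprintf(current->rec[current->n++], REC_LEN, "%s", rec);
    if (current->n < BUF_CAP) return;
    pending_push(current);
    if (pending_count > FLUSH_THRESHOLD) flush_pending();
}

/* Also push the partially filled buffer (e.g. at shutdown) and flush everything. */
static size_t flush_all(void)
{
    if (current && current->n) pending_push(current);
    return flush_pending();
}

/* Emits n constructed records through a pool of two idle buffers; returns the
 * number of records written to files by the threshold flushes alone. */
static size_t run_demo(size_t n)
{
    char line[REC_LEN];
    pool_init(2);
    for (size_t i = 1; i <= n; i++) {
        snprintf(line, sizeof line, "seq=%zu sys=2 ret=0", i);   /* constructed record */
        audit_emit(line);
    }
    return total_written;
}

int main(void)
{
    size_t written = run_demo(30);
    printf("threshold flushes wrote %zu records, %d reallocation(s)\n", written, realloc_events);
    flush_all();
    printf("after final flush: %zu records in %zu files, oldest file id %u\n",
           total_written, nfiles, files[0].id);
    return 0;
}
```

With two idle buffers of four records, the third full buffer forces one reallocation and the flush; 30 records leave 24 written by threshold flushes and 6 waiting in the pending and current buffers until the final flush. Four files of six records are created along the way, so the rotation drops the file created first and keeps the newest three.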
  • the functions can be implemented by hardware or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the functions.
  • the structure of the above-mentioned device includes a memory and a processor, the memory is used to store one or more computer instructions that support the above-mentioned device to execute the above-mentioned corresponding method, and the processor is configured to execute the computer instructions stored in the memory.
  • the above-mentioned device may also include a communication interface for the above-mentioned device to communicate with other devices or communication networks.
  • an embodiment of the present disclosure provides an electronic device, comprising a memory, a processor, and a computer program stored in the memory, wherein the processor executes the computer program to implement the method described in any one of the above aspects.
  • an embodiment of the present disclosure provides a computer-readable storage medium for storing computer instructions used by any of the above-mentioned devices, and when the computer instructions are executed by a processor, they are used to implement the method described in any of the above-mentioned aspects.
  • an embodiment of the present disclosure provides a computer program product, which includes computer instructions, and when the computer instructions are executed by a processor, they are used to implement the method described in any of the above aspects.
  • an embodiment of the present disclosure provides a chip, which is used to execute instructions to implement the method described in any of the above aspects.
  • the disclosed embodiment designs and implements a security monitoring solution based on a microkernel operating system, and protects the operating system by recording and analyzing its runtime information.
  • there are few well-designed security audit solutions for microkernel operating systems. The disclosed embodiment designs and implements a security monitoring solution for a microkernel operating system that meets operating system security standards, and uses it to record the status and information of the operating system in real time at runtime.
  • the disclosed embodiment provides an audit rule configuration service in the user space, through which an authorized user configures the events and formats that need to be audited. While the kernel runs, only the events configured by the authorized user are recorded, so the operating system is monitored while keeping the kernel as small as possible.
  • FIG1 shows a flow chart of a security monitoring method based on a microkernel operating system according to an embodiment of the present disclosure.
  • FIG2 is a schematic diagram showing the implementation effect of a log buffer and/or an audit buffer according to an embodiment of the present disclosure.
  • FIG3(a) to FIG3(c) show schematic diagrams of an implementation of a log system and an audit system included in a security monitoring system of a microkernel operating system according to an embodiment of the present disclosure.
  • FIG4 shows a structural block diagram of a security monitoring device based on a microkernel operating system according to an embodiment of the present disclosure.
  • FIG5 shows a structural block diagram of an electronic device according to an embodiment of the present disclosure.
  • FIG6 is a schematic diagram of the structure of a computer system suitable for implementing a security monitoring method based on a microkernel operating system according to an embodiment of the present disclosure.
  • FIG1 shows a flow chart of a security monitoring method based on a microkernel operating system according to an embodiment of the present disclosure.
  • the security monitoring method based on a microkernel operating system includes the following steps:
  • step S101: in response to a call request from an execution object in the user space to a system call interface of the microkernel operating system, the system call event type corresponding to the call request is matched against the pre-configured audit configuration information in the kernel space;
  • step S102: when the system call event type matches the audit configuration information, the entry audit information of the system call interface at the moment it enters the kernel space to run is recorded in the audit context structure of the execution object, and the exit audit information of the system call interface at the moment it exits is also recorded in that audit context structure;
  • step S103: on exit from the system call interface, the entry audit information and the exit audit information in the audit context structure are output from the kernel space to the audit buffer in the user space.
  • in a microkernel operating system the kernel part is simplified as far as possible.
  • the kernel part only includes the most basic mechanisms, such as IPC (inter-process communication), address space management and scheduling, which provide the foundation for the operating system services.
  • services such as device drivers, file systems and communication between applications are implemented by user-mode service programs.
  • when an ordinary application needs a service of the operating system, it initiates inter-process communication with the corresponding service program, which performs the operation on its behalf.
  • the service program in turn traps into kernel mode through the system call interface provided by the kernel to complete some basic operations, and then returns the result to the application through inter-process communication.
  • the disclosed embodiment first considers the application scenario of a microkernel operating system, adds a security monitoring system to the microkernel operating system architecture, simplifies the kernel part as much as possible, and implements the functions of the security monitoring system as a user space service program.
  • the security monitoring system in the embodiment of the present disclosure at least includes an audit system.
  • the audit system is used for security tracking, and the design of the audit system aims to simplify the kernel as much as possible, and the relevant audit services are designed in the user space.
  • An audit event is the smallest unit of a user's action in the system audit.
  • the collection of audit events refers to the establishment of audit events under a certain security level audit standard. From the subject's perspective, the system needs to record all activities performed by users. From the object's perspective, the system needs to record all access activities of a certain object.
  • Audit events can be mainly divided into system call events and user trusted events.
  • the present disclosure embodiment makes the following design for system call events:
  • the subject of the system call class event is the thread.
  • a system call class event is a call by an execution object of the user space, such as a thread, to a system call interface provided by the microkernel operating system. In the embodiment of the present disclosure, when the security monitoring system detects such an event, that is, a call request from a user space execution object to a system call interface, it uses the audit system designed for system call class events to collect the audit information and output it to an audit file in the user space, so that authorized users can later audit the use of the microkernel operating system from that file.
  • the disclosed embodiment can provide a management tool for configuring audit configuration information for users with relevant authority in the user space.
  • the management tool can provide an audit information configuration interface or a command input interface. Users with relevant authority can configure corresponding audit rules through the audit information configuration interface or by inputting commands, and can also configure the output format of audit information, etc.
  • the audit configuration information configured by users with relevant authority can be stored in a corresponding storage file so that it can be read by the security monitoring system later.
  • the security monitoring system can be implemented in software. Once it is running, it starts one or more detection threads in the user space to detect system call events; after detecting one, the detection threads match the type of the system call event against the rules set in the audit configuration information in the storage file.
  • the entry audit information of the currently called system call interface when entering the kernel state is written into the audit context structure corresponding to the execution object, and the exit audit information when the system call interface is executed and exited is also written into the audit context structure corresponding to the execution object.
  • the audit context structure can be declared in the source code of the execution object at programming time. When the execution object exits the system call interface, one or more information output threads, started after the security monitoring system is running, output the corresponding entry audit information and exit audit information in the context structure from the kernel space to the audit buffer of the user space.
  • after the output, the audit context structure can be cleared.
  • the audit context structure may be as follows:
  • the entry audit information and the exit audit information can be determined based on the audit context structure, that is, the audit context structure predefines what the entry audit information and the exit audit information include respectively.
  • the entry audit information may include but is not limited to the audit status, sequence number, system call entry time, system call number, system call parameters, etc. in the audit context structure; the exit audit information may include but is not limited to the system call return code and the flag of whether the content in the audit context structure is output to the audit buffer, etc.
  • the audit buffer of the user space can be created when the security monitoring system is initialized, and the read and write threads started when the security monitoring system is initialized perform read and write operations on the audit buffer.
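Steps S101 to S103 and the audit context fields listed above, as an added example in C that is not code from the patent or its assignee: a user-space model in which the audit configuration is a bitmask of system call event types, the audit context carries the entry fields (audit status, sequence number, entry time, system call number and parameters) and the exit fields (return code and output flag), and the context is copied to the user-space audit buffer on exit. Unaudited calls leave only a line in the log buffer, following the treatment of non-matching events later in the description. The field layout, the event numbers, the bitmask form of the configuration and the buffer capacities are all assumptions.

```c
/* Added example, not the patent's code: user-space C model of the audited
 * system call path (S101-S103) and of the audit context structure. Field
 * layout, event numbers and buffer sizes are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AUDIT_BUF_CAP 16   /* records per user-space audit buffer (assumed) */
#define LOG_BUF_CAP   16   /* lines in the user-space log buffer (assumed) */
#define LOG_LINE_LEN  96

/* System call event types; the numbering is an assumption. */
enum syscall_type { SYS_IPC_SEND = 1, SYS_MAP = 2, SYS_UNMAP = 3, SYS_YIELD = 4 };

/* Audit configuration: bit n set means event type n is audited. */
typedef uint64_t audit_config_t;

/* Audit context attached to an execution object (thread). */
struct audit_context {
    int      enabled;      /* audit status: 1 while this call is being audited */
    uint32_t seq;          /* sequence number */
    uint64_t entry_time;   /* system call entry time */
    int      sysno;        /* system call number */
    long     args[4];      /* system call parameters */
    long     retcode;      /* exit info: system call return code */
    int      flushed;      /* exit info: 1 once the content was output to the audit buffer */
};

struct audit_record { uint32_t seq; int sysno; long args[4]; long retcode; uint64_t entry_time; };
struct audit_buffer { struct audit_record rec[AUDIT_BUF_CAP]; size_t n; };
struct log_buffer   { char line[LOG_BUF_CAP][LOG_LINE_LEN]; size_t n; };

static struct audit_buffer g_audit_buf;   /* created when the monitor initialises */
static struct log_buffer   g_log_buf;
static uint32_t            g_next_seq;

/* S101: match the event type against the audit configuration. */
static int event_matches(audit_config_t cfg, int sysno)
{
    return sysno > 0 && sysno < 64 && (cfg & (1ULL << sysno)) != 0;
}

/* S102, entry half: the context is reset on every entry and filled only for
 * configured event types. */
static void audit_syscall_entry(struct audit_context *ctx, audit_config_t cfg,
                                int sysno, const long args[4], uint64_t now)
{
    memset(ctx, 0, sizeof *ctx);
    ctx->sysno = sysno;
    if (!event_matches(cfg, sysno))
        return;                       /* not audited: ctx->enabled stays 0 */
    ctx->enabled    = 1;
    ctx->seq        = ++g_next_seq;
    ctx->entry_time = now;
    memcpy(ctx->args, args, sizeof ctx->args);
}

/* S102 exit half and S103: record the exit info, then copy the context to the
 * user-space audit buffer. Unaudited calls only leave a log line (the first
 * kernel-state log information). Returns 1 for an audit record, 0 for a log
 * line only, -1 when the audit buffer is full. */
static int audit_syscall_exit(struct audit_context *ctx, long retcode, uint64_t now)
{
    ctx->retcode = retcode;
    if (!ctx->enabled) {
        if (g_log_buf.n < LOG_BUF_CAP)
            snprintf(g_log_buf.line[g_log_buf.n++], LOG_LINE_LEN, "sys=%d ret=%ld end=%llu",
                     ctx->sysno, retcode, (unsigned long long)now);
        return 0;
    }
    if (g_audit_buf.n >= AUDIT_BUF_CAP)
        return -1;                    /* caller must switch to an idle buffer first */
    struct audit_record *r = &g_audit_buf.rec[g_audit_buf.n++];
    r->seq = ctx->seq; r->sysno = ctx->sysno; r->retcode = retcode; r->entry_time = ctx->entry_time;
    memcpy(r->args, ctx->args, sizeof r->args);
    ctx->flushed = 1;                 /* cleared again by the next audit_syscall_entry */
    return 1;
}

/* Drives three calls through the path with SYS_MAP and SYS_UNMAP configured;
 * returns the number of audit records produced. */
static size_t run_demo(void)
{
    audit_config_t cfg = (1ULL << SYS_MAP) | (1ULL << SYS_UNMAP);
    struct audit_context ctx;
    long map_args[4] = { 0x10000, 4096, 3, 0 }, none[4] = { 0 }, unmap_args[4] = { 0x10000, 4096, 0, 0 };

    memset(&g_audit_buf, 0, sizeof g_audit_buf);
    memset(&g_log_buf, 0, sizeof g_log_buf);
    g_next_seq = 0;
    audit_syscall_entry(&ctx, cfg, SYS_MAP, map_args, 100);     audit_syscall_exit(&ctx, 0, 104);
    audit_syscall_entry(&ctx, cfg, SYS_YIELD, none, 200);       audit_syscall_exit(&ctx, 0, 201);
    audit_syscall_entry(&ctx, cfg, SYS_UNMAP, unmap_args, 300); audit_syscall_exit(&ctx, -1, 303);
    return g_audit_buf.n;
}

int main(void)
{
    size_t n = run_demo();
    printf("%zu audit records, %zu log lines\n", n, g_log_buf.n);
    for (size_t i = 0; i < n; i++)
        printf("seq=%u sys=%d ret=%ld entry=%llu\n", g_audit_buf.rec[i].seq, g_audit_buf.rec[i].sysno,
               g_audit_buf.rec[i].retcode, (unsigned long long)g_audit_buf.rec[i].entry_time);
    return 0;
}
```

The yield call is not in the configuration, so it produces no audit record and no sequence number; only its end time and return code reach the log buffer. In a real kernel the context would live in the thread's kernel-side control block and the copy to the audit buffer would cross the kernel/user boundary, which this model leaves out.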
  • the method further includes the following steps:
  • the first kernel state log information generated by the system call interface during the execution of the kernel space is written into the log buffer of the user space.
  • if the system call event type of the currently called system call interface does not match the audit configuration information pre-configured by the authorized user, the content of the current system call is not audit information the authorized user is concerned with, so no audit information needs to be generated. For later viewing, however, the related log information may still be written into the log buffer of the user space; in some embodiments this is done by the log output thread started after the security monitoring system is running.
  • an audit buffer and a log buffer can be established in the user space.
  • the log output thread can also write the first kernel state log information related to the current system call event into the log buffer.
  • the relevant first kernel state log information may include but is not limited to the start time, end time, and related logs of the modification operation of the microkernel operating system during the operation of the system call event.
  • a log output thread can be specially set to write the relevant logs of the program running in the kernel space into the log buffer of the user space.
  • the method further includes the following steps:
  • the second kernel state log information generated by the kernel space is written into the log buffer; wherein the second kernel state log information is log information generated by the non-system call interface in the kernel space.
  • the log buffer can also hold user-mode log information generated by the user space, and the second kernel-mode log information generated by the kernel space can likewise be written into it.
  • log information generated by system call events is called the first kernel-mode log information, and log information generated by the kernel space in other situations is called the second kernel-mode log information.
  • both kinds of kernel-mode log information can be written into the log buffer by the log output thread established when the security monitoring system is initialized; the first and the second kernel-mode log information may be handled by the same log output thread or by different ones.
  • user-state log information in the user space may include but is not limited to operation logs of application software running in the user space, modification records of configuration information in the user space, etc.
  • first kernel-state log information or second kernel-state log information may include but is not limited to operation records of the microkernel operating system, alarm prompt records in the microkernel operating system, operation log records of user threads on the microkernel operating system, behavior records of user threads in the microkernel operating system, etc.
  • the first kernel state log information and the second kernel state log information generated by the kernel space can be output from the kernel space to the log buffer of the user space by a specially arranged log output thread.
  • the log information generated by the user space can be written into the log buffer of the user space by the corresponding log output thread.
  • the corresponding log output thread can be started after the security monitoring system is running.
  • the method further includes the following steps:
  • the file system interface is called to output the log information in the log buffer to a console or a log file.
  • the log information is recorded in the log buffer established in the user space, and the security monitoring system can start the log reading thread after operation.
  • the log reading thread can write the log information in the log buffer into the log file.
  • the process of writing the log file can be carried out in the user space, and the log reading thread can write the log information from the log buffer to the log file by calling the file system interface in the user space.
  • the log information in the log buffer can also be directly output to the console by the log reading thread by calling the file system interface, stored in the storage device on the console, and/or displayed on the display on the console for relevant personnel to view.
  • the method further includes the following steps:
  • the user space audit information matches the audit configuration information
  • the user space audit information is written into the audit buffer.
  • the user space will also generate some information that the authorized user wants to audit.
  • the authorized user can also pre-configure audit configuration information for the user space, and configure the event type and/or information type to be audited in the audit configuration information.
  • when the user space generates audit information, the audit matching thread started after the security monitoring system is running matches it against the audit configuration information. If it matches, it is written to the audit buffer; if it does not, it is not written to the audit buffer but is written to the log buffer by the corresponding log thread.
  • the method further includes the following steps:
  • the audit configuration information stored in the user space is updated based on the user configuration information.
  • the authorized user can input user configuration information through the interface pre-set in the user space, and the user configuration information can be used to update the audit configuration information pre-stored in the user space.
  • the authorized user can pre-configure the audit configuration information in the user space, and can also perform editing operations such as modifying the audit configuration information later.
  • an interface for the user to input user configuration information can be provided. Through this interface, the security monitoring system can receive the user configuration information input by the user, and update the received user configuration information to the storage file of the configuration information.
  • the method further includes the following steps:
  • the log file is output to a user based on the viewing request.
  • the log file can be stored in the user space, and the user can request to view the log file in the user space through the viewing interface provided by the security monitoring system. After receiving the user's request, the viewing interface can output the log file to the user by calling the file system interface. For example, the log file can be opened and displayed on the user's display device.
  • the method further includes the following steps:
  • the file system interface is called to output the audit information in the audit buffer area to an audit file.
  • the audit information of both user space and kernel space is recorded in the audit buffer established in the user space.
  • the security monitoring system can start the audit reading thread after running. When the audit buffer is full, or periodically, the audit reading thread can write the audit information in the audit buffer to the audit file.
  • the process of writing the audit file can be performed in the user space, and the audit reading thread writes the audit information from the audit buffer to the audit file by calling the file system interface in the user space.
  • the audit information in the audit buffer can also be directly output to the console, stored in the storage device on the console, and/or displayed on the display on the console by the audit reading thread by calling the file system interface for relevant personnel to view.
  • the method further includes the following steps:
  • An audit report is output to a user based on the audit information in the audit file.
  • the audit information can be generated in the form of an audit report based on pre-configured audit rules and output to the authorized user.
  • the security monitoring system can also provide the user with a viewing interface for viewing the audit file. After receiving the user's request, the viewing interface can output the audit report to the user if it is determined that the current user has the authority.
  • the method further includes the following steps:
  • An audit buffer linked list is set in the user space; the audit buffer linked list is used to store a pointer pointing to the audit buffer;
  • Calling a file system interface to output the audit information in the audit buffer area to an audit file includes:
  • the file system interface is called to output the audit information in the audit buffer to the audit file;
  • an audit buffer linked list can be created in the user space, and the audit buffer linked list stores a pointer to the audit buffer. That is, multiple audit buffers can be created in the user space, and the pointer of each audit buffer can be stored in the audit buffer linked list.
  • the maximum number of pointers of the audit buffer that can be stored in the audit buffer linked list can be set in advance, and the maximum number is represented by a preset threshold.
  • a process of writing the audit information in the audit buffer to the audit file can be started, and the process writes the audit information in the audit buffer pointed to by the pointer stored in the audit buffer linked list to the audit file, and the pointer of the audit buffer whose audit information is successfully written into the audit file can be deleted from the audit buffer linked list.
  • the audit buffer and/or log buffer of the user space adopts a double buffer mode.
  • in order to reduce the number of system calls, and thereby the time the operating system spends switching between the user state and the kernel state, the disclosed embodiment maintains an audit buffer and a log buffer in the user space, and the log information and the audit information are written into the log buffer and the audit buffer respectively in a unified format.
  • the log reading thread and the audit reading thread of the user space are responsible for monitoring and reading the information of the log buffer and the audit buffer respectively, and writing them into the log file and the audit file.
  • the log output thread writes the kernel's log information into the log buffer of the user space
  • the audit output thread writes the kernel state's audit information into the audit buffer of the user space.
  • the buffer is set mainly to solve the problem of rate mismatch between the generation and reading of log information or audit information.
  • the operations of reading and writing buffers are often accompanied by security issues brought by read and write threads.
  • the disclosed embodiment adopts a double buffer mode to design the log buffer and audit buffer of the user space.
  • An array is a one-dimensional continuous linear structure in physical storage.
  • One-time allocation can avoid frequent memory application and release, and has high access efficiency. Therefore, the embodiment of the present disclosure adopts a double buffer in the form of an array.
  • the audit buffer is implemented as two buffers Buff_1 and Buff_2.
  • Buff_1 is used by the current writing thread, i.e., the audit output thread, to store audit information.
  • Buff_2 is used by the reading thread, i.e., the audit reading thread, to read audit information.
  • the log buffer can also be implemented as two buffers Buff_1 and Buff_2.
  • Buff_1 is used by the current writing thread, i.e., the log output thread, to store log information.
  • a swap operation is triggered to swap the content in the log buffer Buff_1 to the log buffer Buff_2. Then the reading thread, i.e., the log reading thread, reads data from the log buffer Buff_2 and writes it into the log file.
  • the addresses of the first audit buffer and the second audit buffer are swapped, so that the buffer pointer for writing audit information by the kernel-state audit output thread is switched from the address of the first audit buffer in the user space to the address of the second audit buffer, while the buffer pointer for reading audit information by the audit reading thread points to the address of the first audit buffer.
  • the addresses of the two audit buffers can be directly swapped: the pointer that the audit output thread uses for a write operation, which pointed to the audit buffer Buff_1, is pointed to the audit buffer Buff_2, and the pointer that the audit reading thread uses for a read operation, which pointed to Buff_2, is pointed to Buff_1; subsequent read and write operations then proceed on the swapped pointers, achieving the purpose of exchanging buffers.
  • the operation in the critical section is only exchanging pointers, so the execution speed is faster.
  • the design of the double buffer mode only needs to ensure that there is a buffer for writing data and a buffer for reading data. In this way, when the kernel-state audit output thread writes to the buffer, it will not block the execution of the kernel-state audit output thread due to the slow execution speed of the user state, further improving the processing efficiency of the kernel state.
  • the buffer in the form of an array is allocated once, which can avoid frequent memory allocation and release.
  • the addresses of the first log buffer and the second log buffer are swapped, so that the buffer pointer of the log output thread in the kernel state that writes log information is switched from the address of the first log buffer in the user space to the address pointing to the second log buffer, and the buffer pointer of the log reading thread that reads log information points to the address of the first log buffer.
  • the disclosed embodiment directly exchanges the addresses of the two log buffers, points the pointer of the log output thread pointing to the log buffer Buff_1 when performing the write operation to the log buffer Buff_2, and points the pointer of the log reading thread pointing to Buff_2 when performing the read operation to Buff_1, and then performs subsequent read and write operations to achieve the purpose of swapping the buffers.
  • the operation in the critical area only involves swapping pointers, so the execution speed is faster.
  • the design of the double buffer mode only needs to ensure that there is a buffer that can write data and a buffer that can read data, so that when the log output thread of the kernel state writes to the buffer, it will not block the execution of the log output thread of the kernel state due to the slow execution speed of the user state, further improving the processing efficiency of the kernel state.
  • the semaphore mechanism can also be used to solve the synchronization and mutual exclusion problems caused by multi-threaded access to the buffer. Thread mutual exclusion can be implemented for the read and write operations of the same buffer. After the buffer swap operation is completed, the reading thread is notified to perform the buffer read operation.
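The double buffer mode described above, as an added example that is not the patent's own code: two array buffers allocated once, a writer pointer and a reader pointer, and a swap that exchanges only the two pointers inside the critical section. Buffer sizes, record format and the names double_buf_* are assumptions; the mutex and condition variable stand in for the semaphore mechanism the text mentions.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the patent's own code: a user-space double buffer in array
 * form for audit records. The writer (audit output thread) fills Buff_1 while the
 * reader (audit reading thread) drains Buff_2; a swap exchanges only the two
 * pointers inside the critical section. Sizes and names are assumptions. */

#define BUF_CAP 4               /* records per buffer (assumed, small for the demo) */
#define REC_LEN 64              /* bytes per audit record (assumed) */

struct audit_buf {
    char rec[BUF_CAP][REC_LEN];
    int  count;                 /* records currently stored */
};

struct double_buf {
    struct audit_buf a, b;      /* Buff_1 and Buff_2, allocated once */
    struct audit_buf *wr;       /* buffer pointer used by the writing thread */
    struct audit_buf *rd;       /* buffer pointer used by the reading thread */
    pthread_mutex_t lock;       /* guards the pointer swap */
    pthread_cond_t  ready;      /* notifies the reader that a swap happened */
};

void double_buf_init(struct double_buf *d) {
    memset(d, 0, sizeof *d);
    d->wr = &d->a;
    d->rd = &d->b;
    pthread_mutex_init(&d->lock, NULL);
    pthread_cond_init(&d->ready, NULL);
}

/* Writer: store one record. Returns 1 on success, 0 when the write buffer is full
 * (the caller then triggers a swap and retries). */
int double_buf_write(struct double_buf *d, const char *record) {
    struct audit_buf *w = d->wr;
    if (w->count >= BUF_CAP) return 0;
    snprintf(w->rec[w->count], REC_LEN, "%s", record);
    w->count++;
    return 1;
}

/* Swap: exchange the two buffer pointers under the lock, so the critical section
 * never copies data. Returns the number of records now visible to the reader.
 * The reader must have drained its buffer before the next swap hands it back
 * to the writer; the lock and condition variable enforce that ordering. */
int double_buf_swap(struct double_buf *d) {
    pthread_mutex_lock(&d->lock);
    struct audit_buf *t = d->wr;
    d->wr = d->rd;              /* writer moves to the (already drained) buffer */
    d->rd = t;                  /* reader gets the full one */
    int n = d->rd->count;
    pthread_cond_signal(&d->ready);
    pthread_mutex_unlock(&d->lock);
    return n;
}

/* Reader: write every record of the read buffer to out (audit file or console),
 * then mark the buffer empty so it can become the next write buffer. */
int double_buf_drain(struct double_buf *d, FILE *out) {
    struct audit_buf *r = d->rd;
    int n = r->count;
    for (int i = 0; i < n; i++) fprintf(out, "%s\n", r->rec[i]);
    r->count = 0;
    return n;
}

int main(void) {
    struct double_buf d;
    double_buf_init(&d);
    const char *sample[] = { "seq=1 nr=63 ret=64", "seq=2 nr=64 ret=0",
                             "seq=3 nr=56 ret=-2", "seq=4 nr=57 ret=0",
                             "seq=5 nr=63 ret=12" };   /* constructed records */
    for (size_t i = 0; i < sizeof sample / sizeof *sample; i++) {
        if (!double_buf_write(&d, sample[i])) {     /* Buff_1 full: swap, drain, retry */
            double_buf_swap(&d);
            double_buf_drain(&d, stdout);
            double_buf_write(&d, sample[i]);
        }
    }
    double_buf_swap(&d);                             /* flush what is left */
    double_buf_drain(&d, stdout);
    return 0;
}
```

The demo main runs writer and reader sequentially; in the design described above they are separate threads and the swap is the only point at which they meet.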
  • the method further includes the following steps:
  • the entry audit information and the exit audit information in the audit context structure are output from the kernel space to the audit buffer of the user space, including:
  • the audit information in the audit context structure is written into the idle audit buffer.
  • multiple idle audit buffers can be pre-established, and pointers to the idle audit buffers can be stored in an idle audit buffer list.
  • the audit output thread can request an idle audit buffer from the idle audit buffer list, and write the audit information in the audit context structure into the idle audit buffer.
  • the corresponding audit output thread can take the pointer of the audit buffer into which the audit information is written out of the free audit buffer list and write it into the non-free audit buffer list, while the pointer to that audit buffer in the free audit buffer list can be deleted.
  • the method further includes the following steps:
  • the audit information in the audit context structure is written into the reallocated audit buffer.
  • the audit output thread can write the pointer of the created free audit buffer into the audit buffer linked list.
  • the audit output thread can also find the free audit buffer from the audit buffer linked list and write the audit information in the audit context structure of the execution object into the free audit buffer.
  • the audit output thread can reallocate a new audit buffer for the current execution object, and the corresponding audit output thread can write the audit information in the audit context structure of the execution object into the new audit buffer.
  • the method further includes the following steps:
  • one or more audit files created first are deleted in chronological order.
  • the audit information can be written to the audit file by the audit reading thread periodically or after the audit buffer is full.
  • the audit file is stored in the user space, and its storage capacity can be set in advance when the security monitoring system is initialized.
  • when the size of the audit information stored in an audit file exceeds the preset storage capacity, a new audit file can be created by the file creation thread started after the security monitoring system is running, and subsequent audit information can be written into the new audit file.
  • the file deletion thread started after the security monitoring system is running can delete the first one or more audit files created in the order of the time when the audit files were created, and retain the more recently created audit files.
  • Figures 3(a)-3(c) show a schematic diagram of a log system and an audit system included in a security monitoring system of a microkernel operating system according to an embodiment of the present disclosure.
  • the log system can maintain a log buffer in user space, and log information is written into the log buffer in a unified format.
  • the klogd thread in the log system can be responsible for monitoring and obtaining log information in the log buffer and writing it into a log file.
  • the log output thread printk can write kernel space messages into the log buffer.
  • Log information can be recorded in accordance with the operating system security technical standard.
  • the standard defines the events that need to be recorded in the log part, including: system operation records, alarm prompt records, operation log records, user behavior records, application software operation logs, configuration information modification records, etc.
  • the log protocol format adopted by the embodiment of the present disclosure is the syslog log protocol standard.
  • the first part, PRI, is the priority, which includes the program module (facility) of the log and the severity level (severity) of the message.
  • the priority usually starts with the character "<", followed by a 1-3 digit number, and then ends with ">", where the numeric part is calculated from the program module of the log and the severity level number of the message.
  • the value of the priority can be equal to the program module code multiplied by 8, plus the severity level number.
  • the second part, HEADER is the log message header.
  • the log message header consists of a timestamp and the device's IP address or host name.
  • the timestamp follows the ">" that ends the priority, and the timestamp and the device's IP address or host name are separated by a space.
  • the third part, MSG is the log information, which is the part that needs to be recorded in the log, that is, the log description information, which is generally divided into two fields.
  • One field is used to indicate the program or thread name that generates the message, and the set length is within 32 characters; the other field is used to record detailed description information.
  • the two fields are separated by "[", ":" or space.
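The syslog-style layout just described (PRI = facility * 8 + severity in angle brackets, then timestamp, host, and a tag-delimited MSG), as an added example that is not part of the patent: one function builds a line and one parses it back, rejecting a malformed PRI. The struct, function names and the sample timestamp/host values are assumptions; the timestamp is taken to contain no spaces.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Added example, not the patent's code: encode and decode a syslog-style line.
 * Layout assumed from the description: "<PRI>TIMESTAMP HOST TAG: TEXT", where
 * PRI = facility * 8 + severity and TAG is at most 32 characters. */

#define TAG_MAX 32

struct syslog_msg {
    int  facility;
    int  severity;
    char timestamp[32];
    char host[64];
    char tag[TAG_MAX + 1];
    char text[256];
};

/* Encode one message into buf; returns characters written or -1 when a field is
 * out of range (facility 0..23, severity 0..7, tag at most 32 characters). */
int syslog_format(const struct syslog_msg *m, char *buf, size_t cap) {
    if (m->facility < 0 || m->facility > 23 || m->severity < 0 || m->severity > 7) return -1;
    if (strlen(m->tag) > TAG_MAX) return -1;
    int pri = m->facility * 8 + m->severity;
    int n = snprintf(buf, cap, "<%d>%s %s %s: %s", pri, m->timestamp, m->host, m->tag, m->text);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Decode a line; returns 0 on success, -1 on malformed input. The PRI must be
 * 1-3 digits between "<" and ">" and no larger than 23 * 8 + 7 = 191. */
int syslog_parse(const char *line, struct syslog_msg *m) {
    if (line[0] != '<') return -1;
    const char *p = line + 1;
    char *end;
    long pri = strtol(p, &end, 10);
    if (end == p || end - p > 3 || *end != '>' || pri < 0 || pri > 191) return -1;
    m->facility = (int)(pri / 8);
    m->severity = (int)(pri % 8);
    p = end + 1;
    /* HEADER: timestamp and host, each terminated by a single space */
    const char *sp = strchr(p, ' ');
    if (!sp || (size_t)(sp - p) >= sizeof m->timestamp) return -1;
    memcpy(m->timestamp, p, sp - p); m->timestamp[sp - p] = '\0';
    p = sp + 1;
    sp = strchr(p, ' ');
    if (!sp || (size_t)(sp - p) >= sizeof m->host) return -1;
    memcpy(m->host, p, sp - p); m->host[sp - p] = '\0';
    p = sp + 1;
    /* MSG: tag, then "[", ":" or space as separator, then the description */
    size_t tlen = strcspn(p, "[: ");
    if (tlen == 0 || tlen > TAG_MAX) return -1;
    memcpy(m->tag, p, tlen); m->tag[tlen] = '\0';
    p += tlen;
    if (*p == ':' || *p == '[') p++;
    while (*p == ' ') p++;
    snprintf(m->text, sizeof m->text, "%s", p);
    return 0;
}

int main(void) {
    struct syslog_msg m = { 4, 6, "2024-01-01T00:00:00Z", "mcu-node", "auditd",
                            "audit buffer swapped" };   /* constructed sample */
    char line[512];
    if (syslog_format(&m, line, sizeof line) > 0) puts(line);
    struct syslog_msg back;
    if (syslog_parse(line, &back) == 0)
        printf("facility=%d severity=%d tag=%s text=%s\n",
               back.facility, back.severity, back.tag, back.text);
    return 0;
}
```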
  • the audit system reads the audit information in the audit buffer by the auditd thread and writes the audit information into the audit file audit.log.
  • Audit events are the smallest unit of user actions audited by the system.
  • the collection of audit events refers to the establishment of audit events under a certain security level audit standard. From the perspective of the subject, the system needs to record all activities performed by the user. From the perspective of the object, the system needs to record all access activities of a certain object. Audit events can be mainly divided into system call events and user trusted events. This disclosure makes the following designs for system call events:
  • the subject can be a thread.
  • the present disclosure adds an audit context structure pointer audit_context to the thread structure to record the audit information of the thread context.
  • the audit context structure is used to record the system call entry and exit data, such as parameters, call number, success/failure flag, and the return result of the system call.
  • the audit system adds audit functions (entry function audit_syscall_entry and exit function audit_syscall_exit) at the entry and exit of the system call interface, and writes the audit information when the system call interface enters and exits into the audit context structure, and writes the audit information to the buffer when the system call exits. After the audit information is written, the audit context can be cleared.
  • the audit context structure is created and the corresponding status is set when the thread is created, the audit context is filled at the entrance of the system call interface.
  • the entry function audit_syscall_entry records the entry audit information when the system call interface enters the audit context structure of the thread, and the exit function audit_syscall_exit writes the exit audit information into the audit context structure.
  • the information in the audit context structure is finally written to the audit buffer by the audit output thread.
  • Authorized users can set the event types to be filtered out through the auditctl command designed in the audit system, that is, configure the audit configuration information, and put the event rules (mainly type information) that they do not want to view into the rule list.
  • the audit system can provide a filter function audit_filter_type (int type), the parameter is the event type, for different types of rule lists, the audit system will output relevant audit information only when the filter check passes and returns true. That is, the audit system will output relevant audit information only when the current system call event type matches the audit configuration information.
  • the audit system sets up an audit buffer in the user space and designs an audit buffer linked list to store pointers to the audit buffers filled with audit information.
  • the current thread can wait for the relevant thread in the user space to write the audit information into the audit log file until the number of buffers is less than the upper limit.
  • a free audit buffer list can also be designed to store free audit buffers.
  • the system first checks whether there is a free audit buffer in the free audit buffer list. If so, it returns it to the applicant. If not, a new audit buffer is allocated. When releasing the requested audit buffer, it can be checked whether the free buffer list has exceeded the upper limit. If not, the audit buffer to be released is placed in the free buffer list. Otherwise, it is released directly.
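The free audit buffer list policy just described (reuse a free buffer when one exists, otherwise allocate; on release, cache the buffer only while the free list is below its upper limit), as an added example that is not the patent's code. Buffer size, the limit FREE_LIST_LIMIT and the audit_buf_* names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not the patent's code: a free audit buffer list with an upper
 * limit, following the request/release policy the text describes. Buffer size,
 * the limit and the list layout are assumptions. */

#define AUDIT_BUF_SIZE 256      /* bytes per audit buffer (assumed) */
#define FREE_LIST_LIMIT 4       /* upper limit of cached free buffers (assumed) */

struct audit_buffer {
    char   data[AUDIT_BUF_SIZE];
    size_t used;
    struct audit_buffer *next;  /* link in the free list */
};

struct audit_pool {
    struct audit_buffer *free_list;
    int free_count;             /* buffers currently cached in the free list */
    int allocated;              /* buffers obtained from the allocator so far */
};

/* Request: return a cached free buffer if one exists, otherwise allocate a new one. */
struct audit_buffer *audit_buf_request(struct audit_pool *p) {
    struct audit_buffer *b = p->free_list;
    if (b) {
        p->free_list = b->next;
        p->free_count--;
    } else {
        b = malloc(sizeof *b);
        if (!b) return NULL;
        p->allocated++;
    }
    b->used = 0;
    b->next = NULL;
    return b;
}

/* Release: cache the buffer while the free list is below the limit, otherwise
 * free it directly. Returns 1 when cached, 0 when freed. */
int audit_buf_release(struct audit_pool *p, struct audit_buffer *b) {
    if (p->free_count < FREE_LIST_LIMIT) {
        b->next = p->free_list;
        p->free_list = b;
        p->free_count++;
        return 1;
    }
    free(b);
    return 0;
}

/* Free everything still cached (shutdown). */
void audit_pool_destroy(struct audit_pool *p) {
    while (p->free_list) {
        struct audit_buffer *n = p->free_list->next;
        free(p->free_list);
        p->free_list = n;
    }
    p->free_count = 0;
}

int main(void) {
    struct audit_pool pool = { 0 };
    struct audit_buffer *bufs[6];
    for (int i = 0; i < 6; i++) bufs[i] = audit_buf_request(&pool);
    for (int i = 0; i < 6; i++)
        printf("release %d: %s\n", i, audit_buf_release(&pool, bufs[i]) ? "cached" : "freed");
    printf("allocated=%d cached=%d\n", pool.allocated, pool.free_count);
    audit_pool_destroy(&pool);
    return 0;
}
```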
  • users can start the above three management tools by calling corresponding commands such as auditctl, ausearch, aureport, etc., that is, use commands to configure and operate the audit system.
  • the ausearch command queries the background log based on different search rules; the aureport command is used to generate a summary report of the audit log; the auditctl command is used to set audit rules.
  • the system can read the rules in the configuration file and can also add or delete rules.
  • the user thread auditd in the audit system writes audit information that complies with the rules and format from the audit buffer to the audit file.
  • this disclosure reduces the space overhead from the aspects of log generation, recording, and cleaning. This is specifically reflected in the following aspects:
  • a log buffer and an audit buffer are set up respectively, and an audit buffer linked list is set up.
  • the introduction of the buffer can solve the speed mismatch problem between log data generation and file writing.
  • a tool for configuring audit configuration information is provided in the user space.
  • Authorized users can configure the events and formats that need to be audited according to actual needs.
  • the audit system provides relevant functions to conditionally record only the relevant events that the user actually needs to audit.
  • the disclosed embodiment designs and implements a security monitoring system based on a microkernel operating system, records and analyzes the runtime information of the operating system, and ensures the security of the operating system.
  • the disclosed embodiment provides a microkernel operating system that meets the operating system security standards, which can record the operating system runtime status and information in real time, and provide feedback to the administrator based on the log records to ensure the security and reliability of the operating system; in addition, based on the relatively complete log information, the system operation status and user behavior are monitored and potential hazards are pointed out, while minimizing space consumption as much as possible.
  • FIG4 shows a block diagram of a security monitoring device based on a microkernel operating system according to an embodiment of the present disclosure.
  • the device can be implemented as part or all of an electronic device through software, hardware, or a combination of both.
  • the security monitoring device based on a microkernel operating system includes:
  • the response module 401 is configured to respond to a call request of the execution object in the user space to the system call interface in the microkernel operating system, and match the system call event type corresponding to the call request with the pre-configured audit configuration information in the kernel space;
  • the recording module 402 is configured to record the entry audit information of the system call interface when it enters the kernel space and runs in the audit context structure of the execution object, and also record the exit audit information of the system call interface when it exits in the audit context structure of the execution object when the system call event type matches the audit configuration information;
  • the first output module 403 is configured to output the entry audit information and the exit audit information in the audit context structure from the kernel space to the audit buffer of the user space when exiting the system call interface.
  • the kernel part is simplified to the greatest extent.
  • the kernel part only includes the most basic IPC (inter-process communication) mechanism, address space management and scheduling mechanism, etc., which are used to realize the basic functions of the operating system service.
  • services such as device drivers, file systems, and communication between applications are implemented by user-mode service programs.
  • when an ordinary application needs the relevant services of the operating system, it needs to initiate inter-process communication to the corresponding service program, and these service programs perform the relevant operations.
  • the service program will also fall into the kernel state operation by executing the system call interface provided by the kernel, so as to complete some basic operations, and then feed the results back to the application through inter-process communication.
  • the disclosed embodiment first considers the application scenario of a microkernel operating system, adds a security monitoring system to the microkernel operating system architecture, simplifies the kernel part as much as possible, and implements the functions of the security monitoring system as a user space service program.
  • the security monitoring system in the embodiment of the present disclosure at least includes an audit system.
  • the audit system is used for security tracking, and the design of the audit system aims to simplify the kernel as much as possible, and the relevant audit services are designed in the user space.
  • An audit event is the smallest unit of a user's action in the system audit.
  • the collection of audit events refers to the establishment of audit events under a certain security level audit standard. From the subject's perspective, the system needs to record all activities performed by users. From the object's perspective, the system needs to record all access activities of a certain object.
  • Audit events can be mainly divided into system call events and user trusted events.
  • the present disclosure embodiment makes the following design for system call events:
  • the subject of the system call class event is the thread.
  • the system call class event can be understood as the call event of the execution object of the user space, such as the thread, to the system call interface provided by the microkernel operating system. Therefore, in the embodiment of the present disclosure, after the security monitoring system detects the system call class event, that is, detects the call request of the execution object of the user space to the system call interface, it can use the audit system designed for the system call class event in the embodiment of the present disclosure to collect audit information, and output the audit information to the log file of the user space, so that the subsequent relevant authorized users can audit the use of the microkernel operating system based on the log file.
  • the disclosed embodiment can provide a management tool for configuring audit configuration information for users with relevant authority in the user space.
  • the management tool can provide an audit information configuration interface or a command input interface. Users with relevant authority can configure corresponding audit rules through the audit information configuration interface or by inputting commands, and can also configure the output format of audit information, etc.
  • the audit configuration information configured by users with relevant authority can be stored in a corresponding storage file so that it can be read by the security monitoring system later.
  • the security monitoring system can be implemented by programming. After the security monitoring system is running, one or more detection threads can be started in the user space to detect system call events. After detecting the system call event, the one or more detection threads in the security monitoring system can match the type of the system call event with the rules set in the audit configuration information in the storage file.
  • the entry audit information of the currently called system call interface when entering the kernel state is written into the audit context structure corresponding to the execution object, and the exit audit information when the system call interface is executed and exited is also written into the audit context structure corresponding to the execution object.
  • the audit context structure can be written in the source code of the execution object during programming, and is established when the execution object is created after the security monitoring system is running.
  • when the system call interface exits, one or more information output threads started after the security monitoring system runs output the corresponding entry audit information and exit audit information in the audit context structure from the kernel space to the audit buffer of the user space.
  • the audit context structure can be cleared.
  • the audit context structure may be as follows:
  • the entry audit information and the exit audit information can be determined based on the audit context structure, that is, the audit context structure predefines what the entry audit information and the exit audit information include respectively.
  • the entry audit information may include but is not limited to the audit status, sequence number, system call entry time, system call number, system call parameters, etc. in the audit context structure; the exit audit information may include but is not limited to the system call return code and the flag of whether the content in the audit context structure is output to the audit buffer, etc.
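The audit context structure is not spelled out above, so here is an added example, not the patent's code, of one possible layout built from the fields listed (status, sequence number, entry time, call number, parameters, return code, output flag), together with the audit_syscall_entry and audit_syscall_exit hooks and the audit_filter_type check described in the audit system section. Field names, the event-type numbering, the rule list layout and the record pushed to the audit buffer are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not the patent's code: one possible layout for the audit context
 * structure the text leaves undefined, together with the audit_syscall_entry /
 * audit_syscall_exit hooks and the audit_filter_type check. Field names, the
 * event-type numbering and the record pushed to the audit buffer are assumptions. */

#define AUDIT_ARGS 6
#define AUDIT_RULES 16
#define AUDIT_BUF_CAP 32

enum audit_state { AUDIT_DISABLED = 0, AUDIT_BUILD_CONTEXT = 1 };

struct audit_context {
    int      state;              /* audit status, set when the thread is created */
    uint32_t serial;             /* sequence number */
    uint64_t entry_time;         /* system call entry time */
    int      syscall_nr;         /* system call number */
    int      event_type;         /* system call event type used by the filter */
    uint64_t args[AUDIT_ARGS];   /* system call parameters */
    long     retcode;            /* return result of the system call */
    int      in_syscall;         /* set between entry and exit */
    int      output_done;        /* flag: content pushed to the audit buffer */
};

/* Thread structure extended with the audit_context pointer the text describes. */
struct thread { int tid; struct audit_context *audit_context; };

/* Rule list filled by an auditctl-style tool: event types the user does NOT want
 * to see. audit_filter_type() passes (returns 1) for any type not in the list. */
static int g_filter_rules[AUDIT_RULES];
static int g_filter_count;

int audit_add_rule(int type) {
    if (g_filter_count >= AUDIT_RULES) return -1;
    g_filter_rules[g_filter_count++] = type;
    return 0;
}

int audit_filter_type(int type) {
    for (int i = 0; i < g_filter_count; i++)
        if (g_filter_rules[i] == type) return 0;
    return 1;
}

/* Records received by the user-space audit buffer (simplified to a flat array). */
struct audit_record { uint32_t serial; int syscall_nr; long retcode; uint64_t arg0; };
static struct audit_record g_audit_buf[AUDIT_BUF_CAP];
static int g_audit_buf_count;
static uint32_t g_serial;

/* Entry hook: fill the context when the system call interface is entered. */
void audit_syscall_entry(struct thread *t, int nr, int type,
                         const uint64_t args[AUDIT_ARGS], uint64_t now) {
    struct audit_context *ctx = t->audit_context;
    if (!ctx || ctx->state != AUDIT_BUILD_CONTEXT) return;
    ctx->serial = ++g_serial;
    ctx->entry_time = now;
    ctx->syscall_nr = nr;
    ctx->event_type = type;
    memcpy(ctx->args, args, sizeof ctx->args);
    ctx->retcode = 0;
    ctx->in_syscall = 1;
    ctx->output_done = 0;
}

/* Exit hook: store the return code, push the record to the audit buffer when the
 * event type passes the filter, then clear the context (keeping its state so the
 * thread's next call is audited too). Returns 1 when a record was emitted. */
int audit_syscall_exit(struct thread *t, long retcode) {
    struct audit_context *ctx = t->audit_context;
    if (!ctx || !ctx->in_syscall) return 0;
    ctx->retcode = retcode;
    int emitted = 0;
    if (audit_filter_type(ctx->event_type) && g_audit_buf_count < AUDIT_BUF_CAP) {
        struct audit_record *r = &g_audit_buf[g_audit_buf_count++];
        r->serial = ctx->serial;
        r->syscall_nr = ctx->syscall_nr;
        r->retcode = ctx->retcode;
        r->arg0 = ctx->args[0];
        ctx->output_done = 1;
        emitted = 1;
    }
    int state = ctx->state;
    memset(ctx, 0, sizeof *ctx);
    ctx->state = state;
    return emitted;
}

int audit_buffer_count(void) { return g_audit_buf_count; }
const struct audit_record *audit_buffer_get(int i) { return &g_audit_buf[i]; }
```

A call whose event type is in the rule list leaves no record but still has its context cleared, which is the "do not write to the audit buffer" path the text describes.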
  • the audit buffer of the user space can be created when the security monitoring system is initialized, and the read and write threads started when the security monitoring system is initialized perform read and write operations on the audit buffer.
  • the disclosed embodiment designs and implements a security monitoring solution based on a microkernel operating system, and ensures the security of the operating system by recording and analyzing the runtime information of the operating system.
  • there are few well-designed security audit solutions for microkernel operating systems while the disclosed embodiment designs and implements a security monitoring solution based on a microkernel operating system that meets the security standards of the operating system, and uses the security monitoring solution to record the operating system running information in real time.
  • the disclosed embodiment provides a configuration audit rule service in the user space, and the authorized user configures the events and formats that need to be audited according to the needs. During the operation of the kernel system, only the relevant events configured by the authorized user are conditionally recorded, and the operating system is securely monitored under the premise of maximizing the simplification of the kernel.
  • the device further includes:
  • the first writing module is configured to write the first kernel state log information generated by the system call interface during the execution of the kernel space into the log buffer of the user space when the system call event type corresponding to the call request does not match the audit configuration information.
  • when the system call event type corresponding to the currently called system call interface does not match the audit configuration information pre-configured by the authorized user, it means that the content involved in the current system call is not audit information that the authorized user is concerned about, so no relevant audit information need be generated. However, for subsequent viewing needs, the relevant log information may be written into the log buffer of the user space. In some embodiments, the log output thread started after the security monitoring system is running may write the relevant log information into the log buffer of the user space.
  • an audit buffer and a log buffer can be established in the user space.
  • the log output thread can also write the first kernel state log information related to the current system call event into the log buffer.
  • the relevant first kernel state log information may include but is not limited to the start time, end time, and related logs of the modification operation of the microkernel operating system during the operation of the system call event.
  • a log output thread can be specially set to write the relevant logs of the program running in the kernel space into the log buffer of the user space.
  • the device further includes:
  • a second writing module is configured to write the user state log information generated by the user space into the log buffer; and/or,
  • the third writing module is configured to write the second kernel state log information generated by the kernel space into the log buffer; wherein the second kernel state log information is log information generated by the non-system call interface in the kernel space.
  • the user state log information generated by the user space can also be recorded in the log buffer, and the second kernel state log information generated by the kernel space can also be written into the log buffer.
  • the log information generated by the system call class event is referred to as the first kernel state log information
  • the log information generated in other cases is referred to as the second kernel state log information.
  • the first kernel state log information can be written into the log buffer by the log output thread established when the security monitoring system is initialized. It is understandable that the first kernel state log information and the second kernel state log information can be processed by the same log output thread, or by different log output threads.
  • user-state log information in the user space may include but is not limited to operation logs of application software running in the user space, modification records of configuration information in the user space, etc.
  • first kernel-state log information or second kernel-state log information may include but is not limited to operation records of the microkernel operating system, alarm prompt records in the microkernel operating system, operation log records of user threads on the microkernel operating system, behavior records of user threads in the microkernel operating system, etc.
  • the first kernel state log information and the second kernel state log information generated by the kernel space can be output from the kernel space to the log buffer of the user space by a specially set log output thread.
  • the log information generated by the user space can be written into the log buffer of the user space by the corresponding thread.
  • the corresponding thread can be started after the security monitoring system is running.
  • the device further includes:
  • a first reading module is configured to read the log information in the log buffer in the user space
  • the first calling module is configured to call a file system interface to output the log information in the log buffer to a console or a log file.
  • the log information is recorded in the log buffer established in the user space, and the security monitoring system can start the log reading thread after operation.
  • the log reading thread can write the log information in the log buffer into the log file.
  • the process of writing the log file can be carried out in the user space, and the log reading thread can write the log information from the log buffer to the log file by calling the file system interface in the user space.
  • the log information in the log buffer can also be directly output to the console by the log reading thread by calling the file system interface, stored in the storage device on the console, and/or displayed on the display on the console for relevant personnel to view.
  • the device further includes:
  • An acquisition module configured to acquire user space audit information generated by the user space
  • a matching module configured to match the user space audit information with the audit configuration information
  • the fourth writing module is configured to write the user space audit information into the audit buffer when the user space audit information matches the audit configuration information.
  • the user space will also generate some information that the authorized user wants to audit.
  • the authorized user can also pre-configure audit configuration information for the user space, and configure the event type and/or information type to be audited in the audit configuration information.
  • the audit matching thread started after the security monitoring system is running can match the user space audit information with the audit configuration information. If they match, the information is written to the audit buffer; if they do not match, it is not written to the audit buffer but is written to the log buffer by the relevant log thread.
  • the device further includes:
  • a first receiving module is configured to receive user configuration information input by a user in a user space through a preset interface
  • An update module is configured to update the audit configuration information stored in the user space based on the user configuration information.
  • the authorized user can input user configuration information through the interface pre-set in the user space, and the user configuration information can be used to update the audit configuration information pre-stored in the user space.
  • the authorized user can pre-configure the audit configuration information in the user space, and can also perform editing operations such as modifying the audit configuration information later.
  • an interface for the user to input user configuration information can be provided. Through this interface, the security monitoring system can receive the user configuration information input by the user, and update the received user configuration information to the storage file of the configuration information.
  • the device further includes:
  • a second receiving module is configured to receive a user's request to view the log file in the user space
  • the second output module is configured to output the log file to a user based on the viewing request.
  • the log file can be stored in the user space, and the user can request to view the log file in the user space through the viewing interface provided by the security monitoring system. After receiving the user's request, the viewing interface can output the log file to the user by calling the file system interface. For example, the log file can be opened and displayed on the user's display device.
  • the device further includes:
  • a second reading module is configured to read the audit information in the audit buffer in the user space
  • the second calling module is configured to call a file system interface to output the audit information in the audit buffer area to an audit file.
  • the audit information of the user space and the kernel space are all recorded in the audit buffer established in the user space.
  • the security monitoring system can start the audit reading thread after running. Periodically, or when the audit buffer is full, the audit reading thread can write the audit information in the audit buffer into the audit file. The audit file is written in the user space: the audit reading thread writes the audit information from the audit buffer to the audit file by calling the file system interface in the user space.
  • the audit information in the audit buffer can also be directly output to the console by the audit reading thread by calling the file system interface, stored in the storage device on the console, and/or displayed on the display on the console for relevant personnel to view.
  • the device further includes:
  • a third receiving module is configured to receive a user's request to view the audit file in a user space
  • the third output module is configured to output an audit report to a user based on the audit information in the audit file.
  • the audit information can be generated in the form of an audit report based on pre-configured audit rules and output to the authorized user.
  • the security monitoring system can also provide the user with a viewing interface for viewing the audit file. After receiving the user's request, the viewing interface can output the audit report to the user if it is determined that the current user has the authority.
  • the device further includes:
  • a setting module is configured to set an audit buffer linked list in the user space; the audit buffer linked list is used to store a pointer pointing to the audit buffer;
  • the second calling module includes:
  • a calling submodule is configured to call a file system interface in the user space, based on the pointers in the audit buffer linked list, to output the audit information in the audit buffers to the audit file after the number of pointers in the audit buffer linked list exceeds a preset threshold;
  • the deletion submodule is configured to delete the corresponding pointers from the audit buffer linked list.
  • an audit buffer linked list can be created in the user space, and the audit buffer linked list stores pointers to the audit buffers. That is, multiple audit buffers can be created in the user space, and the pointer to each audit buffer can be stored in the audit buffer linked list.
  • the maximum number of pointers to the audit buffers that can be stored in the audit buffer linked list can be set in advance, and the maximum number is represented by a preset threshold.
  • a process for writing the audit information in the audit buffers to the audit file can be started; the process writes the audit information in each audit buffer pointed to by a pointer stored in the audit buffer linked list to the audit file, and the pointer to any audit buffer whose audit information has been successfully written to the audit file can be deleted from the audit buffer linked list.
  • the audit buffer and/or log buffer of the user space adopts a double buffer mode.
  • in order to reduce the number of system calls, and thereby the time the operating system spends switching between user state and kernel state, the disclosed embodiment maintains an audit buffer and a log buffer in the user space, and log information and audit information are written into the log buffer and the audit buffer respectively in a unified format.
  • the log reading thread and the audit reading thread of the user space are responsible for monitoring and reading the information of the log buffer and the audit buffer respectively, and writing them into the log file and the audit file.
  • the log output thread writes the kernel's log information into the log buffer of the user space
  • the audit output thread writes the kernel state's audit information into the audit buffer of the user space.
  • the buffer is set mainly to solve the problem of rate mismatch between the generation and reading of log information or audit information.
  • reading and writing a buffer is often accompanied by thread-safety issues between the reading thread and the writing thread.
  • the disclosed embodiment adopts a double buffer mode to design the log buffer and audit buffer of the user space.
  • An array is a one-dimensional continuous linear structure in physical storage.
  • One-time allocation can avoid frequent memory application and release, and has high access efficiency. Therefore, the embodiment of the present disclosure adopts a double buffer in the form of an array.
  • the audit buffer is implemented as two buffers Buff_1 and Buff_2.
  • Buff_1 is used by the current writing thread, i.e., the audit output thread, to store audit information.
  • the reading thread i.e., the audit reading thread
  • the log buffer can also be implemented as two buffers Buff_1 and Buff_2.
  • Buff_1 is used by the current writing thread, i.e., the log output thread, to store log information.
  • a swap operation is triggered to swap the content in the log buffer Buff_1 to the log buffer Buff_2. Then the reading thread, i.e., the log reading thread, reads data from the log buffer Buff_2 and writes it into the log file.
  • the addresses of the first audit buffer and the second audit buffer are swapped, so that the buffer pointer for writing audit information by the kernel-state audit output thread is switched from the address of the first audit buffer in the user space to the address of the second audit buffer, while the buffer pointer for reading audit information by the audit reading thread points to the address of the first audit buffer.
  • when swapping two audit buffers, since the two audit buffers need to be locked separately, copying the buffer contents would keep the locks held for a long time and affect overall performance. Therefore, when performing the buffer swap operation, the disclosed embodiment directly swaps the addresses of the two audit buffers: the pointer with which the audit output thread writes, which pointed to the audit buffer Buff_1, is pointed to the audit buffer Buff_2, and the pointer with which the audit reading thread reads, which pointed to Buff_2, is pointed to Buff_1, after which reading and writing continue, achieving the purpose of swapping the buffers. The operation in the critical section is then only a pointer swap, so it executes faster.
  • the design of the double buffer mode only needs to ensure that there is a buffer that can write data and a buffer that can read data. In this way, when the audit output thread in the kernel state writes to the buffer, it will not block the execution of the audit output thread in the kernel state due to the slow execution speed of the user state, further improving the processing efficiency of the kernel state.
  • the buffer in the form of an array is allocated once, which can avoid frequent memory allocation and release.
  • the addresses of the first log buffer and the second log buffer are swapped, so that the buffer pointer for writing log information by the kernel-state log output thread is switched from the address of the first log buffer in the user space to the address of the second log buffer, and the buffer pointer for reading log information by the log reading thread points to the address of the first log buffer.
  • the disclosed embodiment directly exchanges the addresses of the two log buffers: the pointer with which the log output thread writes, which pointed to the log buffer Buff_1, is pointed to the log buffer Buff_2, and the pointer with which the log reading thread reads, which pointed to Buff_2, is pointed to Buff_1, after which reading and writing continue, achieving the purpose of swapping the buffers.
  • the operation in the critical section only involves swapping pointers, so it executes faster.
  • the design of the double buffer mode only needs to ensure that there is a buffer that can write data and a buffer that can read data, so that when the log output thread of the kernel state writes to the buffer, it will not block the execution of the log output thread of the kernel state due to the slow execution speed of the user state, further improving the processing efficiency of the kernel state.
  • the device further includes:
  • a first establishment module is configured to establish an idle audit buffer
  • a storage module configured to store a pointer pointing to the idle audit buffer in an idle audit buffer linked list
  • the first output module comprises:
  • a request submodule configured to request an idle audit buffer from the idle audit buffer linked list
  • the writing submodule is configured to write the audit information in the audit context structure into the idle audit buffer.
  • multiple idle audit buffers can be pre-established, and pointers to the idle audit buffers can be stored in an idle audit buffer list.
  • the audit output thread can request an idle audit buffer from the idle audit buffer list, and write the audit information in the audit context structure into the idle audit buffer.
  • the corresponding audit output thread can take the pointer to the audit buffer into which the audit information was written out of the free audit buffer list and write it into the non-free audit buffer list, and the pointer to that audit buffer in the free audit buffer list can be deleted.
  • the device further includes:
  • an allocation module configured to reallocate an audit buffer when there is no idle audit buffer in the idle audit buffer linked list
  • a fifth writing module is configured to write the audit information in the audit context structure into the reallocated audit buffer.
  • the audit output thread can write the pointer of the created free audit buffer into the audit buffer linked list.
  • the audit output thread can also find the free audit buffer from the audit buffer linked list and write the audit information in the audit context structure of the execution object into the free audit buffer.
  • the audit output thread can reallocate a new audit buffer for the current execution object, and the corresponding audit output thread can write the audit information in the audit context structure of the execution object into the new audit buffer.
  • the device further includes:
  • a second establishing module is configured to establish a new audit file after the content in the audit file exceeds a preset storage capacity
  • the deletion module is configured to delete one or more audit files that were created first in chronological order after the number of the audit files exceeds a preset number.
  • the audit information can be written into the audit file by the audit reading thread periodically or after the audit buffer is full.
  • the audit file is stored in the user space, and its storage capacity can be set in advance when the security monitoring system is initialized.
  • a new audit file can be created by the file creation thread started after the security monitoring system is running, and subsequent audit information can be written into the new audit file.
  • the file deletion thread started after the security monitoring system is running can delete the first one or more audit files created in the order of the time when the audit files were created, and retain the more recently created audit files.
  • the embodiment of the present disclosure also provides a chip, the chip includes the above-mentioned security monitoring device based on the microkernel operating system, the chip can be any chip that can implement the security monitoring process based on the microkernel operating system described above, and the device can be implemented as part or all of the chip through software, hardware, or a combination of both.
  • the security monitoring process based on the microkernel operating system can refer to the description of the security monitoring method based on the microkernel operating system above, which will not be repeated here.
  • FIG5 shows a structural block diagram of an electronic device according to an embodiment of the present disclosure.
  • the electronic device 500 includes a memory 501 and a processor 502; wherein,
  • the memory 501 is used to store one or more computer instructions, wherein the one or more computer instructions are executed by the processor 502 to implement the above method steps.
  • FIG6 is a schematic diagram of the structure of a computer system suitable for implementing a security monitoring method based on a microkernel operating system according to an embodiment of the present disclosure.
  • the computer system 600 includes a processing unit 601, which can perform various processes in the above-mentioned embodiments according to a program stored in a read-only memory (ROM) 602 or a program loaded from a storage part 608 into a random access memory (RAM) 603.
  • Various programs and data required for the operation of the computer system 600 are also stored in the RAM 603.
  • the processing unit 601, the ROM 602, and the RAM 603 are connected to each other via a bus 604.
  • An input/output (I/O) interface 605 is also connected to the bus 604.
  • the following components are connected to the I/O interface 605: an input section 606 including a keyboard, a mouse, etc.; an output section 607 including a cathode ray tube (CRT), a liquid crystal display (LCD), etc., and a speaker, etc.; a storage section 608 including a hard disk, etc.; and a communication section 609 including a network interface card such as a LAN card, a modem, etc.
  • the communication section 609 performs communication processing via a network such as the Internet.
  • a drive 610 is also connected to the I/O interface 605 as needed.
  • a removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, etc., is installed on the drive 610 as needed so that the computer program read therefrom is installed into the storage part 608 as needed.
  • the processing unit 601 can be implemented as a processing unit such as a CPU, a GPU, a TPU, an FPGA, or an NPU.
  • an embodiment of the present disclosure includes a computer program product, which includes a computer program tangibly contained on a readable medium thereof, and the computer program includes a program code for executing the method.
  • the computer program can be downloaded and installed from a network through the communication part 609, and/or installed from a removable medium 611.
  • each box in the flowchart or block diagram can represent a module, a program segment or a part of the code, and the module, program segment or part of the code contains one or more executable instructions for realizing the specified logical function.
  • the functions marked in the box can also occur in a different order from the order marked in the accompanying drawings. For example, two boxes represented in succession can actually be executed substantially in parallel, and they can sometimes be executed in the opposite order, depending on the functions involved.
  • each box in the block diagram and/or flow chart, and the combination of the boxes in the block diagram and/or flow chart can be implemented with a dedicated hardware-based system that performs the specified function or operation, or can be implemented with a combination of dedicated hardware and computer instructions.
  • the units or modules involved in the embodiments described in the present disclosure may be implemented by software or hardware.
  • the units or modules described may also be arranged in a processor, and the names of these units or modules do not constitute limitations on the units or modules themselves in some cases.
  • the present disclosure further provides a computer-readable storage medium, which may be a computer-readable storage medium included in the device described in the above embodiment; or a computer-readable storage medium that exists independently and is not assembled into the device.
  • the computer-readable storage medium stores one or more programs, and the programs are used by one or more processors to execute the method described in the present disclosure.
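
The double-buffer address swap described in the items above (Buff_1 and Buff_2 allocated once as arrays, the writer's and reader's pointers exchanged instead of copying contents, and only that exchange inside the critical section), as an added example in C that is not code from the patent. The buffer sizes, the fixed record length, the spinlock built on a C11 atomic_flag and the back-pressure return value of dbuf_write are assumptions of this example.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for the demonstration; a deployment would size BUF_CAP so
 * that swaps are rare. */
#define BUF_CAP 4     /* records per array buffer */
#define REC_LEN 32    /* fixed record size of the unified format */

/* One array-backed buffer; both are allocated once inside double_buf_t. */
typedef struct {
    char   rec[BUF_CAP][REC_LEN];
    size_t count;
} array_buf_t;

/* Buff_1 and Buff_2 live in storage[]; wbuf/rbuf are the pointers that the
 * swap exchanges, so the critical section never copies buffer contents. */
typedef struct {
    array_buf_t  storage[2];
    array_buf_t *wbuf;       /* written by the output (producer) thread */
    array_buf_t *rbuf;       /* drained by the reading (consumer) thread */
    atomic_flag  lock;       /* guards the pointer swap and the counters only */
    unsigned     swaps;      /* swaps performed so far, for inspection */
} double_buf_t;

static void spin_lock(atomic_flag *f) {
    while (atomic_flag_test_and_set_explicit(f, memory_order_acquire)) { }
}
static void spin_unlock(atomic_flag *f) {
    atomic_flag_clear_explicit(f, memory_order_release);
}

/* Exchange the two addresses; the caller holds the lock. */
static void swap_buffers(double_buf_t *d) {
    array_buf_t *t = d->wbuf;
    d->wbuf = d->rbuf;
    d->rbuf = t;
    d->swaps++;
}

void dbuf_init(double_buf_t *d) {
    memset(d, 0, sizeof *d);
    d->wbuf = &d->storage[0];   /* Buff_1: current write buffer */
    d->rbuf = &d->storage[1];   /* Buff_2: current read buffer */
    atomic_flag_clear(&d->lock);
}

/* Producer side. A full write buffer triggers an address swap instead of a
 * copy. If the reader still owns the other buffer the record is refused
 * (false), so back-pressure is visible instead of data being overwritten. */
bool dbuf_write(double_buf_t *d, const char *record) {
    bool ok = true;
    spin_lock(&d->lock);
    if (d->wbuf->count == BUF_CAP) {
        if (d->rbuf->count != 0)
            ok = false;          /* reader has not drained the other buffer yet */
        else
            swap_buffers(d);
    }
    if (ok) {
        char *slot = d->wbuf->rec[d->wbuf->count++];
        strncpy(slot, record, REC_LEN - 1);
        slot[REC_LEN - 1] = '\0';
    }
    spin_unlock(&d->lock);
    return ok;
}

/* Consumer side. Takes ownership of the read buffer under the lock, then
 * copies the records out with the lock released, so the slow part (writing
 * the audit or log file in the patent's design) never blocks the producer.
 * `out` must hold BUF_CAP records. Returns the number of records copied. */
size_t dbuf_read(double_buf_t *d, char out[BUF_CAP][REC_LEN]) {
    spin_lock(&d->lock);
    /* Read side empty: pull in whatever the writer has so far (periodic drain). */
    if (d->rbuf->count == 0 && d->wbuf->count != 0)
        swap_buffers(d);
    array_buf_t *mine = d->rbuf;
    size_t n = mine->count;
    spin_unlock(&d->lock);
    if (n == 0)
        return 0;
    /* While mine->count != 0 the writer never swaps, so mine is ours alone. */
    memcpy(out, mine->rec, n * REC_LEN);
    spin_lock(&d->lock);
    mine->count = 0;             /* hand the buffer back for the next swap */
    spin_unlock(&d->lock);
    return n;
}

int main(void) {
    double_buf_t d;
    char out[BUF_CAP][REC_LEN];
    dbuf_init(&d);
    /* Constructed workload: a burst from the producer, then a slow consumer. */
    for (int i = 0; i < 9; i++) {
        char rec[REC_LEN];
        snprintf(rec, sizeof rec, "audit-event-%d", i);
        if (!dbuf_write(&d, rec))
            printf("record %d refused: both buffers full, reader idle\n", i);
    }
    size_t n;
    while ((n = dbuf_read(&d, out)) != 0)
        for (size_t i = 0; i < n; i++)
            printf("read %s (swaps so far: %u)\n", out[i], d.swaps);
    return 0;
}
```

The lock is held only for the pointer exchange and the two counters; the reader's bulk copy, which stands in for the file write of the patent's reading threads, runs with the lock released. The writer refuses a record when both buffers are full rather than waiting, which is the condition a monitoring system has to detect and report, since a silently dropped audit record is worse than a visible one.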
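
The audit buffer linked list with its pointer-count threshold and the idle audit buffer list with reallocation when it runs dry (the setting, calling and deletion submodules, and the establishment, storage, request, writing and allocation modules above), as one added C example that is not code from the patent. The names pool_request and pool_flush, the record size, a temporary stdio file standing in for the audit file, and returning flushed buffers to the idle list instead of freeing them are assumptions made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUDIT_REC_LEN 64   /* constructed record size for the demonstration */

/* One audit buffer: the audit information of one execution object, copied
 * out of its audit context structure. */
typedef struct audit_buf {
    char              data[AUDIT_REC_LEN];
    struct audit_buf *next;   /* link in whichever list holds the buffer now */
} audit_buf_t;

typedef struct {
    audit_buf_t *idle;        /* idle audit buffer linked list */
    audit_buf_t *used_head;   /* audit buffer linked list, oldest record first */
    audit_buf_t *used_tail;
    size_t       used_count;  /* number of pointers in the used list */
    size_t       threshold;   /* preset threshold that triggers output */
    size_t       allocated;   /* buffers allocated so far, for inspection */
    FILE        *audit_file;
} audit_pool_t;

/* Pre-establish `prealloc` idle buffers. Returns 0 on success, -1 on OOM. */
int pool_init(audit_pool_t *p, size_t prealloc, size_t threshold, FILE *audit_file) {
    memset(p, 0, sizeof *p);
    p->threshold = threshold;
    p->audit_file = audit_file;
    for (size_t i = 0; i < prealloc; i++) {
        audit_buf_t *b = calloc(1, sizeof *b);
        if (!b) return -1;
        b->next = p->idle;
        p->idle = b;
        p->allocated++;
    }
    return 0;
}

/* Request an idle buffer; if the idle list is empty, reallocate a new one. */
static audit_buf_t *pool_request(audit_pool_t *p) {
    audit_buf_t *b = p->idle;
    if (b)
        p->idle = b->next;          /* its pointer leaves the idle list */
    else if ((b = calloc(1, sizeof *b)) != NULL)
        p->allocated++;             /* no idle buffer: allocate a fresh one */
    return b;
}

/* Write every queued buffer to the audit file in arrival order, delete its
 * pointer from the used list and (a choice made here, not stated by the
 * patent) return the buffer to the idle list. Returns the number written. */
size_t pool_flush(audit_pool_t *p) {
    size_t written = 0;
    fseek(p->audit_file, 0, SEEK_END);   /* append, even after the file was read */
    while (p->used_head) {
        audit_buf_t *b = p->used_head;
        if (fprintf(p->audit_file, "%s\n", b->data) < 0)
            break;                        /* leave the rest queued for a retry */
        p->used_head = b->next;
        p->used_count--;
        b->next = p->idle;
        p->idle = b;
        written++;
    }
    if (!p->used_head)
        p->used_tail = NULL;
    fflush(p->audit_file);
    return written;
}

/* Audit output thread side: copy one record into an idle buffer and append its
 * pointer to the used list; once the pointer count exceeds the threshold the
 * list is written out. Returns buffers flushed by this call, or -1 on OOM. */
long pool_write(audit_pool_t *p, const char *record) {
    audit_buf_t *b = pool_request(p);
    if (!b) return -1;
    strncpy(b->data, record, AUDIT_REC_LEN - 1);
    b->data[AUDIT_REC_LEN - 1] = '\0';
    b->next = NULL;
    if (p->used_tail) p->used_tail->next = b; else p->used_head = b;
    p->used_tail = b;
    p->used_count++;
    return p->used_count > p->threshold ? (long)pool_flush(p) : 0;
}

/* Count newline-terminated records currently in the audit file. */
size_t audit_file_records(FILE *f) {
    size_t n = 0;
    int c;
    rewind(f);
    while ((c = fgetc(f)) != EOF)
        if (c == '\n') n++;
    return n;
}

void pool_destroy(audit_pool_t *p) {
    pool_flush(p);
    while (p->idle) { audit_buf_t *b = p->idle; p->idle = b->next; free(b); }
}

int main(void) {
    FILE *f = tmpfile();                 /* stands in for the audit file */
    audit_pool_t p;
    if (!f || pool_init(&p, 2, 3, f) != 0) return 1;
    const char *records[] = { "open entry", "open exit", "write entry",
                              "write exit", "close entry" };   /* constructed */
    for (size_t i = 0; i < 5; i++) {
        long flushed = pool_write(&p, records[i]);
        printf("write %-12s -> flushed %ld, allocated %zu\n", records[i], flushed, p.allocated);
    }
    pool_destroy(&p);
    printf("records in audit file: %zu\n", audit_file_records(f));
    fclose(f);
    return 0;
}
```

With two pre-established buffers and a threshold of three, the third record forces a reallocation, the fourth pushes the pointer count past the threshold and flushes all four to the file, and the fifth is served from the recycled idle list without touching the allocator, which is the steady state the pre-allocation is meant to reach.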
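
The audit file rotation described above (a new audit file once the content of the current one exceeds a preset storage capacity, and deletion of the earliest-created files once the number of files exceeds a preset number), as an added C example that is not code from the patent. The sequence-numbered file names, the /tmp location, the byte-based capacity check and the audit_rotator_* names are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* getpid(): only used to make the demo file names unique */

#define AUDIT_PATH_LEN 256

typedef struct {
    char     prefix[160];   /* audit files are named <prefix>_<seq>.log */
    size_t   capacity;      /* preset storage capacity of one audit file, bytes */
    unsigned max_files;     /* preset number of audit files to retain */
    unsigned first_seq;     /* sequence number of the oldest retained file */
    unsigned next_seq;      /* sequence number the next created file receives */
    FILE    *cur;           /* audit file currently being written */
    size_t   cur_size;      /* bytes written to cur so far */
} audit_rotator_t;

static void audit_path(const audit_rotator_t *r, unsigned seq, char *out, size_t n) {
    snprintf(out, n, "%s_%06u.log", r->prefix, seq);
}

/* Create the next audit file (second establishing module) and, once more than
 * max_files are retained, delete the oldest ones (deletion module). */
static int audit_open_new(audit_rotator_t *r) {
    char path[AUDIT_PATH_LEN];
    if (r->cur) fclose(r->cur);
    audit_path(r, r->next_seq, path, sizeof path);
    r->cur = fopen(path, "w");
    if (!r->cur) return -1;
    r->cur_size = 0;
    r->next_seq++;
    while (r->next_seq - r->first_seq > r->max_files) {
        audit_path(r, r->first_seq, path, sizeof path);
        remove(path);                 /* earliest created goes first */
        r->first_seq++;
    }
    return 0;
}

int audit_rotator_init(audit_rotator_t *r, const char *prefix,
                       size_t capacity, unsigned max_files) {
    memset(r, 0, sizeof *r);
    snprintf(r->prefix, sizeof r->prefix, "%s", prefix);
    r->capacity = capacity;
    r->max_files = max_files;
    return audit_open_new(r);
}

/* Append one record; after the file's content exceeds the capacity, a new
 * file is created for the records that follow. Returns 0 on success. */
int audit_rotator_write(audit_rotator_t *r, const char *record) {
    int n = fprintf(r->cur, "%s\n", record);
    if (n < 0) return -1;
    fflush(r->cur);
    r->cur_size += (size_t)n;
    return r->cur_size > r->capacity ? audit_open_new(r) : 0;
}

/* Files retained according to the bookkeeping. */
unsigned audit_rotator_retained(const audit_rotator_t *r) {
    return r->next_seq - r->first_seq;
}

/* Cross-check against the file system: count the files that really exist for
 * every sequence number ever issued. */
unsigned audit_rotator_on_disk(const audit_rotator_t *r) {
    char path[AUDIT_PATH_LEN];
    unsigned found = 0;
    for (unsigned s = 0; s < r->next_seq; s++) {
        audit_path(r, s, path, sizeof path);
        FILE *f = fopen(path, "r");
        if (f) { fclose(f); found++; }
    }
    return found;
}

/* Close the current file; with delete_files set, also remove every retained file. */
void audit_rotator_close(audit_rotator_t *r, int delete_files) {
    char path[AUDIT_PATH_LEN];
    if (r->cur) fclose(r->cur);
    r->cur = NULL;
    for (unsigned s = r->first_seq; delete_files && s < r->next_seq; s++) {
        audit_path(r, s, path, sizeof path);
        remove(path);
    }
}

int main(void) {
    audit_rotator_t r;
    char prefix[64];
    /* Assumption: /tmp is writable; the pid keeps concurrent runs apart. */
    snprintf(prefix, sizeof prefix, "/tmp/audit_demo_%ld", (long)getpid());
    if (audit_rotator_init(&r, prefix, 20, 3) != 0) return 1;
    for (int i = 0; i < 9; i++) {           /* constructed 7-byte records */
        char rec[16];
        snprintf(rec, sizeof rec, "rec-%02d", i);
        audit_rotator_write(&r, rec);
        printf("%s: retained %u, on disk %u, oldest seq %u\n", rec,
               audit_rotator_retained(&r), audit_rotator_on_disk(&r), r.first_seq);
    }
    audit_rotator_close(&r, 1);
    return 0;
}
```

The retention bound is checked right after a new file is created, so at most max_files audit files ever exist; audit_rotator_on_disk is the independent check a practitioner would run to confirm the bookkeeping and the file system agree, which matters when the deletion thread and the writing thread are separate as in the patent's design.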

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Disclosed in the embodiments of the present disclosure are a security monitoring method based on a microkernel operating system, and an apparatus, a device and a chip. The method comprises: in response to a call request from an execution object of a user space to a system call interface in the microkernel operating system, matching, in a kernel space, the system call event type corresponding to the call request with pre-configured audit configuration information; when the system call event type matches the audit configuration information, recording the entry audit information when the system call interface enters the kernel space to run in an audit context structure of the execution object, and also recording the exit audit information when the system call interface exits in the audit context structure of the execution object; and when exiting the system call interface, outputting the entry audit information and the exit audit information in the audit context structure from the kernel space to an audit buffer of the user space. By means of this technical solution, security monitoring of the operating system can be carried out while keeping the kernel as simple as possible.

Description

Security monitoring method, device, equipment and chip based on microkernel operating system

Technical Field

The present disclosure relates to the field of chip technology, and in particular to a security monitoring method, device, equipment and chip based on a microkernel operating system.

Background Art

Auditing is an analytical technique for identifying violations of security rules after the fact. Security auditing provides administrators with timely warnings when users violate security rules, and implements functions such as tracking, reviewing, compiling statistics on and reporting system information. Some open-source operating systems have already implemented auditing functions.

Linux provides an audit system for recording system security events. The audit system consists of a user space audit system and a kernel space audit system. The user space audit system is made up of user space audit programs, which enable the kernel audit function, set audit rules and the audit system state, receive audit messages sent by the kernel audit system and write them to log files, and retrieve audit messages and generate audit summary reports. The kernel audit system generates and filters the kernel's various audit messages.

The Linux security audit system is divided into two parts: syslog and audit. The audit part mainly records security information, such as file reads and writes and permission modifications; the syslog part mainly records various system information, such as hardware alarms and software logs. The log data falls into three categories: kernel and system logs, user logs, and program logs.

Syslog is an application-layer service dedicated to recording logs. Each program can be regarded as a subsystem, and syslog can save logs to different files according to their category and priority. In addition, syslog has two processes: syslogd records logs generated by non-kernel sources, and klogd records logs generated by the kernel; this information is read through the syslog system call and recorded in the log file.

In addition to Linux, there is the SNARE (System iNtrusion and Reporting Environment) audit system, an open-source security auditing and event logging software package. The SNARE system mainly consists of three modules: the dynamically loadable kernel module auditmodule.o; the audit monitoring program auditd, which runs in user space; and the graphical configuration and reporting tool snare. This system separates auditing from the kernel into a module independent of the kernel. It rewrites the system calls to be audited, collecting audit information and placing the audit records into a buffer pool within the new system calls; after the module is loaded, the function pointers in the system call table are pointed at the new system call functions, so that the new system calls with auditing replace the original ones.

In addition, the WINDOWS NT audit system can detect and record any security-related event that creates, accesses or deletes system resources, and records the user who performed the action. During auditing, the object manager can generate audit events according to the audit policy, which is a passive process, or a user program can actively generate audit events using the audit functions.

The Linux operating system has a macro kernel (monolithic) architecture: the main core components of the system are implemented in the kernel, and some modules of the security audit system are also implemented in the kernel. This design concept differs from the microkernel operating system targeted by the present invention and is not conducive to modular design.

The SNARE system has relatively few audit events and is not comprehensive enough. Moreover, its approach of separating the audit system through system calls relies on the system call table; once the system call table can no longer be referenced from a kernel module, this approach is no longer feasible.

Therefore, for a microkernel operating system, a security audit monitoring system needs to be designed at the user level to maintain the security and reliability of the operating system while ensuring isolation.

发明内容Summary of the invention

本公开实施例提供一种基于微内核操作系统的安全监控方法、装置、设备及芯片。The embodiments of the present disclosure provide a security monitoring method, apparatus, device and chip based on a microkernel operating system.

第一方面,本公开实施例中提供了一种基于微内核操作系统的安全监控方法,其中,包括:In a first aspect, an embodiment of the present disclosure provides a security monitoring method based on a microkernel operating system, which includes:

响应于用户空间的执行对象对微内核操作系统中的系统调用接口的调用请求,在内核空间将所述调用请求对应的系统调用事件类型与预先配置的审计配置信息进行匹配;In response to a call request from an execution object in a user space to a system call interface in a microkernel operating system, matching a system call event type corresponding to the call request with pre-configured audit configuration information in a kernel space;

在所述系统调用事件类型与所述审计配置信息相匹配时,将所述系统调用接口进入内核空间运行时的入口审计信息记录在所述执行对象的审计上下文结构中,并将所述系统调用接口退出时的出口审计信息也记录在所述执行对象的审计上下文结构中; When the system call event type matches the audit configuration information, the entry audit information of the system call interface when entering the kernel space for runtime is recorded in the audit context structure of the execution object, and the exit audit information of the system call interface when exiting is also recorded in the audit context structure of the execution object;

在退出所述系统调用接口时将所述审计上下文结构中的入口审计信息和出口审计信息从所述内核空间输出至用户空间的审计缓冲区。When exiting the system call interface, the entry audit information and the exit audit information in the audit context structure are output from the kernel space to the audit buffer of the user space.

Further, the method further comprises:

When the system call event type corresponding to the call request does not match the audit configuration information, writing first kernel-mode log information, generated by the system call interface while it executes in kernel space, into a log buffer in user space.

Further, the method further comprises:

Writing user-mode log information generated in user space into the log buffer; and/or,

Writing second kernel-mode log information generated in kernel space into the log buffer; wherein the second kernel-mode log information is log information generated in kernel space by something other than the system call interface.

Further, the method further comprises:

Reading, in user space, the log information in the log buffer;

Calling a file system interface to output the log information in the log buffer to a console or a log file.

Further, the method further comprises:

Acquiring user space audit information generated in user space;

Matching the user space audit information against the audit configuration information;

When the user space audit information matches the audit configuration information, writing the user space audit information into the audit buffer.

Further, the method further comprises:

Receiving user configuration information input by a user in user space through a preset interface;

Updating the audit configuration information stored in user space based on the user configuration information.

Further, the method further comprises:

Receiving a user's request, made in user space, to view a log file;

Outputting the log file to the user based on the viewing request.

Further, the method further comprises:

Reading, in user space, the audit information in the audit buffer;

Calling a file system interface to output the audit information in the audit buffer to an audit file.

Further, the method further comprises:

Receiving a user's request, made in user space, to view the audit file;

Outputting an audit report to the user based on the audit information in the audit file.

Further, the method further comprises:

Setting up an audit buffer linked list in user space; the audit buffer linked list is used to store pointers to the audit buffers;

Calling a file system interface to output the audit information in the audit buffer to an audit file comprises:

After the number of pointers in the audit buffer linked list exceeds a preset threshold, calling, in user space and based on the pointers in the audit buffer linked list, a file system interface to output the audit information in the audit buffers to the audit file;

Deleting the corresponding pointers from the audit buffer linked list.

Further, the method further comprises:

Establishing idle audit buffers;

Storing pointers to the idle audit buffers in an idle audit buffer linked list;

Outputting, when exiting the system call interface, the entry audit information and the exit audit information in the audit context structure from the kernel space to the audit buffer in user space comprises:

Requesting an idle audit buffer from the idle audit buffer linked list;

Writing the audit information in the audit context structure into the idle audit buffer.

Further, the method further comprises:

When there is no idle audit buffer in the idle audit buffer linked list, reallocating an audit buffer;

Writing the audit information in the audit context structure into the reallocated audit buffer.
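The two linked lists in the claims above (an idle list that supplies buffers on system call exit, with a fresh allocation when it runs dry, and a pending list whose pointers are flushed through the file system interface once a threshold is passed and then deleted) can be demonstrated in a few dozen lines of C. The following is an added example written for this page, not code from the patent or its applicant; the type and function names, the fixed buffer size and the use of a callback in place of the file system interface are all assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example of the idle and pending audit buffer lists; names are assumptions. */
#define AUDIT_BUF_SIZE 256

struct audit_buf {
    struct audit_buf *next;
    size_t len;
    char   data[AUDIT_BUF_SIZE];      /* audit information copied from an audit context */
};

struct audit_pool {
    struct audit_buf *free_list;      /* idle audit buffer linked list */
    struct audit_buf *pending_head;   /* audit buffer linked list: filled buffers awaiting output */
    struct audit_buf *pending_tail;
    size_t pending_count;
    size_t threshold;                 /* preset threshold on the number of pending pointers */
    size_t reallocations;             /* buffers allocated because the idle list was empty */
};

/* Stands in for the file system interface: receives one buffer's content. */
typedef size_t (*audit_sink_fn)(const char *data, size_t len, void *arg);

/* In-memory sink used for the demonstration (a real deployment would write a file). */
struct mem_sink { char out[4096]; size_t len; };
size_t audit_sink_memory(const char *data, size_t len, void *arg)
{
    struct mem_sink *s = arg;
    if (s->len + len > sizeof s->out) return 0;
    memcpy(s->out + s->len, data, len);
    s->len += len;
    return len;
}

void audit_pool_init(struct audit_pool *p, size_t prealloc, size_t threshold)
{
    memset(p, 0, sizeof *p);
    p->threshold = threshold;
    for (size_t i = 0; i < prealloc; i++) {      /* establish idle buffers up front */
        struct audit_buf *b = calloc(1, sizeof *b);
        if (!b) break;
        b->next = p->free_list;
        p->free_list = b;
    }
}

/* Request an idle buffer; when the idle list is empty, allocate a fresh one. */
struct audit_buf *audit_buf_acquire(struct audit_pool *p)
{
    struct audit_buf *b = p->free_list;
    if (b) {
        p->free_list = b->next;
    } else {
        b = calloc(1, sizeof *b);
        if (!b) return NULL;
        p->reallocations++;
    }
    b->next = NULL;
    b->len = 0;
    return b;
}

/* Kernel-side step: copy audit information into a buffer and link it into the pending list (FIFO). */
int audit_commit(struct audit_pool *p, const char *record, size_t len)
{
    if (len > AUDIT_BUF_SIZE) return -1;
    struct audit_buf *b = audit_buf_acquire(p);
    if (!b) return -1;
    memcpy(b->data, record, len);
    b->len = len;
    if (p->pending_tail) p->pending_tail->next = b; else p->pending_head = b;
    p->pending_tail = b;
    p->pending_count++;
    return 0;
}

/* User-side step: once the pending list holds more than `threshold` pointers, write every
 * buffer through the sink in order, unlink its pointer and return it to the idle list.
 * Returns the number of buffers written (0 when the threshold was not exceeded). */
size_t audit_flush_if_needed(struct audit_pool *p, audit_sink_fn sink, void *arg)
{
    if (p->pending_count <= p->threshold) return 0;
    size_t flushed = 0;
    while (p->pending_head) {
        struct audit_buf *b = p->pending_head;
        p->pending_head = b->next;               /* delete the pointer from the pending list */
        sink(b->data, b->len, arg);
        b->next = p->free_list;                  /* buffer becomes idle again */
        p->free_list = b;
        flushed++;
    }
    p->pending_tail = NULL;
    p->pending_count = 0;
    return flushed;
}

void audit_pool_destroy(struct audit_pool *p)
{
    struct audit_buf *b;
    while ((b = p->free_list))    { p->free_list = b->next;    free(b); }
    while ((b = p->pending_head)) { p->pending_head = b->next; free(b); }
    p->pending_tail = NULL;
    p->pending_count = 0;
}

int main(void)
{
    struct audit_pool p; struct mem_sink ms = {0};
    audit_pool_init(&p, 2, 2);                   /* two idle buffers, flush after more than two pending */
    audit_commit(&p, "rec1;", 5); audit_commit(&p, "rec2;", 5); audit_commit(&p, "rec3;", 5);
    printf("reallocations=%zu flushed=%zu out=%.*s\n", p.reallocations,
           audit_flush_if_needed(&p, audit_sink_memory, &ms), (int)ms.len, ms.out);
    audit_pool_destroy(&p);
    return 0;
}
```

Two points worth noting for a deployment: the pending list is kept in FIFO order so the audit file preserves event order, and `reallocations` is exposed so an operator can detect an idle list that is chronically too small (every reallocation is an allocation on the audit path that the pre-established buffers were meant to avoid).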

Further, the method further comprises:

After the content of the audit file exceeds a preset storage capacity, creating a new audit file;

After the number of audit files exceeds a preset number, deleting the one or more audit files created earliest, in chronological order.
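The rotation policy in the two claims above (a new audit file once the current one exceeds its capacity, and deletion of the earliest-created files once the count exceeds a limit) is shown below as an added example written for this page; it is not the patent's code. It targets POSIX file APIs and assumes a monotonically numbered file name scheme under a directory of the caller's choosing; the names and the byte-counting capacity check are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed example of audit file rotation (POSIX); names are assumptions. */
struct audit_rotator {
    char     dir[200];
    size_t   capacity;       /* preset storage capacity per audit file, in bytes */
    unsigned max_files;      /* preset number of audit files retained */
    unsigned next_index;     /* index for the next file to create; indices follow creation order */
    unsigned oldest_index;   /* index of the earliest-created file still on disk */
    size_t   current_size;
    FILE    *current;
};

static void audit_path(const struct audit_rotator *r, unsigned idx, char *out, size_t n)
{
    snprintf(out, n, "%s/audit-%06u.log", r->dir, idx);
}

int audit_rotator_init(struct audit_rotator *r, const char *dir, size_t capacity, unsigned max_files)
{
    memset(r, 0, sizeof *r);
    if (capacity == 0 || max_files == 0 || strlen(dir) >= sizeof r->dir) return -1;
    strcpy(r->dir, dir);
    r->capacity = capacity;
    r->max_files = max_files;
    if (mkdir(dir, 0700) != 0 && access(dir, W_OK) != 0) return -1;   /* an existing dir is fine */
    return 0;
}

/* Create a new audit file; then, while more than max_files exist, delete the earliest-created ones. */
static int audit_open_new_file(struct audit_rotator *r)
{
    char path[256];
    if (r->current) fclose(r->current);
    audit_path(r, r->next_index, path, sizeof path);
    r->current = fopen(path, "wb");
    if (!r->current) return -1;
    r->current_size = 0;
    r->next_index++;
    while (r->next_index - r->oldest_index > r->max_files) {
        audit_path(r, r->oldest_index, path, sizeof path);
        remove(path);                                  /* oldest first: chronological deletion */
        r->oldest_index++;
    }
    return 0;
}

/* Append one audit record; after the file's content exceeds the capacity a new file is created. */
int audit_rotator_write(struct audit_rotator *r, const char *rec, size_t len)
{
    if (!r->current && audit_open_new_file(r) != 0) return -1;
    if (fwrite(rec, 1, len, r->current) != len) return -1;
    fflush(r->current);
    r->current_size += len;
    if (r->current_size > r->capacity && audit_open_new_file(r) != 0) return -1;
    return 0;
}

unsigned audit_rotator_file_count(const struct audit_rotator *r)
{
    return r->next_index - r->oldest_index;
}

int audit_rotator_file_exists(const struct audit_rotator *r, unsigned idx)
{
    char path[256];
    audit_path(r, idx, path, sizeof path);
    return access(path, F_OK) == 0;
}

/* Close the current file and delete all audit files and the directory (teardown for demos). */
int audit_rotator_purge(struct audit_rotator *r)
{
    char path[256];
    if (r->current) fclose(r->current);
    r->current = NULL;
    for (unsigned i = r->oldest_index; i < r->next_index; i++) {
        audit_path(r, i, path, sizeof path);
        remove(path);
    }
    r->oldest_index = r->next_index;
    return rmdir(r->dir);
}

int main(void)
{
    struct audit_rotator r;
    char dir[64];
    snprintf(dir, sizeof dir, "/tmp/audit_rot_demo_%ld", (long)getpid());
    if (audit_rotator_init(&r, dir, 64, 3) != 0) return 1;   /* 64-byte files, keep 3 */
    for (int i = 0; i < 10; i++) audit_rotator_write(&r, "syscall=3 ret=0 serial=000001\n", 30);
    printf("files retained: %u (indices %u..%u)\n", audit_rotator_file_count(&r), r.oldest_index, r.next_index - 1);
    return audit_rotator_purge(&r);
}
```

Because the count is tracked by index rather than by scanning the directory, deletion cost does not grow with the number of files; an implementation that restarts must recover `oldest_index` and `next_index` from the directory listing before writing, otherwise it will overwrite index 0 and stop deleting the real oldest files.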

In a second aspect, embodiments of the present disclosure provide a security monitoring apparatus based on a microkernel operating system, comprising:

a response module, configured to, in response to a call request from an execution object in user space to a system call interface of the microkernel operating system, match in kernel space the system call event type corresponding to the call request against pre-configured audit configuration information;

a recording module, configured to, when the system call event type matches the audit configuration information, record entry audit information, captured when the system call interface enters kernel space to run, in the audit context structure of the execution object, and also record exit audit information, captured when the system call interface exits, in the audit context structure of the execution object;

a first output module, configured to, when exiting the system call interface, output the entry audit information and the exit audit information in the audit context structure from the kernel space to an audit buffer in user space.

Further, the apparatus further comprises:

a first writing module, configured to, when the system call event type corresponding to the call request does not match the audit configuration information, write first kernel-mode log information, generated by the system call interface while it executes in kernel space, into a log buffer in user space.

Further, the apparatus further comprises:

a second writing module, configured to write user-mode log information generated in user space into the log buffer; and/or,

a third writing module, configured to write second kernel-mode log information generated in kernel space into the log buffer; wherein the second kernel-mode log information is log information generated in kernel space by something other than the system call interface.

Further, the apparatus further comprises:

a first reading module, configured to read, in user space, the log information in the log buffer;

a first calling module, configured to call a file system interface to output the log information in the log buffer to a console or a log file.

Further, the apparatus further comprises:

an acquisition module, configured to acquire user space audit information generated in user space;

a matching module, configured to match the user space audit information against the audit configuration information;

a fourth writing module, configured to, when the user space audit information matches the audit configuration information, write the user space audit information into the audit buffer.

Further, the apparatus further comprises:

a first receiving module, configured to receive user configuration information input by a user in user space through a preset interface;

an update module, configured to update the audit configuration information stored in user space based on the user configuration information.

Further, the apparatus further comprises:

a second receiving module, configured to receive a user's request, made in user space, to view a log file;

a second output module, configured to output the log file to the user based on the viewing request.

Further, the apparatus further comprises:

a second reading module, configured to read, in user space, the audit information in the audit buffer;

a second calling module, configured to call a file system interface to output the audit information in the audit buffer to an audit file.

Further, the apparatus further comprises:

a third receiving module, configured to receive a user's request, made in user space, to view the audit file;

a third output module, configured to output an audit report to the user based on the audit information in the audit file.

Further, the apparatus further comprises:

a setting module, configured to set up an audit buffer linked list in user space; the audit buffer linked list is used to store pointers to the audit buffers;

the second calling module comprises:

a calling submodule, configured to, after the number of pointers in the audit buffer linked list exceeds a preset threshold, call, in user space and based on the pointers in the audit buffer linked list, a file system interface to output the audit information in the audit buffers to the audit file;

a deletion submodule, configured to delete the corresponding pointers from the audit buffer linked list.

Further, the apparatus further comprises:

a first establishing module, configured to establish idle audit buffers;

a storage module, configured to store pointers to the idle audit buffers in an idle audit buffer linked list;

the first output module comprises:

a request submodule, configured to request an idle audit buffer from the idle audit buffer linked list;

a writing submodule, configured to write the audit information in the audit context structure into the idle audit buffer.

Further, the apparatus further comprises:

an allocation module, configured to, when there is no idle audit buffer in the idle audit buffer linked list, reallocate an audit buffer;

a fifth writing module, configured to write the audit information in the audit context structure into the reallocated audit buffer.

Further, the apparatus further comprises:

a second establishing module, configured to, after the content of the audit file exceeds a preset storage capacity, create a new audit file;

a deletion module, configured to, after the number of audit files exceeds a preset number, delete the one or more audit files created earliest, in chronological order.

The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.

In one possible design, the structure of the above apparatus includes a memory and a processor, the memory being used to store one or more computer instructions that enable the apparatus to perform the corresponding method above, and the processor being configured to execute the computer instructions stored in the memory. The apparatus may further include a communication interface through which it communicates with other devices or with a communication network.

In a third aspect, embodiments of the present disclosure provide an electronic device comprising a memory, a processor and a computer program stored in the memory, wherein the processor executes the computer program to implement the method described in any one of the above aspects.

In a fourth aspect, embodiments of the present disclosure provide a computer-readable storage medium for storing the computer instructions used by any of the above apparatuses, which, when executed by a processor, implement the method described in any one of the above aspects.

In a fifth aspect, embodiments of the present disclosure provide a computer program product containing computer instructions which, when executed by a processor, implement the method described in any one of the above aspects.

In a sixth aspect, embodiments of the present disclosure provide a chip for executing instructions to implement the method described in any one of the above aspects.

The technical solution provided by the embodiments of the present disclosure may have the following beneficial effects:

The embodiments of the present disclosure design and implement a security monitoring solution based on a microkernel operating system, which protects the operating system by recording and analyzing its runtime information. In the prior art there are few well-developed security audit solutions designed for microkernel operating systems; the embodiments of the present disclosure design and implement a microkernel-based security monitoring solution that meets operating system security standards and use it to record the state and information of the operating system at runtime, in real time. By providing an audit rule configuration service in user space, the embodiments let an authorized user configure the events to be audited, their format and so on according to need; while the kernel runs, only the events configured by the authorized user are conditionally recorded, so the operating system is monitored for security while the kernel is kept as small as possible.

It is to be understood that the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the present disclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

Other features, objectives and advantages of the present disclosure will become more apparent from the following detailed description of non-limiting embodiments, taken in conjunction with the accompanying drawings. In the drawings:

FIG. 1 shows a flow chart of a security monitoring method based on a microkernel operating system according to an embodiment of the present disclosure.

FIG. 2 is a schematic diagram of the implementation effect of a log buffer and/or an audit buffer according to an embodiment of the present disclosure.

FIGS. 3(a) to 3(c) are schematic diagrams of one implementation of the log system and the audit system included in the security monitoring system of a microkernel operating system according to an embodiment of the present disclosure.

FIG. 4 shows a structural block diagram of a security monitoring apparatus based on a microkernel operating system according to an embodiment of the present disclosure.

FIG. 5 shows a structural block diagram of an electronic device according to an embodiment of the present disclosure.

FIG. 6 is a schematic structural diagram of a computer system suitable for implementing the security monitoring method based on a microkernel operating system according to an embodiment of the present disclosure.

DETAILED DESCRIPTION

Hereinafter, exemplary embodiments of the present disclosure are described in detail with reference to the accompanying drawings so that those skilled in the art can readily implement them. For clarity, parts not related to the description of the exemplary embodiments are omitted from the drawings.

In the present disclosure, it should be understood that terms such as "including" or "having" are intended to indicate the presence of the features, numbers, steps, actions, components, parts or combinations thereof disclosed in the specification, and do not exclude the possibility that one or more other features, numbers, steps, actions, components, parts or combinations thereof exist or are added.

It should also be noted that, where no conflict arises, the embodiments of the present disclosure and the features within them may be combined with one another. The present disclosure is described in detail below with reference to the drawings and in conjunction with the embodiments.

The details of the embodiments of the present disclosure are described below through specific examples.

FIG. 1 shows a flow chart of a security monitoring method based on a microkernel operating system according to an embodiment of the present disclosure. As shown in FIG. 1, the method includes the following steps:

In step S101, in response to a call request from an execution object in user space to a system call interface of the microkernel operating system, the system call event type corresponding to the call request is matched in kernel space against pre-configured audit configuration information;

In step S102, when the system call event type matches the audit configuration information, entry audit information, captured when the system call interface enters kernel space to run, is recorded in the audit context structure of the execution object, and exit audit information, captured when the system call interface exits, is also recorded in the audit context structure of the execution object;

In step S103, when exiting the system call interface, the entry audit information and the exit audit information in the audit context structure are output from the kernel space to an audit buffer in user space.

In this embodiment, the kernel of the microkernel operating system is simplified as far as possible. The kernel contains only the most basic functions needed to implement operating system services, such as the IPC (inter-process communication) mechanism, address space management and the scheduling mechanism, while services such as device drivers, file systems and communication between applications are implemented as user-mode service programs. When an ordinary application needs an operating system service, it initiates inter-process communication with the corresponding service program, which performs the requested operation; where necessary, the service program itself traps into kernel mode by executing a system call interface provided by the kernel in order to complete some basic operation, and then returns the result to the application through inter-process communication.

The embodiments of the present disclosure take the microkernel operating system as the application scenario, add a security monitoring system to the microkernel architecture, keep the kernel as small as possible, and implement the functions of the security monitoring system as user space service programs.

The security monitoring system in the embodiments of the present disclosure includes at least an audit system. The audit system is used for security tracking, and it is designed with the goal of simplifying the kernel as much as possible, so the audit services are placed in user space.

An audit event is the smallest unit in which the system audits a user's actions, and collecting audit events means establishing which audit events exist under the audit standard of a given security level. From the subject's perspective, the system needs to record all activities performed by a user; from the object's perspective, the system needs to record all access activities on a given object.

Audit events can be divided mainly into system call events and user trusted events. The embodiments of the present disclosure make the following design for system call events:

The subject of a system call event is a thread. A system call event can be understood as a call by an execution object in user space, such as a thread, to a system call interface provided by the microkernel operating system. Therefore, in the embodiments of the present disclosure, after the security monitoring system detects a system call event, that is, a call request from an execution object in user space to a system call interface, it can use the audit system designed for system call events to collect audit information and output that information to a log file in user space, so that authorized users can later audit the use of the microkernel operating system based on that file.

The embodiments of the present disclosure can provide, in user space, a management tool with which authorized users configure the audit configuration information. The management tool can offer an audit information configuration interface or a command input interface through which authorized users configure the audit rules and, optionally, the output format of the audit information. The audit configuration information set by the authorized user can be stored in a storage file so that the security monitoring system can read it later.

In the embodiments of the present disclosure, the security monitoring system may be implemented in software. Once the security monitoring system is running, it may start one or more detection threads in user space to detect system call events. After detecting a system call event, the detection thread matches the type of the system call event against the rules set in the audit configuration information in the storage file. If the detected system call event relates to content that the authorized user has pre-configured for auditing, that is, if the current system call event type matches the pre-configured audit configuration information, the entry audit information of the currently called system call interface, captured when it enters kernel mode to run, is written into the audit context structure corresponding to the execution object, and the exit audit information, captured when the system call interface finishes executing and exits, is also written into the audit context structure corresponding to the execution object.

The audit context structure can be written into the source code of the execution object at programming time, and is established when the execution object is created after the security monitoring system is running. When the system call interface exits, one or more information output threads started by the running security monitoring system output the entry audit information and exit audit information in that context structure from kernel space to the audit buffer in user space, after which the audit context structure can be cleared.

In some embodiments, the audit context structure may be as follows:

The entry audit information and the exit audit information can be determined by the audit context structure, that is, the audit context structure predefines which items the entry audit information and the exit audit information each include. As shown in the audit context structure above, the entry audit information may include, but is not limited to, the audit state, serial number, system call entry time, system call number and system call parameters in the audit context structure; the exit audit information may include, but is not limited to, the system call return code and a flag indicating whether the content of the audit context structure has been output to the audit buffer. In some embodiments, the audit buffer in user space can be created when the security monitoring system is initialized, and read/write threads started at initialization perform the read and write operations on the audit buffer.
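The structure listing referred to above is not reproduced on this page, so the following is an added example, written for this page and not taken from the patent, of what steps S101 to S103 look like in C: an audit context holding the fields the text names (audit state, serial number, entry time, system call number and parameters, return code, output flag), a match of the system call number against the audit configuration, and the copy of the context into the user-space audit buffer on exit. The field and function names, the bitmask form of the configuration, the fixed argument count and the array-backed buffer are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the audit context; names and layouts are assumptions. */
#define AUDIT_MAX_ARGS    6
#define AUDIT_BUF_RECORDS 8
#define AUDIT_MAX_SYSCALL 64

/* Audit state of the context: not audited, entry recorded, or exit recorded. */
enum audit_state { AUDIT_DISABLED = 0, AUDIT_ENTRY_RECORDED = 1, AUDIT_EXIT_RECORDED = 2 };

/* One per execution object (thread); holds the entry and exit audit information. */
struct audit_context {
    enum audit_state state;
    uint32_t serial;                 /* sequence number of the audited event */
    uint64_t entry_time;             /* system call entry time */
    int      syscall_nr;             /* system call number */
    uint64_t args[AUDIT_MAX_ARGS];   /* system call parameters */
    int64_t  return_code;            /* system call return code (exit information) */
    int      in_buffer;              /* flag: context has been output to the audit buffer */
};

/* Audit configuration: a bitmask over system call numbers chosen by the authorized user (assumption). */
struct audit_config { uint64_t syscall_mask; };

/* Records as they land in the user-space audit buffer. */
struct audit_record {
    uint32_t serial; uint64_t entry_time; int syscall_nr;
    uint64_t args[AUDIT_MAX_ARGS]; int64_t return_code;
};
struct audit_buffer { struct audit_record records[AUDIT_BUF_RECORDS]; size_t count; };

static uint32_t audit_next_serial = 1;

/* Step S101: match the system call event type against the audit configuration. */
int audit_event_matches(const struct audit_config *cfg, int syscall_nr)
{
    if (syscall_nr < 0 || syscall_nr >= AUDIT_MAX_SYSCALL) return 0;
    return (int)((cfg->syscall_mask >> syscall_nr) & 1u);
}

/* Step S102 (entry): called when the system call enters kernel space.
 * Returns 1 if the event is audited and entry information was recorded, 0 otherwise. */
int audit_syscall_entry(struct audit_context *ctx, const struct audit_config *cfg,
                        int syscall_nr, const uint64_t *args, size_t nargs, uint64_t now)
{
    memset(ctx, 0, sizeof *ctx);                          /* context is cleared for each new call */
    if (!audit_event_matches(cfg, syscall_nr)) return 0;  /* state stays AUDIT_DISABLED */
    ctx->state = AUDIT_ENTRY_RECORDED;
    ctx->serial = audit_next_serial++;
    ctx->entry_time = now;
    ctx->syscall_nr = syscall_nr;
    if (nargs > AUDIT_MAX_ARGS) nargs = AUDIT_MAX_ARGS;
    memcpy(ctx->args, args, nargs * sizeof args[0]);
    return 1;
}

/* Steps S102 (exit) and S103: record the return code, then output the whole context to the
 * user-space audit buffer. Returns 1 if a record was written, 0 if the call was not audited,
 * -1 if the buffer is full (the record is dropped, which a deployment should count). */
int audit_syscall_exit(struct audit_context *ctx, int64_t return_code, struct audit_buffer *buf)
{
    if (ctx->state == AUDIT_DISABLED) return 0;
    ctx->return_code = return_code;
    ctx->state = AUDIT_EXIT_RECORDED;
    if (buf->count >= AUDIT_BUF_RECORDS) return -1;
    struct audit_record *r = &buf->records[buf->count++];
    r->serial = ctx->serial;
    r->entry_time = ctx->entry_time;
    r->syscall_nr = ctx->syscall_nr;
    memcpy(r->args, ctx->args, sizeof r->args);
    r->return_code = ctx->return_code;
    ctx->in_buffer = 1;                                   /* exit information: output flag set */
    return 1;
}

int main(void)
{
    struct audit_config cfg = { (1ull << 3) | (1ull << 5) };  /* audit system calls 3 and 5 only */
    struct audit_buffer buf = {0};
    struct audit_context ctx;
    uint64_t a[2] = { 0x10, 0x20 };
    audit_syscall_entry(&ctx, &cfg, 3, a, 2, 1000);   /* configured: entry recorded */
    audit_syscall_exit(&ctx, 0, &buf);                /* exit recorded and output to buffer */
    audit_syscall_entry(&ctx, &cfg, 4, a, 2, 1001);   /* not configured: no audit record */
    audit_syscall_exit(&ctx, -1, &buf);
    printf("records in audit buffer: %zu (serial %u, syscall %d)\n",
           buf.count, buf.records[0].serial, buf.records[0].syscall_nr);
    return 0;
}
```

The split into an entry and an exit step is what lets the record carry both the parameters the caller supplied and the outcome the kernel produced; the `in_buffer` flag is what the exit step leaves behind so that a context that was never output (buffer full) can be told apart from one that was.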

本公开实施例设计和实现了基于微内核操作系统的安全监控方案,通过记录和分析操作系统的运行时信息,来保证操作系统安全。已有技术中,少有针对微内核操作系统设计完善的安全审计方案,而本公开实施例设计与实现了符合操作系统安全标准的基于微内核操作系统的安全监控方案,并利用该安全监控方案实时地记录操作系统运行时的状态和信息。本公开实施例通过在用户空间提供配置审计规则服务,权限用户根据需求对需要进行审计的事件、格式等做配置,内核系统运行过程中仅针对权限用户所配置的相关事件进行有条件的记录,在尽可能最大化简化内核的前提下对操作系统进行安全监控。The disclosed embodiment designs and implements a security monitoring solution based on a microkernel operating system, and ensures the security of the operating system by recording and analyzing the runtime information of the operating system. In the prior art, there are few well-designed security audit solutions for microkernel operating systems, and the disclosed embodiment designs and implements a security monitoring solution based on a microkernel operating system that meets the operating system security standards, and uses the security monitoring solution to record the status and information of the operating system in real time during runtime. The disclosed embodiment provides a configuration audit rule service in the user space, and the authorized user configures the events and formats that need to be audited according to the needs. During the operation of the kernel system, only the relevant events configured by the authorized user are conditionally recorded, and the operating system is securely monitored under the premise of maximizing the simplification of the kernel as much as possible.

在本实施例的一个可选实现方式中,所述方法进一步还包括以下步骤:In an optional implementation of this embodiment, the method further includes the following steps:

在所述调用请求对应的系统调用事件类型与所述审计配置信息不相匹配时,将所述系统调用接口在内核空间执行过程中所产生的第一内核态日志信息写入用户空间的日志缓冲区中。When the system call event type corresponding to the call request does not match the audit configuration information, the first kernel state log information generated by the system call interface during the execution of the kernel space is written into the log buffer of the user space.

该可选的实现方式中,如果当前调用的系统调用接口对应的系统调用事件类型与权限用户优选配置的审计配置信息不相匹配,则说明当前系统调用涉及的内容不是权限用户关心的审计信息,因此可以不产生相关的审计信息。然而,为了后续查看需要,可以将相关的日志信息写入用户空间的日志缓冲区。在一些实施例中,可以由安全监控系统运行后启动的日志输出线程将相关的日志信息写入用户空间的日志缓冲区。In this optional implementation, if the system call event type corresponding to the currently called system call interface does not match the audit configuration information preferably configured by the authorized user, it means that the content involved in the current system call is not the audit information that the authorized user is concerned about, so no relevant audit information may be generated. However, for subsequent viewing needs, the relevant log information may be written into the log buffer of the user space. In some embodiments, the log output thread started after the security monitoring system is running may write the relevant log information into the log buffer of the user space.

也就是说,在安全监控系统初始化时,可以在用户空间建立审计缓冲区和日志缓冲区,对于微内核操作系统中的系统调用类事件,如果权限用户没有预先配置需要对当前的系统调用类事件相关的审计信息进行审计,则日志输出线程还可以将当前的系统调用类事件相关的第一内核态日志信息写入日志缓冲区。需要说明的是,相关的第一内核态日志信息可以包括但不限于系统调用类事件的开始时间、结束时间、运行过程中对微内核操作系统的修改操作等相关日志。在微内核操作系统中可以专门设置一日志输出线程,专门将内核空间运行的程序的相关日志写入到用户空间的日志缓冲区中。That is to say, when the security monitoring system is initialized, an audit buffer and a log buffer can be established in the user space. For system call events in the microkernel operating system, if the authorized user does not pre-configure the need to audit the audit information related to the current system call event, the log output thread can also write the first kernel state log information related to the current system call event into the log buffer. It should be noted that the relevant first kernel state log information may include but is not limited to the start time, end time, and related logs of the modification operation of the microkernel operating system during the operation of the system call event. In the microkernel operating system, a log output thread can be specially set to write the relevant logs of the program running in the kernel space into the log buffer of the user space.

在本实施例的一个可选实现方式中,所述方法进一步还包括以下步骤:In an optional implementation of this embodiment, the method further includes the following steps:

将用户空间产生的用户态日志信息写入所述日志缓冲区中;和/或,Writing the user state log information generated by the user space into the log buffer; and/or,

将内核空间产生的第二内核态日志信息写入所述日志缓冲区中;其中,所述第二内核态日志信息为非系统调用接口在内核空间产生的日志信息。The second kernel state log information generated by the kernel space is written into the log buffer; wherein the second kernel state log information is log information generated by the non-system call interface in the kernel space.

该可选的实现方式中,日志缓冲区中还可以记录用户空间产生的用户态日志信息,并且内核空间产生的第二内核态日志信息也可以写入日志缓冲区中。本实施中为了能够区分在内核空间中系统调用类事件产生的日志信息以及其他情况下产生的日志信息,将系统调用类事件产生的日志信息称之为第一内核态日志信息,而其他情况下产生的 日志信息称之为第二内核态日志信息。在一些实施例中,可以由安全监控系统初始化时建立的日志输出线程将第一内核态日志信息写入日志缓冲区。可以理解的是,第一内核态日志信息和第二内核态日志信息可以由相同的日志输出线程处理,也可以由不同的日志输出线程来处理。In this optional implementation, the log buffer can also record user-mode log information generated by the user space, and the second kernel-mode log information generated by the kernel space can also be written into the log buffer. In order to distinguish the log information generated by system call events in the kernel space from the log information generated in other situations, the log information generated by system call events is called the first kernel-mode log information, and the log information generated in other situations is called the second kernel-mode log information. The log information is referred to as the second kernel state log information. In some embodiments, the first kernel state log information can be written into the log buffer by the log output thread established when the security monitoring system is initialized. It is understandable that the first kernel state log information and the second kernel state log information can be processed by the same log output thread, or by different log output threads.

In some embodiments, user-mode log information from user space may include, but is not limited to, run logs of application software running in user space and records of modifications to configuration information made in user space; first or second kernel-mode log information may include, but is not limited to, run records of the microkernel operating system, alarm prompt records in the microkernel operating system, logs of operations performed by user threads on the microkernel operating system, and records of user thread behaviour in the microkernel operating system.

The first and second kernel-mode log information generated in kernel space can be output from kernel space to the log buffer in user space by a dedicated log output thread. Log information generated in user space can be written into the user-space log buffer by a corresponding log output thread. In some embodiments, that log output thread can be started once the security monitoring system is running.

In an optional implementation of this embodiment, the method further includes the following steps:

reading the log information in the log buffer in user space;

calling a file system interface to output the log information in the log buffer to a console or a log file.

In this optional implementation, log information is recorded in the log buffer established in user space, and the security monitoring system can start a log reading thread once it is running. When the log buffer is full, or periodically, the log reading thread can write the log information in the log buffer into a log file. Writing the log file can be done in user space: the log reading thread calls a file system interface in user space to write the log information from the log buffer into the log file. In other embodiments, the log reading thread can also call the file system interface to output the log information in the log buffer directly to a console, where it is stored on the console's storage device and/or shown on the console's display for the relevant personnel to view.

In an optional implementation of this embodiment, the method further includes the following steps:

obtaining user-space audit information generated in user space;

matching the user-space audit information against the audit configuration information;

when the user-space audit information matches the audit configuration information, writing the user-space audit information into the audit buffer.

In this optional implementation, user space also generates information that the authorized user wants audited. The authorized user can pre-configure audit configuration information for user space as well, placing the event types and/or information types to be audited in the audit configuration information. After user space generates user-space audit information, an audit matching thread started once the security monitoring system is running can match it against the audit configuration information; if it matches, it is written into the audit buffer, and if it does not match, it need not be written into the audit buffer and can instead be written into the log buffer by the relevant log thread.

In an optional implementation of this embodiment, the method further includes the following steps:

receiving user configuration information input by a user in user space through a preset interface;

updating the audit configuration information stored in user space based on the user configuration information.

In this optional implementation, the authorized user can input user configuration information through an interface preset in user space, and that user configuration information can be used to update the audit configuration information pre-stored in user space. In this way the authorized user can pre-configure the audit configuration information in user space and can later edit it, for example by modifying it. Once the security monitoring system is running, it can provide an interface for the user to input user configuration information; through this interface the security monitoring system receives the user configuration information the user inputs and updates it into the storage file of the configuration information.

In an optional implementation of this embodiment, the method further includes the following steps:

receiving a user's request in user space to view a log file;

outputting the log file to the user based on the viewing request.

In this optional implementation, the log file can be stored in user space, and the user can request to view the log file in user space through a viewing interface provided by the security monitoring system. After receiving the user's request, the viewing interface can output the log file to the user by calling a file system interface, for example by opening the log file and displaying it on the user's display device.

In an optional implementation of this embodiment, the method further includes the following steps:

reading the audit information in the audit buffer in user space;

calling a file system interface to output the audit information in the audit buffer to an audit file.

In this optional implementation, audit information from both user space and kernel space is recorded in the audit buffer established in user space, and the security monitoring system can start an audit reading thread once it is running. When the audit buffer is full, or periodically, the audit reading thread can write the audit information in the audit buffer into an audit file. Writing the audit file can be done in user space: the audit reading thread calls a file system interface in user space to write the audit information from the audit buffer into the audit file. In other embodiments, the audit reading thread can also call the file system interface to output the audit information in the audit buffer directly to a console, where it is stored on the console's storage device and/or shown on the console's display for the relevant personnel to view.

In an optional implementation of this embodiment, the method further includes the following steps:

receiving a user's request in user space to view the audit file;

outputting an audit report to the user based on the audit information in the audit file.

In this optional implementation, after the audit information has been written into the audit file, when the authorized user views the audit file the audit information can be turned into an audit report based on pre-configured audit rules and output to the authorized user. The security monitoring system can also provide the user with a viewing interface for the audit file; after receiving the user's request, the viewing interface outputs the audit report to that user once it has determined that the current user has the required authority.

In an optional implementation of this embodiment, the method further includes the following steps:

setting up an audit buffer linked list in user space, the audit buffer linked list being used to store pointers to the audit buffers;

and calling a file system interface to output the audit information in the audit buffer to an audit file includes:

after the number of pointers in the audit buffer linked list exceeds a preset threshold, calling, in user space and based on the pointers in the audit buffer linked list, a file system interface to output the audit information in the audit buffers to the audit file;

deleting the corresponding pointers from the audit buffer linked list.

In this optional implementation, an audit buffer linked list can be created in user space during initialization of the security monitoring system, and this list stores pointers to audit buffers. That is, multiple audit buffers can be created in user space, and the pointer to each audit buffer can be stored in the audit buffer linked list. The maximum number of audit buffer pointers that the list can hold can be set in advance; this maximum is expressed as a preset threshold. After the number of pointers in the audit buffer linked list exceeds the preset threshold, a process that writes the audit information in the audit buffers into the audit file can be started; this process writes the audit information in the audit buffers pointed to by the stored pointers into the audit file, and the pointer of each audit buffer whose audit information has been successfully written into the audit file can be deleted from the audit buffer linked list.

In an optional implementation of this embodiment, the audit buffer and/or the log buffer in user space uses a double-buffer mode.

In this optional implementation, in order to reduce the number of system calls and thereby the time the operating system spends switching between user mode and kernel mode, the embodiment of the present disclosure maintains an audit buffer and a log buffer in user space. Log information and audit information are written in a unified format into the log buffer and the audit buffer respectively; the log reading thread and the audit reading thread in user space are respectively responsible for monitoring and reading the log buffer and the audit buffer and writing their contents into the log file and the audit file. In kernel space, the log output thread writes the kernel's log information into the user-space log buffer, and the audit output thread writes kernel-mode audit information into the user-space audit buffer.

The buffers exist mainly to solve the rate mismatch between the generation and the reading of log or audit information. Beyond the rate mismatch, in the scenario of the embodiment of the present disclosure, reading and writing a buffer are often accompanied by safety problems introduced by the reader and writer threads. For this reason, the embodiment of the present disclosure designs the user-space log buffer and audit buffer in a double-buffer mode.

An array is a one-dimensional contiguous linear structure in physical storage; allocating it once avoids frequent memory allocation and release, and access to it is efficient. The embodiment of the present disclosure therefore uses an array-based double buffer.

As shown in Figure 2, the audit buffer is implemented as two buffers, Buff_1 and Buff_2. Buff_1 is used by the current writing thread, i.e. the audit output thread, to store audit information; when audit buffer Buff_1 is full, a swap operation is triggered that moves the contents of audit buffer Buff_1 over to audit buffer Buff_2, after which the reading thread, i.e. the audit reading thread, reads the data from audit buffer Buff_2 and writes it into the audit file. Likewise, the log buffer can be implemented as two buffers Buff_1 and Buff_2: Buff_1 is used by the current writing thread, i.e. the log output thread, to store log information; when log buffer Buff_1 is full, a swap operation is triggered that moves the contents of log buffer Buff_1 over to log buffer Buff_2, after which the reading thread, i.e. the log reading thread, reads the data from log buffer Buff_2 and writes it into the log file.

In an optional implementation of this embodiment, in the double-buffer mode of the audit buffer, after the first audit buffer currently being written with audit information is full, the addresses of the first audit buffer and the second audit buffer are swapped, so that the buffer pointer through which the kernel-mode audit output thread writes audit information switches from the address of the first audit buffer in user space to the address of the second audit buffer, while the buffer pointer through which the audit reading thread reads audit information points to the address of the first audit buffer.

In this optional implementation, when the two audit buffers are swapped, both buffers have to be locked, and a copy-based swap of the buffer contents would hold the locks for a long time and hurt overall performance. Therefore, in the embodiment of the present disclosure, the swap operation directly exchanges the addresses of the two audit buffers: the pointer through which the audit output thread writes, which pointed at audit buffer Buff_1, is made to point at audit buffer Buff_2, and the pointer through which the audit reading thread reads, which pointed at Buff_2, is made to point at Buff_1; subsequent reads and writes then proceed, which achieves the buffer swap. The only operation inside the critical section is the pointer exchange, so it executes quickly. The double-buffer design only needs to guarantee that one buffer is available for writing data and one for reading data; this way, when the kernel-mode audit output thread writes into the buffer, its execution is not blocked by the slower execution of user mode, which further improves kernel-mode processing efficiency.

The embodiment of the present disclosure does not need to set up one large buffer; instead it sets up an array-based double buffer that separates the buffers used for reading and for writing into two buffers, which avoids the thread blocking caused by holding a lock on a single buffer for a long time. At the same time, an array-based buffer is allocated once, avoiding frequent memory allocation and release.

In an optional implementation of this embodiment, in the double-buffer mode of the log buffer, after the first log buffer currently being written with log information is full, the addresses of the first log buffer and the second log buffer are swapped, so that the buffer pointer through which the kernel-mode log output thread writes log information switches from the address of the first log buffer in user space to the address of the second log buffer, while the buffer pointer through which the log reading thread reads log information points to the address of the first log buffer.

In this optional implementation, when the two log buffers are swapped, both buffers have to be locked, and a copy-based swap of the buffer contents would hold the locks for a long time and hurt overall performance. Therefore, in the embodiment of the present disclosure, the swap operation directly exchanges the addresses of the two log buffers: the pointer through which the log output thread writes, which pointed at log buffer Buff_1, is made to point at log buffer Buff_2, and the pointer through which the log reading thread reads, which pointed at Buff_2, is made to point at Buff_1; subsequent reads and writes then proceed, which achieves the buffer swap. The only operation inside the critical section is the pointer exchange, so it executes quickly. The double-buffer design only needs to guarantee that one buffer is available for writing data and one for reading data; this way, when the kernel-mode log output thread writes into the buffer, its execution is not blocked by the slower execution of user mode, which further improves kernel-mode processing efficiency.

In addition, a semaphore mechanism can be used to solve the synchronization and mutual exclusion problems that arise when multiple threads access a buffer: reads and writes of the same buffer are made mutually exclusive between threads, and after the buffer swap operation completes, the reading thread is notified to read the buffer.
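The following is an added illustration of the array-based double buffer with pointer swap described above; it is not code from the patent or its applicant. Two fixed arrays stand in for Buff_1 and Buff_2, the writer and reader each hold a pointer, and the only work done under the lock is exchanging those two pointers. In place of the semaphore the text mentions, a spin lock on an atomic flag guards the swap and an atomic "read ready" flag carries the notification to the reader, so the block needs no threading library; the names (dbuf, BUF_RECORDS, REC_SIZE) and the fixed-size record format are assumptions.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_RECORDS 4   /* records per buffer; small so the demo fills it (constructed) */
#define REC_SIZE    64  /* fixed-size record in the "unified format" (assumption) */

typedef struct {
    char data[BUF_RECORDS][REC_SIZE];
    int  used;
} audit_buf;

typedef struct {
    audit_buf   storage[2];   /* Buff_1 and Buff_2, allocated once with the struct */
    audit_buf  *write_buf;    /* pointer the output (writer) thread writes through */
    audit_buf  *read_buf;     /* pointer the reading thread reads through */
    atomic_bool read_ready;   /* "notify the reader": a swap has happened */
    atomic_flag lock;         /* guards the pointer swap (stands in for the semaphore) */
    long        dropped;      /* writes refused because the reader had not drained yet */
} dbuf;

static void dbuf_lock(dbuf *d)   { while (atomic_flag_test_and_set_explicit(&d->lock, memory_order_acquire)) {} }
static void dbuf_unlock(dbuf *d) { atomic_flag_clear_explicit(&d->lock, memory_order_release); }

int dbuf_init(dbuf *d) {
    memset(d, 0, sizeof *d);
    d->write_buf = &d->storage[0];
    d->read_buf  = &d->storage[1];
    atomic_flag_clear(&d->lock);
    atomic_store(&d->read_ready, false);
    return 0;
}

/* The critical section exchanges two pointers and nothing else: no copying. */
static void dbuf_swap_locked(dbuf *d) {
    audit_buf *t = d->write_buf;
    d->write_buf = d->read_buf;
    d->read_buf  = t;
    atomic_store(&d->read_ready, true);
}

/* Writer side (audit/log output thread). Returns 1 if this write triggered a
 * swap, 0 for a plain write, -1 if the record was dropped because the reader
 * has not yet drained the other buffer (the writer never blocks on it). */
int dbuf_write(dbuf *d, const char *rec) {
    int rc = 0;
    dbuf_lock(d);
    if (d->write_buf->used == BUF_RECORDS) {
        if (atomic_load(&d->read_ready)) {
            d->dropped++;
            dbuf_unlock(d);
            return -1;
        }
        dbuf_swap_locked(d);
        rc = 1;
    }
    strncpy(d->write_buf->data[d->write_buf->used], rec, REC_SIZE - 1);
    d->write_buf->data[d->write_buf->used][REC_SIZE - 1] = '\0';
    d->write_buf->used++;
    dbuf_unlock(d);
    return rc;
}

/* Reader side (audit/log reading thread). Drains read_buf into sink if a swap
 * has been signalled; returns the number of records handed to sink. The writer
 * never touches read_buf between the swap and the reset below, so the copy
 * out to the file can happen outside the lock. */
int dbuf_try_drain(dbuf *d, void (*sink)(const char *)) {
    if (!atomic_load(&d->read_ready)) return 0;
    int n = d->read_buf->used;
    for (int i = 0; i < n; i++) sink(d->read_buf->data[i]);
    dbuf_lock(d);
    d->read_buf->used = 0;
    atomic_store(&d->read_ready, false);
    dbuf_unlock(d);
    return n;
}

static dbuf demo_buf;                 /* stand-in for the user-space audit buffer */
static int  demo_sink_calls;
static void count_sink(const char *rec) { (void)rec; demo_sink_calls++; }
static void print_sink(const char *rec) { printf("audit.log <- %s\n", rec); }

int main(void) {
    char rec[REC_SIZE];
    dbuf_init(&demo_buf);
    for (int i = 0; i < 10; i++) {
        snprintf(rec, sizeof rec, "syscall=%d ret=0", 60 + i);   /* constructed records */
        if (dbuf_write(&demo_buf, rec) == 1)                      /* a swap just happened */
            printf("drained %d records\n", dbuf_try_drain(&demo_buf, print_sink));
    }
    printf("dropped=%ld\n", demo_buf.dropped);
    return 0;
}
```

The drop path is the property the text cares about: a full write buffer plus an undrained read buffer means the writer returns immediately rather than waiting on user mode, at the price of a lost record that the counter makes visible.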

In an optional implementation of this embodiment, the method further includes the following steps:

establishing idle audit buffers;

storing pointers to the idle audit buffers in an idle audit buffer linked list;

and outputting, on exit from the system call interface, the entry audit information and exit audit information in the audit context structure from kernel space to the audit buffer in user space includes:

requesting an idle audit buffer from the idle audit buffer linked list;

writing the audit information in the audit context structure into the idle audit buffer.

In this optional implementation, when the security monitoring system is initialized it can pre-establish multiple idle audit buffers and store pointers to them in an idle audit buffer linked list. When the system call interface in kernel space exits and the audit information in the audit context structure of the execution object that invoked the system call interface needs to be output from kernel space to user space, the audit output thread can request an idle audit buffer from the idle audit buffer linked list and write the audit information in the audit context structure into that idle audit buffer.

It should be noted that the corresponding audit output thread can take the pointer of the audit buffer into which audit information has been written out of the idle audit buffer linked list and place it in the non-idle audit buffer linked list, while the pointer to that audit buffer in the idle audit buffer linked list can be deleted.

In an optional implementation of this embodiment, the method further includes the following steps:

when there is no idle audit buffer in the idle audit buffer linked list, allocating a new audit buffer;

writing the audit information in the audit context structure into the newly allocated audit buffer.

In this optional implementation, the audit output thread can write the pointers of the idle audit buffers it creates into the audit buffer linked list. When an execution object in kernel space requests an audit buffer, the audit output thread can also find an idle audit buffer in the audit buffer linked list and write the audit information in that execution object's audit context structure into that idle audit buffer.

If the audit buffer linked list contains no pointer to an idle audit buffer, the audit output thread can allocate a new audit buffer for the current execution object, and the corresponding audit output thread writes the audit information in that execution object's audit context structure into the new audit buffer.

In an optional implementation of this embodiment, the method further includes the following steps:

after the content of the audit file exceeds a preset storage capacity, creating a new audit file;

after the number of audit files exceeds a preset number, deleting the one or more earliest-created audit files in chronological order.

In this optional implementation, audit information can be written into the audit file by the audit reading thread periodically or after the audit buffer is full. The audit file is stored in user space, and its storage capacity can be set in advance when the security monitoring system is initialized; once the size of the audit information stored in an audit file exceeds this preset storage capacity, a file creation thread started after the security monitoring system is running can create a new audit file, and subsequent audit information can be written into the new audit file.

In some embodiments, when there are too many audit files, for example more than a preset number, a file deletion thread started after the security monitoring system is running can delete the one or more earliest-created audit files in the chronological order of their creation and retain the more recently created ones.
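As an added example of the two file policies just described (not the patent's own code), the model below tracks audit files as an ordered list of (creation sequence, size) entries and applies the rules on every flush: a new file once the current one exceeds the preset capacity, and deletion of the earliest-created files once more than the preset number exist. The capacity and count limits, the audit_store name and the "audit.log.N" naming are constructed for the demo; a real implementation would perform the create and unlink calls through the file system interface at the same two points.

```c
#include <stdio.h>
#include <string.h>

#define AUDIT_FILE_CAPACITY 1024   /* preset storage capacity per file, in bytes (constructed) */
#define AUDIT_FILE_MAX      3      /* preset number of audit files to retain (constructed) */

typedef struct {
    int    seq;     /* creation order; a larger value is a newer file */
    size_t size;    /* bytes written so far */
} audit_file;

typedef struct {
    audit_file files[AUDIT_FILE_MAX + 1];  /* oldest first; one slot of slack before deletion */
    int count;
    int next_seq;
    int deleted;                           /* files removed by the deletion policy */
} audit_store;

int audit_store_init(audit_store *s) {
    memset(s, 0, sizeof *s);
    s->files[0].seq = s->next_seq++;       /* the first audit file exists from start-up */
    s->count = 1;
    return 0;
}

static audit_file *current_file(audit_store *s) { return &s->files[s->count - 1]; }

/* Creation policy: open a new file once the current one exceeds its capacity. */
static void rotate_if_needed(audit_store *s) {
    if (current_file(s)->size <= AUDIT_FILE_CAPACITY) return;
    s->files[s->count].seq  = s->next_seq++;
    s->files[s->count].size = 0;
    s->count++;
}

/* Deletion policy: drop the earliest-created files while there are too many. */
static void prune_if_needed(audit_store *s) {
    while (s->count > AUDIT_FILE_MAX) {
        memmove(&s->files[0], &s->files[1], (size_t)(s->count - 1) * sizeof s->files[0]);
        s->count--;
        s->deleted++;
    }
}

/* Appends one flushed audit buffer of nbytes to the current file and applies
 * both policies. Returns the seq of the file that receives the next write. */
int audit_store_append(audit_store *s, size_t nbytes) {
    current_file(s)->size += nbytes;
    rotate_if_needed(s);
    prune_if_needed(s);
    return current_file(s)->seq;
}

int audit_store_oldest_seq(const audit_store *s) { return s->files[0].seq; }

static audit_store demo_store;

int main(void) {
    audit_store_init(&demo_store);
    for (int i = 0; i < 8; i++) {
        int seq = audit_store_append(&demo_store, 600);   /* each flush is ~600 bytes (constructed) */
        printf("flush %d -> next write goes to audit.log.%d; %d files kept, %d deleted\n",
               i, seq, demo_store.count, demo_store.deleted);
    }
    return 0;
}
```

Because the check runs after the write, a file can exceed the capacity by at most one flushed buffer, which matches the text's "after the content exceeds the preset storage capacity".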

Figures 3(a) to 3(c) show an implementation of the log system and the audit system included in the security monitoring system of the microkernel operating system according to an embodiment of the present disclosure. As shown in Figure 3(a), the log system can maintain a log buffer in user space, and log information is written into the log buffer in a unified format; the klogd thread in the log system is responsible for monitoring and obtaining the log information in the log buffer and writing it into the log file. In kernel space, the log output thread printk writes kernel-space messages into the log buffer.

Log information can be recorded according to the operating system security technical standard, recording the log information that the standard specifies. The standard defines the events that the log part needs to record as: system run records, alarm prompt records, operation log records, user behaviour records, application software run logs, configuration information modification records, and so on.

As shown in Figure 3(b), the log protocol format adopted by the embodiment of the present disclosure is the syslog protocol standard. The first part, PRI, is the priority, which combines the program module (facility) of the log and the severity level (severity) of the message. The priority usually starts with the character "<", followed by a 1- to 3-digit number, and ends with ">", where the number is computed from the log's program module and the message's severity level number. In some embodiments, the priority value can equal the program module code multiplied by 8 plus the severity level number.

The second part, HEADER, is the message header, which consists of a timestamp and the device's IP address or host name. The timestamp immediately follows ">", and the timestamp and the device's IP address or host name are separated by a single space.

The third part, MSG, is the log message, i.e. the descriptive information to be recorded, and it is generally divided into two fields. One field gives the name of the program or thread that produced the message, with a set length of no more than 32 characters; the other field records the detailed description. The two fields are separated by "[", ":" or a space.
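The three-part record format above, as an added example that is not code from the patent: one function computes PRI as facility * 8 + severity and emits "<PRI>TIMESTAMP HOST TAG: MSG", and a parser recovers the fields and rejects a PRI that is not "<" plus one to three digits plus ">". Because the text only specifies that a single space separates the timestamp from the host, the example assumes a timestamp without internal spaces (ISO 8601 style); the function names, TAG_MAX and the sample record are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define TAG_MAX 32   /* program/thread name field is limited to 32 characters */

typedef struct {
    int  facility;
    int  severity;
    char timestamp[32];
    char host[64];
    char tag[TAG_MAX + 1];
    const char *msg;     /* points into the parsed line */
} syslog_rec;

/* PRI = facility * 8 + severity; -1 when a code is outside its syslog range. */
int syslog_pri(int facility, int severity) {
    if (facility < 0 || facility > 23 || severity < 0 || severity > 7) return -1;
    return facility * 8 + severity;
}

/* Builds "<PRI>TIMESTAMP HOST TAG: MSG"; the tag is cut to TAG_MAX characters.
 * The timestamp must not contain spaces (assumption, see lead-in) so that a
 * single space separates it from the host. Returns the length or -1. */
int syslog_format(char *out, size_t outsz, int facility, int severity,
                  const char *timestamp, const char *host,
                  const char *tag, const char *msg) {
    int pri = syslog_pri(facility, severity);
    if (pri < 0 || strchr(timestamp, ' ') != NULL) return -1;
    int n = snprintf(out, outsz, "<%d>%s %s %.*s: %s",
                     pri, timestamp, host, TAG_MAX, tag, msg);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Parses a record in the format above. Returns 0, or -1 when PRI is not
 * "<" + 1..3 digits + ">" or the header or tag fields are missing. */
int syslog_parse(const char *line, syslog_rec *r) {
    if (line[0] != '<') return -1;
    const char *p = line + 1;
    int pri = 0, digits = 0;
    while (*p >= '0' && *p <= '9' && digits < 3) { pri = pri * 10 + (*p - '0'); p++; digits++; }
    if (digits == 0 || *p != '>' || pri > 23 * 8 + 7) return -1;
    p++;                                    /* the timestamp starts right after ">" */
    r->facility = pri / 8;
    r->severity = pri % 8;
    int consumed = 0;
    if (sscanf(p, "%31s %63s%n", r->timestamp, r->host, &consumed) != 2) return -1;
    p += consumed;
    while (*p == ' ') p++;
    size_t tlen = strcspn(p, "[: ");        /* the tag ends at "[", ":" or a space */
    if (tlen == 0 || tlen > TAG_MAX) return -1;
    memcpy(r->tag, p, tlen);
    r->tag[tlen] = '\0';
    p += tlen;
    if (*p) p++;                            /* skip the single separator character */
    while (*p == ' ') p++;
    r->msg = p;
    return 0;
}

static char       demo_line[256];
static syslog_rec demo_rec;

int main(void) {
    /* constructed sample: facility 4 (auth), severity 6 (informational) */
    if (syslog_format(demo_line, sizeof demo_line, 4, 6, "2024-01-01T00:00:00Z",
                      "mcu-01", "auditd", "audit rule list reloaded") < 0) return 1;
    printf("%s\n", demo_line);
    if (syslog_parse(demo_line, &demo_rec) == 0)
        printf("facility=%d severity=%d host=%s tag=%s msg=%s\n", demo_rec.facility,
               demo_rec.severity, demo_rec.host, demo_rec.tag, demo_rec.msg);
    return 0;
}
```

The parser returns -1 rather than guessing when a field is malformed; a reader that writes such records into a file should log the rejection rather than silently drop it, since a record that fails to parse is itself worth noticing.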

As shown in Figure 3(c), in user space the auditd thread of the audit system reads the audit information in the audit buffer and writes it into the audit file audit.log. The audit system of this embodiment is described below from four aspects: audit events, audit information filtering, audit buffer settings, and audit commands.

1. Audit events

An audit event is the smallest unit of user action audited by the system; collecting audit events means establishing the audit events under an audit standard of a given security level. From the subject's point of view, the system needs to record all activities performed by the user; from the object's point of view, the system needs to record all accesses to a given object. Audit events can be divided mainly into system call events and user trusted events. The present disclosure makes the following design for system call events:

For a system call event, the subject can be a thread. The present disclosure adds an audit context structure pointer, audit_context, to the thread structure to record the audit information of the thread's context. From the time a thread enters a system call until it exits, the audit context structure records the system call's entry and exit data, such as the parameters, the call number, the success/failure flag and the return result of the system call.

In some embodiments, the audit system adds audit functions at the entry and exit of the system call interface (the entry function audit_syscall_entry and the exit function audit_syscall_exit), writes the audit information at entry to and exit from the system call interface into the audit context structure, and writes the audit information out to the buffer when the system call exits. After the audit information has been written out, the audit context can be cleared.

If an audit context structure was created and the corresponding status set when the thread was created, the audit context is filled in at the entry of the system call interface: the entry function audit_syscall_entry records the entry audit information on entry to the system call interface in the thread's audit context structure, and the exit function audit_syscall_exit writes the exit audit information into the audit context structure. The information in the audit context structure is finally written into the audit buffer by the audit output thread.

2. Filtering of audit messages

The authorized user can set the event types to be filtered out through the auditctl command designed into the audit system, i.e. configure the audit configuration information, placing the rules for events they do not want to see (mainly type information) into a rule linked list. The audit system can provide a filter function audit_filter_type(int type) whose parameter is the event type; for the rule lists of the different types, the audit system outputs the related audit information only when the filter check passes and returns true. In other words, the audit system outputs the related audit information only when the current system call event type matches the audit configuration information.
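The entry/exit hooks of section 1 and the type filter of section 2, combined into one added example (not the patent's or its applicant's code): a thread structure carries an audit_context pointer, audit_syscall_entry fills the entry information, audit_syscall_exit adds the return value and success flag, consults audit_filter_type against the rule list that auditctl would have populated, writes the record out only when the check passes, and clears the context either way. The event type values, the in-memory output buffer, the thread_t name and the sample arguments are constructed for the demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define AUDIT_MAX_ARGS 6
#define RULE_MAX       16
#define OUT_MAX        32

/* Event types are constructed for the demo; the page only speaks of "type". */
enum { EV_FILE_READ = 1, EV_FILE_WRITE = 2, EV_NET_CONNECT = 3 };

typedef struct {
    bool          in_syscall;   /* entry recorded, exit still pending */
    int           event_type;
    int           syscall_nr;
    unsigned long args[AUDIT_MAX_ARGS];
    long          ret;
    bool          success;
} audit_context;

/* Thread structure carrying the audit_context pointer, as the page describes. */
typedef struct {
    int            tid;
    audit_context *audit_context;
} thread_t;

/* Rule list filled by auditctl: event types the user does NOT want to see. */
static int excluded_types[RULE_MAX];
static int excluded_count;

/* Records written out to the (here in-memory) audit buffer. */
typedef struct { int tid, event_type, syscall_nr; long ret; bool success; } audit_record;
static audit_record out_buf[OUT_MAX];
static int          out_count;

int audit_rule_exclude(int type) {
    if (excluded_count == RULE_MAX) return -1;
    excluded_types[excluded_count++] = type;
    return 0;
}

/* true: check passed, the audit information is output; false: filtered out. */
bool audit_filter_type(int type) {
    for (int i = 0; i < excluded_count; i++)
        if (excluded_types[i] == type) return false;
    return true;
}

/* Entry hook: fill the thread's context with the entry audit information. */
int audit_syscall_entry(thread_t *t, int syscall_nr, int event_type,
                        const unsigned long *args) {
    audit_context *ctx = t->audit_context;
    if (ctx == NULL || ctx->in_syscall) return -1;   /* no context, or nested entry */
    ctx->in_syscall = true;
    ctx->event_type = event_type;
    ctx->syscall_nr = syscall_nr;
    memcpy(ctx->args, args, sizeof ctx->args);
    return 0;
}

/* Exit hook: add the exit information, write the record out if the filter
 * passes, then clear the context. Returns 1 (written), 0 (filtered out),
 * -1 (exit without a matching entry, or output buffer full). */
int audit_syscall_exit(thread_t *t, long ret) {
    audit_context *ctx = t->audit_context;
    if (ctx == NULL || !ctx->in_syscall) return -1;
    ctx->ret = ret;
    ctx->success = ret >= 0;
    int rc = 0;
    if (audit_filter_type(ctx->event_type)) {
        if (out_count == OUT_MAX) { memset(ctx, 0, sizeof *ctx); return -1; }
        out_buf[out_count++] = (audit_record){ t->tid, ctx->event_type,
                                               ctx->syscall_nr, ctx->ret, ctx->success };
        rc = 1;
    }
    memset(ctx, 0, sizeof *ctx);            /* context cleared after the write-out */
    return rc;
}

int audit_record_count(void) { return out_count; }
const audit_record *audit_last_record(void) { return out_count ? &out_buf[out_count - 1] : NULL; }

static audit_context demo_ctx;
static thread_t      demo_thread = { 7, &demo_ctx };
static const unsigned long demo_args[AUDIT_MAX_ARGS] = { 3, 0x1000, 64, 0, 0, 0 };

int audit_demo_reset(void) {
    excluded_count = 0;
    out_count = 0;
    memset(&demo_ctx, 0, sizeof demo_ctx);
    return 0;
}

int main(void) {
    audit_demo_reset();
    audit_rule_exclude(EV_FILE_READ);            /* what "auditctl" would do: hide read events */
    audit_syscall_entry(&demo_thread, 63, EV_FILE_READ, demo_args);
    printf("read exit -> %d (0 = filtered)\n", audit_syscall_exit(&demo_thread, 64));
    audit_syscall_entry(&demo_thread, 64, EV_FILE_WRITE, demo_args);
    printf("write exit -> %d (1 = written)\n", audit_syscall_exit(&demo_thread, -13));
    const audit_record *r = audit_last_record();
    printf("records=%d last: tid=%d nr=%d ret=%ld success=%d\n",
           audit_record_count(), r->tid, r->syscall_nr, r->ret, r->success);
    return 0;
}
```

Note that the filter is consulted at exit, not at entry, so the record of a failed call (here ret = -13) is kept whenever its type passes; an exclusion rule suppresses the whole type, which is exactly why the text reserves auditctl for the authorized user.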

3. Buffer settings

The audit system sets up an audit buffer in user space and designs an audit buffer linked list to store pointers to the audit buffers that have been filled with audit information. When the number of buffers in the audit buffer linked list exceeds the upper limit, the current thread can wait for the relevant thread in user space to write the audit information into the audit log file, until the number of buffers is below the upper limit.

A free audit buffer linked list can also be designed to store free audit buffers. When an audit buffer is requested, the system first checks whether the free audit buffer linked list contains a free audit buffer; if so, it is returned to the requester, and if not, a new audit buffer is allocated. When a requested audit buffer is released, it can be checked whether the free buffer linked list has already reached its upper limit; if not, the audit buffer being released is placed into the free buffer linked list, otherwise it is freed directly.
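The two buffer lists described above (a list of filled buffers whose upper limit stalls the producer, and a free list that caches released buffers up to its own limit), as an added C example rather than the disclosure's own code. The limits, the record format and all names are assumptions; the false return from audit_emit marks the point at which the producer thread would wait for auditd to drain.

```c
/* Added example, not the disclosure's code: the filled-buffer list with an upper
 * limit and the free-buffer cache with its own limit. Limits and names are assumed. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUDIT_BUF_SIZE     256  /* bytes of audit text per buffer */
#define AUDIT_FILLED_LIMIT 4    /* producer must wait once this many are queued */
#define AUDIT_FREE_LIMIT   2    /* released buffers beyond this many are freed */

struct audit_buffer {
    struct audit_buffer *next;
    size_t len;
    char   data[AUDIT_BUF_SIZE];
};

struct audit_buffer_lists {
    struct audit_buffer *filled_head, *filled_tail;  /* FIFO of filled buffers */
    size_t filled_count;
    struct audit_buffer *free_head;                   /* cache of free buffers */
    size_t free_count;
    size_t allocs;                                    /* fresh allocations, to observe reuse */
};

void audit_lists_init(struct audit_buffer_lists *l) { memset(l, 0, sizeof *l); }

/* Request a buffer: reuse one from the free list, else allocate a new one. */
struct audit_buffer *audit_buffer_get(struct audit_buffer_lists *l)
{
    struct audit_buffer *b = l->free_head;
    if (b) {
        l->free_head = b->next;
        l->free_count--;
    } else {
        b = malloc(sizeof *b);
        if (!b) return NULL;
        l->allocs++;
    }
    b->next = NULL;
    b->len = 0;
    return b;
}

/* Release a buffer: cache it while the free list is under its limit, else free it. */
void audit_buffer_put(struct audit_buffer_lists *l, struct audit_buffer *b)
{
    if (l->free_count < AUDIT_FREE_LIMIT) {
        b->next = l->free_head;
        l->free_head = b;
        l->free_count++;
    } else {
        free(b);
    }
}

/* Producer: queue a filled buffer. False means the list is at its limit and the
 * calling thread must wait for auditd to drain before retrying. */
bool audit_buffer_submit(struct audit_buffer_lists *l, struct audit_buffer *b)
{
    if (l->filled_count >= AUDIT_FILLED_LIMIT) return false;
    b->next = NULL;
    if (l->filled_tail) l->filled_tail->next = b; else l->filled_head = b;
    l->filled_tail = b;
    l->filled_count++;
    return true;
}

/* Format one record into a buffer and queue it; false means "would block". */
bool audit_emit(struct audit_buffer_lists *l, const char *record)
{
    if (l->filled_count >= AUDIT_FILLED_LIMIT) return false;
    struct audit_buffer *b = audit_buffer_get(l);
    if (!b) return false;
    int n = snprintf(b->data, sizeof b->data, "%s\n", record);
    b->len = n < 0 ? 0 : (n >= (int)sizeof b->data ? sizeof b->data - 1 : (size_t)n);
    if (!audit_buffer_submit(l, b)) {
        audit_buffer_put(l, b);
        return false;
    }
    return true;
}

/* auditd side: write queued buffers to the audit file in order and recycle them.
 * A buffer whose write fails stays queued. Returns the number of buffers written. */
size_t auditd_drain(struct audit_buffer_lists *l, FILE *audit_file)
{
    size_t written = 0;
    while (l->filled_head) {
        struct audit_buffer *b = l->filled_head;
        if (fwrite(b->data, 1, b->len, audit_file) != b->len) break;
        l->filled_head = b->next;
        if (!l->filled_head) l->filled_tail = NULL;
        l->filled_count--;
        audit_buffer_put(l, b);
        written++;
    }
    return written;
}

/* Tear down both lists. */
void audit_lists_destroy(struct audit_buffer_lists *l)
{
    struct audit_buffer *b;
    while ((b = l->filled_head)) { l->filled_head = b->next; free(b); }
    while ((b = l->free_head))   { l->free_head = b->next; free(b); }
    memset(l, 0, sizeof *l);
}
```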

4. User management tools

Management tools for configuring the audit configuration information, searching the logs and requesting the generation of audit reports are provided in user space. In some embodiments, the user can start these three management tools by invoking the corresponding commands auditctl, ausearch and aureport, that is, use the commands to configure and operate the audit system. The ausearch command queries the background log according to different search rules; the aureport command generates a summary report of the audit log; the auditctl command sets the audit rules, can read the rules from the configuration file at system startup, and can also add or delete rules.

The user thread auditd in the audit system writes the audit information that complies with the rules and the format from the audit buffer into the audit file.

In order to reduce the consumption of storage space, the present disclosure lowers the space overhead in the generation, recording and cleanup of logs. This is reflected specifically in the following aspects:

1. Setting up buffers

In the log system and the audit system, a log buffer and an audit buffer are set up respectively, and an audit buffer linked list is set up. The introduction of the buffers solves the speed mismatch between the generation of log data and the writing of files.

2. Reducing the recording frequency of the same event

Multiple identical events are merged into one log entry, and the number of events is recorded with a counter; the more events are combined into one log entry, the lower the logging overhead.

3. Screening and filtering audit events

A tool for configuring the audit configuration information is provided in user space. A privileged user can configure the events to be audited, their format and so on according to actual needs, and the audit system provides the corresponding functions so that only the events the user actually needs audited are recorded, conditionally.

4. Writing to separate files or deleting files periodically

When a log file or audit file reaches the size limit, a new log file or audit file is created and the new log content or audit content is written to the new file;

When the number of log files or audit files reaches the set threshold, some of the files are deleted in the order in which they were created.

By designing and implementing a security monitoring system based on a microkernel operating system, the embodiments of the present disclosure record and analyze the runtime information of the operating system to ensure its security. At present few microkernel operating systems have a relatively complete design for the security audit module. The present disclosure designs and implements a microkernel-operating-system-based security monitoring system that meets operating system security standards, which can record the runtime state and information of the operating system in real time and, on the basis of the log records, give feedback to the administrator, ensuring the security and reliability of the operating system; in addition, on the basis of the relatively complete log information, the system running state and user behavior are monitored and potential hazards are pointed out, while space consumption is reduced as far as possible.

The following are apparatus embodiments of the present disclosure, which can be used to execute the method embodiments of the present disclosure.

FIG. 4 shows a block diagram of a security monitoring apparatus based on a microkernel operating system according to an embodiment of the present disclosure. The apparatus can be implemented as part or all of an electronic device through software, hardware, or a combination of both. As shown in FIG. 4, the security monitoring apparatus based on a microkernel operating system includes:

The response module 401 is configured to respond to a call request from an execution object in user space to a system call interface in the microkernel operating system by matching, in kernel space, the system call event type corresponding to the call request against pre-configured audit configuration information;

The recording module 402 is configured to, when the system call event type matches the audit configuration information, record the entry audit information captured when the system call interface enters kernel space to run in the audit context structure of the execution object, and also record the exit audit information captured when the system call interface exits in the audit context structure of the execution object;

The first output module 403 is configured to output the entry audit information and the exit audit information in the audit context structure from kernel space to an audit buffer in user space when the system call interface is exited.

In this embodiment, the kernel part of the microkernel operating system is simplified to the greatest extent. The kernel part contains only the most basic functions used to realize operating system services, such as the IPC (inter-process communication) mechanism, address space management and the scheduling mechanism, while at the service level, device drivers, file systems, communication between applications and so on are implemented as user-mode service programs. When an ordinary application needs a service of the operating system, it initiates inter-process communication with the corresponding service program, and that service program performs the relevant operations; when necessary, the service program also traps into kernel mode by executing the system call interface provided by the kernel in order to complete some basic operations, and then feeds the results back to the application through inter-process communication.

The embodiments of the present disclosure first take a microkernel operating system as the application scenario: a security monitoring system is added to the microkernel operating system architecture, the kernel part is simplified as much as possible, and the functions of the security monitoring system are implemented as user space service programs.

The security monitoring system in the embodiments of the present disclosure includes at least an audit system. The audit system is used for security tracking, and it is designed with the goal of simplifying the kernel as much as possible, so the related audit services are placed in user space.

An audit event is the smallest unit by which the system audits user actions; the collection of audit events refers to establishing the audit events under the audit standard of a given security level. From the subject's perspective, the system needs to record all activities performed by a user; from the object's perspective, the system needs to record all access activities on a given object.

Audit events can be mainly divided into system call events and user trusted events. The embodiments of the present disclosure make the following design for system call events:

The subject of a system call event is a thread. A system call event can be understood as a call by an execution object in user space, such as a thread, to a system call interface provided by the microkernel operating system. Therefore, in the embodiments of the present disclosure, after the security monitoring system detects a system call event, that is, detects a call request from an execution object in user space to a system call interface, it can use the audit system designed for system call events in the embodiments of the present disclosure to collect audit information and output the audit information to a log file in user space, so that the relevant privileged users can later audit the use of the microkernel operating system based on the log file.

The embodiments of the present disclosure can provide, in user space, a management tool with which privileged users configure the audit configuration information. The management tool can provide an audit information configuration interface or a command input interface, through which privileged users can configure the corresponding audit rules and can also configure the output format of the audit information and so on. The audit configuration information configured by privileged users can be stored in a corresponding storage file so that it can later be read by the security monitoring system.

In the embodiments of the present disclosure, the security monitoring system can be implemented by programming. Once the security monitoring system is running, one or more detection threads can be started in user space to detect system call events. After detecting a system call event, the one or more detection threads in the security monitoring system can match the type of the system call event against the rules set in the audit configuration information in the storage file. If the currently detected system call event relates to content that a privileged user has pre-configured for auditing, that is, when the current system call event type matches the pre-configured audit configuration information, the entry audit information of the currently called system call interface, captured when it enters kernel mode to run, is written into the audit context structure corresponding to the execution object, and the exit audit information, captured when the system call interface finishes executing and exits, is also written into the audit context structure corresponding to the execution object.

The audit context structure can be written into the source code of the execution object at programming time, and is established when the execution object is created after the security monitoring system is running. When the system call interface exits, one or more information output threads started after the security monitoring system runs output the entry audit information and exit audit information in the corresponding context structure from kernel space to the audit buffer in user space. The audit context structure can then be cleared.

In some embodiments, the audit context structure may be as follows:

The entry audit information and the exit audit information can be determined by the audit context structure, that is, the audit context structure predefines what the entry audit information and the exit audit information respectively include. As shown in the audit context structure above, the entry audit information may include, but is not limited to, the audit state, sequence number, system call entry time, system call number and system call parameters held in the audit context structure; the exit audit information may include, but is not limited to, the system call return code and a flag indicating whether the content of the audit context structure has been output to the audit buffer. In some embodiments, the audit buffer in user space can be created when the security monitoring system is initialized, and the read and write threads started at initialization of the security monitoring system perform the read and write operations on the audit buffer.

The embodiments of the present disclosure design and implement a security monitoring solution based on a microkernel operating system, ensuring the security of the operating system by recording and analyzing its runtime information. In the prior art there are few well-designed security audit solutions for microkernel operating systems, whereas the embodiments of the present disclosure design and implement a microkernel-operating-system-based security monitoring solution that meets operating system security standards and use it to record the state and information of the operating system at runtime in real time. By providing an audit rule configuration service in user space, the embodiments of the present disclosure let a privileged user configure the events to be audited, their format and so on according to need; while the kernel system is running, only the events configured by the privileged user are recorded, conditionally, so that the operating system is monitored for security under the premise of simplifying the kernel as much as possible.

In an optional implementation of this embodiment, the apparatus further includes:

The first writing module is configured to write the first kernel-mode log information generated by the system call interface during its execution in kernel space into a log buffer in user space when the system call event type corresponding to the call request does not match the audit configuration information.

In this optional implementation, if the system call event type corresponding to the currently called system call interface does not match the audit configuration information pre-configured by the privileged user, the content involved in the current system call is not audit information the privileged user is concerned with, so no related audit information need be generated. However, for later viewing, the related log information can be written into the log buffer in user space. In some embodiments, the related log information can be written into the log buffer in user space by a log output thread started after the security monitoring system is running.

That is to say, when the security monitoring system is initialized, an audit buffer and a log buffer can be established in user space. For a system call event in the microkernel operating system, if the privileged user has not pre-configured that the audit information related to the current system call event is to be audited, the log output thread can still write the first kernel-mode log information related to the current system call event into the log buffer. It should be noted that the related first kernel-mode log information may include, but is not limited to, the start time and end time of the system call event and logs of the modification operations performed on the microkernel operating system during its execution. A dedicated log output thread can be set up in the microkernel operating system specifically to write the logs of programs running in kernel space into the log buffer in user space.

In an optional implementation of this embodiment, the apparatus further includes:

The second writing module is configured to write the user-mode log information generated in user space into the log buffer; and/or,

The third writing module is configured to write the second kernel-mode log information generated in kernel space into the log buffer, where the second kernel-mode log information is log information generated in kernel space by something other than a system call interface.

In this optional implementation, the user-mode log information generated in user space can also be recorded in the log buffer, and the second kernel-mode log information generated in kernel space can also be written into the log buffer. In order to distinguish the log information generated by system call events in kernel space from the log information generated in other cases, this embodiment refers to the log information generated by system call events as first kernel-mode log information and to the log information generated in other cases as second kernel-mode log information. In some embodiments, the first kernel-mode log information can be written into the log buffer by the log output thread established when the security monitoring system is initialized. It is understood that the first kernel-mode log information and the second kernel-mode log information can be processed by the same log output thread or by different log output threads.

In some embodiments, the user-mode log information in user space may include, but is not limited to, the running logs of application software running in user space and records of modifications to configuration information in user space; the first kernel-mode log information or the second kernel-mode log information may include, but is not limited to, running records of the microkernel operating system, alarm prompt records in the microkernel operating system, operation logs of user threads on the microkernel operating system, and behavior records of user threads in the microkernel operating system.

The first kernel-mode log information and the second kernel-mode log information generated in kernel space can be output from kernel space to the log buffer in user space by a dedicated log output thread. The log information generated in user space can be written into the log buffer in user space by a corresponding thread. In some embodiments, the corresponding thread can be started after the security monitoring system is running.

In an optional implementation of this embodiment, the apparatus further includes:

The first reading module is configured to read the log information in the log buffer in user space;

The first calling module is configured to call a file system interface to output the log information in the log buffer to a console or a log file.

In this optional implementation, the log information is recorded in the log buffer established in user space, and the security monitoring system can start a log reading thread after it is running; when the log buffer is full, or periodically, the log reading thread can write the log information in the log buffer into the log file. The writing of the log file can be carried out in user space: the log reading thread writes the log information from the log buffer into the log file by calling the file system interface in user space. In other embodiments, the log information in the log buffer can also be output directly to a console by the log reading thread calling the file system interface, stored on a storage device of the console and/or shown on a display of the console for the relevant personnel to view.

In an optional implementation of this embodiment, the apparatus further includes:

The acquisition module is configured to acquire user space audit information generated in user space;

The matching module is configured to match the user space audit information against the audit configuration information;

The fourth writing module is configured to write the user space audit information into the audit buffer when the user space audit information matches the audit configuration information.

In this optional implementation, user space also generates some information that a privileged user wants to audit. The privileged user can likewise pre-configure audit configuration information for user space, placing the event types and/or information types to be audited in the audit configuration information. After user space generates user space audit information, an audit matching thread started after the security monitoring system is running can match it against the audit configuration information; if it matches, it is written into the audit buffer, and if it does not match, it need not be written into the audit buffer but is instead written into the log buffer by the relevant log thread.

In an optional implementation of this embodiment, the apparatus further includes:

The first receiving module is configured to receive user configuration information input by a user in user space through a preset interface;

The update module is configured to update the audit configuration information stored in user space based on the user configuration information.

In this optional implementation, a privileged user can input user configuration information through a preset interface in user space, and the user configuration information can be used to update the audit configuration information pre-stored in user space. In this way, the privileged user can pre-configure the audit configuration information in user space and can later perform editing operations on it, such as modifications. Once the security monitoring system is running, it can provide an interface for the user to input user configuration information; through this interface, the security monitoring system can receive the user configuration information input by the user and update the storage file of the configuration information with it.

In an optional implementation of this embodiment, the apparatus further includes:

The second receiving module is configured to receive a user's request in user space to view the log file;

The second output module is configured to output the log file to the user based on the viewing request.

In this optional implementation, the log file can be stored in user space, and the user can request to view the log file in user space through a viewing interface provided by the security monitoring system. After receiving the user's request, the viewing interface can output the log file to the user by calling the file system interface; for example, the log file can be opened and shown on the user's display device.

In an optional implementation of this embodiment, the apparatus further includes:

The second reading module is configured to read the audit information in the audit buffer in user space;

The second calling module is configured to call a file system interface to output the audit information in the audit buffer to an audit file.

In this optional implementation, the audit information from both user space and kernel space is recorded in the audit buffer established in user space, and the security monitoring system can start an audit reading thread after it is running; when the audit buffer is full, or periodically, the audit reading thread can write the audit information in the audit buffer into the audit file. The writing of the audit file can be performed in user space: the audit reading thread writes the audit information from the audit buffer into the audit file by calling the file system interface in user space. In other embodiments, the audit information in the audit buffer can also be output directly to a console by the audit reading thread calling the file system interface, stored on a storage device of the console and/or shown on a display of the console for the relevant personnel to view.

In an optional implementation of this embodiment, the apparatus further includes:

The third receiving module is configured to receive a user's request in user space to view the audit file;

The third output module is configured to output an audit report to the user based on the audit information in the audit file.

In this optional implementation, after the audit information has been written into the audit file, when a privileged user views the audit file, the audit information can be turned into an audit report based on the pre-configured audit rules and output to the privileged user. The security monitoring system can also provide the user with a viewing interface for the audit file; after receiving the user's request, the viewing interface can output the audit report to the user once it has determined that the current user has the required authority.

In an optional implementation of this embodiment, the apparatus further includes:

The setting module is configured to set up an audit buffer linked list in user space; the audit buffer linked list is used to store pointers to the audit buffers;

The second calling module includes:

The calling submodule is configured to, after the number of pointers in the audit buffer linked list exceeds a preset threshold, call the file system interface in user space based on the pointers in the audit buffer linked list to output the audit information in the audit buffers to the audit file;

The deletion submodule is configured to delete the corresponding pointers from the audit buffer linked list.

In this optional implementation, an audit buffer linked list can be created in user space during initialization of the security monitoring system, storing pointers to the audit buffers. That is, multiple audit buffers can be created in user space, and the pointer to each audit buffer can be stored in the audit buffer linked list. The maximum number of audit buffer pointers that the audit buffer linked list can hold can be set in advance, and this maximum is represented by a preset threshold. After the number of pointers in the audit buffer linked list exceeds the preset threshold, a process for writing the audit information in the audit buffers to the audit file can be started; this process writes the audit information in the audit buffers pointed to by the pointers stored in the audit buffer linked list to the audit file, and the pointer to an audit buffer whose audit information has been successfully written to the audit file can be deleted from the audit buffer linked list.

In an optional implementation of this embodiment, the audit buffer and/or the log buffer in user space use a double-buffer mode.

In this optional implementation, to reduce the number of system calls, and hence the time the operating system spends switching between user mode and kernel mode, the disclosed embodiment maintains an audit buffer and a log buffer in user space. Log information and audit information are written in a unified format into the log buffer and the audit buffer respectively. In user space, a log reading thread and an audit reading thread monitor and read the log buffer and the audit buffer respectively and write their contents to the log file and the audit file. In kernel space, a log output thread writes the kernel's log information into the user-space log buffer, and an audit output thread writes kernel-mode audit information into the user-space audit buffer.

The buffers exist mainly to absorb the mismatch between the rate at which log or audit information is produced and the rate at which it is read. Beyond that mismatch, in the scenario of the disclosed embodiment, reading and writing a buffer also raises safety issues between the reader and writer threads. For this reason the disclosed embodiment designs the user-space log buffer and audit buffer in double-buffer mode.

An array is a one-dimensional, contiguous linear structure in physical storage; allocating it once avoids repeated memory allocation and release, and access is efficient. The disclosed embodiment therefore uses array-based double buffers.

As shown in Figure 2, the audit buffer is implemented as two buffers, Buff_1 and Buff_2. Buff_1 is where the current writer thread, i.e. the audit output thread, deposits audit information. When audit buffer Buff_1 is full, a swap is triggered that moves the contents of audit buffer Buff_1 to audit buffer Buff_2, and the reader thread, i.e. the audit reading thread, then reads the data from audit buffer Buff_2 and writes it to the audit file. Likewise, the log buffer can be implemented as two buffers, Buff_1 and Buff_2. Buff_1 is where the current writer thread, i.e. the log output thread, deposits log information. When log buffer Buff_1 is full, a swap is triggered that moves the contents of log buffer Buff_1 to log buffer Buff_2, and the reader thread, i.e. the log reading thread, then reads the data from log buffer Buff_2 and writes it to the log file.

In an optional implementation of this embodiment, in the double-buffer mode of the audit buffer, after the first audit buffer currently receiving audit information is full, the addresses of the first and second audit buffers are swapped, so that the buffer pointer through which the kernel-mode audit output thread writes audit information switches from the address of the first audit buffer in user space to the address of the second audit buffer, while the buffer pointer through which the audit reading thread reads audit information points to the address of the first audit buffer.

In this optional implementation, swapping the two audit buffers requires locking each of them, and an algorithm that copies the buffer contents would hold the locks for a long time and hurt overall performance. The disclosed embodiment therefore performs the swap by exchanging the addresses of the two audit buffers directly: the pointer through which the audit output thread writes, which pointed to audit buffer Buff_1, is made to point to audit buffer Buff_2, and the pointer through which the audit reading thread reads, which pointed to Buff_2, is made to point to Buff_1; subsequent reads and writes then proceed, and the buffers have effectively been exchanged. The only operation inside the critical section is the pointer exchange, so it executes quickly. The double-buffer design only has to guarantee that one buffer is available for writing and one for reading; the kernel-mode audit output thread is then never blocked while writing by the slower execution of user space, which further improves kernel-mode processing efficiency.

The disclosed embodiment does not need one large buffer. Instead it sets up an array-based double buffer, separating the buffers used for reading and for writing into two buffers, which avoids thread blocking caused by holding a lock on a single buffer for a long time. An array-based buffer is also allocated once, avoiding frequent memory allocation and release.

In an optional implementation of this embodiment, in the double-buffer mode of the log buffer, after the first log buffer currently receiving log information is full, the addresses of the first and second log buffers are swapped, so that the buffer pointer through which the kernel-mode log output thread writes log information switches from the address of the first log buffer in user space to the address of the second log buffer, while the buffer pointer through which the log reading thread reads log information points to the address of the first log buffer.

In this optional implementation, swapping the two log buffers requires locking each of them, and an algorithm that copies the buffer contents would hold the locks for a long time and hurt overall performance. The disclosed embodiment therefore performs the swap by exchanging the addresses of the two log buffers directly: the pointer through which the log output thread writes, which pointed to log buffer Buff_1, is made to point to log buffer Buff_2, and the pointer through which the log reading thread reads, which pointed to Buff_2, is made to point to Buff_1; subsequent reads and writes then proceed, and the buffers have effectively been exchanged. The only operation inside the critical section is the pointer exchange, so it executes quickly. The double-buffer design only has to guarantee that one buffer is available for writing and one for reading; the kernel-mode log output thread is then never blocked while writing by the slower execution of user space, which further improves kernel-mode processing efficiency.
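The address-exchange double buffer described for both the audit buffer and the log buffer above, as an added example in C that is not code from the patent or its assignee. The two array-form buffers are allocated once inside one structure, the critical section contains nothing but the pointer exchange, and a swap is refused while the reader still holds undrained records so that a slow user-space reader back-pressures the writer instead of losing records; the sizes, the single-writer/single-reader assumption and the spinlock built on `atomic_flag` are this example's own choices.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ENTRY_SIZE  64   /* bytes per record (constructed size) */
#define BUF_ENTRIES 4    /* records per buffer (constructed size) */

/* One array-form buffer. Both live inside double_buf, so they are allocated once, never reallocated. */
typedef struct {
    char entries[BUF_ENTRIES][ENTRY_SIZE];
    atomic_size_t count;      /* records held; 0 once the reader has drained it */
} audit_buf;

typedef struct {
    audit_buf storage[2];     /* Buff_1 and Buff_2 */
    audit_buf *write_buf;     /* address used by the single writer (the kernel-side output thread) */
    audit_buf *read_buf;      /* address used by the single reader (the user-side reading thread) */
    atomic_flag lock;         /* guards only the address exchange, i.e. the critical section */
    unsigned long swaps;      /* completed exchanges, for inspection */
} double_buf;

static void lock_acquire(atomic_flag *f) { while (atomic_flag_test_and_set_explicit(f, memory_order_acquire)) {} }
static void lock_release(atomic_flag *f) { atomic_flag_clear_explicit(f, memory_order_release); }

void dbuf_init(double_buf *d)
{
    atomic_init(&d->storage[0].count, 0);
    atomic_init(&d->storage[1].count, 0);
    d->write_buf = &d->storage[0];    /* writer starts on Buff_1 */
    d->read_buf  = &d->storage[1];    /* reader starts on Buff_2 */
    atomic_flag_clear(&d->lock);
    d->swaps = 0;
}

/* Exchange the two addresses; nothing is copied inside the critical section. Refuses while the
 * read side still holds undrained records, so the writer cannot overwrite audit records that
 * have not reached the file yet. */
static bool dbuf_swap(double_buf *d)
{
    lock_acquire(&d->lock);
    if (atomic_load_explicit(&d->read_buf->count, memory_order_acquire) != 0) {
        lock_release(&d->lock);
        return false;
    }
    audit_buf *tmp = d->write_buf;
    d->write_buf = d->read_buf;
    d->read_buf  = tmp;
    d->swaps++;
    lock_release(&d->lock);
    return true;
}

/* Writer: append one record, exchanging buffers first when the current one is full.
 * Returns false when the record cannot be stored because the other buffer is not drained yet. */
bool dbuf_write(double_buf *d, const char *record)
{
    audit_buf *b = d->write_buf;
    if (atomic_load(&b->count) == BUF_ENTRIES) {
        if (!dbuf_swap(d))
            return false;
        b = d->write_buf;
    }
    size_t n = atomic_load(&b->count);
    strncpy(b->entries[n], record, ENTRY_SIZE - 1);
    b->entries[n][ENTRY_SIZE - 1] = '\0';
    atomic_store_explicit(&b->count, n + 1, memory_order_release);
    return true;
}

/* Reader: pass every record in the read buffer to sink(), then mark the buffer empty so the next
 * exchange may hand it back to the writer. Address and count are sampled under the lock; a
 * non-zero count keeps the writer from taking the buffer over before the copy-out finishes. */
size_t dbuf_drain(double_buf *d, void (*sink)(const char *record, void *ctx), void *ctx)
{
    lock_acquire(&d->lock);
    audit_buf *b = d->read_buf;
    size_t n = atomic_load_explicit(&b->count, memory_order_acquire);
    lock_release(&d->lock);
    for (size_t i = 0; i < n; i++)
        sink(b->entries[i], ctx);
    if (n)   /* with n == 0 the writer may already own b again, so never store 0 in that case */
        atomic_store_explicit(&b->count, 0, memory_order_release);
    return n;
}

/* Sink that only counts records (stands in for the file write in this demo). */
void count_sink(const char *record, void *ctx) { (void)record; (*(size_t *)ctx)++; }

int main(void)
{
    double_buf d;
    dbuf_init(&d);
    char rec[ENTRY_SIZE];
    for (int i = 1; i <= BUF_ENTRIES + 1; i++) {   /* the last record forces the first exchange */
        snprintf(rec, sizeof rec, "syscall exit event %d", i);
        dbuf_write(&d, rec);
    }
    size_t seen = 0;
    dbuf_drain(&d, count_sink, &seen);
    printf("drained %zu record(s) after %lu exchange(s)\n", seen, d.swaps);
    return 0;
}
```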

In an optional implementation of this embodiment, the device further includes:

a first establishing module, configured to establish idle audit buffers;

a storage module, configured to store pointers to the idle audit buffers in an idle audit buffer linked list;

the first output module includes:

a request submodule, configured to request an idle audit buffer from the idle audit buffer linked list;

a writing submodule, configured to write the audit information in the audit context structure into the idle audit buffer.

In this optional implementation, when the security monitoring system initializes, several idle audit buffers can be created in advance, with their pointers stored in an idle audit buffer linked list. When a system call interface in kernel space exits and the audit information in the audit context structure of the execution object that invoked it must be output from kernel space to user space, the audit output thread can request an idle audit buffer from the idle audit buffer linked list and write the audit information from the audit context structure into it.

Note that the corresponding audit output thread can take the pointer of the audit buffer into which audit information was written out of the idle audit buffer linked list and place it in the non-idle audit buffer linked list, and the pointer to that audit buffer in the idle audit buffer linked list can be deleted.

In an optional implementation of this embodiment, the device further includes:

an allocation module, configured to reallocate an audit buffer when the idle audit buffer linked list contains no idle audit buffer;

a fifth writing module, configured to write the audit information in the audit context structure into the reallocated audit buffer.

In this optional implementation, the audit output thread can write the pointers of the idle audit buffers it creates into the audit buffer linked list. When an execution object in kernel space requests an audit buffer, the audit output thread can also locate an idle audit buffer through the audit buffer linked list and write the audit information from the execution object's audit context structure into it.

If the audit buffer linked list contains no pointer to an idle audit buffer, the audit output thread can allocate a new audit buffer for the current execution object, and the corresponding audit output thread writes the audit information from the execution object's audit context structure into the new audit buffer.

In an optional implementation of this embodiment, the device further includes:

a second establishing module, configured to create a new audit file after the content of the audit file exceeds a preset storage capacity;

a deletion module, configured to delete, in chronological order, the earliest-created one or more audit files after the number of audit files exceeds a preset number.

In this optional implementation, audit information can be written to the audit file by the audit reading thread either periodically or once the audit buffer is full. The audit file is stored in user space, and its storage capacity can be set when the security monitoring system initializes. Once the audit information stored in one audit file exceeds that preset storage capacity, a file creation thread started when the security monitoring system runs can create a new audit file, and subsequent audit information is written to the new file.

In some embodiments, when there are too many audit files, for example more than a preset number, a file deletion thread started when the security monitoring system runs can delete the earliest-created audit file or files in chronological order, retaining the more recently created files.
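The idle-buffer list, the threshold-triggered flush, and the capacity- and count-based audit file rotation described above, combined in one added C example that is not code from the patent or its assignee. Buffers taken from the idle list are queued in arrival order, a new buffer is allocated only when the idle list is empty, the queue is flushed once it grows past the preset threshold, and the simulated audit file rolls over when its preset capacity is exceeded and drops the oldest file when the preset count is exceeded; all sizes and the in-memory stand-in for the file system interface are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE        128  /* bytes per audit buffer (constructed) */
#define FLUSH_THRESHOLD 3    /* preset threshold on the number of pending buffers */
#define FILE_CAPACITY   256  /* preset storage capacity of one audit file, in bytes */
#define MAX_FILES       2    /* preset number of audit files to keep */

typedef struct audit_buffer {
    char data[BUF_SIZE];
    size_t len;
    struct audit_buffer *next;
} audit_buffer;

/* Stand-in for an audit file; the real system opens one through the file system interface. */
typedef struct { unsigned id; size_t bytes; } audit_file;

typedef struct {
    audit_buffer *free_list;                   /* idle audit buffer linked list */
    audit_buffer *pending_head, *pending_tail; /* buffers holding unwritten audit information, FIFO */
    size_t pending_count;
    size_t allocated;                          /* buffers created so far: pre-created plus reallocated */
    audit_file files[MAX_FILES + 1];           /* oldest first; one spare slot for the file being dropped */
    size_t nfiles;
    unsigned next_file_id;
    unsigned deleted_files;                    /* oldest files removed to honour MAX_FILES */
} audit_sys;

static audit_buffer *new_buffer(audit_sys *s)
{
    audit_buffer *b = calloc(1, sizeof *b);
    if (b) s->allocated++;
    return b;
}

void audit_init(audit_sys *s, size_t prealloc)
{
    memset(s, 0, sizeof *s);
    for (size_t i = 0; i < prealloc; i++) {    /* pre-create idle buffers at initialisation */
        audit_buffer *b = new_buffer(s);
        if (!b) break;
        b->next = s->free_list; s->free_list = b;
    }
    s->files[0] = (audit_file){ .id = ++s->next_file_id, .bytes = 0 };
    s->nfiles = 1;
}

/* Append len bytes to the current audit file. Once the file exceeds the preset capacity a new one
 * is created, and once more than MAX_FILES exist the oldest is deleted. Bounded disk use is thus
 * paid for with the oldest audit evidence, which a deployment should ship elsewhere before then. */
static void file_append(audit_sys *s, size_t len)
{
    audit_file *cur = &s->files[s->nfiles - 1];
    cur->bytes += len;
    if (cur->bytes > FILE_CAPACITY) {
        s->files[s->nfiles++] = (audit_file){ .id = ++s->next_file_id, .bytes = 0 };
        if (s->nfiles > MAX_FILES) {
            memmove(&s->files[0], &s->files[1], (s->nfiles - 1) * sizeof(audit_file));
            s->nfiles--;
            s->deleted_files++;
        }
    }
}

/* Write every pending buffer to the audit file in arrival order and return it to the idle list. */
size_t audit_flush(audit_sys *s)
{
    size_t n = 0;
    while (s->pending_head) {
        audit_buffer *b = s->pending_head;
        s->pending_head = b->next;
        if (!s->pending_head) s->pending_tail = NULL;
        file_append(s, b->len);
        b->len = 0;
        b->next = s->free_list; s->free_list = b;  /* pointer goes back to the idle list */
        s->pending_count--;
        n++;
    }
    return n;
}

/* Called when an audited system call exits: move the audit information out of the context
 * structure into an idle buffer, reallocating one if the idle list is empty. */
bool audit_output(audit_sys *s, const char *ctx_info, size_t len)
{
    if (len > BUF_SIZE) return false;
    audit_buffer *b = s->free_list;
    if (b) s->free_list = b->next;
    else if (!(b = new_buffer(s))) return false;
    memcpy(b->data, ctx_info, len);
    b->len = len;
    b->next = NULL;
    if (s->pending_tail) s->pending_tail->next = b; else s->pending_head = b;
    s->pending_tail = b;
    if (++s->pending_count > FLUSH_THRESHOLD) audit_flush(s);
    return true;
}

void audit_destroy(audit_sys *s)
{
    audit_flush(s);
    while (s->free_list) { audit_buffer *b = s->free_list; s->free_list = b->next; free(b); }
}

int main(void)
{
    audit_sys s;
    audit_init(&s, 2);
    char rec[100];
    memset(rec, 'A', sizeof rec);                 /* constructed 100-byte audit record */
    for (int i = 0; i < 8; i++) audit_output(&s, rec, sizeof rec);
    printf("buffers allocated: %zu, files kept: %zu, files deleted: %u\n",
           s.allocated, s.nfiles, s.deleted_files);
    audit_destroy(&s);
    return 0;
}
```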

An embodiment of the present disclosure further provides a chip that includes the above security monitoring device based on a microkernel operating system. The chip may be any chip able to carry out the microkernel-based security monitoring process described above, and the device may be implemented, in software, hardware or a combination of both, as part or all of the chip. For the monitoring process itself, refer to the description of the microkernel-based security monitoring method above; it is not repeated here.

The present disclosure also discloses an electronic device. Figure 5 shows a structural block diagram of an electronic device according to an embodiment of the present disclosure. As shown in Figure 5, the electronic device 500 includes a memory 501 and a processor 502, wherein:

the memory 501 stores one or more computer instructions, which are executed by the processor 502 to implement the above method steps.

Figure 6 is a schematic structural diagram of a computer system suitable for implementing a security monitoring method based on a microkernel operating system according to an embodiment of the present disclosure.

As shown in Figure 6, the computer system 600 includes a processing unit 601, which can execute the various processes of the above embodiments according to a program stored in read-only memory (ROM) 602 or a program loaded from the storage section 608 into random access memory (RAM) 603. RAM 603 also holds the programs and data the computer system 600 needs to operate. The processing unit 601, ROM 602 and RAM 603 are connected to one another through a bus 604, and an input/output (I/O) interface 605 is also connected to the bus 604.

The following components are connected to the I/O interface 605: an input section 606 including a keyboard, a mouse and the like; an output section 607 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, as well as a speaker; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card or a modem. The communication section 609 performs communication processing over a network such as the Internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611, such as a magnetic disk, optical disk, magneto-optical disk or semiconductor memory, is mounted on the drive 610 as needed, so that a computer program read from it can be installed into the storage section 608 as needed. The processing unit 601 may be implemented as a CPU, GPU, TPU, FPGA, NPU or other processing unit.

In particular, according to embodiments of the present disclosure, the method described above can be implemented as a computer software program. For example, an embodiment of the present disclosure includes a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program containing program code for carrying out the method. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 609 and/or installed from the removable medium 611.

The flowcharts and block diagrams in the drawings illustrate possible architectures, functions and operations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each box in a flowchart or block diagram may represent a module, program segment or portion of code that contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions noted in the boxes may occur in an order different from that shown in the drawings; for example, two boxes shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each box in the block diagrams and/or flowcharts, and combinations of such boxes, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.

The units or modules involved in the embodiments of the present disclosure may be implemented in software or in hardware. The described units or modules may also be arranged in a processor, and in some cases the names of these units or modules do not limit the units or modules themselves.

As another aspect, the present disclosure also provides a computer-readable storage medium, which may be the computer-readable storage medium included in the device described in the above embodiments, or a computer-readable storage medium that exists on its own and is not assembled into a device. The computer-readable storage medium stores one or more programs, which one or more processors use to execute the method described in the present disclosure.

The above description is only of preferred embodiments of the present disclosure and of the technical principles applied. Those skilled in the art should understand that the scope of the invention involved in the present disclosure is not limited to technical solutions formed by the specific combination of the above technical features, and also covers other technical solutions formed by any combination of the above technical features or their equivalents without departing from the inventive concept, for example solutions in which the above features are interchanged with technical features of similar function disclosed in (but not limited to) the present disclosure.

Claims (29)

一种基于微内核操作系统的安全监控方法,其特征在于,包括:A security monitoring method based on a microkernel operating system, characterized by comprising: 响应于用户空间的执行对象对微内核操作系统中的系统调用接口的调用请求,在内核空间将所述调用请求对应的系统调用事件类型与预先配置的审计配置信息进行匹配;In response to a call request from an execution object in a user space to a system call interface in a microkernel operating system, matching a system call event type corresponding to the call request with pre-configured audit configuration information in a kernel space; 在所述系统调用事件类型与所述审计配置信息相匹配时,将所述系统调用接口进入内核空间运行时的入口审计信息记录在所述执行对象的审计上下文结构中,并将所述系统调用接口退出时的出口审计信息也记录在所述执行对象的审计上下文结构中;When the system call event type matches the audit configuration information, the entry audit information of the system call interface when entering the kernel space for runtime is recorded in the audit context structure of the execution object, and the exit audit information of the system call interface when exiting is also recorded in the audit context structure of the execution object; 在退出所述系统调用接口时将所述审计上下文结构中的入口审计信息和出口审计信息从所述内核空间输出至用户空间的审计缓冲区。When exiting the system call interface, the entry audit information and the exit audit information in the audit context structure are output from the kernel space to the audit buffer of the user space. 根据权利要求1所述的方法,其特征在于,所述方法还包括:The method according to claim 1, characterized in that the method further comprises: 在所述调用请求对应的系统调用事件类型与所述审计配置信息不相匹配时,将所述系统调用接口在内核空间执行过程中所产生的第一内核态日志信息写入用户空间的日志缓冲区中。When the system call event type corresponding to the call request does not match the audit configuration information, the first kernel state log information generated by the system call interface during the execution of the kernel space is written into the log buffer of the user space. 
根据权利要求2所述的方法,其特征在于,所述方法还包括:The method according to claim 2, characterized in that the method further comprises: 将用户空间产生的用户态日志信息写入所述日志缓冲区中;和/或,Writing the user state log information generated by the user space into the log buffer; and/or, 将内核空间产生的第二内核态日志信息写入所述日志缓冲区中;其中,所述第二内核态日志信息为非系统调用接口在内核空间产生的日志信息。The second kernel state log information generated by the kernel space is written into the log buffer; wherein the second kernel state log information is log information generated by the non-system call interface in the kernel space. 根据权利要求2所述的方法,其特征在于,所述方法还包括:The method according to claim 2, characterized in that the method further comprises: 在用户空间读取所述日志缓冲区中的日志信息;Read the log information in the log buffer in the user space; 调用文件系统接口将所述日志缓冲区中的所述日志信息输出至控制台或日志文件中。The file system interface is called to output the log information in the log buffer to a console or a log file. 根据权利要求1所述的方法,其特征在于,所述方法还包括:The method according to claim 1, characterized in that the method further comprises: 获取用户空间产生的用户空间审计信息;Get user space audit information generated by user space; 将所述用户空间审计信息与所述审计配置信息进行匹配;Matching the user space audit information with the audit configuration information; 在所述用户空间审计信息与所述审计配置信息相匹配时,将所述用户空间审计信息写入所述审计缓冲区中。When the user space audit information matches the audit configuration information, the user space audit information is written into the audit buffer. 根据权利要求1所述的方法,其特征在于,所述方法还包括:The method according to claim 1, characterized in that the method further comprises: 接收用户在用户空间通过预设接口输入的用户配置信息;Receiving user configuration information input by the user in the user space through a preset interface; 基于所述用户配置信息更新在用户空间存储的所述审计配置信息。The audit configuration information stored in the user space is updated based on the user configuration information. 
根据权利要求4所述的方法,其特征在于,所述方法还包括:The method according to claim 4, characterized in that the method further comprises: 接收用户在用户空间对日志文件的查看请求;Receive a user's request to view the log file in the user space; 基于所述查看请求向用户输出所述日志文件。The log file is output to a user based on the viewing request. 根据权利要求1所述的方法,其特征在于,所述方法还包括:The method according to claim 1, characterized in that the method further comprises: 在用户空间读取所述审计缓冲区中的审计信息;Reading the audit information in the audit buffer in the user space; 调用文件系统接口将所述审计缓存区中的所述审计信息输出至审计文件中。The file system interface is called to output the audit information in the audit buffer area to an audit file. 根据权利要求8所述的方法,其特征在于,所述方法还包括:The method according to claim 8, characterized in that the method further comprises: 接收用户在用户空间对所述审计文件的查看请求;Receiving a user's request to view the audit file in the user space; 基于所述审计文件中的审计信息向用户输出审计报告。An audit report is output to a user based on the audit information in the audit file. 根据权利要求8或9所述的方法,其特征在于,所述方法还包括:The method according to claim 8 or 9, characterized in that the method further comprises: 在用户空间设置审计缓冲区链表;所述审计缓冲区链表用于存储指向所述审计缓冲区的指针;An audit buffer linked list is set in the user space; the audit buffer linked list is used to store a pointer pointing to the audit buffer; 调用文件系统接口将所述审计缓存区中的所述审计信息输出至审计文件中,包括:Calling a file system interface to output the audit information in the audit buffer area to an audit file includes: 在所述审计缓冲区链表中的指针个数超过预设阈值后,在用户空间基于所述审计缓冲区链表中的指针,调用文件系统接口将所述审计缓冲区中的审计信息输出至所述审计文件中;After the number of pointers in the audit buffer linked list exceeds a preset threshold, in the user space, based on the pointers in the audit buffer linked list, the file system interface is called to output the audit information in the audit buffer to the audit file; 删除所述审计缓冲区链表中对应的指针。Delete the corresponding pointer in the audit buffer linked list. 
根据权利要求1所述的方法,其特征在于,所述方法还包括:The method according to claim 1, characterized in that the method further comprises: 建立空闲的审计缓冲区; Create a free audit buffer; 将指向所述空闲的审计缓冲区的指针存储在空闲审计缓冲区链表中;storing a pointer to the idle audit buffer in an idle audit buffer linked list; 在退出所述系统调用接口时将所述审计上下文结构中的入口审计信息和出口审计信息从所述内核空间输出至用户空间的审计缓冲区,包括:When exiting the system call interface, the entry audit information and the exit audit information in the audit context structure are output from the kernel space to the audit buffer of the user space, including: 从所述空闲审计缓冲区链表中请求空闲的审计缓冲区;Requesting an idle audit buffer from the idle audit buffer linked list; 将所述审计上下文结构中的审计信息写入空闲的所述审计缓冲区中。The audit information in the audit context structure is written into the idle audit buffer. 根据权利要求11所述的方法,其特征在于,所述方法还包括:The method according to claim 11, characterized in that the method further comprises: 在所述空闲审计缓冲区链表中没有空闲的审计缓冲区时,重新分配审计缓冲区;When there is no idle audit buffer in the idle audit buffer chain list, reallocate the audit buffer; 将所述审计上下文结构中的审计信息写入重新分配的所述审计缓冲区中。The audit information in the audit context structure is written into the reallocated audit buffer. 根据权利要求1所述的方法,其特征在于,所述方法还包括:The method according to claim 1, characterized in that the method further comprises: 在所述审计文件中的内容超过预设存储容量后,建立新的审计文件;After the content in the audit file exceeds the preset storage capacity, a new audit file is created; 在所述审计文件的个数超过预设数量后,按照时间先后顺序删除最先建立的一个或多个审计文件。After the number of the audit files exceeds a preset number, one or more audit files created first are deleted in chronological order. 
一种基于微内核操作系统的安全监控装置,其特征在于,包括:A security monitoring device based on a microkernel operating system, characterized by comprising: 响应模块,被配置为响应于用户空间的执行对象对微内核操作系统中的系统调用接口的调用请求,在内核空间将所述调用请求对应的系统调用事件类型与预先配置的审计配置信息进行匹配;A response module is configured to respond to a call request of an execution object in a user space to a system call interface in a microkernel operating system, and match a system call event type corresponding to the call request with pre-configured audit configuration information in a kernel space; 记录模块,被配置为在所述系统调用事件类型与所述审计配置信息相匹配时,将所述系统调用接口进入内核空间运行时的入口审计信息记录在所述执行对象的审计上下文结构中,并将所述系统调用接口退出时的出口审计信息也记录在所述执行对象的审计上下文结构中;A recording module configured to record, when the system call event type matches the audit configuration information, entry audit information of the system call interface when it enters the kernel space for runtime in the audit context structure of the execution object, and also record exit audit information of the system call interface when it exits in the audit context structure of the execution object; 第一输出模块,被配置为在退出所述系统调用接口时将所述审计上下文结构中的入口审计信息和出口审计信息从所述内核空间输出至用户空间的审计缓冲区。The first output module is configured to output the entry audit information and the exit audit information in the audit context structure from the kernel space to the audit buffer of the user space when exiting the system call interface. 根据权利要求14所述的装置,其特征在于,所述装置还包括:The device according to claim 14, characterized in that the device further comprises: 第一写入模块,被配置为在所述调用请求对应的系统调用事件类型与所述审计配置信息不相匹配时,将所述系统调用接口在内核空间执行过程中所产生的第一内核态日志信息写入用户空间的日志缓冲区中。The first writing module is configured to write the first kernel state log information generated by the system call interface during the execution of the kernel space into the log buffer of the user space when the system call event type corresponding to the call request does not match the audit configuration information. 
根据权利要求15所述的装置,其特征在于,所述装置还包括:The device according to claim 15, characterized in that the device further comprises: 第二写入模块,被配置为将用户空间产生的用户态日志信息写入所述日志缓冲区中;和/或,A second writing module is configured to write the user state log information generated by the user space into the log buffer; and/or, 第三写入模块,将内核空间产生的第二内核态日志信息写入所述日志缓冲区中;其中,所述第二内核态日志信息为非系统调用接口在内核空间产生的日志信息。The third writing module writes the second kernel state log information generated by the kernel space into the log buffer; wherein the second kernel state log information is log information generated by the non-system call interface in the kernel space. 根据权利要求15所述的装置,其特征在于,所述装置还包括:The device according to claim 15, characterized in that the device further comprises: 第一读取模块,被配置为在用户空间读取所述日志缓冲区中的日志信息;A first reading module is configured to read the log information in the log buffer in the user space; 第一调用模块,被配置为调用文件系统接口将所述日志缓冲区中的所述日志信息输出至控制台或日志文件中。The first calling module is configured to call a file system interface to output the log information in the log buffer to a console or a log file. 根据权利要求14所述的装置,其特征在于,所述装置还包括:The device according to claim 14, characterized in that the device further comprises: 获取模块,被配置为获取用户空间产生的用户空间审计信息;An acquisition module, configured to acquire user space audit information generated by the user space; 匹配模块,被配置为将所述用户空间审计信息与所述审计配置信息进行匹配;A matching module, configured to match the user space audit information with the audit configuration information; 第四写入模块,被配置为在所述用户空间审计信息与所述审计配置信息相匹配时,将所述用户空间审计信息写入所述审计缓冲区中。A fourth writing module is configured to write the user space audit information into the audit buffer when the user space audit information matches the audit configuration information. 
The device according to claim 14, characterized in that the device further comprises: a first receiving module, configured to receive user configuration information input by a user in user space through a preset interface; and an update module, configured to update the audit configuration information stored in user space based on the user configuration information.

The device according to claim 18, characterized in that the device further comprises: a second receiving module, configured to receive a user's request, made in user space, to view the log file; and a second output module, configured to output the log file to the user based on the viewing request.

The device according to claim 14, characterized in that the device further comprises: a second reading module, configured to read the audit information in the audit buffer in user space; and a second calling module, configured to call a file system interface to output the audit information in the audit buffer to an audit file.

The device according to claim 21, characterized in that the device further comprises: a third receiving module, configured to receive a user's request, made in user space, to view the audit file; and a third output module, configured to output an audit report to the user based on the audit information in the audit file.
The device according to claim 21 or 22, characterized in that the device further comprises: a setting module, configured to set up an audit buffer linked list in user space, the audit buffer linked list being used to store pointers to the audit buffers; and the second calling module comprises: a calling submodule, configured to, after the number of pointers in the audit buffer linked list exceeds a preset threshold, call a file system interface in user space, based on the pointers in the audit buffer linked list, to output the audit information in the audit buffers to the audit file; and a deletion submodule, configured to delete the corresponding pointers from the audit buffer linked list.

The device according to claim 14, characterized in that the device further comprises: a first establishment module, configured to establish idle audit buffers; and a storage module, configured to store pointers to the idle audit buffers in an idle audit buffer linked list; and the first output module comprises: a request submodule, configured to request an idle audit buffer from the idle audit buffer linked list; and a writing submodule, configured to write the audit information in the audit context structure into the idle audit buffer.
The device according to claim 24, characterized in that the device further comprises: an allocation module, configured to reallocate an audit buffer when there is no idle audit buffer in the idle audit buffer linked list; and a fifth writing module, configured to write the audit information in the audit context structure into the reallocated audit buffer.

The device according to claim 14, characterized in that the device further comprises: a second establishment module, configured to establish a new audit file after the content of the audit file exceeds a preset storage capacity; and a deletion module, configured to delete, in chronological order, the one or more audit files established earliest after the number of audit files exceeds a preset number.

An electronic device, characterized by comprising a memory, a processor, and a computer program stored on the memory, wherein the processor executes the computer program to implement the method according to any one of claims 1 to 13.

A computer-readable storage medium having computer instructions stored thereon, characterized in that the computer instructions, when executed by a processor, implement the method according to any one of claims 1 to 13.

A chip for executing instructions, the instructions being executed by the chip to implement the steps of the method according to any one of claims 1 to 13.
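As an added illustration (not code from the patent), the following C model covers the buffer-management claims above: an idle audit buffer list with reallocation when it is empty, a pending pointer list that is flushed to the audit file once a preset threshold is exceeded (with the pointers then removed and the buffers returned to the idle list), and audit file rotation by storage capacity and file count. The sizes, names and the in-memory representation of audit files are assumptions.

```c
/* Added example, not code from the patent: a C model of the claimed user-space
 * audit buffer pool, threshold flush and audit file rotation. Sizes, names and
 * the in-memory "files" are constructed assumptions. */
#include <stdlib.h>
#include <string.h>
#define BUF_SIZE        64   /* bytes of audit information per buffer */
#define FLUSH_THRESHOLD 4    /* pending pointers allowed before a flush */
#define FILE_CAPACITY   200  /* bytes per audit file before a new one is made */
#define MAX_FILES       3    /* earliest file is deleted beyond this count */
typedef struct audit_buf { char data[BUF_SIZE]; int len; struct audit_buf *next; } audit_buf_t;
/* Idle (free) audit buffer list and the list of buffers awaiting flush. */
static audit_buf_t *free_list, *pending_list;
static int pending_count, realloc_count;
/* Simulated audit files: bytes written to each, earliest first. */
static int files[MAX_FILES + 1], file_count;
/* Request an idle buffer; reallocate one when the idle list is empty. */
audit_buf_t *audit_buf_request(void)
{
    audit_buf_t *b = free_list;
    if (b) free_list = b->next;
    else { b = calloc(1, sizeof *b); realloc_count++; }
    if (b) b->len = 0;
    return b;
}
/* Append to the newest audit file, creating a new one when capacity is
 * exceeded and deleting the earliest file once there are too many. */
static void audit_file_append(int bytes)
{
    if (file_count == 0 || files[file_count - 1] + bytes > FILE_CAPACITY)
        files[file_count++] = 0;
    if (file_count > MAX_FILES) { memmove(files, files + 1, sizeof(int) * MAX_FILES); file_count--; }
    files[file_count - 1] += bytes;
}
/* Queue a filled buffer's pointer; once the threshold is exceeded, write every
 * pending buffer to the audit file, drop its pointer and return the buffer to
 * the idle list. Returns the number of buffers flushed by this call. */
int audit_buf_submit(audit_buf_t *b)
{
    b->next = pending_list; pending_list = b; pending_count++;
    if (pending_count <= FLUSH_THRESHOLD) return 0;
    int flushed = 0;
    while (pending_list) {
        audit_buf_t *p = pending_list; pending_list = p->next;
        audit_file_append(p->len);
        p->next = free_list; free_list = p;
        flushed++;
    }
    pending_count = 0;
    return flushed;
}
int audit_file_count(void) { return file_count; }
int audit_realloc_count(void) { return realloc_count; }
```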
PCT/CN2023/133287 2023-02-10 2023-11-22 Microkernel operating system based security monitoring method, apparatus, device, and chip WO2024164630A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202310093203.9A CN115774651B (en) 2023-02-10 2023-02-10 Security monitoring method, device, equipment and chip based on microkernel operating system
CN202310093203.9 2023-02-10

Publications (1)

Publication Number Publication Date
WO2024164630A1 true WO2024164630A1 (en) 2024-08-15

Family

ID=85393446

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/133287 WO2024164630A1 (en) 2023-02-10 2023-11-22 Microkernel operating system based security monitoring method, apparatus, device, and chip

Country Status (2)

Country Link
CN (1) CN115774651B (en)
WO (1) WO2024164630A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115774651B (en) * 2023-02-10 2023-06-09 北京智芯微电子科技有限公司 Security monitoring method, device, equipment and chip based on microkernel operating system

Citations (5)

Publication number Priority date Publication date Assignee Title
US7099866B1 (en) * 2001-11-16 2006-08-29 Hewlett-Packard Development Company, L.P. Method of generating and presenting kernel data
CN102509040A (en) * 2011-10-12 2012-06-20 北京工业大学 Method for processing audit information in safe operation system
CN112084005A (en) * 2020-09-09 2020-12-15 北京升鑫网络科技有限公司 Container behavior auditing method, device, terminal and storage medium
CN113221101A (en) * 2021-04-06 2021-08-06 中标软件有限公司 Method for realizing safety audit function based on android system
CN115774651A (en) * 2023-02-10 2023-03-10 北京智芯微电子科技有限公司 Safety monitoring method, device, equipment and chip based on microkernel operating system

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
CN102073579B (en) * 2011-01-24 2015-04-22 复旦大学 Method for merging and optimizing audit events of Linux file system
US12332995B2 (en) * 2020-10-23 2025-06-17 Red Hat, Inc. Containers system auditing through system call emulation

Non-Patent Citations (1)

Title
BAOMAIZI: "Linux security audit mechanism module, Linux security audit mechanism m e implementation analysis (7)", 13 May 2021 (2021-05-13), XP093199516, Retrieved from the Internet <URL:https://blog.csdn.net/weixin_29829343/article/details/116893924> *

Also Published As

Publication number Publication date
CN115774651B (en) 2023-06-09
CN115774651A (en) 2023-03-10

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23920821

Country of ref document: EP

Kind code of ref document: A1