Title: Improving System Security through System Configuration Analysis
Authors: Shih, Ying (石穎); 吳育松
Institute of Computer Science and Engineering
Keywords: Configuration Analysis; Configuration Detection; Software Anomaly Detection
Issue Date: 2012
Abstract: Configuration is an essential part of any software system and plays a key role in its security. On Windows, the registry stores a very large amount of configuration information. Earlier research that takes the registry as its object of analysis has been applied in several areas, including intrusion detection systems and configuration error detection systems. We propose a configuration analysis system for detecting problems in the configuration of a Windows system; the configuration it examines covers not only the registry but also the state and contents of the file system. The system checks for three kinds of problem: 1) missing updates for Microsoft software, 2) application errors caused by anomalies in the file system, and 3) application errors caused by anomalous registry contents. Its core architecture consists of three components: a configuration extractor that runs on the client to collect the user's configuration; a configuration statistics builder that produces statistics from healthy samples; and a configuration examiner that checks the configuration under test. The statistics builder derives the configuration statistics by analysing the healthy samples it has collected, and the examiner compares the configuration under test against those statistics and points out the problematic configuration entries. We evaluated the system on all three types of problem. For missing Microsoft software updates, the system determines with 90% accuracy whether the configuration under test is missing any updates; for application errors caused by file system anomalies, its accuracy is above 70%. For application misbehaviour caused by registry anomalies, the system cannot itself fix the application's abnormal behaviour, but it does point out the differences in registry configuration between the machine under test and the healthy samples.
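The following is an added illustration of the statistics-builder and examiner components outlined in the abstract; it is example code written for this page, not the thesis's own implementation, and every entry name, value and sample in it is a constructed placeholder.

```python
from collections import Counter, defaultdict

# Constructed healthy samples: each maps a configuration entry (a registry
# value or a file path) to the value observed on that host. The update names,
# registry paths and file paths are illustrative placeholders, not real ones.
HEALTHY_SAMPLES = [
    {"Updates\\KB0000001": "installed", "Updates\\KB0000002": "installed",
     "SOFTWARE\\ExampleApp\\Enabled": "1", "C:\\ExampleApp\\core.dll": "present"},
    {"Updates\\KB0000001": "installed", "Updates\\KB0000002": "installed",
     "SOFTWARE\\ExampleApp\\Enabled": "1", "C:\\ExampleApp\\core.dll": "present"},
    {"Updates\\KB0000001": "installed", "Updates\\KB0000002": "installed",
     "SOFTWARE\\ExampleApp\\Enabled": "1", "C:\\ExampleApp\\core.dll": "present",
     "SOFTWARE\\ExampleApp\\Theme": "dark"},
    {"Updates\\KB0000001": "installed", "Updates\\KB0000002": "installed",
     "SOFTWARE\\ExampleApp\\Enabled": "1", "C:\\ExampleApp\\core.dll": "present"},
]

# Constructed configuration under test: one update missing, one value changed,
# one entry that no healthy sample has.
TARGET = {"Updates\\KB0000001": "installed", "SOFTWARE\\ExampleApp\\Enabled": "0",
          "C:\\ExampleApp\\core.dll": "present", "SOFTWARE\\ExampleApp\\Debug": "1"}

def build_statistics(samples):
    """Statistics builder: count in how many healthy samples each entry appears
    and how often each of its values occurs."""
    presence, values = Counter(), defaultdict(Counter)
    for sample in samples:
        for key, value in sample.items():
            presence[key] += 1
            values[key][value] += 1
    return {"n": len(samples), "presence": presence, "values": values}

def examine(target, stats, common=0.9, rare=0.1):
    """Examiner: report entries of the target that deviate from the baseline."""
    n, findings = stats["n"], []
    for key, count in stats["presence"].items():
        if count / n >= common and key not in target:
            findings.append(("missing", key))        # e.g. an update every healthy host has
    for key, value in target.items():
        seen = stats["values"].get(key)
        if seen is None:
            findings.append(("unknown_entry", key))  # never observed on a healthy host
        elif seen[value] / n <= rare:
            findings.append(("unusual_value", key))  # value rarely seen on healthy hosts
    return sorted(findings)

if __name__ == "__main__":
    for kind, key in examine(TARGET, build_statistics(HEALTHY_SAMPLES)):
        print(f"{kind:14} {key}")
```

The thresholds `common` and `rare` are the tunable part: the abstract's accuracy figures depend on how strictly the examiner treats entries that only some healthy samples share.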
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079955632
http://hdl.handle.net/11536/50537
Appears in Collections: Thesis