CN-121980608-A - EBPF-based SQLite database runtime behavior sensing and access control method
Abstract
An eBPF-based method for SQLite database runtime behavior sensing and access control belongs to the technical field of computer system security. Existing schemes either depend too heavily on application-layer logic or rely on hardware-layer protection that is impractical. The system comprises three logic modules that cooperate to form a closed loop: a kernel probe module, in which eBPF programs deployed on critical kernel paths capture raw events and execute mandatory interception; a policy decision module, which runs in user space, receives the audit events reported by the kernel, performs deep analysis, judges risk against the existing policy, and generates dynamic control policy; and a data interaction module, which serves as a secure communication bridge between kernel space and user space. The invention is independent of application integrity and can perform fine-grained audit and interception of SQLite operations at the kernel level. Because the method does not depend on whether the application-layer logic is sound, it can effectively block high-risk behaviors such as data theft even after the application has been compromised.
Inventors
- ZENG JIAHAO
- HU JUN
Assignees
- Beijing University of Technology (北京工业大学)
Dates
- Publication Date: 2026-05-05
- Application Date: 2025-12-31
Claims (2)
- 1. An eBPF-based SQLite database runtime behavior sensing and access control method, characterized in that the system used is composed of the following three logic modules, which work cooperatively to form a closed loop: 1) Kernel probe module: eBPF programs deployed on critical kernel paths, responsible for capturing raw events and executing mandatory interception, comprising two subunits: a) a behavior-sensing probe hooked at the entry of the SQLite library function sqlite3_prepare_v2, used to acquire the original SQL statement and the calling process context; b) an access control probe hooked on the file_open and file_permission hooks of the Linux Security Module (LSM) framework, used to enforce mandatory access control on the database file. 2) Policy decision module: runs in user space, receives the audit events reported by the kernel, performs deep analysis, judges risk against the existing policy, and generates dynamic control policy. Core functions: parsing SQL statements and judging whether they are unauthorized (privilege-exceeding) or abnormal operations such as full-table scans; matching a static whitelist on the physical identity of the process, namely exe_dev+exe_ino (device number plus inode number of the executable); and, if an attack is found, adding the process PID to a dynamic blacklist immediately. 3) Data interaction module: serves as a secure communication bridge between kernel space and user space and contains two types of data structure: a) a Ring Buffer, used to asynchronously push audit events from the kernel to the user-space policy decision module; b) shared Maps, comprising a static whitelist Map and a dynamic blacklist Map, used by the kernel probe module to query the access policy in real time.
- 2. The method according to claim 1, characterized in that: Step one, initialization and deployment: when the system starts, load the predefined static whitelist (the list of authorized programs) into the whitelist Map in the kernel; install the behavior-sensing probe at the address of the sqlite3_prepare_v2 function in the SQLite library; install the access control probes at the security_file_open and security_file_permission hooks of the LSM framework. Step two, SQL behavior capture and reporting: whenever any process calls SQLite to execute SQL, the behavior-sensing probe is triggered; the probe reads the physical identity of the calling process's executable file (device number + inode number) and the original SQL string, packages this information into an audit event, and pushes the event through the Ring Buffer to the policy decision module in user space. Step three, risk analysis and policy generation: after the policy decision module receives the event, a) it parses the SQL statement and determines the operation type and the target object, namely the table and column; b) it queries the system policy to verify whether the process is authorized to perform that operation; c) if an anomaly is found, for example an unauthorized process executing SELECT, it writes the PID of the process into the dynamic blacklist Map. Step four, mandatory access control: when a process attempts to open, read or write the database file, the access control probe is triggered and performs the following check sequence: a) blacklist priority: the dynamic blacklist Map is queried with the current PID, and on a hit access is refused immediately; b) whitelist verification: if the blacklist is missed, the static whitelist Map is queried with the physical identity of the process, and the operation is allowed only on a hit.
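The following is an added worked example written for this page; it is not code from the patent or its inventors. It is a user-space C simulation of the closed loop in claims 1 and 2, and it also illustrates the roles assigned to the whitelist Map, blacklist Map and Ring Buffer in the Description. In the real design the kernel side is eBPF (a uprobe at sqlite3_prepare_v2 for step two, BPF-LSM programs on file_open and file_permission for step four, eBPF maps for the two lists, and a ring buffer for the event push); here plain arrays and a direct function call stand in for them so the decision logic compiles with any C99 compiler. The device/inode pairs, PIDs, SQL strings and the per-executable policy table are constructed for illustration, and the function names (setup_demo, probe_prepare_v2, policy_decide, lsm_check, classify_sql, is_full_scan) are this example's own, not the patent's.

```c
/* Added example, not the patent's own code: a user-space C simulation of the
 * closed loop in claims 1-2. The real kernel side is eBPF (a uprobe on
 * sqlite3_prepare_v2, BPF-LSM programs on file_open/file_permission, eBPF maps
 * for the two lists, a ring buffer to user space); arrays and a direct call
 * stand in for those here. All identities and policy rules are constructed. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_ENTRIES 16
#define SQL_MAX 256
typedef struct { uint64_t dev, ino; } exe_id;    /* physical identity: exe_dev + exe_ino */
typedef struct { uint32_t pid; exe_id exe; char sql[SQL_MAX]; } audit_event;
enum sql_op { OP_UNKNOWN, OP_SELECT, OP_INSERT, OP_UPDATE, OP_DELETE, OP_DDL };
typedef struct { exe_id exe; enum sql_op op; } policy_rule;
static exe_id      whitelist[MAX_ENTRIES]; static int whitelist_len; /* static whitelist map */
static uint32_t    blacklist[MAX_ENTRIES]; static int blacklist_len; /* dynamic blacklist map */
static policy_rule policy[MAX_ENTRIES];    static int policy_len;    /* user-space policy */

static bool exe_eq(exe_id a, exe_id b) { return a.dev == b.dev && a.ino == b.ino; }
static bool whitelist_hit(exe_id e) {
    for (int i = 0; i < whitelist_len; i++) if (exe_eq(whitelist[i], e)) return true;
    return false;
}
bool blacklist_hit(uint32_t pid) {
    for (int i = 0; i < blacklist_len; i++) if (blacklist[i] == pid) return true;
    return false;
}
static void blacklist_add(uint32_t pid) {
    if (!blacklist_hit(pid) && blacklist_len < MAX_ENTRIES) blacklist[blacklist_len++] = pid;
}
/* Step 3a: operation type from the leading keyword, case-insensitively. */
enum sql_op classify_sql(const char *sql) {
    char kw[16]; int n = 0;
    while (*sql && isspace((unsigned char)*sql)) sql++;
    while (*sql && isalpha((unsigned char)*sql) && n < 15) kw[n++] = (char)toupper((unsigned char)*sql++);
    kw[n] = '\0';
    if (!strcmp(kw, "SELECT")) return OP_SELECT;
    if (!strcmp(kw, "INSERT")) return OP_INSERT;
    if (!strcmp(kw, "UPDATE")) return OP_UPDATE;
    if (!strcmp(kw, "DELETE")) return OP_DELETE;
    if (!strcmp(kw, "CREATE") || !strcmp(kw, "DROP") || !strcmp(kw, "ALTER")) return OP_DDL;
    return OP_UNKNOWN;
}
/* Step 3a, abnormal operation: SELECT/UPDATE/DELETE with no WHERE clause counts as a full-table scan. */
bool is_full_scan(const char *sql) {
    enum sql_op op = classify_sql(sql);
    if (op != OP_SELECT && op != OP_UPDATE && op != OP_DELETE) return false;
    char up[SQL_MAX]; size_t i;
    for (i = 0; sql[i] && i < SQL_MAX - 1; i++) up[i] = (char)toupper((unsigned char)sql[i]);
    up[i] = '\0';
    return strstr(up, " WHERE ") == NULL;
}

/* Steps 3b-3c (policy decision module): true when the event is judged high-risk
 * and the PID has been written into the dynamic blacklist. */
bool policy_decide(const audit_event *ev) {
    enum sql_op op = classify_sql(ev->sql);
    bool authorized = false;
    for (int i = 0; i < policy_len; i++)
        if (exe_eq(policy[i].exe, ev->exe) && policy[i].op == op) authorized = true;
    if (authorized && !is_full_scan(ev->sql)) return false;
    blacklist_add(ev->pid);
    return true;
}

/* Step 2 (behavior-sensing probe at sqlite3_prepare_v2): package pid, exe identity
 * and raw SQL into an audit event; the direct call replaces the ring buffer push. */
bool probe_prepare_v2(uint32_t pid, uint64_t dev, uint64_t ino, const char *sql) {
    audit_event ev = { pid, { dev, ino }, { 0 } };
    strncpy(ev.sql, sql, SQL_MAX - 1);
    return policy_decide(&ev);
}

/* Step 4 (access-control probe on file_open/file_permission): dynamic blacklist by
 * PID first, then only a static-whitelist hit passes. 0 = allow, -1 = deny (-EPERM). */
int lsm_check(uint32_t pid, uint64_t dev, uint64_t ino) {
    if (blacklist_hit(pid)) return -1;
    return whitelist_hit((exe_id){ dev, ino }) ? 0 : -1;
}

/* Step 1: load the constructed whitelist and policy, clear the blacklist. */
int setup_demo(void) {
    whitelist_len = blacklist_len = policy_len = 0;
    whitelist[whitelist_len++] = (exe_id){ 8, 1234 };            /* the authorized app */
    policy[policy_len++] = (policy_rule){ { 8, 1234 }, OP_SELECT };
    policy[policy_len++] = (policy_rule){ { 8, 1234 }, OP_INSERT };
    return whitelist_len;
}

int main(void) {
    setup_demo();
    /* healthy instance: allowed; compromised instance of the same binary dumping a table: PID blocked; unlisted binary: whitelist miss */
    printf("pid 4141 blocked=%d open=%d\n",
           probe_prepare_v2(4141, 8, 1234, "SELECT name FROM users WHERE id = 1"), lsm_check(4141, 8, 1234));
    printf("pid 4242 blocked=%d open=%d\n",
           probe_prepare_v2(4242, 8, 1234, "SELECT * FROM users"), lsm_check(4242, 8, 1234));
    printf("pid 5000 open=%d\n", lsm_check(5000, 8, 999));
    return 0;
}
```

The second scenario is the point the claims make: the compromised process is running the whitelisted binary, so a whitelist-only check at file_open would pass it, and only the PID written by the policy decision module stops the subsequent file access. Two practical caveats when moving this logic into the real kernel-side programs: a PID-keyed blacklist entry must be removed when that process exits, because PIDs are reused; and device number plus inode number identifies the executable file, so putting an interpreter or shared runtime on the whitelist authorizes every script it runs.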
Description
EBPF-based SQLite database runtime behavior sensing and access control method

Technical Field: The invention belongs to the technical field of computer system security, and in particular relates to a security protection method for kernel-level runtime monitoring and mandatory access control of the SQLite database in embedded or lightweight application scenarios.

Background: The inventors have identified the following prior art: [1] White Jin, Hu Zeming, Sun Gongsheng. Security access control for SQLite3 based on multilevel roles of the RBAC model [J]. Computer Systems & Applications, 24(5): 177-182. [2] MUTTI S, BACIS E, PARABOSCHI S. SeSQLite: Security Enhanced SQLite: Mandatory Access Control for Android databases [C/OL] // Proceedings of the 31st Annual Computer Security Applications Conference. Los Angeles, CA, USA: ACM, 2015: 411-420 [2025-12-23]. https://dl.acm.org/doi/10.1145/2818000.2818041. DOI: 10.1145/2818000.2818041. [3] MA C, LU D, LV C, et al. BiTDB: Constructing A Built-in TEE Secure Database for Embedded Systems [J/OL]. IEEE Transactions on Knowledge and Data Engineering, 2024, 36(9): 4472-4485. DOI: 10.1109/TKDE.2024.3380367. [1] provides an access control method built by extending SQLite's native callback API; [2] provides a method that combines SQLite native API extensions with the system layer; [3] provides a method of protecting SQLite with a trusted execution environment (TEE). [1] depends on application-layer logic control: once the application layer is compromised through a vulnerability, an attacker can bypass it directly. [2] likewise depends on application-layer logic control: once the application layer is compromised, only coarse-grained system-level file protection remains. [3] over-emphasizes security, which creates data-silo problems, is not applicable in most scenarios, and incurs a large performance penalty.
Disclosure of the Invention: Current solutions either rely too heavily on application-layer logic, or their hardware-layer protection is impractical. The invention provides a novel security method that is independent of application integrity and performs fine-grained audit and interception of SQLite operations at the kernel level. The method does not depend on whether the application-layer logic is sound, and can effectively block high-risk behaviors such as data theft even after the application has been compromised.

1. Terminology

1) eBPF. Definition: a lightweight virtual machine technology provided by the Linux kernel; a user-space program loads eBPF programs into the kernel to achieve non-invasive system call monitoring, performance analysis and security protection. Role in the invention: the kernel-level monitoring tool through which probe programs are deployed without modifying kernel source code, capturing SQLite runtime behavior and enforcing access control.

2) LSM hook. Definition: the Linux Security Module (LSM) framework provides predefined function call points, such as security_file_open and security_file_permission, at which custom security-check logic can be inserted. Role in the invention: the deployment location of the access control probe, which intercepts file operation requests such as open, read and write and enforces mandatory access control based on physical identity.

3) eBPF probe. Definition: a lightweight eBPF program deployed in the Linux kernel to non-intrusively capture system calls, function calls or process context information.
Role in the invention: the behavior-sensing probe is hooked on an SQLite library function, namely sqlite3_prepare_v2, and captures the original SQL statement and the physical identity of the calling process; the access control probe is hooked on the LSM hooks and enforces file access interception based on the static whitelist and the dynamic blacklist.

4) Ring Buffer. Definition: an efficient data transfer structure provided by eBPF for asynchronously passing event data between kernel space and user space. Role in the invention: the audit event transmission channel, which pushes the SQL statements, process context and other information captured by the kernel probe to the user-space policy decision module without blocking the kernel execution path.

5) eBPF Map. Definition: a data structure shared between eBPF programs and user-space programs that stores key-value pairs and supports data synchronization across CPU cores. Role in the invention: the static whitelist Map stores the physical identity of authorized programs (device number plus inode number) for whitelist verification; the dynamic blacklist Map stores the PIDs of processes blocked in real time for rapid interception of abnormal behavior.

2. System composition of the invention

The system is composed of the following three logic modules,