CN103955362A - Xen-based operating system kernel monitoring method - Google Patents

Xen-based operating system kernel monitoring method

Info

Publication number
CN103955362A
Authority
CN
China
Prior art keywords
imd
stack
dom0
port
module
Legal status: Pending
Application number
CN201410133955.4A
Other languages
Chinese (zh)
Inventor
徐靖
徐海水
Current Assignee: Guangdong University of Technology
Original Assignee
Guangdong University of Technology
Application filed by Guangdong University of Technology
Priority to CN201410133955.4A
Publication of CN103955362A
Current legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a Xen-based operating system kernel monitoring method comprising the following steps: building a security monitoring framework for the operating system kernel using Xen virtualization technology, so that each extension module runs in its own independent unprivileged domain; simulating the cross-domain function call process of each extension module through the event channel and grant table communication mechanisms of Xen, and inserting a monitoring interface for security inspection into the cross-domain function call process. Xen virtualization technology is used to isolate each extension module so that it runs in its own low-privilege domain; the event channel and grant table communication mechanisms of the Xen virtual machine are then used to simulate the cross-domain function call process of each extension module. Since every extension module runs completely isolated in its own independent unprivileged domain, every cross-domain operation can be monitored. The Xen-based operating system kernel monitoring method is therefore more comprehensive, effective, convenient and fast, and can be widely applied in the field of computer software security.

Description

Xen-based operating system kernel monitoring method
Technical field
The present invention relates to the field of computer software security, and in particular to a Xen-based operating system kernel monitoring method.
Background
Explanation of terms:
LKM: Loadable Kernel Module, a mechanism for dynamically extending kernel functionality by loading modules into the kernel.
Kernel Rootkit: the main class of malware that compromises kernel integrity.
Monolithic kernel: also called a macro kernel, one kind of operating system kernel architecture.
Xen: a virtual machine of microkernel design.
Event Channel: event channel, one of the communication mechanisms of Xen.
Grant Tables: grant tables, one of the communication mechanisms of Xen.
Core Kernel: the non-extensible part of the operating system kernel.
Module: module.
struct IMD_info: the IMD_info structure, a new type that encapsulates the attributes of an IMD.
Dom: Domain, a domain provided by Xen; an operating system kernel runs in its own independent domain.
VCPU: virtual processor, Xen's abstraction of a processor.
IP: instruction pointer register, which stores the address currently being executed.
SP: Stack Pointer, the stack top register.
BP: Base Pointer, the stack base register.
AX: general-purpose register, usually used to hold a function's return value.
DX: general-purpose register, usually used to hold a function's return value.
CR2: exception-handling register, which stores the return value of the exception-handling function.
Dom0: the privileged domain of Xen.
DomU: an unprivileged domain of Xen.
IMD: Isolated Module Domain (abbreviated "isolated domain"), the DomU in which a module runs in isolation.
evtchn_port_req_0: the communication port used for access requests in the Dom0 to DomU direction;
evtchn_port_prov_0: the communication port used for access requests in the DomU to Dom0 direction;
EVTCHN_PORT_REQ_U: a fixed port on the IMD side, bound to port evtchn_port_prov_0 for event communication with that port; its port number is a predefined constant;
EVTCHN_PORT_PROV_U: a fixed port on the IMD side, bound to port evtchn_port_req_0 for event communication with that port; its port number is a predefined constant;
Module stack: the stack used when executing module code in the IMD.
Control stack: the stack used when executing control code in the IMD.
Hypervisor call: hypercall, the programming control interface provided by Xen.
Most modern commercial operating systems adopt the monolithic kernel architecture. Its characteristic is that the whole kernel program runs in kernel space in supervisor mode, and kernel functionality is dynamically extended through the LKM scheme. A hacker, however, can exploit this LKM extension facility to install a rootkit inside the kernel by modifying key data structures and code in the kernel, then use it to hide malicious processes and files, steal private data, or even persist as a backdoor program, destroying the integrity of the operating system kernel and compromising the security of the operating system.
Security tools that run inside the kernel are not sufficient to defeat such rootkits. The fundamental reason is that the kernel and a rootkit loaded through LKM run in the same privilege space: if a security tool can shut down the rootkit, the rootkit can equally shut down the security tool. Therefore the security tool running in the kernel and the rootkit loaded through LKM must run at different privilege levels; more precisely, the rootkit must not be allowed to run at the highest privilege level. This requires changing the LKM mechanism that is being maliciously exploited, so that the integrity of the operating system kernel can be monitored effectively.
Xen is a microkernel-architecture virtual machine using paravirtualization. Multiple domains can run on top of it: one Dom0 domain and several DomU domains, where Dom0 is the privileged domain holding the highest privilege of the whole system and the DomUs are unprivileged domains. Domains under the Xen virtual machine are isolated from each other, and communication between domains is realized through the Event Channel and Grant Table mechanisms provided by the Xen virtual machine. The microkernel architecture of the Xen virtual machine differs from the monolithic kernel architecture of traditional operating systems, which makes it possible to monitor the run-time integrity of an operating system kernel by means of virtualization technology.
However, there are at present no reports of applying the Xen virtual machine to monitoring operating system kernel integrity. The current run-time kernel integrity monitoring schemes in the industry mainly include:
A. Protecting the memory page tables through a virtual machine, marking the pages containing critical data as read-only, and triggering a page fault when an attempt is made to modify the contents of these pages, which then starts the monitoring device. This approach protects only critical data and ignores the protection of other data, so it is not a comprehensive protection scheme.
B. Preventing malicious code injection attacks by forbidding modification of kernel code and module code. This lacks effective protection of data regions and the stack, and cannot stop "Return-to-libc" style malicious code attacks.
C. Isolating untrusted extension modules from the core kernel, which effectively monitors malicious extensions that compromise core kernel integrity; however, other non-malicious extensions that need protection do not receive the protection they deserve.
In summary, the industry urgently needs a comprehensive and effective scheme for monitoring the run-time integrity of an operating system kernel.
Summary of the invention
To solve the above technical problems, the object of the invention is to provide a comprehensive and effective Xen-based operating system kernel monitoring method.
The technical solution adopted by the invention to solve the technical problems is a Xen-based operating system kernel monitoring method, comprising:
A. adopting Xen virtualization technology to build a security monitoring framework for the operating system kernel, so that each extension module runs in its own independent unprivileged domain;
B. simulating the cross-domain function call process of each extension module through the event channel and grant table communication mechanisms of Xen, and inserting a monitoring interface for security inspection into the cross-domain function call process.
Further, step A comprises:
A1. loading the module;
A2. creating an unprivileged domain IMD and initializing it;
A3. inserting the module into the kernel's linked list, creating a struct IMD_info, and linking the struct IMD_info into the IMD linked list;
A4. mapping the pages holding the module-domain initialization code and control code in Dom0 into the linear address space of the IMD;
A5. mapping the pages holding the module's own code and data into the IMD address space, setting the read, write and execute permissions of the page table entries of the pages occupied by the module in the IMD to the same permissions as in Dom0, and then setting the page table entries of the pages occupied by the module in Dom0 to non-executable;
A6. calling a kernel function to allocate, in Dom0, the pages containing the IMD control stack, and saving the page information in the corresponding attributes of IMD_info;
A7. allocating, in Dom0, the two event channel ports evtchn_port_req_0 and evtchn_port_prov_0 for the IMD, writing the port numbers evtchn_port_req_0 and evtchn_port_prov_0 to the bottom of the stack allocated in the IMD, and saving the two port numbers evtchn_port_req_0 and evtchn_port_prov_0 in the corresponding attributes of IMD_info;
A8. setting the IP register of the IMD's virtual processor to the entry of the IMD initialization code, and adjusting the SP and BP registers to reserve space for passing information between the IMD and Dom0;
A9. starting the IMD's virtual processor to execute the initialization code, so as to initialize the IMD;
A10. calling Xen's scheduling operation to enter the waiting state, to be woken only when an event is received from event port evtchn_port_prov_0;
A11. calling the module->init function to initialize the module, thereby triggering the first inter-domain function call from Dom0 to the IMD;
A12. releasing the shared regions of initialization data or code after initialization completes.
Further, the cross-domain function call process of each extension module comprises: the process in which the privileged domain calls an isolated-domain function; the process of handling access exceptions from the isolated domain toward the privileged domain; the general process in which the isolated domain calls a privileged-domain function; the process in which the isolated domain calls the privileged-domain memory allocation function; the process in which the isolated domain calls the privileged-domain memory free function; and the process in which the isolated domain reads or writes the privileged-domain data region.
Further, the process in which the privileged domain calls an isolated-domain function comprises:
G1. Dom0 issues a request to call a module function, which triggers a page fault;
G2. using the information in the IMD linked list, determining whether the page fault was caused by code in a page belonging to a module; if so, proceeding to step G3, otherwise keeping the operating system's own exception handling;
G3. according to the position of the current stack top in Dom0, copying the current stack contents to the IMD's module stack, and saving the values of the CR2, BP and SP registers in Dom0 together on the IMD's control stack;
G4. Dom0 sends an event to event channel port evtchn_port_req_0;
G5. mapping the IMD's module stack, within the IMD, to the same address as the linear address of the current stack in Dom0;
G6. the IMD, on detecting that an event has been received on port EVTCHN_PORT_PROV_U, resumes from the waiting state and reads the values of Dom0's CR2, BP and SP registers from the control stack;
G7. replacing the return address on the module stack with the address of the current function, while saving the IMD's BP and SP values in the variables IMD_bp and IMD_sp, and switching to the module stack according to the values of the Dom0 BP and SP registers just read;
G8. jumping to the address indicated by Dom0's CR2 register to execute the function; after it completes, returning to the return address substituted in step G7;
G9. writing the IMD's current AX and DX register contents to the bottom of the control stack, then switching the stack back to the control stack according to the saved IMD_bp and IMD_sp;
G10. the IMD sends an event to event channel port EVTCHN_PORT_PROV_U and enters the waiting state;
G11. Dom0 resumes execution on receiving the event from port evtchn_port_req_0, takes the AX and DX values from the bottom of the IMD control stack and saves them in the corresponding variables ax and dx;
G12. according to the stack frame state of the current stack, copying the data region in the IMD back to the current stack, then modifying the AX and DX register values in the exception handler's saved context according to the variables ax and dx, modifying the saved BP and SP values to the BP and SP values after the stack frame is popped, and then ending the call.
Further, the process of handling access exceptions from the isolated domain toward the privileged domain comprises:
H1. code in the IMD accesses a memory address that belongs to Dom0 and not to the module itself, triggering a memory access exception interrupt, and the previously bound callback function is executed;
H2. saving the register context, including the CR2 register, to the bottom of the stack, and sending an event on the IMD's event channel port EVTCHN_PORT_REQ_U to notify Dom0;
H3. Dom0 is woken again on receiving the event sent from port evtchn_port_req_0, and calls the corresponding handling function;
H4. Dom0 extracts the address and access type of the exception from the saved register context data;
H5. checking whether the address accessed by the IMD and the access type exceed Dom0's own access capability; if so, calling the operating system's own exception-handling function, otherwise proceeding to step H6;
H6. calling the security check function, which determines from the module address and access type information whether this module has permission for the access; if so, proceeding to step H7, otherwise executing the operating system's corresponding safety handling procedure on this module;
H7. determining whether the access type of the module is read/write or execute; if read/write, going to the process in which the isolated domain reads or writes the privileged-domain data region; if execute, proceeding to step H8;
H8. determining whether the function that Dom0 identifies the IMD is about to call is the memory allocation function; if so, going to the process in which the isolated domain calls the privileged-domain memory allocation function, otherwise proceeding to step H9;
H9. determining whether the function that Dom0 identifies the IMD is about to call is the memory free function; if so, going to the process in which the isolated domain calls the privileged-domain memory free function, otherwise executing the general process in which the isolated domain calls a privileged-domain function.
Further, the general process in which the isolated domain calls a privileged-domain function comprises:
P1. saving the return address of the current stack frame on the IMD's module stack, and replacing this return address with the destination address to return to;
P2. switching the current stack to the IMD's module stack, and jumping to the operating system's own exception handler address to execute the handling procedure;
P3. after execution completes, returning to the destination address, overwriting the context data that step H2 saved on the control stack with the current value of each general-purpose register of the virtual processor, and then switching the current stack back to Dom0's original stack;
P4. Dom0 writes the return address saved in step P1 to the bottom of the IMD control stack, in the space reserved in step A8 for passing information between the IMD and Dom0, then sends an event to the IMD through event channel port evtchn_port_prov_0, and enters the waiting state;
P5. the IMD is woken again on receiving the event sent on port EVTCHN_PORT_REQ_U;
P6. the IMD switches to the module stack, restores the context, and jumps to the return address saved in step P4 to continue the operating system's own normal processing.
Further, the process in which the isolated domain calls the privileged-domain memory allocation function comprises:
S1. Dom0 calls the memory allocation function to allocate memory;
S2. Dom0 maps the allocated pages into the IMD's address space at the same logical address as in Dom0 and with the same access permissions;
S3. Dom0 sets the allocated pages to non-executable in Dom0's page table entries;
S4. Dom0 modifies the module stack in the IMD accordingly and adjusts the SP and BP pointers of the IMD's virtual processor accordingly, so as to simulate completion of the function call in the IMD;
S5. Dom0 sends an event channel signal to the IMD to wake it, and returns to the waiting state to wait for the next event.
Further, the process in which the isolated domain calls the privileged-domain memory free function comprises:
F1. the IMD removes the pages to be freed from the address space of the IMD page table;
F2. the IMD calls the free function in Dom0 to free the memory pages;
F3. the IMD writes the return result to the IMD module stack;
F4. writing the state of the context registers and the original return address to the bottom of the IMD control stack;
F5. Dom0 sends an event channel signal to the IMD to wake it, and returns to the waiting state to wait for the next event;
F6. the IMD switches to the module stack, restores the context, and jumps to the return address saved on the control stack to continue the operating system's own normal processing.
Further, the process in which the isolated domain reads or writes the privileged-domain data region comprises:
W1. according to the value of the IP register in the IMD, fetching the instruction it points to, writing the fetched instruction to a pre-reserved location V, and writing an unconditional jump instruction at the next instruction, the target address of which is the address of step W3;
W2. saving the current context of Dom0, switching the stack to the IMD's module stack, restoring the IMD's context, and then jumping to location V of step W1;
W3. storing the current state, together with the address following the IMD's current IP, on the IMD control stack, then switching back to the original stack and restoring the context;
W4. sending an event channel signal to the IMD to wake it, and returning to the waiting state to wait for the next event;
W5. the IMD switches to the module stack, restores the context, and jumps to the return address saved on the control stack to continue the operating system's normal processing.
The beneficial effects of the invention are as follows: Xen virtualization technology is used to isolate each extension module so that it runs in its own independent low-privilege domain; the event channel and grant table communication mechanisms of the Xen virtual machine are then used to simulate the inter-domain function call process of the extension module, and each extension module runs in a completely isolated state in its own unprivileged domain, so that every cross-domain operation is monitored, which is more comprehensive and effective; moreover, monitoring only requires inserting a monitoring interface into the cross-domain function call process, which is very convenient and fast.
Brief description of the drawings
The invention is further described below with reference to the drawings and embodiments.
Fig. 1 is the step flow chart of the Xen-based operating system kernel monitoring method of the invention;
Fig. 2 is the step flow chart of step A of the invention;
Fig. 3 is the step flow chart of the process in which the privileged domain of the invention calls an isolated-domain function;
Fig. 4 is the step flow chart of the process of handling access exceptions from the isolated domain toward the privileged domain;
Fig. 5 is the step flow chart of the general process in which the isolated domain calls a privileged-domain function;
Fig. 6 is the step flow chart of the process in which the isolated domain calls the privileged-domain memory allocation function;
Fig. 7 is the step flow chart of the process in which the isolated domain calls the privileged-domain memory free function;
Fig. 8 is the step flow chart of the process in which the isolated domain reads or writes the privileged-domain data region;
Fig. 9 is a schematic diagram of the structure of the operating system kernel security monitoring framework built by the invention.
Embodiments
With reference to Fig. 1, a Xen-based operating system kernel monitoring method comprises:
A. adopting Xen virtualization technology to build a security monitoring framework for the operating system kernel, so that each extension module runs in its own independent unprivileged domain;
B. simulating the cross-domain function call process of each extension module through the event channel and grant table communication mechanisms of Xen, and inserting a monitoring interface for security inspection into the cross-domain function call process.
With reference to Fig. 2, as a further preferred embodiment, step A comprises:
A1. loading the module;
A2. creating an unprivileged domain IMD and initializing it;
A3. inserting the module into the kernel's linked list, creating a struct IMD_info, and linking the struct IMD_info into the IMD linked list;
A4. mapping the pages holding the module-domain initialization code and control code in Dom0 into the linear address space of the IMD;
A5. mapping the pages holding the module's own code and data into the IMD address space, setting the read, write and execute permissions of the page table entries of the pages occupied by the module in the IMD to the same permissions as in Dom0, and then setting the page table entries of the pages occupied by the module in Dom0 to non-executable;
A6. calling a kernel function to allocate, in Dom0, the pages containing the IMD control stack, and saving the page information in the corresponding attributes of IMD_info;
A7. allocating, in Dom0, the two event channel ports evtchn_port_req_0 and evtchn_port_prov_0 for the IMD, writing the port numbers evtchn_port_req_0 and evtchn_port_prov_0 to the bottom of the stack allocated in the IMD, and saving the two port numbers evtchn_port_req_0 and evtchn_port_prov_0 in the corresponding attributes of IMD_info;
A8. setting the IP register of the IMD's virtual processor to the entry of the IMD initialization code, and adjusting the SP and BP registers to reserve space for passing information between the IMD and Dom0;
A9. starting the IMD's virtual processor to execute the initialization code, so as to initialize the IMD;
A10. calling Xen's scheduling operation to enter the waiting state, to be woken only when an event is received from event port evtchn_port_prov_0;
A11. calling the module->init function to initialize the module, thereby triggering the first inter-domain function call from Dom0 to the IMD;
A12. releasing the shared regions of initialization data or code after initialization completes.
In step A7, writing the port numbers evtchn_port_req_0 and evtchn_port_prov_0 to the bottom of the stack allocated in the IMD provides information for the initialization of the IMD; the first port written to the bottom of the stack allocated in the IMD is evtchn_port_req_0.
When the module->init function is called in step A11 to initialize the module, the page table entries of the pages holding this module have already been set to non-executable in Dom0 in step A5, and the IMD has already been initialized, so the first inter-domain call from Dom0 to the IMD is triggered.
As a further preferred embodiment, the cross-domain function call process of each extension module comprises: the process in which the privileged domain calls an isolated-domain function; the process of handling access exceptions from the isolated domain toward the privileged domain; the general process in which the isolated domain calls a privileged-domain function; the process in which the isolated domain calls the privileged-domain memory allocation function; the process in which the isolated domain calls the privileged-domain memory free function; and the process in which the isolated domain reads or writes the privileged-domain data region.
With reference to Fig. 3, as a further preferred embodiment, the process in which the privileged domain calls an isolated-domain function comprises:
G1. Dom0 issues a request to call a module function, which triggers a page fault;
G2. using the information in the IMD linked list, determining whether the page fault was caused by code in a page belonging to a module; if so, proceeding to step G3, otherwise keeping the operating system's own exception handling;
G3. according to the position of the current stack top in Dom0, copying the current stack contents to the IMD's module stack, and saving the values of the CR2, BP and SP registers in Dom0 together on the IMD's control stack;
G4. Dom0 sends an event to event channel port evtchn_port_req_0;
G5. mapping the IMD's module stack, within the IMD, to the same address as the linear address of the current stack in Dom0;
G6. the IMD, on detecting that an event has been received on port EVTCHN_PORT_PROV_U, resumes from the waiting state and reads the values of Dom0's CR2, BP and SP registers from the control stack;
G7. replacing the return address on the module stack with the address of the current function, while saving the IMD's BP and SP values in the variables IMD_bp and IMD_sp, and switching to the module stack according to the values of the Dom0 BP and SP registers just read;
G8. jumping to the address indicated by Dom0's CR2 register to execute the function; after it completes, returning to the return address substituted in step G7;
G9. writing the IMD's current AX and DX register contents to the bottom of the control stack, then switching the stack back to the control stack according to the saved IMD_bp and IMD_sp;
G10. the IMD sends an event to event channel port EVTCHN_PORT_PROV_U and enters the waiting state;
G11. Dom0 resumes execution on receiving the event from port evtchn_port_req_0, takes the AX and DX values from the bottom of the IMD control stack and saves them in the corresponding variables ax and dx;
G12. according to the stack frame state of the current stack, copying the data region in the IMD back to the current stack, then modifying the AX and DX register values in the exception handler's saved context according to the variables ax and dx, modifying the saved BP and SP values to the BP and SP values after the stack frame is popped, and then ending the call.
In step G1, when Dom0 issues a request to call a module function, a page fault is triggered because all the page table entries of the module's pages in Dom0 were set to non-executable in step A5.
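As an added illustration (not code from the patent), the following Python model walks through steps G1 to G12 for one constructed module: a Dom0 call into a module page traps, Dom0 saves CR2/BP/SP on the IMD control stack and signals evtchn_port_req_0, and the IMD runs the function on the module stack and hands AX/DX back through the control stack. The addresses, the summing module function and the list-based stack representation are assumptions of the example.

```python
"""Model of the Dom0 -> IMD call sequence (steps G1-G12) of the patent.
Addresses, the module function and the stacks are constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Port naming follows the patent's glossary: Dom0 sends on evtchn_port_req_0,
# the IMD receives that event on EVTCHN_PORT_PROV_U and replies on the same
# port, which Dom0 receives on evtchn_port_req_0.
EVTCHN_PORT_REQ_0 = "evtchn_port_req_0"
EVTCHN_PORT_PROV_U = "EVTCHN_PORT_PROV_U"


class OSPageFault(Exception):
    """Fault not caused by a module page: left to the OS's own handler (G2)."""


@dataclass
class IMDInfo:
    """Minimal stand-in for struct IMD_info: module code pages and both stacks."""
    code_pages: range                                   # linear addresses of module code
    funcs: Dict[int, Callable[[List[int]], int]]        # entry address -> function body
    control_stack: List = field(default_factory=list)   # Dom0 <-> IMD transfer area
    module_stack: List[int] = field(default_factory=list)
    ax: int = 0
    dx: int = 0


class EventChannel:
    """Two bound ports: an event sent on one port is delivered on its peer."""
    def __init__(self) -> None:
        self.pending = {EVTCHN_PORT_REQ_0: False, EVTCHN_PORT_PROV_U: False}
        self.peer = {EVTCHN_PORT_REQ_0: EVTCHN_PORT_PROV_U,
                     EVTCHN_PORT_PROV_U: EVTCHN_PORT_REQ_0}

    def send(self, port: str) -> None:
        self.pending[self.peer[port]] = True

    def wait(self, port: str) -> None:
        # A domain may only resume when its port actually carries an event.
        if not self.pending[port]:
            raise RuntimeError("domain woken without a pending event on " + port)
        self.pending[port] = False


def imd_run(imd: IMDInfo, chan: EventChannel) -> None:
    """IMD side, steps G6-G10: wake, run the function at CR2, publish AX/DX."""
    chan.wait(EVTCHN_PORT_PROV_U)                       # G6: event arrived
    cr2, bp, sp = imd.control_stack.pop()               # G6: Dom0's CR2/BP/SP
    fn = imd.funcs.get(cr2)
    if fn is None:                                      # CR2 inside the module pages
        raise RuntimeError("no function entry at %#x" % cr2)   # but not an entry point
    imd.ax = fn(imd.module_stack)                       # G7/G8: run on the module stack
    imd.dx = 0
    imd.control_stack.append(("ret", imd.ax, imd.dx))   # G9: AX/DX to control stack
    chan.send(EVTCHN_PORT_PROV_U)                       # G10: notify Dom0, then wait


def dom0_call(imd_list: List[IMDInfo], chan: EventChannel,
              target: int, dom0_stack: List[int]) -> int:
    """Dom0 side: the module page is non-executable in Dom0 (A5), so the call
    at `target` traps; steps G1-G5 and G11-G12 handle that trap."""
    # G2: is the faulting address inside some module's code pages?
    imd: Optional[IMDInfo] = next((i for i in imd_list if target in i.code_pages), None)
    if imd is None:
        raise OSPageFault(hex(target))                  # OS's own handler takes over
    # G3: copy the current stack to the module stack, save CR2/BP/SP
    imd.module_stack = list(dom0_stack)
    imd.control_stack.append((target, len(dom0_stack), len(dom0_stack)))
    chan.send(EVTCHN_PORT_REQ_0)                        # G4
    imd_run(imd, chan)                                  # the IMD VCPU is scheduled
    chan.wait(EVTCHN_PORT_REQ_0)                        # G11: IMD finished
    _, ax, _dx = imd.control_stack.pop()                # G11: AX/DX from control stack
    dom0_stack[:] = imd.module_stack                    # G12: copy data back
    return ax                                           # G12: caller sees AX


def demo() -> int:
    """Constructed setup: one module at 0x1000 whose function sums its stack args."""
    imd = IMDInfo(code_pages=range(0x1000, 0x2000),
                  funcs={0x1000: lambda stk: sum(stk)})
    return dom0_call([imd], EventChannel(), 0x1000, [3, 4, 5])


if __name__ == "__main__":
    print("module returned AX =", demo())
```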
With reference to Fig. 4, as a further preferred embodiment, the process of handling access exceptions from the isolated domain toward the privileged domain comprises:
H1. code in the IMD accesses a memory address that belongs to Dom0 and not to the module itself, triggering a memory access exception interrupt, and the previously bound callback function is executed;
H2. saving the register context, including the CR2 register, to the bottom of the stack, and sending an event on the IMD's event channel port EVTCHN_PORT_REQ_U to notify Dom0;
H3. Dom0 is woken again on receiving the event sent from port evtchn_port_req_0, and calls the corresponding handling function;
H4. Dom0 extracts the address and access type of the exception from the saved register context data;
H5. checking whether the address accessed by the IMD and the access type exceed Dom0's own access capability; if so, calling the operating system's own exception-handling function, otherwise proceeding to step H6;
H6. calling the security check function, which determines from the module address and access type information whether this module has permission for the access; if so, proceeding to step H7, otherwise executing the operating system's corresponding safety handling procedure on this module;
H7. determining whether the access type of the module is read/write or execute; if read/write, going to the process in which the isolated domain reads or writes the privileged-domain data region; if execute, proceeding to step H8;
H8. determining whether the function that Dom0 identifies the IMD is about to call is the memory allocation function; if so, going to the process in which the isolated domain calls the privileged-domain memory allocation function, otherwise proceeding to step H9;
H9. determining whether the function that Dom0 identifies the IMD is about to call is the memory free function; if so, going to the process in which the isolated domain calls the privileged-domain memory free function, otherwise executing the general process in which the isolated domain calls a privileged-domain function.
The callback function bound in advance in step H1 refers to the exception-handling callback function bound in step A9 while building the security monitoring framework of the operating system kernel.
In step H1, when IMD code accesses a memory address that belongs to Dom0 and not to the module itself, the pages at these addresses have been marked invalid in the page table, so a memory access exception interrupt is triggered and the previously bound callback function is then executed.
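As an added illustration, not code from the patent, the following Python function models the decisions Dom0 makes in steps H5 to H9 for one access exception reported by the IMD. The Dom0 memory layout, the module's permission table and the kmalloc/kfree entry addresses are constructed for the example, and the security check of H6 is modelled as a per-module table of allowed Dom0 regions and access types.

```python
"""Model of Dom0's inspection of an IMD access exception (steps H5-H9).
The memory layout and the permission table are constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

READ, WRITE, EXEC = "read", "write", "exec"


@dataclass(frozen=True)
class Region:
    start: int
    end: int              # exclusive
    perms: frozenset      # access types Dom0 itself may perform here

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


@dataclass
class ModulePolicy:
    """What the security check function (H6) allows this module to touch."""
    code: Region                                 # the module's own pages
    allowed: List[Tuple[Region, frozenset]]      # (Dom0 region, allowed access types)


# Dispatch outcomes, one per branch of H5-H9.
OS_FAULT, DENIED, DATA_RW, CALL_ALLOC, CALL_FREE, CALL_GENERAL = (
    "os_fault", "denied", "data_rw", "call_alloc", "call_free", "call_general")


def dispatch(dom0_map: List[Region], module: ModulePolicy,
             alloc_fn: int, free_fn: int, cr2: int, access: str) -> str:
    """cr2 and access are what H4 extracts from the context the IMD saved in H2."""
    # H1 precondition: the faulting address lies outside the module's own pages.
    if module.code.contains(cr2):
        raise ValueError("not a cross-domain access: %#x" % cr2)
    # H5: would this access exceed what Dom0 itself can do at this address?
    region: Optional[Region] = next((r for r in dom0_map if r.contains(cr2)), None)
    if region is None or access not in region.perms:
        return OS_FAULT                        # OS's own exception handler
    # H6: security check against the module's permission table.
    permitted = any(r.contains(cr2) and access in types
                    for r, types in module.allowed)
    if not permitted:
        return DENIED                          # OS safety handling for this module
    # H7: read/write goes to the data-region read/write process.
    if access in (READ, WRITE):
        return DATA_RW
    # H8/H9: an execute access is a call; classify by the entry address.
    if cr2 == alloc_fn:
        return CALL_ALLOC
    if cr2 == free_fn:
        return CALL_FREE
    return CALL_GENERAL                        # general Dom0 function call process


def example_setup():
    """Constructed Dom0 layout: kernel text at 0xC0000000, kernel data at 0xC1000000;
    the module may call into kernel text and read only the first data page."""
    text = Region(0xC0000000, 0xC0100000, frozenset({READ, EXEC}))
    data = Region(0xC1000000, 0xC1100000, frozenset({READ, WRITE}))
    module = ModulePolicy(
        code=Region(0xD0000000, 0xD0010000, frozenset({READ, WRITE, EXEC})),
        allowed=[(text, frozenset({EXEC})),
                 (Region(0xC1000000, 0xC1001000, frozenset({READ, WRITE})),
                  frozenset({READ}))])
    kmalloc, kfree = 0xC0001000, 0xC0002000   # constructed entry addresses
    return [text, data], module, kmalloc, kfree


if __name__ == "__main__":
    dom0_map, module, kmalloc, kfree = example_setup()
    for addr, acc in [(kmalloc, EXEC), (0xC1000010, READ), (0xC1000010, WRITE)]:
        print("%#x %-5s -> %s" % (addr, acc, dispatch(dom0_map, module, kmalloc, kfree, addr, acc)))
```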
With reference to Fig. 5, as a further preferred embodiment, the general procedure for the isolated domain calling a privileged-domain function comprises:
P1. Save the return address of a stack frame on IMD's module stack, and replace that return address with the target address to be returned to;
P2. Switch the current stack to IMD's module stack, and go to the operating system's own handling procedure for the faulting address;
P3. After execution completes, return to the target address; overwrite the context data saved on the control stack in step H2 with the current values of each general-purpose register of the virtual processor, then switch the current stack back to Dom0's original stack;
P4. Dom0 writes the return address saved in step P1 into the IMD-Dom0 information transfer space reserved in step A8 at the bottom of the IMD control stack, then sends an event to IMD through event channel port evtchn_port_prov_0 and enters the waiting state;
P5. IMD is woken up again after receiving the event transmitted on port EVTCHN_PORT_REQ_U;
P6. IMD switches to the module stack, restores the context, and jumps to the return address saved in step P4 to continue the operating system's own normal processing.
With reference to Fig. 6, as a further preferred embodiment, the procedure for the isolated domain calling the privileged domain's memory allocation function comprises:
S1. Dom0 calls the memory allocation function to allocate memory;
S2. Dom0 maps the allocated pages into IMD's address space at the same logical address as in Dom0 and with the same access rights;
S3. Dom0 sets the page table entries of the allocated pages in Dom0 to executable;
S4. Dom0 makes the corresponding modification to the module stack in IMD and adjusts the SP and BP pointers of IMD's virtual processor accordingly, so as to simulate the completion of the function call;
S5. Dom0 sends an event channel signal to IMD to wake it, then returns to the waiting state to wait for the next event.
With reference to Fig. 7, as a further preferred embodiment, the procedure for the isolated domain calling the privileged domain's memory free function comprises:
F1. IMD removes the pages to be freed from the address space of IMD's page table;
F2. IMD calls the free function in Dom0 to free the memory pages;
F3. IMD writes the return result onto IMD's module stack;
F4. The state of the context registers and the original function return address are written to the bottom of IMD's control stack;
F5. Dom0 sends an event channel signal to IMD to wake it, then returns to the waiting state to wait for the next event;
F6. IMD switches to the module stack, restores the context, and jumps to the return address saved on the control stack to continue the operating system's own normal processing.
With reference to Fig. 8, as a further preferred embodiment, the procedure for the isolated domain reading and writing the privileged domain's data area comprises:
W1. Take out the instruction pointed to by the IP register in IMD, write that instruction to a position V reserved in advance, then write an unconditional jump instruction at the next instruction, the target address of which is the address of step W3;
W2. Save Dom0's current context, switch the stack to IMD's module stack, restore IMD's context, then jump to position V of step W1;
W3. Store the current state together with the address following IMD's current IP on the IMD control stack, then switch back to the original stack and restore the context;
W4. Send an event channel signal to IMD to wake it, then return to the waiting state to wait for the next event;
W5. IMD switches to the module stack, restores the context, and jumps to the return address saved on the control stack to continue the operating system's normal processing.
The present invention is described in further detail below with reference to specific embodiments.
Embodiment 1
This embodiment describes steps A2, A3 and A9 of step A, and step H1.
The struct IMD_info data structure of step A2 is defined as:
struct IMD_info {
    unsigned int domid;                 /* id of the unprivileged domain created in step A3 */
    struct module* module;              /* the extension module running in this IMD */
    struct page* ctl_stack;             /* page holding the IMD control stack (step A6) */
    struct page* mod_stack[2];          /* pages holding the IMD module stack */
    evtchn_port_t evtchn_port_req_0;    /* event channel ports allocated in step A7 */
    evtchn_port_t evtchn_port_prov_0;
};
Step A3 comprises the following steps:
A31. Create a new unprivileged domain IMD;
A32. Set the maximum amount of memory IMD may use;
A33. Set the number of virtual processors of IMD (the present invention sets it to 1);
A34. Initialize IMD's virtual processor.
Step A9 can be further divided into the following steps:
A91. Take out the port numbers evtchn_port_req_0 and evtchn_port_prov_0 that Dom0 left at the bottom of the IMD control stack (the stack on which IMD is currently running);
A92. Establish event channel communication between IMD and Dom0, binding the IMD-side port numbers EVTCHN_PORT_REQ_U and EVTCHN_PORT_PROV_U to evtchn_port_prov_0 and evtchn_port_req_0 on the Dom0 side respectively, where EVTCHN_PORT_REQ_U and EVTCHN_PORT_PROV_U are values fixed in advance;
A93. Allocate an event channel port evtchn_port_mmfalt for IMD and bind it to the page fault interrupt (interrupt number 14);
A94. Set a callback function for event channel port evtchn_port_mmfalt in IMD;
A95. Send an event message to IMD's port EVTCHN_PORT_REQ_U to indicate that initialization is complete;
A96. IMD enters the waiting state, waiting to receive an event again from event port EVTCHN_PORT_U.
When in step H1 IMD's code accesses a memory address belonging to Dom0, the data structure of the event information that must be transmitted is:
struct access {
    int flag;               /* READ for a read, WRITE for a write, EXEC for a call */
    unsigned long address;  /* the address that was accessed */
};
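The decision Dom0 makes in steps H4 to H9 on the struct access payload above, written as one default-deny dispatch function. This is an added C example, not code from the patent; the region table, the numeric values of READ, WRITE and EXEC, and every address in it are constructed assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Access types carried in struct access.flag.  The patent names READ, WRITE
 * and EXEC but gives no numeric values; these are assumed. */
enum { READ = 1, WRITE = 2, EXEC = 3 };

/* The event payload IMD hands to Dom0 in step H2 (struct access, Embodiment 1). */
struct access {
    int flag;               /* READ, WRITE or EXEC */
    unsigned long address;  /* faulting address taken from CR2 */
};

/* One Dom0 address range together with the rights the module holds on it.
 * This layout is assumed; the patent only says the check consults the
 * module's address and access type. */
struct region {
    unsigned long start, end;   /* half-open range [start, end) */
    int may_read, may_write, may_exec;
};

/* The outcome of steps H5-H9: which handler Dom0 hands the access to. */
enum verdict {
    V_DOM0_FAULT,    /* H5: beyond what Dom0 itself may access -> OS fault handler */
    V_DENIED,        /* H6: module has no right -> OS safe-handling routine */
    V_RW_PATH,       /* H7: read or write of Dom0 data -> steps W1-W5 */
    V_ALLOC_PATH,    /* H8: call of the memory allocation function -> steps S1-S5 */
    V_FREE_PATH,     /* H9: call of the memory free function -> steps F1-F6 */
    V_GENERIC_CALL   /* H9: any other Dom0 function -> steps P1-P6 */
};

/* Everything the safety-inspection function of step H6 needs to know. */
struct policy {
    unsigned long dom0_start, dom0_end;   /* H5: Dom0's own accessible range */
    const struct region *regions;         /* H6: ranges the module may touch */
    size_t nregions;
    unsigned long alloc_fn, free_fn;      /* H8/H9: entries Dom0 recognises */
};

static const struct region *find_region(const struct policy *p, unsigned long a)
{
    for (size_t i = 0; i < p->nregions; i++)
        if (a >= p->regions[i].start && a < p->regions[i].end)
            return &p->regions[i];
    return NULL;   /* address lies in no range the module was granted */
}

/* Steps H4-H9 as one decision.  Default-deny: an access type the event does
 * not describe, or an address outside every granted range, is unauthorised. */
enum verdict monitor_access(const struct policy *p, const struct access *acc)
{
    /* H5: does the access even lie inside Dom0's own reach? */
    if (acc->address < p->dom0_start || acc->address >= p->dom0_end)
        return V_DOM0_FAULT;

    /* H6: does this module hold the right for this type of access? */
    const struct region *r = find_region(p, acc->address);
    int allowed = 0;
    switch (acc->flag) {
    case READ:  allowed = r && r->may_read;  break;
    case WRITE: allowed = r && r->may_write; break;
    case EXEC:  allowed = r && r->may_exec;  break;
    default:    allowed = 0;                 /* unknown type: deny */
    }
    if (!allowed)
        return V_DENIED;

    /* H7: a data access goes to the read-write procedure. */
    if (acc->flag != EXEC)
        return V_RW_PATH;

    /* H8/H9: execution is a call into Dom0; route by the callee. */
    if (acc->address == p->alloc_fn)
        return V_ALLOC_PATH;
    if (acc->address == p->free_fn)
        return V_FREE_PATH;
    return V_GENERIC_CALL;
}

/* Constructed sample policy; all addresses are made up for this example. */
static const struct region sample_regions[] = {
    { 0xc0100000UL, 0xc0200000UL, 1, 0, 1 },  /* Dom0 kernel text: read + exec */
    { 0xc0400000UL, 0xc0500000UL, 1, 1, 0 },  /* a shared data area: read + write */
};
static const struct policy sample_policy = {
    .dom0_start = 0xc0000000UL, .dom0_end = 0xd0000000UL,
    .regions = sample_regions, .nregions = 2,
    .alloc_fn = 0xc0101000UL, .free_fn = 0xc0102000UL,
};

/* Evaluate one access against the sample policy. */
enum verdict check_sample(int flag, unsigned long address)
{
    struct access acc = { flag, address };
    return monitor_access(&sample_policy, &acc);
}

int main(void)
{
    static const char *names[] = { "dom0-fault", "denied", "rw-path",
                                   "alloc-path", "free-path", "generic-call" };
    printf("exec alloc_fn   -> %s\n", names[check_sample(EXEC, 0xc0101000UL)]);
    printf("write data area -> %s\n", names[check_sample(WRITE, 0xc0400010UL)]);
    printf("write text      -> %s\n", names[check_sample(WRITE, 0xc0100010UL)]);
    printf("read user space -> %s\n", names[check_sample(READ, 0x08048000UL)]);
    return 0;
}
```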
Embodiment 2
This embodiment describes the module unloading process after the call finishes.
After the call finishes, the module needs to be unloaded. Unloading corresponds to the loading process (the process of building the security monitoring framework of the operating system kernel), and the module unloading process of the present invention comprises the following steps:
Q1. Execute the mod->exit function provided by the Xen system, thereby unloading the module;
Q2. Destroy the IMD used by the function call process;
Q3. Release the module.
Embodiment 3
With reference to Fig. 9, the third embodiment of the present invention:
The present invention uses the mutual isolation property of Xen virtual-machine domains to let the module run isolated in an IMD domain, and simulates the inter-domain function call process through the event channel and grant table communication mechanism of Xen. A module-process monitor or module-process monitoring interface that checks the security of the inter-domain call can then be inserted into the inter-domain function call process, so that the integrity of the operating system kernel is monitored comprehensively and effectively.
Xen hypercalls are the key to building the security monitoring framework of the operating system kernel in the present invention; the hypercalls involved in each step of the present invention comprise:
(1). Creating a domain
The code used in embodiment 1, step A31, to create the unprivileged domain IMD is:
HYPERVISOR_domctl(XEN_DOMCTL_createdomain,
    struct xen_domctl *xen_domctl);
(2). Setting the maximum number of memory pages of the specified domain in step A32
The code used in embodiment 1, step A32, to set the maximum number of memory pages of the specified domain is:
HYPERVISOR_memory_op(XENMEM_maximum_ram_page,
    struct xen_domctl_max_mem *max_mem);
(3). Setting the maximum number of VCPUs of the specified domain
The code used in embodiment 1, step A33, to set the maximum number of VCPUs of the specified domain is:
HYPERVISOR_domctl(XEN_DOMCTL_max_vcpus,
    struct xen_domctl *xen_domctl);
(4). Initializing the virtual processor
The code used in embodiment 1, step A34, to initialize IMD's virtual processor is:
HYPERVISOR_vcpu_op(VCPUOP_initialise,
    struct vcpu_guest_context *ctxt);
(5). Setting the maximum number of memory pages of the specified domain in steps A4, A5 and A6
The code used in steps A4, A5 and A6 to set the maximum number of memory pages of the specified domain is:
HYPERVISOR_update_va_mapping_otherdomain(unsigned long va, u64 val64,
    unsigned long flags, domid_t domid);
(6). Allocating an unbound event channel port
The code used in step A7 to allocate an unbound event channel port is:
HYPERVISOR_event_channel_op(EVTCHNOP_alloc_unbound,
    struct evtchn_alloc_unbound *alloc_unbound);
(7). Starting the virtual processor
The code used in step A9 to start the virtual processor is:
HYPERVISOR_vcpu_op(VCPUOP_up, NULL);
(8). Allocating an event channel port and binding it to the specified port of the specified domain
The code used in embodiment 1, step A92, to allocate an event channel port and bind it to the specified port of the specified domain is:
HYPERVISOR_event_channel_op(EVTCHNOP_bind_interdomain,
    struct evtchn_bind_interdomain *bind_interdomain);
(9). Setting the maximum number of memory pages of the specified domain in step A93
The code used in embodiment 1, step A93, for the maximum number of memory pages of the specified domain is:
HYPERVISOR_event_channel_op(EVTCHNOP_bind_virq,
    struct evtchn_bind_virq *bind_virq);
(10). Setting a callback function for the allocated event channel port
The code used in embodiment 1, step A94, to set a callback function for the specified event channel port is:
HYPERVISOR_set_callbacks(evtchn_port,
    unsigned long failsafe_address,
    unsigned long syscall_address);
(11). Sending an event to the allocated event channel port
The code used in embodiment 1, step A94, and in step G5 to send an event to the allocated event channel port is:
HYPERVISOR_event_channel_op(EVTCHNOP_send,
    struct evtchn_send *send);
(12). Entering the waiting state and being woken again when the specified event channel port receives an event
The code used in embodiment 1, step A96, and in steps A10 and S5 to enter the waiting state and be woken again when the specified event channel port receives an event is:
HYPERVISOR_sched_op(SCHEDOP_poll, sched_poll_t *arg);
(13). Switching the stack
The code used in step G7 to switch the stack is:
HYPERVISOR_stack_switch(unsigned long ss, unsigned long esp);
Compared with the prior art, the present invention uses Xen virtualization technology to isolate each extension module so that it runs in its own independent low-privilege domain, and then uses the event channel and grant table communication mechanism of the Xen virtual machine to simulate the inter-domain function call process of the extension modules. Each extension module runs in a fully isolated state in its own unprivileged domain, so every cross-domain operation is monitored, which is more comprehensive and effective; and monitoring only requires inserting a monitoring interface into the cross-domain function call process, which is very convenient and fast.
The above illustrates preferred implementations of the present invention, but the invention is not limited to the described embodiments; those of ordinary skill in the art may make all manner of equivalent variations or replacements without departing from the spirit of the present invention, and such equivalent variations or replacements all fall within the scope defined by the claims of this application.

Claims (9)

1. A Xen-based operating system kernel monitoring method, characterized in that it comprises:
A. using Xen virtualization technology to build a security monitoring framework for the operating system kernel, so that each extension module runs in its own independent unprivileged domain;
B. simulating the cross-domain function call process of each extension module by means of Xen's event channel and grant table communication mechanism, and inserting a monitoring interface for security checks into the cross-domain function call process.
2. The Xen-based operating system kernel monitoring method according to claim 1, characterized in that step A comprises:
A1. Load the module;
A2. Create the unprivileged domain IMD and initialize it;
A3. Insert the module into the kernel's linked list, create a struct IMD_info, and link the struct IMD_info into the IMD list;
A4. Map the pages in the Dom0 domain holding the module's setup code and control code into IMD's linear address space;
A5. Map the pages holding the module's own code and data into IMD's address space, and in the IMD domain set the read, write and execute rights of the page table entries of the module's shared pages to the same rights as in the Dom0 domain; then, in the Dom0 domain, set the page table entries of the module's shared pages to executable;
A6. Call a kernel function to allocate in Dom0 the pages containing the IMD control stack, and save the page information in the corresponding attribute of IMD_info;
A7. In the Dom0 domain, allocate two event channel ports, evtchn_port_req_0 and evtchn_port_prov_0, for IMD; then write the port numbers evtchn_port_req_0 and evtchn_port_prov_0 to the bottom of the stack allocated in the IMD domain, and save the two port numbers evtchn_port_req_0 and evtchn_port_prov_0 in the corresponding attributes of IMD_info;
A8. Set the IP register of the IMD virtual processor to the entry of IMD's setup function, and adjust the SP and BP registers so as to reserve the space for information transfer between IMD and Dom0;
A9. Start the IMD virtual processor to execute the setup code, so as to initialize IMD;
A10. Call Xen's scheduling instruction to enter the waiting state, until an event is received from event channel port evtchn_port_prov_0 and Dom0 is woken up again;
A11. Call the module->init function to initialize the module, thereby triggering the first inter-domain function call from Dom0 to IMD;
A12. After initialization completes, release the shared areas of initialization data or code.
3. The Xen-based operating system kernel monitoring method according to claim 1 or 2, characterized in that the cross-domain function call process of each extension module comprises: the procedure for the privileged domain calling an isolated-domain function, the procedure for handling access exceptions from the isolated domain toward the privileged domain, the general procedure for the isolated domain calling a privileged-domain function, the procedure for the isolated domain calling the privileged domain's memory allocation function, the procedure for the isolated domain calling the privileged domain's memory free function, and the procedure for the isolated domain reading and writing the privileged domain's data area.
4. The Xen-based operating system kernel monitoring method according to claim 3, characterized in that the procedure for the privileged domain calling an isolated-domain function comprises:
G1. Dom0 sends a request to call a module function, thereby triggering a page fault;
G2. Using the information in the IMD list, determine whether the page fault was caused by code in the module's pages; if so, go to step G3, otherwise keep the operating system's own exception handling;
G3. According to the position of the current stack top in Dom0, copy the current stack contents to IMD's module stack, and save the CR2, BP and SP register values of Dom0 together on IMD's control stack;
G4. Dom0 sends an event to event channel port evtchn_port_req_0;
G5. Map IMD's module stack into IMD at the same linear address as the current stack in Dom0;
G6. IMD resumes from the waiting state on detecting that an event was received on the EVTCHN_PORT_PROV_U end, and obtains the values of Dom0's CR2, BP and SP registers from the control stack;
G7. Replace the return address on the module stack with the address of the current function, at the same time save IMD's BP and SP values in the variables IMD_bp and IMD_sp, and switch to the module stack according to the BP and SP register values taken from Dom0;
G8. Jump to the address indicated by Dom0's CR2 register to execute the function; after it completes, return to the return address that was replaced in step G7;
G9. Write IMD's current AX and DX register contents to the bottom of the control stack, then switch the stack back to the control stack according to the saved IMD_bp and IMD_sp;
G10. IMD sends an event to event channel port EVTCHN_PORT_PROV_U and enters the waiting state;
G11. Dom0 resumes execution after receiving the event from port evtchn_port_req_0, takes the AX and DX values from the bottom of the IMD control stack and saves them in the corresponding variables ax and dx;
G12. According to the stack frame state of the current stack, copy the data from IMD back to the current stack; then modify the AX and DX register values of the saved exception-handling context according to the variables ax and dx, set the saved BP and SP values to the BP and SP values after exiting one stack frame, and finish the call procedure.
5. The Xen-based operating system kernel monitoring method according to claim 4, characterized in that the procedure for handling access exceptions from the isolated domain toward the privileged domain comprises:
H1. IMD's code accesses a memory address that belongs to Dom0 and not to the module itself, triggering a memory exception interrupt, after which the callback function bound in advance is executed;
H2. Save the register context, including the CR2 register, to the bottom of the stack, and send an event from IMD's event channel port EVTCHN_PORT_REQ_U to notify Dom0;
H3. Dom0 is woken up again on receiving the event sent from port evtchn_port_req_0 and calls the corresponding handler;
H4. Dom0 extracts the faulting address and the access type from the saved register context;
H5. Check whether the address accessed by IMD and the access type exceed what Dom0 itself is able to access; if so, call the operating system's own exception handler, otherwise go to step H6;
H6. Call the safety-inspection function, which decides from the module's address and access type whether the module has the right to perform this access; if so, go to step H7, otherwise the operating system's corresponding safe-handling routine is applied to the module;
H7. Determine whether the module's access type is read/write or execute; if read/write, go to the procedure for the isolated domain reading and writing the privileged domain's data area; if execute, go to step H8;
H8. Determine whether the function that Dom0 identifies IMD as about to call is the memory allocation function; if so, go to the procedure for the isolated domain calling the privileged domain's memory allocation function, otherwise go to step H9;
H9. Determine whether the function that Dom0 identifies IMD as about to call is the memory free function; if so, go to the procedure for the isolated domain calling the privileged domain's memory free function, otherwise carry out the general procedure for the isolated domain calling a privileged-domain function.
6. The Xen-based operating system kernel monitoring method according to claim 5, characterized in that the general procedure for the isolated domain calling a privileged-domain function comprises:
P1. Save the return address of a stack frame on IMD's module stack, and replace that return address with the target address to be returned to;
P2. Switch the current stack to IMD's module stack, and go to the operating system's own handling procedure for the faulting address;
P3. After execution completes, return to the target address; overwrite the context data saved on the control stack in step H2 with the current values of each general-purpose register of the virtual processor, then switch the current stack back to Dom0's original stack;
P4. Dom0 writes the return address saved in step P1 into the IMD-Dom0 information transfer space reserved in step A8 at the bottom of the IMD control stack, then sends an event to IMD through event channel port evtchn_port_prov_0 and enters the waiting state;
P5. IMD is woken up again after receiving the event transmitted on port EVTCHN_PORT_REQ_U;
P6. IMD switches to the module stack, restores the context, and jumps to the return address saved in step P4 to continue the operating system's own normal processing.
7. The Xen-based operating system kernel monitoring method according to claim 6, characterized in that:
the procedure for the isolated domain calling the privileged domain's memory allocation function comprises:
S1. Dom0 calls the memory allocation function to allocate memory;
S2. Dom0 maps the allocated pages into IMD's address space at the same logical address as in Dom0 and with the same access rights;
S3. Dom0 sets the page table entries of the allocated pages in Dom0 to executable;
S4. Dom0 makes the corresponding modification to the module stack in IMD and adjusts the SP and BP pointers of IMD's virtual processor accordingly, so as to simulate the completion of the function call;
S5. Dom0 sends an event channel signal to IMD to wake it, then returns to the waiting state to wait for the next event.
8. The Xen-based operating system kernel monitoring method according to claim 7, characterized in that the procedure for the isolated domain calling the privileged domain's memory free function comprises:
F1. IMD removes the pages to be freed from the address space of IMD's page table;
F2. IMD calls the free function in Dom0 to free the memory pages;
F3. IMD writes the return result onto IMD's module stack;
F4. The state of the context registers and the original function return address are written to the bottom of IMD's control stack;
F5. Dom0 sends an event channel signal to IMD to wake it, then returns to the waiting state to wait for the next event;
F6. IMD switches to the module stack, restores the context, and jumps to the return address saved on the control stack to continue the operating system's own normal processing.
9. The Xen-based operating system kernel monitoring method according to claim 8, characterized in that:
the procedure for the isolated domain reading and writing the privileged domain's data area comprises:
W1. Take out the instruction pointed to by the IP register in IMD, write that instruction to a position V reserved in advance, then write an unconditional jump instruction at the next instruction, the target address of which is the address of step W3;
W2. Save Dom0's current context, switch the stack to IMD's module stack, restore IMD's context, then jump to position V of step W1;
W3. Store the current state together with the address following IMD's current IP on the IMD control stack, then switch back to the original stack and restore the context;
W4. Send an event channel signal to IMD to wake it, then return to the waiting state to wait for the next event;
W5. IMD switches to the module stack, restores the context, and jumps to the return address saved on the control stack to continue the operating system's normal processing.
CN201410133955.4A 2014-04-03 2014-04-03 Xen-based operating system kernel monitoring method Pending CN103955362A (en)
Publications (1)

Publication Number Publication Date
CN103955362A true CN103955362A (en) 2014-07-30
Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
AD01 Patent right deemed abandoned

Effective date of abandoning: 20180309