WO2016141719A1 - Channel detection method and apparatus - Google Patents


Info

Publication number
WO2016141719A1
Authority
WO
WIPO (PCT)
Prior art keywords
time
target
sequence
target subsequence
subsequence
Application number
PCT/CN2015/092975
Other languages
French (fr)
Chinese (zh)
Inventor
袁劲枫
王胜
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2016141719A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow, by executing in a restricted environment, e.g. sandbox or secure virtual machine

Definitions

  • the present invention relates to the field of network security technologies, and in particular, to a channel detection method and apparatus.
  • Virtual machines belonging to different tenants usually share the memory of the same physical host.
  • One specific way of sharing it is memory deduplication.
  • Memory deduplication merges identical physical memory pages: only one physical copy of the page is kept, and all the other virtual machines map that one physical page.
  • When a virtual machine later writes to a merged page, the operating system raises a write exception, such as a copy-on-write (COW) page write exception, and copies the physical memory page so that the virtual machine has its own page to write to.
  • COW: copy-on-write.
  • The specific construction of the hidden channel is shown in FIG. 1.
  • The ordinary user Sender and the malicious user Receiver are two virtual machines located on the same physical host. Receiver has compromised Sender by some means and wants to transmit the stolen user privacy data covertly, without being detected. A hidden channel can then be built on the memory deduplication mechanism to transmit the information. Assume that N bits of information need to be transmitted:
  • Receiver controls Sender to request N*4K of memory and load file A into it. Receiver then controls Sender to encode the requested memory at memory page granularity (4K).
  • The encoding rule is: if the bit to be transmitted is 0, the current memory page is modified (arbitrarily); if the bit is 1, the page is skipped without modification. Then move on to the next memory page. After encoding, wait for the memory pages to be merged.
  • Receiver requests the same amount of memory, N*4K, and loads the same file A into it.
  • The operating system automatically merges the identical memory pages.
  • Receiver waits for a while and then starts receiving the message, that is, decodes the requested memory page by page. The decoding rule is: write to each memory page in turn and measure the execution time of the write operation.
  • The specific measurement is: acquire the system time before writing to a memory page, and acquire the system time again after the write completes. If the page is a merged page, the write takes longer than a write to a normal page because an extra page copy is required, so Receiver can decode according to how long the write operation takes.
  • For example, if the execution time of the memory page write is too long, the current page is decoded as 1; otherwise it is decoded as 0. In this way Receiver receives the information.
  • One existing countermeasure is to turn the memory deduplication mechanism off entirely. This defeats the hidden channel attack, but forfeits the benefit of memory deduplication and has a considerable impact on system performance.
  • the embodiment of the invention provides a channel detection method and device, which can accurately detect whether a hidden channel exists in the system, and does not affect the function of a normal memory deduplication mechanism in the system.
  • a first aspect of the embodiments of the present invention provides a channel detection method, which may include:
  • the time attribute of the target subsequence includes a first time difference between a start time and an end time of the target subsequence.
  • Determining whether the time attribute of the target subsequence meets a preset condition including:
  • Determining that there is a hidden channel in the system when the time attribute of the target subsequence meets a preset condition including:
  • the determining whether the first time difference of the target sub-sequence is less than a first preset threshold including:
  • determining that there is a hidden channel in the system including:
  • the method further includes:
  • a second aspect of the present invention provides a channel detecting apparatus, including:
  • The intercepting module is configured to intercept, while at least two virtual machines on the same physical host share memory through deduplication (page merging), the event sequence executed by the operating system in the operating system instruction stream, where the event sequence includes acquisition time events;
  • an obtaining module configured to search the event sequence for a target subsequence and obtain the time attribute of the target subsequence;
  • a judging module configured to judge whether the time attribute of the target subsequence meets a preset condition;
  • a determining module configured to determine that a hidden channel exists in the system when the time attribute of the target subsequence meets the preset condition.
  • The time attribute of the target subsequence includes a first time difference between the start time and the end time of the target subsequence.
  • The judging module is specifically configured to judge whether the first time difference of the target subsequence is less than a first preset threshold;
  • the determining module is specifically configured to determine that a hidden channel exists in the system when the first time difference of the target subsequence is less than the first preset threshold.
  • The obtaining module includes:
  • a searching unit configured to sequentially search the event sequence for a preset number of target subsequences;
  • a calculating unit configured to calculate, for each of the preset number of target subsequences, the first time difference between its start time and its end time.
  • The judging module is specifically configured to judge, for each of the preset number of target subsequences, whether its first time difference is less than the first preset threshold.
  • The judging module includes a judging unit and a determining unit.
  • The judging unit is configured to, when the first time difference of every one of the preset number of target subsequences is less than the first preset threshold, judge whether the second time difference between the start time of the first target subsequence and the end time of the last target subsequence among them is less than a second preset threshold, where the second preset threshold is less than the preset number;
  • the determining unit is configured to determine that a hidden channel exists in the system when the second time difference is less than the second preset threshold.
  • The event sequence executed by the operating system is intercepted in the operating system instruction stream, the event sequence including acquisition time events; the target subsequence is searched for in the event sequence and its time attribute is obtained; and if the time attribute of the target subsequence satisfies the preset condition, it is determined that a hidden channel exists in the system.
  • This method can accurately detect whether a hidden channel exists in the system and so improves system security, and the detection does not affect the normal operation of the system's memory deduplication mechanism.
  • FIG. 1 is a schematic diagram of constructing a hidden channel according to an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of a channel detecting method according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of an instruction flow according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of another channel detecting method according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of a covert channel detection algorithm according to an embodiment of the present invention.
  • FIG. 6 is a flowchart of an algorithm for abnormal COW page write operation according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a channel detecting apparatus according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of an acquisition module according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of another channel detecting apparatus according to an embodiment of the present invention.
  • the channel detection method in the embodiment of the present invention can be applied to a process of detecting a covert channel based on a memory deduplication technology in a multi-tenant cloud environment.
  • FIG. 2 is a schematic flowchart of a channel detecting method according to an embodiment of the present invention. As shown in FIG. 2, the channel detecting method includes:
  • Virtual machines belonging to different tenants usually share the memory of the same physical host. The sharing may be done through memory deduplication, which merges identical physical memory pages,
  • leaving only one physical copy of the page, which all the other virtual machines map jointly.
  • When a virtual machine later writes to a merged page, the operating system raises a write exception, such as a copy-on-write (COW) page write exception.
  • The COW handler copies the physical memory page so that the virtual machine has its own page to write to.
  • Memory deduplication effectively improves physical memory utilization in a cloud environment and increases the number of virtual machines that can run concurrently on one physical host, so it is widely used in commercial and open source virtual machine managers.
  • The specific construction of the hidden channel is shown in FIG. 1.
  • The ordinary user Sender and the malicious user Receiver are two virtual machines located on the same physical host. Receiver has compromised Sender by some means and wants to transmit the stolen user privacy data covertly, without being detected. A hidden channel can then be built on the memory deduplication mechanism to transmit the information. Assume that N bits of information need to be transmitted:
  • Receiver controls Sender to request N*4K of memory and load file A into it. Receiver then controls Sender to encode the requested memory at memory page granularity (4K).
  • The encoding rule is: if the bit to be transmitted is 0, the current memory page is modified (arbitrarily); if the bit is 1, the page is skipped without modification. Then move on to the next memory page. After encoding, wait for the memory pages to be merged.
  • Receiver requests the same amount of memory, N*4K, and loads the same file A into it.
  • The operating system automatically merges the identical memory pages. Receiver waits for a while and then starts receiving the message, that is, decodes the requested memory page by page.
  • The decoding rule is: write to each memory page in turn and measure the execution time of the write. Specifically, acquire the system time before writing to a page and acquire it again after the write completes. If the page is a merged page, the write takes longer than a write to a normal page because an extra page copy is required, so Receiver can decode according to the duration of the write. For example, if the write takes too long, the current page is decoded as 1; otherwise it is decoded as 0. In this way Receiver receives the information.
  • The purpose of having the normal user Sender and the malicious user Receiver load the same file A is to ensure that the initial contents of the memory pages requested by Sender and by Receiver are identical.
  • A memory page encoded as 0 is modified by Sender, so the corresponding pages at the two ends differ and are not merged.
  • A memory page encoded as 1 has the same content at both ends, so after some time the two pages are merged into one physical memory page.
  • Receiver can therefore decode the 0 or 1 by writing to the page and measuring how long the write takes.
  • The embodiment of the present invention detects the hidden channel by examining the acquisition time events in the operating system instruction stream.
  • Specifically, the event sequence executed by the operating system is intercepted in the operating system instruction stream, and the event sequence includes acquisition time events.
  • The event sequence may further include write exception events on merged memory pages,
  • that is, pages produced by deduplicating the memory pages of different virtual machines.
  • The acquisition time events in the event sequence may include acquisition time events issued by the operating system itself, and may also include acquisition time events issued by a malicious user.
  • The operating system's own acquisition time events are usually separated by long intervals.
  • The target subsequence is then searched for in the intercepted event sequence.
  • The target subsequence may take several forms.
  • For example, the target subsequence may consist of two adjacent target acquisition time events. Because the operating system's own acquisition time events are usually far apart, detection can be based on the interval between two adjacent target acquisition time events in the target sequence.
  • Alternatively, the target subsequence includes two target acquisition time events and a target write exception event between them, as shown in FIG. 3, where a small white circle represents an intercepted target acquisition time event, a black circle represents a target write exception event in the intercepted event sequence, and the target subsequence being searched for is a target write exception event lying between two target acquisition time events.
  • The time attribute of the target subsequence includes the first time difference between the start time and the end time of the target subsequence, that is, the difference between the system time of the first target acquisition time event in the target subsequence and the system time of the second target acquisition time event.
  • The form of the target subsequence and its time attribute are not limited to these examples.
  • The preset condition is determined according to the time attribute of the target subsequence. For example, if the time attribute is the first time difference between the start time and the end time of the target subsequence, the preset condition is that the first time difference is less than the first preset threshold.
  • Step S102 may then specifically be: judging whether the first time difference of the target subsequence is less than the first preset threshold;
  • and step S103 may specifically be: determining that a hidden channel exists in the system when the first time difference of the target subsequence is less than the first preset threshold.
  • The setting of the first preset threshold is critical for detecting a single decode operation of the covert channel. If it is set too short, a malicious user can evade detection by inserting useless instructions between the two acquisition time events to lengthen the execution time (while still being able to tell a COW page write from a normal page write). Conversely, if it is set too long, the false positive rate rises.
  • T_min_cow(n): the shortest time to execute n instructions in which the memory write operation is a write to a merged memory page.
  • T_max_normal(n): the longest time to execute n instructions in which the memory write operation is a write to a normal memory page.
  • T_min(cow): the minimum execution time of a memory write instruction that writes to a merged memory page.
  • T_max(normal): the maximum execution time of a memory write instruction that writes to a normal memory page.
  • T_cow and T_normal satisfy T_cow >> T_normal; optionally, the value of T_cow is usually more than 10 times the value of T_normal, and the multiple differs between systems.
  • The first preset threshold T(1) can be estimated as twice the execution time of a write to a merged memory page. That execution time itself spans a range, from the minimum T_min(cow) to the maximum T_max(cow), so 2·T_min(cow) ≤ T(1) ≤ 2·T_max(cow).
  • These maximum and minimum times differ between systems and must be set at deployment time from values measured on the actual system.
  • In summary, the event sequence executed by the operating system is intercepted in the operating system instruction stream, the event sequence including acquisition time events;
  • the target subsequence is searched for in that sequence, its time attribute is obtained, and it is judged whether the time attribute meets the preset condition. If it does, it is determined that a hidden channel exists in the system. This accurately detects whether a hidden channel exists in the system, improves system security, and does not affect the normal operation of the system's memory deduplication mechanism.
  • FIG. 4 is a schematic flowchart of another channel detection method according to an embodiment of the present invention, for the case in which the event sequence includes multiple target subsequences. As shown in FIG. 4, the channel detection method of this embodiment includes the following steps:
  • For step S200 of this embodiment, refer to step S100 of the embodiment shown in FIG. 1; details are not repeated here.
  • The event sequence may include multiple target subsequences, each consisting of two target acquisition time events and, between them,
  • a target write exception event. A preset number (n) of such target subsequences is searched for in the operating system instruction stream; the preset number, that is, the value of n, is set in advance by the user.
  • The first time difference between the start time and the end time of each of the preset number of target subsequences is calculated, giving in turn the first time differences Δt_1, Δt_2, Δt_3, …, Δt_n.
  • S203: judge whether the first time difference of each of the preset number of target subsequences is less than the first preset threshold.
  • If the first time difference of every one of the preset number of target subsequences is less than the first preset threshold, that is, Δt_i < T(1) for all i ∈ [1, n], it is determined that a hidden channel exists in the system.
  • The first preset threshold T(1) may be twice the execution time of a write to a merged memory page.
  • Optionally, the method further includes:
  • when the second time difference is less than the second preset threshold, determining that a hidden channel exists in the system.
  • This additionally checks the communication bandwidth of the hidden channel. Specifically, it is further judged whether the second time difference between the start time of the first target subsequence and the end time of the last target subsequence among the preset number of target subsequences is less than a second preset threshold; if it is, it is determined that a covert channel exists in the system. As shown in FIG. 3, the judgement is:
  • The second preset threshold T(n) controls the longest transmission time allowed for the covert channel to transmit n bits of information, that is, it guarantees that:
  • T(n) cannot exceed n. Since the amount of information transmitted in practice is larger than n, the threshold T(n) is set slightly smaller than n.
  • In this embodiment too, the event sequence executed by the operating system is intercepted in the operating system instruction stream, the event sequence including acquisition time events;
  • the target subsequences are searched for in that sequence, their time attributes are obtained, and it is judged whether they meet the preset condition; if they do, it is determined that a hidden channel exists in the system.
  • This method can accurately detect whether a hidden channel exists in the system and so improves system security, and the detection does not affect the normal operation of the system's memory deduplication mechanism.
  • FIG. 5 is a flowchart of a covert channel detection algorithm according to an embodiment of the present invention.
  • The event sequence includes acquisition time events and COW page write exception events.
  • These two kinds of event are intercepted continuously, that is, along the direction in which the operating system executes the instruction stream, each intercepted event is passed to the processing routine.
  • The algorithm of the processing routine is shown in FIG. 5. In the processing function, t_now records the current system time, and t_pre caches the system time at which the processing function was last entered.
  • t_cow_pf records the system time of the most recent COW page write exception event; it is a global variable updated by the page fault exception handler of FIG. 6.
  • t_beg records the start time of the first detected target subsequence and is used to compute the total execution time of the n subsequences once the n-th one is detected.
  • The Count variable records how many target subsequences have been detected so far.
  • When the processing function is entered, the current system time t_now is obtained first and the cached time t_pre of the last acquisition time event is subtracted from it to judge whether the interval is less than the threshold T(1). If it is not less, the current subsequence is not a decode operation of the hidden channel, and t_pre is simply updated. Otherwise, it is further judged whether the most recent COW page write exception event lies between the two acquisition time events; if so, a decode operation of the hidden channel has been detected, Count is updated, and it is judged whether this is the n-th decode operation. If it is, it is further judged whether the time interval covering the n decode operations is less than the threshold T(n); if it is, the hidden channel is determined to be detected.
  • FIG. 6 is a flowchart of a page fault processing algorithm according to an embodiment of the present invention:
  • It is first judged whether the current page fault error code PFEC indicates a write exception. If so, the COW page linked list is traversed and, using the virtual address pf_va of the page on which the page fault occurred, it is judged whether that page belongs to the merged memory. If it does, a COW page write exception event has been intercepted, and the current system time is recorded in the global variable t_cow_pf.
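  The FIG. 4 steps (search for n target subsequences, compute the Δt_i, compare them with T(1) and the whole window with T(n)) and the FIG. 5 / FIG. 6 routines above, carried out as an added example that is not the patent's own code: a Python detector replaying a constructed trace of intercepted acquisition time events and page faults. The event layout, the microsecond timestamps, the COW page list and the thresholds T(1) = 20 µs, T(n) = 70 µs, n = 4 are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

PAGE_MASK = ~0xFFF          # 4K page granularity, matching the channel's encoding unit
GET_TIME = "get_time"       # acquisition time event (guest reads the clock)
PAGE_FAULT = "page_fault"   # page fault exception carrying its error code and address


@dataclass
class Event:
    kind: str
    t: float             # system time at interception, in microseconds (constructed)
    write: bool = False  # PFEC marks the fault as a write (page_fault only)
    va: int = 0          # faulting virtual address pf_va (page_fault only)


class CovertChannelDetector:
    """State of the FIG. 5 processing routine plus the FIG. 6 page fault hook."""

    def __init__(self, t1: float, tn: float, n: int, cow_pages: Set[int]):
        self.T1 = t1                # first preset threshold T(1): bound on one decode step
        self.Tn = tn                # second preset threshold T(n): bound on n decode steps
        self.n = n                  # preset number of target subsequences
        self.cow_pages = cow_pages  # page-aligned addresses on the merged (COW) page list
        self.t_pre: Optional[float] = None     # time of the previous get-time event
        self.t_cow_pf: Optional[float] = None  # time of the latest COW write fault
        self.t_beg: Optional[float] = None     # start time of the first counted subsequence
        self.count = 0                         # decode steps seen in the current window

    def on_page_fault(self, ev: Event) -> None:
        """FIG. 6: remember when a write fault last hit a merged page."""
        if ev.write and (ev.va & PAGE_MASK) in self.cow_pages:
            self.t_cow_pf = ev.t

    def on_get_time(self, ev: Event) -> bool:
        """FIG. 5: True when the n-th decode step closes a window shorter than T(n)."""
        t_now = ev.t
        detected = False
        if self.t_pre is not None and (t_now - self.t_pre) < self.T1:
            # Two get-time events close together with a COW write fault between
            # them form one target subsequence, i.e. one decode step of the channel.
            if self.t_cow_pf is not None and self.t_pre < self.t_cow_pf < t_now:
                if self.count == 0:
                    self.t_beg = self.t_pre
                self.count += 1
                if self.count == self.n:
                    detected = (t_now - self.t_beg) < self.Tn
                    self.count, self.t_beg = 0, None  # open a new window either way
        self.t_pre = t_now  # cached for the next entry, whichever branch was taken
        return detected


def run_detector(events: List[Event], t1: float, tn: float, n: int,
                 cow_pages: Set[int]) -> List[float]:
    """Replay an intercepted event sequence; return the times at which a channel was flagged."""
    det = CovertChannelDetector(t1, tn, n, cow_pages)
    hits: List[float] = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == PAGE_FAULT:
            det.on_page_fault(ev)
        elif ev.kind == GET_TIME and det.on_get_time(ev):
            hits.append(ev.t)
    return hits


# Constructed sample: four merged pages on the hypervisor's COW page list ...
COW_PAGES = {0x7F0000001000, 0x7F0000003000, 0x7F0000005000, 0x7F0000007000}

# ... and a constructed trace: two widely spaced clock reads by the guest OS itself,
# then four timed writes to merged pages plus one read fault on an unmerged page,
# which the detector must ignore.
SAMPLE_TRACE = [
    Event(GET_TIME, 0.0),
    Event(GET_TIME, 200.0),                                    # OS's own, 200 us apart
    Event(PAGE_FAULT, 204.0, write=True, va=0x7F0000001040),   # COW write -> step 1
    Event(GET_TIME, 212.0),
    Event(PAGE_FAULT, 215.0, write=True, va=0x7F0000003080),   # COW write -> step 2
    Event(GET_TIME, 223.0),
    Event(PAGE_FAULT, 226.0, write=False, va=0x7F0000004000),  # read fault, ignored
    Event(GET_TIME, 230.0),
    Event(PAGE_FAULT, 233.0, write=True, va=0x7F0000005010),   # COW write -> step 3
    Event(GET_TIME, 241.0),
    Event(PAGE_FAULT, 244.0, write=True, va=0x7F0000007FF0),   # COW write -> step 4
    Event(GET_TIME, 252.0),                                    # 4 steps within 52 us
]

if __name__ == "__main__":
    # T(1) = 20 us, n = 4, T(n) = 70 us (a little below n * T(1)); all assumed here.
    print(run_detector(SAMPLE_TRACE, t1=20.0, tn=70.0, n=4, cow_pages=COW_PAGES))  # [252.0]
    print(run_detector(SAMPLE_TRACE, t1=20.0, tn=40.0, n=4, cow_pages=COW_PAGES))  # []
```

  With T(n) lowered to 40 µs the same four steps no longer fit inside the second threshold, so the trace is not flagged, which is the bandwidth check the FIG. 4 embodiment adds on top of the per-step T(1) test.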
  • FIG. 7 is a schematic structural diagram of a channel detecting apparatus according to an embodiment of the present invention.
  • A channel detecting apparatus according to this embodiment includes an intercepting module 100 and an obtaining module 101.
  • The intercepting module 100 is configured to intercept, while at least two virtual machines on the same physical host share memory through deduplication (page merging), the event sequence executed by the operating system in the operating system instruction stream, where the event sequence includes acquisition time events;
  • the embodiment of the present invention performs the detection of the hidden channel for acquiring the time event in the operating system instruction stream.
  • the specific acquisition method is that the intercepting module 100 intercepts an operating system execution event sequence in the operating system instruction stream, and the event sequence includes an acquisition time event.
  • the event sequence may further include an abnormal memory page write operation after the merge.
  • the event needs to be described.
  • the acquisition time event in the sequence of events may include the acquisition time event of the operating system itself, and may also include the acquisition time event of the malicious user.
  • the acquisition time event of the operating system itself is usually separated by a long interval.
  • The obtaining module 101 is configured to search for a target subsequence in the event sequence and obtain a time attribute of the target subsequence.
  • The target subsequence searched for by the obtaining module 101 may take multiple forms. For example, it may consist of two adjacent target time acquisition events: since the operating system's own time acquisition events are separated by long intervals, a hidden channel can be detected from the time-interval attribute of two adjacent target time acquisition events in the target subsequence.
  • Alternatively, the target subsequence includes two target time acquisition events and a target write operation exception event between them, as shown in FIG. 3, where a small white circle represents an intercepted target time acquisition event and a small black circle represents an intercepted target write operation exception event. The target subsequence found is then a target write operation exception event lying between two target time acquisition events.
  • The time attribute of the target subsequence includes a first time difference between the start time and the end time of the target subsequence, that is, the difference between the system time of the first target time acquisition event in the subsequence and the system time of the second target time acquisition event.
  • Neither the form of the target subsequence nor its time attribute is limited in the embodiment.
  • The determining module 102 is configured to determine whether the time attribute of the target subsequence meets a preset condition.
  • The determining module 103 is configured to determine that a hidden channel exists in the system when the time attribute of the target subsequence satisfies the preset condition.
  • The determining module 102 determines whether the acquired time attribute of the target subsequence satisfies the preset condition; when it does, the determining module 103 determines that a hidden channel exists in the system.
  • The preset condition depends on the time attribute of the target subsequence. For example, if the time attribute is the first time difference between the start time and the end time of the target subsequence, the preset condition is that the first time difference is less than a first preset threshold.
  • The determining module 102 is specifically configured to determine whether the first time difference of the target subsequence is less than the first preset threshold.
  • The determining module 103 is specifically configured to determine that a hidden channel exists in the system when the first time difference of the target subsequence is less than the first preset threshold.
  • The setting of the first preset threshold is critical for detecting a single decoding operation of the covert channel. If it is set too short, a malicious user may evade detection by inserting useless instructions between the two time acquisition events to extend the execution time (while still being able to distinguish a COW page write from a normal page write). Conversely, if it is set too long, the false positive rate increases.
  • T_Min_cow(n): the shortest time to execute n instructions whose memory write operations are writes to merged memory pages.
  • T_Max_normal(n): the longest time to execute n instructions whose memory write operations are writes to normal memory pages.
  • T_min(cow): the minimum execution time of a memory write instruction that writes to a merged memory page.
  • T_max(normal): the maximum execution time of a memory write instruction that writes to a normal memory page.
  • T_cow and T_normal: the execution times of a write to a merged page and to a normal page respectively, where T_cow >> T_normal; optionally, T_cow is usually more than 10 times T_normal, and the multiple differs between systems.
  • The first preset threshold T(1) can be estimated as twice the execution time of a merged memory page write operation. That execution time is itself a range, from the minimum time T_min(cow) to the maximum time T_max(cow), so 2·T_min(cow) ≤ T(1) ≤ 2·T_max(cow).
  • These maximum and minimum times differ between systems and must be set at deployment time according to values measured on the actual system.
  • In summary, the event sequence executed by the operating system is intercepted in the operating system instruction stream; the event sequence includes time acquisition events. A target subsequence is searched for in the event sequence, its time attribute is obtained, and it is determined whether the time attribute satisfies the preset condition; if it does, it is determined that a hidden channel exists in the system.
  • This method can accurately detect whether a hidden channel exists in the system and improves system security, and it does not affect the normal function of the system's memory deduplication mechanism.
  • The searching unit 1010 is configured to sequentially search for a preset number of target subsequences in the event sequence.
  • The event sequence may include multiple target subsequences, each consisting of two target time acquisition events and a target write operation exception event between them. The searching unit 1010 sequentially searches the operating system execution instruction stream for a preset number (n) of target subsequences; the value of the preset number n is preset by the user.
  • The calculating unit 1011 is configured to calculate the first time difference between the start time and the end time of each target subsequence among the preset number of target subsequences, as shown in FIG.
  • The determining module 102 is specifically configured to determine whether the first time difference of each target subsequence among the preset number of target subsequences is less than the first preset threshold.
  • The determining module 103 is specifically configured to determine that a hidden channel exists in the system when the first time difference of every target subsequence among the preset number of target subsequences is less than the first preset threshold.
  • That is, the determining module 102 determines whether the first time difference of each target subsequence among the preset number is less than the first preset threshold; when the first time difference of every subsequence is less than the first preset threshold, i.e. Δt_i < T(1) for i ∈ [1, n], the determining module 103 determines that a hidden channel exists in the system.
  • The first preset threshold T(1) may be twice the execution time of a write operation to a merged memory page.
  • Optionally, the determining module 102 includes a judging unit and a determining unit.
  • The judging unit is configured to determine, when the first time difference of each target subsequence among the preset number of target subsequences is less than the first preset threshold, whether a second time difference between the start time of the first target subsequence and the end time of the last target subsequence is less than a second preset threshold, the second preset threshold being less than the preset number.
  • The determining unit is configured to determine that a hidden channel exists in the system when the second time difference is less than the second preset threshold.
  • In this way the communication bandwidth of the hidden channel is also checked.
  • The specific detection method is: the judging unit further determines whether the second time difference between the start time of the first target subsequence and the end time of the last target subsequence among the preset number of target subsequences is less than the second preset threshold; if it is, the determining unit determines that a covert channel exists in the system. As shown in FIG. 3, the judgement is:
  • The second preset threshold T(n) is used to bound the longest transmission time when the covert channel transmits n bits of information; that is, it guarantees that T(n) does not exceed n. Since the amount of information transmitted in a practical attack is larger than n, the threshold T(n) is set slightly smaller than n.
  • In summary, the event sequence executed by the operating system is intercepted in the operating system instruction stream; the event sequence includes time acquisition events. A target subsequence is searched for in the event sequence, its time attribute is obtained, and it is determined whether the time attribute satisfies the preset condition; if it does, it is determined that a hidden channel exists in the system.
  • This method can accurately detect whether a hidden channel exists in the system and improves system security, and it does not affect the normal function of the system's memory deduplication mechanism.
  • FIG. 9 is a schematic structural diagram of another channel detecting apparatus according to an embodiment of the present invention.
  • the channel detecting device of FIG. 9 can be used to implement the steps and methods in the foregoing method embodiments.
  • The channel detecting apparatus includes a processor 200, a transceiver 201, a memory 202, and a bus 203.
  • The memory 202 stores instructions, and the processor 200 executes the instructions in the memory 202 to perform the channel detecting operations described below.
  • The memory 202 may include read-only memory and random access memory. The components of the apparatus are coupled together by a bus system 203, which includes a power bus, a control bus and a status signal bus in addition to the data bus; for clarity, the various buses are all labelled bus system 203 in the figure. The individual components are described in detail below:
  • The processor is configured to intercept, when at least two virtual machines perform memory deduplication merging on the same physical host, an event sequence executed by the operating system in the operating system instruction stream, where the event sequence includes time acquisition events;
  • the processor is further configured to search for a target subsequence in the event sequence and acquire a time attribute of the target subsequence;
  • the processor is further configured to determine whether the time attribute of the target subsequence meets a preset condition;
  • the processor is further configured to determine that a hidden channel exists in the system when the time attribute of the target subsequence satisfies the preset condition.
  • In a multi-tenant cloud environment, the virtual machines of different tenants usually share the memory of the same physical host. One sharing method is memory deduplication, which merges identical physical memory pages so that only one physical copy of the page is kept and all other virtual machines map that physical page together.
  • When a virtual machine subsequently needs to write to the merged page, the operating system raises a write operation exception event, such as a copy-on-write (COW) page write exception event.
  • The COW page write copies a fresh physical memory page for that virtual machine to write to.
  • Memory deduplication can substantially improve physical memory utilisation in a cloud environment and increase the number of virtual machines that can run concurrently on a single physical host, so it is widely used in commercial and open-source virtual machine monitors.
  • The specific construction of the hidden channel is shown in FIG. 1.
  • The ordinary user Sender and the malicious user Receiver are two virtual machines located on the same physical host. Receiver has compromised Sender by some means and wishes to pass the stolen private user data out covertly without being detected; for this it can construct a hidden channel based on the memory deduplication mechanism. Assume N bits of information need to be transmitted:
  • Receiver controls Sender to request a memory region of size N*4K and load file A into it. Receiver then controls Sender to encode the requested memory at memory page granularity (4K).
  • The encoding rule is: if the bit to be transmitted is 0, the current memory page is modified (arbitrarily); if the bit is 1, the page is skipped without modification and encoding moves on to the next memory page. After encoding, Sender waits for the memory pages to be merged.
  • Receiver requests a memory region of the same size N*4K and loads the same file A into it.
  • The operating system automatically merges the memory pages. After waiting for a while, Receiver starts receiving the information, that is, it decodes the requested memory at memory page granularity.
  • The decoding rule is: write to the memory pages one by one and measure the execution time of each write. The specific measurement method is to acquire the system time before writing to a given memory page and again after the write completes. If the page is a merged page, the write takes longer than a write to a normal page because an additional page copy is required, so Receiver can decode according to the execution time of the write. For example, if the write takes too long, the current page is decoded as 1; otherwise it is decoded as 0. In this way Receiver receives the information.
  • The purpose of having the ordinary user Sender and the malicious user Receiver load the same file A is to ensure that the initial contents of the memory pages requested by Sender and Receiver are identical.
  • A memory page encoded as 0 is modified by Sender, so the corresponding pages at the two ends differ and are not merged.
  • A memory page encoded as 1 has the same content at both ends, so after a period of time the two pages are merged into the same physical memory page.
  • Receiver can therefore decode the 0/1 information by writing to each memory page and measuring the duration of the write operation.
  • The embodiment of the present invention detects the hidden channel based on the time acquisition events in the operating system instruction stream.
  • The specific acquisition method is: intercepting the event sequence executed by the operating system in the operating system instruction stream, where the event sequence includes time acquisition events.
  • The event sequence may further include write operation exception events on merged memory pages.
  • A merged memory page is one produced by deduplicating memory pages of different virtual machines.
  • The time acquisition events in the event sequence may include time acquisition events of the operating system itself as well as time acquisition events of the malicious user.
  • Time acquisition events of the operating system itself are usually separated by long intervals.
  • The target subsequence is searched for in the obtained event sequence and may take multiple forms. For example, it may consist of two adjacent target time acquisition events: since the operating system's own time acquisition events are separated by long intervals, a hidden channel can be detected from the time-interval attribute of two adjacent target time acquisition events in the target subsequence.
  • Alternatively, the target subsequence includes two target time acquisition events and a target write operation exception event between them, as shown in FIG. 3, where a small white circle represents an intercepted target time acquisition event and a small black circle represents an intercepted target write operation exception event in the intercepted event sequence.
  • The target subsequence found is then a target write operation exception event lying between two target time acquisition events.
  • The time attribute of the target subsequence includes a first time difference between the start time and the end time of the target subsequence, that is, the difference between the system time of the first target time acquisition event in the subsequence and the system time of the second target time acquisition event.
  • Neither the form of the target subsequence nor its time attribute is limited in the embodiment.
  • The preset condition depends on the time attribute of the target subsequence. For example, if the time attribute is the first time difference between the start time and the end time of the target subsequence, the preset condition is that the first time difference is less than a first preset threshold.
  • The processor is further configured to determine whether the first time difference of the target subsequence is less than a first preset threshold;
  • the processor is further configured to determine that a hidden channel exists in the system when the first time difference of the target subsequence is less than the first preset threshold.
  • The setting of the first preset threshold is critical for detecting a single decoding operation of the covert channel. If it is set too short, a malicious user may evade detection by inserting useless instructions between the two time acquisition events to extend the execution time (while still being able to distinguish a COW page write from a normal page write). Conversely, if it is set too long, the false positive rate increases.
  • T_Min_cow(n): the shortest time to execute n instructions whose memory write operations are writes to merged memory pages.
  • T_Max_normal(n): the longest time to execute n instructions whose memory write operations are writes to normal memory pages.
  • T_min(cow): the minimum execution time of a memory write instruction that writes to a merged memory page.
  • T_max(normal): the maximum execution time of a memory write instruction that writes to a normal memory page.
  • T_cow and T_normal: the execution times of a write to a merged page and to a normal page respectively, where T_cow >> T_normal; optionally, T_cow is usually more than 10 times T_normal, and the multiple differs between systems.
  • The first preset threshold T(1) can be estimated as twice the execution time of a merged memory page write operation. That execution time is itself a range, from the minimum time T_min(cow) to the maximum time T_max(cow), so 2·T_min(cow) ≤ T(1) ≤ 2·T_max(cow).
  • These maximum and minimum times differ between systems and must be set at deployment time according to values measured on the actual system.
  • Optionally, the event sequence includes multiple target subsequences.
  • The processor is further configured to sequentially search for a preset number of target subsequences in the event sequence;
  • the processor is further configured to calculate the first time difference between the start time and the end time of each target subsequence among the preset number of target subsequences.
  • The event sequence may include multiple target subsequences, each consisting of two target time acquisition events and a target write operation exception event between them.
  • The preset number, i.e. the value of n, is preset by the user.
  • Calculating the first time difference between the start time and the end time of each target subsequence among the preset number of target subsequences means calculating the first time differences Δt_1, Δt_2, Δt_3, …, Δt_n in turn.
  • The processor is further configured to determine whether the first time difference of each target subsequence among the preset number of target subsequences is less than the first preset threshold;
  • the processor is further configured to determine that a hidden channel exists in the system when the first time difference of every target subsequence among the preset number of target subsequences is less than the first preset threshold.
  • That is, it is determined whether the first time difference of each target subsequence among the preset number is less than the first preset threshold; if the first time difference of every subsequence is less than the first preset threshold, i.e. Δt_i < T(1) for i ∈ [1, n], it is determined that a hidden channel exists in the operating system.
  • The first preset threshold T(1) may be twice the execution time of a write operation to a merged memory page.
  • The processor is further configured to determine whether a second time difference between the start time of the first target subsequence and the end time of the last target subsequence among the preset number of target subsequences is less than a second preset threshold, the second preset threshold being less than the preset number;
  • the processor is further configured to determine that a hidden channel exists in the system when the second time difference is less than the second preset threshold.
  • The specific detection method is to further determine whether the second time difference between the start time of the first target subsequence and the end time of the last target subsequence among the preset number of target subsequences is less than the second preset threshold; if it is, it is determined that a covert channel exists in the system. As shown in FIG. 3, the judgement is:
  • The second preset threshold T(n) is used to bound the longest transmission time when the covert channel transmits n bits of information; that is, it guarantees that T(n) does not exceed n. Since the amount of information transmitted in a practical attack is larger than n, the threshold T(n) is set slightly smaller than n.
  • In summary, the event sequence executed by the operating system is intercepted in the operating system instruction stream; the event sequence includes time acquisition events. A target subsequence is searched for in the event sequence, its time attribute is obtained, and it is determined whether the time attribute satisfies the preset condition; if it does, it is determined that a hidden channel exists in the system.
  • This method can accurately detect whether a hidden channel exists in the system and improves system security, and it does not affect the normal function of the system's memory deduplication mechanism.
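The two-stage check described above (each Δt_i below T(1), then the span of n target subsequences below T(n)) together with the T(1) calibration bound, worked as an added example on a constructed event trace; this is illustrative code written for this page, not the patent's implementation. The event kind names, the microsecond time values, the sample trace and the T(n) value are all assumptions.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Tuple

# Event kinds in the intercepted OS execution event sequence. The names are
# assumptions for this example, not identifiers from the patent.
GET_TIME = "get_time"          # a time acquisition event (e.g. a clock read)
COW_FAULT = "cow_write_fault"  # write exception on a merged (deduplicated) page
OTHER = "other"                # any other intercepted event


@dataclass(frozen=True)
class Event:
    kind: str
    t: float  # system time when intercepted, in microseconds (constructed units)


def calibrate_t1(cow_write_times_us: List[float]) -> float:
    """First preset threshold T(1): about twice the merged-page write time.

    The samples are per-write execution times measured on the deployed system,
    so the result satisfies 2*T_min(cow) <= T(1) <= 2*T_max(cow)."""
    t1 = 2.0 * median(cow_write_times_us)
    assert 2.0 * min(cow_write_times_us) <= t1 <= 2.0 * max(cow_write_times_us)
    return t1


def find_target_subsequences(events: List[Event], n: int) -> List[Tuple[float, float]]:
    """Sequentially find up to n target subsequences and return their
    (start time, end time).

    A target subsequence is two adjacent time acquisition events with at least
    one COW write exception between them: the shape of a single decoding step
    (read clock, write page, read clock)."""
    found: List[Tuple[float, float]] = []
    last_get_time: Optional[Event] = None
    cow_seen = False
    for ev in events:
        if ev.kind == GET_TIME:
            if last_get_time is not None and cow_seen:
                found.append((last_get_time.t, ev.t))
                if len(found) == n:
                    break
            last_get_time = ev
            cow_seen = False
        elif ev.kind == COW_FAULT and last_get_time is not None:
            cow_seen = True
    return found


def detect_covert_channel(events: List[Event], t1_us: float, n: int,
                          tn_us: float) -> Dict[str, object]:
    """Apply both preset conditions of the detection method.

    1. Each of the first n target subsequences has a first time difference
       dt_i < T(1): a single decoding step is suspiciously tight.
    2. The second time difference, from the start of the first target
       subsequence to the end of the last, is < T(n): n bits went through
       faster than the bandwidth bound allows."""
    subs = find_target_subsequences(events, n)
    deltas = [end - start for start, end in subs]
    result: Dict[str, object] = {"hidden_channel": False, "deltas": deltas}
    if len(subs) < n:
        result["reason"] = "fewer than n target subsequences"
        return result
    if not all(d < t1_us for d in deltas):
        result["reason"] = "a first time difference is not below T(1)"
        return result
    second_diff = subs[-1][1] - subs[0][0]
    result["second_time_difference"] = second_diff
    if second_diff >= tn_us:
        result["reason"] = "second time difference is not below T(n)"
        return result
    result["hidden_channel"] = True
    result["reason"] = "all dt_i < T(1) and second time difference < T(n)"
    return result


# Constructed trace: three merged pages (COW fault between the clock reads)
# and one unmerged page (no fault) in between, as a decoding loop would show.
DECODE_TRACE = [
    Event(GET_TIME, 0), Event(COW_FAULT, 1), Event(GET_TIME, 15),
    Event(GET_TIME, 16), Event(OTHER, 17), Event(GET_TIME, 18),
    Event(GET_TIME, 19), Event(COW_FAULT, 20), Event(GET_TIME, 36),
    Event(GET_TIME, 37), Event(COW_FAULT, 39), Event(GET_TIME, 55),
]

# Constructed benign trace: the OS's own clock reads are far apart, so a COW
# fault between them does not form a tight target subsequence.
BENIGN_TRACE = [
    Event(GET_TIME, 0), Event(COW_FAULT, 5), Event(GET_TIME, 5000),
    Event(COW_FAULT, 5010), Event(GET_TIME, 9000),
]

# Constructed per-write timings of merged-page writes measured at deployment.
COW_WRITE_SAMPLES_US = [12, 14, 15, 16, 20]

if __name__ == "__main__":
    t1 = calibrate_t1(COW_WRITE_SAMPLES_US)  # 30.0
    tn = 100.0  # constructed T(3) bandwidth bound for n = 3 bits
    print(detect_covert_channel(DECODE_TRACE, t1, 3, tn))  # hidden_channel True
    print(detect_covert_channel(BENIGN_TRACE, t1, 2, tn))  # hidden_channel False
```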
  • The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).
  • The modules or units of the apparatus in the embodiments of the present invention may be combined, divided, or deleted according to actual needs.
  • Components such as the microcontroller may be implemented by a general-purpose integrated circuit, such as a central processing unit (CPU), or by an application-specific integrated circuit (ASIC).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

A channel detection method and apparatus. The method comprises: when at least two virtual machines perform memory deduplication merging on the same physical host, intercepting an event sequence executed by an operating system in an operating system instruction stream, wherein the event sequence comprises a time acquisition event; searching for a target sub-sequence in the event sequence and acquiring a time attribute of the target sub-sequence; and judging whether the time attribute of the target sub-sequence satisfies a preset condition, and when it does, determining that a hidden channel exists in the system. The present invention can accurately detect whether a hidden channel exists in the system and does not affect the normal function of the memory deduplication mechanism in the system.

Description

Channel detection method and device
Technical field
The present invention relates to the field of network security technologies, and in particular to a channel detection method and apparatus.
Background technique
In a multi-tenant cloud environment, the virtual machines of different tenants usually share the memory of the same physical host. One sharing method is memory deduplication, which merges identical physical memory pages so that only one physical copy of the page is kept and all other virtual machines map that physical page together. During subsequent use, when a virtual machine needs to write to the merged page, the operating system raises a write operation exception event, such as a copy-on-write (COW) page write exception event, and copies a fresh physical memory page for that virtual machine to write to.
However, introducing memory deduplication into a cloud platform also leads to unexpected security vulnerabilities. Because the virtual machines of a malicious user and an ordinary user may be located on the same physical host, with their memory pages merged by deduplication, a malicious user can use this shared-memory mechanism to construct a covert channel and steal private information, such as keys, from other ordinary users.
The specific construction of the hidden channel is shown in FIG. 1. The ordinary user Sender and the malicious user Receiver are two virtual machines located on the same physical host. Receiver has compromised Sender by some means and wishes to pass the stolen private user data out covertly without being detected; for this it can construct a hidden channel based on the memory deduplication mechanism. Assume N bits of information need to be transmitted:
Receiver controls Sender to request a memory region of size N*4K and load file A into it. Receiver then controls Sender to encode the requested memory at memory page granularity (4K). The encoding rule is: if the bit to be transmitted is 0, the current memory page is modified (arbitrarily); if the bit is 1, the page is skipped without modification and encoding moves on to the next memory page. After encoding, Sender waits for the memory pages to be merged.
Receiver requests a memory region of the same size n*4K and loads the same file A into it. The operating system automatically merges the memory pages. After waiting for a while, Receiver starts receiving the information, that is, it decodes the requested memory at memory page granularity. The decoding rule is: write to the memory pages one by one and measure the execution time of each write. The specific measurement method is to acquire the system time before writing to a given memory page and again after the write completes. If the page is a merged page, the write takes longer than a write to a normal page because an additional page copy is required, so Receiver can decode according to the execution time of the write. For example, if the write takes too long, the current page is decoded as 1; otherwise it is decoded as 0. In this way Receiver receives the information.
In the prior art, to prevent a malicious user from passing an ordinary user's private data out through a covert channel, the memory deduplication mechanism is simply switched off. Although this defeats the covert channel attack, it gives up the advantages of memory deduplication and has a considerable impact on system performance.
Summary of the invention
The embodiments of the present invention provide a channel detection method and apparatus that can accurately detect whether a hidden channel exists in the system without affecting the normal function of the memory deduplication mechanism in the system.
A first aspect of the embodiments of the present invention provides a channel detection method, which may include:
when at least two virtual machines perform memory deduplication merging on the same physical host, intercepting an event sequence executed by the operating system in the operating system instruction stream, where the event sequence includes a time acquisition event;
searching for a target subsequence in the event sequence and acquiring a time attribute of the target subsequence;
determining whether the time attribute of the target subsequence satisfies a preset condition;
when the time attribute of the target subsequence satisfies the preset condition, determining that a covert channel exists in the system.
Based on the first aspect, in a first possible implementation of the first aspect, the time attribute of the target subsequence includes a first time difference between the start time and the end time of the target subsequence.
Determining whether the time attribute of the target subsequence satisfies the preset condition includes:
determining whether the first time difference of the target subsequence is less than a first preset threshold; and
determining that a covert channel exists in the system when the time attribute of the target subsequence satisfies the preset condition includes:
when the first time difference of the target subsequence is less than the first preset threshold, determining that a covert channel exists in the system.
Based on the first possible implementation of the first aspect, in a second possible implementation of the first aspect, if the sequence of events includes a plurality of target subsequences,
finding the target subsequence in the sequence of events and obtaining the time attribute of the target subsequence includes:
finding a preset number of target subsequences in the sequence of events in turn; and
calculating, for each of the preset number of target subsequences, the first time difference between its start time and its end time.
Based on the second possible implementation of the first aspect, in a third possible implementation of the first aspect, determining whether the first time difference of the target subsequence is less than the first preset threshold includes:
determining whether the first time difference of every one of the preset number of target subsequences is less than the first preset threshold; and
determining that a covert channel exists in the system when the first time difference of the target subsequence is less than the first preset threshold includes:
when the first time difference of every one of the preset number of target subsequences is less than the first preset threshold, determining that a covert channel exists in the system.
Based on the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, after the first time difference of every one of the preset number of target subsequences is found to be less than the first preset threshold, the method further includes:
determining whether a second time difference, between the start time of the first target subsequence and the end time of the last target subsequence among the preset number of target subsequences, is less than a second preset threshold, the second preset threshold being less than the preset number; and
when the second time difference is less than the second preset threshold, determining that a covert channel exists in the system.
A second aspect of the present invention provides a channel detection apparatus, including:
an interception module, configured to, when at least two virtual machines on the same physical host are subject to memory deduplication, intercept, in the operating system instruction stream, a sequence of events executed by the operating system, the sequence of events including get-time events;
an acquisition module, configured to find a target subsequence in the sequence of events and obtain a time attribute of the target subsequence;
a judgment module, configured to determine whether the time attribute of the target subsequence satisfies a preset condition; and
a determination module, configured to determine that a covert channel exists in the system when the time attribute of the target subsequence satisfies the preset condition.
Based on the second aspect, in a first possible implementation of the second aspect, the time attribute of the target subsequence includes a first time difference between the start time and the end time of the target subsequence;
the judgment module is specifically configured to determine whether the first time difference of the target subsequence is less than a first preset threshold; and
the determination module is specifically configured to determine that a covert channel exists in the system when the first time difference of the target subsequence is less than the first preset threshold.
Based on the first possible implementation of the second aspect, in a second possible implementation of the second aspect, if the sequence of events includes a plurality of target subsequences, the acquisition module includes:
a search unit, configured to find a preset number of target subsequences in the sequence of events in turn; and
a calculation unit, configured to calculate, for each of the preset number of target subsequences, the first time difference between its start time and its end time.
Based on the second possible implementation of the second aspect, in a third possible implementation of the second aspect, the judgment module is specifically configured to determine whether the first time difference of every one of the preset number of target subsequences is less than the first preset threshold.
Based on the third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the determination module includes a judgment unit and a determination unit;
the judgment unit is configured to, when the first time difference of every one of the preset number of target subsequences is less than the first preset threshold, determine whether a second time difference, between the start time of the first target subsequence and the end time of the last target subsequence among the preset number of target subsequences, is less than a second preset threshold, the second preset threshold being less than the preset number; and
the determination unit is configured to determine that a covert channel exists in the system when the second time difference is less than the second preset threshold.
In the embodiments of the present invention, when at least two virtual machines on the same physical host are subject to memory deduplication, the sequence of events executed by the operating system is intercepted in the operating system instruction stream, the sequence including get-time events; a target subsequence is found in the sequence of events and its time attribute is obtained; it is determined whether that time attribute satisfies a preset condition, and if it does, a covert channel is determined to exist in the system. This approach accurately detects whether a covert channel exists in the system, improves system security, and does not affect the normal memory deduplication mechanism of the system.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings required for the embodiments are introduced briefly below. Obviously, the drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of the construction of a covert channel according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a channel detection method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an instruction stream according to an embodiment of the present invention;
FIG. 4 is a schematic flowchart of another channel detection method according to an embodiment of the present invention;
FIG. 5 is a flowchart of a covert channel detection algorithm according to an embodiment of the present invention;
FIG. 6 is a flowchart of a COW page write fault algorithm according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a channel detection apparatus according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of an acquisition module according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of another channel detection apparatus according to an embodiment of the present invention.
Detailed description of embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The channel detection method in the embodiments of the present invention may be applied to the detection of covert channels built on memory deduplication in a multi-tenant cloud environment.
The channel detection method provided by the embodiments of the present invention is introduced and explained below with reference to FIG. 1 to FIG. 6.
Referring to FIG. 2, which is a schematic flowchart of a channel detection method according to an embodiment of the present invention, the channel detection method includes:
S100: when at least two virtual machines on the same physical host are subject to memory deduplication, intercept, in the operating system instruction stream, a sequence of events executed by the operating system, the sequence of events including get-time events;
In one embodiment, in a multi-tenant cloud environment, the virtual machines of different tenants usually share the memory of the same physical host, and the sharing may use memory deduplication. Memory deduplication merges identical physical memory pages so that only one physical copy of the page is kept and all the other virtual machines map that same physical page. Later, when a virtual machine writes to the page, the operating system raises a write fault, for example a copy-on-write (COW) page write fault, on which the operating system copies the physical page anew for that virtual machine so that the write can proceed. Memory deduplication effectively improves physical memory utilization in the cloud and increases the number of virtual machines that can run concurrently on one physical host, so it is widely used in commercial and open-source hypervisors.
However, introducing memory deduplication into a cloud platform also creates unexpected security vulnerabilities. The virtual machine of a malicious user may be co-located on the same physical host as that of an ordinary user, with their memory pages merged by deduplication. A malicious user can exploit this shared-memory mechanism to build a covert channel and steal private information, such as keys, from the ordinary user.
The covert channel is constructed as shown in FIG. 1. The ordinary user Sender and the malicious user Receiver are two virtual machines on the same physical host. The Receiver has compromised the Sender by some means and now wants to exfiltrate the stolen private data covertly, without being detected. It can build a covert channel on the memory deduplication mechanism to carry that data. Suppose N bits of information need to be transferred:
The Receiver makes the Sender allocate a memory region of size N*4K and load file A into it. The Receiver then makes the Sender encode the allocated memory at page granularity (4K). The encoding rule is: if the bit to be transferred is 0, modify the current page (any modification will do); if the bit is 1, skip the page without modifying it and move on to the next page. After encoding, wait for the pages to be merged.
The Receiver allocates a memory region of the same size, N*4K, and loads the same file A into it. The operating system merges the identical pages automatically. After waiting for a while, the Receiver starts receiving, that is, it decodes the allocated memory page by page. The decoding rule is: write to each page in turn and measure how long the write takes. Concretely, the Receiver reads the system time before writing to a page and reads it again after the write completes. If the page has been merged, the write requires an extra page copy and therefore takes longer than a write to an ordinary page, so the Receiver can decode from the write latency: for example, if a page write takes too long the page is decoded as 1, otherwise as 0. When every page has been written, the Receiver has received the message.
The reason the ordinary user Sender and the malicious user Receiver load the same file A is to guarantee that the initial contents of the pages allocated by Sender and Receiver are identical. After the Sender has encoded, the pages encoded as 0 have been modified by the Sender, so the corresponding pages on the two sides differ and are not merged; conversely, the pages encoded as 1 have identical contents on both sides, so after some time they are merged into the same physical page. Finally, the Receiver decodes each 0 or 1 by writing to the page and measuring how long the write takes.
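The Sender/Receiver exchange described above, as an added example that is not part of the patent: a Python model in which pages are byte strings, the hypervisor's deduplication scanner is a function that merges identical pages, and a write to a merged page is charged the (assumed) cost of a COW copy. The page contents, the two latencies and the scanner-progress parameter are constructed for illustration only. The model also shows the failure mode behind "waits for a while": if the Receiver decodes before the scanner has reached every page, pages the Sender left alone (bit 1) are still private, write quickly, and read as 0.

```python
# Added example (not the patent's code): a model of the deduplication covert
# channel of FIG. 1. Pages are byte strings, the hypervisor's dedup scanner
# merges identical Sender/Receiver pages, and a write to a merged page is
# charged the cost of a COW copy. All latencies are assumed, not measured.
from typing import List, Optional, Tuple

PAGE = 4096
T_COW_NS = 2_500      # assumed: a write that first triggers a COW copy
T_NORMAL_NS = 150     # assumed: a write to a page this VM owns outright


def load_file_a(n_pages: int) -> List[bytes]:
    """Identical starting contents on both VMs ("file A", constructed here)."""
    return [bytes([i % 251]) * PAGE for i in range(n_pages)]


def sender_encode(pages: List[bytes], bits: str) -> List[bytes]:
    """Bit 0: modify the page so it can no longer be deduplicated.
    Bit 1: leave the page untouched so the scanner will merge it."""
    if len(bits) != len(pages):
        raise ValueError("need exactly one page per bit")
    out = list(pages)
    for i, bit in enumerate(bits):
        if bit == "0":
            out[i] = b"\xff" + out[i][1:]   # any modification will do
    return out


def dedup_scan(sender: List[bytes], receiver: List[bytes], scanned: int) -> List[bool]:
    """Hypervisor dedup model: pages with index < `scanned` whose contents are
    identical on both VMs are merged; the scanner has not reached the rest."""
    return [i < scanned and s == r for i, (s, r) in enumerate(zip(sender, receiver))]


def receiver_write_latency(merged: List[bool]) -> List[int]:
    """What the Receiver measures per page (get time, write, get time):
    a merged page faults and is copied first, so its write takes longer."""
    return [T_COW_NS if m else T_NORMAL_NS for m in merged]


def receiver_decode(latencies: List[int], threshold_ns: int) -> str:
    """Slow write => page was merged => Sender left it alone => bit 1."""
    return "".join("1" if lat > threshold_ns else "0" for lat in latencies)


def run_channel(bits: str, scanned: Optional[int] = None) -> Tuple[str, List[int]]:
    """End to end: Sender encodes, dedup runs, Receiver times writes and decodes.
    `scanned` < len(bits) models a Receiver that stops waiting too early."""
    n = len(bits)
    scanned = n if scanned is None else scanned
    sender_pages = sender_encode(load_file_a(n), bits)
    receiver_pages = load_file_a(n)          # same file A, so identical contents
    merged = dedup_scan(sender_pages, receiver_pages, scanned)
    latencies = receiver_write_latency(merged)
    threshold = (T_COW_NS + T_NORMAL_NS) // 2  # midway between the two latencies
    return receiver_decode(latencies, threshold), latencies


if __name__ == "__main__":
    print(run_channel("01101001")[0])             # scanner finished: bits recovered
    print(run_channel("1111", scanned=2)[0])      # scanner half way: tail reads as 0
```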
Since the malicious Receiver decodes continuously by reading the system time, the embodiments of the present invention detect the covert channel through the get-time events in the operating system instruction stream. Specifically, the sequence of events executed by the operating system is intercepted in the operating system instruction stream. The sequence includes get-time events and, optionally, write-fault events on merged pages, where a merged page is a page produced when the pages of different virtual machines are deduplicated. Note that the get-time events in the sequence may include the operating system's own get-time events as well as those of the malicious user; the operating system's own get-time events are usually spaced far apart.
S101: find a target subsequence in the sequence of events and obtain a time attribute of the target subsequence;
In one embodiment, the target subsequence is searched for in the intercepted sequence of events. The target subsequence can take several forms. For example, it may consist of two adjacent target get-time events; because the operating system's own get-time events are normally far apart in time, detection can be based on the time interval between two adjacent target get-time events in the target subsequence.
Optionally, for better detection accuracy and a lower false-positive rate, the target subsequence consists of target get-time events with a target write-fault event between them. In FIG. 3 the small white circles are the target get-time events in the intercepted sequence and the small black circles are the target write-fault events, so the target subsequence being searched for is one target write-fault event sandwiched between two target get-time events. The time attribute of the target subsequence is the first time difference between its start time and its end time, i.e. the difference between the system time of the first target get-time event and that of the second target get-time event.
It should be noted that the embodiments of the present invention do not restrict the form of the target subsequence or its time attribute.
S102: determine whether the time attribute of the target subsequence satisfies a preset condition;
S103: when the time attribute of the target subsequence satisfies the preset condition, determine that a covert channel exists in the system.
In one embodiment, it is determined whether the time attribute of the obtained target subsequence satisfies a preset condition, and if it does, a covert channel is determined to exist in the system. The preset condition depends on the chosen time attribute. For example, if the time attribute is the first time difference between the start time and the end time of the target subsequence, the preset condition is that this first time difference is less than a first preset threshold.
Optionally, step S102 may specifically be: determine whether the first time difference of the target subsequence is less than a first preset threshold;
and step S103 may specifically be: when the first time difference of the target subsequence is less than the first preset threshold, determine that a covert channel exists in the system.
In one embodiment, the choice of the first preset threshold is critical to detecting a single covert-channel decoding operation. If it is set too short, a malicious user can evade detection by inserting useless instructions between the two get-time events to lengthen the execution time (while still being able to tell a COW page write from an ordinary page write). Conversely, if it is set too long, the false-positive rate increases.
Suppose the covert channel executes n instructions between two get-time events, one of which is a memory write instruction. For the information to be encoded correctly, it must hold that:
$$T\text{-}Min_{cow(n)} > T\text{-}Max_{normal(n)}$$
T-Min_cow(n): the shortest time to execute the n instructions when the memory write is a write to a merged page.
T-Max_normal(n): the longest time to execute the n instructions when the memory write is a write to an ordinary page.
Assuming the average timing error of the n-1 ordinary instructions is Δt, it follows further that:
$$T_{min(cow)} - T_{max(normal)} > (n-1)\,\Delta t$$
T_min(cow): the shortest execution time of a memory write instruction when it writes to a merged page.
T_max(normal): the longest execution time of a memory write instruction when it writes to an ordinary page.
Assuming the average execution time of the n-1 ordinary instructions is t, it follows that:
$$(n-1)\,t + T_{min(cow)} \le T^{(1)} \le (n-1)\,t + T_{max(cow)}$$
[Equation image PCTCN2015092975-appb-000001 (intermediate step of the derivation) not reproduced]
$$2\,T_{min(cow)} \le T^{(1)} \le 2\,T_{max(cow)}$$
where t ≈ Δt and T_cow >> T_normal; optionally, T_cow is typically more than 10 times T_normal, although the ratio differs from system to system.
In summary, the first preset threshold T(1) can be estimated as twice the execution time of a write to a merged page. That execution time itself lies in a range, between a minimum T_min(cow) and a maximum T_max(cow), hence 2T_min(cow) ≤ T(1) ≤ 2T_max(cow). These minimum and maximum times differ between systems and must be set at deployment time from measurements on the actual system.
In the embodiments of the present invention, when at least two virtual machines on the same physical host are subject to memory deduplication, the sequence of events executed by the operating system is intercepted in the operating system instruction stream, the sequence including get-time events; a target subsequence is found in the sequence of events and its time attribute is obtained; it is determined whether that time attribute satisfies a preset condition, and if it does, a covert channel is determined to exist in the system. This approach accurately detects whether a covert channel exists in the system, improves system security, and does not affect the normal memory deduplication mechanism of the system.
Referring to FIG. 4, which is a schematic flowchart of another channel detection method according to an embodiment of the present invention: if the sequence of events includes a plurality of target subsequences, the channel detection method of this embodiment, shown in FIG. 4, includes the following steps:
S200: when at least two virtual machines on the same physical host are subject to memory deduplication, intercept, in the operating system instruction stream, a sequence of events executed by the operating system, the sequence of events including get-time events;
For step S200 of this embodiment, refer to step S100 of the embodiment shown in FIG. 2; details are not repeated here.
S201: find a preset number of target subsequences in the sequence of events in turn;
As an optional implementation, as shown in FIG. 3, the sequence of events may include a plurality of target subsequences, each consisting of two target get-time events and a target write-fault event between them. A preset number (n) of target subsequences is searched for in turn in the instruction stream executed by the operating system; the preset number (the value of n) is set by the user in advance.
S202: calculate, for each of the preset number of target subsequences, the first time difference between its start time and its end time.
As an optional implementation, the first time difference between the start time and the end time of each of the preset number of target subsequences is calculated; as shown in FIG. 3, the first time differences Δt_1, Δt_2, Δt_3, ..., Δt_n of the target subsequences are calculated in turn.
S203: determine whether the first time difference of every one of the preset number of target subsequences is less than the first preset threshold;
S204: when the first time difference of every one of the preset number of target subsequences is less than the first preset threshold, determine that a covert channel exists in the system.
As an optional implementation, it is determined whether the first time difference of every one of the preset number of target subsequences is less than the first preset threshold. If it is, i.e. Δt_i < T(1) for all i ∈ [1, n], a covert channel is determined to exist in the system. Note that the first preset threshold T(1) may be twice the execution time of a write to a merged page.
Optionally, to improve the detection accuracy further by taking the communication bandwidth of the covert channel into account, after it has been found in step S204 that the first time difference of every one of the preset number of target subsequences is less than the first preset threshold, the method further includes:
determining whether a second time difference, between the start time of the first target subsequence and the end time of the last target subsequence among the preset number of target subsequences, is less than a second preset threshold, the second preset threshold being less than the preset number; and
if the second time difference is less than the second preset threshold, determining that a covert channel exists in the system.
As an optional implementation, to improve detection accuracy the check is combined with the communication bandwidth of the covert channel. Specifically, it is further determined whether the second time difference, between the start time of the first of the preset number of target subsequences and the end time of the last, is less than a second preset threshold; if it is, a covert channel is determined to exist in the system. As shown in FIG. 3, the check is:
Δti<T(1) i∈[1,n] && tn-end-t1-beg<T(n) Δt i <T (1) i∈[1,n] && t n-end -t 1-beg <T (n)
通常认为当通信带宽低于1bps时,该信道是没有通信价值的。第二预设阈值T(n)阀值用于控制隐蔽信道传输n bit信息时的最长传输时间。即是保证:It is generally believed that when the communication bandwidth is less than 1 bps, the channel has no communication value. The second preset threshold T (n) threshold is used to control the longest transmission time when the covert channel transmits n bit information. That is to guarantee:
n / T(n) > 1 bps   (bandwidth of n bits transmitted in time T(n); shown as an equation image in the original)
i.e. T(n) < n, with T(n) in seconds.
Therefore the value of T(n) cannot exceed n. Since the amount of information transmitted in practice is larger than n bits, the threshold T(n) is set slightly smaller than n.
In the embodiment of the present invention, when at least two virtual machines on the same physical host undergo memory deduplication (page merging), the sequence of events executed by the operating system is intercepted in the operating system instruction stream; the event sequence includes get-time events. Target subsequences are searched for in the event sequence and their time attributes are obtained; it is judged whether the time attribute of a target subsequence satisfies a preset condition, and if it does, it is determined that a covert channel exists in the system. This approach accurately detects whether a covert channel exists in the system, improves system security, and does not interfere with the normal operation of the system's memory deduplication mechanism.
Figure 5 is a flowchart of a covert channel detection algorithm according to an embodiment of the present invention. In this embodiment the event sequence includes get-time events and COW page write fault events. While the operating system runs, both kinds of events are intercepted continuously: along the direction of the operating system's instruction stream, every occurrence of either event is intercepted and enters a handler routine.
When the execution of a get-time event is intercepted, the handler follows the algorithm of Figure 5. In the handler, t_now records the current system time and t_pre caches the system time at which the handler was last entered. t_cow_pf records the system time of the most recent COW page write fault event; it is a global variable updated by the page fault handler of Figure 6. t_beg records the start time of the first detected target subsequence and is used to compute the execution time of the n subsequences once the n-th one is detected. The variable Count records how many target subsequences have been detected so far. The algorithm first obtains the current system time t_now, subtracts the cached system time t_pre of the previous get-time event, and checks whether the interval is smaller than the threshold T(1). If it is larger, the current subsequence is not a covert channel decoding operation and only t_pre is updated. Otherwise it further checks whether the most recent COW page write fault event lies between the two get-time events; if so, one covert channel decoding operation has been detected, Count is updated, and it is checked whether this is the n-th decoding operation. If it is, the algorithm further checks whether the time interval covering the n decoding operations is smaller than the threshold T(n); if so, a covert channel is determined to have been detected.
Further, Figure 6 is a flowchart of a page fault handling algorithm according to an embodiment of the present invention:
While the system runs, a write to a memory page that has been merged by memory deduplication triggers a COW page write fault event and enters the page fault exception handler. The algorithm of the present invention inside that handler is shown in Figure 6:
First, it checks whether the current page fault error code PFEC indicates a write fault (on x86 this is the W/R bit of the error code). If so, it walks the COW page list and, using the virtual address pf_va of the faulting page, determines whether that page is one merged by memory deduplication. If it is, a COW page write fault event has been intercepted, and the current system time is recorded in the global variable t_cow_pf.
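The get-time handler of Figure 5, the page fault handler of Figure 6 and the combined check of Figure 3 (Δt_i < T(1) for every counted subsequence, and t_n-end − t_1-beg < T(n)), implemented over a constructed event trace. This is an added example, not code from the patent or from Huawei. The trace format, the `merged` page set passed in place of the hypervisor's COW page list, the timing constants, and the decision to restart the count when a target subsequence exceeds T(1) (the patent only says t_pre is updated) are assumptions of the example.

```python
"""Detector for the deduplication covert channel, as an added example.

One pass over a constructed, time-ordered trace of two event kinds:
  ("gettime", t)                  the guest reads the clock at system time t
  ("pagefault", t, is_write, va)  a page fault at time t on virtual page va
on_get_time() follows the handler of Figure 5, on_page_fault() the handler
of Figure 6.  Times are seconds as floats.  The set of merged page
addresses is an assumed input; on a real host it is the COW page list the
page-fault handler walks.
"""
from dataclasses import dataclass

PAGE = 4096


@dataclass
class Detector:
    t1: float          # T(1): longest duration of one decode subsequence
    tn: float          # T(n): longest duration of n consecutive subsequences
    n: int             # preset number of target subsequences
    merged: set        # virtual page addresses merged by deduplication
    t_pre: float = None      # time of the previous get-time event
    t_cow_pf: float = None   # time of the latest COW write fault (Figure 6)
    t_beg: float = None      # start of the first counted subsequence
    count: int = 0           # target subsequences seen so far

    def on_page_fault(self, t, is_write, va):
        # Figure 6: only a write fault on a merged page is a COW write event
        # (on x86 the W/R bit of the error code tells write from read).
        if is_write and va in self.merged:
            self.t_cow_pf = t

    def _reset(self):
        self.count, self.t_beg = 0, None

    def on_get_time(self, t_now):
        """Figure 5: pair this get-time with the previous one; True = alarm."""
        t_pre, self.t_pre = self.t_pre, t_now
        if t_pre is None:
            return False
        cow_inside = self.t_cow_pf is not None and t_pre < self.t_cow_pf < t_now
        if not cow_inside:
            return False        # not a target subsequence: leave the count alone
        if t_now - t_pre >= self.t1:
            self._reset()       # a target subsequence slower than T(1) is not a
            return False        # decode step (assumption: restart the run)
        if self.count == 0:
            self.t_beg = t_pre  # t_1-beg of Figure 3
        self.count += 1
        if self.count < self.n:
            return False
        alarm = t_now - self.t_beg < self.tn   # t_n-end - t_1-beg < T(n)
        self._reset()
        return alarm


def detect(events, t1, tn, n, merged):
    """Feed a trace to the detector; return the times at which it alarmed."""
    det, hits = Detector(t1, tn, n, merged), []
    for ev in sorted(events, key=lambda e: e[1]):
        if ev[0] == "gettime":
            if det.on_get_time(ev[1]):
                hits.append(ev[1])
        else:
            det.on_page_fault(ev[1], ev[2], ev[3])
    return hits


def receiver_trace(bits, start, base_va, step=5e-6, cow_cost=12e-6):
    """Constructed trace of Receiver timing one write per page (Figure 1)."""
    ev, t = [], start
    for i, b in enumerate(bits):
        ev.append(("gettime", t))
        if b:   # page still merged with Sender's: the write faults and copies
            ev.append(("pagefault", t + 1e-6, True, base_va + i * PAGE))
            t += cow_cost
        else:   # Sender modified its copy, so this page is private: fast store
            t += 1e-6
        ev.append(("gettime", t))
        t += step
    return ev


def background_trace(seconds, merged_va):
    """Constructed benign activity: slow periodic clock reads and stray faults."""
    ev = [("gettime", float(s)) for s in range(seconds)]
    ev.append(("pagefault", 3.5, True, merged_va))    # COW fault, but ~1 s apart
    ev.append(("pagefault", 7.2, False, merged_va))   # read fault: not counted
    return ev


if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0, 1, 1, 1]
    base = 0x7F0000000000
    merged = {base + i * PAGE for i, b in enumerate(bits) if b}
    trace = background_trace(20, base) + receiver_trace(bits, 10.5, base)
    print(detect(trace, t1=20e-6, tn=3.0, n=3, merged=merged))
```

Run as a script it prints the alarm times for the constructed trace. Get-time pairs with no COW write fault between them (the 0-bit pages, and the operating system's own clock reads) are not target subsequences and do not disturb the count, which is what lets a window of n subsequences span a mixed bit string; the T(n) check then rejects a run of fast decodes that is spread over more than n seconds, and a decoder padded so that each step exceeds T(1) never reaches the count at all.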
The specific implementation of the channel detection apparatus provided by the embodiments of the present invention is described below with reference to Figures 7 to 9.
Figure 7 is a schematic structural diagram of a channel detection apparatus according to an embodiment of the present invention. As shown in Figure 7, the channel detection apparatus of this embodiment includes an intercepting module 100, an obtaining module 101, a judging module 102 and a determining module 103.
The intercepting module 100 is configured to intercept, when at least two virtual machines on the same physical host undergo memory deduplication, the sequence of events executed by the operating system in the operating system instruction stream, the event sequence including get-time events.
In one embodiment, in a multi-tenant cloud environment, the virtual machines of different tenants usually share the memory of the same physical host. The sharing may use memory deduplication: identical physical memory pages are merged so that only one physical copy of the page is kept, and all the other virtual machines map that same physical page. Later, when some virtual machine writes to that page, the operating system raises a write fault event, for example a copy-on-write (COW) page write fault event, upon which it copies a fresh physical page for that virtual machine to write to. Memory deduplication effectively improves physical memory utilisation in the cloud and increases the number of concurrent virtual machines on a single physical host, so it is widely used in major commercial and open-source hypervisors.
However, introducing memory deduplication into a cloud platform also brings an unexpected security weakness. The virtual machines of a malicious user and of an ordinary user may reside on the same physical host and have their memory pages merged by deduplication. A malicious user can build a covert channel on top of this shared-memory mechanism and use it to exfiltrate private information of other ordinary users, such as keys.
The covert channel is constructed as follows. As shown in Figure 1, the ordinary user Sender and the malicious user Receiver are two virtual machines on the same physical host. Receiver has compromised Sender by some means and now wishes to pass the stolen private user data out covertly without being detected; it can do so by building a covert channel on the memory deduplication mechanism. Suppose N bits of information are to be transmitted:
Receiver makes Sender allocate a region of N*4K bytes and load a file A into it. Receiver then makes Sender encode the allocated memory at page granularity (4K) by the rule: if the bit to be transmitted is 0, modify the current page (any modification will do); if it is 1, skip the page unmodified and move on to the next one. After encoding, wait for the pages to be merged.
Receiver allocates a region of the same size N*4K and loads the same file A into it. The operating system merges the identical pages automatically. After waiting for a while, Receiver starts receiving: it decodes the allocated memory at page granularity by writing to each page in turn while timing the write. Concretely, it reads the system time once before writing to a page and once more after the write has completed. If the page was merged, the write needs an extra page copy and therefore takes longer than a write to an ordinary page, so Receiver decodes by the duration of the write: for example, if a page write takes too long the current page decodes to 1, otherwise to 0. Receiver has then received the information.
Sender and Receiver load the same file A so that the initial contents of the pages they allocate are identical. After Sender's encoding, a page encoded as 0 has been modified by Sender, so the corresponding pages on the two sides differ and are not merged; conversely, a page encoded as 1 has identical contents on both sides, so after some time the two pages are merged into one physical page. Receiver can finally recover the 0/1 information by writing to each page and measuring how long the write takes.
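The Sender/Receiver exchange described above as an added simulation, not code from the patent or from Huawei. Deduplication is modelled as merging pages whose content is identical in two different VMs, a write to a shared page is charged a fixed copy-on-write cost, and the constants T_COW and T_NORMAL, the page contents standing in for file A, and the VM names are all constructed for the example.

```python
"""Simulation of the deduplication covert channel of Figure 1, as an added example.

Pages are byte strings.  dedup_scan() plays the host's deduplication
(KSM-style): pages with identical content in two different VMs are marked
as sharing one physical page.  write() charges a store to a shared page the
copy-on-write cost and breaks the sharing, which is the behaviour Receiver
times.  T_COW and T_NORMAL are constructed constants, not measurements.
"""

PAGE = 4096
T_NORMAL = 1e-6    # assumed duration of a store to a private page
T_COW = 12e-6      # assumed duration of a store that triggers copy-on-write


class DedupHost:
    def __init__(self):
        self.vms = {}        # vm name -> list of page contents
        self.merged = set()  # (vm, page index) pairs backed by a shared page

    def alloc(self, vm, pages):
        self.vms[vm] = list(pages)

    def dedup_scan(self):
        """Merge pages whose content is identical across different VMs."""
        by_content = {}
        for vm, pages in self.vms.items():
            for idx, content in enumerate(pages):
                by_content.setdefault(content, []).append((vm, idx))
        for owners in by_content.values():
            if len({vm for vm, _ in owners}) > 1:
                self.merged.update(owners)

    def write(self, vm, idx, data):
        """Store `data` at the start of the page; return the simulated duration."""
        shared = (vm, idx) in self.merged
        self.merged.discard((vm, idx))        # COW gives this VM a private copy
        page = bytearray(self.vms[vm][idx])
        page[:len(data)] = data
        self.vms[vm][idx] = bytes(page)
        return T_COW if shared else T_NORMAL


def file_pages(n):
    """Constructed stand-in for file A: n pages with distinct content."""
    return [bytes([i % 256]) * PAGE for i in range(n)]


def sender_encode(host, bits):
    """Sender's side: bit 0 = modify the page, bit 1 = leave it identical."""
    host.alloc("sender", file_pages(len(bits)))
    for idx, b in enumerate(bits):
        if b == 0:
            host.write("sender", idx, b"modified by sender")


def receiver_decode(host, n, threshold=(T_NORMAL + T_COW) / 2):
    """Receiver's side: load the same file, wait for merging, time one write per page."""
    host.alloc("receiver", file_pages(n))
    host.dedup_scan()                          # stands in for the waiting period
    bits = []
    for idx in range(n):
        elapsed = host.write("receiver", idx, b"probe")   # t_after - t_before
        bits.append(1 if elapsed > threshold else 0)     # slow write = merged = 1
    return bits


def run_channel(bits):
    """Drive both sides end to end; return what Receiver decoded."""
    host = DedupHost()
    sender_encode(host, bits)
    return receiver_decode(host, len(bits))


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    print(msg, "->", run_channel(msg))
```

The inverted mapping is worth noticing: a 0 costs Sender a write before merging, a 1 costs Receiver a page copy during decoding. Only the 1-bits therefore produce a COW write fault between Receiver's two clock reads, which is exactly the pattern the detection method keys on, and a second write to the same page after the copy is again a fast private store.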
Since the malicious Receiver decodes by repeatedly reading the system time, the embodiment of the present invention detects the covert channel through the get-time events in the operating system instruction stream. Specifically, the intercepting module 100 intercepts the sequence of events executed by the operating system in its instruction stream; the event sequence includes get-time events and may optionally also include write fault events on merged memory pages. Note that the get-time events in the event sequence may include the operating system's own get-time events as well as those of the malicious user; the operating system's own get-time events are usually spaced far apart.
The obtaining module 101 is configured to search the event sequence for a target subsequence and obtain the time attribute of the target subsequence.
In one embodiment, the obtaining module 101 searches the obtained event sequence for target subsequences. A target subsequence can take several forms; for example, it may consist of two adjacent target get-time events. Because the system's own get-time events are usually far apart in time, detection can be based on the time-interval attribute of two adjacent target get-time events in the sequence.
Optionally, for detection accuracy and a lower false-positive rate, a target subsequence consists of target get-time events and a target write fault event between them. As shown in Figure 3, the small white circles represent target get-time events in the intercepted event sequence and the small black circles represent target write fault events; the target subsequence sought is therefore a target write fault event sandwiched between two target get-time events. The time attribute of the target subsequence includes the first time difference between its start time and its end time, i.e. the difference between the system time of the first target get-time event and that of the second target get-time event in the subsequence.
Note that the form of the target subsequence and its time attribute are not limited in the embodiments of the present invention.
The judging module 102 is configured to judge whether the time attribute of the target subsequence satisfies a preset condition.
The determining module 103 is configured to determine that a covert channel exists in the system when the time attribute of the target subsequence satisfies the preset condition.
In one embodiment, the judging module 102 judges whether the time attribute of the obtained target subsequence satisfies the preset condition, and when it does, the determining module 103 determines that a covert channel exists in the system. The preset condition depends on the chosen time attribute: for example, if the time attribute is the first time difference between the start time and the end time of the target subsequence, the preset condition is that this first time difference is smaller than a first preset threshold.
Optionally, the judging module 102 is specifically configured to judge whether the first time difference of the target subsequence is smaller than the first preset threshold;
and the determining module 103 is specifically configured to determine that a covert channel exists in the system when the first time difference of the target subsequence is smaller than the first preset threshold.
In one embodiment, the setting of the first preset threshold is critical for detecting a single covert channel decoding operation. If it is set too short, a malicious user may evade detection by inserting useless instructions between the two get-time events to lengthen the execution time (while still being able to tell a COW page write from an ordinary page write). Conversely, if it is set too long, the false-positive rate increases.
Suppose the covert channel executes n instructions between two get-time events, one of which is a memory write. To encode information reliably it must hold that:
T-Min_cow(n) > T-Max_normal(n)
T-Min_cow(n): the shortest time to execute the n instructions when the memory write is to a merged page.
T-Max_normal(n): the longest time to execute the n instructions when the memory write is to an ordinary page.
Assuming the average timing error of executing the n−1 ordinary instructions is Δt, it further follows that:
Tmin(cow) − Tmax(normal) > (n−1)·Δt
Tmin(cow): the shortest execution time of a memory write to a merged page.
Tmax(normal): the longest execution time of a memory write to an ordinary page.
Assuming the average execution time of the n−1 ordinary instructions is t, one obtains:
(n−1)·t + Tmin(cow) ≤ T(1) ≤ (n−1)·t + Tmax(cow)
[intermediate step shown only as an equation image in the original and not recoverable here: it substitutes t ≈ Δt and the bound (n−1)·Δt < Tmin(cow) − Tmax(normal) into the inequality above]
2·Tmin(cow) ≤ T(1) ≤ 2·Tmax(cow)
where t ≈ Δt and Tcow >> Tnormal; typically the value of Tcow is more than 10 times that of Tnormal, the exact factor varying from system to system.
In summary, the estimate for the first preset threshold T(1) is twice the execution time of a write to a merged memory page. Because that execution time itself spans a range, from a minimum Tmin(cow) to a maximum Tmax(cow), one has 2·Tmin(cow) ≤ T(1) ≤ 2·Tmax(cow). These minimum and maximum times differ between systems and must be set at deployment time from measurements on the actual system.
In the embodiment of the present invention, when at least two virtual machines on the same physical host undergo memory deduplication, the sequence of events executed by the operating system is intercepted in the operating system instruction stream; the event sequence includes get-time events. Target subsequences are searched for in the event sequence and their time attributes are obtained; it is judged whether the time attribute of a target subsequence satisfies a preset condition, and if it does, it is determined that a covert channel exists in the system. This approach accurately detects whether a covert channel exists in the system, improves system security, and does not interfere with the normal operation of the system's memory deduplication mechanism.
Referring to Figure 8, where the event sequence includes multiple target subsequences, an embodiment of the present invention provides an obtaining module with the structure shown in Figure 8. The obtaining module of this embodiment includes:
a searching unit 1010, configured to search the event sequence in order for a preset number of target subsequences;
As an optional implementation, as shown in Figure 3, the event sequence may include multiple target subsequences, each consisting of two target get-time events and a target write fault event between them. The searching unit 1010 searches the operating system's instruction stream in order for the preset number (n) of target subsequences; the preset number (the value of n) is set in advance by the user.
a calculating unit 1011, configured to calculate the first time difference between the start time and the end time of each of the preset number of target subsequences.
As an optional implementation, the calculating unit 1011 calculates the first time difference between the start time and the end time of each of the preset number of target subsequences; as shown in Figure 3, the first time differences Δt_1, Δt_2, Δt_3, ..., Δt_n of the individual target subsequences are calculated in turn.
Optionally, the judging module 102 is specifically configured to judge whether the first time difference of every one of the preset number of target subsequences is smaller than the first preset threshold;
and the determining module 103 is specifically configured to determine that a covert channel exists in the system when the first time difference of every one of the preset number of target subsequences is smaller than the first preset threshold.
As an optional implementation, the judging module 102 judges whether the first time difference of every one of the preset number of target subsequences is smaller than the first preset threshold; when every one of them is, i.e. Δt_i < T(1) for i ∈ [1, n], the determining module 103 determines that a covert channel exists in the system. Note that the first preset threshold T(1) may be set to twice the execution time of a write to a merged memory page.
Optionally, to further improve detection accuracy by taking the communication bandwidth of the covert channel into account, the determining module 103 includes a judging unit and a determining unit;
a judging unit, configured to judge, when the first time difference of every one of the preset number of target subsequences is smaller than the first preset threshold, whether the second time difference between the start time of the first target subsequence and the end time of the last target subsequence among the preset number of target subsequences is smaller than a second preset threshold, the second preset threshold being smaller than the preset number;
a determining unit, configured to determine that a covert channel exists in the system when the second time difference is smaller than the second preset threshold.
As an optional implementation, to improve detection accuracy, the detection also uses the communication bandwidth of the covert channel. Specifically, the judging unit further judges whether the second time difference between the start time of the first target subsequence and the end time of the last target subsequence among the preset number of target subsequences is smaller than the second preset threshold; if it is, the determining unit determines that a covert channel exists in the system. As shown in Figure 3, the check is:
Δt_i < T(1) for i ∈ [1, n]  &&  t_n-end − t_1-beg < T(n)
A channel whose bandwidth is below 1 bps is generally considered to have no communication value. The second preset threshold T(n) bounds the longest time the covert channel may take to transmit n bits of information, i.e. it guarantees:
n / T(n) > 1 bps   (bandwidth of n bits transmitted in time T(n); shown as an equation image in the original)
i.e. T(n) < n, with T(n) in seconds.
因此T(n)的值不能超过n。由于实际应用中所传输的信息量比n要大,因此T(n)的阀值比n还稍微小点。Therefore the value of T (n) cannot exceed n. Since the amount of information transmitted in the actual application is larger than n, the threshold of T (n) is slightly smaller than n.
本发明实施例中,当至少两台虚拟机在同一个物理主机上进行内存去重合并时,在操作系统指令流中拦截操作系统执行的事件序列,该事件序列中包括获取时间事件,从事件序列中查找目标子序列,并获取目标子序列的时间属性,判断目标子序列的时间属性是否满足预设条件,若目标子序列的时间属性满足预设条件,则确定系统中存在隐蔽信道。这种方式可以准确检测出系统中是否存在隐蔽信道,提高了系统安全性,并且这种检测方式也不会影响系统正常的内存去重机制的功能。In the embodiment of the present invention, when at least two virtual machines perform memory deduplication on the same physical host, the sequence of events executed by the operating system is intercepted in the operating system instruction stream, and the event sequence includes an acquisition time event, a secondary event. The target subsequence is searched in the sequence, and the time attribute of the target subsequence is obtained, and the time attribute of the target subsequence is determined to meet the preset condition. If the time attribute of the target subsequence satisfies the preset condition, it is determined that there is a hidden channel in the system. This method can accurately detect whether there is a hidden channel in the system, improve system security, and this detection method will not affect the function of the system's normal memory deduplication mechanism.
请参照图9,为本发明实施例提供的另一种信道检测装置的结构示意图。图9的信道检测装置可用于实现上述方法实施例中各步骤及方法。图9的实施例中,信道检测装置包括处理器200、收发器201、存储器202以及总线203。存储器202用于存储指令,处理器200用于执行存储器202中的指令,以完成后续信道检测操作。存储器202可以包括只读存储器和随机存取存储器,数据通信装置的各个组件通过总线系统203耦合在一起,其中总线系统203除包括数据总线之外,还包括电源总线、控制总线和状态信号总线。但是为了清楚说 明起见,在图中将各种总线都标为总线系统203。下面对各个组件进行详细描述:FIG. 9 is a schematic structural diagram of another channel detecting apparatus according to an embodiment of the present invention. The channel detecting device of FIG. 9 can be used to implement the steps and methods in the foregoing method embodiments. In the embodiment of FIG. 9, the channel detecting apparatus includes a processor 200, a transceiver 201, a memory 202, and a bus 203. The memory 202 is for storing instructions, and the processor 200 is for executing instructions in the memory 202 to perform subsequent channel detecting operations. The memory 202 can include read only memory and random access memory, the various components of the data communication device being coupled together by a bus system 203, wherein the bus system 203 includes a power bus, a control bus, and a status signal bus in addition to the data bus. But to be clear For the sake of clarity, various buses are labeled as bus system 203 in the figure. The individual components are described in detail below:
所述处理器,用于当至少两台虚拟机在同一个物理主机上进行内存去重合并时,在操作系统指令流中拦截操作系统执行的事件序列,所述事件序列中包括获取时间事件;The processor is configured to intercept an event sequence executed by an operating system in an operating system instruction stream when at least two virtual machines perform memory de-merging on the same physical host, where the event sequence includes an acquisition time event;
所述处理器还用于从所述事件序列中查找目标子序列,并获取所述目标子序列的时间属性;The processor is further configured to search for a target subsequence from the sequence of events, and acquire a time attribute of the target subsequence;
所述处理器还用于判断所述目标子序列的时间属性是否满足预设条件;The processor is further configured to determine whether a time attribute of the target subsequence meets a preset condition;
所述处理器还用于若所述目标子序列的时间属性满足预设条件,确定系统中存在隐蔽信道。The processor is further configured to determine that a hidden channel exists in the system if a time attribute of the target subsequence satisfies a preset condition.
Optionally, in a multi-tenant cloud environment the virtual machines of different tenants usually share the memory of the same physical host. One way of sharing is memory deduplication: identical physical memory pages are merged so that only one physical copy of the page is kept, and all other virtual machines map that same physical page. Later, when some virtual machine writes to the page, the operating system raises a write exception event, for example a copy-on-write (COW) page write exception; on such an event the operating system copies a fresh physical page for that virtual machine and performs the write on the copy. Memory deduplication effectively raises physical memory utilisation in the cloud and increases the number of virtual machines that can run concurrently on one physical host, so it is widely used in major commercial and open-source hypervisors.
However, introducing memory deduplication into a cloud platform also creates unexpected security vulnerabilities. The virtual machines of a malicious user and of an ordinary user may be located on the same physical host and have their memory pages merged by deduplication. A malicious user can use this shared-memory mechanism to build a covert channel and steal private information, such as keys, from other ordinary users.
The covert channel is constructed as follows. As shown in FIG. 1, the ordinary user Sender and the malicious user Receiver are two virtual machines on the same physical host. Receiver has compromised Sender by some means and now wants to covertly pass the stolen private user data out without being detected; it can build a covert channel on the memory deduplication mechanism to transmit the information. Suppose N bits of information need to be transmitted:
Receiver makes Sender allocate a region of memory of size N*4K and load a file A into it. Receiver then makes Sender encode the allocated memory at memory-page granularity (4K) according to the following rule: if the bit to be transmitted is 0, the current memory page is modified (in any way); if the bit is 1, the page is skipped without modification and the next page is processed. After encoding, Sender waits for the pages to be merged.
Receiver allocates a memory region of the same size N*4K and loads the same file A into it. The operating system merges the memory pages automatically. After waiting a while, Receiver starts to receive the information, that is, it decodes the allocated memory at page granularity. The decoding rule is: write to each memory page in turn and measure the execution time of each page write. Concretely, the system time is read once before writing to a given page and once more after the write completes. If the page is a merged page, the write takes longer than a write to an ordinary page because an additional page copy is required, so Receiver can decode according to the duration of each page write: for example, if a page write takes too long, the current page is decoded as 1, otherwise as 0. Receiver has then received the information.
The ordinary user Sender and the malicious user Receiver load the same file A so that the initial contents of the memory pages allocated by Sender and Receiver are identical. After Sender has encoded its pages, a page encoded as 0 has been modified by Sender, so the corresponding pages on the two sides differ and are not merged; conversely, a page encoded as 1 has identical content on both sides, so after some time the two pages are merged into the same physical page. Finally, Receiver decodes the 0/1 information by writing to each page and measuring how long the write takes.
Because the malicious user Receiver decodes continuously by reading the system time, the embodiment of the present invention detects the covert channel by means of the get-time events in the operating system instruction stream. Specifically, the sequence of events executed by the operating system is intercepted in the operating system instruction stream; the event sequence includes get-time events and, optionally, write exception events on merged memory pages, where a merged memory page is a page produced when memory pages of different virtual machines are merged by deduplication. It should be noted that the get-time events in the event sequence may include get-time events issued by the operating system itself as well as get-time events issued by the malicious user; the operating system's own get-time events are usually spaced far apart in time.
Optionally, a target subsequence is searched for in the intercepted event sequence. The target subsequence may take several forms; for example, it may consist of two adjacent target get-time events. Since the interval between the operating system's own get-time events is usually long, detection can be based on the time-interval attribute of two adjacent target get-time events in the target sequence.
Optionally, to improve detection accuracy and reduce the false positive rate, the target subsequence includes target get-time events and a target write exception event between them. As shown in FIG. 3, the small white circles represent the target get-time events in the intercepted event sequence and the small black circles represent the target write exception events; the target subsequence being searched for is therefore one target write exception event enclosed between two target get-time events. The time attribute of the target subsequence includes a first time difference between the start time and the end time of the target subsequence, that is, the difference between the system time of the first target get-time event and the system time of the second target get-time event in the target subsequence.
It should be noted that the embodiment of the present invention does not limit the form of the target subsequence, nor the time attribute of the target subsequence.
Optionally, it is determined whether the time attribute of the obtained target subsequence satisfies a preset condition; if it does, it is determined that a covert channel exists in the operating system. The preset condition depends on the time attribute of the target subsequence. For example, if the time attribute is the first time difference between the start time and the end time of the target subsequence, the preset condition is that this first time difference is less than a first preset threshold.
The processor is further configured to determine whether the first time difference of the target subsequence is less than a first preset threshold;
The processor is further configured to determine that a covert channel exists in the system when the first time difference of the target subsequence is less than the first preset threshold.
Optionally, the setting of the first preset threshold is critical for detecting a single decoding operation of the covert channel. If it is set too short, a malicious user may evade detection by inserting useless instructions between the two get-time events to lengthen the execution time (while still being able to distinguish a COW page write from an ordinary page write). Conversely, if it is set too long, the false positive rate increases.
Suppose the covert channel executes n instructions between two get-time events (one of which is a memory write instruction). To encode information accurately, the following must hold:
$T\text{-}Min_{cow}(n) > T\text{-}Max_{normal}(n)$
$T\text{-}Min_{cow}(n)$: the shortest time to execute the n instructions when the memory write instruction writes to a merged memory page.
$T\text{-}Max_{normal}(n)$: the longest time to execute the n instructions when the memory write instruction writes to an ordinary memory page.
Assuming the average error in the execution time of the n-1 ordinary instructions is $\Delta t$, it can further be derived that:
$T_{min}(cow) - T_{max}(normal) > (n-1)\,\Delta t$
$T_{min}(cow)$: the shortest execution time needed for the memory write instruction when it writes to a merged memory page.
$T_{max}(normal)$: the longest execution time needed for the memory write instruction when it writes to an ordinary memory page.
Assuming the average execution time of the n-1 ordinary instructions is t, it follows that:
$(n-1)\,t + T_{min}(cow) \le T(1) \le (n-1)\,t + T_{max}(cow)$
[Figure PCTCN2015092975-appb-000005: intermediate step of the derivation; image not available on the page]
$2\,T_{min}(cow) \le T(1) \le 2\,T_{max}(cow)$
where $t \approx \Delta t$ and $T_{cow} \gg T_{normal}$; optionally, $T_{cow}$ is usually more than 10 times $T_{normal}$, the exact factor differing from system to system.
In summary, the estimated value of the first preset threshold T(1) is twice the execution time of a write to a merged memory page. However, the execution time of a write to a merged page itself lies within a range, with maximum $T_{max}(normal)$ and minimum $T_{min}(cow)$, hence $2\,T_{min}(cow) \le T(1) \le 2\,T_{max}(cow)$. This maximum and minimum differ between systems and must be set at deployment time according to measurements on the actual system.
If the event sequence includes multiple target subsequences:
The processor is further configured to search the event sequence in turn for a preset number of target subsequences;
The processor is further configured to calculate, for each of the preset number of target subsequences, the first time difference between its start time and its end time.
Optionally, as shown in FIG. 3, the event sequence may include multiple target subsequences, each consisting of two target get-time events and a target write exception event between them. A preset number (n) of target subsequences is searched for in turn in the instruction stream executed by the system; the preset number (the value of n) is set in advance by the user.
Optionally, the first time difference between the start time and the end time of each of the preset number of target subsequences is calculated; as shown in FIG. 3, the first time differences $\Delta t_1, \Delta t_2, \Delta t_3, \ldots, \Delta t_n$ of the target subsequences are calculated in turn.
The processor is further configured to determine whether the first time difference of every one of the preset number of target subsequences is less than the first preset threshold;
The processor is further configured to determine that a covert channel exists in the system when the first time difference of every one of the preset number of target subsequences is less than the first preset threshold.
Optionally, it is determined whether the first time difference of every one of the preset number of target subsequences is less than the first preset threshold; if so, that is, if $\Delta t_i < T(1)$ for all $i \in [1, n]$, it is determined that a covert channel exists in the operating system. It should be noted that the first preset threshold T(1) may be twice the execution time of a write to a merged memory page.
The processor is further configured to determine whether a second time difference, between the start time of the first target subsequence and the end time of the last target subsequence among the preset number of target subsequences, is less than a second preset threshold, the second preset threshold being less than the preset number;
The processor is further configured to determine that a covert channel exists in the system when the second time difference is less than the second preset threshold.
Optionally, to improve detection accuracy, the communication bandwidth of the covert channel is also taken into account. Specifically, it is further determined whether the second time difference, between the start time of the first target subsequence and the end time of the last target subsequence among the preset number of target subsequences, is less than a second preset threshold; if it is, it is determined that a covert channel exists in the system. As shown in FIG. 3, the check is:
$\Delta t_i < T(1),\ i \in [1,n] \quad \&\&\quad t_{n\text{-}end} - t_{1\text{-}beg} < T(n)$
It is generally considered that a channel whose bandwidth is below 1 bps has no communication value. The second preset threshold T(n) bounds the longest transmission time allowed for the covert channel to transmit n bits of information, that is, it guarantees:
[Figure PCTCN2015092975-appb-000006: bandwidth condition; image not available on the page]
That is, $T(n) < n$.
Therefore the value of T(n) cannot exceed n. Since the amount of information transmitted in practice is larger than n, the threshold T(n) is set slightly smaller than n.
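The threshold derivation above, the check over a preset number of target subsequences, and the bandwidth-based second threshold can be exercised together on an event trace. The following Python is an added example written for this page, not code from the patent or from its assignee. The event names GET_TIME and COW_FAULT, the dataclasses, the function names, the synthetic traces and every timing value (a 10 µs merged-page write, a 1 µs ordinary write, clock reads by the operating system once per second) are assumptions chosen for illustration, and the detector slides a window over all target subsequences it finds, a small generalisation of taking the first n.

```python
# Added example for this page, not code from the patent: an offline detector for
# the pattern described above (get-time event, write exception on a merged
# page, get-time event), run over constructed event traces. Timings, thresholds
# and trace shapes are assumptions chosen for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple

GET_TIME = "GET_TIME"    # get-time event (white circle in FIG. 3)
COW_FAULT = "COW_FAULT"  # write exception on a merged page (black circle in FIG. 3)

@dataclass(frozen=True)
class Event:
    kind: str
    ts: float  # system time in seconds (constructed)

@dataclass(frozen=True)
class TargetSubsequence:
    beg: float  # system time of the opening get-time event
    end: float  # system time of the closing get-time event

    @property
    def first_diff(self) -> float:
        """First time difference: end time minus start time."""
        return self.end - self.beg

def find_target_subsequences(events: List[Event]) -> List[TargetSubsequence]:
    """Collect every GET_TIME, COW_FAULT, GET_TIME triple in trace order. The
    closing get-time of one triple may open the next, which also covers a
    decoder that reads the clock only once between consecutive page writes."""
    found, i = [], 0
    while i + 2 < len(events):
        a, b, c = events[i], events[i + 1], events[i + 2]
        if a.kind == GET_TIME and b.kind == COW_FAULT and c.kind == GET_TIME:
            found.append(TargetSubsequence(a.ts, c.ts))
            i += 2
        else:
            i += 1
    return found

def first_threshold_bounds(cow_write_times: List[float]) -> Tuple[float, float]:
    """Admissible range for T(1): 2*Tmin(cow) <= T(1) <= 2*Tmax(cow), taken
    from write times to merged pages measured on the deployed system."""
    return 2 * min(cow_write_times), 2 * max(cow_write_times)

def second_threshold(n: int, margin: float = 0.9) -> float:
    """T(n) in seconds for n bits: a channel below 1 bps is worthless, so
    T(n) < n; the margin keeps it slightly below n, as the text suggests."""
    return margin * n

def detect_covert_channel(events: List[Event], n: int, t1: float, tn: float
                          ) -> Tuple[bool, Optional[List[TargetSubsequence]]]:
    """Report a covert channel when n target subsequences all satisfy
    first_diff < t1 and the span from the first one's start to the last one's
    end is below tn (the check of claim 5, here over a sliding window)."""
    subs = find_target_subsequences(events)
    for start in range(len(subs) - n + 1):
        window = subs[start:start + n]
        if (all(s.first_diff < t1 for s in window)
                and window[-1].end - window[0].beg < tn):
            return True, window
    return False, None

def receiver_like_trace(bits: List[int], cow: float = 1.0e-5, normal: float = 1.0e-6,
                        overhead: float = 5e-7, gap: float = 2e-6) -> List[Event]:
    """Constructed trace shaped like the decoding loop in the description: read
    the clock, write one page, read the clock. A merged page (bit 1) raises a
    COW fault and takes `cow`; an ordinary page (bit 0) takes `normal`."""
    events, t = [], 0.0
    for b in bits:
        events.append(Event(GET_TIME, t))
        if b:
            events.append(Event(COW_FAULT, t + overhead))
            t += overhead + cow
        else:
            t += overhead + normal
        events.append(Event(GET_TIME, t))
        t += gap
    return events

def benign_trace(seconds: int = 10, period: float = 1.0) -> List[Event]:
    """Constructed trace of an operating system reading the clock once per
    `period`, with a legitimate merged-page write between some readings."""
    events = []
    for k in range(seconds):
        events.append(Event(GET_TIME, k * period))
        if k % 3 == 0:
            events.append(Event(COW_FAULT, k * period + 0.2))
    return events

if __name__ == "__main__":
    lo, hi = first_threshold_bounds([9e-6, 1.0e-5, 1.1e-5])  # constructed measurements
    n = 4  # bits per check; T(1) taken at the low end of its admissible range
    hit, window = detect_covert_channel(receiver_like_trace([1, 0, 1, 1, 1, 0, 1, 1]),
                                        n, lo, second_threshold(n))
    print("decoder-like trace:", hit, [round(s.first_diff, 9) for s in window or []])
    print("benign trace:", detect_covert_channel(benign_trace(), 2, lo, second_threshold(2))[0])
```

On a real deployment the constructed cow_write_times are replaced by write times measured on the host, as the text requires; T(1) must stay inside the returned bounds, and T(n) is kept just below n seconds because a channel under 1 bps carries no practical value. The benign trace is rejected purely by the first threshold: its target subsequences exist, but each spans a full clock period.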
In the embodiment of the present invention, when at least two virtual machines perform memory deduplication merging on the same physical host, the sequence of events executed by the operating system is intercepted in the operating system instruction stream, the event sequence including get-time events; a target subsequence is searched for in the event sequence and its time attribute is obtained; it is determined whether the time attribute of the target subsequence satisfies a preset condition; and if it does, it is determined that a covert channel exists in the system. This approach accurately detects whether a covert channel exists in the system and improves system security, and it does not interfere with the normal operation of the system's memory deduplication mechanism.
A person of ordinary skill in the art will understand that all or part of the procedures of the method embodiments above can be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may carry out the procedures of the method embodiments described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The steps of the methods in the embodiments of the present invention may be reordered, combined, or omitted according to actual needs.
The modules or units of the terminal in the embodiments of the present invention may be combined, divided, or omitted according to actual needs.
Components such as the microcontroller in the embodiments of the present invention may be implemented as a general-purpose integrated circuit, such as a central processing unit (CPU), or as an application-specific integrated circuit (ASIC).
The foregoing discloses only preferred embodiments of the present invention and is of course not intended to limit the scope of its claims; equivalent changes made in accordance with the claims of the present invention therefore remain within the scope of the present invention.

Claims (10)

  1. A channel detection method, comprising:
    when at least two virtual machines perform memory deduplication merging on the same physical host, intercepting, in an operating system instruction stream, a sequence of events executed by the operating system, the event sequence including get-time events;
    searching the event sequence for a target subsequence and obtaining a time attribute of the target subsequence;
    determining whether the time attribute of the target subsequence satisfies a preset condition;
    when the time attribute of the target subsequence satisfies the preset condition, determining that a covert channel exists in the system.
  2. The method according to claim 1, wherein the time attribute of the target subsequence comprises a first time difference between a start time and an end time of the target subsequence;
    the determining whether the time attribute of the target subsequence satisfies a preset condition comprises:
    determining whether the first time difference of the target subsequence is less than a first preset threshold;
    and the determining that a covert channel exists in the system when the time attribute of the target subsequence satisfies the preset condition comprises:
    when the first time difference of the target subsequence is less than the first preset threshold, determining that a covert channel exists in the system.
  3. The method according to claim 2, wherein, if the event sequence includes a plurality of target subsequences,
    the searching the event sequence for a target subsequence and obtaining a time attribute of the target subsequence comprises:
    searching the event sequence in turn for a preset number of target subsequences;
    calculating, for each of the preset number of target subsequences, a first time difference between its start time and its end time.
  4. The method according to claim 3, wherein the determining whether the first time difference of the target subsequence is less than a first preset threshold comprises:
    determining whether the first time difference of every one of the preset number of target subsequences is less than the first preset threshold;
    and the determining that a covert channel exists in the system when the first time difference of the target subsequence is less than the first preset threshold comprises:
    when the first time difference of every one of the preset number of target subsequences is less than the first preset threshold, determining that a covert channel exists in the system.
  5. The method according to claim 4, further comprising, after the first time difference of every one of the preset number of target subsequences is found to be less than the first preset threshold:
    determining whether a second time difference, between the start time of the first target subsequence and the end time of the last target subsequence among the preset number of target subsequences, is less than a second preset threshold, the second preset threshold being less than the preset number;
    when the second time difference is less than the second preset threshold, determining that a covert channel exists in the system.
  6. A channel detection apparatus, comprising:
    an interception module, configured to, when at least two virtual machines perform memory deduplication merging on the same physical host, intercept, in an operating system instruction stream, a sequence of events executed by the operating system, the event sequence including get-time events;
    an acquisition module, configured to search the event sequence for a target subsequence and obtain a time attribute of the target subsequence;
    a judgment module, configured to determine whether the time attribute of the target subsequence satisfies a preset condition;
    a determination module, configured to determine that a covert channel exists in the system when the time attribute of the target subsequence satisfies the preset condition.
  7. The apparatus according to claim 6, wherein the time attribute of the target subsequence comprises a first time difference between a start time and an end time of the target subsequence;
    the judgment module is specifically configured to determine whether the first time difference of the target subsequence is less than a first preset threshold;
    and the determination module is specifically configured to determine that a covert channel exists in the system when the first time difference of the target subsequence is less than the first preset threshold.
  8. The apparatus according to claim 7, wherein, if the event sequence includes a plurality of target subsequences, the acquisition module comprises:
    a search unit, configured to search the event sequence in turn for a preset number of target subsequences;
    a calculation unit, configured to calculate, for each of the preset number of target subsequences, a first time difference between its start time and its end time.
  9. The apparatus according to claim 8, wherein the judgment module is specifically configured to determine whether the first time difference of every one of the preset number of target subsequences is less than the first preset threshold.
  10. The apparatus according to claim 9, wherein the determination module comprises a judgment unit and a determination unit;
    the judgment unit is configured to, when the first time difference of every one of the preset number of target subsequences is less than the first preset threshold, determine whether a second time difference, between the start time of the first target subsequence and the end time of the last target subsequence among the preset number of target subsequences, is less than a second preset threshold, the second preset threshold being less than the preset number;
    the determination unit is configured to determine that a covert channel exists in the system when the second time difference is less than the second preset threshold.
PCT/CN2015/092975 2015-03-11 2015-10-27 Channel detection method and apparatus WO2016141719A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510105652.6 2015-03-11
CN201510105652.6A CN106034108B (en) 2015-03-11 2015-03-11 A kind of channel detection method and device

Publications (1)

Publication Number Publication Date
WO2016141719A1 true WO2016141719A1 (en) 2016-09-15

Family

ID=56879993

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/092975 WO2016141719A1 (en) 2015-03-11 2015-10-27 Channel detection method and apparatus

Country Status (2)

Country Link
CN (1) CN106034108B (en)
WO (1) WO2016141719A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110838913A (en) * 2019-11-26 2020-02-25 华侨大学 Time type network covert channel detection method based on secret sharing
CN113128274A (en) * 2019-12-31 2021-07-16 深圳云天励飞技术有限公司 Data analysis method and device, electronic equipment and storage medium
CN113347119A (en) * 2021-04-30 2021-09-03 北京华为数字技术有限公司 Method, device, equipment and storage medium for sending data packet

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102254260A (en) * 2010-05-21 2011-11-23 微软公司 Scalable billing with de-duplication and sequencing
US20120167087A1 (en) * 2010-12-23 2012-06-28 Electronics And Telecommunications Research Institute Apparatus and method for driving virtual machine, and method for deduplication of virtual machine image
CN103019884A (en) * 2012-11-21 2013-04-03 北京航空航天大学 Memory page de-weight method and memory page de-weight device based on virtual machine snapshot
CN103377285A (en) * 2012-04-25 2013-10-30 国际商业机器公司 Enhanced reliability in deduplication technology over storage clouds

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7665136B1 (en) * 2005-11-09 2010-02-16 Symantec Corporation Method and apparatus for detecting hidden network communication channels of rootkit tools
CN102594619A (en) * 2012-02-15 2012-07-18 南京理工大学常熟研究院有限公司 Network covert channel detecting method


Also Published As

Publication number Publication date
CN106034108B (en) 2019-07-19
CN106034108A (en) 2016-10-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15884397

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15884397

Country of ref document: EP

Kind code of ref document: A1