CN101599115A - A kind of light weight method of responding to TOCTOU attack - Google Patents

A kind of light weight method of responding to TOCTOU attack Download PDF

Info

Publication number
CN101599115A
CN101599115A CNA2009100881338A CN200910088133A CN101599115A CN 101599115 A CN101599115 A CN 101599115A CN A2009100881338 A CNA2009100881338 A CN A2009100881338A CN 200910088133 A CN200910088133 A CN 200910088133A CN 101599115 A CN101599115 A CN 101599115A
Authority
CN
China
Prior art keywords
attack
vtpm
vid
virtual
formation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CNA2009100881338A
Other languages
Chinese (zh)
Other versions
CN101599115B (en
Inventor
常晓林
韩臻
刘吉强
邢彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jiaotong University
Original Assignee
Beijing Jiaotong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jiaotong University filed Critical Beijing Jiaotong University
Priority to CN2009100881338A priority Critical patent/CN101599115B/en
Publication of CN101599115A publication Critical patent/CN101599115A/en
Application granted granted Critical
Publication of CN101599115B publication Critical patent/CN101599115B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The present invention relates to a kind of light weight method of responding to TOCTOU attack, this method is guaranteeing to take into full account system performance under the safe prerequisite.In the method, additionally define 1 hypercall and several virtual interruptions (vIRQ) between privileged domain and the monitor of virtual machine, be used for transmitting between monitor of virtual machine and the privileged domain information related to the present invention.The assembly of response method is included in the attack administration module that four moulds realizing in virtual credible equipment (vTPM) the rear end driving of privileged domain are fast and realize in monitor of virtual machine.The system that has implemented response method provided by the invention can resist TOCTOU attack under the more susceptible shape than implementing other response methods; And this response method is practical, and under the situation of not receiving signal to attack, system because having implemented the response method that this invention provides performance does not take place and reduces; This method is revised original system and is lacked in addition, and extensibility is strong; Be applicable to the environment that a plurality of credible client virtual domains are parallel.

Description

A kind of light weight method of responding to TOCTOU attack
Technical field
The present invention relates to computer information safe Trusted Computing field, particularly relate to the light weight method of the TOCTOU attack of response TCG architecture under a kind of Xen virtual environment.
Background technology
The content that the utilization of TCG architecture is solidificated in the PCR register of the TPM hardware chip on the computer motherboard is judged the security of actual platform.Yet making, the Design Mode of most of commercial operation systems only provide the TCG architecture of software loading checking to suffer the attack of TOCTOU (time of check vs timeof use) easily.Utilize the Xen virtual machine can realize a pure software scheme, monitor TOCTOU attack and attack response that client virtual domain takes place.
Fig. 1 has provided virtual credible equipment (vTPM) frame system under a kind of Xen virtual environment.In this vTPM frame system, each virtual Domain is come only sign with DomID; Privileged domain provides an independent vTPM equipment (a vTPM equipment is exactly a process of privileged domain user's space) for each credible client virtual domain, comes only sign with vID; Any TPM instruction from credible virtual field will drive through vTPM front-end driven, vTPM rear end, the vTPM equipment management tool, pass to corresponding vTPM equipment then; The result of TPM instruction transfers back to credible client virtual domain through vTPM equipment management tool, the driving of vTPM rear end, vTPM front-end driven.Fig. 2 is that privileged domain is handled an information flow chart from the TPM instruction of credible virtual field in Fig. 1 system, all TPM instructions from credible virtual field all are placed on the pending_pak formation that the vtpm rear end drives earlier, wait for the processing of " vtpm_op_read processing procedure ".Fig. 3 is that privileged domain is handled a processing sequence from the TPM instruction of credible virtual field in Fig. 1 system; For a TPM instruction, vTPM equipment management tool (process of privileged domain user's space) need call the read function for twice and just obtain a complete TPM instruction (Dhead+Dbody) and corresponding vID (the vTPM equipment management tool judges according to this vID value which vTPM equipment the TPM instruction that is received should send to); And for the result (Dresult) of TPM instruction, the vTPM equipment management tool only need call the memory headroom that the write function once just is delivered to the result credible client virtual domain.Fig. 4 provides the process flow diagram of " vtpm_op_read processing procedure " among Fig. 2, and wherein dash box is the abnormality processing part; The vTPM equipment management tool all triggers this flow process to calling each time of read function, and whether this flow process at first responds according to state (value of the aborted) decision of oneself.Fig. 5 provides the process flow diagram of " vtpm_op_write processing procedure " among Fig. 2, and wherein dash box is the abnormality processing part; The vTPM equipment management tool triggers the flow process of " vtpm_op_write processing procedure " to calling all each time of write function; In this flow process, the vTPM rear end drives at first judges according to the vID that sends over from the vTPM equipment management tool whether the current_pak formation has the information of corresponding vTPM front-end driven (FEpak), if have, judge whether that according to FEpak.flags needs pass to the vTPM front-end driven with TPM instruction process result again.
Based on above-mentioned vTPM frame system, author (Sergey Bratus, Nihal D ' Cunha, EvanSparks, Sean Smith, TOCTOU, Traps, and Trusted Computing, TRUST2008) designed the scheme of monitoring and responding to TOCTOU attack, but this response scheme can not be handled the TOCTOU of following situation and attack (this patent is referred to as JustAttack and attacks), and the result of the TPM instruction under the promptly following situation can not correctly reflect the state of actual platform: receive in privileged domain and forge the TPM instruction that has received when wrapping, but vTPM equipment is not also handled this TPM instruction or result does not also notify the vTPM rear end to drive.At the safety defect of above-mentioned responding system, teacher Han Zhen of Beijing Jiaotong University has applied for a patent (application number 200910078201.2, under the environment of multiple virtual domains at the TOCTOU attack-response method of TPM Trusted Computing), is used to overcome above defective; But this response method has just partly solved the JustAttack problem on safety, this response method brings negative interaction to original system in addition, has reduced original system in the system performance that does not have under the situation of attacking.
Summary of the invention
The light weight method that the objective of the invention is to overcome above-mentioned weak point of the prior art and a kind of responding to TOCTOU attack is provided is guaranteeing to take into full account system performance under the safe prerequisite.This method comprises: when monitor of virtual machine detects attack, notify privileged domain immediately; After privileged domain has notice, forge on the one hand the TPM instruction PCR register of the employed vTPM equipment of credible client virtual domain attacked is carried out content update, on the other hand to vTPM equipment treated but result is not also left the TPM instruction of privileged domain, supervise and and do corresponding processing, guarantee that the result of these TPM instruction can correctly reflect corresponding credible client virtual domain platform status; Partly realize the forgery of TPM instruction and transmission, realization above-mentioned monitoring and processing in the abnormality processing of original system to TPM instruction process result.
Purpose of the present invention can reach by following measure:
The method assembly is included in privileged domain vTPM rear end and drives the attack administration module that four moulds realizing are fast and realize in monitor of virtual machine.The concrete steps of response method are as follows:
Step 1 increases by 1 hypercall and several virtual interruptions (representing with T_vIRQ) at monitor of virtual machine and privileged domain kernel;
Step 2, in the backend_change function that the vTPM rear end drives, realize an initialization module (InitM module), the InitM module is by resolving the only identification number (representing with DomID) of the pairing virtual Domain of the nodename acquisition only identification number of vTPM equipment (representing with vID) in the dev structure in the backend_change function, obtain one then and be not used virtual interruption, should virtual interruption, vID and DomID binding and note, simultaneously binding information is sent to VMMmon by hypercall;
Step 3, VMMmon receives the binding information that hypercall sends, and at first judges whether to have the information of this virtual interruption, if having, before then substituting with new binding relationship, preserve then; If no, then directly preserve; Attack whenever monitor of virtual machine monitors TOCTOU, notify VMMmon immediately, VMMmon at first obtains the DomID of the virtual Domain of being attacked, and obtains corresponding T_vIRQ according to DomID then, at last signal to attack is sent to privileged domain by this virtual interrupt number;
Step 4 realizes that in the vTPM rear end drives a signal to attack that VMMmon is sent carries out pretreated module (AgentM module); Each T_vIRQ has a respective function at the privileged domain kernel, after the privileged domain kernel is received signal to attack, calls the T_vIRQ corresponding processing function, handle then function with the vID of T_vIRQ correspondence as parameter, call AgentM;
Step 5, the abnormality processing in " vtpm_op_read processing procedure " that the vTPM rear end drives partly realizes a module (FpakM), this module is forged the TPM instruction and is sent to the vTPM equipment management tool according to the recorded information of AgentM;
Step 6, the abnormality processing in " vtpm_op_write processing procedure " that the vTPM rear end drives partly realizes a module (MpakM), MpakM cooperates the attack under AgentM and the more susceptible condition of FpakM processing.
Wherein the detailed process of AgentM is as follows:
Step 1 is put into the attack_vID_list formation with vID;
Step 2 if aborted equals 0, then is provided with aborted=2;
Step 3 if the current_pak formation is not empty, is then done following work to all FEpak in the current_pak formation, if FEpak.vID is present in the attack_vID_list formation, then this FEpak is put into the tmp_pak formation; Otherwise put into the attack_pak formation.
Wherein the workflow of FpakM is described further:
Step 1, if aborted is non-vanishing, execution in step 2, otherwise execution in step 9;
Step 2, if aborted is 2, execution in step 3, otherwise execution in step 6;
Step 3, if copied_so_far is non-vanishing, execution in step 4, otherwise step 5;
Step 4, at first take out a bag from pending_pak, send the data to the vTPM equipment management tool, if judging the corresponding vID of this bag then is present in the attack_vID_list formation, then this FEpak is put into the attack_pak formation, otherwise this FEpak is put into the tmp_pak formation, finish;
Step 5 is taken out a vID and delete this vID from this formation from the attack_vID_list formation, forge the TPM_Extend instruction then, preserve and will be preceding 14 from saving and vID sends to the vTPM equipment management tool, put aborted=3 then, copied_so_far=0 will finish;
Step 6, if aborted is 3, execution in step 7, otherwise execution in step 8;
Step 7, the forgery TPM that step 5 is preserved instructs back 24 byte content of bag to pass to the vTPM equipment management tool, if attack_vID_list is empty, then the value of aborted is arranged to 0, otherwise the value of aborted is arranged to 2, finishes;
Step 8, executive system inherited error is handled code;
Step 9, original system send the flow process of packet to the vTPM equipment management tool.
Wherein the workflow of MpakM is described further:
Step 1, with vID search tpm_pak formation, if search, then execution in step 3, otherwise execution in step 2;
Step 2, with vID search attack_pak formation, if search, then execution in step 4, otherwise finish;
Step 3 is carried out the flow process that original system receives packet and issues the vTPM front-end driven;
Step 4 receives the packet of vTPM equipment management tool earlier, if length greater than 14 bytes, then is XOR with the data after 14 bytes with random number and is calculated, is issuing the vTPM front-end driven then.
The present invention has following advantage compared to existing technology:
(1) safe, compare with existing method, can respond the attack of the TOCTOU under the more susceptible condition in the TCG architecture.Privileged domain receives that the result of the TPM instruction that is received after the TOCTOU signal to attack can both correctly reflect the virtual Domain platform status; Receive the TPM instruction that the TOCTOU signal to attack is before received for privileged domain, as long as its result is not also submitted to the vTPM rear end and driven when privileged domain is received the TOCTOU signal to attack, the result of these TPM instructions also can correctly reflect the virtual Domain platform status so.
(2) practical.Under the situation of not receiving signal to attack, performance does not take place because having implemented the response method that this invention provides and reduces in system; This method is revised original system and is lacked in addition, and extensibility is strong; Be applicable to the environment that a plurality of credible client virtual domains are parallel.
Description of drawings
Fig. 1. be the synoptic diagram of virtual credible equipment (vTPM) frame system under a kind of Xen virtual environment;
Fig. 2. for privileged domain in Fig. 1 system is handled an information flow chart from the TPM instruction of credible virtual field;
Fig. 3. for privileged domain in Fig. 1 system is handled a processing sequence from the TPM instruction of credible virtual field;
Fig. 4. be the process flow diagram of " vtpm_op_read processing procedure " among Fig. 2;
Fig. 5. be the process flow diagram of " vtpm_op_write processing procedure " among Fig. 2;
Fig. 6. be the process flow diagram of the light weight method of a kind of responding to TOCTOU attack of the present invention, promptly implemented the Fig. 2 behind the included assembly of the present invention.
Embodiment
In method provided by the invention, additionally defined 1 hypercall (T_hypercall) between privileged domain and the monitor of virtual machine, be used for privileged domain and transmit information to monitor of virtual machine, define several virtual interruptions (T_vIRQ), be used for monitor of virtual machine to the information of privileged domain transmission, each virtual credible client virtual domain that interrupts a corresponding operation about certain credible virtual field.The assembly of response method is included in privileged domain vTPM rear end and drives four moulds fast (InitM, AgentM, FpakM, and MpakM) of realizing and realize attacking administration module (VMMmon) in monitor of virtual machine; Wherein InitM realizes the binding between DomID, vID, the T_vIRQ and binding information is passed to VMMmon; AgentM is responsible for the pairing vID of the virtual Domain of being attacked is put into formation, waits for the FpakM resume module; FpakM forges the TPM instruction and sends to the vTPM equipment management tool according to the recorded information of AgentM; MpakM cooperates the attack under AgentM and the FpakM processing JustAttack situation.
The present invention supposes that Fig. 1 system disposes, and shows as Fig. 6, is the step of response method of the present invention below:
Step 1 increases by 1 hypercall and several virtual interruptions (representing with T_vIRQ) at monitor of virtual machine and privileged domain kernel;
Step 2, in the backend_change function that the vTPM rear end drives, realize an initialization module (InitM module), the InitM module is by resolving the only sign (representing with DomID) of the pairing virtual Domain of the nodename acquisition only sign of vTPM equipment (representing with vID) in the dev structure in the backend_change function, obtain one then and be not used virtual interruption, should virtual interruption, vID and DomID binding and note, simultaneously binding information is sent to VMMmon by hypercall;
Step 3, VMMmon receives the binding information that hypercall sends, and at first judges whether to have the information of this virtual interruption, if having, before then substituting with new binding relationship, preserve then; If no, then directly preserve; Find TOCTOU and attack whenever monitor of virtual machine, notify VMMmon immediately, VMMmon at first obtains the DomID of the virtual Domain of being attacked, and obtains corresponding T_vIRQ according to DomID then, at last signal to attack is sent to privileged domain by this virtual interrupt number;
Step 4 realizes that in the vTPM rear end drives a signal to attack that VMMmon is sent carries out pretreated module (AgentM module); Each T_vIRQ has a respective function at the privileged domain kernel, after the privileged domain kernel is received signal to attack, calls the T_vIRQ corresponding processing function, handle then function with the vID of T_vIRQ correspondence as parameter, call AgentM;
Step 5, the abnormality processing in " vtpm_op_read processing procedure " that the vTPM rear end drives partly realizes a module (FpakM), this module is forged the TPM instruction and is sent to the vTPM equipment management tool according to the recorded information of AgentM;
Step 6, the abnormality processing in " vtpm_op_write processing procedure " that the vTPM rear end drives partly realizes a module (MpakM), MpakM cooperates the attack under AgentM and the FpakM processing JustAttack situation.
Workflow to AgentM is described further below:
Step 1 is put into the attack_vID_list formation with vID.
Step 2 if aborted equals 0, then is provided with aborted=2.
Step 3 if the current_pak formation is not empty, is then done following work to all FEpak in the current_pak formation, if FEpak.vID is present in the attack_vID_list formation, then this FEpak is put into the tmp_pak formation; Otherwise put into the attack_pak formation.
Workflow to FpakM is described further below:
Step 1, if aborted is non-vanishing, execution in step 2, otherwise execution in step 9.
Step 2, if aborted is 2, execution in step 3, otherwise execution in step 6.
Step 3, if copied_so_far little be zero, execution in step 4, otherwise step 5.
Step 4, at first take out a bag from pending_pak, send the data to the vTPM equipment management tool, if judging the corresponding vID of this bag then is present in the attack_vID_list formation, then this FEpak is put into the attack_pak formation, otherwise this FEpak is put into the tmp_pak formation, finish.
Step 5 is taken out a vID and delete this vID from this formation from the attack_vID_list formation, forge the TPM_Extend instruction then, preserve and will be preceding 14 from saving and vID sends to the vTPM equipment management tool, put aborted=3 then, copied_so_far=0 will finish.
Step 6, if aborted is 3, execution in step 7, otherwise execution in step 8.
Step 7, the forgery TPM that step 5 is preserved instructs back 24 byte content of bag to pass to the vTPM equipment management tool, if attack_vID_list is empty, then the value of aborted is arranged to 0, otherwise the value of aborted is arranged to 2, finishes.
Step 8, executive system inherited error is handled code.
Step 9, original system send the flow process of packet to the vTPM equipment management tool.
Workflow to MpakM is described further below:
Step 1, with vID search tpm_pak formation, if search, then execution in step 3, otherwise execution in step 2.
Step 2, with vID search attack_pak formation, if search, then execution in step 4, otherwise finish.
Step 3 is carried out the flow process that original system receives packet and issues the vTPM front-end driven.
Step 4 receives the packet of vTPM equipment management tool earlier, if length greater than 14 bytes, then is XOR with the data after 14 bytes with random number and is calculated, is issuing the vTPM front-end driven then.
Pass through said method, under the parallel environment of many credible virtual fields, the TPM of situation instruction all can correctly reflect client virtual domain platform current state below secure context belongs to: (1) privileged domain receives that the result of the TPM instruction that is received after the TOCTOU signal to attack can both correctly reflect the virtual Domain platform status; (2) receive the TPM instruction that the TOCTOU signal to attack is before received for privileged domain, as long as its result is not also submitted to the vTPM rear end and driven when privileged domain is received the TOCTOU signal to attack, the result of these TPM instructions also can correctly reflect the virtual Domain platform status so.Aspect practicality, under the situation of not receiving signal to attack, performance does not take place because having implemented the response method that this invention provides and reduces in system; This method is revised original system and is lacked in addition, and extensibility is strong.

Claims (4)

1. the light weight method of a responding to TOCTOU attack is characterized in that: the method assembly is included in privileged domain vTPM rear end and drives the attack administration module that four moulds realizing are fast and realize in monitor of virtual machine, and the concrete steps of response method are as follows:
Step 1 increases by 1 hypercall and several virtual interruptions at monitor of virtual machine and privileged domain kernel;
Step 2, in the backend_change function that the vTPM rear end drives, realize an initialization module, the InitM module obtains the only identification number of vTPM equipment by the nodename that resolves in the dev structure in the backend_change function, the only identification number of pairing virtual Domain, obtain one then and be not used virtual interruption, should virtual interruption, vID and DomID binding and note, simultaneously binding information is sent to VMMmon by hypercall;
Step 3, VMMmon receives the binding information that hypercall sends, and at first judges whether to have the information of this virtual interruption, if having, before then substituting with new binding relationship, preserve then; If no, then directly preserve; Attack whenever monitor of virtual machine monitors TOCTOU, notify VMMmon immediately, VMMmon at first obtains the DomID of the virtual Domain of being attacked, and obtains corresponding T_vIRQ according to DomID then, at last signal to attack is sent to privileged domain by this virtual interrupt number;
Step 4 realizes that in the vTPM rear end drives a signal to attack that VMMmon is sent carries out pretreated module; Each T_vIRQ has a respective function at the privileged domain kernel, after the privileged domain kernel is received signal to attack, calls the T_vIRQ corresponding processing function, handle then function with the vID of T_vIRQ correspondence as parameter, call AgentM;
Step 5, the abnormality processing in " vtpm_op_read processing procedure " that the vTPM rear end drives partly realizes a module, this module is forged the TPM instruction and is sent to the vTPM equipment management tool according to the recorded information of AgentM;
Step 6, the abnormality processing in " vtpm_op_write processing procedure " that the vTPM rear end drives partly realizes a module, MpakM cooperates the attack under AgentM and the more susceptible condition of FpakM processing.
2. the light weight method of a kind of responding to TOCTOU attack as claimed in claim 1 is characterized in that:
The detailed process of its AgentM is as follows:
Step 1 is put into an attack_vID_list formation by name with vID;
Step 2 if aborted equals 0, then is provided with aborted=2;
Step 3 if the current_pak formation is not empty, then to the information of all vTPM front-end driven in the current_pak formation, is represented the information of a vTPM front-end driven with FEpak; FEpak does following work, if FEpak.vID is present in the attack_vID_list formation, then this FEpak is put into name tmp_pak formation; Otherwise put into an attack_pak formation by name.
3. the light weight method of a kind of responding to TOCTOU attack as claimed in claim 1 or 2 is characterized in that:
The workflow of its FpakM is described further:
Step 1, if aborted is non-vanishing, execution in step 2, otherwise execution in step 9;
Step 2, if aborted is 2, execution in step 3, otherwise execution in step 6;
Step 3, if copied_so_far is non-vanishing, execution in step 4, otherwise step 5;
Step 4, at first take out a bag from pending_pak, send the data to the vTPM equipment management tool, if judging the corresponding vID of this bag then is present in the attack_vID_list formation, then this FEpak is put into the attack_pak formation, otherwise this FEpak is put into the tmp_pak formation, finish;
Step 5, from the attack_vID_list formation, take out a vID and from this formation this vID of deletion, forge the TPM_Extend instruction then, preserve and will be preceding 14 from saving and vID sends to the vTPM equipment management tool, put aborted=3 and copied_so_far=0 then, will finish;
Step 6, if aborted is 3, execution in step 7, otherwise execution in step 8;
Step 7, the forgery TPM that step 5 is preserved instructs back 24 byte content of bag to pass to the vTPM equipment management tool, if attack_vID_list is empty, then the value of aborted is arranged to 0, otherwise the value of aborted is arranged to 2, finishes;
Step 8, executive system inherited error is handled code, finishes;
Step 9 is carried out original system and is sent the flow process of packet to the vTPM equipment management tool.
4. as the light weight method of claim 1 or 2 or 3 described a kind of responding to TOCTOU attack, be characterised in that:
The workflow of its MpakM is described further:
Step 1, with vID search tpm_pak formation, if search, then execution in step 3, otherwise row step 2;
Step 2, with vID search attack_pak formation, if search, then execution in step 4, do not finish;
Step 3 is carried out the flow process that original system receives packet and issues the vTPM front-end driven;
Step 4 earlier receives the packet of vTPM equipment management tool, if length greater than 14 words, is then done XOR calculating with the data after 14 bytes with random number, drives issuing the vTPM front end then.
CN2009100881338A 2009-07-03 2009-07-03 Light weight method responding to TOCTOU attack Expired - Fee Related CN101599115B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100881338A CN101599115B (en) 2009-07-03 2009-07-03 Light weight method responding to TOCTOU attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009100881338A CN101599115B (en) 2009-07-03 2009-07-03 Light weight method responding to TOCTOU attack

Publications (2)

Publication Number Publication Date
CN101599115A true CN101599115A (en) 2009-12-09
CN101599115B CN101599115B (en) 2011-02-16

Family

ID=41420558

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009100881338A Expired - Fee Related CN101599115B (en) 2009-07-03 2009-07-03 Light weight method responding to TOCTOU attack

Country Status (1)

Country Link
CN (1) CN101599115B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101771702A (en) * 2010-01-05 2010-07-07 中兴通讯股份有限公司 Method and system for defending distributed denial of service attack in point-to-point network
CN101950333A (en) * 2010-08-05 2011-01-19 北京交通大学 Method for responding to trusted computing TOCTOU attacks on hardware virtual domain of Xen client
CN102750470A (en) * 2012-05-22 2012-10-24 中国科学院计算技术研究所 Trusted verification method and system for starting loader under full virtualization environment

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101771702A (en) * 2010-01-05 2010-07-07 中兴通讯股份有限公司 Method and system for defending distributed denial of service attack in point-to-point network
CN101771702B (en) * 2010-01-05 2015-06-10 中兴通讯股份有限公司 Method and system for defending distributed denial of service attack in point-to-point network
CN101950333A (en) * 2010-08-05 2011-01-19 北京交通大学 Method for responding to trusted computing TOCTOU attacks on hardware virtual domain of Xen client
CN101950333B (en) * 2010-08-05 2013-04-10 北京交通大学 Method for dependably computing TOCTOU attack responding to Xen client hardware virtual domain
CN102750470A (en) * 2012-05-22 2012-10-24 中国科学院计算技术研究所 Trusted verification method and system for starting loader under full virtualization environment
CN102750470B (en) * 2012-05-22 2014-10-08 中国科学院计算技术研究所 Trusted verification method and system for starting loader under full virtualization environment

Also Published As

Publication number Publication date
CN101599115B (en) 2011-02-16

Similar Documents

Publication Publication Date Title
KR102297133B1 (en) Computer security systems and methods using asynchronous introspection exceptions
EP2803007B1 (en) Identifying software execution behavior
US9542559B2 (en) Detecting exploitable bugs in binary code
US9858411B2 (en) Execution profiling mechanism
US20040117532A1 (en) Mechanism for controlling external interrupts in a virtual machine system
KR101835250B1 (en) Detection of unauthorized memory modification and access using transactional memory
US20200358812A1 (en) Method for determining main chain of blockchain, device, and storage medium
US8683589B2 (en) Providing protection against unauthorized network access
CN102609298B (en) Based on network interface card virtualization system and the method thereof of hardware queue expansion
TW201419156A (en) Methods, systems and apparatus to capture error conditions in lightweight virtual machine managers
EP3123339A1 (en) Low-overhead detection of unauthorized memory modification using transactional memory
US10007785B2 (en) Method and apparatus for implementing virtual machine introspection
US20160232354A1 (en) System memory integrity monitoring
US20230177162A1 (en) Firmware retrieval and analysis
US8429322B2 (en) Hotplug removal of a device in a virtual machine system
CN101599115B (en) Light weight method responding to TOCTOU attack
CN101599113A (en) Driven malware defence method and device
WO2019062066A1 (en) On-line task execution method for terminal device, server, and readable storage medium
CN103019865B (en) Virtual machine monitoring method and system
US10423789B2 (en) Identification of suspicious system processes
US9128730B2 (en) Method for executing bios tool program in non-SMI mechanism
US8856788B2 (en) Activity based device removal management
CN101488176B (en) TOCTOU attack response method aiming at TPM trusted computation
CN101551839B (en) A method to respond to TOCTOU attacks against TPM trusted computing in the environment of multiple virtual domains
CN202003361U (en) Credible computer system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110216

Termination date: 20120703