CN101630269B - Block-based method for scanning object code and replacing sensitive instruction - Google Patents

Block-based method for scanning object code and replacing sensitive instruction Download PDF

Info

Publication number
CN101630269B
CN101630269B CN200910043831A CN200910043831A CN101630269B CN 101630269 B CN101630269 B CN 101630269B CN 200910043831 A CN200910043831 A CN 200910043831A CN 200910043831 A CN200910043831 A CN 200910043831A CN 101630269 B CN101630269 B CN 101630269B
Authority
CN
China
Prior art keywords
address
instruction
page
bit
scanning
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN200910043831A
Other languages
Chinese (zh)
Other versions
CN101630269A (en
Inventor
张卫华
刘晓建
易晓东
谭郁松
吴庆波
戴华东
孔金珠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National University of Defense Technology
Original Assignee
National University of Defense Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National University of Defense Technology filed Critical National University of Defense Technology
Priority to CN200910043831A priority Critical patent/CN101630269B/en
Publication of CN101630269A publication Critical patent/CN101630269A/en
Application granted granted Critical
Publication of CN101630269B publication Critical patent/CN101630269B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Memory System Of A Hierarchy Structure (AREA)

Abstract

The invention discloses a block-based method for scanning object code and replacing sensitive instruction, aiming to provide a method of searching a minimum object code block which contains an sensitive instruction and is longer than JMP and using JMP to replace the minimum object code block when the sensitive instruction is shorter than JMP. The invention has the technical scheme that the method carries out dynamic scanning to a first scanning entry, wherein, the dynamic scanning mainly comprises basic block scanning for the initial boundary of a basic block and local sensitive instruction replacement for the sensitive instruction in a sensitive instruction queue to be transformed; the method executes GOS kernel code from the first scanning entry address until hardware interrupt or abnormal phenomena happens, or transforming code of an indirect control and transform instruction is executed; the entry address for GOS interrupt and abnormal exception handler or the destination address for indirectly controlling and transmitting instructions can be set as the first scanning entry address to circularly carry out the dynamic scanning. By adopting the block-based method, using INT0/INT3 instruction for replacement can be avoided to the maximum extent, and the BT virtualization performance can be effectively improved.

Description

Based on the method for piece to scanning object code and the responsive instruction of replacement
Technical field
The present invention relates to binary translation (Binary Translation, BT) method, the method that especially object code is scanned and the sensitivity instruction of finding in the scanning is replaced towards X86 architecture operation system virtualizationization.
Background technology
In recent years, along with the appearance of fast development of hardware technology especially multinuclear and even many-core processor, the utilization rate that improves computer system rapid growth computing power becomes the urgent market demand day by day.The operating system Intel Virtualization Technology is through move a plurality of operating systems and service externally is provided simultaneously on same physical machine; Can effectively improve the utilization factor of server; Thereby receive the great attention of each research institution and commercial undertaking, and be used widely in fields such as Server Consolidation, computer security, virtual data centers.
Operating system is virtual depend on a kind of be called the virtual monitor device (Virtual Machine Monitor, system software VMM), by virtualized operating system then be called client operating system (Guest OS, GOS).At present, VMM software mainly realizes that based on three kinds of methods operating systems are virtual, and promptly hardware is auxiliary virtual, half virtual and BT is virtual.The ultimate principle and the characteristics of three kinds of methods are summarized as follows:
1) the auxiliary virtual processor that requires of hardware provides hardware supports, like the VT technology of Intel and the SVM technology of AMD.The hardware anomalies that VMM triggers when carrying out responsive instruction through the client operating system that is captured under the special processor state operation realizes that operating system is virtual, like the virtual machine monitor product Xen of XenSource company and open source software KVM etc.The advantage of this method is simple for realizing, shortcoming is between processor normal state and virtual state, frequently to switch, and System overhead of handover is called much larger than conventional system.
2) level of privilege (like Ring1) operation falls in the half virtual client operating system that requires, and it is virtual to cooperate VMM to realize that its source code appropriate section is made amendment.The limitation of this method is to obtain the GOS source code, and need hope that virtualized operating system makes amendment to any, transplant and maintenance workload huge.Xen is the representative (same VMM can adopt different virtual methods to different GOS) of adopting half Intel Virtualization Technology.
3) BT is virtual then through GOS kernel binary code is scanned, and finds sensitivity instruction wherein, and is converted into corresponding virtual code and realizes that GOS is virtual.Adopt the VMM of BT virtual method that the VMWare Workstation of VMWare company and the VirtualBox of Sun Microsystems are arranged.
Compare with preceding two kinds of methods; The virtual dependence to external conditions such as software and hardwares of BT is minimum---neither need hardware supports; Need not obtain the client operating system source code yet; Its key just is through the sensitivity in scanning discovery kernel binary code instruction, and is converted into and comprises the respective virtual function code and keep that GOS is original to carry out semantic one section constant instruction sequence.So-called " responsive instruction " made a general reference all in case on real processor, carry out and promptly possibly change the virtual condition of processor, thereby causes instruction that VMM or other client operating system can't normally move or isolate the instruction that purpose needs VMM to get involved based on safety.
Responsive instruction transformation method has Instructions Cache and two kinds of local replacements: the Instructions Cache method is not revised the GOS code in the internal memory; But in the instruction buffer, duplicate, change the target code block that is about to execution; And in this buffer zone, carry out the target code block after the conversion, like VMWare and open source software Qemu.Local replacement method then directly replaces with a control transfer instruction in core position, sensitivity instruction place with it; Be generally the JMP instruction; Make object code change flow process and remove to carry out one section virtualization code or safety inspection code with the original semantic equivalence of responsive instruction, to reach virtual or safety isolation purpose.The and instruction caching method is compared, and local replacement method has advantages such as simple, intuitive, EMS memory occupation amount are little, but when adopting this method, with running into the responsive instruction length of part inevitably less than the i.e. situation of short responsive instruction of replacement instruction.For example: in the X86 architecture,, use 5 bytes or longer JMP jump instruction usually as replacement instruction in order directly to jump to any virtual address space; And some responsive instruction; Like the POPF instruction, have only 1 byte length, can't directly replace to the JMP instruction.
To this situation; At present the known VMM software based on this locality replacement method all adopts the soft interrupt instruction (INT0 or INT3 instruction) that can trigger hardware anomalies to replace, and adopts INT3 instruction (0xCC) the replacement all length of 1 byte length to instruct less than the sensitivity of JMP instruction like the VirtualBox of Sun Microsystems.But adopt the major defect of INT0/INT3 instruction replacement to be: all can trigger hardware anomalies when carrying out this instruction, especially when being replaced instruction and frequently being called, the switching repeatedly of hardware state will cause a large amount of system overheads at every turn.Therefore; When responsive instruction length during less than the JMP instruction length; How to seek and comprise the minimum target code block that the instruction of this sensitivity and length are not less than the JMP instruction, and this minimum target code block is replaced with the JMP instruction, to reduce the probability that uses INT3 instruction replacement; Keeping the original execution of object code semantic constant simultaneously, is the major issue that those skilled in the art pay close attention to.
Summary of the invention
The technical matters that the present invention will solve is: provide a kind of based on the method for piece to scanning object code and the responsive instruction of replacement; When responsive instruction length during less than the JMP jump instruction; Searching comprises this sensitivity instruction and length is not less than the minimum target code block that JMP instructs; And, keep the original execution of minimum target code block semantic constant simultaneously with this minimum target code block of JMP instruction replacement.Comprise the replacement code block that the minimum target code block of specifying responsive instruction and length to be not less than the JMP instruction is called this sensitivity instruction, be called for short replace block.
For accurate description the present invention, at first provide following explanation and definition:
In the X86 architecture, all control transfer instructions comprise: JCC, JMP, CALL, RET and IRET instruction.These control transfer instructions can be divided into two types: the transfer instruction of having ready conditions and unconditional branch instruction.Except that whole JCC instructions, the JMP/CALL/RET/IRET instruction all is a unconditional branch instruction.All control transfer instructions can be divided into clear and definite control transfer instruction of destination address and the indeterminate control transfer instruction of destination address again.The clear and definite control transfer instruction of destination address comprises: all JCC instructions, directly CALL instruction and directly JMP instruction abbreviate direct control transfer instruction as; The indeterminate control transfer instruction of destination address then comprises: CALL instruction indirectly, JMP instruction indirectly, LCALL instruction, LJMP instruction, RET instruction and IRET instruction abbreviate indirect control transfer instruction as.Just because of control transfer instruction characteristic intrinsic, reprogramming execution flow process, just make object code have the notion of code block, promptly transfer to the another one code block and continue to carry out from a code block.
Definition 1: fundamental block (Basic Block; BB) be meant that with the initial executive address of GOS, GOS Interrupt Process function first address or control transfer instruction destination address be initial border, with unconditional control transfer instruction or the scan address be the successive objective instruction sequence of end boundary.
Definition 2: replace block (Replaced Block RB) is meant the shortest successive objective instruction sequence that meets the following conditions:
1) is positioned at fundamental block inside (comprising fundamental block self);
2) comprise responsive instruction of appointment and length and be not less than the JMP instruction length;
3) do not contain under the destination address (except this replace block first address) of any control transfer instruction within the fundamental block scope, outside this replace block scope.
Definition 3: conversion block (Translated Block; TB) be meant that replace block is replaced after, carry out, comprise virtual code or safety inspection code and have the one group of semantic instruction sequence of carrying out of equal value via replacement instruction (being generally JMP instruction or INT3 instruction) with former replace block.
Definition 4: responsive instruction queue to be converted is meant with the responsive instruction address realization of linear linked list form, that find when preserving fundamental block scanning and the data structure of relevant information thereof.Responsive instruction queue node to be converted is an index value with responsive instruction address, arranges according to the order of sequence by address size.
Definition 5: entry address to be scanned formation is meant with the control transfer instruction destination address realization of linear linked list form, that find when preserving dynamic scan and the data structure of call address thereof.Formation node in entry address to be scanned is an index value with the destination address, arranges according to the order of sequence by address size.
Define 6 caller address queues and be meant the data structure that realizes with the linear linked list form, preserve control transfer instruction address with same target address.Caller address queue node is an index value with the control transfer instruction address, is included among each node of entry address to be scanned formation.
Definition 6: replaced RB effective information balanced binary tree be meant realize with balanced binary tree AVL (balanced binary tree is with inventor G.M.Adelson-Velskii and E.M.Landis naming) form, preservation is replaced the data structure of RB relevant information.Node is an index value to be replaced the RB first address in the tree, out of Memory comprise the length that is replaced RB and with corresponding TB in the corresponding relation etc. of every instruction address.
Definition 7: the scanning information bitmap is meant with bitmap (one section continuously and virtually internal storage location) form data structure that realize, that be used to preserve GOS kernel virtual address scanning mode and relevant information.In the scanning information bitmap; The scanning information of every GOS virtual address by with this address one to one scanning information bit (abbreviation bit) describe, each scanning information bit is made up of two bits: the virtual address of this bit correspondence of 00 expression is not scanned or non-instruction first address; The corresponding virtual address of 01 this bit of expression is scanned; The corresponding virtual address of 10 this bits of expression is not scanned or non-instruction first address and be fundamental block border or control transfer instruction destination address; The corresponding virtual address of 11 these bits of expression has been scanned and has been fundamental block boundary address or control transfer instruction destination address.Can find out from above description: when the high position of bit was 1, the corresponding virtual address of expression was the destination address of fundamental block border or control transfer instruction; When the low level of bit was 1, the corresponding virtual address of expression was scanned.Because corresponding two bits in each virtual address, so the continuously and virtually internal memory that each 4KB GOS kernel code page or leaf needs the 1KB size is as its scanning information bitmap.Otherwise each 4KB data page can be used as the scanning information bitmap of 4 continuous GOS kernel code pages or leaves, and the data page of this purposes is called the scanning information bitmap page.
Scanning information bitmap index structure is made up of scanning information bitmap page catalogue page (hereinafter to be referred as the page directory page or leaf), scanning information bitmap page table page (hereinafter to be referred as page table page) and scanning information bitmap page (hereinafter to be referred as bitmap page).Accordingly, GOS kernel virtual address is divided into page directory index, Page table index and three position sections of page or leaf bias internal: the highest X position is a page directory index, corresponding 2 XIndividual page directory item is deposited the first address of page table page; Middle Y position is a Page table index, corresponding 2 YIndividual page table entry is deposited the first address of bitmap page; Minimum Z position is the page or leaf bias internal, deposits the side-play amount (with two bits is unit calculate) of the corresponding scanning information bit in kernel virtual address in bitmap page.
On the basis of above-mentioned definition, the concrete technical scheme of the present invention is following:
Step 1. is created and the initialization global data structures:
1.1 create and initialization scan information bit map sheet catalogue page: distribute a data page as the page directory page or leaf in the scanning information bitmap index structure, and the page directory item in the page directory page or leaf all was initialized as for 0 (representing the not scanning as yet of whole GOS kernel virtual address spaces);
1.2 reaching, initialization entry address to be scanned formation replaced RB effective information balanced binary tree: entry address to be scanned formation is reached the head pointer of having replaced RB effective information balanced binary tree be made as NULL.
1.3 make global variable M=JMP replacement instruction length.
Step 2. is obtained the initial executive address of GOS kernel from GOS kernel loads program (like Grub) input parameter, be designated as the first port address that is scanned into, and then the first port address that is scanned into is carried out dynamic scan:
2.1. adopt the first scanning mode that is scanned into port address of scanning mode querying method inspection:, change step 3 if scan; If scanning is not designated as the initial border of fundamental block with the first port address that is scanned into, change 2.2.The scanning mode querying method is: at first will be divided into page directory index, Page table index and three position sections of page or leaf bias internal by inquire address; Check the page directory item that page directory index is pointed to then,, then return-1 and represent that this address is not scanned and the corresponding bit in this address does not exist if the page directory item is 0.If page directory Xiang Buwei 0; Then continue the page table entry that the inspection Page table index is pointed to; If page table entry is 0; Return then that-1 this address of expression is not scanned and the corresponding bit in this address does not exist,, then calculate by the physical location of the corresponding bit of inquire address and return the actual value of bit according to scanning information bitmap page first address in the page table entry and page or leaf bias internal if page table entry is not 0.Confirm by the scanning mode of the first address of scan instruction according to the actual value of bit at last: the actual value low level of bit is that 1 expression scans, is not scanning of 0 expression.
2.2. fundamental block scanning is carried out on the initial border of fundamental block, and method is:
2.2.1 initialization responsive instruction queue to be converted: responsive instruction queue head pointer to be converted is made as NULL;
2.2.2 the fundamental block start address is made as address to be scanned;
Decipher operation below carrying out according to decode results 2.2.3 treat the instruction of place, scan address:
2.2.3.1 if responsive instruction or indirect control transfer instruction are then added this instruction to responsive instruction queue to be converted, change 2.2.4;
If 2.2.3.2 direct control transfer instruction; Then at first adopt this destination address of destination address validity checking method inspection whether to point to and replaced RB inside: replaced RB inside if point to; Then add direct control transfer instruction to responsive instruction queue to be converted so that when replacement revised its destination address, change 2.2.4 then; If do not point to and replace RB inside, then adopt the scanning mode of scanning mode querying method inspection destination address in 2.1, if destination address has scanned and then changeed 2.2.4, otherwise add destination address to entry address to be scanned formation, change 2.2.4.The destination address validity checking method is: adopt general balanced binary tree traversal method traversal to replace RB effective information balanced binary tree; Find index value less than the intended target address and with the immediate node in intended target address; If the intended target address is less than or equal to this node index value (promptly having replaced the first address of RB) and adds the RB of the replacement length that writes down in the node; Showing then that the intended target address is pointed to has replaced RB inside, has not replaced RB inside otherwise do not point to.
2.2.3.3 if ordinary instruction is then changeed 2.2.4;
2.2.4 by the scanning mode of scan instruction, method is according to decode results record: at first adopt scanning information bit indexing means to obtain, the low level of this bit is made as 1 by the physical location of the corresponding bit of scan instruction first address; Adopt scanning information bit indexing means to obtain successively these bits being made as 00 then by the physical location of the corresponding bit of all remainder bytes of scan instruction; Last if be direct control transfer instruction by scan instruction, then adopt scanning information bit indexing means to obtain the physical location of the corresponding bit of this control transfer instruction destination address, and the high position of this bit is made as 1.Wherein, scanning information bit indexing means is: at first will be divided into page directory index, Page table index and three position sections of page or leaf bias internal by index address; Checking then whether the page directory item that page directory index is pointed to is 0, is then to distribute a data page also the first address of this page table page to be write in the page directory item corresponding in the page directory page or leaf as scanning information bitmap page table page immediately; Checking then whether the page table entry that Page table index is pointed to is 0, is then to distribute a data page also the first address of this bitmap page to be write in the page table entry corresponding in the page table page as the scanning information bitmap page immediately; Obtain by the physical location of the corresponding bit of index address according to scanning information bitmap page first address and page or leaf bias internal at last.
2.2.5 will be added this instruction length by the scan instruction address, obtain the first address of next bar instruction.
2.2.6 if be unconditional control transfer instruction or adopt in 2.1 the scanning mode querying method to find that next bar instruction first address scans by scan instruction; Then next bar instruction first address is made as the end boundary of fundamental block; And the high position of its scanning information bit is made as 1; Represent that this address is fundamental block boundary address or control transfer instruction destination address, finish this fundamental block scanning then and change 2.3; Otherwise change 2.2.7.
2.2.7 next bar instruction first address is made as address to be scanned, change 2.2.3, proceed fundamental block scanning.
2.3 the local replacement of sensitivity instruction based on replace block is carried out in instruction to the sensitivity in the responsive instruction queue to be converted:
2.3.1 if responsive instruction queue to be converted is empty, then stop replacement, change step 3; If responsive instruction queue to be converted is not empty; From responsive instruction queue to be converted, take out minimum responsive instruction address; The replace block that comprises this sensitivity instruction is sought in (from the initial border of fundamental block to the continuous virtual address space the fundamental block end boundary) in fundamental block, and finding method is following:
2.3.1.1 should the sensitivity instruction self be made as current RB;
2.3.1.2 if current RB length is not less than the M byte, then current RB is made as RB to be converted, changes 2.3.3; If current RB length is less than the M byte, to attempt instructing current RB to the low address space extending neighboring, extended method is following:
A1. if current RB first address is the initial border of fundamental block, change 2.3.1.3; Otherwise instruct current RB to one of low address space expansion; Method is: adopt the scanning information bit indexing means among the 2.2.4 to begin to low address space search sweep information bitmap from current RB first address; Obtain the physical location of the corresponding bit of every continuation address successively and check the actual value of each bit; Finding first low level is 1 bit, is that 1 the corresponding virtual address (promptly being expanded the first address of instruction) of bit is made as the initial border of current RB with this low level, changes B1.
B1. if being expanded the high position of the corresponding bit of instruction first address is 1, represent the destination address that this bit corresponding address is a control transfer instruction, carry out C1; Otherwise change 2.3.1.2.
C1. check entry address to be scanned formation; If find that to be expanded the instruction first address be the node of index value; Then adopt the caller formation of this node of traversal extended method inspection; All are expanded to current RB in the caller address within the fundamental block scope and all instructions between the current RB, change 2.3.1.2.If do not find that to be expanded the instruction first address be the node of index value, directly change 2.3.1.2.The traversal extended method is: adopt destination address validity checking method among the 2.2.3.2 to check successively whether each caller address is positioned within the fundamental block scope and is positioned at outside the current RB scope; Be the border that then the caller address is made as current RB: if the caller address less than current RB first address, then is made as current RB first address with this address; If the caller address greater than the end boundary of current RB, then is made as next bar instruction first address (being the control transfer instruction length that the caller address adds this place, address) of caller address the end boundary of current RB.Otherwise check next caller address.
2.3.1.3 attempt arriving current RB to high address spatial spread adjacent instructions, extended method is following:
A2. if the end boundary that current RB end boundary is a fundamental block; Change 2.3.2; Otherwise instruct current RB to one of high address spatial spread; Method is: adopt the scanning information bit indexing means among the 2.2.4 to begin to high address space search scanning information bitmap from current RB end boundary; Obtain the physical location of the corresponding bit of every continuation address successively and check the actual value of each bit; Finding second low level is that 1 bit (after the corresponding current RB article one next bar instruction first address of scan instruction) or first are set to 10 bit (end boundary of corresponding fundamental block), and the virtual address that this bit is corresponding is made as current RB end boundary, and first low level that finds to be 1 the corresponding virtual address of bit promptly be expanded the instruction first address.
B2. if being expanded the corresponding bit of instruction first address is 10, change 2.3.2; Otherwise inspection is expanded the high position of the corresponding bit of instruction first address, if a high position is 1, changes C2, if a high position is 0, changes 2.3.1.2.
C2. check entry address to be scanned formation; If find that to be expanded the instruction first address be the node of index value; Then adopt the caller formation of this node of traversal extended method inspection among the C1; All are expanded to current RB in the caller address within the fundamental block scope and all instructions between the current RB, change 2.3.1.2.If do not find that to be expanded the instruction first address be the node of index value, directly change 2.3.1.2.
2.3.2 if current RB length less than M byte (showing that fundamental block length is less than the JMP replacement instruction), then is made as RB to be converted with the sensitivity instruction; Otherwise current RB is made as RB to be converted.
Have the semantic transcode piece of carrying out of equal value 2.3.3 the conventional method in the employing binary translation generates with RB to be converted, be designated as TB.
2.3.4 if the length of RB to be converted is not less than the M byte, then M byte before this RB is replaced with the JMP instruction, destination address is the TB first address that generates among the 2.2.3, remainder bytes is filled with the NOP instruction, has been replaced RB; If the length of RB to be converted is less than the M byte, then the first byte with this RB replaces with the INT3 instruction, and remainder bytes is filled with the NOP instruction, has been replaced RB.
2.3.5 in replacing RB effective information balanced binary tree, create the node replaced RB, this node comprise the first address of replacing RB, length and and the TB instruction between these effective informations of address corresponding relation.For the RB that is replaced by INT3 instruction (actual be responsive instruction), will information recorded finds and carries out its transcode in the RB effective information balanced binary tree based on replacing by VMM INT3 abnormality processing function when this INT3 instruction is carried out; RB for being replaced by the JMP instruction then instructs direct execution to replace the transcode of RB through JMP.
2.3.6 travel through responsive instruction queue to be scanned, deleting all is the node of index value with the responsive instruction address of replacing among the RB, changes 2.3.1.
2.4 travel through entry address to be scanned formation, delete all to be scanned into the node that port address is an index value.
2.5 if entry address to be scanned formation is empty, then finish this dynamic scan, change step 3; Otherwise from the formation of entry address to be scanned, take out maximum and be not scanned into port address, be designated as the initial border of fundamental block, change 2.2 and carry out fundamental block scanning next time.
Step 3. begins to carry out the GOS kernel code from the first port address that is scanned into, and until producing hardware interrupts or unusual, or carries out the transcode of indirect control transfer instruction.
Step 4. is made as the first port address that is scanned into the entry address of GOS interruption or abnormality processing function or the destination address of indirect control transfer instruction, changes 2.1.
Can know according to above process: after GOS being executed the dynamic scan first time; GOS just be in original code and transcode repeatedly, the alternate run state; And operation along with GOS; Under the prerequisite of the GOS kernel module that dynamic load is not new, the GOS kernel code of non-scanned will be fewer and feweri, thereby the system overhead that dynamic scan is introduced also can be more and more littler.
Adopt the present invention can reach following technique effect:
1. adopt based on the sensitivity of replace block and instruct local replacement method; With the replace block is that unit replaces; Can avoid the use of INT0/INT3 instruction to greatest extent and replace (only using INT3 instruction replacement during less than the JMP replacement instruction), thereby effectively improve the BT virtualizing performance in fundamental block length.
2. can replace the responsive instruction of the X86 of any definition, extensibility is good, applicability is wide.
3. be that indexes dynamic is created the scanning information bitmap with GOS kernel virtual address, not only can reduce memory cost, and can effectively prevent to misplace to attack and change and attack based on the virtual address that buffer zone overflows.
Therefore, the present invention both can satisfy employing BT technology and realize the virtualized software support of operating system demand, also can be applied to require object code is carried out the application scenarios of safety inspection or isolation.
Description of drawings
Fig. 1 is an overview flow chart of the present invention;
Fig. 2 is a fundamental block scanning process flow diagram in the 2.2nd step of the present invention;
Fig. 3 is the local replacement of a responsive instruction process flow diagram in the 2.3rd step of the present invention
Fig. 4 is that the present invention defines scanning information bitmap index structure and indexing means synoptic diagram in 7
The practical implementation method
Fig. 1 is overall flow figure of the present invention
1. create and the initialization global data structures.
2. from GOS kernel loads program input parameter, obtain the initial executive address of GOS kernel, be designated as the first port address that is scanned into, then the first port address that is scanned into is carried out dynamic scan:
2.1. adopt the first scanning mode that is scanned into port address of scanning mode querying method inspection:, change 3 if scan; If scanning is not designated as the initial border of fundamental block with the first port address that is scanned into, change 2.2.
2.2. fundamental block scanning is carried out on the initial border of fundamental block.
2.3 the local replacement of sensitivity instruction based on replace block is carried out in instruction to the sensitivity in the responsive instruction queue to be converted.
2.4 travel through entry address to be scanned formation, delete all to be scanned into the node that port address is an index value.
2.5 if entry address to be scanned formation is empty, then finish this dynamic scan, change 3; Otherwise from the formation of entry address to be scanned, take out maximum and be not scanned into port address, be designated as the initial border of fundamental block and change 2.2.
3 begin to carry out the GOS kernel code from the first port address that is scanned into, until producing hardware interrupts or unusual or carry out the transcode of indirect control transfer instruction.
4. the entry address of GOS interruption or abnormality processing function or the destination address of indirect control transfer instruction are made as the first port address that is scanned into, change 2.1.
Fig. 2 is a fundamental block scanning process flow diagram in 2.2 steps of the present invention
2.2.1 initialization responsive instruction queue to be converted: responsive instruction queue head pointer to be converted is made as NULL.
2.2.2 the fundamental block start address is made as address to be scanned.
Decipher operation below carrying out according to decode results 2.2.3 treat the instruction of place, scan address:
2.2.3.1 if responsive instruction or indirect control transfer instruction are then added this instruction to responsive instruction queue to be converted, change 2.2.4.
If 2.2.3.2 direct control transfer instruction; Then adopt this destination address of destination address validity checking method inspection whether to point to and replaced RB inside: replaced RB inside if point to; Then add direct control transfer instruction to responsive instruction queue to be converted, change 2.2.4 then; If do not point to and replace RB inside, then check the scanning mode of destination address, if destination address has scanned and then changeed 2.2.4, otherwise add destination address to entry address to be scanned formation, change 2.2.4.
If 2.2.3.3 ordinary instruction is changeed 2.2.4.
2.2.4 according to decode results record by the scanning mode of scan instruction: at first adopt scanning information bit indexing means to obtain, the low level of this bit be made as 1 by the physical location of the corresponding bit of scan instruction first address; Adopt scanning information bit indexing means to obtain successively these bits being made as 00 then by the physical location of the corresponding bit of all remainder bytes of scan instruction; Last if be direct control transfer instruction by scan instruction, then adopt scanning information bit indexing means to obtain the physical location of the corresponding bit of this control transfer instruction destination address, and the high position of this bit is made as 1.
2.2.5 will be added this instruction length by the scan instruction address, obtain the first address of next bar instruction.
2.2.6 as if being that unconditional control transfer instruction or next bar instruction first address scans by scan instruction, then the first address of next bar instruction is made as the end boundary of fundamental block, and the high position of its scanning information bit is made as 1, change 2.3 then; Otherwise change 2.2.7.
2.2.7 the first address of next bar instruction is made as address to be scanned, changes 2.2.3.
Fig. 3 is based on the local process flow diagram of replacing of the sensitivity instruction of replace block in 2.3 steps of the present invention
2.3.1 if responsive instruction queue to be converted is empty, then stop replacement, change step 3; If responsive instruction queue to be converted is not empty; From responsive instruction queue to be converted, take out minimum responsive instruction address; The replace block that comprises this sensitivity instruction is sought in (from the initial border of fundamental block to the continuous virtual address space the fundamental block end boundary) in fundamental block, and finding method is following:
2.3.1.1 should the sensitivity instruction self be made as current RB;
2.3.1. 2 if current RB length is not less than the M byte, then current RB is made as RB to be converted, changes 2.3.3; If current RB length is less than the M byte, to attempt instructing current RB to the low address space extending neighboring, extended method is following:
A1. if current RB first address is the initial border of fundamental block, change 2.3.1.3; Otherwise instruct current RB to one of low address space expansion; Method is: adopt the scanning information bit indexing means among the 2.2.4 to begin to low address space search sweep information bitmap from current RB first address; Obtain the physical location of the corresponding bit of every continuation address successively and check the actual value of each bit; Finding first low level is 1 bit, is that 1 the corresponding virtual address (promptly being expanded the first address of instruction) of bit is made as the initial border of current RB with this low level, changes B1.
B1. if being expanded the high position of the corresponding bit of instruction first address is 1, represent the destination address that this bit corresponding address is a control transfer instruction, change C1; Otherwise change 2.3.1.2.
C1. check entry address to be scanned formation; If find that to be expanded the instruction first address be the node of index value; Then adopt the caller formation of this node of traversal extended method inspection; All are expanded to current RB in the caller address within the fundamental block scope and all instructions between the current RB, change 2.3.1.2.If do not find that to be expanded the instruction first address be the node of index value, directly change 2.3.1.2.
2.3.1.3 attempt arriving current RB to high address spatial spread adjacent instructions, extended method is following:
A2. if the end boundary that current RB end boundary is a fundamental block; Change 2.3.2; Otherwise instruct current RB to one of high address spatial spread; Method is: adopt the scanning information bit indexing means among the 2.2.4 to begin to high address space search scanning information bitmap from current RB end boundary; Obtain the physical location of the corresponding bit of every continuation address successively and check the actual value of each bit; Finding second low level is that 1 bit (after the corresponding current RB article one next bar instruction first address of scan instruction) or first are set to 10 bit (end boundary of corresponding fundamental block), and the virtual address that this bit is corresponding is made as current RB end boundary, and first low level that finds to be 1 the corresponding virtual address of bit promptly be expanded the instruction first address.
B2. if being expanded the corresponding bit of instruction first address is 10, change 2.3.2; Otherwise inspection is expanded the high position of the corresponding bit of instruction first address, if a high position is 1, changes C2, if a high position is 0, changes 2.3.1.2.
C2. check entry address to be scanned formation; If find that to be expanded the instruction first address be the node of index value; Then adopt the caller formation of this node of traversal extended method inspection; All are expanded to current RB in the caller address within the fundamental block scope and all instructions between the current RB, change 2.3.1.2.If do not find that to be expanded the instruction first address be the node of index value, directly change 2.3.1.2.
2.3.2 if current RB length less than M byte (showing that fundamental block length is less than the JMP replacement instruction), then is made as RB to be converted with the sensitivity instruction; Otherwise current RB is made as RB to be converted.
Have the semantic transcode piece of carrying out of equal value 2.3.3 the conventional method in the employing binary translation generates with RB to be converted, be designated as TB.
2.3.4 if the length of RB to be converted is not less than the M byte, then M byte before this RB is replaced with the JMP instruction, destination address is the TB first address that generates among the 2.2.3, remainder bytes is filled with the NOP instruction, has been replaced RB; If the length of RB to be converted is less than the M byte, then the first byte with this RB replaces with the INT3 instruction, and remainder bytes is filled with the NOP instruction, has been replaced RB.
2.3.5 in replacing RB effective information balanced binary tree, create the node replaced RB, this node comprise the first address of replacing RB, length and and the TB instruction between these effective informations of address corresponding relation.For the RB that is replaced by INT3 instruction (actual be responsive instruction), will information recorded finds and carries out its transcode in the RB effective information balanced binary tree based on replacing by VMM INT3 abnormality processing function when this INT3 instruction is carried out; RB for being replaced by the JMP instruction then instructs direct execution to replace the transcode of RB through JMP.
2.3.6 travel through responsive instruction queue to be scanned, deleting all is the node of index value with the responsive instruction address of replacing among the RB, changes 2.3.1.
Fig. 4 is that the present invention defines scanning information bitmap and indexing means synoptic diagram thereof in 7
With the X86-32 bit architecture is example: 32 kernel virtual addresses are divided into page directory index, Page table index and three position sections of page or leaf bias internal altogether.Wherein: most-significant byte is a page directory index, corresponding 256 list items; Middle 10 is Page table index, corresponding 1024 list items; Minimum 14 then are the side-play amount (with two bits is unit calculate) of the corresponding bit in kernel virtual address in the scanning information bitmap page.Specify GOS kernel virtual address va corresponding scanning information bit index and acquisition methods following:
1) get the most-significant byte (being page directory index) of va, moving to left adds address, page directory beginning of the page after 2, obtains the first address of the corresponding page directory item of va, from the page directory item, takes out the first address of page table page;
2) get 10 of the centres (being Page table index) of va, moving to left adds the first address of page table page after 2, obtains the first address of the corresponding page table entry of va, the first address of fetch bit map sheet from page table entry;
3) get the low 14 of va, moving to right adds the first address of bitmap page after 2, obtains the internal storage location address (being arranged in the scanning information bitmap page) at the corresponding scanning information bit place of va, is designated as pScanByte;
4) low 14 with va carry out position and computing with 0x3, obtain the side-play amount of scanning information bit in pScanByted of va correspondence, are designated as offset;
5) calculate the actual value of the corresponding scanning information bit of va by following formula, be designated as ScanBit:
ScanBit=(pScanByte&(0x3<<(offset<<1)))>>(offset<<1)
" < < " is left shift operator, ">> " in the formula is shift right operator, and expression is with 16 system signless integers move to left or the move to right figure place of appointment; " & " is the position AND operator.

Claims (7)

1. one kind based on the method for piece to scanning object code and the responsive instruction of replacement, it is characterized in that may further comprise the steps:
Step 1. is created and the initialization global data structures:
1.1 create and initialization scan information bit map sheet catalogue page: distribute a data page as the page directory page or leaf in the scanning information bitmap index structure, and the page directory item in the page directory page or leaf all is initialized as 0; The scanning information bitmap is meant with bitmap form data structure that realize, that be used to preserve GOS kernel virtual address scanning mode and relevant information; In the scanning information bitmap; The scanning information of every GOS virtual address by with this address one to one the scanning information bit be called bit and describe, each scanning information bit is made up of two bits: the corresponding virtual address of 00 this bit of expression is not scanned or non-instruction first address; The corresponding virtual address of 01 this bit of expression is scanned; The corresponding virtual address of 10 this bits of expression is not scanned or non-instruction first address and be fundamental block border or control transfer instruction destination address; The corresponding virtual address of 11 these bits of expression has been scanned and has been fundamental block boundary address or control transfer instruction destination address; Fundamental block is meant that with the initial executive address of GOS, GOS Interrupt Process function first address or control transfer instruction destination address be initial border, with unconditional control transfer instruction or the scan address be the successive objective instruction sequence of end boundary; Scanning information bitmap index structure is made up of scanning information bitmap page catalogue page, scanning information bitmap page table page and scanning information bitmap page; GOS kernel virtual address is divided into page directory index, Page table index and three position sections of page or leaf bias internal; Page directory index is deposited the first address of page table page; Page table index is deposited the first address of bitmap page, and the page or leaf bias internal is deposited the corresponding side-play amount of scanning information bit in bitmap page in kernel virtual address;
1.2 reaching, initialization entry address to be scanned formation replaced RB effective information balanced binary tree: entry address to be scanned formation is reached the head pointer of having replaced RB effective information balanced binary tree be made as NULL; Entry address to be scanned formation is meant with the control transfer instruction destination address realization of linear linked list form, that find when preserving dynamic scan and the data structure of call address thereof; Formation node in entry address to be scanned is an index value with the destination address, arranges according to the order of sequence by address size; Replaced RB effective information balanced binary tree be meant realize with balanced binary tree AVL form, preserve the data structure that is replaced the RB relevant information; Node is an index value to be replaced the RB first address in the tree, out of Memory comprise the length that is replaced RB and with corresponding TB in the corresponding relation of every instruction address; RB is a replace block, refers to the shortest successive objective instruction sequence that meets the following conditions: be positioned at fundamental block inside, comprise fundamental block self; Comprise and specify responsive instruction and length to be not less than the JMP instruction length; Except the destination address that does not contain any control transfer instruction within the affiliated fundamental block scope, outside this replace block scope, this replace block first address; TB is a conversion block, refer to that replace block is replaced after, carry out, comprise virtual code or safety inspection code and have the one group of semantic instruction sequence of carrying out of equal value via replacement instruction with former replace block;
1.3 make global variable M=JMP replacement instruction length;
Step 2. is obtained the initial executive address of GOS kernel from GOS kernel loads program input parameter, be designated as the first port address that is scanned into, and then the first port address that is scanned into is carried out dynamic scan:
2.1. adopt the first scanning mode that is scanned into port address of scanning mode querying method inspection:, change step 3 if scan; If scanning is not designated as the initial border of fundamental block with the first port address that is scanned into, change 2.2;
2.2. fundamental block scanning is carried out on the initial border of fundamental block, and method is:
2.2.1 initialization responsive instruction queue to be converted: responsive instruction queue head pointer to be converted is made as NULL; Responsive instruction queue to be converted is meant with the responsive instruction address realization of linear linked list form, that find when preserving fundamental block scanning and the data structure of relevant information thereof; Responsive instruction queue node to be converted is an index value with responsive instruction address, arranges according to the order of sequence by address size;
2.2.2 the fundamental block start address is made as address to be scanned;
Decipher operation below carrying out according to decode results 2.2.3 treat the instruction of place, scan address:
2.2.3.1 if responsive instruction or indirect control transfer instruction are then added this instruction to responsive instruction queue to be converted, change 2.2.4;
If 2.2.3.2 direct control transfer instruction; Then at first adopt this destination address of destination address validity checking method inspection whether to point to and replaced RB inside: replaced RB inside if point to; Then add direct control transfer instruction to responsive instruction queue to be converted, change 2.2.4 then; If do not point to and replace RB inside, then adopt the scanning mode of scanning mode querying method inspection destination address, if destination address has scanned and then changeed 2.2.4, otherwise add destination address to entry address to be scanned formation, change 2.2.4;
2.2.3.3 if ordinary instruction is then changeed 2.2.4;
2.2.4 by the scanning mode of scan instruction, method is according to decode results record: at first adopt scanning information bit indexing means to obtain, the low level of this bit is made as 1 by the physical location of the corresponding bit of scan instruction first address; Adopt scanning information bit indexing means to obtain successively these bits being made as 00 then by the physical location of the corresponding bit of all remainder bytes of scan instruction; Last if be direct control transfer instruction by scan instruction, then adopt scanning information bit indexing means to obtain the physical location of the corresponding bit of this control transfer instruction destination address, and the high position of this bit is made as 1;
2.2.5 will be added this instruction length by the scan instruction address, obtain the first address of next bar instruction;
2.2.6 if be that unconditional control transfer instruction or next bar instruction first address scans by scan instruction; Then next bar instruction first address is made as the end boundary of fundamental block; And the high position of its scanning information bit is made as 1; Represent that this address is fundamental block boundary address or control transfer instruction destination address, finish this fundamental block scanning then and change 2.3; Otherwise change 2.2.7;
2.2.7 next bar instruction first address is made as address to be scanned, change 2.2.3, proceed fundamental block scanning;
2.3 the local replacement of sensitivity instruction based on replace block is carried out in instruction to the sensitivity in the responsive instruction queue to be converted:
2.3.1 if responsive instruction queue to be converted is empty, then stop replacement, change step 3; If responsive instruction queue to be converted is not empty, from responsive instruction queue to be converted, take out minimum responsive instruction address, in fundamental block, seek the replace block that comprises this sensitivity instruction, finding method is following:
2.3.1.1 should the sensitivity instruction self be made as current RB;
2.3.1.2 if current RB length is not less than the M byte, then current RB is made as RB to be converted, changes 2.3.3; If current RB length is less than the M byte, to attempt instructing current RB to the low address space extending neighboring, extended method is following:
A1. if current RB first address is the initial border of fundamental block, change 2.3.1.3; Otherwise instruct current RB to one of low address space expansion, change B1;
B1. if this low level is the high position of 1 bit is 1, carries out C1, otherwise change 2.3.1.2;
C1. check entry address to be scanned formation; If find with low level to be that the corresponding virtual address of 1 bit is the node of index value; Then adopt the caller formation of this node of traversal extended method inspection; All are expanded to current RB in the caller address within the fundamental block scope and all instructions between the current RB, change 2.3.1.2; If do not find with low level to be that the corresponding virtual address of 1 bit is the node of index value, then change 2.3.1.2; The caller formation is meant the data structure that realizes with the linear linked list form, preserve the control transfer instruction address with same target address; Caller address queue node is an index value with the control transfer instruction address, is included among each node of entry address to be scanned formation;
2.3.1.3 attempt arriving current RB to high address spatial spread adjacent instructions, extended method is following:
A2. if the current RB end boundary end boundary that is fundamental block is changeed 2.3.2, otherwise instruct current RB to fundamental block of high address spatial spread;
B2. if being expanded the corresponding bit of instruction first address is 10, change 2.3.2; Otherwise inspection is expanded the high position of the corresponding bit of instruction first address, if a high position is 1, changes C2, if a high position is 0, changes 2.3.1.2;
C2. check entry address to be scanned formation; If find that to be expanded the instruction first address be the node of index value; Then adopt the caller formation of this node of traversal extended method inspection, all are expanded to current RB in the caller address within the fundamental block scope and all instructions between the current RB, change 2.3.1.2; If do not find that to be expanded the instruction first address be the node of index value, directly change 2.3.1.2;
2.3.2 if current RB length less than the M byte, then is made as RB to be converted with the sensitivity instruction; Otherwise current RB is made as RB to be converted;
Have the semantic transcode piece of carrying out of equal value 2.3.3 the conventional method in the employing binary translation generates with RB to be converted, be designated as TB;
2.3.4 if the length of RB to be converted is not less than the M byte, then M byte before this RB is replaced with the JMP instruction, destination address is the TB first address, remainder bytes is filled with the NOP instruction, has been replaced RB; If the length of RB to be converted is less than the M byte, then the first byte with this RB replaces with the INT3 instruction, and remainder bytes is filled with the NOP instruction, has been replaced RB;
2.3.5 in replacing RB effective information balanced binary tree, create the node replaced RB, this node comprise the first address of replacing RB, length and and the TB instruction between these effective informations of address corresponding relation;
2.3.6 travel through responsive instruction queue to be scanned, deleting all is the node of index value with the responsive instruction address of replacing among the RB, changes 2.3.1;
2.4 travel through entry address to be scanned formation, delete all to be scanned into the node that port address is an index value;
2.5 if entry address to be scanned formation is empty, then finish this dynamic scan, change step 3; Otherwise from the formation of entry address to be scanned, take out maximum and be not scanned into port address, be designated as the initial border of fundamental block, change 2.2 and carry out fundamental block scanning next time;
Step 3 begins to carry out the GOS kernel code from the first port address that is scanned into, until producing hardware interrupts or unusual or carry out the transcode of indirect control transfer instruction;
Step 4. is made as the first port address that is scanned into the entry address of GOS interruption or abnormality processing function or the destination address of indirect control transfer instruction, changes 2.1.
2. as claimed in claim 1 based on the method for piece to scanning object code and the responsive instruction of replacement, it is characterized in that said scanning mode querying method is: at first will be divided into page directory index, Page table index and three position sections of page or leaf bias internal by inquire address; Check the page directory item that page directory index is pointed to then,, then return-1 and represent that this address is not scanned and the corresponding bit in this address does not exist if the page directory item is 0; If page directory Xiang Buwei 0; Then continue the page table entry that the inspection Page table index is pointed to; If page table entry is 0; Return then that-1 this address of expression is not scanned and the corresponding bit in this address does not exist,, then calculate by the physical location of the corresponding bit of inquire address and return the actual value of bit based on scanning information bitmap page first address in the page table entry and page or leaf bias internal if page table entry is not 0; At last confirm to be scanned the scanning mode of the first address of instruction based on the actual value of bit: the actual value low level of bit is that 1 expression scans, is scanning of 0 expression;
3. as claimed in claim 1 based on the method for piece to scanning object code and the responsive instruction of replacement; It is characterized in that said destination address validity checking method is: adopt balanced binary tree traversal method traversal to replace RB effective information balanced binary tree; Find index value less than the intended target address and with the immediate node in intended target address; If the intended target address is less than or equal to the first address of replacing RB and adds the RB of the replacement length that writes down in the node; Showing then that the intended target address is pointed to has replaced RB inside, has not replaced RB inside otherwise do not point to.
4. as claimed in claim 1 based on the method for piece to scanning object code and the responsive instruction of replacement, it is characterized in that said scanning information bit indexing means is: at first will be divided into page directory index, Page table index and three position sections of page or leaf bias internal by index address; Checking then whether the page directory item that page directory index is pointed to is 0, is then to distribute a data page also the first address of this page table page to be write in the page directory item corresponding in the page directory page or leaf as scanning information bitmap page table page immediately; Checking then whether the page table entry that Page table index is pointed to is 0, is then to distribute a data page also the first address of this bitmap page to be write in the page table entry corresponding in the page table page as the scanning information bitmap page immediately; Obtain by the physical location of the corresponding bit of index address according to scanning information bitmap page first address and page or leaf bias internal at last.
5. as claimed in claim 1 based on the method for piece to scanning object code and the responsive instruction of replacement; It is characterized in that saidly instructing the method for current RB to be: adopt scanning information bit indexing means to begin to low address space search sweep information bitmap from current RB first address to fundamental block of low address space expansion; Obtain the physical location of the corresponding bit of every continuation address successively and check the actual value of each bit; Finding first low level is 1 bit, is that the first address that 1 the corresponding virtual address of bit promptly is expanded instruction is made as the initial border of current RB with this low level.
6. as claimed in claim 1 based on the method for piece to scanning object code and the responsive instruction of replacement; It is characterized in that said traversal extended method is: adopt the destination address validity checking method to check successively whether each caller address is positioned within the fundamental block scope and is positioned at outside the current RB scope; It is the border that then the caller address is made as current RB; Even the caller address then is made as current RB first address with this address less than current RB first address; If the caller address then is made as this address the end boundary of current RB, otherwise checks next caller address greater than the end boundary of current RB.
7. as claimed in claim 1 based on the method for piece to scanning object code and the responsive instruction of replacement; It is characterized in that saidly instructing the method for current RB to be: adopt scanning information bit indexing means to begin to high address space search scanning information bitmap from current RB end boundary to fundamental block of high address spatial spread; Obtain the physical location of the corresponding bit of every continuation address successively and check the actual value of each bit; Finding second low level is that 1 bit or first are set to 10 bit; The virtual address that this bit is corresponding is made as current RB end boundary, and first low level that finds to be 1 the corresponding virtual address of bit promptly be expanded the instruction first address.
CN200910043831A 2009-07-03 2009-07-03 Block-based method for scanning object code and replacing sensitive instruction Expired - Fee Related CN101630269B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910043831A CN101630269B (en) 2009-07-03 2009-07-03 Block-based method for scanning object code and replacing sensitive instruction

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200910043831A CN101630269B (en) 2009-07-03 2009-07-03 Block-based method for scanning object code and replacing sensitive instruction

Publications (2)

Publication Number Publication Date
CN101630269A CN101630269A (en) 2010-01-20
CN101630269B true CN101630269B (en) 2012-08-29

Family

ID=41575387

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910043831A Expired - Fee Related CN101630269B (en) 2009-07-03 2009-07-03 Block-based method for scanning object code and replacing sensitive instruction

Country Status (1)

Country Link
CN (1) CN101630269B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102109975B (en) * 2009-12-24 2015-03-11 华为技术有限公司 Method, device and system for determining function call relationship
US8756591B2 (en) 2011-10-03 2014-06-17 International Business Machines Corporation Generating compiled code that indicates register liveness
US8615745B2 (en) 2011-10-03 2013-12-24 International Business Machines Corporation Compiling code for an enhanced application binary interface (ABI) with decode time instruction optimization
US8612959B2 (en) 2011-10-03 2013-12-17 International Business Machines Corporation Linking code for an enhanced application binary interface (ABI) with decode time instruction optimization
CN102999374B (en) * 2012-12-10 2016-05-25 北京神州绿盟信息安全科技股份有限公司 A kind of information recording method based on virtual machine
CN103197915B (en) * 2013-03-01 2015-08-19 华为技术有限公司 A kind of method, device and physical machine processing sensitive instructions
CN105335305B (en) * 2015-10-30 2018-05-15 深圳盛思科教文化有限公司 The buffering implementation method and device of a kind of interactive programmable hardware
CN107798241B (en) * 2016-09-07 2020-01-31 龙芯中科技术有限公司 Attack detection device, system and method

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009076281A1 (en) * 2007-12-10 2009-06-18 Sandbridge Technologies, Inc. Accelerating traceback on a signal processor

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009076281A1 (en) * 2007-12-10 2009-06-18 Sandbridge Technologies, Inc. Accelerating traceback on a signal processor

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
陈龙 等.二进制翻译中解析多目标分支语句的图匹配方法.《计算机研究与发展》.2008,第2008年卷(第10期),1789-1798. *

Also Published As

Publication number Publication date
CN101630269A (en) 2010-01-20

Similar Documents

Publication Publication Date Title
CN101630269B (en) Block-based method for scanning object code and replacing sensitive instruction
KR102592376B1 (en) Apparatus and method for controlling command execution operation
CN101398768B (en) Construct method of distributed virtual machine monitor system
KR102599484B1 (en) Processor with advanced operating system support
AU2012208973B2 (en) Techniques for memory de-duplication in a virtual system
TWI752951B (en) An apparatus and method for performing operations on capability metadata
US7596677B1 (en) Paging cache optimization for virtual machine
US8171255B1 (en) Optimization of paging cache protection in virtual environment
US8046521B2 (en) Computer virtualization apparatus and program and method therefor
US20190065301A1 (en) Security enhanced out of process user space handling of hardware events
US11461128B2 (en) Apparatus and method for managing use of capabilities
US10592431B2 (en) Independent shared and process virtual address translations
US20120017209A1 (en) Optimizing a file system interface in a virtualized computing environment
EP3789881A1 (en) Method and device for monitoring memory access behavior of sample process
CN104239237A (en) TLB (translation lookaside buffer) management method and device
US20160055027A1 (en) Virtual machine image disk usage
CN110799939A (en) Apparatus and method for controlling execution of instructions
US10437735B2 (en) Process isolation for out of process page fault handling
EP2755129B1 (en) Memory allocation method, program, and system
CN102662857B (en) For carrying out virtualized equipment and method for storage
US11983555B2 (en) Storage snapshots for nested virtual machines
US20230185593A1 (en) Virtual device translation for nested virtual machines
US11748136B2 (en) Event notification support for nested virtual machines
US20220405111A1 (en) Improving memory access handling for nested virtual machines
US11960420B2 (en) Direct memory control operations on memory data structures

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120829

Termination date: 20150703

EXPY Termination of patent right or utility model