CN102129531A - Xen-based active defense method - Google Patents

Xen-based active defense method

Info

Publication number: CN102129531A
Authority: CN (China)
Prior art keywords: virtual machine, user, front-end driver, Xen, address
Legal status: Granted (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN2011100699239A
Other languages: Chinese (zh)
Other versions: CN102129531B (granted publication)
Inventors: 赖英旭, 胡少龙, 杨震, 段立娟, 李健
Original assignee: Beijing University of Technology
Current assignee: Beijing University of Technology (as listed by Google Patents; may be inaccurate)

Prosecution events
Application filed by Beijing University of Technology
Priority to CN2011100699239A
Publication of CN102129531A
Application granted
Publication of CN102129531B
Current status: Expired - Fee Related

Abstract

The invention discloses an active defense method based on the Xen virtual machine. Xen is used to generate a virtual machine for the user, and the user works inside that virtual machine. The security programs that would conventionally have to be installed inside the virtual machine are removed from it and placed outside the user's virtual machine, so that the kernel modules of the security programs are invisible to malicious programs. A front-end driver is placed in the user's virtual machine so that the security modules outside it can scan and intervene in operations inside it, and the front-end driver is protected by a memory protection module in the virtual machine monitor layer so that malicious programs cannot attack it. Because the kernel modules sit outside the virtual machine and are invisible to malicious programs, the method achieves higher security than the conventional way of deploying security programs; in addition, a para-virtualized front-end/back-end driver communication path is introduced, which greatly reduces the system overhead caused by virtualization and makes the method practical.

Description

An active defense method based on Xen
Technical field
The invention belongs to the field of computer security.
Background art
Malicious programs such as viruses are becoming ever more complex, and protecting a computer system is becoming ever harder; sometimes merely detecting these programs is extremely difficult, and for some of them removal without damaging the original system is impossible.
Mainstream commercial security software currently protects the user's operating system with a combination of signature scanning and active defense. Signature scanning targets known malicious programs: system memory and files are scanned and compared with the malicious-program signatures stored in a database, so that known malicious programs are found. For unknown viruses, heuristic algorithms are used to judge whether a program exhibits the features of a malicious program; because of the complexity of malicious programs and the limits of the algorithms, this method has a certain rate of missed detections and false alarms. Active defense is therefore now more widely adopted: a monitoring routine is inserted at core positions in the system and, as soon as undefined behaviour is detected, the user is notified and decides how to handle it, which greatly improves the accuracy with which malicious behaviour is judged.
However, the computer user's nightmare continues. We often meet the situation where the security program is closed automatically and cannot be started again. The main reason is that the security software and the malicious program both run inside the protected system; the malicious program has the same opportunity to obtain the highest system privilege and take over the security program, and the contest between the two is endless. How to improve the security of the security program itself has become a problem that urgently needs a solution.
In recent years, as hardware performance has improved, virtualization technology has begun to spread to desktop users, and because of the natural isolation of virtual machines many security projects are built on it. At present, the main idea of this kind of research is to move the application into an isolated virtual machine so that it is not affected by the physical host system, as proposed by the OpenTC project of the Trusted Computing organization. But a virtual machine is a computing environment simulated by software or with hardware assistance and has the same characteristics as a real system; although it is isolated from the physical system environment, its internal security is not improved, and if security software is installed inside the virtual machine the problem described above remains. Some research therefore attempts to strip the security program out of the protected virtual machine and place it in the privileged virtual machine (the special virtual machine responsible for managing all other virtual machines) or in the virtual machine monitor (the core module of the virtualization software). Components at that level are invisible from inside the virtual machine, so a malicious program cannot attack them and security is improved; this class of technique is called VM introspection. For example, the XenAccess method can obtain and parse the memory of the user virtual machine (the protected virtual machine) from within the privileged virtual machine, but it cannot access the file system and cannot intervene inside the virtual machine. The Lares project of the Georgia Institute of Technology in the United States proposed an active defense method that can intervene in behaviour inside the virtual machine: it intercepts that behaviour and sends it to the privileged virtual machine, but the data transfer method it uses is very simple, trapping directly into the virtual machine monitor with hypercalls, which is unsuitable for transferring large amounts of data (such as scanning the file system of the user virtual machine), and its busy waiting consumes a large amount of CPU time. Intel proposed a lightweight virtual-machine-based method for protecting memory and data that guarantees the memory and data in use are not tampered with, but it requires existing applications to be modified to call its method explicitly, so it is not practical.
Summary of the invention
To solve these problems, the inventors propose an active defense method based on Xen. Xen is a type I (bare-metal) hypervisor. After Xen is installed, a virtual machine monitor layer is inserted between the hardware and the original operating system; the original operating system then runs on top of that layer and becomes a special virtual machine called the privileged virtual machine, which can create, destroy and manage user virtual machines. The method uses Xen to generate a virtual machine for the user; a back-end driver is placed in the privileged virtual machine and a front-end driver in the user virtual machine; information inside the user virtual machine is obtained through communication between the front-end and back-end drivers, and behaviour inside the user virtual machine is controlled; byte-level memory write protection of the front-end driver in the user virtual machine is implemented in the virtual machine monitor layer; and front-end/back-end driver communication uses a para-virtualized communication mode.
The front-end driver runs in the user virtual machine, is implemented as a virtual PCI driver and initializes automatically at system start-up. It has two main functions. The first is intercepting system calls, implemented in the traditional way by hooking the SSDT (System Service Descriptor Table) and installing redirect code; system calls are intercepted so that behaviour inside the user virtual machine can be intervened in, and the intercepted information is sent to the back-end driver and judged by the decision module. The second is communicating with the privileged virtual domain.
The back-end driver is implemented as a kernel module and has two main functions. It communicates with the front-end driver to obtain the intercepted system information and related data, passes those data to the user-mode decision module and, after the decision module has made its judgement, sends the result back to the front-end driver. In addition, after the front-end driver has initialized its hooks and redirect code, the back-end driver notifies the memory protection module in the virtual machine monitor of the corresponding memory address ranges to protect.
When the front-end driver communicates with the back-end driver, a para-virtualized communication mode is used. Para-virtualization requires modification of the operating system kernel, so it is mostly used with the open-source Linux operating system, whereas most personal users run the closed-source Windows operating system. To use this technique in a user virtual machine running Windows, the components inside the user virtual machine must first be aware that they are in a virtual machine, and the code for the Xen mechanisms used by the split driver model must be ported: hypercalls (Hypercall), event channels, Xenstore and grant tables (Grant table). Xenstore is implemented on shared memory and is used, when the user virtual machine starts, to read the device initialization information provided by the privileged domain; the front-end driver also uses Xenstore to connect to the back-end driver during its own initialization, and thereafter communicates with the back-end driver through the event channel and the I/O ring. After the front-end driver has intercepted system information, it uses a hypercall to ask the virtual machine monitor to stop scheduling it while it waits for the decision module's decision, which greatly improves performance.
The I/O ring is a structure implemented on Xen's shared memory mechanism for exchanging data between split drivers. There are two kinds: fixed-slot-size (Fixed slot) rings, used by network and storage devices, and variable-slot-size (Variable) rings, used by Xenstore. In this method two main kinds of data are transferred: file information together with its hash value, and the files that need to be scanned. A single fixed-slot-size I/O ring is used for both, and a flag field distinguishes the data type. When the back-end driver initializes, it allocates an unbound event channel, initializes the I/O ring, and writes the event channel port number and the ring address into Xenstore. The front-end driver reads this information from Xenstore, binds the event channel, maps the ring address, uses a hypercall to tell the virtual machine monitor which interrupt number to use when notifying this virtual domain, and registers an interrupt handler for that interrupt.
To protect the front-end driver in the user virtual machine, a byte-level memory write-protection module is implemented in the virtual machine monitor layer and applied to the front-end driver. First the memory address ranges to be protected are recorded. The shadow page table (SPT) is empty initially and is built up gradually as the system runs; whenever an SPT entry is generated for a page, the module checks whether that page in the guest page table (GPT) contains a protected memory address, and if so the page is marked read-only in the SPT. This gives page-level write protection, but not every byte in such a page needs protection, so when a write fault occurs the handler must further check whether the address written by the faulting instruction is a protected address: the faulting address in the CR2 register is compared with the protected addresses. If it is protected, a page fault is returned to the user virtual machine; otherwise the write operation must be emulated.
For the method to be practical, it must first provide the two main functions of a conventional security program: detecting known malicious programs through memory and file scanning, and defending against unknown malicious programs through active defense. Memory scanning of the virtual machine's interior can be done with existing virtual machine introspection technology. File scanning requires transferring large amounts of data between the user virtual machine and the privileged virtual machine, so the communication path between them must be able to carry such volumes while keeping performance within an acceptable range; this method solves that with a virtual device transfer mode based on para-virtualized device I/O. To improve the security of the security program itself, the method moves the core components of the security program into the privileged virtual machine and the virtual machine monitor, where a malicious program in the user virtual machine cannot attack them. Active defense requires the ability to intervene in behaviour inside the virtual machine, and at present components residing only in the privileged virtual machine cannot do this; so although the method moves the main components of active defense into the privileged virtual machine, a part must still remain in the user virtual machine, and this part is called the front-end driver. Because the front-end driver lives in the user virtual machine, a malicious program could attack it; the method therefore implements a byte-level memory write-protection module in the virtual machine monitor layer to protect the front-end driver from tampering. Because the memory protection is implemented in the virtual machine monitor layer, it cannot be bypassed from inside the user virtual machine.
Description of drawings
Fig. 1 is the architecture diagram of the Xen-based active defense system implemented by the present invention.
Fig. 2 is the interaction diagram of the modules of the Xen-based active defense system implemented by the present invention.
Embodiment
The method is implemented on Xen, and its overall structure is the typical architecture of a type I virtual machine. Apart from Xen's own components it comprises four modules, as shown in Fig. 1. The first is the front-end driver in the protected virtual domain, implemented as a virtual PCI driver and responsible for intercepting system calls and communicating with the privileged virtual domain. The second is the back-end driver in the privileged virtual domain, implemented as a kernel module; it communicates with the front-end driver, obtains the captured system information and passes it to the user-mode decision module in the privileged virtual domain. The third is the decision module, which is used for policy formulation and decision-making; in our prototype system it is a small database holding black and white lists and signatures. The fourth module is the memory protection module in the virtual machine monitor layer, which provides memory write protection for components in the protected virtual domain.
The protected virtual machine is called the guest virtual machine, and the privileged virtual machine is the special virtual machine with the authority to create and control guests; the guest and the privileged virtual machine communicate through the I/O ring. The memory protection module resides in the virtual machine monitor, which runs at the highest privilege level of the system.
The front-end driver runs in the user virtual machine, is implemented as a virtual PCI driver and initializes automatically at system start-up. It has two main functions. The first is intercepting system calls, implemented in the traditional way by hooking the SSDT and installing redirect code; system calls are intercepted so that behaviour inside the user virtual machine can be intervened in, and the intercepted information is sent to the back-end driver and judged by the decision module. To identify an application, features are extracted from it and compared with the features in the database.
The back-end driver is implemented as a kernel module and has two main functions. It communicates with the front-end driver to obtain the intercepted system information and related data, passes those data to the user-mode decision module and, after the decision module has made its judgement, sends the result back to the front-end driver. In addition, after the front-end driver has initialized its hooks and redirect code, the back-end driver notifies the memory protection module in the virtual machine monitor of the corresponding memory address ranges to protect.
When the front-end driver communicates with the back-end driver, a para-virtualized communication mode is used. Because para-virtualization requires modification of the operating system kernel, it is unsuitable for a commercial operating system such as Windows; therefore PV-on-HVM technology is used so that the para-virtualized split driver model runs on a fully virtualized virtual machine, which greatly improves I/O efficiency. This technique first requires the guest virtual domain to be aware that it is in a virtual machine, and the code for the Xen mechanisms used by the split driver model is ported: hypercalls (Hypercall), event channels, Xenstore and grant tables (Grant table). A hypercall is a special system call used to trap into the virtual machine monitor layer; event channels are the asynchronous notification mechanism Xen provides; grant tables are Xen's authorization mechanism for sharing memory between different virtual domains; and Xenstore is implemented on shared memory and is used, when the guest virtual domain starts, to read the device initialization information provided by the privileged domain. The front-end driver also uses Xenstore to connect to the back-end driver during its own initialization, and thereafter communicates with the back-end driver through the event channel and the I/O ring. After the front-end driver intercepts system information, it uses SCHEDOP_block to give up scheduling while it waits for the decision module's decision; compared with Lares, which blocks inside the virtual machine monitor by way of a hypercall, this greatly improves performance.
The I/O ring is widely used in the standard para-virtualized driver model; it is a structure implemented on Xen's shared memory mechanism for exchanging data between split drivers. There are two kinds: fixed-slot-size (Fixed slot) rings, used by network and storage devices, and variable-slot-size (Variable) rings, used by Xenstore. In this method two main kinds of data are transferred: file information together with its hash value, and the files that need to be scanned. A single fixed-slot-size I/O ring is used for both: 4 pages are shared between the guest and the privileged virtual machine, each slot is 1024 bytes, and a flag field distinguishes the data type. When the back-end driver initializes, it allocates an unbound event channel, initializes the I/O ring, and writes the event channel port number and the ring address into Xenstore. The front-end driver reads this information from Xenstore, binds the event channel, maps the ring address, uses a hypercall to tell the virtual machine monitor which interrupt number to use when notifying this virtual domain, and registers an interrupt handler for that interrupt.
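The fixed-slot ring described above, as an added example that is not the patent's code: a user-space model of one ring spanning 4 shared pages with 1024-byte slots, a type field separating file information (hash plus path) from file bytes, and the back-pressure case where the ring fills before a file is fully queued. The slot layout, the head/tail/count bookkeeping, the choice of FNV-1a as the hash and the sample file are this example's own assumptions; a real Xen ring lives in granted pages and needs memory barriers and event-channel notifications between the two sides.

```c
/* Added example, not the patent's code: a user-space model of the single
 * fixed-slot I/O ring (4 shared pages, 1024-byte slots, a type field telling
 * file information plus hash apart from file bytes). Layout, bookkeeping,
 * FNV-1a and the sample file are assumptions of this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096
#define RING_PAGES  4
#define SLOT_SIZE   1024
#define RING_SLOTS  ((RING_PAGES * PAGE_SIZE) / SLOT_SIZE - 1) /* first 1024 bytes hold the indices */
#define SLOT_DATA   (SLOT_SIZE - 8)

enum slot_type { SLOT_FILE_INFO = 1, SLOT_FILE_DATA = 2 };
struct slot {
    uint8_t  type;   /* enum slot_type: the patent's flag field */
    uint8_t  last;   /* 1 on the final data chunk of a file */
    uint16_t len;    /* bytes used in data[] */
    uint32_t seq;    /* chunk number within the file */
    uint8_t  data[SLOT_DATA];
};
struct ring {
    uint32_t head;   /* next slot the consumer (back-end driver) reads */
    uint32_t tail;   /* next slot the producer (front-end driver) writes */
    uint32_t count;  /* slots in use */
    uint8_t  pad[SLOT_SIZE - 3 * sizeof(uint32_t)];
    struct slot slots[RING_SLOTS];
};
_Static_assert(sizeof(struct slot) == SLOT_SIZE, "slot must be exactly 1024 bytes");
_Static_assert(sizeof(struct ring) == RING_PAGES * PAGE_SIZE, "ring must fill 4 pages");

static struct ring shared_ring;   /* stands in for the 4 granted pages */
void ring_init(struct ring *r) { memset(r, 0, sizeof *r); }

/* Producer. -1 means the ring is full: the real front end then waits for the
 * back end's event-channel notification before retrying. */
int ring_push(struct ring *r, uint8_t type, uint8_t last, uint32_t seq,
              const void *data, size_t len) {
    if (len > SLOT_DATA || r->count == RING_SLOTS) return -1;
    struct slot *s = &r->slots[r->tail];
    s->type = type; s->last = last; s->len = (uint16_t)len; s->seq = seq;
    if (len) memcpy(s->data, data, len);
    r->tail = (r->tail + 1) % RING_SLOTS;
    r->count++;
    return 0;
}
/* Consumer. -1 means nothing is queued. */
int ring_pop(struct ring *r, struct slot *out) {
    if (r->count == 0) return -1;
    *out = r->slots[r->head];
    r->head = (r->head + 1) % RING_SLOTS;
    r->count--;
    return 0;
}
uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}
/* Front end: one FILE_INFO slot (hash, then NUL-terminated path), then the
 * file in SLOT_DATA-byte chunks. Returns slots used, or -1 if the ring filled. */
int send_file(struct ring *r, const char *path, const uint8_t *file, size_t n) {
    uint8_t info[SLOT_DATA];
    uint64_t h = fnv1a64(file, n);
    size_t plen = strlen(path) + 1, off = 0;
    uint32_t seq = 0;
    int used = 1;
    if (8 + plen > SLOT_DATA) return -1;
    memcpy(info, &h, 8);
    memcpy(info + 8, path, plen);
    if (ring_push(r, SLOT_FILE_INFO, 0, 0, info, 8 + plen) < 0) return -1;
    do {   /* do-while so an empty file still yields one 'last' chunk */
        size_t chunk = n - off < SLOT_DATA ? n - off : SLOT_DATA;
        if (ring_push(r, SLOT_FILE_DATA, off + chunk == n, seq++, file + off, chunk) < 0)
            return -1;
        off += chunk;
        used++;
    } while (off < n);
    return used;
}
/* Back end: reassemble one file, checking chunk order and the hash. */
int receive_file(struct ring *r, char *path_out, size_t path_cap,
                 uint8_t *buf, size_t cap, size_t *out_len) {
    struct slot s;
    uint64_t expected;
    uint32_t want_seq = 0;
    size_t got = 0;
    if (ring_pop(r, &s) < 0 || s.type != SLOT_FILE_INFO || s.len < 9) return -1;
    if (s.len - 8 > path_cap || s.data[s.len - 1] != 0) return -1;
    memcpy(&expected, s.data, 8);
    memcpy(path_out, s.data + 8, s.len - 8);
    for (;;) {
        if (ring_pop(r, &s) < 0 || s.type != SLOT_FILE_DATA || s.seq != want_seq++) return -1;
        if (got + s.len > cap) return -1;
        memcpy(buf + got, s.data, s.len);
        got += s.len;
        if (s.last) break;
    }
    *out_len = got;
    return fnv1a64(buf, got) == expected ? 0 : -1;
}
/* A constructed n-byte file round-tripped through a fresh ring; returns the
 * slots used, or -1 (too big for one ring fill, or corrupted on the way). */
int demo_roundtrip(size_t n) {
    static uint8_t file[16 * SLOT_DATA], back[16 * SLOT_DATA];
    char path[64];
    size_t got = 0;
    if (n > sizeof file) return -1;
    for (size_t i = 0; i < n; i++) file[i] = (uint8_t)(i * 31 + 7);
    ring_init(&shared_ring);
    int used = send_file(&shared_ring, "C:\\Temp\\sample.bin", file, n);
    if (used < 0 || receive_file(&shared_ring, path, sizeof path, back, sizeof back, &got) < 0)
        return -1;
    return got == n && memcmp(file, back, n) == 0 && strcmp(path, "C:\\Temp\\sample.bin") == 0 ? used : -1;
}
int main(void) {
    printf("3000-byte file: %d slots\n", demo_roundtrip(3000));
    printf("14 full chunks: %d slots (ring exactly full)\n", demo_roundtrip(14 * SLOT_DATA));
    printf("one byte more:  %d (front end must wait for the back end)\n", demo_roundtrip(14 * SLOT_DATA + 1));
    return 0;
}
```

With 15 usable slots, a file of up to 14 chunks of 1016 bytes fits in one fill; one byte more needs a sixteenth slot, and `send_file` reports the stall that the real front end resolves by waiting for the back end's event-channel notification and then continuing from where it stopped.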
The decision module resides in user space in the privileged virtual domain and contains a policy database; it is mainly used to judge whether an application program is legitimate and to decide whether that application is allowed to run. The decision module communicates with the kernel module (the back-end driver) using ordinary communication methods.
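The front-end driver's SSDT hook and the allow/deny round trip through the decision module described above, as an added example that is not the patent's code: a user-space model in which a function-pointer table stands in for the SSDT, a constructed three-entry "file system" stands in for disk, and the white list and the byte signature are invented for the example. The service name, status codes and the deny-by-default handling of an unknown program (the patent asks the user instead) are likewise this example's assumptions.

```c
/* Added example, not the patent's code: a user-space model of the front-end
 * driver's SSDT hook and of the allow/deny round trip through the decision
 * module. Table, files, white list, signature and status codes are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS        0
#define STATUS_ACCESS_DENIED  (-1)
#define STATUS_NOT_FOUND      (-2)

typedef int (*service_fn)(const char *path);
enum { SVC_CREATE_SECTION = 0, SVC_COUNT };     /* constructed service index */
enum verdict { ALLOW, DENY, UNKNOWN };

static service_fn ssdt[SVC_COUNT];              /* stands in for the real SSDT */
static service_fn saved_original;               /* entry saved when hooking */

/* Constructed files; in the real design their bytes cross the I/O ring. */
struct fake_file { const char *path; const char *content; };
static const struct fake_file files[] = {
    { "C:\\Windows\\notepad.exe", "MZ benign editor" },
    { "C:\\Temp\\dropper.exe",    "MZ drop+exec EVIL-SIG-1 payload" },
    { "C:\\Temp\\unknown.exe",    "MZ unknown tool" },
};
static const char *whitelist[] = { "C:\\Windows\\notepad.exe" };
static const uint8_t evil_sig[] = "EVIL-SIG-1";

static const struct fake_file *lookup(const char *path) {
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        if (strcmp(files[i].path, path) == 0) return &files[i];
    return NULL;
}

/* The original service routine: mapping the image succeeds if it exists. */
static int nt_create_section(const char *path) {
    return lookup(path) ? STATUS_SUCCESS : STATUS_NOT_FOUND;
}

/* Byte-pattern search standing in for signature scanning. */
static int has_signature(const uint8_t *buf, size_t n, const uint8_t *sig, size_t m) {
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(buf + i, sig, m) == 0) return 1;
    return 0;
}

/* Decision module model (user space in the privileged domain): white list by
 * path first, then the signature black list, otherwise UNKNOWN. */
enum verdict decide(const char *path, const uint8_t *content, size_t n) {
    for (size_t i = 0; i < sizeof whitelist / sizeof whitelist[0]; i++)
        if (strcmp(whitelist[i], path) == 0) return ALLOW;
    if (has_signature(content, n, evil_sig, sizeof evil_sig - 1)) return DENY;
    return UNKNOWN;
}

/* Redirect code placed in the SSDT slot: intercept, wait for the verdict,
 * then call the saved original or fail the call. UNKNOWN is treated as deny
 * here because no user is attached in this example. */
static int hooked_create_section(const char *path) {
    const struct fake_file *f = lookup(path);
    if (!f) return saved_original(path);        /* nothing to scan */
    enum verdict v = decide(path, (const uint8_t *)f->content, strlen(f->content));
    return v == ALLOW ? saved_original(path) : STATUS_ACCESS_DENIED;
}

int ssdt_init(void) {
    ssdt[SVC_CREATE_SECTION] = nt_create_section;
    saved_original = NULL;
    return 0;
}
int install_hook(void) {
    if (saved_original) return -1;              /* already hooked */
    saved_original = ssdt[SVC_CREATE_SECTION];
    ssdt[SVC_CREATE_SECTION] = hooked_create_section;
    return 0;
}
int remove_hook(void) {
    if (!saved_original) return -1;
    ssdt[SVC_CREATE_SECTION] = saved_original;
    saved_original = NULL;
    return 0;
}
/* The kernel's dispatcher: index the table by service number. */
int syscall_dispatch(int svc, const char *path) {
    if (svc < 0 || svc >= SVC_COUNT) return STATUS_NOT_FOUND;
    return ssdt[svc](path);
}

int main(void) {
    const char *targets[] = { "C:\\Windows\\notepad.exe", "C:\\Temp\\dropper.exe",
                              "C:\\Temp\\unknown.exe" };
    ssdt_init();
    install_hook();
    for (size_t i = 0; i < 3; i++)
        printf("%-26s -> %d\n", targets[i], syscall_dispatch(SVC_CREATE_SECTION, targets[i]));
    remove_hook();
    return 0;
}
```

The point the model makes visible is the one the patent's memory protection module addresses: `remove_hook` is a single pointer store, and a rootkit in the guest with kernel privilege can perform exactly that store on the real SSDT, which is why the table entry and the redirect code are the byte ranges the back-end driver reports to the hypervisor for write protection.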
To protect the front-end driver in the user virtual machine, a byte-level memory write-protection module is implemented in the virtual machine monitor layer and applied to the front-end driver. First the memory address ranges to be protected are recorded. The shadow page table (SPT) is empty initially and is built up gradually as the system runs; whenever an SPT entry is generated for a page, the module checks whether that page in the guest page table (GPT) contains a protected memory address, and if so the page is marked read-only in the SPT. This gives page-level write protection, but not every byte in such a page needs protection, so when a write fault occurs the handler must further check whether the address written by the faulting instruction is a protected address: the faulting address in the CR2 register is compared with the protected addresses. If it is protected, a page fault is returned to the guest virtual machine; otherwise the write operation must be emulated.
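The byte-level write-protect decision described above (and in the summary of the invention), as an added example that is not the patent's code: a user-space model of the hypervisor side, with guest memory, a lazily built shadow page table and the write-fault path simulated. The two-page guest memory window, its base address, the protected range and the treatment of a multi-byte store (the whole accessed span is compared with the protected ranges, not just the CR2 byte) are this example's assumptions.

```c
/* Added example, not the patent's code: a user-space model of the byte-level
 * write-protect module in the hypervisor. Guest memory, the shadow page table
 * and the page-fault path are simulated; the memory window, base address and
 * protected range are constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define MEM_BASE   0x80100000UL          /* constructed guest virtual base */
#define MEM_PAGES  2
#define MAX_RANGES 8

enum write_result { WRITE_DIRECT, WRITE_EMULATED, WRITE_FAULT_INJECTED, WRITE_BAD_ADDR };

struct range { uint64_t start, end; };  /* protected bytes: [start, end) */
static struct range protected_ranges[MAX_RANGES];
static size_t nranges;

/* One shadow entry per guest page; present == 0 means the SPT has not been
 * filled in for that page yet (the table starts empty and grows on demand). */
struct spte { int present; int writable; };
static struct spte spt[MEM_PAGES];
static uint8_t guest_mem[MEM_PAGES * PAGE_SIZE];

/* Step 1: the back-end driver reports the front-end driver's byte ranges. */
int protect_range(uint64_t start, uint64_t len) {
    if (nranges == MAX_RANGES || len == 0) return -1;
    protected_ranges[nranges].start = start;
    protected_ranges[nranges].end = start + len;
    nranges++;
    return 0;
}

static int overlaps(uint64_t a0, uint64_t a1, uint64_t b0, uint64_t b1) {
    return a0 < b1 && b0 < a1;
}

/* Does any protected byte fall inside the page that holds gva? */
int page_has_protected_bytes(uint64_t gva) {
    uint64_t p0 = gva & ~(PAGE_SIZE - 1);
    for (size_t i = 0; i < nranges; i++)
        if (overlaps(p0, p0 + PAGE_SIZE, protected_ranges[i].start, protected_ranges[i].end))
            return 1;
    return 0;
}

/* Does a store of 'width' bytes at gva touch any protected byte? This is the
 * CR2-versus-protected-address comparison, widened to the whole access. */
int write_hits_protected(uint64_t gva, size_t width) {
    for (size_t i = 0; i < nranges; i++)
        if (overlaps(gva, gva + width, protected_ranges[i].start, protected_ranges[i].end))
            return 1;
    return 0;
}

static int page_index(uint64_t gva) {
    if (gva < MEM_BASE || gva >= MEM_BASE + MEM_PAGES * PAGE_SIZE) return -1;
    return (int)((gva - MEM_BASE) >> PAGE_SHIFT);
}

/* Step 2: build the shadow entry on first touch. A page holding protected
 * bytes is mapped read-only although the guest page table says writable. */
static struct spte *shadow_entry(uint64_t gva) {
    int idx = page_index(gva);
    if (!spt[idx].present) {
        spt[idx].present = 1;
        spt[idx].writable = !page_has_protected_bytes(gva);
    }
    return &spt[idx];
}

/* Step 3: the guest executes a 'width'-byte store at gva. */
enum write_result guest_write(uint64_t gva, const void *src, size_t width) {
    if (width == 0 || page_index(gva) < 0 || page_index(gva + width - 1) < 0)
        return WRITE_BAD_ADDR;
    struct spte *first = shadow_entry(gva);
    struct spte *last  = shadow_entry(gva + width - 1);  /* store may cross a page */
    if (first->writable && last->writable) {
        memcpy(guest_mem + (gva - MEM_BASE), src, width);
        return WRITE_DIRECT;
    }
    /* #PF taken in the hypervisor; CR2 holds gva. */
    if (write_hits_protected(gva, width))
        return WRITE_FAULT_INJECTED;     /* reflect the fault into the guest */
    memcpy(guest_mem + (gva - MEM_BASE), src, width);  /* unprotected bytes: emulate */
    return WRITE_EMULATED;
}

uint8_t guest_read_byte(uint64_t gva) {
    return page_index(gva) < 0 ? 0 : guest_mem[gva - MEM_BASE];
}

int main(void) {
    static const char *names[] = { "direct", "emulated", "fault injected", "bad address" };
    protect_range(MEM_BASE + 0x100, 16);   /* e.g. the hook's redirect stub */
    printf("store into protected byte:     %s\n", names[guest_write(MEM_BASE + 0x100, "\xAA", 1)]);
    printf("store beside it, same page:    %s\n", names[guest_write(MEM_BASE + 0x110, "\xAA", 1)]);
    printf("4-byte store straddling 0x100: %s\n", names[guest_write(MEM_BASE + 0xFE, "\x44\x33\x22\x11", 4)]);
    printf("store on an unrelated page:    %s\n", names[guest_write(MEM_BASE + PAGE_SIZE + 8, "\xAA", 1)]);
    return 0;
}
```

Two cases matter in practice and are covered here: a store that begins just below a protected range but spills into it must still be refused, and a store that crosses from a protected page into an unprotected one is emulated only if none of its bytes land in a protected range. Every store to an unprotected byte of a protected page costs a trap and an emulation, which is why the ranges reported to the hypervisor should be kept as small as possible.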
The interaction of the modules, as shown in Fig. 2:
1. The back-end driver allocates an unbound event channel and the shared pages.
2. The back-end driver initializes the I/O ring.
3. The back-end driver writes the ring address and the event channel port number into Xenstore (the shared storage area Xen provides for device initialization).
4. The front-end driver reads this information from Xenstore.
5. The front-end driver binds the event channel and maps the I/O ring memory.
6. The front-end driver tells the virtual machine monitor the interrupt number to use.
7. The front-end driver allocates an event channel of its own and binds it to the back-end driver, establishing a bidirectional connection.

Claims (1)

1. An active defense method based on Xen, characterized in that: Xen is used to generate a user virtual machine for the user's use; a back-end driver is placed in the privileged virtual machine and a front-end driver in the user virtual machine; information inside the user virtual machine is obtained through communication between the front-end and back-end drivers, and behaviour inside the user virtual machine is controlled; byte-level memory write protection of the front-end driver in the user virtual machine is implemented in the virtual machine monitor layer; and the front-end/back-end driver communication uses a para-virtualized communication mode;
the front-end driver runs in the user virtual machine, is implemented as a virtual peripheral component interconnect (PCI) device driver and initializes automatically at system start-up; the front-end driver has two functions: the first is intercepting system calls, implemented by hooking the SSDT and installing redirect code; the intercepted information is sent to the back-end driver and judged by the decision module;
the back-end driver is implemented as a kernel module and has two functions: it communicates with the front-end driver to obtain the intercepted system information and related data, passes those data to the user-mode decision module and, after the decision module has made its judgement, sends the result back to the front-end driver; and, after the front-end driver has initialized its hooks and redirect code, it notifies the memory protection module in the virtual machine monitor of the corresponding memory address ranges to protect;
when the front-end driver communicates with the back-end driver, a para-virtualized communication mode is used; the components inside the user virtual machine are required to be aware that they are in a virtual machine, and the code for the Xen mechanisms used by the split driver model is ported, comprising hypercalls (Hypercall), event channels, Xenstore and grant tables (Grant table); Xenstore is the shared storage area Xen provides for device initialization, used to read, when the user virtual machine starts, the device initialization information provided by the privileged virtual machine; the front-end driver also uses Xenstore to connect to the back-end driver during its initialization, and thereafter communicates with the back-end driver through the event channel and the I/O ring; after the front-end driver intercepts system information, it uses a hypercall to ask the virtual machine monitor to stop scheduling it while it waits for the decision module's decision;
the I/O ring is a structure implemented on Xen's shared memory mechanism for exchanging data between split drivers and comes in two kinds: fixed-slot-size I/O rings, used by network and storage devices, and variable-slot-size I/O rings, used by Xenstore; two kinds of data need to be transferred: file information with its hash value, and the files to be scanned; one fixed-slot-size I/O ring is used for both, and a flag field distinguishes the data type;
when the back-end driver initializes, it allocates an unbound event channel, initializes the I/O ring, and writes the event channel port number and the ring address into Xenstore; the front-end driver reads this information from Xenstore, binds the event channel, maps the ring address, uses a hypercall to tell the virtual machine monitor which interrupt number to use when notifying this virtual domain, and registers an interrupt handler for that interrupt;
a byte-level memory write-protection module is implemented in the virtual machine monitor layer and applied to the front-end driver; first the memory address ranges to be protected are recorded; the shadow page table (SPT) is empty initially and is built up gradually as the system runs; in the process of generating the SPT entry for a page, it is checked whether that page in the user virtual machine's page table (GPT) contains a protected memory address, and if so the page is marked read-only in the SPT, giving page-level write protection; since not every byte in the page needs protection, when a write fault occurs the handler further checks whether the address written by the faulting instruction is a protected address, comparing the faulting address stored by the CPU in the CR2 register with the protected addresses; if it is, a page fault is returned to the user virtual machine, otherwise the write operation is emulated.
Application CN2011100699239A: priority date 2011-03-22, filing date 2011-03-22, title "Xen-based active defense method", status Expired - Fee Related, granted as CN102129531B.

Publications (2)

Publication Number | Publication Date
CN102129531A | 2011-07-20
CN102129531B | 2013-07-24

Family ID: 44267614 (one family application, CN2011100699239A; country status: CN, CN102129531B)

Cited By (23)

All entries cited by examiner.
Publication number | Priority date | Publication date | Assignee | Title
CN102289620A | 2011-08-12 | 2011-12-21 | 华南理工大学 | Credible equipment virtualization system and method based on Xen safety computer
CN102722678A | 2012-05-31 | 2012-10-10 | 北京朋创天地科技有限公司 | Executable program protection mechanism for virtual desktop
CN102799491A | 2012-06-19 | 2012-11-28 | 中国科学院计算技术研究所 | Inter-virtual-machine secure communication method
CN103023912A | 2012-12-26 | 2013-04-03 | 蓝盾信息安全技术股份有限公司 | Method for preventing network attacks based on virtual machines
CN103207763A | 2013-04-26 | 2013-07-17 | 上海交通大学 | Front-end caching method based on xen virtual disk device
CN103996004A | 2014-06-12 | 2014-08-20 | 浪潮电子信息产业股份有限公司 | Highly-available system design method based on virtualization
CN104461678A | 2014-11-03 | 2015-03-25 | 中国科学院信息工程研究所 | Method and system for providing password service in virtualized environment
CN104750534A | 2013-12-26 | 2015-07-01 | 华为技术有限公司 | Method, device and system for triggering self-examination of virtual machine
CN104899512A | 2015-05-26 | 2015-09-09 | 浪潮电子信息产业股份有限公司 | Windows system service descriptor table tamper-proofing apparatus and method
CN104951694A | 2014-03-24 | 2015-09-30 | 华为技术有限公司 | Isolation method and apparatus for management virtual machine
CN105389133A | 2015-12-02 | 2016-03-09 | 华为技术有限公司 | Virtual memory driving method and driver
CN105393229A | 2013-07-17 | 2016-03-09 | 比特梵德知识产权管理有限公司 | Page fault injection in virtual machines to cause mapping of swapped-out memory pages into (VM) virtualized memory
CN105653937A | 2015-12-30 | 2016-06-08 | 北京神州绿盟信息安全科技股份有限公司 | File protection method and apparatus
CN106027511A | 2016-05-13 | 2016-10-12 | 北京工业大学 | Protocol isolation method based on deep resolution of Modbus/TCP (Transmission Control Protocol)
CN106446674A | 2016-07-27 | 2017-02-22 | 长春理工大学 | Attack prediction-based virtual machine monitoring resource allocation method in cloud computing environment
CN106650463A | 2016-12-16 | 2017-05-10 | 郑州云海信息技术有限公司 | System and method for preventing window system service description table from being tampered
CN106850661A | 2017-02-28 | 2017-06-13 | 郑州云海信息技术有限公司 | Virtualization security monitoring method and system
CN106850565A | 2016-12-29 | 2017-06-13 | 河北远东通信系统工程有限公司 | High-speed network data transmission method
CN106897121A | 2017-03-01 | 2017-06-27 | 四川大学 | Agentless client process protection method based on virtualization technology
WO2017107625A1 | 2015-12-23 | 2017-06-29 | 华为技术有限公司 | Method and device for protecting virtual machine kernel
CN107169347A | 2017-05-08 | 2017-09-15 | 中国科学院信息工程研究所 | Method and device for enhancing virtual machine introspection security on the ARM platform
CN108563491A | 2018-04-17 | 2018-09-21 | 哈尔滨工业大学 | Virtual machine based automatic introspection management, configuration and introspection method
CN110874468A | 2018-08-31 | 2020-03-10 | 华为技术有限公司 | Application program safety protection method and related equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101008903A (en) * 2006-01-23 2007-08-01 联想(北京)有限公司 Virtual machine system and device access method thereof
CN101493781A (en) * 2008-01-24 2009-07-29 中国长城计算机深圳股份有限公司 Virtual machine system and start-up method thereof
US20090199132A1 (en) * 2006-07-10 2009-08-06 Devicevm, Inc. Quick access to virtual applications

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101008903A (en) * 2006-01-23 2007-08-01 联想(北京)有限公司 Virtual machine system and device access method thereof
US20090199132A1 (en) * 2006-07-10 2009-08-06 Devicevm, Inc. Quick access to virtual applications
CN101493781A (en) * 2008-01-24 2009-07-29 中国长城计算机深圳股份有限公司 Virtual machine system and start-up method thereof

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Wanfang Data (China), 2009-12-31, He Qing (贺青), "Design and Research of a Highly Stealthy Virtual Honeynet Based on Xen" *
Computer Engineering (《计算机工程》), 2009-12-05, Hu Lengfei (胡冷非) et al., "Research on Xen-based I/O Para-virtualized Drivers", Vol. 35, No. 23 *
Hu Lengfei (胡冷非) et al.: "Research on Xen-based I/O Para-virtualized Drivers", Computer Engineering (《计算机工程》) *
He Qing (贺青): "Design and Research of a Highly Stealthy Virtual Honeynet Based on Xen", Wanfang Data (China) *

Cited By (41)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102289620A (en) * 2011-08-12 2011-12-21 华南理工大学 Credible equipment virtualization system and method based on Xen safety computer
CN102722678B (en) * 2012-05-31 2016-06-15 北京朋创天地科技有限公司 Virtual desktop executable program protection mechanism
CN102722678A (en) * 2012-05-31 2012-10-10 北京朋创天地科技有限公司 Executable program protection mechanism for virtual desktop
CN102799491A (en) * 2012-06-19 2012-11-28 中国科学院计算技术研究所 Inter-virtual-machine secure communication method
CN103023912A (en) * 2012-12-26 2013-04-03 蓝盾信息安全技术股份有限公司 Method for preventing network attacks based on virtual machines
CN103207763B (en) * 2013-04-26 2015-11-25 上海交通大学 Front-end caching method based on Xen virtual disk device
CN103207763A (en) * 2013-04-26 2013-07-17 上海交通大学 Front-end caching method based on xen virtual disk device
CN105393229A (en) * 2013-07-17 2016-03-09 比特梵德知识产权管理有限公司 Page fault injection in virtual machines to cause mapping of swapped-out memory pages into (VM) virtualized memory
CN105393229B (en) * 2013-07-17 2019-01-18 比特梵德知识产权管理有限公司 Page fault injection in virtual machine
US9785770B2 (en) 2013-12-26 2017-10-10 Huawei Technologies Co., Ltd. Method, apparatus, and system for triggering virtual machine introspection
CN104750534B (en) * 2013-12-26 2018-10-30 华为技术有限公司 Method, apparatus and system for triggering virtual machine introspection
CN104750534A (en) * 2013-12-26 2015-07-01 华为技术有限公司 Method, device and system for triggering self-examination of virtual machine
CN104951694A (en) * 2014-03-24 2015-09-30 华为技术有限公司 Isolation method and apparatus for management virtual machine
US9971623B2 (en) 2014-03-24 2018-05-15 Huawei Technologies Co., Ltd. Isolation method for management virtual machine and apparatus
CN104951694B (en) * 2014-03-24 2018-04-10 华为技术有限公司 Isolation method and device for management virtual machine
CN103996004A (en) * 2014-06-12 2014-08-20 浪潮电子信息产业股份有限公司 Highly-available system design method based on virtualization
CN103996004B (en) * 2014-06-12 2018-09-04 浪潮电子信息产业股份有限公司 High-availability system design method based on virtualization
CN104461678A (en) * 2014-11-03 2015-03-25 中国科学院信息工程研究所 Method and system for providing password service in virtualized environment
CN104461678B (en) * 2014-11-03 2017-11-24 中国科学院信息工程研究所 Method and system for providing cryptographic service in a virtualized environment
CN104899512A (en) * 2015-05-26 2015-09-09 浪潮电子信息产业股份有限公司 Windows system service descriptor table tamper-proofing apparatus and method
CN105389133B (en) * 2015-12-02 2018-10-12 华为技术有限公司 Virtual memory driving method and driver
CN105389133A (en) * 2015-12-02 2016-03-09 华为技术有限公司 Virtual memory driving method and driver
CN106909437A (en) * 2015-12-23 2017-06-30 华为技术有限公司 Virtual machine kernel protection method and device
CN106909437B (en) * 2015-12-23 2021-01-29 华为技术有限公司 Virtual machine kernel protection method and device
US10754943B2 (en) 2015-12-23 2020-08-25 Huawei Technologies Co., Ltd. Virtual machine kernel protection method and apparatus
WO2017107625A1 (en) * 2015-12-23 2017-06-29 华为技术有限公司 Method and device for protecting virtual machine kernel
CN105653937A (en) * 2015-12-30 2016-06-08 北京神州绿盟信息安全科技股份有限公司 File protection method and apparatus
CN106027511A (en) * 2016-05-13 2016-10-12 北京工业大学 Protocol isolation method based on deep resolution of Modbus/TCP (Transmission Control Protocol)
CN106446674A (en) * 2016-07-27 2017-02-22 长春理工大学 Attack prediction-based virtual machine monitoring resource allocation method in cloud computing environment
CN106650463A (en) * 2016-12-16 2017-05-10 郑州云海信息技术有限公司 System and method for preventing the Windows system service descriptor table from being tampered with
CN106850565A (en) * 2016-12-29 2017-06-13 河北远东通信系统工程有限公司 High-speed network data transmission method
CN106850565B (en) * 2016-12-29 2019-06-18 河北远东通信系统工程有限公司 High-speed network data transmission method
CN106850661A (en) * 2017-02-28 2017-06-13 郑州云海信息技术有限公司 Virtualization security monitoring method and system
CN106897121B (en) * 2017-03-01 2019-06-25 四川大学 Agentless guest process protection method based on virtualization technology
CN106897121A (en) * 2017-03-01 2017-06-27 四川大学 Agentless guest process protection method based on virtualization technology
CN107169347B (en) * 2017-05-08 2019-07-05 中国科学院信息工程研究所 Method and device for enhancing the introspection security of ARM platform virtual machines
CN107169347A (en) * 2017-05-08 2017-09-15 中国科学院信息工程研究所 Method and device for enhancing the introspection security of ARM platform virtual machines
CN108563491A (en) * 2018-04-17 2018-09-21 哈尔滨工业大学 Virtual machine-based introspection automation management, configuration and introspection method
CN108563491B (en) * 2018-04-17 2022-03-29 哈尔滨工业大学 Virtual machine-based introspection automation management, configuration and introspection method
CN110874468A (en) * 2018-08-31 2020-03-10 华为技术有限公司 Application program safety protection method and related equipment
CN110874468B (en) * 2018-08-31 2024-02-09 华为技术有限公司 Application program security protection method and related equipment

Also Published As

Publication number Publication date
CN102129531B (en) 2013-07-24

Similar Documents

Publication Publication Date Title
CN102129531B (en) Xen-based active defense method
Cui et al. Securing display path for security-sensitive applications on mobile devices
Embleton et al. SMM rootkits: a new breed of OS independent malware
US8732824B2 (en) Method and system for monitoring integrity of running computer system
US8434155B2 (en) Pre-boot protected memory channel
Qi et al. ForenVisor: A tool for acquiring and preserving reliable data in cloud live forensics
US20160350530A1 (en) Data blackhole processing method based on mobile storage device, and mobile storage device
Zhang et al. Memory forensic challenges under misused architectural features
Jayaram Masti et al. An architecture for concurrent execution of secure environments in clouds
Cheng et al. DriverGuard: Virtualization-based fine-grained protection on i/o flows
Salaün Practical overview of a Xen covert channel
Sever et al. Efficiency and security of docker based honeypot systems
Wang et al. Vmdetector: A vmm-based platform to detect hidden process by multi-view comparison
CN107169347B (en) Method and device for enhancing the introspection security of ARM platform virtual machines
Zhang et al. Now you see me: Hide and seek in physical address space
Grace et al. Transparent protection of commodity os kernels using hardware virtualization
US20230098117A1 (en) Translation lookaside buffer (tlb) poisoning attacks on secure encrypted virtualization
Stewin Detecting peripheral-based attacks on the host memory
US20170185767A1 (en) Stand-alone data black hole processing method and computing device
Sparks et al. Windows rootkits: a game of "hide and seek"
Zhang et al. Super Root: A New Stealthy Rooting Technique on ARM Devices
Zheng et al. TZ-KPM: Kernel protection mechanism on embedded devices on hardware-assisted isolated environment
Ding et al. Improving flask implementation using hardware assisted in-VM isolation
Brookes Mitigating Privilege Escalation
RU2768196C2 (en) Protected storage device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130724