CN103279414B - Covert channel detection method applicable to the Xen virtualization platform

Info

Publication number: CN103279414B
Authority: CN (China)
Legal status: Expired - Fee Related
Application number: CN201310195439.XA
Other languages: Chinese (zh)
Other versions: CN103279414A (en)
Inventors: 沈晴霓, 张壮壮, 吴中海, 卿斯汉
Current assignee: Peking University
Original assignee: Peking University
Application filed by Peking University

Abstract

The invention discloses a covert channel detection method applicable to the Xen virtualization platform. The method is: 1) find the atomic operations of the Xen virtualization platform and determine the entry function of each atomic operation; 2) construct a variable descriptor table for each entry function and give its output parameter list; 3) intersect the obtained variable descriptor tables pairwise; if a variable in the intersection has the read attribute R in one variable descriptor table and the write attribute W in the other, and the variable is equivalent to an output parameter of the entry function whose variable descriptor table carries the read attribute R, judge the variable to be a potential covert channel; 4) construct a scenario for the detected potential covert channel to verify whether it is a true covert channel. The invention greatly reduces the workload and can accurately locate the position and the call relations of the shared resource of a potential covert channel.

Description

Covert channel detection method applicable to the Xen virtualization platform
Technical field
The invention belongs to the field of virtualization platform security and mainly relates to a method for detecting covert channels in the Xen virtualization platform.
Background
The Xen virtualization platform originated in the open-source virtual machine project started by the University of Cambridge Computer Laboratory in April 2002. It is now widely deployed on large servers, so security research on it has important theoretical and practical significance.
The concept of the covert channel was first proposed by Lampson in 1973. The Chinese national standard GB/T 17859-1999 defines a covert channel as a communication channel that allows an operating process to transmit information in a way that violates the system security policy. Secure operating systems are now at the critical stage of crossing from the third level to the fourth level, and covert channel analysis is a key link in that transition.
In the 40 years since the covert channel problem was raised, the objects of covert channel research have extended from operating systems to databases, networks and, now, cloud environments. In terms of depth, however, current research methods and engineering practice are mostly carried out at the operating system level. With the rise of cloud computing, cloud security problems, covert channels included, are becoming more prominent by the day.
Cloud computing is another great change following the shift from mainframe computers to client-server computing and is regarded as the third wave of information technology. Virtualization technology is the core component of cloud computing systems, the key technology for fully integrating and efficiently utilizing diverse computing and storage resources, and the cornerstone of the flexibility of cloud computing infrastructure. Security research on virtualization technology is therefore of profound significance to cloud security. Xen is one of the most widely used virtualization platforms today, so studying the covert channel problem on it not only strongly promotes the refinement and extension of covert channel theory but also offers useful insight into covert channel problems in cloud security and cloud environments.
The patents related to covert channel analysis of virtualization platforms that can currently be found are the following.
The patent with publication number 101364203 and title "A systematic analysis and division method oriented to covert channel analysis" discloses a method in the technical field of covert channel analysis. The method comprises the following steps. Step 10: initialization. Step 11: judge whether the function call graph is empty; if it is empty, go to step 12, which means the analysis and division algorithm terminates, otherwise go to step 13. Step 12: output the analysis result. Step 13: judge whether the function call graph is connected. Step 14: find all disconnected branches of the function call graph. Step 15: analyze each connected component of the function call graph in turn. Step 16: judge whether the function call graph contains a node that does not depend on other nodes. Step 18: delete the node with out-degree 0 from the function call graph and append it to the end of the result linked list. Step 19: judge whether a maximal strongly connected subgraph exists in the function call graph; if so, go to step 1A, otherwise go to step 11. Step 1A: find the maximal strongly connected subgraph in the function call graph. Step 1B: delete this maximal strongly connected subgraph. Step 1C: end.
Although this patent also belongs to the technical field of covert channel analysis, its focus is mainly on analyzing the function call relations of the whole system and dividing the system into connected components for analysis.
The patent with publication number 101257417 and title "TCP/IP protocol covert channel detection method based on fuzzy neural network" discloses a TCP/IP protocol covert channel detection method based on a fuzzy neural network. The method uses a fuzzy neural network to analyze the fields of the TCP/IP packet header structure passing through the network interface and introduces a new way of detecting network covert channels: first the TCP/IP packets flowing out of the network interface are captured; the option fields in the packet header structure are analyzed to obtain a network connection feature vector; the feature vector is fed into a fuzzy neural network, and an adaptive neuro-fuzzy inference system is used to train the fuzzy neural network and obtain its model; the feature vector is then fed into the trained fuzzy neural network model to obtain an output value; finally, fuzzy clustering is applied to the output value to tell whether a covert channel exists in the output data. This invention applies to mainstream operating systems, has a wide range of application, can increase the security of the operating system, and effectively prevents the leakage of confidential information.
Although this patent also concerns the realization of a covert channel detection method, its object is the analysis of network covert channels such as those in the TCP/IP protocol, which it carries out with a fuzzy neural network method.
Summary of the invention
There is currently no related patent addressing the covert channel analysis problem of the Xen virtualization platform. With the rise of cloud computing, however, cloud security problems, covert channels included, are becoming more prominent by the day. Since virtualization technology is the core component of cloud computing systems, analyzing the covert channels of the Xen virtualization platform has all the more theoretical and practical significance. To meet this need, the invention provides a covert channel detection method applicable to the Xen virtualization platform. The invention analyzes the entry functions of the key operations of the related mechanisms and policies of the Xen virtualization platform, analyzes their external variables and gives a variable descriptor for each, and thereby obtains the variable descriptor table of each function. By comparing the variable descriptor tables of different functions, potential covert channels can be identified.
Some terms used in the invention are first explained:
One, atomic operation: an atomic operation refers to a basic operation in the Xen system that realizes a certain function of a Xen basic mechanism or policy; the Xen system usually defines a fixed group of atomic operations for each of its basic mechanisms/policies.
All atomic operations related to a Xen basic mechanism or policy can be derived from the description in the Xen functional specification or from an analysis of its code implementation. At the code level, each atomic operation corresponds to one case branch of the switch statement in its handling function.
Two, marking variable: suppose variable a is an external variable accessed by function f (an external variable is a variable whose scope lies outside the function body of f; to find the external variables of a function, check whether each variable the function references is defined inside the function body, and if not, it is an external variable of the function). Identifying the kernel data structure to which variable a belongs then defines the marking variable of a. The written form of a marking variable is "data structure.variable"; if the kernel data structures are nested, it is written as "outermost data structure. ... .innermost data structure.variable".
Three, variable descriptor: a variable descriptor in a function is represented as <marking variable, function name, operation of the function on the variable, condition required for the read operation, condition required for the modify operation>. (Variable here refers specifically to those variables whose scope lies outside the function body.)
The operation of a function on a variable is one of three kinds: read, modify, or both (a new variable created inside the function is treated as read and modified), represented by R, W and RW respectively. The condition required for the read or modify operation is the condition that must hold for the function to read or modify the variable; if there is no restricting condition, it is replaced by NULL.
Four, variable descriptor table: the set of the descriptors of all external variables of a function forms the variable descriptor table of that function. It also includes the variable descriptor tables of every other function that this function calls.
Analyzing all the external variables of a function yields the corresponding set of variable descriptors. Provided that recursive calls and cycles in the function call relation are removed, the call relation of a function is finite, so the variable descriptor tables of the other functions it calls are included in the resulting set.
Five, variable equivalence: according to the alias rule, if variable a is an alias of variable b, or if there is a corresponding relation between the value changes of variable a and variable b, the two variables can be regarded as equivalent.
The covert channel detection method based on the Xen virtualization platform is shown in Fig. 1; its concrete steps are:
1) Find all atomic operations according to the basic mechanisms and policies of Xen, and determine their entry functions;
2) Construct a variable descriptor table for each entry function and give its output parameter list (which can be obtained by analyzing the function return value or data transfer functions such as copy_to_user()). The method of constructing the variable descriptor table is: analyze the external variables in the entry function and in all functions it calls, and obtain for each external variable the descriptor <marking variable, function name, operation of the function on the variable, condition required for the read operation, condition required for the modify operation>. These variable descriptors form a set, which is the variable descriptor table of the entry function.
3) Intersect the obtained variable descriptor tables pairwise, with the marking variable attribute as the criterion (the two variable descriptor tables may be the same table). Provided the intersection is not empty, if some variable in the intersection has the read/write attributes R and W respectively in the two original variable descriptor tables, and this variable is equivalent to an output parameter of the entry function corresponding to the variable descriptor table in which it has attribute R, then this variable can form a potential covert channel, as shown in Fig. 2. Parameter equivalence here means that two variables related by the alias rule or by a variable interaction relation can be regarded as equivalent.
4) Construct a scenario for the identified potential covert channel to verify whether it is a true covert channel. In general the scenario is constructed as follows: the atomic operation whose read/write attribute on this variable is W performs a write operation on the variable, the atomic operation whose attribute is R then reads it, and the received secret information is analyzed and derived.
Compared with the prior art, the positive effects of the invention are:
One, because the method starts from the entry functions of the key operations of the basic mechanisms and policies of Xen, it solves the problem of the analysis work growing exponentially because of factors such as the huge size and complex structure of the system source code, and greatly reduces the workload.
Two, because the method is carried out on the basis of a detailed analysis of the external variables of functions, it can accurately locate the position and call relations of the shared resource of a potential covert channel.
Brief description of the drawings
Fig. 1 is the overall flow chart of the method of the invention;
Fig. 2 is the flow chart of pairwise intersecting variable descriptor tables with the marking variable attribute as the criterion.
Embodiment
The invention analyzes the entry functions of the key operations of the related mechanisms and policies of the Xen virtualization platform, analyzes their external variables and gives their variable descriptors, and thereby obtains the variable descriptor table of each function. By comparing the variable descriptor tables of different functions, potential covert channels can be identified. The concrete implementation is as follows (taking the query event channel status operation as the example):
1) Find all atomic operations according to the mechanisms and policies of Xen, and determine their entry functions.
The basic mechanisms and core technologies related to the control and management of the Xen virtualization platform include hypercalls and event channels, which relate to control and communication between virtual machine privilege levels; grant tables, which relate to the sharing and transfer of virtual machine data; the device I/O rings related to virtual device models; and XenStore.
In the event channel mechanism of the Xen system, the corresponding atomic operations include the create event channel operation EVTCHNOP_alloc_unbound, the inter-domain binding operation EVTCHNOP_bind_interdomain, the bind virtual interrupt operation EVTCHNOP_bind_virq, the bind physical interrupt operation EVTCHNOP_bind_pirq, the bind virtual IPI operation EVTCHNOP_bind_ipi, the close event channel operation EVTCHNOP_close, the send event notification operation EVTCHNOP_send, the query event channel status operation EVTCHNOP_status, the bind VCPU operation EVTCHNOP_bind_vcpu, the clear mask bit operation EVTCHNOP_unmask, the reset event channel operation EVTCHNOP_reset, and so on.
Among these, the entry function of the query event channel status atomic operation is the function evtchn_status(); the entry function of the inter-domain binding operation of event channels is the function evtchn_bind_interdomain().
2) Construct a variable descriptor table for each entry function and give its output parameter list.
In the query event channel status atomic operation, the variable chn->state is an external variable of its entry function evtchn_status(); the kernel structure it belongs to is struct evtchn, so its marking variable is struct evtchn.state. The variable descriptor of the variable chn->state in the function evtchn_status() is therefore:
<struct evtchn.state, evtchn_status, R, NULL, NULL>;
After the variable descriptors of all external variables in the function evtchn_status() have been obtained, the variable descriptor table of this function is:
{<struct evtchn.state, evtchn_status, R, NULL, NULL>};
Similarly, the variable descriptor table of the entry function evtchn_bind_interdomain() of the inter-domain binding operation of event channels is:
{<struct task_struct.domain.domain_id, evtchn_bind_interdomain, R, struct evtchn_bind_interdomain.remote_dom=DOMID_SELF, NULL>,
<struct evtchn.state, evtchn_bind_interdomain, RW, NULL, NULL>,
<struct evtchn.u.unbound.remote_domid, evtchn_bind_interdomain, R, NULL, NULL>,
<struct evtchn.u.unbound.remote_port, evtchn_bind_interdomain, W, NULL, NULL>}.
3) Intersect the obtained variable descriptor tables pairwise, with the marking variable attribute as the criterion (the two variable descriptor tables may be the same table).
Intersecting the variable descriptor tables of the EVTCHNOP_status and EVTCHNOP_bind_interdomain atomic operations gives the intersection
{<struct evtchn.state, evtchn_status, R, NULL, NULL>,
<struct evtchn.state, evtchn_bind_interdomain, RW, NULL, NULL>}
and chn->state is equivalent to the output parameter of evtchn_status, the entry function of the EVTCHNOP_status operation, so the variable struct evtchn.state forms a potential covert channel.
4) Construct a scenario for the identified potential covert channel to verify whether it is a true covert channel. The scenario constructed here is: the sending virtual machine process writes the variable struct evtchn.state through the EVTCHNOP_bind_interdomain operation, and the receiving virtual machine process reads the variable struct evtchn.state through the EVTCHNOP_status operation, determining the data transmitted by the sender from the perceived change of the variable struct evtchn.state.
The above operations are repeated for the other atomic operations.
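As an added example (not code from the patent), the pairwise descriptor table intersection of steps 2) and 3) of the method, run on the two tables of the embodiment above; the marking-variable name of the evtchn_status output parameter (struct evtchn_status.status), its alias entry, and the empty output parameter list for evtchn_bind_interdomain are assumptions, since the page names neither.

```python
from dataclasses import dataclass
from itertools import combinations_with_replacement
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class VarDescriptor:
    """<marking variable, function name, operation, read condition, modify condition>;
    a condition of None stands for NULL (no restriction)."""
    var: str
    func: str
    op: str                          # "R", "W" or "RW"
    read_cond: Optional[str] = None
    write_cond: Optional[str] = None

    def reads(self) -> bool:
        return self.op in ("R", "RW")

    def writes(self) -> bool:
        return self.op in ("W", "RW")


@dataclass(frozen=True)
class EntryFunction:
    """Entry function of one atomic operation: its variable descriptor table and its
    output parameter list (output parameters named as marking variables)."""
    name: str
    table: FrozenSet[VarDescriptor]
    outputs: FrozenSet[str]


def equivalent(a: str, b: str, aliases: Dict[str, str]) -> bool:
    """Alias rule: a and b are equivalent if they are the same marking variable
    or one is recorded as an alias of the other."""
    return a == b or aliases.get(a) == b or aliases.get(b) == a


def find_potential_channels(entries: List[EntryFunction],
                            aliases: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return sorted (marking variable, writer entry function, reader entry function)
    triples. Tables are intersected pairwise on the marking variable (a table with
    itself included); a common variable is flagged when one table writes it (W or RW),
    the other reads it (R or RW), and the reading entry function's output parameter
    list contains a variable equivalent to it."""
    hits = set()
    for ef_a, ef_b in combinations_with_replacement(entries, 2):
        common = {d.var for d in ef_a.table} & {d.var for d in ef_b.table}
        for var in common:
            for writer, reader in ((ef_a, ef_b), (ef_b, ef_a)):
                if not any(d.var == var and d.writes() for d in writer.table):
                    continue
                if not any(d.var == var and d.reads() for d in reader.table):
                    continue
                if any(equivalent(var, out, aliases) for out in reader.outputs):
                    hits.add((var, writer.name, reader.name))
    return sorted(hits)


# Descriptor tables transcribed from the embodiment (NULL conditions are None).
EVTCHN_STATUS = EntryFunction(
    name="evtchn_status",
    table=frozenset({VarDescriptor("struct evtchn.state", "evtchn_status", "R")}),
    # The embodiment states that chn->state is equivalent to the output parameter of
    # evtchn_status; the marking-variable name of that output is assumed here.
    outputs=frozenset({"struct evtchn_status.status"}),
)
EVTCHN_BIND_INTERDOMAIN = EntryFunction(
    name="evtchn_bind_interdomain",
    table=frozenset({
        VarDescriptor("struct task_struct.domain.domain_id", "evtchn_bind_interdomain", "R",
                      read_cond="struct evtchn_bind_interdomain.remote_dom=DOMID_SELF"),
        VarDescriptor("struct evtchn.state", "evtchn_bind_interdomain", "RW"),
        VarDescriptor("struct evtchn.u.unbound.remote_domid", "evtchn_bind_interdomain", "R"),
        VarDescriptor("struct evtchn.u.unbound.remote_port", "evtchn_bind_interdomain", "W"),
    }),
    outputs=frozenset(),  # output parameter list not given on the page; left empty
)
# Alias rule entry (assumed): the status output carries the value of chn->state.
ALIASES = {"struct evtchn_status.status": "struct evtchn.state"}


def run_example() -> List[Tuple[str, str, str]]:
    return find_potential_channels([EVTCHN_STATUS, EVTCHN_BIND_INTERDOMAIN], ALIASES)


if __name__ == "__main__":
    for var, writer, reader in run_example():
        print(f"potential covert channel: {var} written by {writer}, read by {reader}")
```

Each flagged triple is only a potential channel in the sense of step 3); step 4) still has to confirm it by scenario construction.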

Claims (6)

1. A covert channel detection method applicable to the Xen virtualization platform, the steps of which are:
1) search the atomic operations of the Xen virtualization platform and determine the entry function of each atomic operation; wherein an atomic operation is a basic operation that realizes a certain function of a basic mechanism or policy in the Xen virtualization platform;
2) construct a variable descriptor table for each entry function and give its output parameter list; wherein the method of constructing the variable descriptor table is: obtain the external variables in the entry function and in all functions called by the entry function, build a variable descriptor for each external variable obtained, and form these variable descriptors into a set, which is the variable descriptor table of the entry function; the representation of a variable descriptor is: <marking variable, function name, operation of the function on the variable, condition required for the read operation, condition required for the modify operation>;
3) intersect the obtained variable descriptor tables pairwise; if a variable in the intersection has the read attribute R in one variable descriptor table and the write attribute W in the other, and this variable is equivalent to an output parameter of the entry function corresponding to the variable descriptor table in which it has the read attribute R, then judge this variable to be a potential covert channel;
wherein the method of judging parameter equivalence is: use the alias rule to judge the equivalence relation between this variable and the output parameter of the entry function corresponding to the variable descriptor table in which it has the read attribute R, so that if variable a is an alias of variable b then variable a and variable b are equivalent; or use the variable interaction relation to judge the equivalence relation between this variable and that output parameter, so that if there is a corresponding relation between the value changes of variable a and variable b then variable a and variable b are regarded as equivalent;
4) construct a scenario for the detected potential covert channel to verify whether the potential covert channel is a true covert channel.
2. The method of claim 1, characterized in that the representation of the marking variable is: let variable a be an external variable accessed by function f and let H be the kernel data structure to which variable a belongs; then the marking variable of variable a has the form H.a.
3. The method of claim 2, characterized in that, if the kernel data structure of the variable is nested, it is represented in the form "outermost data structure. ... .innermost data structure.variable".
4. The method of claim 1, characterized in that the attribute of the external variable in the variable descriptor table comprises: the write attribute W, the read attribute R, or both the read and write attributes RW.
5. The method of claim 1, characterized in that the atomic operations are derived from the Xen virtualization platform according to its basic mechanisms and policies.
6. The method of claim 5, characterized in that the basic mechanisms and policies of the Xen virtualization platform comprise: hypercalls related to control and communication at the virtual machine privilege level, event channels related to control and communication at the virtual machine privilege level, grant tables related to the sharing and transfer of virtual machine data, and the device I/O rings and XenStore related to virtual device models.

Priority Applications (1)

Application number: CN201310195439.XA (CN103279414B); priority date: 2013-05-23; filing date: 2013-05-23; title: Covert channel detection method applicable to the Xen virtualization platform


Publications (2)

CN103279414A (en), published 2013-09-04
CN103279414B (en), published 2016-04-20


Citations (2)

* Cited by examiner, † Cited by third party
CN101257417A * (priority date 2008-03-25, published 2008-09-03, 浙江大学): Method for detecting TCP/IP protocol concealed channel based on fuzzy neural network
CN102402466A * (priority date 2011-08-10, published 2012-04-04, 华为技术有限公司): Method and system for resolving multilateral conflicts of virtualization platform



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160420