CN103345604A - Sandbox system based on light-weight virtual machine monitor and method for monitoring OS with sandbox system - Google Patents

Info

Publication number: CN103345604A
Authority: CN (China)
Prior art keywords: sandbox, module, virtual machine, light weight, virtual
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN2013102983760A
Other languages: Chinese (zh)
Inventors: 程戈, 林政均, 李聪, 陈晰, 陈思娇, 马秋梅
Current assignee: Xiangtan University (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Xiangtan University
Application filed by Xiangtan University

Abstract

The invention discloses a sandbox system based on a lightweight virtual machine monitor (VMM) and a method for monitoring an OS with it. The sandbox system comprises a virtualization management module, a sandbox policy module, a virtual machine communication module and a lightweight virtualization sandbox module, as shown in Figure 1. A lightweight virtual machine sandbox designed specifically for sandbox security can be loaded dynamically according to the user's protection needs. The lightweight virtual machine sandbox migrates the operating system into itself, monitors and intercepts the system calls of a target process, and redirects the target process's suspicious operations on the file system under a sandbox protection path. The sandbox system is transparent to the operating system, small in code size and low in virtualization overhead.

Description

Sandbox system based on a lightweight virtual machine monitor and method for monitoring an OS with it
Technical field
The invention belongs to the field of computer security and specifically relates to a sandbox system based on a lightweight virtual machine monitor.
Background technology
With the spread of computer systems and computer networks, the Internet has become the operating platform for many programs, yet because of vulnerabilities in network protocols, operating systems and browsers themselves, computer systems face security challenges. At present the active defense mechanisms used by mainstream security software are not yet mature: in particular, when the behaviour of legitimate software overlaps with virus behaviour, the active defense mechanism produces false positives and prevents the software from running normally. Faced with increasingly complex virus behaviour, the detection process of active defense also greatly reduces the usability of the computer.
Sandboxes, as a new security model, offer a new approach to these problems: a protected, secure resource area is controlled, and untrusted programs are allowed to run inside it, which both guarantees the normal operation of the program and prevents damage to the real operating system. When a program's behaviour obtains a trust judgement from the operating system's trust mechanism, the behaviour performed in the sandbox can be carried out in the operating system.
CN101873318A (State Network Electric Power Research Institute) discloses a security method for applications and data on an application support platform. By taking over and simulating each interface of the application base framework platform, a virtual container or sandbox independent of the real upper-layer application is created, shielding access to the protected real application system and its related data; all user access runs in the independent virtual container. By analysing the user's run result state or sequence of actions in the virtual container, the safety state of the container is detected; when safety is confirmed, the virtual container's data is imported into the real application; otherwise the virtual container is emptied, the real application is unaffected, and the application and its data are preserved.
CN102595404A (Apple, US) discloses methods and apparatus for securely providing an access control entity (for example an electronic or virtual subscriber identity module (eSIM) component) after the host device that will use it has been deployed. In one embodiment, wireless (for example cellular) user equipment is given a unique device key and a signing certificate, which can be used to provide updates or new eSIMs to the user equipment "in the field". Based on secure certificate transfer using the device key, the user equipment can trust eSIMs sent by unknown third-party eSIM vendors. On the other hand, the operating system (OS) is divided into multiple partitions or "sandboxes". During operation, the user equipment can activate and execute the OS in the sandbox corresponding to the current wireless network, and the personalisation package received when connecting to the network is applied only to that sandbox. Similarly, when loading an eSIM, the OS need only load the list of software necessary for the current runtime environment, and unused software can be activated later.
CN102930210A (Nanjing, Jiangsu science and technology group company) discloses an automated analysis, detection and classification system for malicious program behaviour, characterised in that it comprises the following modules: (1) a static analysis module: before the sample file undergoes sandbox dynamic analysis, static analysis of the structure of the executable file is performed to obtain as much sample-related information as possible; the static analysis report obtained from this information, together with the later reports, becomes the most original data source of the behaviour abstraction module; (2) a sandbox scheduling management module: it manages the transfer of samples and data to each sandbox and controls the flow of automated sample analysis; it controls the startup and exit of each sandbox, implements message exchange and file transfer with each sandbox, and controls the execution of the sample and the simulation of the hosting environment; (3) a sandbox monitoring module: its main goal is to capture the API calls initiated by a specific process and their parameters, while also extracting the modules loaded by the process and the kernel data the operating system maintains for it.
CN1961272A (200580017458.7, Intel) discloses a method of improving the security of a processing system, comprising: evaluating a file according to a file identification policy; identifying, at least in part based on that policy, a file to be marked as suspicious; marking that file so that it is identified as a suspicious file; and, when the suspicious file is executed or accessed, creating a sandbox virtual machine and executing or accessing the suspicious file inside it.
CN102436508A discloses a method of browsing web pages based on sandbox technology, characterised in that: upon receiving an instruction to browse a web page in a sandbox, a framework process is started outside the sandbox so that operations generated in the framework process are handled outside the sandbox. The browser process created by the framework process is intercepted and placed into the sandbox, so that web page access results are saved in a designated directory in the sandbox and/or scripts in the web pages run in the sandbox's virtual environment.
US2007226773A1 (or US7725922B2) discloses a security policy enforcement and execution method for, for example, shell scripts such as listing commands and execution in, for example, the Java Virtual Machine. The method comprises determining whether a security policy associated with the script interpreter exists, and creating a sandbox that enforces the rules of that policy.
US2008127292A1 (US8272048B2) describes a monitoring method used on computing devices such as workstations or in the security software field. The method involves monitoring a program's system calls and monitoring the operation of the kernel.
US2009241194A1 describes a security system using multiple virtual machines (sandboxes) in a physical computer such as a client. One virtual machine acts as the host and the others as guests; some guests provide a protected isolation environment for isolating suspicious file information on the host or on other guests. The host and guests can access file information from the isolation environment.
US8171504B1 describes a method of providing driver functionality by installing a complete operating system in a sandbox (for example a virtual machine); the driver functionality is provided by using a driver stub that exposes an application programming interface, through which the driver in the sandbox is accessed.
Traditional operating systems are themselves insecure. Existing sandbox technology falls into two kinds: sandboxes based on the operating system and sandboxes based on a general-purpose virtual machine monitor. Because operating system code is huge and has many vulnerabilities, the security of an operating-system-based sandbox is hard to guarantee. And because a general-purpose virtual machine monitor is designed for resource isolation, a sandbox based on it has high virtualization overhead.
Summary of the invention
To solve the above problems, namely that operating system code is huge and has many vulnerabilities so that its security is hard to guarantee, and that a general-purpose virtual machine monitor is designed for resource isolation so that a sandbox based on it has high virtualization overhead, the invention provides a sandbox system based on a lightweight virtual machine monitor and a method of monitoring an OS with this sandbox system.
The scheme of the sandbox system based on a lightweight virtual machine monitor is as follows:
A sandbox system based on a lightweight virtual machine monitor comprises a processor supporting hardware virtualization (technology), and further comprises: a virtualization management module, a sandbox security policy module, a virtual machine communication module and a lightweight virtualization sandbox module;
The virtualization management module is used to dynamically load the lightweight virtualization sandbox module and/or to dynamically unload the lightweight virtualization sandbox module.
The sandbox security policy module comprises a configuration file that defines the security policy of the sandbox system and consists of three parts: a suspicious process list, a redirect protection path, and redirect file path information.
The virtual machine communication module can pass the security policy in the configuration file contained in the sandbox security policy module to the lightweight virtualization sandbox module.
The lightweight virtualization sandbox module is a special-purpose lightweight virtual machine monitor whose function is to monitor and intercept the corresponding target processes and system calls; it has no ability to virtualize device resources or to create multiple virtual machines. The lightweight virtualization sandbox module comprises a monitoring and interception module and a protection enforcement module.
The monitoring and interception module obtains the suspicious process list from the configuration file via the virtual machine communication module, and then monitors the target processes in the suspicious process list and their system calls. The protection enforcement module receives the system calls intercepted by the monitoring and interception module, obtains the full path name of the file opened by the target process, extracts the file name from the full path, redirects its read/write operation into the file of the same name under the protection path set in the configuration file, and writes the mapping information into the redirect path information file.
The virtualization management module, sandbox security policy module and virtual machine communication module reside in the user's operating system and are loaded into the operating system when it starts; the lightweight virtualization sandbox module is loaded and unloaded dynamically by the user.
Preferably, when the monitoring and interception module monitors the target processes in the suspicious process list and the system calls in the system call list, identification by process name is the main basis for recognising a target process;
a change of the CR3 control register caused by a process switch is used as the interception point: the target process is identified first, and then intercepted at the capture point;
the page-fault interrupt is used as the capture point for intercepting system calls, with the system call number as the basis for identifying target system calls. All system calls are captured first, and then it is determined whether each one is a target system call. If a target system call is executed by a target process, control is transferred to the lightweight virtual machine sandbox.
Preferably, the virtual machine communication module sends the configuration file to the lightweight virtualization sandbox module by way of shared memory.
Preferably, the user adds the specified untrusted processes or programs to the configuration file and sets the redirect protection path, and the redirect file path information records the correspondence between a process or program and the redirect protection path set for it; this configures the security policy.
Preferably, the protection enforcement module redirects write operations only.
The scheme of the method of monitoring an OS with the above sandbox system is as follows:
A method of monitoring an OS with the above sandbox system comprises the following steps:
1) the user defines the sandbox security policy according to his protection needs;
2) the sandbox system based on the lightweight virtual machine is started;
3) the lightweight virtual machine sandbox monitors the suspicious process list defined in the sandbox security policy;
4) once a process of a target program is detected, the system calls of the target process are tracked and the target process's write operations are redirected to the directory defined in the sandbox security policy;
5) return to step 3), until the sandbox is unloaded by the user.
Preferably, in step 1) of the method of monitoring an OS, defining the sandbox security policy comprises the following operations:
defining the suspicious process or program list, which defines the targets the sandbox system will isolate;
defining the redirect protection path;
defining the redirect file path information, i.e. the mapping between a suspicious process or program and its redirect protection path.
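The three-part policy described above (suspicious process list, redirect protection path, and the process-to-path mapping) is easy to get wrong at the parsing stage, which is where a sandbox silently stops covering a process. The following is an added example, not code from the patent or from Xiangtan University: it parses a constructed INI-style policy text and answers the two questions the monitor needs, whether a process name is a target and which protection path applies. The section names, the file format, and the per-process override falling back to a default path are all assumptions of this example.

```c
/* Added example (not the patent's code): parse a constructed sandbox policy
 * with the patent's three parts and resolve a process to its protection path.
 * The INI-like section names and size limits are assumptions of this example. */
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define NAME_LEN 64
#define PATH_LEN 256

struct redirect_rule {
    char process[NAME_LEN];       /* suspicious process or program name */
    char protect_path[PATH_LEN];  /* directory its writes are redirected to */
};

struct sandbox_policy {
    char suspicious[MAX_ENTRIES][NAME_LEN];  /* suspicious process list */
    int n_suspicious;
    char default_protect_path[PATH_LEN];     /* redirect protection path */
    struct redirect_rule rules[MAX_ENTRIES]; /* redirect file path information */
    int n_rules;
};

/* Constructed sample policy (assumed format, not from the patent). */
const char SAMPLE_POLICY[] =
    "# constructed sample policy\n"
    "[suspicious_processes]\n"
    "untrusted_dl\n"
    "demo_app\n"
    "[protect_path]\n"
    "/var/sandbox/default\n"
    "[redirect_map]\n"
    "untrusted_dl = /var/sandbox/untrusted_dl\n";

/* Strip leading/trailing blanks and a stray carriage return in place. */
static void trim(char *s)
{
    size_t start = strspn(s, " \t\r");
    if (start) memmove(s, s + start, strlen(s + start) + 1);
    size_t len = strlen(s);
    while (len > 0 && (s[len - 1] == ' ' || s[len - 1] == '\t' || s[len - 1] == '\r'))
        s[--len] = '\0';
}

/* Parse the policy text. Returns 0 on success, -1 on malformed input
 * (unknown section, key outside a section, oversized or too many entries). */
int parse_policy(const char *text, struct sandbox_policy *p)
{
    memset(p, 0, sizeof *p);
    enum { NONE, SUSPICIOUS, PROTECT, MAP } section = NONE;
    char line[PATH_LEN + NAME_LEN + 2];
    const char *cur = text;
    while (*cur) {
        const char *nl = strchr(cur, '\n');
        size_t len = nl ? (size_t)(nl - cur) : strlen(cur);
        if (len >= sizeof line) return -1;
        memcpy(line, cur, len);
        line[len] = '\0';
        cur = nl ? nl + 1 : cur + len;
        trim(line);
        if (line[0] == '\0' || line[0] == '#') continue;   /* blank or comment */
        if (line[0] == '[') {
            if (strcmp(line, "[suspicious_processes]") == 0) section = SUSPICIOUS;
            else if (strcmp(line, "[protect_path]") == 0) section = PROTECT;
            else if (strcmp(line, "[redirect_map]") == 0) section = MAP;
            else return -1;
            continue;
        }
        switch (section) {
        case SUSPICIOUS:
            if (p->n_suspicious >= MAX_ENTRIES || strlen(line) >= NAME_LEN) return -1;
            strcpy(p->suspicious[p->n_suspicious++], line);
            break;
        case PROTECT:
            if (strlen(line) >= PATH_LEN) return -1;
            strcpy(p->default_protect_path, line);
            break;
        case MAP: {
            char *eq = strchr(line, '=');
            if (!eq || p->n_rules >= MAX_ENTRIES) return -1;
            *eq = '\0';
            char *name = line, *path = eq + 1;
            trim(name);
            trim(path);
            if (strlen(name) >= NAME_LEN || strlen(path) >= PATH_LEN) return -1;
            strcpy(p->rules[p->n_rules].process, name);
            strcpy(p->rules[p->n_rules].protect_path, path);
            p->n_rules++;
            break;
        }
        default:
            return -1;   /* key before any section header */
        }
    }
    return 0;
}

/* 1 if the process name is in the suspicious list, else 0. */
int is_target_process(const struct sandbox_policy *p, const char *name)
{
    for (int i = 0; i < p->n_suspicious; i++)
        if (strcmp(p->suspicious[i], name) == 0) return 1;
    return 0;
}

/* Protection path for a target process: its mapped path if one exists,
 * otherwise the default protection path. NULL if the process is not a target. */
const char *protect_path_for(const struct sandbox_policy *p, const char *name)
{
    if (!is_target_process(p, name)) return NULL;
    for (int i = 0; i < p->n_rules; i++)
        if (strcmp(p->rules[i].process, name) == 0) return p->rules[i].protect_path;
    return p->default_protect_path[0] ? p->default_protect_path : NULL;
}

int main(void)
{
    struct sandbox_policy p;
    if (parse_policy(SAMPLE_POLICY, &p) != 0) { puts("bad policy"); return 1; }
    const char *names[] = { "untrusted_dl", "demo_app", "bash" };
    for (int i = 0; i < 3; i++) {
        const char *pp = protect_path_for(&p, names[i]);
        printf("%-14s -> %s\n", names[i], pp ? pp : "(not a target, no redirection)");
    }
    return 0;
}
```

The parser rejects a malformed file outright rather than loading a partial policy, because a process that is missing from the list is simply not sandboxed; failing closed at load time is the safer default for a module that the user loads on demand.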
Preferably, in step 3) of the method of monitoring an OS, monitoring the suspicious process list comprises the following operations:
when the CR3 control register changes because of a process switch, the target process is first identified by its process name and then intercepted;
when a page-fault interrupt occurs, system calls are intercepted using the system call number as the basis for identifying target system calls: all system calls are captured first, and then it is determined whether each one is a target system call;
if a target system call is executed by a target process, control is transferred to the lightweight virtual machine sandbox.
Preferably, in step 4) of the method of monitoring an OS, redirecting the write operation to the directory defined in the sandbox security policy comprises the following operations:
first, the protection enforcement module receives the write system call intercepted by the monitoring and interception module, obtains the full path name of the file opened by the target process, and extracts the file name from the full path;
then, its buffer is redirected into the file of the same name under the protection path, and the mapping information is written into the redirect path information file.
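Step 4) is the part of the design that actually changes what reaches the disk, so it is worth seeing the decision logic in full: redirect only write-mode opens from a target process, place the file under the protection path by its base name, and record the original-to-redirected mapping so the file can later be written back to its original location (the trusted-process case in claim 3). This is an added example, not code from the patent or the project; the open-flag test, the in-memory record in place of the redirect path information file, and all function names are assumptions.

```c
/* Added example (not the patent's code): write redirection of the protection
 * enforcement module. A write-mode open of /etc/app/conf by a target process is
 * redirected to <protect_path>/conf and the pair is recorded; read-only opens and
 * opens by non-target processes pass through unchanged. Names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <fcntl.h>

#define MAX_RECORDS 32
#define PATH_LEN 256

struct redirect_record { char original[PATH_LEN]; char redirected[PATH_LEN]; };
struct redirect_log { struct redirect_record rec[MAX_RECORDS]; int n; };

/* Only writes are redirected (the patent's write-only redirection mode). */
int open_is_write(int flags)
{
    int acc = flags & O_ACCMODE;
    return acc == O_WRONLY || acc == O_RDWR ||
           (flags & (O_CREAT | O_TRUNC | O_APPEND)) != 0;
}

/* Build <protect_path>/<file name of full_path>. Returns 0, or -1 if the path
 * has no file name component or the result does not fit. */
int redirect_write_path(const char *full_path, const char *protect_path,
                        char *out, size_t out_sz)
{
    const char *slash = strrchr(full_path, '/');
    const char *name = slash ? slash + 1 : full_path;
    if (*name == '\0') return -1;
    int n = snprintf(out, out_sz, "%s/%s", protect_path, name);
    return (n < 0 || (size_t)n >= out_sz) ? -1 : 0;
}

/* Record the mapping once. Returns the record index, or -1 when the log is full
 * or a different original already maps to the same redirected name (base-name
 * collision between two directories, which this scheme cannot distinguish). */
int record_redirect(struct redirect_log *rlog, const char *original, const char *redirected)
{
    for (int i = 0; i < rlog->n; i++) {
        if (strcmp(rlog->rec[i].original, original) == 0) return i;
        if (strcmp(rlog->rec[i].redirected, redirected) == 0) return -1;
    }
    if (rlog->n >= MAX_RECORDS || strlen(original) >= PATH_LEN ||
        strlen(redirected) >= PATH_LEN) return -1;
    strcpy(rlog->rec[rlog->n].original, original);
    strcpy(rlog->rec[rlog->n].redirected, redirected);
    return rlog->n++;
}

/* Decide which path an intercepted open() should really use.
 * Returns 1 if redirected, 0 if passed through unchanged, -1 on error. */
int enforce_open(struct redirect_log *rlog, int is_target, const char *full_path,
                 int flags, const char *protect_path, char *out, size_t out_sz)
{
    if (!is_target || !open_is_write(flags)) {
        if (strlen(full_path) >= out_sz) return -1;
        strcpy(out, full_path);
        return 0;
    }
    if (redirect_write_path(full_path, protect_path, out, out_sz) != 0) return -1;
    return record_redirect(rlog, full_path, out) < 0 ? -1 : 1;
}

/* Reverse lookup used when a process is later judged trusted and its files
 * under the protection path are written back to their original locations. */
const char *original_for(const struct redirect_log *rlog, const char *redirected)
{
    for (int i = 0; i < rlog->n; i++)
        if (strcmp(rlog->rec[i].redirected, redirected) == 0) return rlog->rec[i].original;
    return NULL;
}

int main(void)
{
    struct redirect_log rlog = {0};
    char out[PATH_LEN];
    int r = enforce_open(&rlog, 1, "/etc/app/conf", O_WRONLY | O_CREAT,
                         "/var/sandbox/app", out, sizeof out);
    printf("write open: r=%d path=%s\n", r, out);
    r = enforce_open(&rlog, 1, "/etc/app/conf", O_RDONLY, "/var/sandbox/app", out, sizeof out);
    printf("read open:  r=%d path=%s\n", r, out);
    printf("write-back target of %s: %s\n", rlog.rec[0].redirected,
           original_for(&rlog, rlog.rec[0].redirected));
    return 0;
}
```

Because the patent keys the redirected file on the file name alone, two files with the same name in different directories would land on the same sandbox file; the example refuses the second mapping instead of silently merging them, which is the check a practitioner would want before trusting the write-back step.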
According to preferred embodiments, the invention provides:
1. A sandbox system based on a lightweight virtual machine monitor, comprising a processor that supports hardware virtualization or hardware virtualization technology, characterised in that it further comprises: a virtualization management module, a sandbox security policy module, a virtual machine communication module and a lightweight virtualization sandbox module.
The virtualization management module is used to dynamically load the lightweight virtualization sandbox module and/or to dynamically unload the lightweight virtualization sandbox module.
The sandbox security policy module comprises a configuration file that defines the security policy of the sandbox system and consists of three parts: a suspicious process list, a redirect protection path, and redirect file path information.
The virtual machine communication module can pass the security policy in the configuration file contained in the sandbox security policy module to the lightweight virtualization sandbox module.
The lightweight virtualization sandbox module is a special-purpose lightweight virtual machine monitor whose function is to monitor and intercept the corresponding target processes and system calls; it has no ability to virtualize device resources or to create multiple virtual machines. It (the lightweight virtualization sandbox module) comprises a monitoring and interception module and a protection enforcement module;
The monitoring and interception module obtains the suspicious process list from the configuration file via the virtual machine communication module, and then monitors the target processes in the suspicious process list and their system calls. The protection enforcement module receives the system calls intercepted by the monitoring and interception module, obtains the full path name of the file opened by the target process, extracts the file name from the full path, redirects its read/write operation into the file of the same name under the protection path set in the configuration file, and writes the mapping information into the redirect path information file.
The virtualization management module, sandbox security policy module and virtual machine communication module reside in the user's operating system and are loaded into the operating system when it starts. The lightweight virtualization sandbox module is loaded and unloaded dynamically by the user.
2. The sandbox system of 1 above, wherein, when the monitoring and interception module monitors the target processes in the suspicious process list and the system calls in the system call list, identification by process name is the main basis for recognising a target process.
A change of the CR3 control register caused by a process switch is used as the interception point: the target process is identified first, and then intercepted at the capture point.
The page-fault interrupt is used as the capture point for intercepting system calls, with the system call number as the basis for identifying target system calls; all system calls are captured first, and then it is determined whether each one is a target system call. If a target system call is executed by a target process, control is transferred to the lightweight virtual machine sandbox.
3. The sandbox system of 1 or 2 above, wherein, when the protection enforcement module judges, according to the user-configured sandbox policy in the configuration file, that a process is trusted, the files under the protection path are written back to their original locations; the lightweight virtual machine sandbox then continues monitoring the guest operating system until it is unloaded.
4. The sandbox system of any one of 1 to 3 above, wherein the virtual machine communication module sends the configuration file to the lightweight virtualization sandbox module by way of shared memory.
5. The sandbox system of any one of 1 to 4 above, wherein the user adds the specified untrusted processes or programs to the configuration file and sets the redirect protection path, and the redirect file path information records the correspondence between a process or program and the redirect protection path set for it; this configures the security policy.
6. The sandbox system of any one of 1 to 5 above, wherein the protection enforcement module redirects write operations only.
7. A method of monitoring an OS using the sandbox system of any one of 1 to 6 above, comprising the following steps:
1) the user defines the sandbox security policy according to his protection needs;
2) the sandbox system based on the lightweight virtual machine is started;
3) the lightweight virtual machine sandbox monitors the suspicious process list defined in the sandbox security policy;
4) once a process of a target program is detected, the system calls of the target process are tracked and the target process's write operations are redirected to the directory defined in the sandbox security policy;
5) return to step 3), until the sandbox is unloaded by the user.
8. The method of monitoring an OS of 7 above, characterised in that defining the sandbox security policy in step 1) comprises the following operations:
defining the suspicious process or program list, which defines the targets the sandbox system will isolate;
defining the redirect protection path; and
defining the redirect file path information, i.e. the mapping between a suspicious process or program and its redirect protection path.
9. The method of monitoring an OS of 7 or 8 above, characterised in that monitoring the suspicious process list in step 3) comprises the following operations:
when the CR3 control register changes because of a process switch, the target process is first identified by its process name and then intercepted;
when a page-fault interrupt occurs, system calls are intercepted using the system call number as the basis for identifying target system calls: all system calls are captured first, and then it is determined whether each one is a target system call;
if a target system call is executed by a target process, control is transferred to the lightweight virtual machine sandbox.
10. The method of monitoring an OS of any one of 7 to 9 above, wherein redirecting the write operation to the directory defined in the sandbox security policy in step 4) comprises the following operations:
first, the protection enforcement module receives the write system call intercepted by the monitoring and interception module, obtains the full path name of the file opened by the target process, and extracts the file name from the full path;
then, its buffer is redirected into the file of the same name under the protection path, and the mapping information is written into the redirect path information file.
Advantages and beneficial technical effects of the invention:
The lightweight virtual machine sandbox sits below the operating system with a privilege level higher than Ring 0, so it can monitor the behaviour of the operating system; at the same time its code size is small and it has few vulnerabilities, so it can provide stronger isolation than the operating system, and it can realize the sandbox function by simulating specific hardware devices, thereby strengthening the security of the system. Compared with existing technology: 1. the lightweight virtual machine sandbox can be loaded dynamically on demand and does not affect system performance when it is not loaded; 2. the lightweight virtual machine sandbox uses a special-purpose lightweight virtual machine monitor that has no ability to virtualize device resources or create multiple virtual machines, so its overhead is small; 3. the invention realizes the sandbox function transparently, without modifying the operating system or application programs; 4. the lightweight virtual machine sandbox sits below the operating system, its code size is small and it has few vulnerabilities, which makes the whole system more secure.
Description of drawings
Fig. 1 is a structural diagram of the sandbox system based on a lightweight virtual machine monitor.
Fig. 2 is a flow chart of write-protection enforcement.
Fig. 3 is a workflow diagram of the sandbox system based on a lightweight virtual machine monitor.
Embodiment
To describe the features and advantages of the invention more clearly, a detailed description with reference to the drawings follows:
The architecture of a sandbox system based on a lightweight virtual machine monitor, as shown in Figure 1, comprises: virtualization management module 102, sandbox security policy module 103, virtual machine communication module 104 and lightweight virtualization sandbox module 107. Lightweight virtualization sandbox module 107 comprises monitoring and interception module 105 and protection enforcement module 106.
Virtualization management module 102 is used to dynamically load or unload lightweight virtualization sandbox module 107.
Sandbox security policy module 103 comprises a configuration file that defines the security policy of the sandbox system and consists of three parts: a suspicious process list, a redirect protection path, and redirect file path information. The user can add the specified untrusted processes or programs to the configuration file and set the redirect protection path, and the redirect file path information records the correspondence between a process or program and the redirect protection path set for it; this configures the security policy.
Virtual machine communication module 104 can pass the security policy in the configuration file contained in sandbox security policy module 103 to lightweight virtualization sandbox module 107. Specifically, virtual machine communication module 104 can send the configuration file to lightweight virtualization sandbox module 107 by way of shared memory.
Lightweight virtualization sandbox module 107 is a special-purpose lightweight virtual machine monitor whose function is to monitor and intercept the corresponding target processes and system calls; it has no ability to virtualize device resources or to create multiple virtual machines. It comprises monitoring and interception module 105 and protection enforcement module 106.
Monitoring and interception module 105 obtains the suspicious process list from the configuration file via virtual machine communication module 104, and then monitors the target processes in the suspicious process list and their system calls. When monitoring and interception module 105 monitors the target processes in the suspicious process list and the system calls in the system call list, identification by process name is the main basis for recognising a target process. Specifically, a change of the CR3 control register caused by a process switch is used as the interception point: the target process is identified first, and then intercepted at the capture point. The page-fault interrupt is used as the capture point for intercepting system calls, with the system call number as the basis for identifying target system calls. All system calls are captured first, and then it is determined whether each one is a target system call. If a target system call is executed by a target process, control is transferred to the lightweight virtual machine sandbox.
Protection enforcement module 106 receives the system calls intercepted by monitoring and interception module 105, obtains the full path name of the file opened by the target process, extracts the file name from the full path, redirects its read/write operation into the file of the same name under the protection path set in the configuration file, and writes the mapping information into the redirect path information file.
When protection enforcement module 106 judges, according to the user-configured sandbox policy in the configuration file, that a process is trusted, the files under the protection path are written back to their original locations; lightweight virtual machine sandbox 107 then continues monitoring the guest operating system until it is unloaded.
Virtualization management module 102, sandbox security policy module 103 and virtual machine communication module 104 reside in the user's operating system and are loaded into the operating system when it starts; lightweight virtualization sandbox module 107 is loaded and unloaded dynamically by the user.
The following specific embodiment explains how the lightweight virtual machine sandbox system is used to monitor an operating system (OS):
This embodiment takes Intel VT as an example. A processor supporting Intel VT hardware-assisted virtualization (technology) introduces two new processor states: VMX (Virtual Machine Extensions) root mode and VMX non-root mode. The virtual machine monitor (VMM) runs in VMX root mode, and the guest operating system is a Linux system. The guest operating system's transition from VMX non-root mode to VMX root mode is called a VM exit, and the transition from VMX root mode to VMX non-root mode is called a VM entry.
Virtualization management module 102 first checks the system hardware, including the processor's SMX and VMX extension status. After the check passes, it invokes the virtual machine enable instruction VMXON: the setup code sets the corresponding bit in the CR4 control register to enable VMX mode, creates a VMXON region in 4 KB-aligned memory, then passes the physical address of the VMXON region and executes the VMXON instruction.
After the VMXON instruction has executed, the processor is in VMX root state. Control of the processor is handed to lightweight virtual machine sandbox 107, which creates a VMCS in the VMXON region. The VMCS is a data structure used to control the transitions between VMX non-root state and root state. The VMCS has six data areas: the guest-state area and the host-state area hold the processor state to be loaded on VM entry and on VM exit respectively; when the processor switches between VMX non-root state and root state, the corresponding processor state is loaded from these two areas. Lightweight virtual machine sandbox 107 initialises the guest state of the VMCS, including the processor context that must be loaded when switching from root state to non-root state.
The VM-execution control fields and the VM-exit control fields control the processor's behaviour in VMX non-root operation; they determine the reasons for which the virtual machine enters root state from non-root state. The VM-entry control fields control VM entry. The VM-exit information fields describe the reason for and the characteristics of a VM exit. Beyond achieving its own security goals, lightweight virtual machine sandbox 107 does not need to fill in and process these areas for the purpose of resource isolation.
Next, the light-weight virtual machine sandbox 107 creates shadow page tables for the guest operating system, similarly to ordinary virtual machine monitoring software; that is, it manages a parallel page table for the guest operating system. The page tables maintained by the guest operating system are called guest page tables (GPTs); the page tables maintained by the light-weight virtual machine sandbox 107 in parallel with the GPTs are called shadow page tables (SPTs). The actual translation from virtual addresses to machine physical addresses is performed through the shadow page tables. In the shadow page tables, apart from the memory space occupied by the light-weight virtual machine sandbox 107 and the security function module, the virtual-to-physical address mappings are the same as before the OS was migrated.
For the memory space it occupies, the light-weight virtual machine sandbox 107 uses a memory management mechanism similar to that of Xen to track modifications of the guest page tables and synchronise the shadow page tables.
Finally, the light-weight virtual machine sandbox 107 sets up the DMA protection domain and executes the VMLAUNCH instruction, and the original operating system is transparently migrated into the virtual machine of the LVMM to continue running.
The light-weight virtual machine sandbox 107 runs in root state and the original operating system runs in non-root state. Because of the VMCS settings, the operating system running in non-root state enters VMX root mode from VMX non-root mode on certain events (such as a system call of a process), and control is transferred to the light-weight virtual machine sandbox 107. After the light-weight virtual machine sandbox 107 has handled the trapped event, it executes the specific virtualization instruction VMLAUNCH at the entry point preset for the operating system, returning control to the operating system so that it continues executing from that entry point. After the target program has finished running, the virtual machine function can be turned off by executing the privileged instruction VMXOFF, unloading the light-weight virtual machine sandbox 107.
The sandbox security policy module 103 provides the user with an interface for defining the sandbox security policy. According to their protection needs, the user customises the sandbox security policy by defining the following: the suspicious process or program list, which defines the targets the sandbox system is to isolate; the redirect protection path; and the redirected file path information, which defines the mapping between suspicious processes or programs and redirect protection paths.
The virtual machine communication module 104 acts as the communication bridge between the sandbox security policy module 103 and the light-weight virtual machine sandbox 107, passing the user-configured security policy to the light-weight virtual machine sandbox 107. After the light-weight virtual machine sandbox 107 has been loaded, it runs in VMX root state, and the virtual machine communication module 104 sends the user-configured security policy to the light-weight virtual machine sandbox 107 by means of shared memory.
The monitoring and interception module 105 reads the configuration file of the sandbox security policy module 103 through the shared memory provided by the virtual machine communication module 104, determines the target processes and system calls to be monitored, and then enters the monitoring state. Interception of target system calls is implemented in two parts: capture of the target program and capture of the system call.
For the target program, the process name is the main basis for identifying a target process. The change of CR3 caused by a process switch serves as the interception point for the target process: the target process is identified first, and then it is intercepted at the capture point. For system calls, the page-fault interrupt serves as the capture point and the system call number is the basis for identifying a target system call: all system calls are captured first, and then whether each one is a target system call is identified. If the call is a target system call and is being executed by a target process, operation is transferred to the protection enforcement module 106.
The protection enforcement module 106 mainly adopts the approach of redirecting only write operations. As shown in Figure 2, the protection enforcement module 106 receives the write system call intercepted by the monitoring and interception module 105, obtains the full path name of the file opened by the target process, extracts the file name from the full path, redirects its buffer to the file of the same name under the protection path, and writes the mapping information to the redirected path message file. The protection path and the redirected path message file are created and initialised when the sandbox policy is constructed.
The workflow of the sandbox system based on the light-weight virtual machine monitor is shown in Figure 3 and comprises the following steps:
201 dynamically load the light-weight virtual machine sandbox;
202 read the sandbox security policy;
203 monitor the operating system;
4) monitor process switches in the operating system; if the process switched in is a target process, go to step 5), otherwise go to step 3);
5) once the process of a target program has been detected, track the system calls of the target process; if a system call is a target system call, go to step 6), otherwise go to step 3);
6) redirect the write operations of the target process to the directory defined by the sandbox security policy;
7) the light-weight virtual machine sandbox continues monitoring the guest operating system until it is unloaded.
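As an added illustration that is not code from the patent, the following C program simulates the decision logic of the process-switch, system-call and redirection steps above: the hypervisor traps (a CR3 change on process switch, a system call captured via the page-fault path) are modelled as plain events, the policy is a constructed configuration, and the protection path and the x86-64 Linux system call numbers are assumed values.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define SYS_WRITE_NR 1   /* x86-64 Linux syscall numbers; assumed guest arch */
#define SYS_OPEN_NR  2
#define MAX_LOG 16

/* Sandbox security policy as read from the configuration file. */
struct sandbox_policy {
    const char *suspicious[4];   /* suspicious process / program list */
    int n_suspicious;
    long monitored_syscalls[4];  /* system call numbers to intercept */
    int n_syscalls;
    const char *protect_path;    /* redirect protection path (assumed value) */
};
/* The "redirected path message file": original -> redirected mappings. */
struct redirect_entry { char orig[256]; char redirected[256]; };
struct redirect_log { struct redirect_entry e[MAX_LOG]; int n; };

/* Traps seen by the monitoring/interception module, modelled as events. */
enum event_kind { EV_CR3_SWITCH, EV_SYSCALL };
struct sandbox_event {
    enum event_kind kind;
    const char *proc_name;  /* EV_CR3_SWITCH: name of the process switched in */
    long syscall_nr;        /* EV_SYSCALL: system call number */
    const char *full_path;  /* EV_SYSCALL: full path of the file being opened */
};
struct sandbox_state { bool target_active; };  /* kept across traps */
enum action { ACT_PASS = 0, ACT_TRACK = 1, ACT_REDIRECT = 2 };

/* On a CR3 change, the process name decides whether this is a target process. */
bool is_target_process(const struct sandbox_policy *p, const char *name) {
    if (name == NULL) return false;
    for (int i = 0; i < p->n_suspicious; i++)
        if (strcmp(p->suspicious[i], name) == 0) return true;
    return false;
}
/* On a captured system call, the syscall number decides whether it is a target. */
bool is_target_syscall(const struct sandbox_policy *p, long nr) {
    for (int i = 0; i < p->n_syscalls; i++)
        if (p->monitored_syscalls[i] == nr) return true;
    return false;
}
/* Take the file name from the full path and build the same-named file under
 * the protection path. Returns 0 on success, -1 if the path names no file or
 * the result does not fit in the output buffer. */
int redirect_path(const struct sandbox_policy *p, const char *full_path,
                  char *out, size_t outlen) {
    const char *slash = strrchr(full_path, '/');
    const char *fname = slash ? slash + 1 : full_path;
    if (*fname == '\0') return -1;
    int n = snprintf(out, outlen, "%s/%s", p->protect_path, fname);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
/* Append an original -> redirected mapping; -1 when the log is full. */
int record_mapping(struct redirect_log *rl, const char *orig, const char *redir) {
    if (rl->n >= MAX_LOG) return -1;
    snprintf(rl->e[rl->n].orig, sizeof rl->e[rl->n].orig, "%s", orig);
    snprintf(rl->e[rl->n].redirected, sizeof rl->e[rl->n].redirected, "%s", redir);
    rl->n++;
    return 0;
}
/* Handle one trap. Only a target system call issued while a target process
 * is running is redirected; everything else passes through untouched. */
enum action sandbox_handle_event(const struct sandbox_policy *p,
                                 struct sandbox_state *st, struct redirect_log *rl,
                                 const struct sandbox_event *ev,
                                 char *redirected, size_t len) {
    if (ev->kind == EV_CR3_SWITCH) {
        st->target_active = is_target_process(p, ev->proc_name);
        return st->target_active ? ACT_TRACK : ACT_PASS;
    }
    if (!st->target_active || !is_target_syscall(p, ev->syscall_nr)) return ACT_PASS;
    if (ev->full_path == NULL || redirect_path(p, ev->full_path, redirected, len) != 0)
        return ACT_PASS;
    if (record_mapping(rl, ev->full_path, redirected) != 0) return ACT_PASS;
    return ACT_REDIRECT;
}
```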
The above is a preferred implementation of the sandbox system based on a light-weight virtual machine monitor provided by the invention; it does not limit the scope of protection of the invention. Any improvement within the invention, as long as the principle is the same, falls within the scope of protection of the claims of the invention.

Claims (10)

1. A sandbox system based on a light-weight virtual machine monitor, comprising a processor that supports hardware virtualization or hardware-assisted virtualization technology, characterised in that it further comprises: a virtualization management module, a sandbox security policy module, a virtual machine communication module and a light-weight virtualization sandbox module;
the virtualization management module is used to dynamically load the light-weight virtualization sandbox module and/or to dynamically unload the light-weight virtualization sandbox module;
the sandbox security policy module comprises a configuration file which defines the security policy of the sandbox system and consists of three parts: a suspicious process list, a redirect protection path and redirected file path information;
the virtual machine communication module can pass the security policy in the configuration file contained in the sandbox security policy module to the light-weight virtualization sandbox module;
the light-weight virtualization sandbox module is a special-purpose light-weight virtual machine monitor intended to monitor and intercept the corresponding target processes and system calls; it does not have the ability to virtualize hardware devices or to create multiple virtual machines; it comprises a monitoring and interception module and a protection enforcement module;
the monitoring and interception module obtains the suspicious process list from the configuration file through the virtual machine communication module, and then monitors the target processes in the suspicious process list and their system calls; the protection enforcement module receives the system call intercepted by the monitoring and interception module, obtains the full path name of the file opened by the target process, extracts the file name from the full path, redirects its read and write operations to the file of the same name under the protection path set in the configuration file, and writes the mapping information to the redirected path message file;
the virtualization management module, the sandbox security policy module and the virtual machine communication module reside in the user's operating system and are loaded into the operating system as it starts; the light-weight virtualization sandbox module is dynamically loaded or dynamically unloaded by the user.
2. The sandbox system of claim 1, characterised in that, when the monitoring and interception module monitors the target processes in the suspicious process list and the system calls in the system call list, the process name is the main basis for identifying a target process;
the change of the CR3 control register caused by a process switch serves as the interception point: the target process is identified first, and then the target process is intercepted at the capture point;
the page-fault interrupt serves as the capture point for intercepting system calls, and the system call number is the basis for identifying a target system call; all system calls are captured first, and then whether each one is a target system call is identified; if the system call is a target system call executed by a target process, operation is transferred to the light-weight virtual machine sandbox.
3. The sandbox system of claim 1 or 2, characterised in that, when the protection enforcement module determines, according to the user-configured sandbox policy in the configuration file, that a process is a trusted process, it writes the files under the protection path back to the original files; the light-weight virtual machine sandbox then continues monitoring the guest operating system until it is unloaded.
4. The sandbox system of any one of claims 1 to 3, characterised in that the virtual machine communication module sends the configuration file to the light-weight virtualization sandbox module by means of shared memory.
5. The sandbox system of any one of claims 1 to 4, characterised in that the user configures the security policy by adding the specified untrusted processes or programs to the configuration file, setting the redirect protection path, and recording in the redirected file path information the correspondence between the processes or programs and the set redirect protection path.
6. The sandbox system of any one of claims 1 to 5, characterised in that the protection enforcement module adopts only the approach of redirecting write operations.
7. A method for monitoring an OS using the sandbox system of any one of claims 1 to 6, comprising the following steps:
1) the user defines the sandbox security policy according to their protection needs;
2) the sandbox system based on the light-weight virtual machine is started;
3) the light-weight virtual machine sandbox monitors the suspicious process list defined in the sandbox security policy;
4) once the process of a target program has been detected, the system calls of the target process are tracked and the write operations of the target process are redirected to the directory defined by the sandbox security policy;
5) return to step 3) until the sandbox is unloaded by the user.
8. The method for monitoring an OS of claim 7, characterised in that defining the sandbox security policy in step 1) comprises the following operations:
defining the suspicious process or program list, which defines the targets the sandbox system is to isolate;
defining the redirect protection path; and
defining the redirected file path information, which defines the mapping between suspicious processes or programs and redirect protection paths.
9. The method for monitoring an OS of claim 7 or 8, characterised in that monitoring the suspicious process list in step 3) comprises the following operations:
when the CR3 control register changes because of a process switch, the target process is first identified by its process name and then intercepted;
when a page-fault interrupt occurs, the system call number serves as the basis for intercepting and identifying target system calls: all system calls are captured first, and then whether each one is a target system call is identified;
if the system call is a target system call executed by a target process, operation is transferred to the light-weight virtual machine sandbox.
10. The method for monitoring an OS of any one of claims 7 to 9, characterised in that redirecting the write operations to the directory defined by the sandbox security policy in step 4) comprises the following operations:
first, the protection enforcement module receives the write system call intercepted by the monitoring and interception module, obtains the full path name of the file opened by the target process, and extracts the file name from the full path;
then, its buffer is redirected to the file of the same name under the protection path, and the mapping information is written to the redirected path message file.
CN2013102983760A 2013-07-16 2013-07-16 Sandbox system based on light-weight virtual machine monitor and method for monitoring OS with sandbox system Pending CN103345604A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2013102983760A CN103345604A (en) 2013-07-16 2013-07-16 Sandbox system based on light-weight virtual machine monitor and method for monitoring OS with sandbox system
Publications (1)

Publication Number Publication Date
CN103345604A true CN103345604A (en) 2013-10-09

Family

ID=49280399
Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20131009