CN104036185B - Virtualization based power and function isolating method for loading module of monolithic kernel operation system - Google Patents

Info

Publication number: CN104036185B
Authority: CN (China)
Prior art keywords: page, virtual machine, monitor, nucleus module, kernel
Legal status: Active
Application number: CN201410284500.2A
Other languages: Chinese (zh)
Other versions: CN104036185A (en)
Inventors: 钱振江, 刘永俊, 汤力, 姚宇峰, 张雪伍
Current Assignee: Changshu intellectual property operation center Co.,Ltd.
Original Assignee: Changshu Institute of Technology
Application filed by: Changshu Institute of Technology
Priority to CN201410284500.2A
Publication of CN104036185A
Application granted
Publication of CN104036185B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The invention discloses a virtualization-based capability isolation method for loadable modules of a monolithic kernel operating system. The method includes the following steps: when the system is initialized, a page table for loadable modules and a page table for the kernel's core modules are generated for the kernel space of virtual memory; while a module is being loaded, the operating system traps into the virtual machine monitor, the attributes of the two page tables are set, and the operating system returns; when a loadable module requests dynamic memory, the operating system traps into the virtual machine monitor, the two page tables are updated, and the operating system returns; when a loadable module directly calls or jumps to code pages of a core module, or directly modifies data pages of a core module, the operating system traps into the virtual machine monitor, which switches page tables and returns after checking and processing. Through the monitoring mechanism of the virtual machine monitor, the executing subject of the system is identified by the page directory address register, and the capabilities of the kernel are isolated. Frequent intervention when switching between kernel mode and user mode is avoided, and the overall performance of the system is improved.

Description

Virtualization-based capability isolation method for loadable modules of a monolithic kernel operating system
Technical field
The present invention relates to a capability isolation method for operating systems, and in particular to a virtualization-based capability isolation method for loadable modules of a monolithic kernel operating system. It belongs to the field of computer security technology.
Background
A monolithic kernel operating system supports loadable modules (including third-party modules and driver modules) and lets all of them run at the kernel privilege level. Because loadable modules run at the highest privilege level, the system has difficulty effectively controlling their access to the key objects of the kernel's core services. A malicious third-party module or an infected driver module can easily corrupt key system objects such as the system call table, page tables, the interrupt descriptor table, system registers and network ports, and thereby destroy the integrity of the whole system.
With the development of hardware virtualization technology, using a virtual machine monitor to monitor a guest system at run time on a monolithic kernel platform has become well supported. This approach, however, has two main problems: 1) Monitoring granularity: choosing the granularity of monitoring is awkward. The coarser the granularity, the smaller the performance loss to the guest system but the lower the accuracy of monitoring; the finer the granularity, the higher the accuracy of monitoring but the larger the loss to the guest system. 2) Subject identification: monitoring first requires identifying each executing subject (object) in the guest system. Because the monolithic kernel and the loadable modules all run at the kernel privilege level and are located in the same memory address space, it is difficult for a virtual machine monitor that monitors the kernel to tell whether the current executing subject is the kernel or a loadable module.
Summary of the invention
In view of the above deficiencies of the prior art, the object of the invention is to provide a virtualization-based capability isolation method for loadable modules of a monolithic kernel operating system, which isolates the kernel's core modules and the loadable modules from each other in capability and so addresses the security threat that loaded modules may pose to the core modules of a monolithic kernel operating system.
The technical solution of the invention is as follows: a virtualization-based capability isolation method for loadable modules of a monolithic kernel operating system, comprising the following steps:
S1. In the system initialization phase, a loadable-module page table and a core-module page table are generated for the kernel space located at 3GiB~(4GiB-1) of virtual memory; the mapping from linear addresses to physical addresses is identical in the two page tables;
S2. When a module is loaded, before the module's initialization is executed, the operating system traps into the virtual machine monitor, the attributes of the loadable-module page table and of the core-module page table are set respectively, and the operating system returns from the virtual machine monitor;
S3. When a loadable module requests dynamic memory, the operating system traps into the virtual machine monitor, and the virtual machine monitor calls the dynamic memory space request function to allocate dynamic memory for the loadable module; the attribute of the loadable-module data pages corresponding to the dynamic memory is set to readable and writable in the loadable-module page table and to read-only in the core-module page table; the operating system returns from the virtual machine monitor;
S4. When a loadable module directly calls or jumps to a code page of a core module, the operating system traps into the virtual machine monitor, and the virtual machine monitor switches from the loadable-module page table to the core-module page table by changing the page directory address register; after the monitor's check passes, the virtual machine monitor calls the core module's interface routine on behalf of the loadable module, and the operating system returns from the virtual machine monitor; when the core module's interface routine finishes executing and returns, the operating system traps into the virtual machine monitor, the virtual machine monitor switches from the core-module page table to the loadable-module page table by changing the page directory address register, and the operating system returns from the virtual machine monitor to the loadable module;
S5. When a loadable module directly modifies a data page of a core module, the operating system traps into the virtual machine monitor, the virtual machine monitor handles the event according to a predetermined policy, and after handling completes the operating system returns from the virtual machine monitor.
Setting the attributes of the loadable-module page table and the core-module page table respectively means the following. In the loadable-module page table, the user data pages and loadable-module data pages are set to readable and writable; the user code pages, core-module data pages and loadable-module code pages are set to read-only; and the core-module code pages are set to unmapped. In the core-module page table, the user code pages, user data pages and core-module data pages are set to readable and writable; the core-module code pages and loadable-module data pages are set to read-only; and the loadable-module code pages are set to unmapped.
Preferably, in step S2, before the attributes of the loadable-module page table and the core-module page table are set, the virtual machine monitor obtains the start address and length of the loadable module's code, the start address and length of the loadable module's data, the start address and length of the core module's code, and the start address and length of the core module's data, and computes the pages on which the loadable module and the core module reside.
Preferably, in step S3, allocating dynamic memory for the loadable module means requesting one whole page from the kernel; when further requests from the loadable module are received afterwards, space is allocated directly within that page until it is insufficient, and then a whole page is requested from the kernel again.
Preferably, in step S4, before the virtual machine monitor calls the core module's interface routine on behalf of the loadable module, the virtual machine monitor obtains the jump address that caused the trap into the virtual machine monitor and checks the legitimacy of the jump address; it saves the current stack pointer register ESP, switches ESP to the core module's kernel stack, pushes onto the core module's kernel stack the input parameters previously pushed onto the loadable module's kernel stack, and restores the current ESP; it then modifies the virtualization control structure VMCS in the virtual machine monitor so that the instruction register EIP in it points to the target jump address and ESP points to the top of the core module's kernel stack.
Preferably, in step S4, before the operating system returns from the virtual machine monitor to the loadable module, the virtual machine monitor obtains the jump address that caused the trap into the virtual machine monitor and checks the legitimacy of the jump address; it saves the current stack pointer register ESP, switches ESP to the loadable module's kernel stack, pops the input parameters that were pushed onto the loadable module's kernel stack, and restores the current ESP; it then modifies the virtualization control structure VMCS in the virtual machine monitor so that the instruction register EIP in it points to the target return address and ESP points to the top of the loadable module's kernel stack.
The method proposed by the invention isolates the kernel's core modules and the loadable modules from each other in capability: although they are in the same memory space, a loadable module can modify only the data it defines itself. Through the monitoring mechanism of the virtual machine monitor, the page directory address register is used to identify the executing subject of the system, which achieves isolation of kernel capabilities.
Through mandatory access control, the proposed method achieves the following two integrity goals and thereby realizes kernel capability isolation: 1) Integrity of kernel code and data and of security-related data: no kernel code or data, and no security-related data, may be modified by a loadable module through direct memory access operations; 2) Integrity of system-related registers: the system-related registers include the segment registers, the control registers and some of the flag registers; together they indicate the running state of the operating system kernel, and they may not be modified by a loadable module.
By giving the kernel's core modules and the loadable modules different page tables, and setting the access permissions to the kernel's critical data objects in each page table, the proposed method identifies the executing subject. At the same time, it avoids frequent intervention while monitoring access to the kernel's critical data objects, which improves the overall performance of the system.
In the loadable-module page table, the core module's code pages are unmapped and the core module's data pages are read-only. A loadable module that directly modifies core-module data causes a page protection fault, and one that directly calls or jumps to core-module code causes a page fault; in both cases the operating system ends up trapping into the virtual machine monitor. In addition, transitions between kernel mode and user mode do not need to switch the page directory address register: the code that handles system call entry and return is in the core module, so the core-module page table is used both before and after a switch between kernel mode and user mode. No page table switch is needed, which avoids frequent page table switching and improves the overall performance of the system.
Brief description of the drawings
Fig. 1 is a flow chart of the method of the invention;
Fig. 2 shows the attribute settings of the loadable-module page table and the core-module page table;
Fig. 3 shows an example of a process's page tables.
Detailed description
The invention is further described below with reference to an embodiment, which does not limit the invention.
For the proposed method, the scenarios in which a monolithic kernel is attacked include: 1) an attacker obtains superuser privileges and then loads a malicious program into the operating system's kernel space; 2) an attacker uses an existing system vulnerability to load malware such as a rootkit; 3) a careless user loads an uncertified loadable module that contains malicious code.
In a monolithic kernel operating system, a running loadable module is in the same address space as the kernel, and each can see the other's full memory view. With reference to Fig. 1, the proposed method isolates loadable modules in two respects: memory isolation in the linear address space and memory isolation in the physical address space. Concretely, the loadable modules have their own exclusive page table, and direct memory access operations from a loadable module cannot corrupt the physical memory where the kernel resides.
To identify the executing subject, system state is divided into three classes: user mode, kernel mode and loadable-module running mode. User mode is the running state of user programs. Kernel mode is the running state of the kernel, including the execution of trusted kernel extension modules that have passed security certification. Loadable-module running mode is the running state of service modules, drivers and the like that have not passed security certification. The division is based not on code or data but on capability, that is, on the permissions held by the currently running subject.
Transitions between system states include: 1) a running user program enters kernel mode because of an interrupt, an exception, a system call or the like, and is handled by the kernel; 2) the kernel returns to user mode from the handling of an interrupt, exception or system call; 3) the kernel calls a loadable module, or a loadable module preempts the kernel's run time, and the system enters loadable-module running mode; 4) the loadable module finishes running and returns to kernel mode, or the kernel preempts the loadable module's run time.
The specific implementation steps, shown in Fig. 1, are as follows:
In the system initialization phase, a loadable-module page table and a core-module page table are generated for the kernel space located at 3GiB~(4GiB-1) of virtual memory. The mapping from linear addresses to physical addresses is identical in the two page tables; at this point both the loadable-module page table and the core-module page table are blank.
The virtualization control structure VMCS in the virtual machine monitor is configured so that the virtual machine monitor monitors execution of the trapping instruction CPUID. When a module is loaded, the trapping instruction CPUID is added at the head of the system call that initializes the loadable module, so that the operating system traps into the virtual machine monitor before module initialization is executed. Based on the identification of the current loadable module, the virtual machine monitor obtains the start address and length of the loadable module's code, the start address and length of the loadable module's data, the start address and length of the core module's code, and the start address and length of the core module's data, and computes the pages on which the loadable module and the core module reside. It then sets the page attributes in the loadable-module page table and the core-module page table according to Fig. 2. For the loadable module, in the loadable-module page table the user data pages and loadable-module data pages are set to readable and writable, the user code pages, core-module data pages and loadable-module code pages are set to read-only, and the core-module code pages are set to unmapped. For the core module, in the core-module page table the user code pages, user data pages and core-module data pages are set to readable and writable, the core-module code pages and loadable-module data pages are set to read-only, and the loadable-module code pages are set to unmapped. After the settings are complete, the operating system returns from the virtual machine monitor.
When the operating system creates a new process, it creates two page tables for the process. The page table of the user space at 0~(3GiB-1) is identical in both, while the page tables of the kernel space at 3GiB~(4GiB-1) are copied from the loadable-module page table and the core-module page table set up above, respectively, as shown in Fig. 3.
Besides static code, data, stack, page tables and so on, a program's resources also include dynamically requested data space, and how to isolate and protect this data space is also a problem the invention has to consider. The virtualization control structure VMCS in the virtual machine monitor is configured so that the virtual machine monitor monitors calls to the dynamic memory space allocation functions (kmalloc, vmalloc, etc.), and a separate dynamic memory space request function (cmalloc) is written and installed. When a loadable module calls a dynamic memory space allocation function to request dynamic memory, the operating system traps into the virtual machine monitor, and the virtual machine monitor calls cmalloc. The cmalloc function requests one whole page from the kernel; when further requests from the loadable module are received afterwards, it allocates space directly within that page until the page is insufficient, and then requests a whole page from the kernel again. Whenever a new page is allocated, the page attributes in the loadable-module page table and the core-module page table are set according to the page table policy shown in Fig. 2: the loadable-module data page corresponding to the dynamic memory is set to readable and writable in the loadable-module page table and to read-only in the core-module page table. After the dynamic memory allocation completes, the operating system returns from the virtual machine monitor.
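The cmalloc flow described above, as an added example in C that is not code from the patent: whole pages are taken from the kernel, sub-allocated until a request no longer fits, and each new page is marked read-write in the loadable-module page table and read-only in the core-module page table. The page pool, `kernel_get_page`, the base address and the 8-byte rounding are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE  4096u
#define POOL_PAGES 8u            /* size of the simulated kernel page pool */
#define POOL_BASE  0xF0000000u   /* constructed kernel-space linear address */

enum attr { UNMAPPED, RO, RW };

/* Per-page attributes in the two kernel-space page tables. */
static enum attr module_pt[POOL_PAGES];
static enum attr core_pt[POOL_PAGES];

static uint32_t pages_taken;            /* whole pages obtained from the kernel */
static uint32_t cur_page = UINT32_MAX;  /* page currently being carved up */
static uint32_t cur_off;                /* next free byte inside cur_page */

/* Stand-in for the kernel's page allocator (hypothetical helper). */
static int kernel_get_page(uint32_t *page)
{
    if (pages_taken == POOL_PAGES) return -1;
    *page = pages_taken++;
    return 0;
}

/* Runs in the VMM after a module's kmalloc/vmalloc call has trapped.
 * Returns a linear address, or 0 on failure. */
uint32_t cmalloc(uint32_t size)
{
    if (size == 0 || size > PAGE_SIZE) return 0;   /* model serves sub-page requests only */
    size = (size + 7u) & ~7u;                      /* 8-byte rounding (assumption) */
    if (cur_page == UINT32_MAX || PAGE_SIZE - cur_off < size) {
        uint32_t p;
        if (kernel_get_page(&p) != 0) return 0;
        /* New page: module may write it, core code may only read it. The
         * unused tail of the previous page is abandoned, so module data
         * never shares a page with anything else. */
        module_pt[p] = RW;
        core_pt[p]   = RO;
        cur_page = p;
        cur_off  = 0;
    }
    uint32_t addr = POOL_BASE + cur_page * PAGE_SIZE + cur_off;
    cur_off += size;
    return addr;
}

static enum attr attr_in(const enum attr *pt, uint32_t addr)
{
    if (addr < POOL_BASE || (addr - POOL_BASE) / PAGE_SIZE >= POOL_PAGES) return UNMAPPED;
    return pt[(addr - POOL_BASE) / PAGE_SIZE];
}

enum attr module_attr(uint32_t addr) { return attr_in(module_pt, addr); }
enum attr core_attr(uint32_t addr)   { return attr_in(core_pt, addr); }
uint32_t  pages_in_use(void)         { return pages_taken; }

int main(void)
{
    uint32_t a = cmalloc(100), b = cmalloc(3000), c = cmalloc(2000);
    printf("a=%#x b=%#x c=%#x pages=%u\n", (unsigned)a, (unsigned)b, (unsigned)c,
           (unsigned)pages_in_use());
    printf("page of c: module table=%d core table=%d\n", module_attr(c), core_attr(c));
    return 0;
}
```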
The virtualization control structure VMCS in the virtual machine monitor is configured so that the virtual machine monitor monitors page faults. When a loadable module directly calls or jumps to a code page of a core module, then according to the page table settings of Fig. 2, because the core-module code pages are unmapped in the currently loaded loadable-module page table, a page fault is triggered and the operating system traps into the virtual machine monitor. The virtual machine monitor switches the page table by changing the page directory address register, from the loadable-module page table to the core-module page table. After the monitor's check passes, the virtual machine monitor obtains the jump address that caused the trap into the virtual machine monitor and checks the legitimacy of the jump address; it saves the current stack pointer register ESP, switches ESP to the core module's kernel stack, pushes onto the core module's kernel stack the input parameters previously pushed onto the loadable module's kernel stack, and restores the current ESP; it then modifies the virtualization control structure VMCS in the virtual machine monitor so that the instruction register EIP in it points to the target jump address and ESP points to the top of the core module's kernel stack. The virtual machine monitor then calls the core module's interface routine on behalf of the loadable module, the operating system returns from the virtual machine monitor, and the core module's interface routine continues executing. The virtualization control structure VMCS in the virtual machine monitor is also configured so that the virtual machine monitor monitors the return of the core module's interface routine. When the core module's interface routine finishes executing and returns, the operating system traps into the virtual machine monitor again, and the virtual machine monitor switches from the core-module page table to the loadable-module page table by changing the page directory address register. The virtual machine monitor obtains the jump address that caused the trap into the virtual machine monitor and checks the legitimacy of the jump address; it saves the current stack pointer register ESP, switches ESP to the loadable module's kernel stack, pops the input parameters that were pushed onto the loadable module's kernel stack, and restores the current ESP; it then modifies the virtualization control structure VMCS in the virtual machine monitor so that the instruction register EIP in it points to the target return address and ESP points to the top of the loadable module's kernel stack. The operating system then returns from the virtual machine monitor to the loadable module.
The virtualization control structure VMCS in the virtual machine monitor is configured so that the virtual machine monitor monitors page protection faults. When a loadable module directly modifies a data page of a core module, then according to the page table settings of Fig. 2, because the core module's data pages are read-only for the loadable module, a page protection fault is triggered and the operating system traps into the virtual machine monitor. The virtual machine monitor handles the event according to a predetermined policy, and after handling completes the operating system returns from the virtual machine monitor.
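An added example in C, not code from the patent, that models the Fig. 2 attribute table and the virtual machine monitor's handling of the call and return traps described above. The `struct guest` fields, the allow-list of entry addresses used as the legitimacy check, the recorded return address and all addresses are assumptions; the patent does not say how legitimacy is checked.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Page classes and attributes from the attribute table (Fig. 2). */
enum region  { USER_CODE, USER_DATA, CORE_CODE, CORE_DATA, MOD_CODE, MOD_DATA, N_REGIONS };
enum view    { VIEW_MODULE, VIEW_CORE };  /* table selected by the page directory register */
enum attr    { UNMAPPED, RO, RW };
enum access  { READ, WRITE, EXEC };
enum outcome { ALLOWED, PAGE_FAULT, PROTECTION_FAULT };

static const enum attr policy[2][N_REGIONS] = {
    [VIEW_MODULE] = { [USER_CODE] = RO, [USER_DATA] = RW, [CORE_CODE] = UNMAPPED,
                      [CORE_DATA] = RO, [MOD_CODE] = RO,  [MOD_DATA] = RW },
    [VIEW_CORE]   = { [USER_CODE] = RW, [USER_DATA] = RW, [CORE_CODE] = RO,
                      [CORE_DATA] = RW, [MOD_CODE] = UNMAPPED, [MOD_DATA] = RO },
};

/* What the MMU does with an access under the active table. Assumption:
 * 32-bit paging without NX, so any mapped page can be read and executed. */
enum outcome check_access(enum view v, enum region r, enum access a)
{
    if (policy[v][r] == UNMAPPED) return PAGE_FAULT;            /* traps to the VMM */
    if (a == WRITE && policy[v][r] == RO) return PROTECTION_FAULT;
    return ALLOWED;
}

#define STACK_WORDS 16
struct guest {                         /* hypothetical model of the guest state */
    enum view view;                    /* stands in for the page directory register */
    uint32_t  eip;                     /* guest EIP field of the VMCS */
    uint32_t  mod_stack[STACK_WORDS];  /* stacks grow down; *_sp indexes the top word */
    uint32_t  core_stack[STACK_WORDS];
    size_t    mod_sp, core_sp;
    uint32_t  pending_ret;             /* return address recorded at call time */
    size_t    pending_nargs;
};

/* Hypothetical allow-list of core interface entry points (constructed values). */
static const uint32_t core_entries[] = { 0xC0101000u, 0xC0102040u };

static bool is_core_entry(uint32_t addr)
{
    for (size_t i = 0; i < sizeof core_entries / sizeof core_entries[0]; i++)
        if (core_entries[i] == addr) return true;
    return false;
}

void guest_init(struct guest *g)
{
    g->view = VIEW_MODULE;
    g->eip = 0;
    g->mod_sp = g->core_sp = STACK_WORDS;   /* both stacks empty */
    g->pending_ret = 0;
    g->pending_nargs = 0;
}

/* Page fault: module code called or jumped to an unmapped core code page. */
bool vmm_on_call_fault(struct guest *g, uint32_t target, uint32_t ret, size_t nargs)
{
    if (g->view != VIEW_MODULE || !is_core_entry(target)) return false;  /* rejected */
    if (nargs > STACK_WORDS - g->mod_sp || nargs > g->core_sp) return false;
    for (size_t i = nargs; i-- > 0; )        /* copy the arguments, keeping their order */
        g->core_stack[--g->core_sp] = g->mod_stack[g->mod_sp + i];
    g->pending_ret = ret;
    g->pending_nargs = nargs;
    g->view = VIEW_CORE;   /* page directory register := core-module table */
    g->eip = target;       /* VMCS: EIP := jump target, ESP := core stack top */
    return true;
}

/* Trap taken when the core interface routine returns. */
bool vmm_on_return(struct guest *g, uint32_t ret)
{
    if (g->view != VIEW_CORE || ret != g->pending_ret) return false;
    g->mod_sp  += g->pending_nargs;   /* pop the arguments from the module stack */
    g->core_sp += g->pending_nargs;   /* release the copy (model's assumption) */
    g->pending_nargs = 0;
    g->view = VIEW_MODULE;            /* back to the loadable-module table */
    g->eip = ret;
    return true;
}

int main(void)
{
    struct guest g;
    guest_init(&g);
    g.mod_stack[--g.mod_sp] = 0x22;   /* module pushes two arguments */
    g.mod_stack[--g.mod_sp] = 0x11;
    printf("write core data from module: %d\n", check_access(g.view, CORE_DATA, WRITE));
    printf("call unlisted target: %d\n", vmm_on_call_fault(&g, 0xC0DEAD00u, 0xF8001234u, 2));
    printf("call listed entry:    %d\n", vmm_on_call_fault(&g, 0xC0101000u, 0xF8001234u, 2));
    printf("return to module:     %d\n", vmm_on_return(&g, 0xF8001234u));
    return 0;
}
```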

Claims (5)

1. A virtualization-based capability isolation method for loadable modules of a monolithic kernel operating system, characterized by comprising the following steps:
S1. In the system initialization phase, a loadable-module page table and a core-module page table are generated for the kernel space located at 3GiB~(4GiB-1) of virtual memory; the mapping from linear addresses to physical addresses is identical in the two page tables;
S2. When a module is loaded, before the module's initialization is executed, the operating system traps into the virtual machine monitor, the attributes of the loadable-module page table and of the core-module page table are set respectively, and the operating system returns from the virtual machine monitor;
S3. When a loadable module requests dynamic memory, the operating system traps into the virtual machine monitor, and the virtual machine monitor calls the dynamic memory space request function to allocate dynamic memory for the loadable module; the attribute of the loadable-module data pages corresponding to the dynamic memory is set to readable and writable in the loadable-module page table and to read-only in the core-module page table; the operating system returns from the virtual machine monitor;
S4. When a loadable module directly calls or jumps to a code page of a core module, the operating system traps into the virtual machine monitor, and the virtual machine monitor switches from the loadable-module page table to the core-module page table by changing the page directory address register; after the monitor's check passes, the virtual machine monitor calls the core module's interface routine on behalf of the loadable module, and the operating system returns from the virtual machine monitor; when the core module's interface routine finishes executing and returns, the operating system traps into the virtual machine monitor, the virtual machine monitor switches from the core-module page table to the loadable-module page table by changing the page directory address register, and the operating system returns from the virtual machine monitor to the loadable module;
S5. When a loadable module directly modifies a data page of a core module, the operating system traps into the virtual machine monitor, the virtual machine monitor handles the event according to a predetermined policy, and after handling completes the operating system returns from the virtual machine monitor;
Setting the attributes of the loadable-module page table and the core-module page table respectively means: in the loadable-module page table, the user data pages and loadable-module data pages are set to readable and writable, the user code pages, core-module data pages and loadable-module code pages are set to read-only, and the core-module code pages are set to unmapped; in the core-module page table, the user code pages, user data pages and core-module data pages are set to readable and writable, the core-module code pages and loadable-module data pages are set to read-only, and the loadable-module code pages are set to unmapped.
2. The virtualization-based capability isolation method for loadable modules of a monolithic kernel operating system according to claim 1, characterized in that, in step S2, before the attributes of the loadable-module page table and the core-module page table are set, the virtual machine monitor obtains the start address and length of the loadable module's code, the start address and length of the loadable module's data, the start address and length of the core module's code, and the start address and length of the core module's data, and computes the pages on which the loadable module and the core module reside.
3. The virtualization-based capability isolation method for loadable modules of a monolithic kernel operating system according to claim 1, characterized in that, in step S3, allocating dynamic memory for the loadable module means requesting one whole page from the kernel; when further requests from the loadable module are received afterwards, space is allocated directly within that page until it is insufficient, and then a whole page is requested from the kernel again.
4. The virtualization-based capability isolation method for loadable modules of a monolithic kernel operating system according to claim 1, characterized in that, in step S4, before the virtual machine monitor calls the core module's interface routine on behalf of the loadable module, the virtual machine monitor obtains the jump address that caused the trap into the virtual machine monitor and checks the legitimacy of the jump address; saves the current stack pointer register ESP, switches ESP to the core module's kernel stack, pushes onto the core module's kernel stack the input parameters previously pushed onto the loadable module's kernel stack, and restores the current ESP; and modifies the virtualization control structure VMCS in the virtual machine monitor so that the instruction register EIP in it points to the target jump address and ESP points to the top of the core module's kernel stack.
5. The virtualization-based capability isolation method for loadable modules of a monolithic kernel operating system according to claim 1, characterized in that, in step S4, before the operating system returns from the virtual machine monitor to the loadable module, the virtual machine monitor obtains the jump address that caused the trap into the virtual machine monitor and checks the legitimacy of the jump address; saves the current stack pointer register ESP, switches ESP to the loadable module's kernel stack, pops the input parameters that were pushed onto the loadable module's kernel stack, and restores the current ESP; and modifies the virtualization control structure VMCS in the virtual machine monitor so that the instruction register EIP in it points to the target return address and ESP points to the top of the loadable module's kernel stack.

Priority Applications (1)

Application Number: CN201410284500.2A
Priority Date: 2014-06-23
Filing Date: 2014-06-23
Title: Virtualization based power and function isolating method for loading module of monolithic kernel operation system

Publications (2)

Publication Number, Publication Date
CN104036185A, 2014-09-10
CN104036185B, 2017-04-12

Family ID: 51466953

Country Status (1): CN, CN104036185B (en)
Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106502759B (en) * 2015-09-06 2019-11-15 华为技术有限公司 A kind of data access method, code call method and virtual machine monitor
CN108958879B (en) * 2017-05-24 2021-02-26 华为技术有限公司 Monitoring method and device for virtual machine
CN107506638B (en) * 2017-08-09 2020-10-16 南京大学 Kernel control flow abnormity detection method based on hardware mechanism
CN108491716B (en) * 2018-01-29 2021-11-12 中国电子科技网络信息安全有限公司 Virtual machine memory isolation detection method based on physical page address analysis
CN108491249B (en) * 2018-03-16 2020-11-10 中国人民解放军战略支援部队信息工程大学 Kernel module isolation method and system based on module weight
EP3764239A4 (en) * 2018-07-11 2021-05-05 Huawei Technologies Co., Ltd. Method and device for enhancing isolation between user space and kernel space
CN109684049A (en) * 2018-11-23 2019-04-26 上海琪埔维半导体有限公司 A kind of routine call method
CN114090273A (en) * 2020-07-30 2022-02-25 华为技术有限公司 Method and device for interprocess communication and computer storage medium
CN114020330B (en) * 2021-11-04 2023-11-03 苏州睿芯集成电路科技有限公司 Method for mode switching in RISC-V processor authentication, electronic device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101071387A (en) * 2006-09-08 2007-11-14 华南理工大学 Driving program reinforcing method based on virtual server
CN102918035A (en) * 2010-06-04 2013-02-06 霍夫曼-拉罗奇有限公司 2 -amino- pyrimidine derivatives useful as inhibitors of jnk
CN103064784A (en) * 2012-11-29 2013-04-24 福建师范大学 Memory leak detection method facing Xen environment during operation and implement system thereof

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Cherub: Fine grained application protection with on demand virtualization; Hai Jin et al.; 《Computers & Mathematics with Applications》; 20130531; Vol. 65 (No. 9); 1326-1337 *
Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems; Xiaoxin Chen et al.; 《ACM SIGOPS Operating Systems Review》; 20080331; Vol. 42 (No. 2); full text *
Research on Sensitive Data Protection for Windows Applications; 陶照平 et al.; 《软件导刊》; 20120831; Vol. 11 (No. 8); full text *

Also Published As

Publication number Publication date
CN104036185A (en) 2014-09-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220406

Address after: 215500 5th floor, building 4, 68 Lianfeng Road, Changfu street, Changshu City, Suzhou City, Jiangsu Province

Patentee after: Changshu intellectual property operation center Co.,Ltd.

Address before: 215500 Changshou City South Three Ring Road No. 99, Suzhou, Jiangsu

Patentee before: CHANGSHU INSTITUTE OF TECHNOLOGY