CN105117273A - Method and system for obtaining client process information in xen virtualization platform
- Publication number: CN105117273A (application CN201510576345.6A)
- Authority: CN (China)
- Legal status: Pending
Abstract
The invention discloses a system for obtaining client (guest) process information in a xen virtualization platform. The system comprises a client hypercall monitoring module, a response API driver module and an information scanning module. By combining the three modules, and without changing any module of the xen virtualization platform, a virtual machine response API driver module that is completely transparent to both the virtualization platform and the virtual machine is achieved, and the process and register information in the virtual machine is scanned and analyzed on the basis of that module. Compared with other systems providing a similar function on the xen virtualization platform, no source code needs to be changed, so the implementation and deployment mode is more readily accepted by users.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a method and a system for acquiring client process information in a xen virtualization platform.
Background
Xen is an open-source virtual machine monitor that uses the ICA protocol and achieves high performance through a technique called para-virtualization, which performs well even on architectures that are extremely hostile to traditional virtualization techniques (x86). Xen can safely execute multiple virtual machines on one set of physical hardware, and Xen virtual machines can be live-migrated among multiple physical hosts without being stopped.
In actual use, the clients (guests) in a Xen virtualization platform need to be monitored. In the traditional monitoring technology, a core module in the kernel of the Xen virtualization platform has to be modified before the running information in a client system can be queried.
This monitoring mode has the defect of being time-consuming and labor-intensive: it is not conducive to effective monitoring of the client, and the extra manpower also raises the monitoring cost.
Disclosure of Invention
The invention aims to provide, in view of the defects of the prior art, a method and a system for acquiring client process information in a xen virtualization platform, which effectively overcome the technical defects of low client information monitoring efficiency and high monitoring cost in the conventional xen virtualization platform.
The system for acquiring client process information in the xen virtualization platform comprises a client hypercall monitoring module, a response API driver module and an information scanning module; wherein,
the client hypercall monitoring module is mainly used to intercept the hypercall request IOCTL that the kernel driver privcmd in the Xen virtualization platform initiates towards Xen, and to transmit the parameters required by the intercepted hypercall request IOCTL to the response API driver module;
the response API driver module uses the parameters intercepted by the client hypercall monitoring module to initiate the hypercall request IOCTL to Xen in place of the kernel driver privcmd of the Xen system, records the file descriptor of the VCPU that Xen invokes in response to the hypercall request IOCTL, returns that file descriptor to the kernel driver privcmd so as to acquire the information of the processes and registers in the running client, structures the acquired process and register information, exposes it to the information scanning module through a process scanning interface, receives the scanning commands initiated by the information scanning module, and initiates the corresponding request to Xen through the file descriptor of the VCPU.
The information scanning module analyzes the client-related information acquired by the response API driver module, separates out the client process and register information, analyzes it according to an agreed rule structure and generates a report; the information scanning module is mainly responsible for issuing scanning commands for the process information of the virtual machine through the response API driver module.
In the system, the client hypercall monitoring module monitors the hypercall IOCTL in the host; if a hypercall IOCTL for creating a virtual VCPU is initiated by the kernel driver privcmd, the client hypercall monitoring module intercepts and captures it, constructs a new hypercall IOCTL for creating the virtual VCPU from the intercepted parameters and calls XEN, returns the return value of the hypercall IOCTL executed by XEN to the kernel driver privcmd, and transmits the file descriptor of the virtual VCPU to the response API driver module.
In the system, the response API driver module encapsulates the return results corresponding to the 37 system call commands received through the hypercall IOCTL interface provided by __HYPERVISOR_domctl, and provides, in the form of a hypercall IOCTL, an interface through which an external program can read those results.
The invention also provides a method for acquiring client process information in the xen virtualization platform, which comprises the following specific steps:
step one: a client hypercall interception module intercepts a hypercall IOCTL initiated by the kernel driver privcmd, and sends the parameters of the intercepted hypercall IOCTL to a response API driver module;
step two: the response API driver module uses the parameters sent by the client hypercall interception module to send a hypercall IOCTL to the XEN virtualization platform in place of the kernel driver privcmd, records the file descriptor of the virtual CPU with which the XEN virtualization platform responds to the hypercall IOCTL and returns it to the kernel driver privcmd, obtains the process and register information in the running client machine, and, after structuring, exposes the obtained information to an external program through a process scanning interface;
step three: when the response API driver module receives a scan command initiated by an external program, the scan request is initiated to XEN through __HYPERVISOR_domctl.
The method further comprises scanning the client process information and register information acquired by the response API driver module, analyzing the scan result to generate an analysis report, and issuing the scan command for the client process information to an external program through the hypercall IOCTL interface provided by the response API driver module.
The invention has the advantage that, according to this technical scheme, the process information of virtual machines running on the xen virtualization platform can be monitored and analyzed transparently without modifying the core module code in the kernel of the xen virtualization platform.
Drawings
FIG. 1 is a flowchart of the prior-art calling process in which the kernel driver privcmd initiates a call to a client through the IOCTL interface;
FIG. 2 is a block diagram of the system for acquiring client process information in an XEN virtualization platform in this embodiment;
FIG. 3 is a schematic flow chart of transparently obtaining __HYPERVISOR_domctl through the IOCTL call request intercepted by the client hypercall monitoring module in this embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are further described in detail below with reference to the accompanying drawings. It should be noted that the embodiments of the present application, and the features in them, may be combined with each other arbitrarily where there is no conflict.
Example 1
Currently, the IOCTL interface of the XEN virtualization platform is provided for the kernel driver privcmd to call; the specific calling process is shown in FIG. 1. When the XEN virtualization platform is used, it first has to start the XEN kernel through __start_xen; the kernel driver privcmd then requests a vcpu from the XEN virtualization platform, and the XEN virtualization platform returns a context description of that vcpu, vcpu_guest_context. Through vcpu_guest_context, the process running on the virtual cpu and the register information it uses can be monitored. Without modifying any code of the XEN virtualization platform, the vcpu_guest_context of a running vcpu normally cannot be obtained, that is, the hypercall IOCTL interface that the XEN virtualization platform provides externally cannot be used to monitor the process and register information in a client running on the XEN virtualization platform. The invention therefore provides a system for obtaining client process information in the XEN virtualization platform, comprising a client hypercall interception module, a response API driver module and an information scanning module.
As shown in FIG. 2 and FIG. 3, the client hypercall monitoring module is responsible for intercepting the hypercall IOCTLs of the physical host, analyzing the name and parameters of each hypercall IOCTL, intercepting the hypercall IOCTL for the virtual CPU initiated by the kernel driver privcmd, and sending the parameters of the intercepted hypercall IOCTL to the response API driver module, so that the response API driver module can construct a new hypercall IOCTL and thereby obtain vcpu_guest_context.
Specifically, the client hypercall monitoring module monitors the hypercall IOCTLs of the host; if a hypercall IOCTL is the one for creating a vcpu initiated by the kernel driver privcmd, it intercepts the parameters of that hypercall IOCTL, constructs a new hypercall IOCTL for creating the vcpu using the intercepted parameters, and executes it; after the client hypercall interception module obtains the return value of the executed hypercall IOCTL, namely vcpu_guest_context, that vcpu_guest_context is returned, as the return value of the hypercall IOCTL, to both the kernel driver privcmd and the response API driver module.
The response API driver module initiates the hypercall IOCTL to XEN in place of the kernel driver privcmd according to the parameters sent by the hypercall IOCTL interception module, records the vcpu_guest_context returned by XEN and sends it to the kernel driver privcmd, obtains the process and register information in the running client machine, structures that information and exposes it to the information scanning module through a process scanning interface; the same interface is also responsible for receiving scan commands initiated by the information scanning module and initiating the corresponding request to XEN through vcpu_guest_context.
In the above system, the response API driver module encapsulates the return results corresponding to the 37 system call commands received through the hypercall IOCTL interface provided by __HYPERVISOR_domctl, and provides the information scanning module with an interface, in the form of a hypercall IOCTL, for reading the scan result; the encapsulated hypercall IOCTL interfaces may also include information such as the physical memory addresses of the client vcpu.
In addition, the system for acquiring client process information based on the XEN virtualization platform may further include a security monitoring module, which is responsible for scanning and inspecting the client process information and the vcpu register information, analyzing their security according to the scan result, and generating an analysis report; it issues the scan command for the client process information through the hypercall IOCTL interface provided by the response API driver module.
Specifically, the security monitoring module includes a scanning policy configuration module, a scanning execution module, a security analysis report module, and a security rule base.
The scanning policy configuration module is used to configure the scanning policy for security detection and to initiate the call that executes a scan; the scanning execution module calls the hypercall IOCTL interface provided by the response API driver module, which drives the response API driver module to call the XEN response interface and obtain the register information of the client's current vcpu; the security analysis report module queries the security rule base according to the scan result and judges the state of the current process information, that is, whether an alarm is needed; and the security rule base module is used to maintain the rules in the security rule base.
The architecture of the client process information system described above is shown in FIG. 2.
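As an added illustration (not code from the patent), the following C program models in user space the interception and structuring steps described in the Disclosure and in Example 1 above: it recognises the __HYPERVISOR_domctl / XEN_DOMCTL_getvcpucontext request that privcmd issues, records the target domain, VCPU and context buffer, and turns the returned vcpu_guest_context into a structured register record for the scanning interface. The struct layouts are simplified mirrors of Xen's public headers reduced to the fields used here, and the sample request is constructed.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define __HYPERVISOR_domctl        36  /* hypercall number, from xen/public/xen.h */
#define XEN_DOMCTL_getvcpucontext  13  /* domctl sub-command, from xen/public/domctl.h */

/* Body of an IOCTL_PRIVCMD_HYPERCALL request as privcmd receives it from user space. */
struct privcmd_hypercall {
    uint64_t op;      /* hypercall number */
    uint64_t arg[5];  /* for a domctl hypercall, arg[0] points at the xen_domctl */
};

/* Simplified mirror of struct xen_domctl holding only the fields this example
 * reads (an assumption for illustration, not the real ABI layout). */
struct xen_domctl {
    uint32_t cmd;               /* XEN_DOMCTL_* sub-command */
    uint16_t domain;            /* target domain id */
    struct {
        uint32_t vcpu;          /* target VCPU */
        uint64_t ctxt;          /* handle of the buffer Xen fills with the context */
    } getvcpucontext;
};

/* Simplified mirror of the x86-64 vcpu_guest_context fields read below (assumption). */
struct vcpu_guest_context {
    uint64_t rip, rsp;
    uint16_t cs;
    uint64_t ctrlreg[8];        /* ctrlreg[3] is CR3, the page-table base */
};

/* What the monitoring module hands to the response API driver module. */
struct intercept_target { uint16_t domid; uint32_t vcpu; uint64_t ctxt_handle; };

/* Structured record exposed through the process scanning interface. */
struct vcpu_regs {
    uint16_t domid;
    uint32_t vcpu;
    uint64_t rip, rsp, cr3;
    int      user_mode;         /* CS RPL == 3: the VCPU was executing user code */
};

/* Interception decision: returns 1 and fills *out when the captured hypercall is a
 * getvcpucontext domctl; returns 0 for any other request, which passes through. */
int classify_hypercall(const struct privcmd_hypercall *hc, struct intercept_target *out)
{
    if (hc->op != __HYPERVISOR_domctl)
        return 0;
    /* In this user-space model arg[0] is a plain pointer; real privcmd copies it in. */
    const struct xen_domctl *dc = (const struct xen_domctl *)(uintptr_t)hc->arg[0];
    if (dc == NULL || dc->cmd != XEN_DOMCTL_getvcpucontext)
        return 0;
    out->domid = dc->domain;
    out->vcpu = dc->getvcpucontext.vcpu;
    out->ctxt_handle = dc->getvcpucontext.ctxt;
    return 1;
}

/* Structuring step: pull the registers of interest out of the raw context that Xen
 * returned, tagging them with the domain and VCPU they belong to. */
struct vcpu_regs structure_context(const struct intercept_target *t,
                                   const struct vcpu_guest_context *ctx)
{
    struct vcpu_regs r;
    memset(&r, 0, sizeof r);
    r.domid = t->domid;
    r.vcpu = t->vcpu;
    r.rip = ctx->rip;
    r.rsp = ctx->rsp;
    r.cr3 = ctx->ctrlreg[3];
    r.user_mode = (ctx->cs & 3) == 3;
    return r;
}

int main(void)
{
    /* Constructed sample: privcmd asks for VCPU 1 of domain 7 and Xen has filled ctx. */
    struct vcpu_guest_context ctx = { .rip = 0x7f3a11c0d4b0ULL, .rsp = 0x7ffd2e9a0f10ULL, .cs = 0x33 };
    ctx.ctrlreg[3] = 0x1a2b3c000ULL;
    struct xen_domctl dc = { .cmd = XEN_DOMCTL_getvcpucontext, .domain = 7 };
    dc.getvcpucontext.vcpu = 1;
    dc.getvcpucontext.ctxt = (uint64_t)(uintptr_t)&ctx;
    struct privcmd_hypercall hc = { .op = __HYPERVISOR_domctl };
    hc.arg[0] = (uint64_t)(uintptr_t)&dc;
    struct intercept_target t;
    if (classify_hypercall(&hc, &t)) {
        struct vcpu_regs r = structure_context(&t, &ctx);
        printf("dom%u vcpu%u rip=%#llx rsp=%#llx cr3=%#llx (%s mode)\n", (unsigned)r.domid,
               (unsigned)r.vcpu, (unsigned long long)r.rip, (unsigned long long)r.rsp,
               (unsigned long long)r.cr3, r.user_mode ? "user" : "kernel");
    }
    return 0;
}
```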
Example 2
This embodiment provides a security monitoring system for client process information and register information, which comprises a scanning policy configuration module, a scanning execution module, a security analysis report module and a security rule base.
The scanning execution module is used to obtain, through the hypercall IOCTL interface provided by the response API driver module, the scan result of the client process and register information.
The scanning policy configuration module is used to customize the scan plan; because scanning consumes some resources of the virtualization platform, the module provides a customizable scan plan to ensure that scanning does not compete for resources with the operation of the service client machines.
The security analysis report module performs security analysis on the scan result, evaluates the running state of each client process according to the matching rules given in the security rule base, and marks suspicious processes. The analysis result is formatted and stored as text.
The security rule base module maintains a simple file-type database, which stores the evaluation rules for process and register information scan results; the rule base module provides addition, deletion, modification and lookup of entries in the database.
It can be seen from the foregoing embodiments that, according to the technical solution of the present application, a virtual machine response API driver module that is completely transparent to both the virtualization platform and the virtual machine is implemented without modifying any xen virtualization platform module, and the scanning and analysis of process and register information in the virtual machine is implemented on the basis of that module. The technical scheme of the application differs from other systems that provide similar functions on xen virtualization platforms mainly in that no source code needs to be modified at all, so the implementation and deployment mode is more acceptable to users.
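As an added example (not the patent's code), the following C program implements the security analysis step of Example 2: a file-type rule base is loaded from text, each structured process/register scan record is evaluated against it, suspicious processes are marked, and the formatted text report and alarm count are produced. The rule syntax, the two rule kinds and the sample scan records are assumptions constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#define MAX_RULES 32
enum verdict { V_OK = 0, V_SUSPICIOUS = 1, V_ALARM = 2 };

/* One structured scan record as delivered through the process scanning interface;
 * user_mode is 1 when the VCPU was in user mode (CS RPL == 3) when sampled. */
struct proc_record { int pid; char name[32]; uint64_t rip, cr3; int user_mode; };

/* Rule base entry. kind "name": exact process-name match. kind "user_rip_kernel":
 * a user-mode process whose RIP lies in the kernel half of the address space. */
struct rule { char kind[24]; char arg[32]; enum verdict verdict; };
struct rule_base { struct rule rules[MAX_RULES]; int n; };

/* Loads "kind arg verdict" lines from the file-type rule base text; '#' lines are
 * comments and malformed lines are skipped. Returns the number of rules loaded. */
int load_rule_base(const char *text, struct rule_base *rb)
{
    char buf[1024], kind[24], arg[32], verdict[16];
    rb->n = 0;
    strncpy(buf, text, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *line = strtok(buf, "\n"); line && rb->n < MAX_RULES; line = strtok(NULL, "\n")) {
        if (line[0] == '#' || sscanf(line, "%23s %31s %15s", kind, arg, verdict) != 3)
            continue;
        struct rule *r = &rb->rules[rb->n++];
        strcpy(r->kind, kind);
        strcpy(r->arg, arg);
        r->verdict = strcmp(verdict, "alarm") == 0 ? V_ALARM
                   : strcmp(verdict, "suspicious") == 0 ? V_SUSPICIOUS : V_OK;
    }
    return rb->n;
}

/* Evaluates one record against every rule; the strongest matching verdict wins. */
enum verdict evaluate_process(const struct rule_base *rb, const struct proc_record *p)
{
    enum verdict v = V_OK;
    for (int i = 0; i < rb->n; i++) {
        const struct rule *r = &rb->rules[i];
        int hit = 0;
        if (strcmp(r->kind, "name") == 0)
            hit = strcmp(r->arg, p->name) == 0;
        else if (strcmp(r->kind, "user_rip_kernel") == 0)
            hit = p->user_mode && p->rip >= 0xffff800000000000ULL;
        if (hit && r->verdict > v)
            v = r->verdict;
    }
    return v;
}

/* Scans all records, writes the formatted text report into out and returns how
 * many records need an alarm. */
int run_scan(const struct rule_base *rb, const struct proc_record *procs, int n,
             char *out, size_t outlen)
{
    static const char *label[] = { "ok", "suspicious", "ALARM" };
    int alarms = 0;
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        enum verdict v = evaluate_process(rb, &procs[i]);
        if (v == V_ALARM) alarms++;
        int w = snprintf(out + used, used < outlen ? outlen - used : 0,
                         "pid=%d name=%s rip=%#llx cr3=%#llx mode=%s verdict=%s\n",
                         procs[i].pid, procs[i].name, (unsigned long long)procs[i].rip,
                         (unsigned long long)procs[i].cr3,
                         procs[i].user_mode ? "user" : "kernel", label[v]);
        if (w > 0) used += (size_t)w;
    }
    return alarms;
}

/* Constructed rule base: the contents a deployment would keep in the rule file. */
static const char SAMPLE_RULES[] =
    "# kind arg verdict\n"
    "name kworker/0:1 ok\n"
    "name nc suspicious\n"
    "user_rip_kernel - alarm\n";

int main(void)
{
    struct rule_base rb;
    struct proc_record procs[3] = {     /* constructed scan records */
        { 412, "sshd", 0x7f1c2a3b4c50ULL, 0x11a000ULL, 1 },
        { 913, "nc",   0x7f9e7d6c5b40ULL, 0x2f3000ULL, 1 },
        { 977, "svc",  0xffffffff81a2b3c4ULL, 0x3c1000ULL, 1 },  /* user mode, kernel RIP */
    };
    char report[512];
    load_rule_base(SAMPLE_RULES, &rb);
    int alarms = run_scan(&rb, procs, 3, report, sizeof report);
    printf("%salarms: %d\n", report, alarms);
    return 0;
}
```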
It will be understood by those skilled in the art that all or part of the steps of the above methods may be implemented by instructing the relevant hardware through a program, and the program may be stored in a computer readable storage medium, such as a read-only memory, a magnetic or optical disk, and the like. Alternatively, all or part of the steps of the above embodiments may be implemented using one or more integrated circuits. Accordingly, each module/unit in the above embodiments may be implemented in the form of hardware, and may also be implemented in the form of a software functional module. The present application is not limited to any specific form of hardware or software combination.
The above description is only a preferred example of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (6)
1. A system for acquiring client process information in a xen virtualization platform, characterized by comprising a client hypercall monitoring module, a response API driver module and an information scanning module; wherein,
the client hypercall monitoring module is mainly used to intercept the hypercall request IOCTL that the kernel driver privcmd in the Xen virtualization platform initiates towards Xen, and to transmit the parameters required by the intercepted hypercall request IOCTL to the response API driver module;
the response API driver module uses the parameters intercepted by the client hypercall monitoring module to initiate the hypercall request IOCTL to Xen in place of the kernel driver privcmd of the Xen system, records the file descriptor of the VCPU that Xen invokes in response to the hypercall request IOCTL, returns that file descriptor to the kernel driver privcmd so as to acquire the information of the processes and registers in the running client, structures the acquired process and register information, exposes it to the information scanning module through a process scanning interface, receives the scanning commands initiated by the information scanning module, and initiates the corresponding request to Xen through the file descriptor of the VCPU;
the information scanning module analyzes the client-related information acquired by the response API driver module, separates out the client process and register information, analyzes it according to an agreed rule structure and generates a report; the information scanning module is mainly responsible for issuing scanning commands for the process information of the virtual machine through the response API driver module.
2. The system for obtaining client process information in a xen virtualization platform as defined in claim 1, wherein: the client hypercall monitoring module monitors the hypercall IOCTL in a host; if a hypercall IOCTL for creating a virtual VCPU is initiated by the kernel driver privcmd, the client hypercall monitoring module intercepts and captures it, constructs a new hypercall IOCTL for creating the virtual VCPU according to the parameters of the intercepted hypercall IOCTL and calls XEN, returns the return value of the hypercall IOCTL executed by XEN to the kernel driver privcmd, and transmits the file descriptor of the virtual VCPU to the response API driver module.
3. The system for obtaining client process information in a xen virtualization platform as defined in claim 1, wherein: the response API driver module encapsulates the return results corresponding to the 37 system call commands received through the hypercall IOCTL interface provided by __HYPERVISOR_domctl, and provides, in the form of a hypercall IOCTL, an interface through which an external program can read the results.
4. A method for acquiring client process information in a xen virtualization platform, comprising the following specific steps:
step one: a client hypercall interception module intercepts a hypercall IOCTL initiated by the kernel driver privcmd, and sends the parameters of the intercepted hypercall IOCTL to a response API driver module;
step two: the response API driver module uses the parameters sent by the client hypercall interception module to send a hypercall IOCTL to the XEN virtualization platform in place of the kernel driver privcmd, records the file descriptor of the virtual CPU with which the XEN virtualization platform responds to the hypercall IOCTL and returns it to the kernel driver privcmd, obtains the process and register information in the running client machine, and, after structuring, exposes the obtained information to an external program through a process scanning interface;
step three: when the response API driver module receives a scan command initiated by an external program, the scan request is initiated to XEN through __HYPERVISOR_domctl.
5. The method of obtaining client process information in a xen virtualization platform as defined in claim 4, wherein: the process information and register information in the client acquired by the response API driver module are scanned, the scan result is analyzed to generate an analysis report, and the scan command for the client process information is issued to an external program through the hypercall IOCTL interface provided by the response API driver module.
6. A security monitoring system for client process information and register information, characterized in that the security monitoring system comprises a scanning policy configuration module, a scanning execution module, a security analysis report module and a security rule base; wherein,
the scanning execution module is used to obtain, through the hypercall IOCTL interface provided by the response API driver module, the scan result of the client process and register information;
the scanning policy configuration module is used to customize the scan plan; because scanning consumes some resources of the virtualization platform, the module provides a customizable scan plan to ensure that scanning does not compete for resources with the operation of the service client machines;
the security analysis report module performs security analysis on the scan result, evaluates the running state of each client process according to the matching rules given in the security rule base, and marks suspicious processes;
the analysis result is formatted and then stored as text;
the security rule base module maintains a simple file-type database, which stores the evaluation rules for process and register information scan results;
the rule base module provides addition, deletion, modification and lookup of entries in the database.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510576345.6A CN105117273A (en) | 2015-09-11 | 2015-09-11 | Method and system for obtaining client process information in xen virtualization platform |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105117273A true CN105117273A (en) | 2015-12-02 |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20151202 |