CN105205391B - A kind of clean room method for real-time monitoring based on integrity verification - Google Patents
A kind of clean room method for real-time monitoring based on integrity verification
- Publication number: CN105205391B (application CN201510670209.3A)
- Authority: CN (China)
- Prior art keywords: virtual machine, program, server, absorbed, virtual
- Legal status: Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a clean room real-time monitoring method based on integrity verification. Through integrity detection of the user virtual machine and integrity verification of user programs it ensures the safety of the virtual machine. Monitoring of the virtual machine focuses on the integrity of its processes, kernel modules and dynamic libraries; by monitoring the running state of the virtual machine in real time it ensures that the virtual machine is not tampered with, thoroughly prevents unauthorized user behaviour, ensures the safe operation of user virtual machines in a cloud computing environment, and protects the safety of the applications inside the virtual machine.
Description
Technical field
The invention belongs to the field of computer science and technology, and more particularly relates to a clean room real-time monitoring method based on integrity verification.
Background technology
With the rapid development of cloud computing, data security problems are becoming increasingly severe. While a clean room is used to ensure the security of computation, ensuring the security of user programs with the clean room is also an important task. Detection techniques for monitoring application programs and data are already well developed; run-time integrity detection for virtual machines, however, is still not mature. On a remote server, application programs are hard to manage and network transmission is insecure, so user programs or virtual machines may be tampered with. Once such tampered programs enter the clean room they will leak the user's privacy and may even crash the server. A clean room real-time monitoring technique is therefore needed that monitors the running state of the virtual machine in real time, ensures that the virtual machine is complete and secure, and on that basis monitors the applications that enter the virtual machine to ensure that they run legitimately, thereby securing both the virtual machine and the environment in which user programs run.
Clean room real-time monitoring is implemented on top of clean room cloud computing. In the clean room cloud computing model the execution environment is divided into a "service state" and a "clean room state"; after the user signs the security service agreement the execution environment is switched to the clean room state, and the execution environment in the clean room state is open only to that user.
Existing virtual machine monitoring methods are usually based on integrity detection of the host: monitoring software is installed on the host, and while the user program and the monitoring software run at the same time, the monitoring software records the program's running state and thereby checks whether the program has been tampered with. The typical technique at present is the integrity measurement architecture (IMA), under which the operating system verifies, from kernel initialisation onwards, the application programs and kernel modules running on it in real time. Because this architecture cannot prevent an attacker from modifying the safe list, remote verification is needed to detect whether the list has been changed. The problem with this method is that the integrity measurement software and the user program run in the same environment, which may expose the measurement software; an attacker is likely to defeat integrity measurement by attacking the measurement software and the measurement list.
Invention content
The present invention provides a clean room real-time monitoring method for user virtual machines that prevents unauthorized user behaviour, ensures the safe operation of user virtual machines in a cloud computing environment, and protects the safety of the applications inside the virtual machine.
A clean room real-time monitoring method based on integrity verification, comprising the following steps:
Step 1: Install a trusted virtual monitor on the server, use the trusted virtual monitor to extract the server's initial data, compute the hash values of the server's initial data, and back up the server initial data, in the form of its corresponding hash values, into the trusted list on the server.
The server initial data comprises the server's system files and process data. The system file data comprises file type, file name and file size; the process data comprises process name, number of threads and peak number of threads of the process.
The trusted list stores trusted system data, trusted virtual machine information and trusted user program information.
Step 2: Install a virtual machine trap program in the trusted virtual monitor, and use the trap program's sh_page_fault function to obtain the processes, kernel modules and dynamic libraries of the virtual machine that has trapped into the trusted virtual monitor.
The virtual machine trap program is installed by changing the return address in the vmx_vmexit_handler function in the file Vmx.c to an illegal address.
Step 3: Run the integrity measurement agent in the trusted virtual machine and measure the integrity of the virtual machine obtained in step 2. If the virtual machine is complete, go to step 4; otherwise return to step 2 and wait for the trap program to obtain another virtual machine that has trapped into the trusted virtual monitor.
The integrity measurement agent is a component of the trusted virtual manager.
Step 4: Compute the hash values of the processes, kernel modules and dynamic libraries of the virtual machine obtained in step 2, and compare them with the hash value data in the trusted list of step 1.
If the virtual machine's hash values are present in the trusted list, the continue function restores guest_rip to its original address so that the virtual machine runs normally, and the method proceeds to step 5; otherwise the kill function is called to terminate the virtual machine, and the method returns to step 2 to wait for the trap program to obtain another virtual machine that has trapped into the trusted virtual monitor.
Step 5: Install an application monitor in the terminal, intercept the system calls generated by user programs, and obtain all parameters passed to those system calls.
Step 6: Run the integrity measurement agent in the terminal and compute hash values over the event type, the event arguments and the instructions of the program obtained in step 5.
Step 7: Create a socket using netlink, send the hash value data of step 6 to the server, and compare it with the hash values in the server's trusted list.
If the hash value of the program intercepted in step 5 is present in the server's trusted list, the continue function is called so that the user process continues executing and enters the virtual machine of step 2 to run; otherwise the TerminateProcess function is called to terminate the program.
Advantageous effects
The present invention provides a clean room real-time monitoring method based on integrity verification, which ensures the safety of the virtual machine through integrity detection of the user virtual machine and integrity verification of user programs. Monitoring of the virtual machine focuses on the integrity of its processes, kernel modules and dynamic libraries; by monitoring the running state of the virtual machine in real time it ensures that the virtual machine is not tampered with, thoroughly prevents unauthorized user behaviour, ensures the safe operation of user virtual machines in a cloud computing environment, and protects the safety of the applications inside the virtual machine.
Description of the drawings
Fig. 1 is the flow chart of the method of the invention;
Fig. 2 is the server monitoring model diagram;
Fig. 3 is the terminal monitoring model diagram.
Specific implementation mode
The invention is further described below with reference to a specific example and the accompanying drawings.
In this example the remote server uses Ubuntu 14.04 as its operating system and MySQL as its database; the client is a desktop computer running Windows 7. The server in this example is equipped with an out-of-band channel, independent of the system management terminal, that can be managed remotely using System Management Mode, the Intelligent Platform Management Interface and the Baseboard Management Controller; the client performs dynamic integrity detection of the virtual machine's running process by way of remote verification.
A clean room real-time monitoring method based on integrity verification, as shown in Fig. 1, comprises the following steps:
Step 1: Install a trusted virtual monitor on the server, use the trusted virtual monitor to extract the server's initial data, compute the hash values of the server's initial data, and back up the server initial data, in the form of its corresponding hash values, into the trusted list on the server. The server monitoring model is shown in Fig. 2.
The server initial data comprises the server's system files and process data. The system file data comprises file type, file name and file size; the process data comprises process name, number of threads and peak number of threads of the process.
The trusted list stores trusted system data, trusted virtual machine information and trusted user program information.
Server information is obtained by calling the following functions.
GetDriveType(lpRootPathName: PChar): UINT; returns the type of the specified drive.
GetDiskFreeSpace(lpRootPathName: PChar; var lpSectorsPerCluster, lpBytesPerSector, lpNumberOfFreeClusters, lpTotalNumberOfClusters: DWORD): BOOL; returns the total number of clusters, the number of free clusters, the number of sectors per cluster and the number of bytes per sector of the specified drive, from which the total capacity and the remaining space can be computed.
Step 2: Install a virtual machine trap program in the trusted virtual monitor, and use the trap program's sh_page_fault function to obtain the processes, kernel modules and dynamic libraries of the virtual machine that has trapped into the trusted virtual monitor.
The virtual machine trap program is installed by changing the return address in the vmx_vmexit_handler function in the file Vmx.c to an illegal address.
Installation method of the virtual machine trap program: open the file Vmx.c and change the return address in the vmx_vmexit_handler function to an illegal address. Then, in the sh_page_fault function, obtain the processes, kernel modules and dynamic libraries of the trapped virtual machine.
In this example the trusted virtual monitor is Xen. To obtain virtual machine information the user only needs the two interfaces Xencontrol and Xenstore.
Xencontrol is the control interface provided by Xen; it can only be used by Dom0 and helps Dom0 control and manage the other domains. Through Xencontrol, Dom0 can not only create and destroy domains and control their execution (pause, resume and migrate), but also access the CPU scheduling, memory allocation and devices of the other domains.
XenStore is the inter-domain shared storage system provided by Xen; it holds the configuration information of the management programs and of the front-end and back-end drivers in string form. The storage structure of XenStore resembles a DOM tree: each node has one string value and may have multiple child nodes. Under the xenstored root (/) there are three subdirectories: vm, local (actually /local/domain) and tool. vm stores virtual machine management information; tool holds no data for the time being; /local/domain holds the configuration and activity information of the running virtual machines.
Step 3: Run the integrity measurement agent in the trusted virtual machine and measure the integrity of the virtual machine obtained in step 2. If the virtual machine is complete, go to step 4; otherwise return to step 2.
In this implementation of the example the server runs three virtual machines, test0, test1 and test2. test0 and test1 are complete, while test2 lacks config.xml (the hardware configuration of the virtual machine). Running the three virtual machines in turn, test0 and test1 run normally and test2 cannot run.
Step 4: Compute the hash values of the processes, kernel modules and dynamic libraries of the virtual machine obtained in step 2, and compare them with the hash value data in the trusted list of step 1.
If the virtual machine's hash values are present in the trusted list, the continue function restores guest_rip to its original address so that the virtual machine runs normally, and the method proceeds to step 5; otherwise the kill function is called to terminate the virtual machine, and the method returns to step 2.
Declaration of the kill function:
int kill(pid_t pid, int sig);
kill() sends the signal specified by the parameter sig to the process specified by the parameter pid. The parameter pid has several cases:
pid > 0: the signal is sent to the process whose process identifier is pid.
pid = 0: the signal is sent to all processes in the same process group as the current process.
pid = -1: the signal is broadcast to all processes in the system.
pid < 0: the signal is sent to all processes whose process group identifier is the absolute value of pid.
Return value: 0 on success, -1 on error.
Declaration of the continue function:
bool Continue(pid_t pid, Address address);
Changes the return address of the process whose process identifier is pid to address.
In the example implementation only test0 is in the trusted list, so test0 runs normally and the run of test1 is aborted.
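The following Python example is added here and is not part of the patent or of any implementation of it. It works through steps 1, 3 and 4 on constructed data: it builds a trusted list that holds only hashes of the server's system-file and process records plus the hash of each trusted virtual machine, measures a virtual machine's processes, kernel modules and dynamic libraries into one hash, treats a virtual machine that lacks config.xml as incomplete, and reproduces the page's scenario in which only test0 is in the trusted list. The records, the virtual machine contents and the use of SHA-256 over canonical JSON are assumptions of the example; the page does not name its hash algorithm.

```python
import hashlib
import json
from typing import Dict, Iterable, Set

# Constructed sample of the "server initial data" of step 1: system files
# (type, name, size) and process data (name, thread count, peak thread count).
SYSTEM_FILES = [
    {"type": "regular", "name": "/usr/lib/xen/bin/xenconsoled", "size": 204800},
    {"type": "regular", "name": "/etc/xen/xl.conf", "size": 1024},
]
PROCESSES = [
    {"name": "xenstored", "threads": 1, "peak_threads": 1},
    {"name": "xenconsoled", "threads": 2, "peak_threads": 4},
]

# Constructed per-VM data as the trap program of step 2 would report it:
# the VM's files, processes, kernel modules and dynamic libraries.
VM_COMPONENTS: Dict[str, dict] = {
    "test0": {"files": ["config.xml", "disk.img"],
              "processes": ["init", "sshd"],
              "modules": ["ext4", "xen_netfront"],
              "libs": ["libc.so.6", "libpthread.so.0"]},
    "test1": {"files": ["config.xml", "disk.img"],
              "processes": ["init", "sshd", "unknown_loader"],  # differs from trusted
              "modules": ["ext4", "xen_netfront"],
              "libs": ["libc.so.6", "libpthread.so.0"]},
    "test2": {"files": ["disk.img"],                            # config.xml missing
              "processes": ["init"],
              "modules": ["ext4"],
              "libs": ["libc.so.6"]},
}
# Files a VM must have to count as complete in step 3 (config.xml per the example).
REQUIRED_VM_FILES = {"config.xml"}


def record_hash(record: dict) -> str:
    """Hash one record deterministically: canonical JSON (sorted keys, no
    whitespace) fed to SHA-256. SHA-256 is this example's choice."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def vm_hash(components: dict) -> str:
    """Step 4 measurement: one hash over the VM's processes, kernel modules
    and dynamic libraries, sorted so that enumeration order does not matter."""
    return record_hash({
        "kind": "vm",
        "processes": sorted(components["processes"]),
        "modules": sorted(components["modules"]),
        "libs": sorted(components["libs"]),
    })


def build_trusted_list(system_files: Iterable[dict], processes: Iterable[dict],
                       trusted_vms: Iterable[dict]) -> Set[str]:
    """Step 1: the trusted list stores hashes of the server's initial data
    and of the trusted VMs, never the raw data itself."""
    trusted: Set[str] = set()
    for f in system_files:
        trusted.add(record_hash({"kind": "file", **f}))
    for p in processes:
        trusted.add(record_hash({"kind": "process", **p}))
    for vm in trusted_vms:
        trusted.add(vm_hash(vm))
    return trusted


def vm_is_complete(components: dict) -> bool:
    """Step 3: a VM missing a required file (here config.xml) is incomplete."""
    return REQUIRED_VM_FILES <= set(components["files"])


def decide(vm_name: str, trusted: Set[str]) -> str:
    """Steps 3 and 4 combined: 'incomplete' sends the flow back to step 2,
    'continue' restores guest_rip and lets the VM run, 'kill' terminates it."""
    comp = VM_COMPONENTS[vm_name]
    if not vm_is_complete(comp):
        return "incomplete"
    return "continue" if vm_hash(comp) in trusted else "kill"


def run_example() -> Dict[str, str]:
    """Reproduce the page's scenario: only test0 is in the trusted list."""
    trusted = build_trusted_list(SYSTEM_FILES, PROCESSES, [VM_COMPONENTS["test0"]])
    return {name: decide(name, trusted) for name in VM_COMPONENTS}


if __name__ == "__main__":
    for name, verdict in run_example().items():
        print(f"{name}: {verdict}")
```

The measurement sorts each component list before hashing so that the verdict depends on which processes, modules and libraries are present rather than on the order in which the trap program enumerated them; a VM whose process list gains one entry that was not measured at trust time (test1) produces a different hash and is killed, exactly as a VM with a changed kernel module would be.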
Step 6: Run the integrity measurement agent in the terminal and compute hash values over the event type, the event arguments and the instructions of the program obtained in step 5. The terminal monitoring model is shown in Fig. 3.
The application monitor uses the API hook mechanism of Windows systems and sets a global hook to intercept the system calls generated by user programs.
The system call parameters include the full path of the program.
When a user program runs on Windows it calls the CreateProcess function, which generates a system call. The structure of the function is as follows:
BOOL CreateProcess(
LPCTSTR lpApplicationName,
LPTSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCTSTR lpCurrentDirectory,
LPSTARTUPINFO lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
);
Because the TerminateProcess() and WriteProcessMemory() calls of all application programs must be monitored, a global hook needs to be set.
Installation method of the global hook: first install a global hook by calling SetWindowsHookEx(); once the hook is installed, the operating system maps the DLL into the address space of the intercepted process. After a call instruction is intercepted, the first few bytes of the original function body are redirected with a JMP into the custom API function, thereby intercepting the system call.
The structure of the SetWindowsHookEx function is as follows:
HHOOK SetWindowsHookEx(
int idHook,
HOOKPROC lpfn,
HINSTANCE hMod,
DWORD dwThreadId
);
Step 7: Create a socket using netlink, send the hash value data of step 6 to the server, and compare it with the hash values in the server's trusted list.
If the hash value of the program intercepted in step 5 is present in the server's trusted list, the continue function is called so that the user process continues executing and enters the virtual machine of step 2 to run; otherwise the TerminateProcess function is called to terminate the program.
Declaration of the TerminateProcess function:
BOOL TerminateProcess(HANDLE hProcess, UINT uExitCode);
The parameter hProcess is the handle of the process to terminate (kill); the parameter uExitCode sets the exit code of the process.
Return value: FALSE (0) on failure, a nonzero value on success.
In the example implementation, running the organizer program on the terminal produced an error; after the program's hash value was updated into the server, the organizer program ran normally.
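The following Python example is added here and is not part of the patent or of any implementation of it. It plays both sides of the step 6 and step 7 exchange on constructed data: the terminal hashes the event type, the intercepted CreateProcess arguments and the program's instruction bytes, sends the hash to the server, and the server answers continue or terminate from its trusted list. A socketpair carrying length-prefixed JSON messages stands in for the netlink socket, SHA-256 is the example's choice of hash, and the organizer program's bytes and paths are invented; the scenario reproduces the page's account of the organizer program being rejected until its hash is updated on the server, and adds a tampered copy to show that one changed byte is rejected again.

```python
import hashlib
import json
import socket
import struct
from typing import List, Set

# Constructed stand-in for the instruction bytes of the intercepted user
# program (the page's "organizer program"); not real program code.
ORGANIZER_CODE = b"\x55\x48\x89\xe5\x48\x83\xec\x10\x31\xc0\xc9\xc3"


def event_hash(event_type: str, event_args: dict, program_code: bytes) -> str:
    """Step 6: hash over the event type, the intercepted call's arguments and
    the program's instruction bytes. Each field is length-prefixed so that
    bytes cannot be shifted between fields without changing the hash."""
    h = hashlib.sha256()
    for part in (event_type.encode(),
                 json.dumps(event_args, sort_keys=True).encode(),
                 program_code):
        h.update(struct.pack("!I", len(part)))
        h.update(part)
    return h.hexdigest()


def send_msg(sock: socket.socket, obj: dict) -> None:
    """Length-prefixed JSON message; an assumed wire format for the socket."""
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(data)) + data)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket mid-message")
        buf += chunk
    return buf


def recv_msg(sock: socket.socket) -> dict:
    (n,) = struct.unpack("!I", recv_exact(sock, 4))
    return json.loads(recv_exact(sock, n))


def server_verdict(trusted: Set[str], request: dict) -> dict:
    """Step 7, server side: look the received hash up in the trusted list."""
    ok = request.get("hash") in trusted
    return {"verdict": "continue" if ok else "terminate"}


def verify_program(trusted: Set[str], event_type: str, event_args: dict,
                   program_code: bytes) -> str:
    """Step 7, terminal side. A socketpair stands in for the netlink socket so
    the exchange runs offline; both ends are driven here in sequence."""
    terminal, server = socket.socketpair()
    try:
        send_msg(terminal, {"event": event_type,
                            "path": event_args.get("lpApplicationName"),
                            "hash": event_hash(event_type, event_args, program_code)})
        request = recv_msg(server)
        send_msg(server, server_verdict(trusted, request))
        return recv_msg(terminal)["verdict"]
    finally:
        terminal.close()
        server.close()


def register_program(trusted: Set[str], event_type: str, event_args: dict,
                     program_code: bytes) -> None:
    """The fix the page describes: update the program's hash into the
    server's trusted list so that later runs are allowed."""
    trusted.add(event_hash(event_type, event_args, program_code))


def run_example() -> List[str]:
    """Reproduce the page's scenario: the organizer program is rejected at
    first, accepted after its hash is registered, and a tampered copy of it
    is rejected again."""
    trusted: Set[str] = set()
    event = "CreateProcess"
    args = {"lpApplicationName": r"C:\Users\user\organizer.exe",  # constructed
            "lpCommandLine": "organizer.exe --start"}
    first = verify_program(trusted, event, args, ORGANIZER_CODE)
    register_program(trusted, event, args, ORGANIZER_CODE)
    second = verify_program(trusted, event, args, ORGANIZER_CODE)
    tampered = verify_program(trusted, event, args, ORGANIZER_CODE + b"\x90")
    return [first, second, tampered]


if __name__ == "__main__":
    print(run_example())
```

The server decides from the hash alone, so the terminal never has to send the program's bytes; the trade-off is that any change to the event arguments, for example a different command line for the same executable, also produces a new hash and has to be registered separately.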
Claims (1)
1. A clean room real-time monitoring method based on integrity verification, characterized in that it comprises the following steps:
Step 1: Install a trusted virtual monitor on the server, use the trusted virtual monitor to extract the server's initial data, compute the hash values of the server's initial data, and back up the hash values of the server initial data into the trusted list on the server.
The server initial data comprises the server's system files and process data. The system file data comprises file type, file name and file size; the process data comprises process name, number of threads and peak number of threads of the process.
The trusted list stores trusted system data, trusted virtual machine information and trusted user program information.
Step 2: Install a virtual machine trap program in the trusted virtual monitor, and use the trap program's sh_page_fault function to obtain the processes, kernel modules and dynamic libraries of the virtual machine that has trapped into the trusted virtual monitor.
The virtual machine trap program is installed by changing the return address of the vmx_vmexit_handler function in the file Vmx.c to an illegal address.
Step 3: Run the integrity measurement agent in the trusted virtual machine and measure the integrity of the virtual machine obtained in step 2. If the virtual machine is complete, go to step 4; otherwise return to step 2 and wait for the trap program to obtain another virtual machine that has trapped into the trusted virtual monitor.
Step 4: Compute the hash values of the processes, kernel modules and dynamic libraries of the virtual machine obtained in step 2, and compare them with the hash value data in the trusted list of step 1.
If the virtual machine's hash values are present in the trusted list, the continue function restores guest_rip to its original address so that the virtual machine runs normally, and the method proceeds to step 5; otherwise the kill function is called to terminate the virtual machine, and the method returns to step 2 to wait for the trap program to obtain another virtual machine that has trapped into the trusted virtual monitor.
Step 5: Install an application monitor in the terminal, intercept the system calls generated by user programs, and obtain all parameters passed to those system calls.
Step 6: Run the integrity measurement agent in the terminal and compute hash values over the event type, the event arguments and the instructions of the program obtained in step 5.
Step 7: Create a socket using netlink, send the hash value data of step 6 to the server, and compare it with the hash values in the server's trusted list.
If the hash value of the program intercepted in step 5 is present in the server's trusted list, the continue function is called so that the user process continues executing and enters the virtual machine of step 2 to run; otherwise the TerminateProcess function is called to terminate the program.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510670209.3A CN105205391B (en) | 2015-10-15 | 2015-10-15 | A kind of clean room method for real-time monitoring based on integrity verification |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105205391A CN105205391A (en) | 2015-12-30 |
CN105205391B true CN105205391B (en) | 2018-08-07 |
Family
ID=54953065
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510670209.3A Active CN105205391B (en) | 2015-10-15 | 2015-10-15 | A kind of clean room method for real-time monitoring based on integrity verification |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105205391B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106126116A (en) * | 2016-06-16 | 2016-11-16 | 北京航空航天大学 | A kind of integrity measurement optimization method of virtual machine image file |
CN106845231B (en) * | 2016-12-30 | 2020-05-19 | 北京瑞星网安技术股份有限公司 | Safety protection method and device based on virtualization environment |
CN107256368B (en) * | 2017-06-06 | 2020-02-07 | 北京航空航天大学 | Method for measuring file integrity in virtual machine based on copy-on-write characteristic |
CN107247910B (en) * | 2017-08-11 | 2021-01-15 | 苏州浪潮智能科技有限公司 | File integrity measurement detection method, system and detection equipment |
CN107919960A (en) * | 2017-12-04 | 2018-04-17 | 北京深思数盾科技股份有限公司 | The authentication method and system of a kind of application program |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103841198A (en) * | 2014-03-07 | 2014-06-04 | 中南大学 | Cleanroom cloud computing data processing method and system |
CN103984536A (en) * | 2014-02-14 | 2014-08-13 | 中国科学院计算技术研究所 | I/O (input/output) request counting system and method for cloud computing platform |
CN104751050A (en) * | 2015-04-13 | 2015-07-01 | 成都睿峰科技有限公司 | Client application program management method |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8782351B2 (en) * | 2011-10-13 | 2014-07-15 | International Business Machines Corporation | Protecting memory of a virtual guest |
Timeline
- 2015-10-15: CN application CN201510670209.3A filed, granted as CN105205391B, status Active
Non-Patent Citations (1)
Title |
---|
Transparent privacy protection based on a virtual machine monitor (基于虚拟机监控器的隐私透明保护); Ren Jianbao et al.; Journal of Software (软件学报); 2015-08-15; Vol. 26, No. 8; pp. 2124-2137 * |
Also Published As
Publication number | Publication date |
---|---|
CN105205391A (en) | 2015-12-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105205391B (en) | A kind of clean room method for real-time monitoring based on integrity verification | |
US10740456B1 (en) | Threat-aware architecture | |
US9934376B1 (en) | Malware detection appliance architecture | |
TWI544328B (en) | Method and system for probe insertion via background virtual machine | |
US10002252B2 (en) | Verification of trusted threat-aware microvisor | |
US9509553B2 (en) | System and methods for management virtualization | |
US20180039507A1 (en) | System and method for management of a virtual machine environment | |
US20170255545A1 (en) | Methods and systems of function-specific tracing | |
US20160191550A1 (en) | Microvisor-based malware detection endpoint architecture | |
wook Baek et al. | Cloudvmi: Virtual machine introspection as a cloud service | |
US9229758B2 (en) | Passive monitoring of virtual systems using extensible indexing | |
US10140145B1 (en) | Displaying guest operating system statistics in host task manager | |
WO2006014554A2 (en) | Method and system for monitoring system memory integrity | |
JP2019527877A (en) | Automatic distribution of PLC virtual patches and security context | |
US20170083705A1 (en) | Apparatus and method for analyzing malicious code in multi-core environment | |
US20130111018A1 (en) | Passive monitoring of virtual systems using agent-less, offline indexing | |
US20180025158A1 (en) | System and method for detecting malware in a stream of bytes | |
JP2019066995A (en) | System capable of selectively switching between secure mode and non-secure mode | |
Jiang et al. | CRONUS: Fault-isolated, secure and high-performance heterogeneous computing for trusted execution environment | |
CN106529284B (en) | Virtual machine monitor security reinforcement method based on security chip | |
CN113535532A (en) | Fault injection system, method and device | |
CN107516039A (en) | The safety protecting method and device of virtualization system | |
Laurén et al. | Virtual machine introspection based cloud monitoring platform | |
US20240241779A1 (en) | Signaling host kernel crashes to dpu | |
Sun et al. | A lightweight kernel objects monitoring infrastructure for embedded systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |