Summary of the invention
In view of the above defects of the prior art, a method and a device for detecting virtual machine process information are proposed to solve the technical problem described above.
In a first aspect, the present invention provides a device for detecting virtual machine process information, comprising:
an interception module, for intercepting the IOCTL system call initiated by a kernel driver in the virtualization platform;
an obtaining module, for obtaining the parameters of the IOCTL system call;
a detection module, for checking the parameters against a preset strategy;
a determining module, for determining, according to the detection result, whether to execute the IOCTL system call.
Optionally, the device further comprises a monitoring module for monitoring the system calls of the host; the interception module is configured to intercept the IOCTL system call when an IOCTL system call initiated from Qemu-kvm to kvm is observed by the monitoring.
Optionally, the device further comprises a monitoring module for monitoring the system calls of the host; the interception module is configured to intercept the IOCTL system call when an IOCTL system call initiated from Privcmd to xen is observed by the monitoring.
Optionally, determining, according to the detection result, whether to execute the IOCTL system call comprises: if the detection result is that the call is legal, executing the IOCTL system call.
Optionally, the determining module is configured to block the IOCTL system call when the detection result is that the call is illegal; and the device further comprises a sending module for sending a warning message to the monitoring host.
Optionally, the sending module is configured to send the warning message to the monitoring host in the form of a popup window or in the form of a log.
In a second aspect, the present invention also provides a method for detecting virtual machine process information, comprising:
intercepting the IOCTL system call initiated by a kernel driver in the virtualization platform;
obtaining the parameters of the IOCTL system call and checking the parameters against a preset strategy;
determining, according to the detection result, whether to execute the IOCTL system call.
Optionally, before intercepting the IOCTL system call initiated by the kernel driver in the virtualization platform, the method further comprises: monitoring the system calls of the host, and if an IOCTL system call initiated from Qemu-kvm to kvm is observed, intercepting that IOCTL system call.
Optionally, before intercepting the IOCTL system call initiated by the kernel driver in the virtualization platform, the method further comprises: monitoring the system calls of the host, and if an IOCTL system call initiated from Privcmd to xen is observed, intercepting that IOCTL system call.
Optionally, determining, according to the detection result, whether to execute the IOCTL system call comprises: if the detection result is that the call is legal, executing the IOCTL system call.
Optionally, determining, according to the detection result, whether to execute the IOCTL system call comprises: if the detection result is that the call is illegal, blocking the IOCTL system call and sending a warning message to the monitoring host.
Optionally, sending the warning message to the monitoring host comprises: sending the warning message to the monitoring host in the form of a popup window or in the form of a log.
As can be seen from the above technical solution, the present invention provides a method and a device for detecting virtual machine process information. By intercepting the IOCTL system call initiated by the kernel driver and checking the parameters of that IOCTL system call, it prevents a virtual machine from using IOCTL system calls to attack or take control of the host operating system, and thus prevents virtual machine escape.
Specific embodiments
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Virtual machine escape refers to an attack that exploits a vulnerability in the virtual machine software, or in software running inside the virtual machine, in order to attack or take control of the host operating system.
Fig. 1 is a flow diagram of a method for detecting virtual machine process information provided by one embodiment of the invention. As shown in Fig. 1, the method includes the following steps:
101. Intercept the IOCTL system call initiated by a kernel driver in the virtualization platform.
In this embodiment, intercepting the IOCTL system call initiated by the kernel driver can be understood as hooking the ioctl function.
At present, virtualization platforms include the xen platform and the kvm platform; the virtualization platform in this embodiment may be either of the two.
102. Obtain the parameters of the IOCTL system call and check the parameters against a preset strategy.
The parameters of the IOCTL system call may describe a read operation, a write operation, an operation that opens a program, an operation that closes a program, and so on.
103. Determine, according to the detection result, whether to execute the IOCTL system call.
By intercepting the IOCTL system call initiated by the kernel driver and checking its parameters, the above method prevents a virtual machine from using IOCTL system calls to attack or take control of the host operating system, and thus prevents virtual machine escape.
Since virtualization platforms include the xen platform and the kvm platform, the above method is described in detail below for each of the two platforms.
Taking the xen platform as an example, Fig. 2 is a flow diagram of the method for detecting virtual machine process information provided in this embodiment. As shown in Fig. 2, the method includes the following steps:
201. Monitor the system calls of the host, and if an IOCTL system call initiated from Privcmd to xen is observed, intercept that IOCTL system call.
At present, the IOCTL interface of the xen platform is provided to, and called by, the kernel driver Privcmd. As shown in Fig. 3 and Fig. 4, the guest interception module is responsible for intercepting the hypercall IOCTLs on the physical host, analysing the name and parameters of each intercepted IOCTL call, and intercepting the hypercall IOCTL by which the kernel driver Privcmd requests a virtual CPU.
202. Obtain the parameters of the IOCTL system call, check the parameters against the preset strategy, and obtain a detection result.
It will be appreciated that the preset strategy may be a strategy for deciding whether the parameters of the IOCTL system call are legal; the parameter check covers read operations, write operations, operations that open a program, operations that close a program, and so on. The preset strategy may also be understood as a security rule base: the parameters are matched against the rules in the security rule base, the operating state is assessed, and suspicious parameters are marked.
The preset strategy may also be updated periodically; this embodiment places no limit on this.
203. Judge whether the detection result is a legal call; if so, execute step 204, otherwise execute step 205.
204. Execute the IOCTL system call.
205. Block the IOCTL system call and send a warning message to the monitoring host.
The warning message is sent to the monitoring host in the form of a popup window or in the form of a log. The warning message may include the suspicious parameters; by sending a warning message that includes the suspicious parameters to the administrator, the administrator can promptly examine and analyse the corresponding call and capture and block the suspicious process, thereby avoiding virtual machine escape.
Without modifying any module of the xen platform, the above method realizes a virtual machine introspection API that is fully transparent to both the virtualization platform and the virtual machines, and on the basis of this interface scans and analyses the process and register information inside the virtual machine. The main difference between the system realized by this technical solution on the xen platform and other systems providing similar functions is that the source code of Privcmd and xen is left completely unmodified. This is an implementation and deployment approach that users accept more readily, because the provider of cloud computing and virtualization services and the provider of security services are normally not the same vendor. If the security service provider modifies and recompiles the source code of the virtualization provider's product, the stability of the underlying virtualization platform may suffer, and the change is also unlikely to be accepted by users. Given that providers of cloud and virtualization services will usually not accept a security vendor modifying the code of their virtualization platform modules, the above method detects virtual machine processes without the security vendor modifying any code of the virtualization platform modules.
Taking the kvm platform as an example, Fig. 5 is a flow diagram of the method for detecting virtual machine process information provided in this embodiment. As shown in Fig. 5, the method includes the following steps:
501. Monitor the system calls of the host, and if an IOCTL system call initiated from Qemu-kvm to kvm is observed, intercept that IOCTL system call.
At present, the IOCTL interface of kvm is provided to, and called by, the Qemu-kvm module. As shown in Fig. 6 and Fig. 7, the guest interception module is responsible for intercepting the hypercall IOCTLs on the physical host, analysing the name and parameters of each intercepted IOCTL call, and intercepting the hypercall IOCTL by which the kernel driver Qemu-kvm requests a virtual CPU.
502. Obtain the parameters of the IOCTL system call, check the parameters against the preset strategy, and obtain a detection result.
It will be appreciated that the preset strategy may be a strategy for deciding whether the parameters of the IOCTL system call are legal; the parameter check covers read operations, write operations, operations that open a program, operations that close a program, and so on. The preset strategy may also be understood as a security rule base: the parameters are matched against the rules in the security rule base, the operating state is assessed, and suspicious parameters are marked.
The preset strategy may also be updated periodically; this embodiment places no limit on this.
503. Judge whether the detection result is a legal call; if so, execute step 504, otherwise execute step 505.
504. Execute the IOCTL system call.
505. Block the IOCTL system call and send a warning message to the monitoring host.
The warning message is sent to the monitoring host in the form of a popup window or in the form of a log. The warning message may include the suspicious parameters; by sending a warning message that includes the suspicious parameters to the administrator, the administrator can promptly examine and analyse the corresponding call and capture and block the suspicious process, thereby avoiding virtual machine escape.
Without modifying any module of the kvm platform, the above method realizes a virtual machine introspection API that is fully transparent to both the virtualization platform and the virtual machines, and on the basis of this interface scans and analyses the process and register information inside the virtual machine. The main difference between the system realized by this technical solution on the kvm platform and other systems providing similar functions is that the source code of Qemu-kvm and kvm is left completely unmodified. This is an implementation and deployment approach that users accept more readily, because the provider of cloud computing and virtualization services and the provider of security services are normally not the same vendor. If the security service provider modifies and recompiles the source code of the virtualization provider's product, the stability of the underlying virtualization platform may suffer, and the change is also unlikely to be accepted by users. Given that providers of cloud and virtualization services will usually not accept a security vendor modifying the code of their virtualization platform modules, the above method detects virtual machine processes without the security vendor modifying any code of the virtualization platform modules.
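The following is an added example that is not part of the patent text: a user-space model of the steps 201-205 (xen, Privcmd) and 501-505 (kvm, Qemu-kvm) described above, namely obtaining the parameters of an intercepted ioctl call, matching them against a preset strategy held as a rule base, and either allowing the call or blocking it and emitting a warning that names the suspicious parameter. The kernel-side hook that actually captures the call is assumed to exist and to hand over one record per call; the rule base, the process names (including the hypothetical "xen-toolstack"), the device paths and the batch of intercepted calls are all constructed for illustration. The ioctl request layout used is the common x86 Linux encoding (direction, argument size, type byte, number), and the type bytes 0xAE for /dev/kvm and 'P' for privcmd are the ones those interfaces use; no other identifier here comes from the patent or from the real drivers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Common x86 Linux ioctl request encoding:
 * bits 31:30 direction, 29:16 argument size, 15:8 type byte, 7:0 number. */
#define IOC_NONE  0U
#define IOC_WRITE 1U
#define IOC_READ  2U
#define MK_CMD(dir, type, nr, size) \
    (((uint32_t)(dir) << 30) | ((uint32_t)(size) << 16) | \
     ((uint32_t)(type) << 8) | (uint32_t)(nr))
#define IOC_DIR(c)  (((c) >> 30) & 0x3U)
#define IOC_SIZE(c) (((c) >> 16) & 0x3fffU)
#define IOC_TYPE(c) (((c) >> 8) & 0xffU)
#define IOC_NR(c)   ((c) & 0xffU)

enum verdict { VERDICT_ALLOW = 0, VERDICT_DENY = 1 };

/* One intercepted ioctl call as the interception/obtaining modules would
 * report it: caller identity on the host, target device, raw request. */
struct ioctl_call {
    const char *comm;
    int pid;
    const char *dev;
    uint32_t cmd;
};

/* One entry of the preset strategy (security rule base). */
struct rule {
    const char *comm;   /* process allowed to issue the call */
    const char *dev;    /* device node it may issue it on */
    unsigned type;      /* ioctl type byte the rule covers */
    unsigned dir_mask;  /* permitted direction bits */
    unsigned max_size;  /* largest argument size considered sane */
};

/* Constructed rule base: qemu-kvm may talk to /dev/kvm (type 0xAE) and a
 * hypothetical "xen-toolstack" process may talk to privcmd (type 'P'). */
static const struct rule sample_rules[] = {
    { "qemu-kvm",      "/dev/kvm",         0xAE, IOC_READ | IOC_WRITE, 4096 },
    { "xen-toolstack", "/dev/xen/privcmd", 'P',  IOC_READ | IOC_WRITE, 4096 },
};
#define N_SAMPLE_RULES (sizeof sample_rules / sizeof sample_rules[0])

/* Warning sink standing in for the sending module (log form). */
#define MAX_WARNINGS 16
static char warning_log[MAX_WARNINGS][160];
static int warning_count = 0;

static void send_warning(const struct ioctl_call *c, const char *reason)
{
    if (warning_count < MAX_WARNINGS)
        snprintf(warning_log[warning_count++], sizeof warning_log[0],
                 "WARN pid=%d comm=%s dev=%s cmd=0x%08x nr=0x%02x: %s",
                 c->pid, c->comm, c->dev, c->cmd, IOC_NR(c->cmd), reason);
}

static void reset_warnings(void) { warning_count = 0; }

/* Detection module: match the call against the rule base and decide.
 * A call with no matching rule is treated as illegal. */
static enum verdict detect(const struct ioctl_call *c,
                           const struct rule *rules, size_t nrules)
{
    for (size_t i = 0; i < nrules; i++) {
        const struct rule *r = &rules[i];
        if (strcmp(r->comm, c->comm) != 0 || strcmp(r->dev, c->dev) != 0 ||
            IOC_TYPE(c->cmd) != r->type)
            continue;
        if (IOC_DIR(c->cmd) & ~r->dir_mask) {
            send_warning(c, "direction not permitted by rule");
            return VERDICT_DENY;
        }
        if (IOC_SIZE(c->cmd) > r->max_size) {
            send_warning(c, "suspicious parameter: oversized argument");
            return VERDICT_DENY;
        }
        return VERDICT_ALLOW;
    }
    send_warning(c, "no rule matches caller, device and ioctl type");
    return VERDICT_DENY;
}

/* Run a constructed batch of intercepted calls; returns how many were denied. */
static int run_sample(void)
{
    const struct ioctl_call calls[] = {
        { "qemu-kvm",      1201, "/dev/kvm", MK_CMD(IOC_NONE,  0xAE, 0x80, 0)      },
        { "qemu-kvm",      1201, "/dev/kvm", MK_CMD(IOC_READ,  0xAE, 0x81, 144)    },
        { "some-tool",     4410, "/dev/kvm", MK_CMD(IOC_NONE,  0xAE, 0x80, 0)      },
        { "qemu-kvm",      1201, "/dev/kvm", MK_CMD(IOC_WRITE, 0xAE, 0x82, 0x2000) },
        { "xen-toolstack",  880, "/dev/xen/privcmd", MK_CMD(IOC_NONE, 'P', 0, 0)   },
    };
    int denied = 0;
    for (size_t i = 0; i < sizeof calls / sizeof calls[0]; i++)
        if (detect(&calls[i], sample_rules, N_SAMPLE_RULES) == VERDICT_DENY)
            denied++;
    return denied;
}

int main(void)
{
    int denied = run_sample();
    printf("%d of 5 intercepted calls denied\n", denied);
    for (int i = 0; i < warning_count; i++)
        puts(warning_log[i]);
    return 0;
}
```

In the constructed batch the two calls from an unknown process and with an oversized write argument are denied and each produces one warning line that carries the caller, device and request number, which is the information the administrator needs to examine the call; the remaining three calls pass. A real deployment would populate the rule base from the platform's actual ioctl interface and keep it updated, as the text above notes for the preset strategy.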
Fig. 8 is a structural diagram of a device for detecting virtual machine process information provided in an embodiment of the present invention. As shown in Fig. 8, the device includes:
Interception module 81, for intercepting the IOCTL system call initiated by a kernel driver in the virtualization platform.
At present, virtualization platforms include the xen platform and the kvm platform; the virtualization platform in this embodiment may be either of the two.
Obtaining module 82, for obtaining the parameters of the IOCTL system call.
The parameters of the IOCTL system call may describe a read operation, a write operation, an operation that opens a program, an operation that closes a program, and so on.
Detection module 83, for checking the parameters against a preset strategy.
Determining module 84, for determining, according to the detection result, whether to execute the IOCTL system call.
By intercepting the IOCTL system call initiated by the kernel driver and checking its parameters, the above device prevents a virtual machine from using IOCTL system calls to attack or take control of the host operating system, and thus prevents virtual machine escape.
Since virtualization platforms include the xen platform and the kvm platform, the above device is described in detail below for each of the two platforms.
Taking the xen platform as an example, as shown in Fig. 9, the above device includes:
Monitoring module 91, for monitoring the system calls of the host;
Interception module 92, for intercepting the IOCTL system call when an IOCTL system call initiated from Privcmd to xen is observed;
Obtaining module 93, for obtaining the parameters of the IOCTL system call.
The parameters of the IOCTL system call may describe a read operation, a write operation, an operation that opens a program, an operation that closes a program, and so on.
Detection module 94, for checking the parameters against a preset strategy.
Determining module 95, for determining, according to the detection result, whether to execute the IOCTL system call: if the detection result is a legal call, the IOCTL system call is executed; if the detection result is an illegal call, the IOCTL system call is blocked.
Sending module 96, for sending a warning message to the monitoring host when the detection result is an illegal call and the IOCTL system call has been blocked.
In a preferred form of this embodiment, the sending module 96 is configured to send the warning message to the monitoring host in the form of a popup window or in the form of a log. The warning message may include the suspicious parameters; by sending a warning message that includes the suspicious parameters to the administrator, the administrator can promptly examine and analyse the corresponding call and capture and block the suspicious process, thereby avoiding virtual machine escape.
Without modifying any module of the xen platform, the above device realizes a virtual machine introspection API that is fully transparent to both the virtualization platform and the virtual machines, and on the basis of this interface scans and analyses the process and register information inside the virtual machine. The main difference between the system realized by this technical solution on the xen platform and other systems providing similar functions is that the source code of Privcmd and xen is left completely unmodified. This is an implementation and deployment approach that users accept more readily, because the provider of cloud computing and virtualization services and the provider of security services are normally not the same vendor. If the security service provider modifies and recompiles the source code of the virtualization provider's product, the stability of the underlying virtualization platform may suffer, and the change is also unlikely to be accepted by users. Given that providers of cloud and virtualization services will usually not accept a security vendor modifying the code of their virtualization platform modules, the above device detects virtual machine processes without the security vendor modifying any code of the virtualization platform modules.
In another possible implementation, taking the kvm platform as an example, as shown in Fig. 10, the above device includes:
Monitoring module 10, for monitoring the system calls of the host;
Interception module 11, for intercepting the IOCTL system call when an IOCTL system call initiated from Qemu-kvm to kvm is observed;
Obtaining module 12, for obtaining the parameters of the IOCTL system call.
The parameters of the IOCTL system call may describe a read operation, a write operation, an operation that opens a program, an operation that closes a program, and so on.
Detection module 13, for checking the parameters against a preset strategy.
Determining module 14, for determining, according to the detection result, whether to execute the IOCTL system call: if the detection result is a legal call, the IOCTL system call is executed; if the detection result is an illegal call, the IOCTL system call is blocked.
Sending module 15, for sending a warning message to the monitoring host when the detection result is an illegal call and the IOCTL system call has been blocked.
In a preferred form of this embodiment, the sending module 15 is configured to send the warning message to the monitoring host in the form of a popup window or in the form of a log. The warning message may include the suspicious parameters; by sending a warning message that includes the suspicious parameters to the administrator, the administrator can promptly examine and analyse the corresponding call and capture and block the suspicious process, thereby avoiding virtual machine escape.
Without modifying any module of the kvm platform, the above device realizes a virtual machine introspection API that is fully transparent to both the virtualization platform and the virtual machines, and on the basis of this interface scans and analyses the process and register information inside the virtual machine. The main difference between the system realized by this technical solution on the kvm platform and other systems providing similar functions is that the source code of Qemu-kvm and kvm is left completely unmodified. This is an implementation and deployment approach that users accept more readily, because the provider of cloud computing and virtualization services and the provider of security services are normally not the same vendor. If the security service provider modifies and recompiles the source code of the virtualization provider's product, the stability of the underlying virtualization platform may suffer, and the change is also unlikely to be accepted by users. Given that providers of cloud and virtualization services will usually not accept a security vendor modifying the code of their virtualization platform modules, the above device detects virtual machine processes without the security vendor modifying any code of the virtualization platform modules.
The embodiments of the invention disclose:
A1. A device for detecting virtual machine process information, characterized in that it comprises:
an interception module, for intercepting the IOCTL system call initiated by a kernel driver in the virtualization platform;
an obtaining module, for obtaining the parameters of the IOCTL system call;
a detection module, for checking the parameters against a preset strategy;
a determining module, for determining, according to the detection result, whether to execute the IOCTL system call.
A2. The device according to A1, characterized in that the device further comprises a monitoring module for monitoring the system calls of the host; and the interception module is configured to intercept the IOCTL system call when an IOCTL system call initiated from Qemu-kvm to kvm is observed by the monitoring.
A3. The device according to A1, characterized in that the device further comprises a monitoring module for monitoring the system calls of the host; and the interception module is configured to intercept the IOCTL system call when an IOCTL system call initiated from Privcmd to xen is observed by the monitoring.
A4. The device according to A2 or A3, characterized in that determining, according to the detection result, whether to execute the IOCTL system call comprises: if the detection result is that the call is legal, executing the IOCTL system call.
A5. The device according to A2 or A3, characterized in that the determining module is configured to block the IOCTL system call when the detection result is that the call is illegal; and the device further comprises a sending module for sending a warning message to the monitoring host.
A6. The device according to A5, characterized in that the sending module is configured to send the warning message to the monitoring host in the form of a popup window or in the form of a log.
B7. A method for detecting virtual machine process information, characterized in that it comprises:
intercepting the IOCTL system call initiated by a kernel driver in the virtualization platform;
obtaining the parameters of the IOCTL system call and checking the parameters against a preset strategy;
determining, according to the detection result, whether to execute the IOCTL system call.
B8. The method according to B7, characterized in that, before intercepting the IOCTL system call initiated by the kernel driver in the virtualization platform, the method further comprises: monitoring the system calls of the host, and if an IOCTL system call initiated from Qemu-kvm to kvm is observed, intercepting that IOCTL system call.
B9. The method according to B7, characterized in that, before intercepting the IOCTL system call initiated by the kernel driver in the virtualization platform, the method further comprises: monitoring the system calls of the host, and if an IOCTL system call initiated from Privcmd to xen is observed, intercepting that IOCTL system call.
B10. The method according to B8 or B9, characterized in that determining, according to the detection result, whether to execute the IOCTL system call comprises: if the detection result is that the call is legal, executing the IOCTL system call.
B11. The method according to B8 or B9, characterized in that determining, according to the detection result, whether to execute the IOCTL system call comprises: if the detection result is that the call is illegal, blocking the IOCTL system call and sending a warning message to the monitoring host.
B12. The method according to B11, characterized in that sending the warning message to the monitoring host comprises: sending the warning message to the monitoring host in the form of a popup window or in the form of a log.
It should be noted that the above device and the above method correspond to each other; the specific implementation details given for the above method apply equally to the above device, and this embodiment does not describe the specific implementation details of the device again.