CN106203091B - A kind of virtual machine escape detection method and device - Google Patents
Publication number: CN106203091B (application CN201610509384.9A)
Authority: CN (China)
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Abstract
The invention discloses a virtual machine escape detection method and device in the field of computer technology. By inspecting the read and write requests issued by a virtual machine, it determines whether the virtual machine exhibits escape behaviour, which simplifies the escape detection process and improves detection efficiency. The main technical solution of the invention is as follows: when a virtual device in the virtual machine is initialized, the address of the storage region corresponding to that virtual device is obtained; the read/write function pointer is looked up according to the address of the storage region, where the read/write function pointer points to the address of the program that handles the read/write requests of the virtual device; the read/write function pointer is replaced with a corresponding detection pointer, where the detection pointer is the address of a detection program that checks whether the read/write requests of the virtual device are abnormal; and the detection program then checks whether each read/write request of the virtual device is an abnormal request. The invention is mainly used to detect virtual machine escape behaviour.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a virtual machine escape detection method and device.
Background technique
Virtualization divides one physical computer into one or more completely isolated "virtual machines". To the operating systems, these appear to be programs running on their own, but they in fact share the physical hardware of the machine, such as the CPU, memory, disks and network devices. Virtual machines provide two main benefits: resource sharing and isolation. In a non-virtualized environment, all resources are dedicated to the physical computer; if the system has 2GB of memory and the running tasks use 1GB of it, the remainder sits idle and cannot be fully utilized.
The environment a virtual machine provides looks like several independent, coexisting computers, whereas in fact they all run on one physical host. Although the degree of isolation between virtual machines depends on the underlying virtualization technology, virtual machines are not allowed to communicate with each other unless specifically configured to do so.
Virtual machines share the host's resources while providing isolation. Ideally, a program running in one virtual machine should be unable to affect other virtual machines. Because of technical limitations and bugs in the virtualization software, however, this ideal environment does not exist. A program running inside a virtual machine can use such vulnerabilities to bypass the underlying layer and exploit the host; this is known as virtual machine escape, and because of the host's privileged position, the security of every virtual machine in the virtual environment is endangered as a result. To prevent virtual machine escape, the programs running in the virtual machine must be inspected and judged, in particular their requests to operate on shared resources. The main current approach is to analyse whether the instructions generated by the host kernel would cause a virtual machine escape, but this is very complex to process, has no mature and feasible implementation, and its theoretical implementation shows very low detection efficiency in practical testing.
Summary of the invention
In view of this, the present invention provides a virtual machine escape detection method and device that decide whether a virtual machine has escaped by having the virtual machine itself inspect the operation requests it generates, which simplifies the escape detection process and improves detection efficiency.
According to one aspect of the present invention, a virtual machine escape detection method is proposed, comprising:
when a virtual device in the virtual machine is initialized, obtaining the address of the storage region corresponding to the virtual device;
looking up the read/write function pointer according to the address of the storage region, the read/write function pointer pointing to the address of the program that handles the read/write requests of the virtual device;
replacing the read/write function pointer with a corresponding detection pointer, the detection pointer being the address of a detection program that checks whether the read/write requests of the virtual device are abnormal; and
checking, by the detection program, whether the read/write requests of the virtual device are abnormal requests.
According to another aspect of the present invention, a virtual machine escape detection device is proposed, comprising:
an acquiring unit for obtaining, when a virtual device in the virtual machine is initialized, the address of the storage region corresponding to the virtual device;
a searching unit for looking up the read/write function pointer according to the address of the storage region obtained by the acquiring unit, the read/write function pointer pointing to the address of the program that handles the read/write requests of the virtual device;
a replacement unit for replacing the read/write function pointer obtained by the searching unit with a corresponding detection pointer, the detection pointer being the address of a detection program that checks whether the read/write requests of the virtual device are abnormal; and
a detection unit for checking, by the detection program, whether the read/write requests of the virtual device are abnormal requests after the replacement unit has installed the detection pointer.
In the virtual machine escape detection method and device of the present invention, the address of each virtual device's storage region is obtained when that virtual device is initialized in the virtual machine, and the read/write function pointer saved in the storage region, which handles the virtual device's read/write requests, is replaced with a detection pointer to a detection program that checks whether read/write requests are abnormal; in this way each virtual device in the virtual machine is checked for escape behaviour. Compared with existing virtual machine escape detection approaches, the detection method of the present invention does not need to analyse the operation instructions of each virtual device in the virtual machine within the host kernel; instead the virtual machine itself monitors its own virtual devices in real time, which simplifies the detection process and improves detection efficiency. At the same time, because the read/write function pointers that handle virtual device read/write requests cannot be obtained directly in current open-source virtualization solutions, the present invention also gives, on the virtual machine side, a concrete implementation of escape detection for each of its virtual devices, and in particular for the read/write requests each virtual device generates, solving the problem that the virtual machine cannot obtain the read/write function pointer that handles each virtual device's read/write requests.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented in accordance with the contents of the specification, and that the above and other objects, features and advantages of the present invention may be made clearer and more comprehensible, specific embodiments of the present invention are set out below.
Detailed description of the invention
Various other advantages and benefits will become clear to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings, the same reference numbers refer to the same parts. In the drawings:
Fig. 1 shows a flow chart of a virtual machine escape detection method proposed by an embodiment of the present invention;
Fig. 2 shows a flow chart of another virtual machine escape detection method proposed by an embodiment of the present invention;
Fig. 3 shows a block diagram of a virtual machine escape detection device proposed by an embodiment of the present invention;
Fig. 4 shows a block diagram of another virtual machine escape detection device proposed by an embodiment of the present invention.
Specific embodiment
Exemplary embodiments of the present invention are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present invention, it should be understood that the present invention may be realized in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the present invention can be thoroughly understood and its scope fully conveyed to those skilled in the art.
An embodiment of the present invention provides a virtual machine escape detection method. The method is based on the fact that current open-source virtualization solutions do not allow obtaining the read/write function pointers that handle the read/write operations of each virtual device in a virtual machine, and that virtual machine escape is mostly achieved through read/write operation requests initiated by the virtual devices in the virtual machine, exploiting vulnerabilities in the virtual machine program. The method described in the embodiment of the present invention therefore monitors, on the virtual machine side, whether the read/write operations of each virtual device are abnormal, and from this judges whether the virtual machine exhibits escape behaviour. The specific steps of the method are shown in Fig. 1 and comprise:
101. When a virtual device in the virtual machine is initialized, obtain the address of the storage region corresponding to the virtual device.
When a virtual machine is created in a virtualized environment, corresponding processing resources must be allocated to it, such as allocating the memory size, configuring the number of virtual processors of the virtual machine and determining the operating system type; that is, each virtual device in the virtual machine is initialized. When each virtual device is initialized, the address of the storage region corresponding to that virtual device is obtained. The storage region is used by the virtual machine to record information such as the name of the virtual device and the pointers to the functions that handle each of its operation requests.
102. Look up the read/write function pointer according to the address of the storage region.
The storage region corresponding to a virtual device stores the pointers to the handler functions for every operation request the virtual device generates. Since the embodiment of the present invention judges mainly whether read/write operations are abnormal, the read/write function pointers that handle read/write operations must be picked out from among these handler function pointers. Note that the read/write function pointer is divided into a read function pointer and a write function pointer, corresponding to read operation requests and write operation requests respectively; each points to the address of the program that handles read operation requests or write operation requests.
103. Replace the read/write function pointer with the corresponding detection pointer.
After the read function pointer and write function pointer of the virtual device have been obtained, each is replaced with the corresponding detection pointer: the detection pointer for read operations is the address of a detection program that checks whether a read operation request of the virtual device is abnormal, and the detection pointer for write operations is the address of a detection program that checks whether a write operation request of the virtual device is abnormal.
In the embodiment of the present invention, the purpose of installing the detection pointer is to check the read/write requests of the virtual device before the virtual machine processes them. Besides replacing the pointer outright, the detection pointer may therefore also be inserted before the address of the read/write function pointer, so that read/write operation requests that pass the detection program's check continue to the handler program pointed to by the read/write function pointer.
104. Check, by the detection program, whether the read/write requests of the virtual device are abnormal requests.
After the above three steps, the virtual machine inspects each read/write operation request of a virtual device when executing it; that is, the replacement of the virtual device's read/write function pointer is completed when the virtual device is initialized. Later, when the virtual device generates a read/write operation request, the virtual machine checks that request according to the detection program and judges whether it is an abnormal request, where an abnormal request means an operation request whose processing could cause the virtual machine to escape. The embodiment of the present invention does not specifically limit the detection program: it may compare the request against an established library of abnormal requests, or it may judge specific parameters or characteristic information in the request.
Finally, the virtual machine decides how to proceed with the request according to the detection result: if the request is normal, the corresponding read/write operation continues; if it is abnormal, the operation request is stopped and an alarm message is sent warning that the operation could cause a virtual machine escape.
In the virtual machine escape detection method provided by the embodiment of the present invention, the address of each virtual device's storage region is obtained when that virtual device is initialized in the virtual machine, and the read/write function pointer saved in the storage region, which handles the virtual device's read/write requests, is replaced with a detection pointer to a detection program that checks whether read/write requests are abnormal; in this way each virtual device in the virtual machine is checked for escape behaviour. Compared with existing virtual machine escape detection approaches, the detection method used by the embodiment of the present invention does not need to analyse the operation instructions of each virtual device in the virtual machine within the host kernel; instead the virtual machine itself monitors its own virtual devices in real time, which simplifies the detection process and improves detection efficiency. At the same time, because the read/write function pointers that handle virtual device read/write requests cannot be obtained directly in current open-source virtualization solutions, the present invention also gives, on the virtual machine side, a concrete implementation of escape detection for each of its virtual devices, and in particular for the read/write requests each virtual device generates, solving the problem that the virtual machine cannot obtain the read/write function pointer that handles each virtual device's read/write requests.
Further, to explain the above virtual machine escape detection method in more detail, an embodiment of the present invention also provides a virtual machine escape detection method whose steps, shown in Fig. 2, include:
201. When a virtual device in the virtual machine is initialized, obtain the address of the storage region corresponding to the virtual device.
Among the open-source virtualization solutions in common use, the mainstream ones include: KVM (Kernel-based Virtual Machine), a full virtualization solution for Linux on x86 hardware platforms; Xen, an open-source virtual machine monitor developed by the University of Cambridge; OpenVZ, an operating-system-level virtualization technology based on the Linux kernel and operating system; and VirtualBox, a powerful x86 virtual machine software. In these open-source virtualization solutions, the source code available to applications does not expose the code that handles specific operation requests in the virtual machine, so it is very hard to get hold of the operation requests of the virtual devices in the virtual machine, in particular their read/write operation requests.
The embodiment of the present invention focuses on this problem: when a virtual device in the virtual machine is initialized, it obtains the address of the storage region corresponding to the virtual device. When a virtual device is initialized, a storage region is allocated and the system names that storage region; in KVM, for example, the name of the virtual device's storage region is assigned by calling the function g_strdup. By obtaining this name-assignment function and analysing it, the value of the assignment function and the specific location of the assignment can be obtained, that is, the name of the storage region and the address at which that name is stored. In practice, because the storage region is held in the RBX register, which is a non-volatile register, the value of the g_strdup function can be obtained by hooking g_strdup. The start address of the storage region can then be determined from the obtained address of the stored name.
202. Look up the read/write function pointer according to the address of the storage region.
After the start address of the storage region of the virtual device has been determined, the address used to handle the read/write requests of the virtual device is looked up in the storage region from that start address, and the corresponding read/write function pointers, comprising a read function pointer and a write function pointer, are determined from it. The embodiment of the present invention does not specifically limit the address search method or the way the pointers are determined.
203. Preset a detection program and generate the detection pointer from the address of the detection program.
The corresponding detection pointer is generated from the preset detection program. Different detection programs are preset for different operation requests; in the embodiment of the present invention they are divided into a read operation detection program and a write operation detection program. Detection pointers corresponding to the detection programs are generated from the different addresses of the preset detection programs.
The preset detection programs check whether the operation requests generated by a virtual device are abnormal, with a different preset detection program for each kind of operation request, for example a detection program for read operation requests and a detection program for write operation requests.
204. Replace the read/write function pointer with the corresponding detection pointer.
The detection pointers obtained in step 203 replace, respectively, the read function pointer and the write function pointer obtained in step 202.
Note that the read/write function pointer replaced in this step can still be retained after the replacement, so that when an operation request of the virtual device is determined to be a normal read/write operation, that pointer is used to carry out the subsequent read/write operation.
205. Obtain the read/write request of the virtual device.
Once the detection pointer has been installed, any read/write operation request generated by a virtual device is judged by the corresponding detection program via its detection pointer. Before that judgement, to ensure that the read/write request was generated by the virtual device in question, the request must be further verified. The specific approach used in the embodiment of the present invention is to look for the device name contained in the read/write request and match it against the name of the storage region: if the read/write request contains a name identical to the name of the storage region, the request is determined to have been generated by the virtual device and the subsequent execution flow continues; if no name identical to the storage region name is present in the read/write request, further processing of the request is stopped and an alarm message is sent warning that the executing subject of the request is wrong. When matching the name, the embodiment of the present invention may traverse the contents of the register that stores the read/write operation request, searching at different offsets for a field containing the storage region name.
206. Check, by the detection program, whether the read/write request of the virtual device is an abnormal request.
Finally, the verified read/write request is handed via the detection pointer to the detection program for identification and judgement. When the read/write request of the virtual device is detected as a normal request, the request will not cause a virtual machine escape, so it is passed to the program pointed to by the read/write function pointer that was in place before replacement. The request may be sent to that handler program either directly by the detection program, or by having the detection program return a detection result to the virtual machine, which then executes the original read/write function pointer according to that result and sends the read/write request to the corresponding handler program for read/write processing. When the read/write request of the virtual device is detected as an abnormal request, it may cause a virtual machine escape; the virtual machine then stops processing the request and at the same time issues an alarm message to inform the virtual machine user that the operation request is abnormal, and generates corresponding alarm log information from the alarm message.
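As an added illustration of steps 201 to 206 (example code written for this page, not the patent's or any hypervisor's own), the C model below hooks a constructed per-device storage region, swaps its read/write function pointers for detection pointers, matches the device name carried by each request against the region name, applies an assumed rule set to the request, and either forwards it to the retained original handler or stops it and raises an alarm. The region layout, the request format and the detection rules are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the per-device storage region of steps 201-204: the name
 * assigned at initialisation plus the read/write handler pointers (hypothetical
 * layout, not QEMU/KVM's own structures). */
typedef struct DeviceRegion DeviceRegion;

/* A request as the device emulation receives it; the device name it carries is
 * what step 205 matches against the region name. */
typedef struct { const char *dev_name; uint64_t addr; uint64_t val; unsigned size; } RwRequest;
typedef uint64_t (*read_fn)(DeviceRegion *r, const RwRequest *q);
typedef int (*write_fn)(DeviceRegion *r, const RwRequest *q);

struct DeviceRegion {
    const char *name;  /* region name (step 201) */
    uint64_t size;     /* size of the register window in bytes */
    read_fn read;      /* read function pointer found in step 202 */
    write_fn write;    /* write function pointer found in step 202 */
    uint8_t regs[16];  /* constructed backing store for the device registers */
};
enum Verdict { VERDICT_NORMAL = 0, VERDICT_NAME_MISMATCH = 1, VERDICT_ANOMALY = 2 };

/* Original handlers: a constructed 16-byte register file (little-endian host). */
static uint64_t dev_read(DeviceRegion *r, const RwRequest *q) {
    uint64_t v = 0;
    memcpy(&v, r->regs + q->addr, q->size);
    return v;
}
static int dev_write(DeviceRegion *r, const RwRequest *q) {
    memcpy(r->regs + q->addr, &q->val, q->size);
    return 0;
}

static read_fn saved_read;   static write_fn saved_write;  /* originals retained (step 204 note) */
static enum Verdict last_verdict;
static int alarm_count;      /* stands in for the alarm log of step 206 */

/* Detection program (step 203). The patent leaves its rules open; assumed here:
 * width 1/2/4/8 bytes, naturally aligned, entirely inside the register window. */
static enum Verdict check_request(const DeviceRegion *r, const RwRequest *q) {
    if (q->dev_name == NULL || strcmp(q->dev_name, r->name) != 0)
        return VERDICT_NAME_MISMATCH;   /* step 205: request not from this device */
    if (q->size != 1 && q->size != 2 && q->size != 4 && q->size != 8)
        return VERDICT_ANOMALY;
    if (q->addr % q->size != 0)
        return VERDICT_ANOMALY;
    if (q->addr >= r->size || q->size > r->size - q->addr)
        return VERDICT_ANOMALY;         /* access would overrun the window */
    return VERDICT_NORMAL;
}

static void raise_alarm(const DeviceRegion *r, const RwRequest *q, const char *op) {
    alarm_count++;
    fprintf(stderr, "ALARM: %s on '%s' stopped (name='%s' addr=%#llx size=%u verdict=%d)\n",
            op, r->name, q->dev_name ? q->dev_name : "(null)",
            (unsigned long long)q->addr, q->size, (int)last_verdict);
}

/* Detection pointers installed in place of the originals (step 204): a normal
 * request goes on to the retained handler; an abnormal one is stopped and logged
 * (a stopped read returns 0, a constructed choice). */
static uint64_t detect_read(DeviceRegion *r, const RwRequest *q) {
    last_verdict = check_request(r, q);
    if (last_verdict != VERDICT_NORMAL) { raise_alarm(r, q, "read"); return 0; }
    return saved_read(r, q);
}
static int detect_write(DeviceRegion *r, const RwRequest *q) {
    last_verdict = check_request(r, q);
    if (last_verdict != VERDICT_NORMAL) { raise_alarm(r, q, "write"); return -1; }
    return saved_write(r, q);
}

/* Steps 202-204 for one region: save the original pointers, then swap in the
 * detection pointers. Hooking twice would lose the originals, so it is refused. */
int hook_region(DeviceRegion *r) {
    if (r->read == detect_read) return -1;
    saved_read = r->read;  saved_write = r->write;
    r->read = detect_read; r->write = detect_write;
    return 0;
}

/* Dispatch helpers mirroring how the VM hands a request to the device. */
uint64_t vm_read(DeviceRegion *r, const char *name, uint64_t addr, unsigned size) {
    RwRequest q = { name, addr, 0, size };
    return r->read(r, &q);
}
int vm_write(DeviceRegion *r, const char *name, uint64_t addr, uint64_t val, unsigned size) {
    RwRequest q = { name, addr, val, size };
    return r->write(r, &q);
}
enum Verdict last_verdict_seen(void) { return last_verdict; }
int alarm_total(void) { return alarm_count; }

/* One constructed device region, as step 201 would leave it after initialisation. */
DeviceRegion *demo_region(void) {
    static DeviceRegion dev = { "constructed-dev", 16, dev_read, dev_write, {0} };
    return &dev;
}
```

A request whose name does not match the region is stopped before the rule check, which is the ordering steps 205 and 206 prescribe; a matching request is forwarded to the saved original handler only when every rule passes.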
As a specific device implementing the above method, an embodiment of the present invention provides a virtual machine escape detection device which, as shown in Fig. 3, comprises:
an acquiring unit 31 for obtaining, when a virtual device in the virtual machine is initialized, the address of the storage region corresponding to the virtual device;
a searching unit 32 for looking up the read/write function pointer according to the address of the storage region obtained by the acquiring unit 31, the read/write function pointer pointing to the address of the program that handles the read/write requests of the virtual device;
a replacement unit 33 for replacing the read/write function pointer obtained by the searching unit 32 with a corresponding detection pointer, the detection pointer being the address of a detection program that checks whether the read/write requests of the virtual device are abnormal; and
a detection unit 34 for checking, by the detection program, whether the read/write requests of the virtual device are abnormal requests after the replacement unit 33 has installed the detection pointer.
Further, as shown in Fig. 4, the acquiring unit 31 comprises:
an obtaining module 311 for obtaining, when the virtual device is initialized, the assignment function that names the storage region corresponding to the virtual device;
a parsing module 312 for parsing the assignment function obtained by the obtaining module 311 to obtain the name of the storage region and the address of the assignment; and
a determining module 313 for determining the address of the storage region according to the address of the assignment.
Further, as shown in Fig. 4, the searching unit 32 comprises:
a determining module 321 for determining the address in the storage region that handles the read/write requests of the virtual device; and
a searching module 322 for searching, at the address determined by the determining module 321, for the read/write function pointer corresponding to the read/write requests.
Further, as shown in Fig. 4, the device further comprises:
a generation unit 35 for presetting the detection program and generating the detection pointer from the address of the detection program before the replacement unit 33 replaces the read/write function pointer with the corresponding detection pointer.
Further, as shown in Fig. 4, the device further comprises:
a matching unit 36 for matching, after the replacement unit 33 has replaced the read/write function pointer with the corresponding detection pointer, the device name contained in a read/write request of the virtual device against the name of the storage region; and
a stop unit 37 for stopping the processing of the read/write request when the names matched by the matching unit 36 differ.
Further, as shown in Fig. 4, the device further comprises:
a processing unit 38 for having the read/write request processed by the program pointed to by the read/write function pointer that was in place before replacement, when the detection unit 34 detects the read/write request of the virtual device as a normal request;
the stop unit 37 being further used to stop the processing of the read/write request and send an alarm message when the detection unit 34 detects the read/write request of the virtual device as an abnormal request.
In conclusion a kind of virtual machine escape detection method and device provided by the embodiment of the present invention, by virtual
Machine obtains the address of the storage region of each virtual unit, and the place that will be saved in the storage region when initializing each virtual unit
The read/write function pointer of reason virtual unit read-write requests is replaced with for detecting read-write requests with the presence or absence of abnormal detection program
Detection pointer, each virtual unit in the virtual machine is detected with the presence or absence of there is flight behavior with this.Compared with it is virtual
Machine escape detection mode is compared, and detection method used by the embodiment of the present invention is not necessarily to analyze in host kernel each in virtual machine
The operational order of a virtual unit, but the virtual unit in the machine is measured in real time by virtual machine, simplify detection stream
Journey improves the efficiency of detection.Simultaneously as the read-write of processing virtual unit in current open source virtualization solution
The read/write function pointer of request can not also directly acquire, and therefore, the present invention is also to be directed to each void therein in virtual pusher side
Standby, especially each virtual unit read-write requests generated are proposed, the specific implementation of detection virtual machine escape, solution are given
Virtual machine of having determined can not obtain the problem of read/write function pointer of each virtual unit processing read-write requests.Further, since of the invention
Embodiment is that the detection carried out by read-write requests of the preset detection program to virtual unit judges that the detection program can basis
Specific testing conditions are updated in real time, therefore, the update for the examination criteria that the embodiment of the present invention escapes for virtual machine
It is easier, make the timeliness of detection higher by the real-time update to detection program.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
It will be understood that related features of the above cloud server and device may be referred to each other. In addition, "first", "second" and the like in the above embodiments serve to distinguish the embodiments and do not represent the superiority or inferiority of any embodiment.
It will be apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be found by reference to the corresponding processes in the foregoing cloud server embodiments and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such systems is apparent from the description above. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the description above of a specific language is given to disclose the preferred embodiment of the invention.
Numerous specific details are set forth in the description provided here. It is to be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known cloud servers, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together into a single embodiment, figure or description thereof. However, the cloud server of the disclosure should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single embodiment disclosed above. Thus, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, any combination may be used to combine all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any cloud server or device so disclosed. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, as software modules running on one or more processors, or as a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device named in the title of the invention (such as a device for determining hyperlink rank within a website) according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for executing some or all of the cloud server described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.
The invention also discloses the following schemes:
A1. A virtual machine escape detection method, the method comprising:
when initializing a virtual device in a virtual machine, obtaining the address of the storage region corresponding to the virtual device;
searching for the read/write function pointer according to the address of the storage region, the read/write function pointer pointing to the address of the program that handles the read-write requests of the virtual device;
replacing the read/write function pointer with a corresponding detection pointer, the detection pointer pointing to the address of a detection program for directly detecting whether the read-write requests of the virtual device are abnormal;
detecting, by the detection program, whether a read-write request of the virtual device is an abnormal request.
A2. The method according to A1, wherein obtaining the address of the storage region corresponding to the virtual device comprises:
obtaining, at initialization, the assignment function with which the virtual device names its corresponding storage region;
parsing the assignment function to obtain the name of the storage region and the address of the assignment;
determining the address of the storage region according to the address of the assignment.
A3. The method according to A2, wherein searching for the read/write function pointer according to the address of the storage region comprises:
determining, in the storage region, the address at which the read-write requests of the virtual device are handled;
searching for the read/write function pointer corresponding to the read-write requests at that address.
A4. The method according to A1, wherein before replacing the read/write function pointer with the corresponding detection pointer, the method further comprises:
presetting the detection program, and generating the detection pointer according to the address of the detection program.
A5. The method according to A2, wherein after replacing the read/write function pointer with the corresponding detection pointer, the method further comprises:
according to a read-write request of the virtual device, matching the device name contained in the read-write request against the name of the storage region;
if the names differ, stopping the processing of the read-write request.
A6. The method according to A1, wherein after detecting, by the detection program, whether the read-write request of the virtual device is an abnormal request, the method further comprises:
when the read-write request of the virtual device is detected as a normal request, handling the read-write request by the program pointed to by the read/write function pointer before replacement;
when the read-write request of the virtual device is detected as an abnormal request, stopping the processing of the read-write request and sending a prompt message.
B7. A virtual machine escape detection device, the device comprising:
an acquiring unit, for obtaining, when a virtual device in a virtual machine is initialized, the address of the storage region corresponding to the virtual device;
a searching unit, for searching for the read/write function pointer according to the address of the storage region obtained by the acquiring unit, the read/write function pointer pointing to the address of the program that handles the read-write requests of the virtual device;
a replacement unit, for replacing the read/write function pointer found by the searching unit with a corresponding detection pointer, the detection pointer pointing to the address of a detection program for directly detecting whether the read-write requests of the virtual device are abnormal;
a detection unit, for detecting, by the detection program, after the replacement unit has installed the detection pointer, whether a read-write request of the virtual device is an abnormal request.
B8. The device according to B7, wherein the acquiring unit comprises:
an acquisition module, for obtaining, at initialization, the assignment function with which the virtual device names its corresponding storage region;
a parsing module, for parsing the assignment function obtained by the acquisition module to obtain the name of the storage region and the address of the assignment;
a determining module, for determining the address of the storage region according to the address of the assignment.
B9. The device according to B8, wherein the searching unit comprises:
a determining module, for determining, in the storage region, the address at which the read-write requests of the virtual device are handled;
a searching module, for searching for the read/write function pointer corresponding to the read-write requests at the address determined by the determining module.
B10. The device according to B7, the device further comprising:
a generation unit, for presetting the detection program before the replacement unit replaces the read/write function pointer with the corresponding detection pointer, and generating the detection pointer according to the address of the detection program.
B11. The device according to B8, the device further comprising:
a matching unit, for matching, after the replacement unit has replaced the read/write function pointer with the corresponding detection pointer, the device name contained in a read-write request of the virtual device against the name of the storage region;
a stop unit, for stopping the processing of the read-write request when the names matched by the matching unit differ.
B12. The device according to B11, the device further comprising:
a processing unit, for handling a read-write request of the virtual device by the program pointed to by the read/write function pointer before replacement when the detection unit detects the read-write request as a normal request;
the stop unit being further used to stop the processing of the read-write request and send a prompt message when the detection unit detects the read-write request of the virtual device as an abnormal request.
Claims (12)
- 1. A virtual machine escape detection method, characterized in that the method comprises: when initializing a virtual device in a virtual machine, obtaining the address of the storage region corresponding to the virtual device; searching for the read/write function pointer according to the address of the storage region, the read/write function pointer pointing to the address of the program that handles the read-write requests of the virtual device; replacing the read/write function pointer with a corresponding detection pointer, the detection pointer pointing to the address of a detection program for directly detecting whether the read-write requests of the virtual device are abnormal; and detecting, by the detection program, whether a read-write request of the virtual device is an abnormal request, the abnormal request being an operation request whose processing is likely to result in virtual machine escape.
- 2. The method according to claim 1, characterized in that obtaining the address of the storage region corresponding to the virtual device comprises: obtaining, at initialization, the assignment function with which the virtual device names its corresponding storage region; parsing the assignment function to obtain the name of the storage region and the address of the assignment; and determining the address of the storage region according to the address of the assignment.
- 3. The method according to claim 2, characterized in that searching for the read/write function pointer according to the address of the storage region comprises: determining, in the storage region, the address at which the read-write requests of the virtual device are handled; and searching for the read/write function pointer corresponding to the read-write requests at that address.
- 4. The method according to claim 1, characterized in that before replacing the read/write function pointer with the corresponding detection pointer, the method further comprises: presetting the detection program, and generating the detection pointer according to the address of the detection program.
- 5. The method according to claim 2, characterized in that after replacing the read/write function pointer with the corresponding detection pointer, the method further comprises: according to a read-write request of the virtual device, matching the device name contained in the read-write request against the name of the storage region; and if the names differ, stopping the processing of the read-write request.
- 6. The method according to claim 1, characterized in that after detecting, by the detection program, whether the read-write request of the virtual device is an abnormal request, the method further comprises: when the read-write request of the virtual device is detected as a normal request, handling the read-write request by the program pointed to by the read/write function pointer before replacement; and when the read-write request of the virtual device is detected as an abnormal request, stopping the processing of the read-write request and sending a prompt message.
- 7. A virtual machine escape detection device, characterized in that the device comprises: an acquiring unit, for obtaining, when a virtual device in a virtual machine is initialized, the address of the storage region corresponding to the virtual device; a searching unit, for searching for the read/write function pointer according to the address of the storage region obtained by the acquiring unit, the read/write function pointer pointing to the address of the program that handles the read-write requests of the virtual device; a replacement unit, for replacing the read/write function pointer found by the searching unit with a corresponding detection pointer, the detection pointer pointing to the address of a detection program for directly detecting whether the read-write requests of the virtual device are abnormal; and a detection unit, for detecting, by the detection program, after the replacement unit has installed the detection pointer, whether a read-write request of the virtual device is an abnormal request, the abnormal request being an operation request whose processing is likely to result in virtual machine escape.
- 8. The device according to claim 7, characterized in that the acquiring unit comprises: an acquisition module, for obtaining, at initialization, the assignment function with which the virtual device names its corresponding storage region; a parsing module, for parsing the assignment function obtained by the acquisition module to obtain the name of the storage region and the address of the assignment; and a determining module, for determining the address of the storage region according to the address of the assignment.
- 9. The device according to claim 8, characterized in that the searching unit comprises: a determining module, for determining, in the storage region, the address at which the read-write requests of the virtual device are handled; and a searching module, for searching for the read/write function pointer corresponding to the read-write requests at the address determined by the determining module.
- 10. The device according to claim 7, characterized in that the device further comprises: a generation unit, for presetting the detection program before the replacement unit replaces the read/write function pointer with the corresponding detection pointer, and generating the detection pointer according to the address of the detection program.
- 11. The device according to claim 8, characterized in that the device further comprises: a matching unit, for matching, after the replacement unit has replaced the read/write function pointer with the corresponding detection pointer, the device name contained in a read-write request of the virtual device against the name of the storage region; and a stop unit, for stopping the processing of the read-write request when the names matched by the matching unit differ.
- 12. The device according to claim 11, characterized in that the device further comprises: a processing unit, for handling a read-write request of the virtual device by the program pointed to by the read/write function pointer before replacement when the detection unit detects the read-write request as a normal request; the stop unit being further used to stop the processing of the read-write request and send a prompt message when the detection unit detects the read-write request of the virtual device as an abnormal request.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610509384.9A CN106203091B (en) | 2016-06-30 | 2016-06-30 | A kind of virtual machine escape detection method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610509384.9A CN106203091B (en) | 2016-06-30 | 2016-06-30 | A kind of virtual machine escape detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106203091A CN106203091A (en) | 2016-12-07 |
CN106203091B true CN106203091B (en) | 2019-02-22 |
Family
ID=57464107
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610509384.9A Active CN106203091B (en) | 2016-06-30 | 2016-06-30 | A kind of virtual machine escape detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106203091B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113849339B (en) * | 2020-06-28 | 2023-07-11 | 华为技术有限公司 | Method, device and storage medium for restoring running state of application program |
CN111508617B (en) * | 2020-07-01 | 2020-09-25 | 智博云信息科技(广州)有限公司 | Epidemic situation data maintenance method and device, computer equipment and readable storage medium |
CN117032874B (en) * | 2023-10-08 | 2024-02-23 | 统信软件技术有限公司 | Remote control method, device, computing equipment and storage medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102254120A (en) * | 2011-08-09 | 2011-11-23 | 成都市华为赛门铁克科技有限公司 | Method, system and relevant device for detecting malicious codes |
CN103399812A (en) * | 2013-07-22 | 2013-11-20 | 西安电子科技大学 | Magnetic disc file operation monitoring system and monitoring method based on Xen hardware virtualization |
CN103577246A (en) * | 2013-11-12 | 2014-02-12 | 浙江云巢科技有限公司 | Method and device for preventing virtual machine from escaping |
CN105095741A (en) * | 2014-05-13 | 2015-11-25 | 北京奇虎测腾科技有限公司 | Behavior monitoring method and behavior monitoring system of application program |
CN105426758A (en) * | 2015-12-18 | 2016-03-23 | 北京奇虎科技有限公司 | Protection method and device for virtual machine escape |
CN105512553A (en) * | 2015-11-26 | 2016-04-20 | 上海君是信息科技有限公司 | Access control method for preventing virtual machine from escaping and attacking |
CN105590054A (en) * | 2014-11-11 | 2016-05-18 | 航天恒星科技有限公司 | Virtual machine process monitoring method, device and system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8713546B2 (en) * | 2006-12-18 | 2014-04-29 | Oracle International Corporation | System and method for redundant array copy removal in a pointer-free language |
Events
- 2016-06-30: CN CN201610509384.9A (CN106203091B), status: Active
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102254120A (en) * | 2011-08-09 | 2011-11-23 | 成都市华为赛门铁克科技有限公司 | Method, system and relevant device for detecting malicious codes |
CN103399812A (en) * | 2013-07-22 | 2013-11-20 | 西安电子科技大学 | Magnetic disc file operation monitoring system and monitoring method based on Xen hardware virtualization |
CN103577246A (en) * | 2013-11-12 | 2014-02-12 | 浙江云巢科技有限公司 | Method and device for preventing virtual machine from escaping |
CN105095741A (en) * | 2014-05-13 | 2015-11-25 | 北京奇虎测腾科技有限公司 | Behavior monitoring method and behavior monitoring system of application program |
CN105590054A (en) * | 2014-11-11 | 2016-05-18 | 航天恒星科技有限公司 | Virtual machine process monitoring method, device and system |
CN105512553A (en) * | 2015-11-26 | 2016-04-20 | 上海君是信息科技有限公司 | Access control method for preventing virtual machine from escaping and attacking |
CN105426758A (en) * | 2015-12-18 | 2016-03-23 | 北京奇虎科技有限公司 | Protection method and device for virtual machine escape |
Also Published As
Publication number | Publication date |
---|---|
CN106203091A (en) | 2016-12-07 |
Similar Documents
Publication | Title |
---|---|
US11232015B2 (en) | Automated software verification service |
US20190294528A1 (en) | Automated software deployment and testing |
CN103226485B (en) | Code dissemination method, code issue machine and code delivery system |
US9678816B2 (en) | System and method for injecting faults into code for testing thereof |
Plauth et al. | A performance survey of lightweight virtualization techniques |
US11074154B2 (en) | Identifying a source file for use in debugging compiled code |
US9038080B2 (en) | Method and system for heterogeneous filtering framework for shared memory data access hazard reports |
CN106203091B (en) | A kind of virtual machine escape detection method and device |
CN109784062A (en) | Leak detection method and device |
US10489124B2 (en) | Method and system for providing software containers supporting executable code created from computational algorithms described in printed publications |
US8145471B2 (en) | Non-destructive simulation of a failure in a virtualization environment |
CN104504331B (en) | Virtualize safety detection method and system |
CN111654495A (en) | Method, apparatus, device and storage medium for determining traffic generation source |
Campos et al. | Fault injection to generate failure data for failure prediction: A case study |
US8291401B2 (en) | Processing symbols associated with shared assemblies |
US9075921B2 (en) | Error simulation |
Yang et al. | Transparently capturing execution path of service/job request processing |
US20080115109A1 (en) | Enhanced Hover Help For Software Debuggers |
US9841960B2 (en) | Dynamic provision of debuggable program code |
Peng et al. | GLeeFuzz: Fuzzing WebGL Through Error Message Guided Mutation |
Cordeiro et al. | Shaker: a tool for detecting more flaky tests faster |
US11720348B2 (en) | Computing node allocation based on build process specifications in continuous integration environments |
CN104199774B (en) | Program security testing method and device |
US10956302B2 (en) | Code coverage collection based on limited select debug information |
US20120131569A1 (en) | Automated solaris container creation |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |
GR01 | Patent grant | |
CP01 | Change in the name or title of a patent holder | |
CP01 | Change in the name or title of a patent holder | Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park). Co-patentee after: Qianxin Technology Group Co., Ltd. Patentee after: Beijing Qihu Technology Co., Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park). Co-patentee before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD. Patentee before: Beijing Qihu Technology Co., Ltd. |