CN106203091B - Virtual machine escape detection method and device - Google Patents

Virtual machine escape detection method and device

Info

Publication number
CN106203091B
CN106203091B
Authority
CN
China
Prior art keywords
read
detection
unit
write
address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610509384.9A
Other languages
Chinese (zh)
Other versions
CN106203091A (en)
Inventor
李常坤
汤迪斌
栾建海
杜少博
谭元蕊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Qianxin Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Beijing Qianxin Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Beijing Qianxin Technology Co Ltd
Priority to CN201610509384.9A
Publication of CN106203091A
Application granted
Publication of CN106203091B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The invention discloses a virtual machine escape detection method and device in the field of computer technology. It judges whether a virtual machine exhibits escape behaviour by inspecting the read/write requests issued by the machine's virtual devices, which simplifies the escape detection process and improves detection efficiency. The main technical solution is as follows: when a virtual device in the virtual machine is initialized, obtain the address of the memory region corresponding to that device; use the region's address to look up the read/write function pointers, which point to the routines that handle the device's read/write requests; replace the read/write function pointers with corresponding detection pointers, which point to a detection routine that checks whether the device's read/write requests are abnormal; and use the detection routine to determine whether a read/write request of the device is an abnormal request. The invention is mainly used to detect virtual machine escape behaviour.

Description

Virtual machine escape detection method and device
Technical field
The present invention relates to the field of computer technology, and in particular to a virtual machine escape detection method and device.
Background technique
Virtualization divides one physical computer into one or more completely isolated "virtual machines". To the operating systems they host, the virtual machines appear to be programs running on hardware of their own, but in fact they share the physical hardware of the machine: CPU, memory, disk and network devices. Virtual machines offer two main benefits: resource sharing and isolation. In a non-virtualized environment all resources are dedicated to one physical computer; if the system has 2 GB of memory and the running workload uses 1 GB of it, the remainder sits idle and cannot be fully used.
The environment a virtual machine provides looks like several independent, coexisting computers, while in reality all of them run on one physical host. The degree of isolation depends on the underlying virtualization technology, but without specific configuration the virtual machines are not allowed to exchange data with one another.
A virtual machine shares the host's resources while providing isolation. Ideally, a program running in one virtual machine should not be able to affect other virtual machines. Because of technical limitations and bugs in the virtualization software, this ideal environment does not exist: a program running in a virtual machine can use such vulnerabilities to bypass the underlying layer and operate on the host. This technique is called virtual machine escape, and because of the host's privileged position, a successful escape endangers the security of every virtual machine in the virtual environment. To prevent escape, the programs running in a virtual machine must be inspected, and in particular their operation requests against shared resources must be identified. The prevailing approach is to analyze whether the operation instructions generated in the host kernel can cause a virtual machine escape, but that process is very complex, has no mature and feasible implementation, and the theoretical scheme performs very poorly when applied in real tests.
Summary of the invention
In view of this, the present invention provides a virtual machine escape detection method and device in which the virtual machine itself inspects the operation requests it generates to judge whether it has escaped, simplifying the escape detection process and improving detection efficiency.
According to one aspect of the present invention, a virtual machine escape detection method is proposed, comprising:
when a virtual device in a virtual machine is initialized, obtaining the address of the memory region corresponding to that virtual device;
looking up the read/write function pointers according to the address of the memory region, the read/write function pointers pointing to the addresses of the routines that handle the virtual device's read/write requests;
replacing the read/write function pointers with corresponding detection pointers, the detection pointers pointing to the address of a detection routine that checks whether the virtual device's read/write requests are abnormal;
detecting, by means of the detection routine, whether a read/write request of the virtual device is an abnormal request.
According to another aspect of the present invention, a virtual machine escape detection device is proposed, comprising:
an acquiring unit for obtaining, when a virtual device in a virtual machine is initialized, the address of the memory region corresponding to that virtual device;
a searching unit for looking up the read/write function pointers according to the address obtained by the acquiring unit, the read/write function pointers pointing to the addresses of the routines that handle the virtual device's read/write requests;
a replacement unit for replacing the read/write function pointers found by the searching unit with corresponding detection pointers, the detection pointers pointing to the address of a detection routine that checks whether the virtual device's read/write requests are abnormal;
a detection unit for detecting, after the replacement unit has installed the detection pointers, whether a read/write request of the virtual device is an abnormal request by means of the detection routine.
In the virtual machine escape detection method and device of the present invention, when each virtual device in the virtual machine is initialized, the address of that device's memory region is obtained, and the read/write function pointers stored in that region, which handle the device's read/write requests, are replaced with detection pointers to a detection routine that checks whether a read/write request is abnormal; in this way each virtual device in the virtual machine is checked for escape behaviour. Compared with existing escape detection approaches, the method does not need to analyze the operation instructions of each virtual device in the host kernel; instead the virtual machine monitors its own virtual devices in real time, which simplifies the detection process and improves detection efficiency. At the same time, because current open-source virtualization solutions give no direct way to obtain the read/write function pointers that handle a virtual device's read/write requests, the invention also provides, on the virtual machine side, a concrete implementation of escape detection aimed at each virtual device and in particular at the read/write requests it generates, solving the problem that the virtual machine cannot obtain the read/write function pointers of its virtual devices.
The above is only an overview of the technical solution. In order to make the technical means of the present invention easier to understand, so that it can be implemented according to the contents of the specification, and to make the above and other objects, features and advantages of the present invention clearer, specific embodiments of the present invention are given below.
Detailed description of the invention
Various other advantages and benefits will become clear to those of ordinary skill in the art from the following detailed description of preferred embodiments. The drawings serve only to illustrate a preferred embodiment and are not to be considered a limitation of the present invention. Throughout the drawings the same reference numbers denote the same parts. In the drawings:
Fig. 1 is a flow chart of a virtual machine escape detection method proposed by an embodiment of the present invention;
Fig. 2 is a flow chart of another virtual machine escape detection method proposed by an embodiment of the present invention;
Fig. 3 is a block diagram of a virtual machine escape detection device proposed by an embodiment of the present invention;
Fig. 4 is a block diagram of another virtual machine escape detection device proposed by an embodiment of the present invention.
Specific embodiment
Exemplary embodiments of the present invention are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments, it should be understood that the invention may be realized in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the present invention can be thoroughly understood and its scope fully conveyed to those skilled in the art.
An embodiment of the present invention provides a virtual machine escape detection method. It starts from the fact that current open-source virtualization solutions do not expose the read/write function pointers that handle each virtual device's read/write operations inside the virtual machine, while escape behaviour is for the most part achieved through read/write operation requests initiated by the virtual devices of the virtual machine, exploiting vulnerabilities in the virtual machine's own program. The method of this embodiment therefore monitors, on the virtual machine side, whether the read/write operations of each virtual device are abnormal, and from that judges whether the virtual machine exhibits escape behaviour. The specific steps, shown in Fig. 1, comprise:
101. When a virtual device in the virtual machine is initialized, obtain the address of the memory region corresponding to the virtual device.
When a virtual machine is created in a virtualized environment, processing resources must be allocated to it: the memory size, the number of virtual processors, the operating system type, and so on. That is, every virtual device in the virtual machine is initialized. When each virtual device is initialized, the address of the memory region corresponding to that device is obtained; the region records information such as the device's name and the pointers to the routines that handle each kind of operation request for the virtual machine.
102. Look up the read/write function pointers according to the address of the memory region.
The memory region of a virtual device stores the handler function pointers for each kind of operation request the device can generate. Since this embodiment mainly judges whether read/write operations are abnormal, the read/write function pointers that handle read/write operations must be found among those handler pointers. Note that the read/write function pointers are divided into a read function pointer and a write function pointer, corresponding to read operation requests and write operation requests respectively; each points to the address of the routine that handles the corresponding request.
103. Replace the read/write function pointers with corresponding detection pointers.
After the read function pointer and the write function pointer of the virtual device are obtained, each is replaced with its corresponding detection pointer: the detection pointer for read operations points to the address of a detection routine that checks whether the virtual device's read operation requests are abnormal, and the detection pointer for write operations points to the address of a detection routine that checks whether its write operation requests are abnormal.
In this embodiment the purpose of installing the detection pointers is to check a virtual device's read/write requests before the virtual machine processes them. Besides replacing the pointers outright, the detection pointer can therefore also be inserted ahead of the read/write function pointer at its address, so that read/write operation requests the detection routine finds acceptable continue on to the handler the read/write function pointer points to.
104. Use the detection routine to detect whether a read/write request of the virtual device is an abnormal request.
Through the three steps above, the virtual machine checks a virtual device's read/write operation requests when it executes them; that is, the replacement of the device's read/write function pointers is completed when the device is initialized. Afterwards, whenever the virtual device generates a read/write operation request, the virtual machine checks it with the detection routine and judges whether it is an abnormal request, where an abnormal request means an operation request whose processing could lead to an escape of the virtual machine. This embodiment does not limit the specific detection routine: it may compare the request against an established library of abnormal requests, or judge specific parameters or characteristic information of the request.
Finally the virtual machine decides how to proceed according to the detection result: if the request is normal, the corresponding read/write operation is carried out; if it is abnormal, the operation request is stopped and an alarm message is sent indicating that the operation could lead to a virtual machine escape.
The virtual machine escape detection method provided by this embodiment obtains, when each virtual device in the virtual machine is initialized, the address of that device's memory region, and replaces the read/write function pointers stored there, which handle the device's read/write requests, with detection pointers to a detection routine that checks whether a read/write request is abnormal; in this way each virtual device in the virtual machine is checked for escape behaviour. Compared with existing escape detection approaches, the method of this embodiment does not need to analyze the operation instructions of each virtual device in the host kernel; the virtual machine monitors its own virtual devices in real time, which simplifies the detection process and improves detection efficiency. At the same time, because current open-source virtualization solutions give no direct way to obtain the read/write function pointers that handle a virtual device's read/write requests, the invention also provides, on the virtual machine side, a concrete implementation of escape detection aimed at each virtual device and in particular at the read/write requests it generates, solving the problem that the virtual machine cannot obtain those pointers.
Further, to explain the implementation of the above escape detection method in more detail, an embodiment of the present invention also provides a virtual machine escape detection method whose steps, shown in Fig. 2, comprise:
201. When a virtual device in the virtual machine is initialized, obtain the address of the memory region corresponding to the virtual device.
Among the open-source virtualization solutions in common use, the mainstream ones include: KVM (Kernel-based Virtual Machine), a full virtualization solution for Linux on x86 hardware; Xen, an open-source virtual machine monitor developed at the University of Cambridge; OpenVZ, an operating-system-level virtualization technology based on the Linux kernel and operating system; and VirtualBox, a powerful x86 software virtual machine. In these open-source solutions the application's source code gives no access to the code that handles specific operation requests inside the virtual machine, so it is very difficult to obtain a virtual device's operation requests, and in particular its read/write operation requests.
This embodiment focuses on this problem by obtaining the address of the virtual device's memory region when the device is initialized in the virtual machine. When a virtual device is initialized a memory region is allocated and the system names it; in KVM, for example, the region is given its name by calling the function g_strdup for the virtual device. By obtaining that name-assignment function and analyzing it, the value assigned and the exact location of the assignment can be obtained, that is, the region's name and the address at which the name is stored. In practice the memory region is held in the RBX register, which is a non-volatile (callee-saved) register, so the value of the g_strdup call can be obtained by hooking g_strdup. The start address of the memory region can then be determined from the address of the stored name. (g_strdup is a GLib function; in a KVM deployment it is called by the user-space device model, QEMU, rather than by the KVM kernel module.)
202. Look up the read/write function pointers according to the address of the memory region.
Once the start address of the virtual device's memory region is known, the address used to handle the device's read/write requests is found in the region starting from that address, and the corresponding read/write function pointers, namely the read function pointer and the write function pointer, are determined from it. This embodiment does not limit the specific lookup method for the address or the way the pointers are determined.
203. Preset a detection routine and generate the detection pointer from the address of the detection routine.
The corresponding detection pointers are generated from the preset detection routines. Different detection routines are preset for different operation requests; in this embodiment they are specifically a read-operation detection routine and a write-operation detection routine, and the different addresses of the preset routines yield the detection pointers corresponding to each routine.
The preset detection routines check whether the operation requests generated by a virtual device are abnormal, with a different preset routine for each kind of operation request, for example a routine that checks read operation requests and a routine that checks write operation requests.
204. Replace the read/write function pointers with corresponding detection pointers.
The read function pointer and write function pointer found in step 202 are each replaced with the corresponding detection pointer obtained in step 203.
Note that after the replacement the read/write function pointers replaced in this step may still be retained, so that when a virtual device's operation request is judged to be a normal read/write operation, the retained pointer can be used to perform the subsequent read/write operation.
205. Obtain the read/write request of the virtual device.
After the detection pointers are installed, as soon as a virtual device generates a read/write operation request, the request is judged by the corresponding detection routine via the corresponding detection pointer. Before that judgement, the request is further verified to ensure that it was in fact generated by that virtual device. The specific approach of this embodiment is to find the device name contained in the read/write request and match it against the name of the memory region: if the request contains a name identical to the region's name, the request is judged to come from the virtual device and processing continues; if no name identical to the region's name is present, further processing of the request is stopped and an alarm message is sent indicating that the subject executing the request is wrong. When matching the name, this embodiment may traverse the contents of the registers holding the read/write operation request and search at different offsets for a field containing the region's name.
206. Use the detection routine to detect whether the read/write request of the virtual device is an abnormal request.
Finally, the verified read/write request is handed through the detection pointer to the detection routine for judgement. If the virtual device's read/write request is found to be a normal request, it will not cause a virtual machine escape, so it is passed to the routine pointed to by the original read/write function pointer before replacement; the detection routine may point directly at that handler, or the virtual machine may receive a detection result and, according to it, use the original read/write function pointer to send the request to the corresponding handler for processing. If the read/write request is found to be an abnormal request, it may cause a virtual machine escape: the virtual machine stops processing it, issues an alarm message indicating that the virtual machine user's operation request is abnormal, and records the alarm in a corresponding alarm log entry.
As a specific device implementing the above method, an embodiment of the present invention provides a virtual machine escape detection device which, as shown in Fig. 3, comprises:
an acquiring unit 31 for obtaining, when a virtual device in the virtual machine is initialized, the address of the memory region corresponding to that virtual device;
a searching unit 32 for looking up the read/write function pointers according to the address of the memory region obtained by the acquiring unit 31, the read/write function pointers pointing to the addresses of the routines that handle the virtual device's read/write requests;
a replacement unit 33 for replacing the read/write function pointers found by the searching unit 32 with corresponding detection pointers, the detection pointers pointing to the address of a detection routine that checks whether the virtual device's read/write requests are abnormal;
a detection unit 34 for detecting, after the replacement unit 33 has installed the detection pointers, whether a read/write request of the virtual device is an abnormal request by means of the detection routine.
Further, as shown in Fig. 4, the acquiring unit 31 comprises:
an obtaining module 311 for obtaining, when the virtual device is initialized, the assignment function for the name of the memory region corresponding to the virtual device;
a parsing module 312 for parsing the assignment function obtained by the obtaining module 311 to obtain the name of the memory region and the address of the assignment;
a determining module 313 for determining the address of the memory region from the address of the assignment.
Further, as shown in Fig. 4, the searching unit 32 comprises:
a determining module 321 for determining the address in the memory region used to handle the virtual device's read/write requests;
a searching module 322 for looking up, at the address determined by the determining module 321, the read/write function pointers corresponding to the read/write requests.
Further, as shown in Fig. 4, the device further comprises:
a generation unit 35 for presetting a detection routine and generating the detection pointer from the address of the detection routine before the replacement unit 33 replaces the read/write function pointers with the corresponding detection pointers.
Further, as shown in Fig. 4, the device further comprises:
a matching unit 36 for matching, after the replacement unit 33 has replaced the read/write function pointers with the corresponding detection pointers and according to the read/write request of the virtual device, the device name contained in the read/write request against the name of the memory region;
a stop unit 37 for stopping processing of the read/write request when the names compared by the matching unit 36 differ.
Further, as shown in Fig. 4, the device further comprises:
a processing unit 38 for handing the read/write request to the routine pointed to by the read/write function pointer before replacement when the detection unit 34 finds the virtual device's read/write request to be a normal request;
the stop unit 37 is further used to stop processing of the read/write request and send an alarm message when the detection unit 34 finds the virtual device's read/write request to be an abnormal request.
In summary, the virtual machine escape detection method and device provided by embodiments of the present invention obtain, when the virtual machine initializes each virtual device, the address of that device's memory region, and replace the read/write function pointers stored there, which handle the device's read/write requests, with detection pointers to a detection routine that checks whether a read/write request is abnormal; in this way each virtual device in the virtual machine is checked for escape behaviour. Compared with existing escape detection approaches, the method of these embodiments does not need to analyze the operation instructions of each virtual device in the host kernel; the virtual machine monitors its own virtual devices in real time, which simplifies the detection process and improves detection efficiency. At the same time, because current open-source virtualization solutions give no direct way to obtain the read/write function pointers that handle a virtual device's read/write requests, the invention also provides, on the virtual machine side, a concrete implementation of escape detection aimed at each virtual device and in particular at the read/write requests it generates, solving the problem that the virtual machine cannot obtain those pointers. Furthermore, because the embodiments judge a virtual device's read/write requests with a preset detection routine, and that routine can be updated in real time according to specific detection conditions, updating the detection criteria for virtual machine escape is easier, and real-time updates to the detection routine make detection more timely.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
It will be understood that the related features of the above cloud server and device may be referred to each other. In addition, "first", "second" and the like in the above embodiments serve to distinguish the embodiments and do not indicate that one embodiment is better or worse than another.
It is apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system, device and units described above may be referred to the corresponding processes in the foregoing cloud server embodiment and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such systems is apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the description above of a specific language is given to disclose the best mode of the invention.
In the description provided here, numerous specific details are set forth. It is to be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known cloud servers, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the disclosed cloud server should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any cloud server or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, as software modules running on one or more processors, or as a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device according to embodiments of the invention (such as a device for determining hyperlink rank in a website). The invention may also be implemented as apparatus or device programs (for example, computer programs and computer program products) for executing some or all of the cloud server described herein. Such programs implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.
The invention also discloses the following schemes:
A1. A virtual machine escape detection method, the method comprising:
when a virtual device in a virtual machine is initialised, obtaining the address of the storage region corresponding to the virtual device;
looking up the read/write function pointer according to the address of the storage region, the read/write function pointer pointing to the address of the program that handles the read/write requests of the virtual device;
replacing the read/write function pointer with a corresponding detection pointer, the detection pointer being the address of a detection program that directly detects whether a read/write request of the virtual device is abnormal;
detecting, by the detection program, whether a read/write request of the virtual device is an abnormal request.
A2. The method according to A1, wherein obtaining the address of the storage region corresponding to the virtual device comprises:
obtaining the assignment function by which the storage region corresponding to the virtual device is named when the virtual device is initialised;
parsing the assignment function to obtain the name of the storage region and the address of the assignment;
determining the address of the storage region from the address of the assignment.
A3. The method according to A2, wherein looking up the read/write function pointer according to the address of the storage region comprises:
determining the address within the storage region at which the read/write requests of the virtual device are handled;
looking up, at that address, the read/write function pointer corresponding to the read/write requests.
A4. The method according to A1, wherein before the read/write function pointer is replaced with the corresponding detection pointer the method further comprises:
presetting the detection program, and generating the detection pointer from the address of the detection program.
A5. The method according to A2, wherein after the read/write function pointer is replaced with the corresponding detection pointer the method further comprises:
on a read/write request of the virtual device, matching the device name carried in the read/write request against the name of the storage region;
if the names differ, stopping the processing of the read/write request.
A6. The method according to A1, wherein after detecting by the detection program whether the read/write request of the virtual device is an abnormal request the method further comprises:
when the read/write request of the virtual device is detected as a normal request, passing the read/write request to the program pointed to by the read/write function pointer as it was before replacement, for handling;
when the read/write request of the virtual device is detected as an abnormal request, stopping the processing of the read/write request and sending an alert message.
B7. A virtual machine escape detection device, the device comprising:
an acquiring unit, for obtaining, when a virtual device in a virtual machine is initialised, the address of the storage region corresponding to the virtual device;
a searching unit, for looking up the read/write function pointer according to the address of the storage region obtained by the acquiring unit, the read/write function pointer pointing to the address of the program that handles the read/write requests of the virtual device;
a replacement unit, for replacing the read/write function pointer found by the searching unit with a corresponding detection pointer, the detection pointer being the address of a detection program that directly detects whether a read/write request of the virtual device is abnormal;
a detection unit, for detecting, by the detection program, whether a read/write request of the virtual device is an abnormal request after the replacement unit has installed the detection pointer.
B8. The device according to B7, wherein the acquiring unit comprises:
an obtaining module, for obtaining the assignment function by which the storage region corresponding to the virtual device is named when the virtual device is initialised;
a parsing module, for parsing the assignment function obtained by the obtaining module to obtain the name of the storage region and the address of the assignment;
a determining module, for determining the address of the storage region from the address of the assignment.
B9. The device according to B8, wherein the searching unit comprises:
a determining module, for determining the address within the storage region at which the read/write requests of the virtual device are handled;
a searching module, for looking up, at the address determined by the determining module, the read/write function pointer corresponding to the read/write requests.
B10. The device according to B7, further comprising:
a generation unit, for presetting the detection program before the replacement unit replaces the read/write function pointer with the corresponding detection pointer, and generating the detection pointer from the address of the detection program.
B11. The device according to B8, further comprising:
a matching unit, for matching, after the replacement unit has replaced the read/write function pointer with the corresponding detection pointer, the device name carried in a read/write request of the virtual device against the name of the storage region;
a stop unit, for stopping the processing of the read/write request when the names compared by the matching unit differ.
B12. The device according to B11, further comprising:
a processing unit, for passing the read/write request to the program pointed to by the read/write function pointer as it was before replacement, for handling, when the detection unit detects the read/write request of the virtual device as a normal request;
the stop unit being further adapted to stop the processing of the read/write request and send an alert message when the detection unit detects the read/write request of the virtual device as an abnormal request.

Claims (12)

  1. A virtual machine escape detection method, characterised in that the method comprises:
    when a virtual device in a virtual machine is initialised, obtaining the address of the storage region corresponding to the virtual device;
    looking up the read/write function pointer according to the address of the storage region, the read/write function pointer pointing to the address of the program that handles the read/write requests of the virtual device;
    replacing the read/write function pointer with a corresponding detection pointer, the detection pointer being the address of a detection program that directly detects whether a read/write request of the virtual device is abnormal;
    detecting, by the detection program, whether a read/write request of the virtual device is an abnormal request, the abnormal request being an operation request whose processing is likely to result in a virtual machine escape.
  2. The method according to claim 1, characterised in that obtaining the address of the storage region corresponding to the virtual device comprises:
    obtaining the assignment function by which the storage region corresponding to the virtual device is named when the virtual device is initialised;
    parsing the assignment function to obtain the name of the storage region and the address of the assignment;
    determining the address of the storage region from the address of the assignment.
  3. The method according to claim 2, characterised in that looking up the read/write function pointer according to the address of the storage region comprises:
    determining the address within the storage region used for handling the read/write requests of the virtual device;
    looking up, at that address, the read/write function pointer corresponding to the read/write requests.
  4. The method according to claim 1, characterised in that before the read/write function pointer is replaced with the corresponding detection pointer the method further comprises:
    presetting the detection program, and generating the detection pointer from the address of the detection program.
  5. The method according to claim 2, characterised in that after the read/write function pointer is replaced with the corresponding detection pointer the method further comprises:
    on a read/write request of the virtual device, matching the device name carried in the read/write request against the name of the storage region;
    if the names differ, stopping the processing of the read/write request.
  6. The method according to claim 1, characterised in that after detecting by the detection program whether the read/write request of the virtual device is an abnormal request the method further comprises:
    when the read/write request of the virtual device is detected as a normal request, passing the read/write request to the program pointed to by the read/write function pointer as it was before replacement, for handling;
    when the read/write request of the virtual device is detected as an abnormal request, stopping the processing of the read/write request and sending an alert message.
  7. A virtual machine escape detection device, characterised in that the device comprises:
    an acquiring unit, for obtaining, when a virtual device in a virtual machine is initialised, the address of the storage region corresponding to the virtual device;
    a searching unit, for looking up the read/write function pointer according to the address of the storage region obtained by the acquiring unit, the read/write function pointer pointing to the address of the program that handles the read/write requests of the virtual device;
    a replacement unit, for replacing the read/write function pointer found by the searching unit with a corresponding detection pointer, the detection pointer being the address of a detection program that directly detects whether a read/write request of the virtual device is abnormal;
    a detection unit, for detecting, by the detection program, whether a read/write request of the virtual device is an abnormal request after the replacement unit has installed the detection pointer, the abnormal request being an operation request whose processing is likely to result in a virtual machine escape.
  8. The device according to claim 7, characterised in that the acquiring unit comprises:
    an obtaining module, for obtaining the assignment function by which the storage region corresponding to the virtual device is named when the virtual device is initialised;
    a parsing module, for parsing the assignment function obtained by the obtaining module to obtain the name of the storage region and the address of the assignment;
    a determining module, for determining the address of the storage region from the address of the assignment.
  9. The device according to claim 8, characterised in that the searching unit comprises:
    a determining module, for determining the address within the storage region used for handling the read/write requests of the virtual device;
    a searching module, for looking up, at the address determined by the determining module, the read/write function pointer corresponding to the read/write requests.
  10. The device according to claim 7, characterised in that the device further comprises:
    a generation unit, for presetting the detection program before the replacement unit replaces the read/write function pointer with the corresponding detection pointer, and generating the detection pointer from the address of the detection program.
  11. The device according to claim 8, characterised in that the device further comprises:
    a matching unit, for matching, after the replacement unit has replaced the read/write function pointer with the corresponding detection pointer, the device name carried in a read/write request of the virtual device against the name of the storage region;
    a stop unit, for stopping the processing of the read/write request when the names compared by the matching unit differ.
  12. The device according to claim 11, characterised in that the device further comprises:
    a processing unit, for passing the read/write request to the program pointed to by the read/write function pointer as it was before replacement, for handling, when the detection unit detects the read/write request of the virtual device as a normal request;
    the stop unit being further adapted to stop the processing of the read/write request and send an alert message when the detection unit detects the read/write request of the virtual device as an abnormal request.
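The following is an added example written for this page, not code from the patent or from any virtualisation project. It is a toy device model in C that walks through the mechanism of schemes A1 to A6 and claims 1 to 6 end to end: the read/write function pointers of a named storage region are saved at initialisation and replaced with pointers to a detection routine, the device name carried by a request is matched against the region name, normal requests are forwarded to the original handler, and abnormal ones are stopped with an alert. The region and request layouts, the toy device, all names, and the definition of "abnormal" used here (an access that is misaligned, of an unsupported width, or that reaches past the end of the region) are assumptions made for the example; the patent does not fix what the detection program checks.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed shape of a device-model memory region: name, size, handler pointers. */
typedef uint64_t (*read_fn)(void *opaque, uint64_t off, unsigned size);
typedef void (*write_fn)(void *opaque, uint64_t off, uint64_t val, unsigned size);
typedef struct { read_fn read; write_fn write; } MemRegionOps;
typedef struct {
    char name[32];             /* name given by the region's initialisation call */
    uint64_t size;             /* length of the region in bytes */
    const MemRegionOps *ops;   /* read/write function pointers; these get replaced */
    void *opaque;              /* device state handed to the handlers */
} MemRegion;

/* A guest read/write request as the detector sees it (assumed layout);
 * dev_name is what scheme A5 / claim 5 matches against the region name. */
typedef struct { const char *dev_name; bool is_write; uint64_t off; uint64_t val; unsigned size; } Request;

/* Toy device (assumed): 16 32-bit registers; its handlers do no bounds checks. */
typedef struct { uint32_t regs[16]; } ToyDev;
static uint64_t toy_read(void *o, uint64_t off, unsigned size) {
    (void)size; return ((ToyDev *)o)->regs[off / 4];
}
static void toy_write(void *o, uint64_t off, uint64_t val, unsigned size) {
    (void)size; ((ToyDev *)o)->regs[off / 4] = (uint32_t)val;
}
static const MemRegionOps toy_ops = { toy_read, toy_write };

/* Hook record: original pointers saved before replacement, replacement ops
 * pointing at the detection program, and a count of stopped requests. */
typedef struct {
    MemRegion *mr; const MemRegionOps *orig_ops; void *orig_opaque;
    MemRegionOps detect_ops; unsigned alerts;
} Hook;

/* Detection program (assumed rule): abnormal if the width is not a natural access
 * size, the offset is misaligned, or the access reaches past the end of the region. */
static bool request_abnormal(uint64_t region_size, uint64_t off, unsigned size) {
    if (size != 1 && size != 2 && size != 4 && size != 8) return true;
    if (off % size != 0) return true;
    return off >= region_size || size > region_size - off;   /* overflow-safe */
}

/* Shared stop-and-alert step used by both replacement handlers. */
static bool stop_if_abnormal(Hook *h, const char *kind, uint64_t off, unsigned size) {
    if (!request_abnormal(h->mr->size, off, size)) return false;
    h->alerts++;
    fprintf(stderr, "ALERT %s: abnormal %s off=%#llx size=%u\n",
            h->mr->name, kind, (unsigned long long)off, size);
    return true;
}
static uint64_t detect_read(void *o, uint64_t off, unsigned size) {
    Hook *h = o;
    if (stop_if_abnormal(h, "read", off, size)) return 0;       /* stopped */
    return h->orig_ops->read(h->orig_opaque, off, size);        /* normal: forward */
}
static void detect_write(void *o, uint64_t off, uint64_t val, unsigned size) {
    Hook *h = o;
    if (!stop_if_abnormal(h, "write", off, size)) h->orig_ops->write(h->orig_opaque, off, val, size);
}

/* Replacement step (A1/A4): save the original pointers, then point the region at
 * the detection program. Run right after the region is initialised. */
static void install_hook(Hook *h, MemRegion *mr) {
    h->mr = mr; h->orig_ops = mr->ops; h->orig_opaque = mr->opaque; h->alerts = 0;
    h->detect_ops.read = detect_read; h->detect_ops.write = detect_write;
    mr->ops = &h->detect_ops; mr->opaque = h;
}

/* Dispatch one request: name match (A5) first, then the hooked handler.
 * Returns 0 if handled, 1 on name mismatch, 2 if the detector stopped it. */
static int dispatch(Hook *h, const Request *rq, uint64_t *out) {
    if (strcmp(rq->dev_name, h->mr->name) != 0) return 1;
    unsigned before = h->alerts;
    if (rq->is_write) h->mr->ops->write(h->mr->opaque, rq->off, rq->val, rq->size);
    else *out = h->mr->ops->read(h->mr->opaque, rq->off, rq->size);
    return h->alerts != before ? 2 : 0;
}

/* Worked run over constructed requests; returns how many were stopped. */
static unsigned run_demo(void) {
    ToyDev dev = {{0}};
    MemRegion mr = { "toy-mmio", sizeof dev.regs, &toy_ops, &dev };
    Hook h;
    install_hook(&h, &mr);
    const Request reqs[] = {
        { "toy-mmio", true,  0x08, 0x1234, 4 },   /* normal write */
        { "toy-mmio", false, 0x08, 0,      4 },   /* normal read, yields 0x1234 */
        { "toy-mmio", false, 0x40, 0,      4 },   /* one past the end: stopped */
        { "toy-mmio", true,  0x3c, 0xff,   8 },   /* misaligned, over the edge: stopped */
        { "other",    false, 0x00, 0,      4 },   /* wrong device name: stopped */
    };
    unsigned stopped = 0;
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        uint64_t v = 0;
        int rc = dispatch(&h, &reqs[i], &v);
        stopped += rc != 0;
        printf("req %zu -> rc=%d value=%#llx\n", i, rc, (unsigned long long)v);
    }
    return stopped;
}

int main(void) { return run_demo() == 3 ? 0 : 1; }
```

Compile with a C99 compiler; the program prints one line per constructed request and exits 0 when exactly three of the five were stopped. Two points the patent leaves implicit deserve attention in a real deployment: the original pointers saved in the hook record are themselves a target if a device handler is ever corrupted, because the detection routine runs in the same address space as the handler it guards; and the device-name match in the dispatcher is only as strong as the binding between a request and the name its region was registered under, which the page assumes the request carries.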
CN201610509384.9A (priority date 2016-06-30, filing date 2016-06-30): A kind of virtual machine escape detection method and device. Status: Active. Publication: CN106203091B (en)


Publications (2)

CN106203091A (en), published 2016-12-07
CN106203091B (en), published 2019-02-22

Family

ID=57464107

Country Status (1)

Country Link
CN (1) CN106203091B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
CN113849339B (*), priority 2020-06-28, published 2023-07-11, 华为技术有限公司: Method, device and storage medium for restoring running state of application program
CN111508617B (*), priority 2020-07-01, published 2020-09-25, 智博云信息科技(广州)有限公司: Epidemic situation data maintenance method and device, computer equipment and readable storage medium
CN117032874B (*), priority 2023-10-08, published 2024-02-23, 统信软件技术有限公司: Remote control method, device, computing equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
CN102254120A (*), priority 2011-08-09, published 2011-11-23, 成都市华为赛门铁克科技有限公司: Method, system and relevant device for detecting malicious codes
CN103399812A (*), priority 2013-07-22, published 2013-11-20, 西安电子科技大学: Magnetic disc file operation monitoring system and monitoring method based on Xen hardware virtualization
CN103577246A (*), priority 2013-11-12, published 2014-02-12, 浙江云巢科技有限公司: Method and device for preventing virtual machine from escaping
CN105095741A (*), priority 2014-05-13, published 2015-11-25, 北京奇虎测腾科技有限公司: Behavior monitoring method and behavior monitoring system of application program
CN105426758A (*), priority 2015-12-18, published 2016-03-23, 北京奇虎科技有限公司: Protection method and device for virtual machine escape
CN105512553A (*), priority 2015-11-26, published 2016-04-20, 上海君是信息科技有限公司: Access control method for preventing virtual machine from escaping and attacking
CN105590054A (*), priority 2014-11-11, published 2016-05-18, 航天恒星科技有限公司: Virtual machine process monitoring method, device and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
US8713546B2 (*), priority 2006-12-18, published 2014-04-29, Oracle International Corporation: System and method for redundant array copy removal in a pointer-free language



Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
Co-patentee after: Qianxin Technology Group Co., Ltd.
Patentee after: Beijing Qihu Technology Co., Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
Co-patentee before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.
Patentee before: Beijing Qihu Technology Co., Ltd.