CN106502759B - A kind of data access method, code call method and virtual machine monitor - Google Patents


Info

Publication number: CN106502759B
Authority: CN (China)
Prior art keywords: kernel, space, page table, module, vmm
Legal status: Active
Application number: CN201510559382.6A
Other languages: Chinese (zh)
Other versions: CN106502759A
Inventors: 李辉, 陈兴蜀, 张相锋
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201510559382.6A
Priority to PCT/CN2016/097246 (WO2017036376A1)
Publication of CN106502759A
Application granted
Publication of CN106502759B


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Memory System Of A Hierarchy Structure (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention discloses a data access method, a code call method and a virtual machine monitor (VMM). The data access method includes: the VMM captures a page table interrupt event; the VMM judges, by means of a prestored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in K-SPACE; and when the VMM judges by means of the prestored page table interrupt processing function that the target kernel module has permission to access the kernel data in K-SPACE, the VMM creates in the MPGT an access authority mapping from the target kernel module to the kernel data in K-SPACE, so that the target kernel module has permission to access the kernel data in K-SPACE. Implementing the embodiment of the invention helps to improve the safety of system kernel data access and code calling.

Description

A kind of data access method, code call method and virtual machine monitor
Technical field
The present invention relates to the field of computer memory management, and in particular to a data access method, a code call method and a virtual machine monitor (VMM).
Background technique
Almost all modern operating systems support the dynamic insertion and unloading of modules, which lets the operating system kernel extend its functionality on demand. Once a target kernel module has been inserted into the operating system kernel, however, its behaviour is no longer monitored or limited. The loaded target kernel module runs at the same privilege level as the operating system kernel, so it can call any code the kernel provides and modify kernel data, which exposes the integrity of the operating system kernel to security threats.
For driver modules added to the operating system kernel, developers currently add a driver isolation layer between the kernel and the driver module in order to isolate the operating system kernel from the driver module. However, because the driver isolation layer resides in kernel space and runs at the same privilege level as the driver module, the driver module can modify the permission mapping in its own page table, and the modified mapping defeats the isolation provided by the driver isolation layer, leaving the operating system in an unsafe state. Moreover, because the driver isolation layer isolates every driver module of each kernel device, system performance is seriously affected.
Summary of the invention
Embodiments of the present invention provide a data access method, a code call method and a VMM, in order to improve the safety of kernel data access and code calling in the system.
A first aspect of the embodiment of the present invention discloses a data access method, comprising:
a virtual machine monitor (VMM) captures a page table interrupt event, where the page table interrupt event is generated by the central processing unit (CPU) after it detects an access request sent by a target kernel module for kernel data in the kernel space K-SPACE and determines that no access authority mapping from the target kernel module to the kernel data in K-SPACE has been created in the isolation space page table MPGT; the virtual machine kernel space corresponding to the VMM includes K-SPACE and an isolation space M-SPACE, M-SPACE includes the target kernel module and the MPGT, and the MPGT supports the running of the target kernel module;
the VMM judges, by means of a prestored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in K-SPACE;
when the VMM judges by means of the prestored page table interrupt processing function that the target kernel module has permission to access the kernel data in K-SPACE, the VMM creates in the MPGT an access authority mapping from the target kernel module to the kernel data in K-SPACE, so that the target kernel module has permission to access the kernel data in K-SPACE.
In a first possible implementation of the first aspect of the embodiment of the present invention, the VMM judging by means of the prestored page table interrupt processing function whether the target kernel module has permission to access the kernel data in K-SPACE comprises:
the VMM obtains, through the prestored page table interrupt function, the preset permission judgement policy corresponding to the page table interrupt event, and obtains the virtual address distribution information of the kernel data in K-SPACE;
the VMM determines the event type of the page table interrupt event;
the VMM judges, according to the preset permission judgement policy, the virtual address distribution information and the event type, whether the target kernel module has permission to access the kernel data in K-SPACE.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect of the embodiment of the present invention, before the VMM captures the page table interrupt event, the method further comprises:
the VMM maps the virtual address distribution information of the target kernel module to physical address distribution information according to the prestored space page table of the virtual machine kernel space, where the target kernel module is a kernel module that needs to be isolated, chosen from the N kernel modules inserted into the virtual machine kernel space, and N is a positive integer;
the VMM separates the virtual machine kernel space into M-SPACE and K-SPACE based on the physical address distribution information;
the VMM marks the space page table of the virtual machine kernel space as the kernel space page table KPGT, and creates the MPGT based on the physical address distribution information, where the KPGT supports the running of the kernel modules in K-SPACE, and the kernel modules in K-SPACE include the basic kernel modules of the virtual machine kernel space and the kernel modules among the N kernel modules other than the target kernel module.
With reference to the first aspect or its first or second possible implementation, in a third possible implementation of the first aspect of the embodiment of the present invention, an access authority mapping from the target kernel module to the kernel data in M-SPACE is created in the MPGT, so that the target kernel module has permission to access the kernel data in M-SPACE.
A second aspect of the embodiment of the present invention discloses a VMM, comprising:
an event capturing unit, configured to capture a page table interrupt event, where the page table interrupt event is generated by the CPU after it detects an access request sent by a target kernel module for kernel data in the kernel space K-SPACE and determines that no access authority mapping from the target kernel module to the kernel data in K-SPACE has been created in the isolation space page table MPGT; the virtual machine kernel space corresponding to the VMM includes K-SPACE and an isolation space M-SPACE, M-SPACE includes the target kernel module and the MPGT, and the MPGT supports the running of the target kernel module;
a permission judging unit, configured to judge, by means of a prestored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in K-SPACE;
a permission creating unit, configured to create in the MPGT an access authority mapping from the target kernel module to the kernel data in K-SPACE when the permission judging unit judges by means of the prestored page table interrupt processing function that the target kernel module has permission to access the kernel data in K-SPACE, so that the target kernel module has permission to access the kernel data in K-SPACE.
In a first possible implementation of the second aspect of the embodiment of the present invention, the permission judging unit is specifically configured to:
obtain, through the prestored page table interrupt function, the preset permission judgement policy corresponding to the page table interrupt event, and obtain the virtual address distribution information of the kernel data in K-SPACE;
determine the event type of the page table interrupt event;
judge, according to the preset permission judgement policy, the virtual address distribution information and the event type, whether the target kernel module has permission to access the kernel data in K-SPACE.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation of the second aspect of the embodiment of the present invention, the VMM further comprises:
an address mapping unit, configured to map, before the event capturing unit captures the page table interrupt event, the virtual address distribution information of the target kernel module to physical address distribution information according to the prestored space page table of the virtual machine kernel space, where the target kernel module is a kernel module that needs to be isolated, chosen from the N kernel modules inserted into the virtual machine kernel space, and N is a positive integer;
a space separating unit, configured to separate the virtual machine kernel space into M-SPACE and K-SPACE based on the physical address distribution information;
a page table creating unit, configured to mark the space page table of the virtual machine kernel space as the kernel space page table KPGT and to create the MPGT based on the physical address distribution information, where the KPGT supports the running of the kernel modules in K-SPACE, and the kernel modules in K-SPACE include the basic kernel modules of the virtual machine kernel space and the kernel modules among the N kernel modules other than the target kernel module.
With reference to the second aspect or its first or second possible implementation, in a third possible implementation of the second aspect of the embodiment of the present invention, an access authority mapping from the target kernel module to the kernel data in M-SPACE is created in the MPGT, so that the target kernel module has permission to access the kernel data in M-SPACE.
In the embodiment of the present invention, the VMM first captures a page table interrupt event; second, the VMM judges by means of the prestored page table interrupt processing function whether the target kernel module has permission to access the kernel data in K-SPACE; finally, when the VMM judges by means of the prestored page table interrupt processing function that the target kernel module has that permission, the VMM creates in the MPGT an access authority mapping from the target kernel module to the kernel data in K-SPACE, so that the target kernel module has permission to access the kernel data in K-SPACE. Because the page table interrupt event is generated by the CPU after it detects an access request sent by the target kernel module for kernel data in the kernel space K-SPACE and determines that no access authority mapping from the target kernel module to that kernel data has been created in the isolation space page table MPGT, the target kernel module has no permission to access kernel data in K-SPACE directly. This prevents a target kernel module whose safety is unknown from accessing kernel data in K-SPACE at will, and helps to improve the safety of system kernel data access.
At the same time, because the VMM has higher execution privilege than the virtual machine operating system, in a virtualized environment the VMM, running at the higher privilege level, is isolated from the virtual machines and is not directly attacked by them.
At the same time, because the VMM is independent of the guest platform, it can isolate kernel modules of multiple different types of guest operating systems simultaneously.
A third aspect of the embodiment of the present invention discloses a code call method, comprising:
a virtual machine monitor (VMM) captures a page table interrupt event, where the page table interrupt event is generated by the central processing unit (CPU) after it detects a call request sent by a target kernel module for kernel code in the kernel space K-SPACE and determines that no calling permission mapping from the target kernel module to the kernel code in K-SPACE has been created in the isolation space page table MPGT; the virtual machine kernel space corresponding to the VMM includes K-SPACE and an isolation space M-SPACE, M-SPACE includes the target kernel module and the MPGT, and the MPGT supports the running of the target kernel module;
the VMM judges, by means of a prestored page table interrupt processing function, whether the target kernel module has permission to call the kernel code in K-SPACE;
when the VMM judges by means of the prestored page table interrupt processing function that the target kernel module has permission to call the kernel code in K-SPACE, the VMM performs, according to the calling permission mapping from the target kernel module to the kernel code in K-SPACE, a page table switch operation and a stack switch operation to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in K-SPACE based on the K-STACK after switching.
In a first possible implementation of the third aspect of the embodiment of the present invention, the VMM judging by means of the prestored page table interrupt processing function whether the target kernel module has permission to call the kernel code in K-SPACE comprises:
the VMM obtains, through the prestored page table interrupt function, the preset permission judgement policy corresponding to the page table interrupt event, and obtains the virtual address distribution information of the kernel code in K-SPACE;
the VMM judges, according to the obtained preset permission judgement policy and virtual address distribution information, whether the target kernel module has permission to access the kernel code in K-SPACE.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation of the third aspect of the embodiment of the present invention, the VMM performing the page table switch operation comprises:
the VMM switches the page table currently loaded by the VMM from the MPGT to the kernel space page table KPGT, where the KPGT supports the running of the kernel modules in K-SPACE, and K-SPACE includes the basic kernel modules of the virtual machine kernel space, the kernel modules among the N kernel modules inserted into the virtual machine kernel space other than the target kernel module, and the KPGT, N being a positive integer greater than 1.
With reference to the third aspect or its first or second possible implementation, in a third possible implementation of the third aspect of the embodiment of the present invention, the VMM performing the stack switch operation comprises:
the VMM copies, from the M-STACK, the code parameters stored there for passing to the kernel code in K-SPACE and the return address RIP for calling the kernel code in K-SPACE;
the VMM writes the code parameters and the RIP into the K-STACK;
the VMM moves the currently used stack of the virtual machine kernel space from the esp-old position to the esp-new position, where the esp-old position is the storage location of the RIP in the M-STACK and the esp-new position is the storage location of the RIP in the K-STACK.
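The page table switch and the three stack-switch steps above, modelled in C as an added example (this is not code from the patent). It assumes a constructed virtual-machine state in which both stacks are fixed-size word arrays that grow downward, the K-STACK is empty when the switch happens, and esp is an index rather than a register; the module name and parameter values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define STACK_WORDS 32

typedef enum { PT_MPGT, PT_KPGT } pagetable_id_t;

/* Constructed model of the virtual machine kernel state. Both stacks grow
 * downward and esp indexes the word at the top of the stack in use, so the
 * RIP sits at esp and the code parameters at esp+1, esp+2, ... */
typedef struct {
    uint64_t m_stack[STACK_WORDS];  /* M-STACK: isolation space stack */
    uint64_t k_stack[STACK_WORDS];  /* K-STACK: kernel space stack */
    unsigned esp;                   /* index into the stack in use */
    bool on_kstack;                 /* which stack esp refers to */
    pagetable_id_t loaded_pt;       /* page table currently loaded */
} vm_kernel_t;

/* Target module side: it already has `locals` words on the M-STACK, then
 * pushes the code parameters and the return address RIP, as a call would. */
void module_prepare_call(vm_kernel_t *vm, unsigned locals,
                         const uint64_t *params, unsigned nparams, uint64_t rip) {
    memset(vm, 0, sizeof *vm);
    vm->esp = STACK_WORDS;
    vm->loaded_pt = PT_MPGT;
    vm->on_kstack = false;
    for (unsigned i = 0; i < locals; i++)
        vm->m_stack[--vm->esp] = 0xDEADBEEF00000000ULL | i;  /* module locals (constructed) */
    for (unsigned i = nparams; i-- > 0;)
        vm->m_stack[--vm->esp] = params[i];                   /* last parameter pushed first */
    vm->m_stack[--vm->esp] = rip;                             /* esp-old: RIP in M-STACK */
}

/* VMM side: the page table switch (MPGT -> KPGT) and the three stack-switch
 * steps: copy parameters and RIP from the M-STACK, write them into the
 * K-STACK, move esp from esp-old to esp-new. Returns esp-new, or
 * STACK_WORDS when the frame is malformed and no switch is performed. */
unsigned vmm_switch_to_kspace(vm_kernel_t *vm, unsigned nparams) {
    unsigned esp_old = vm->esp;
    unsigned words = nparams + 1;                 /* RIP plus the parameters */
    if (vm->on_kstack || words > STACK_WORDS || esp_old + words > STACK_WORDS)
        return STACK_WORDS;                       /* refuse: nothing is switched */
    vm->loaded_pt = PT_KPGT;                      /* page table switch */
    unsigned esp_new = STACK_WORDS - words;       /* K-STACK assumed empty */
    memcpy(&vm->k_stack[esp_new], &vm->m_stack[esp_old], words * sizeof(uint64_t));
    vm->esp = esp_new;                            /* esp-old -> esp-new */
    vm->on_kstack = true;
    return esp_new;
}

/* K-SPACE side: a kernel routine that reads its two parameters from the
 * stack it was entered on, which after the switch is the K-STACK. */
uint64_t kernel_sum_entry(const vm_kernel_t *vm) {
    const uint64_t *stk = vm->on_kstack ? vm->k_stack : vm->m_stack;
    return stk[vm->esp + 1] + stk[vm->esp + 2];
}

/* The RIP the kernel code will return to, read from the current stack top. */
uint64_t current_rip(const vm_kernel_t *vm) {
    return vm->on_kstack ? vm->k_stack[vm->esp] : vm->m_stack[vm->esp];
}
```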
With reference to the third aspect or its first, second or third possible implementation, in a fourth possible implementation of the third aspect of the embodiment of the present invention, before the VMM captures the page table interrupt event, the method further comprises:
the VMM maps the virtual address distribution information of the target kernel module to physical address distribution information according to the prestored space page table of the virtual machine kernel space, where the target kernel module is a kernel module that needs to be isolated, chosen from the N kernel modules inserted into the virtual machine kernel space, and N is a positive integer greater than 1;
the VMM separates the virtual machine kernel space into M-SPACE and K-SPACE based on the physical address distribution information;
the VMM marks the space page table of the virtual machine kernel space as the kernel space page table KPGT, and creates the MPGT based on the physical address distribution information.
With reference to the third aspect or its first, second, third or fourth possible implementation, in a fifth possible implementation of the third aspect of the embodiment of the present invention, a calling permission mapping from the target kernel module to the kernel code in M-SPACE is created in the MPGT, so that the target kernel module has permission to call the kernel code in M-SPACE.
A fourth aspect of the embodiment of the present invention discloses a VMM, comprising:
an event capturing unit, configured to capture a page table interrupt event, where the page table interrupt event is generated by the central processing unit (CPU) after it detects a call request sent by a target kernel module for kernel code in the kernel space K-SPACE and determines that no calling permission mapping from the target kernel module to the kernel code in K-SPACE has been created in the isolation space page table MPGT; the virtual machine kernel space corresponding to the VMM includes K-SPACE and an isolation space M-SPACE, M-SPACE includes the target kernel module and the MPGT, and the MPGT supports the running of the target kernel module;
a permission judging unit, configured to judge, by means of a prestored page table interrupt processing function, whether the target kernel module has permission to call the kernel code in K-SPACE;
a switch unit, configured to perform, when the permission judging unit judges by means of the prestored page table interrupt processing function that the target kernel module has permission to call the kernel code in K-SPACE, a page table switch operation and a stack switch operation according to the calling permission mapping from the target kernel module to the kernel code in K-SPACE, so as to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in K-SPACE based on the K-STACK after switching.
In a first possible implementation of the fourth aspect of the embodiment of the present invention, the permission judging unit is specifically configured to:
obtain, through the prestored page table interrupt function, the preset permission judgement policy corresponding to the page table interrupt event, and obtain the virtual address distribution information of the kernel code in K-SPACE;
judge, according to the obtained preset permission judgement policy and virtual address distribution information, whether the target kernel module has permission to access the kernel code in K-SPACE.
With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect of the embodiment of the present invention, the switch unit is specifically configured to:
switch the page table currently loaded by the VMM from the MPGT to the kernel space page table KPGT, where the KPGT supports the running of the kernel modules in K-SPACE, and K-SPACE includes the basic kernel modules of the virtual machine kernel space, the kernel modules among the N kernel modules inserted into the virtual machine kernel space other than the target kernel module, and the KPGT, N being a positive integer greater than 1.
With reference to the fourth aspect or its first or second possible implementation, in a third possible implementation of the fourth aspect of the embodiment of the present invention, the switch unit is specifically configured to:
copy, from the M-STACK, the code parameters stored there for passing to the kernel code in K-SPACE and the return address RIP for calling the kernel code in K-SPACE;
write the code parameters and the RIP into the K-STACK;
move the currently used stack of the virtual machine kernel space from the esp-old position to the esp-new position, where the esp-old position is the storage location of the RIP in the M-STACK and the esp-new position is the storage location of the RIP in the K-STACK.
With reference to the fourth aspect or its first, second or third possible implementation, in a fourth possible implementation of the fourth aspect of the embodiment of the present invention, the VMM further comprises:
an address mapping unit, configured to map, before the event capturing unit captures the page table interrupt event, the virtual address distribution information of the target kernel module to physical address distribution information according to the prestored space page table of the virtual machine kernel space, where the target kernel module is a kernel module that needs to be isolated, chosen from the N kernel modules inserted into the virtual machine kernel space, and N is a positive integer greater than 1;
a space separating unit, configured to separate the virtual machine kernel space into M-SPACE and K-SPACE based on the physical address distribution information;
a page table creating unit, configured to mark the space page table of the virtual machine kernel space as the kernel space page table KPGT and to create the MPGT based on the physical address distribution information.
With reference to the fourth aspect or its first, second, third or fourth possible implementation, in a fifth possible implementation of the fourth aspect of the embodiment of the present invention, a calling permission mapping from the target kernel module to the kernel code in M-SPACE is created in the MPGT, so that the target kernel module has permission to call the kernel code in M-SPACE.
In the embodiment of the present invention, the VMM first captures a page table interrupt event; then, when the VMM judges by means of the prestored page table interrupt processing function that the target kernel module has permission to call the kernel code in K-SPACE, the VMM performs, according to the calling permission mapping from the target kernel module to the kernel code in K-SPACE, a page table switch operation and a stack switch operation to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in K-SPACE based on the K-STACK after switching. Because the page table interrupt event is generated by the CPU after it detects a call request sent by the target kernel module for kernel code in the kernel space K-SPACE and determines that no calling permission mapping from the target kernel module to that kernel code has been created in the isolation space page table MPGT, the target kernel module has no permission to call kernel code directly. This prevents a target kernel module whose safety is unknown from calling kernel code in K-SPACE at will, and helps to improve the safety of system kernel code calling.
At the same time, because the VMM has higher execution privilege than the virtual machine operating system, in a virtualized environment the VMM, running at the higher privilege level, is isolated from the virtual machines and is not directly attacked by them.
At the same time, because the VMM is independent of the guest platform, it can isolate kernel modules of multiple different types of guest operating systems simultaneously.
Detailed description of the invention
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1.1 is a typical bare-metal mode virtualization platform deployment architecture diagram disclosed by an embodiment of the present invention;
Fig. 1.2 is a typical hosted mode virtualization platform deployment architecture diagram disclosed by an embodiment of the present invention;
Fig. 2 is a flow diagram of a data access method disclosed by an embodiment of the present invention;
Fig. 3 is a flow diagram of another data access method disclosed by an embodiment of the present invention;
Fig. 4 is a flow diagram of yet another data access method disclosed by an embodiment of the present invention;
Fig. 5 is a flow diagram of a code call method disclosed by an embodiment of the present invention;
Fig. 6 is a flow diagram of another code call method disclosed by an embodiment of the present invention;
Fig. 7 is a flow diagram of yet another code call method disclosed by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a VMM, disclosed by an embodiment of the present invention, for controlling access by the target kernel module in M-SPACE to kernel data in K-SPACE;
Fig. 9 is a schematic structural diagram of a VMM, disclosed by an embodiment of the present invention, for controlling calls by the target kernel module in M-SPACE to kernel code in K-SPACE;
Fig. 10 is a schematic structural diagram of a physical apparatus of a VMM disclosed by an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a physical apparatus of another VMM disclosed by an embodiment of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Embodiments of the present invention provide a data access method, a code call method and a virtual machine monitor (Virtual Machine Monitor, VMM) to improve the safety of system kernel data access and code calling.
To facilitate understanding of the embodiments of the present invention, the network architecture of the embodiments is described first. Referring to Fig. 1.1 and Fig. 1.2, Fig. 1.1 is a typical bare-metal mode virtualization platform deployment architecture diagram disclosed by an embodiment of the present invention, and Fig. 1.2 is a typical hosted mode virtualization platform deployment architecture diagram disclosed by an embodiment of the present invention. As shown in Fig. 1.1 and Fig. 1.2, the virtual machine operating system in both modes runs on the VMM; the VMM has higher execution privilege than the virtual machine operating system, and the two are isolated from each other. The virtual machine operating system kernel can be further divided into a code part, a data part, the stack required for the kernel to run, and dynamically loadable kernel modules. In the typical bare-metal virtualization mode shown in Fig. 1.1 (for example Xen), the VMM runs directly on the physical machine, operates the physical hardware, and provides services upward to the virtual machines. In the typical hosted mode shown in Fig. 1.2 (for example KVM), the VMM runs on a host operating system, virtualization is realized with the help of the host, and the host directly controls the underlying hardware resources.
Referring to Fig. 2, which is a flow diagram of a data access method disclosed in an embodiment of the present invention, the data access method is described from the VMM side and specifically includes the following steps:
S201. The VMM captures a page table interrupt event. The page table interrupt event is generated by the CPU after it detects an access request sent by a target kernel module for kernel data in the kernel space K-SPACE and determines that the isolation space page table MPGT contains no access permission mapping of the target kernel module to that kernel data in the K-SPACE. The virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolation space M-SPACE; the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the operation of the target kernel module.
In this embodiment, the MPGT already holds an access permission mapping of the target kernel module to the kernel data in the M-SPACE, so the target kernel module is permitted to access the kernel data in the M-SPACE.
S202. The VMM determines, through a prestored page table interrupt handling function, whether the target kernel module is permitted to access the kernel data in the K-SPACE.
In this embodiment, the specific way in which the VMM determines through the prestored page table interrupt handling function whether the target kernel module is permitted to access the kernel data in the K-SPACE is as follows:
First, the VMM obtains, through the prestored page table interrupt handling function, the preset permission judging policy corresponding to the page table interrupt event, and obtains the virtual address distribution information of the kernel data in the K-SPACE. Second, the VMM determines the event type of the page table interrupt event. Finally, the VMM determines, according to the preset permission judging policy, the virtual address distribution information and the event type, whether the target kernel module is permitted to access the kernel data in the K-SPACE.
S203. When the VMM determines through the prestored page table interrupt handling function that the target kernel module is permitted to access the kernel data in the K-SPACE, the VMM creates in the MPGT an access permission mapping of the target kernel module to that kernel data in the K-SPACE, so that the target kernel module is permitted to access the kernel data in the K-SPACE.
It can be seen that in this embodiment the VMM first captures a page table interrupt event; second, the VMM determines through the prestored page table interrupt handling function whether the target kernel module is permitted to access the kernel data in the K-SPACE; and finally, when the VMM determines through that function that the target kernel module is permitted to access the kernel data in the K-SPACE, the VMM creates in the MPGT an access permission mapping of the target kernel module to that kernel data, so that the target kernel module is permitted to access the kernel data in the K-SPACE. Because the page table interrupt event is generated by the CPU after it detects the access request sent by the target kernel module for kernel data in the K-SPACE and finds that the MPGT contains no access permission mapping of the target kernel module to that data, the target kernel module has no permission to access kernel data in the K-SPACE directly. This prevents the target kernel module from accessing kernel data in the K-SPACE at will while its safety is unknown, and so helps improve the security of system kernel data access.
At the same time, because the VMM has a higher operating privilege than the virtual machine operating system, in a virtualized environment the VMM, which executes at the higher privilege level, is isolated from the virtual machines and cannot be attacked by a virtual machine directly.
Furthermore, because the VMM is independent of the guest platform, it can isolate kernel modules of multiple guest operating systems of different types at the same time.
Optionally, in this embodiment, before the VMM captures the page table interrupt event, the following operations may also be performed to create a kernel space separation mechanism for the target kernel module:
The VMM maps the virtual address distribution information of the target kernel module to physical address distribution information according to the prestored space page table of the virtual machine kernel space, where the target kernel module is the kernel module that needs to be isolated, chosen from the N kernel modules inserted into the virtual machine kernel space, N being a positive integer;
The VMM separates the virtual machine kernel space into the M-SPACE and the K-SPACE on the basis of the physical address distribution information;
The VMM marks the space page table of the virtual machine kernel space as the kernel space page table KPGT and creates the MPGT on the basis of the physical address distribution information, where the KPGT is used to support the operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE include the basic kernel modules of the virtual machine kernel space and the kernel modules among the N kernel modules other than the target kernel module.
Referring to Fig. 3, which is a flow diagram of a data access method disclosed in an embodiment of the present invention, the data access method is described from the VMM side and specifically includes the following steps:
S301. The virtual machine monitor VMM captures a page table interrupt event. The page table interrupt event is generated by the central processing unit CPU after it detects an access request sent by a target kernel module for kernel data in the kernel space K-SPACE and determines that the isolation space page table MPGT contains no access permission mapping of the target kernel module to that kernel data in the K-SPACE. The virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolation space M-SPACE; the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the operation of the target kernel module.
In this embodiment, the MPGT already holds an access permission mapping of the target kernel module to the kernel data in the M-SPACE, so the target kernel module is permitted to access the kernel data in the M-SPACE.
S302. The VMM obtains, through the prestored page table interrupt handling function, the preset permission judging policy corresponding to the page table interrupt event, and obtains the virtual address distribution information of the kernel data in the K-SPACE.
S303. The VMM determines the event type of the page table interrupt event.
S304. The VMM determines, according to the preset permission judging policy, the virtual address distribution information and the event type, whether the target kernel module is permitted to access the kernel data in the K-SPACE.
S305. When the VMM determines through the prestored page table interrupt handling function that the target kernel module is permitted to access the kernel data in the K-SPACE, the VMM creates in the MPGT an access permission mapping of the target kernel module to that kernel data in the K-SPACE, so that the target kernel module is permitted to access the kernel data in the K-SPACE.
The effects of this embodiment are the same as those described for the embodiment of Fig. 2: because the page table interrupt event is generated only when the MPGT contains no access permission mapping of the target kernel module to the kernel data in the K-SPACE, the target kernel module cannot access that kernel data directly, which prevents it from accessing kernel data in the K-SPACE at will while its safety is unknown and improves the security of system kernel data access. At the same time, the VMM, which has a higher operating privilege than the virtual machine operating system, is isolated from the virtual machines and cannot be attacked by a virtual machine directly, and because the VMM is independent of the guest platform it can isolate kernel modules of multiple guest operating systems of different types at the same time.
Optionally, in this embodiment, before the VMM captures the page table interrupt event, the following operations may also be performed to create a kernel space separation mechanism for the target kernel module:
The VMM maps the virtual address distribution information of the target kernel module to physical address distribution information according to the prestored space page table of the virtual machine kernel space, where the target kernel module is the kernel module that needs to be isolated, chosen from the N kernel modules inserted into the virtual machine kernel space, N being a positive integer;
The VMM separates the virtual machine kernel space into the M-SPACE and the K-SPACE on the basis of the physical address distribution information;
The VMM marks the space page table of the virtual machine kernel space as the kernel space page table KPGT and creates the MPGT on the basis of the physical address distribution information, where the KPGT is used to support the operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE include the basic kernel modules of the virtual machine kernel space and the kernel modules among the N kernel modules other than the target kernel module.
Referring to Fig. 4, which is a flow diagram of a data access method disclosed in an embodiment of the present invention, the data access method is described from the VMM side and specifically includes the following steps:
S401. The VMM maps the virtual address distribution information of the target kernel module to physical address distribution information according to the prestored space page table of the virtual machine kernel space, where the target kernel module is the kernel module that needs to be isolated, chosen from the N kernel modules inserted into the virtual machine kernel space, N being a positive integer.
S402. The VMM separates the virtual machine kernel space into the M-SPACE and the K-SPACE on the basis of the physical address distribution information.
S403. The VMM marks the space page table of the virtual machine kernel space as the kernel space page table KPGT and creates the MPGT on the basis of the physical address distribution information, where the KPGT is used to support the operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE include the basic kernel modules of the virtual machine kernel space and the kernel modules among the N kernel modules other than the target kernel module.
In this embodiment, the MPGT holds an access permission mapping of the target kernel module to the kernel data in the M-SPACE, so the target kernel module is permitted to access the kernel data in the M-SPACE.
S404. The VMM captures a page table interrupt event. The page table interrupt event is generated by the CPU after it detects an access request sent by the target kernel module for kernel data in the kernel space K-SPACE and determines that the isolation space page table MPGT contains no access permission mapping of the target kernel module to that kernel data in the K-SPACE. The virtual machine kernel space corresponding to the VMM includes the K-SPACE and the isolation space M-SPACE; the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the operation of the target kernel module.
S405. The VMM obtains, through the prestored page table interrupt handling function, the preset permission judging policy corresponding to the page table interrupt event, and obtains the virtual address distribution information of the kernel data in the K-SPACE.
S406. The VMM determines the event type of the page table interrupt event.
S407. The VMM determines, according to the preset permission judging policy, the virtual address distribution information and the event type, whether the target kernel module is permitted to access the kernel data in the K-SPACE.
In this embodiment, the permission judging policy may be preset by the user and stored in memory, and the event type corresponding to the page table interrupt event includes a data read type and a data write type.
As an example, assume that the permission judging policy corresponding to the data read type, for reads by the target kernel module of kernel data in the K-SPACE, contains the following sub-policy: if the kernel data that the target kernel module requests to read from the memory management unit of the CPU is the interrupt vector table in the K-SPACE, the memory management unit refuses this data read request of the target kernel module.
S408. When the VMM determines through the prestored page table interrupt handling function that the target kernel module is permitted to access the kernel data in the K-SPACE, the VMM creates in the MPGT an access permission mapping of the target kernel module to that kernel data in the K-SPACE, so that the target kernel module is permitted to access the kernel data in the K-SPACE.
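The steps S404 to S408 above, and the same page-table-interrupt path in the embodiments of Fig. 2 and Fig. 3, can be illustrated with a small simulation. The following C program is an added example and is not code from the patent or from the applicant; it models the MPGT as a list of per-page access permission mappings, the preset permission judging policy as a table over the virtual address distribution of the K-SPACE kernel data (the region names, addresses and rights are constructed, including the sub-policy that refuses reads of the interrupt vector table), and the CPU's check as a lookup that raises a page table interrupt only when the needed mapping is absent. The handler grants a mapping on a permitted access, so the retried access no longer traps, and refuses everything the policy does not list.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the page table interrupt path (S404-S408); this is
 * not the patent's code. Addresses are illustrative guest virtual
 * addresses; one MPGT entry covers one 4 KiB page. */
#define PAGE_SHIFT 12
#define MAX_MAPPINGS 16

/* Event types of the page table interrupt: data read and data write. */
enum access_type { ACCESS_READ = 1, ACCESS_WRITE = 2 };

/* One access permission mapping in the isolation space page table MPGT. */
struct mpgt_entry { uint64_t vpn; int rights; };
struct mpgt { struct mpgt_entry e[MAX_MAPPINGS]; int n; };

/* Virtual address distribution of the kernel data in K-SPACE together with
 * the preset permission judging policy (assumed layout and rules). */
struct region { const char *name; uint64_t start, end; int allowed; };
static const struct region k_space_policy[] = {
    /* the interrupt vector table is never readable by the target module */
    { "ivt",        0xffff800000010000ULL, 0xffff800000011000ULL, 0 },
    /* statistics the module may read but not modify */
    { "net_stats",  0xffff800000020000ULL, 0xffff800000022000ULL, ACCESS_READ },
    /* the module's own configuration block: read and write */
    { "mod_config", 0xffff800000030000ULL, 0xffff800000031000ULL, ACCESS_READ | ACCESS_WRITE },
};
#define NREGIONS (sizeof k_space_policy / sizeof k_space_policy[0])

/* Rights the MPGT currently grants on the page containing vaddr (0 = none). */
static int mpgt_lookup(const struct mpgt *t, uint64_t vaddr)
{
    uint64_t vpn = vaddr >> PAGE_SHIFT;
    for (int i = 0; i < t->n; i++)
        if (t->e[i].vpn == vpn)
            return t->e[i].rights;
    return 0;
}

/* Preset policy: default deny; a region's mask lists the permitted event types. */
static bool policy_permits(uint64_t vaddr, int type, const char **region)
{
    for (size_t i = 0; i < NREGIONS; i++) {
        const struct region *r = &k_space_policy[i];
        if (vaddr >= r->start && vaddr < r->end) {
            *region = r->name;
            return (r->allowed & type) != 0;
        }
    }
    *region = "unknown";          /* not kernel data the policy describes */
    return false;
}

/* Prestored page table interrupt handling function: judge the access and,
 * if permitted, create the mapping in the MPGT so the retried access no
 * longer traps. Returns true when the access is permitted. */
static bool handle_page_table_interrupt(struct mpgt *t, uint64_t vaddr, int type)
{
    const char *region;
    const char *op = (type == ACCESS_WRITE) ? "write" : "read";
    if (!policy_permits(vaddr, type, &region)) {
        printf("deny  %-5s %#llx (%s)\n", op, (unsigned long long)vaddr, region);
        return false;
    }
    uint64_t vpn = vaddr >> PAGE_SHIFT;
    for (int i = 0; i < t->n; i++)
        if (t->e[i].vpn == vpn) {     /* page already mapped: widen its rights */
            t->e[i].rights |= type;
            goto granted;
        }
    if (t->n == MAX_MAPPINGS)         /* table full: refuse rather than overflow */
        return false;
    t->e[t->n++] = (struct mpgt_entry){ vpn, type };
granted:
    printf("grant %-5s %#llx (%s)\n", op, (unsigned long long)vaddr, region);
    return true;
}

/* What the CPU does for an access by the target module: if the MPGT holds
 * a mapping with the needed right the access proceeds silently; otherwise a
 * page table interrupt is generated and the VMM handler decides. */
static bool module_access(struct mpgt *t, uint64_t vaddr, int type, int *interrupts)
{
    if (mpgt_lookup(t, vaddr) & type)
        return true;
    (*interrupts)++;
    return handle_page_table_interrupt(t, vaddr, type);
}

int main(void)
{
    struct mpgt t = { .n = 0 };
    int interrupts = 0;
    module_access(&t, 0xffff800000010040ULL, ACCESS_READ, &interrupts);   /* IVT: refused */
    module_access(&t, 0xffff800000020100ULL, ACCESS_READ, &interrupts);   /* granted and mapped */
    module_access(&t, 0xffff800000020100ULL, ACCESS_READ, &interrupts);   /* no interrupt this time */
    module_access(&t, 0xffff800000020100ULL, ACCESS_WRITE, &interrupts);  /* write: refused */
    printf("page table interrupts: %d\n", interrupts);
    return 0;
}
```

The point the simulation makes visible is the one the patent relies on: a mapping is created only after the handler has judged the access, and each distinct event type (read or write) on a page is judged separately, so a read grant never silently carries a write right with it.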
The effects of this embodiment are the same as those described for the embodiment of Fig. 2: because the page table interrupt event is generated only when the MPGT contains no access permission mapping of the target kernel module to the kernel data in the K-SPACE, the target kernel module cannot access that kernel data directly, which prevents it from accessing kernel data in the K-SPACE at will while its safety is unknown and improves the security of system kernel data access. At the same time, the VMM, which has a higher operating privilege than the virtual machine operating system, is isolated from the virtual machines and cannot be attacked by a virtual machine directly, and because the VMM is independent of the guest platform it can isolate kernel modules of multiple guest operating systems of different types at the same time.
Further optionally, in this embodiment, before the VMM maps the virtual address distribution information of the target kernel module to physical address distribution information according to the prestored space page table of the virtual machine kernel space, the VMM may also perform the following operation:
The VMM obtains the virtual address distribution information of the target kernel module in the virtual machine kernel space, as sent by a client agent module located in the virtual machine kernel space.
The client agent module is placed in the K-SPACE. It is used to obtain the virtual address distribution information of the target kernel module in the virtual machine kernel space and to send that information to the VMM, so that the VMM can establish the isolated address space of the target kernel module on the basis of it. The client agent module can obtain the virtual address distribution information in the following two ways:
When it detects that the target kernel module has not yet started running in the virtual machine, the client agent module intercepts the system calls related to the insertion of the target kernel module, and when it detects such a call it obtains the virtual address distribution information {virt1, virt2} of the target kernel module after the module has been loaded into the virtual machine kernel space. For example, in a Windows virtual machine the memory image insertion event can be obtained by registering a callback function, and the image name is used to decide whether the module being loaded into the virtual machine kernel space is the target kernel module.
When it detects that the target kernel module has already started running in the virtual machine, the client agent module needs to traverse the kernel module linked list in the virtual machine kernel space to obtain the virtual address distribution information {virt1, virt2} of the target kernel module in the virtual machine kernel space.
It can be seen that in this embodiment the client agent module is located in the K-SPACE and runs in a different kernel space from the target kernel module in the M-SPACE, so it is not exposed to attack from the target kernel module, which further improves the security of the system kernel.
Further optionally, in this embodiment, after the VMM creates the isolation space page table MPGT on the basis of the physical address distribution information, the VMM may also perform the following operation:
The VMM deletes, from the KPGT, the access permission mappings of the kernel modules in the K-SPACE to the kernel data in the M-SPACE, so that the kernel modules in the K-SPACE cannot directly access the kernel data in the M-SPACE, which further improves the security of system kernel data access.
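The separation steps S401 to S403 (also listed as the optional operations in the embodiments of Fig. 2 and Fig. 3) and the optional deletion step just described can be traced through in code. The following C program is an added example and is not code from the patent or from the applicant. It stands in a single-level page table for the guest's space page table, takes the module's {virt1, virt2} as the client agent would report it (constructed values), walks the table to obtain the physical frames, splits the pages into M-SPACE and K-SPACE, builds the MPGT by keeping only the M-SPACE mappings, and then removes those same mappings from the KPGT; the guest layout, page numbers and frame numbers are all assumptions.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of the kernel space separation (S401-S403) and the
 * optional revocation step that follows; not the patent's code. A single
 * level page table keyed by virtual page number stands in for the guest's
 * space page table. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define MAX_PTES   32
#define MAX_FRAMES 16

#define PTE_P 1   /* present */
#define PTE_W 2   /* writable */
#define PTE_X 4   /* executable */

enum space { K_SPACE = 0, M_SPACE = 1 };

struct pte { uint64_t vpn, pfn; int flags; enum space space; };
struct pgt { struct pte e[MAX_PTES]; int n; };

static struct pte *pgt_find(struct pgt *t, uint64_t vpn)
{
    for (int i = 0; i < t->n; i++)
        if (t->e[i].vpn == vpn && (t->e[i].flags & PTE_P))
            return &t->e[i];
    return NULL;
}

static bool pgt_map(struct pgt *t, uint64_t vpn, uint64_t pfn, int flags)
{
    if (t->n == MAX_PTES) return false;
    t->e[t->n++] = (struct pte){ vpn, pfn, flags | PTE_P, K_SPACE };
    return true;
}

/* S401: walk the space page table to turn the module's virtual address
 * distribution {virt1, virt2} into its physical frame list. Returns the
 * frame count, or -1 if any page in the range is unmapped. */
static int map_virtual_to_physical(struct pgt *pgt, uint64_t virt1, uint64_t virt2,
                                   uint64_t *pfns, int max)
{
    int n = 0;
    for (uint64_t va = virt1 & ~(PAGE_SIZE - 1); va < virt2; va += PAGE_SIZE) {
        struct pte *p = pgt_find(pgt, va >> PAGE_SHIFT);
        if (p == NULL || n == max)
            return -1;
        pfns[n++] = p->pfn;
    }
    return n;
}

/* S402: pages backed by the module's frames form M-SPACE; all others stay in K-SPACE. */
static void separate_spaces(struct pgt *pgt, const uint64_t *pfns, int n)
{
    for (int i = 0; i < pgt->n; i++) {
        pgt->e[i].space = K_SPACE;
        for (int j = 0; j < n; j++)
            if (pgt->e[i].pfn == pfns[j])
                pgt->e[i].space = M_SPACE;
    }
}

/* S403: the space page table is now the KPGT; build the MPGT from it by
 * keeping only the M-SPACE mappings. K-SPACE pages are deliberately absent
 * from the MPGT, which is what makes the module's first access to them raise
 * the page table interrupt the VMM handles. */
static void create_mpgt(const struct pgt *kpgt, struct pgt *mpgt)
{
    mpgt->n = 0;
    for (int i = 0; i < kpgt->n; i++)
        if (kpgt->e[i].space == M_SPACE)
            mpgt->e[mpgt->n++] = kpgt->e[i];
}

/* Optional follow-up: delete the M-SPACE mappings from the KPGT so that
 * modules running in K-SPACE cannot reach the isolated module's pages. */
static void revoke_mspace_from_kpgt(struct pgt *kpgt)
{
    int kept = 0;
    for (int i = 0; i < kpgt->n; i++)
        if (kpgt->e[i].space == K_SPACE)
            kpgt->e[kept++] = kpgt->e[i];
    kpgt->n = kept;
}

/* The whole procedure; returns the number of pages placed in M-SPACE, or -1. */
static int isolate_module(struct pgt *kpgt, struct pgt *mpgt, uint64_t virt1, uint64_t virt2)
{
    uint64_t pfns[MAX_FRAMES];
    int n = map_virtual_to_physical(kpgt, virt1, virt2, pfns, MAX_FRAMES);
    if (n < 0) return -1;                 /* nothing is changed on a bad range */
    separate_spaces(kpgt, pfns, n);
    create_mpgt(kpgt, mpgt);
    revoke_mspace_from_kpgt(kpgt);
    return n;
}

/* Constructed guest layout: base kernel, kernel data, another module and the
 * target module. Virtual page numbers and frames are illustrative. */
static void build_sample_kpgt(struct pgt *t)
{
    t->n = 0;
    for (uint64_t i = 0; i < 4; i++)
        pgt_map(t, 0x100 + i, 0x1000 + i, PTE_X);   /* base kernel code */
    pgt_map(t, 0x200, 0x2000, PTE_W);               /* interrupt vector table */
    pgt_map(t, 0x201, 0x2001, PTE_W);               /* other kernel data */
    pgt_map(t, 0x300, 0x3000, PTE_X | PTE_W);       /* another loaded module */
    pgt_map(t, 0x400, 0x4000, PTE_X | PTE_W);       /* target module, page 1 */
    pgt_map(t, 0x401, 0x4001, PTE_X | PTE_W);       /* target module, page 2 */
}

int main(void)
{
    struct pgt kpgt, mpgt;
    build_sample_kpgt(&kpgt);
    /* {virt1, virt2} of the target module as the client agent reported it */
    int n = isolate_module(&kpgt, &mpgt, 0x400000ULL, 0x402000ULL);
    printf("M-SPACE pages: %d, MPGT entries: %d, KPGT entries: %d\n", n, mpgt.n, kpgt.n);
    return 0;
}
```

After the run the two tables are complementary: the MPGT maps only the module's own pages and the KPGT no longer maps them, so an access in either direction across the boundary is a page table interrupt for the VMM rather than a plain memory access.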
Referring to Fig. 5, which is a flow diagram of a code call method disclosed in an embodiment of the present invention, the code call method is described from the VMM side and specifically includes the following steps:
S501. The virtual machine monitor VMM captures a page table interrupt event. The page table interrupt event is generated by the central processing unit CPU after it detects a call request by the target kernel module for kernel code in the kernel space K-SPACE and determines that the isolation space page table MPGT contains no call permission mapping of the target kernel module to that kernel code in the K-SPACE. The virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolation space M-SPACE; the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the operation of the target kernel module.
In this embodiment, the MPGT already holds a call permission mapping of the target kernel module to the kernel code in the M-SPACE, so the target kernel module is permitted to call the kernel code in the M-SPACE.
S502. The VMM determines, through the prestored page table interrupt handling function, whether the target kernel module is permitted to call the kernel code in the K-SPACE.
In this embodiment, the specific way in which the VMM determines through the prestored page table interrupt handling function whether the target kernel module is permitted to call the kernel code in the K-SPACE is as follows:
The VMM obtains, through the prestored page table interrupt handling function, the preset permission judging policy corresponding to the page table interrupt event, and obtains the virtual address distribution information of the kernel code in the K-SPACE;
The VMM determines, according to the obtained preset permission judging policy and virtual address distribution information, whether the target kernel module is permitted to call the kernel code in the K-SPACE.
S503. When the VMM determines through the prestored page table interrupt handling function that the target kernel module is permitted to call the kernel code in the K-SPACE, the VMM, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, performs a page table switch operation and a stack switch operation so as to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE on the basis of the K-STACK after the switch.
In this embodiment, the specific way in which the VMM performs the page table switch operation is as follows:
The VMM switches the page table currently loaded by the VMM from the MPGT to the kernel space page table KPGT, where the KPGT is used to support the operation of the kernel modules in the K-SPACE, and the K-SPACE includes the basic kernel modules of the virtual machine kernel space, the kernel modules among the N kernel modules inserted into the virtual machine kernel space other than the target kernel module, and the KPGT, N being a positive integer greater than 1.
The specific way in which the VMM performs the stack switch operation is as follows:
The VMM copies the code parameters stored in the M-STACK that are to be passed to the kernel code in the K-SPACE, together with the return address RIP used for calling the kernel code in the K-SPACE;
The VMM writes the code parameters and the RIP into the K-STACK;
The VMM moves the stack currently used by the virtual machine kernel space from the esp-old position to the esp-new position, where the esp-old position is the storage location of the RIP in the M-STACK and the esp-new position is the storage location of the RIP in the K-STACK.
It can be seen that in this embodiment the VMM first captures a page table interrupt event; second, when the VMM determines through the prestored page table interrupt handling function that the target kernel module is permitted to call the kernel code in the K-SPACE, the VMM, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, performs a page table switch operation and a stack switch operation so as to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE on the basis of the K-STACK after the switch. Because the page table interrupt event is generated by the CPU after it detects the call request of the target kernel module for kernel code in the K-SPACE and finds that the MPGT contains no call permission mapping of the target kernel module to that code, the target kernel module has no permission to call kernel code in the K-SPACE directly. This prevents the target kernel module from calling kernel code in the K-SPACE at will while its safety is unknown, and so helps improve the security of system kernel code calls.
At the same time, because the VMM has a higher operating privilege than the virtual machine operating system, in a virtualized environment the VMM, which executes at the higher privilege level, is isolated from the virtual machines and cannot be attacked by a virtual machine directly.
Furthermore, because the VMM is independent of the guest platform, it can isolate kernel modules of multiple guest operating systems of different types at the same time.
Optionally, in this embodiment, before the VMM captures the page table interrupt event, the following operations may also be performed to create the isolation mechanism for the target kernel module:
The VMM maps the virtual address distribution information of the target kernel module to physical address distribution information according to the prestored space page table of the virtual machine kernel space, where the target kernel module is the kernel module that needs to be isolated, chosen from the N kernel modules inserted into the virtual machine kernel space, N being a positive integer greater than 1;
The VMM separates the virtual machine kernel space into the M-SPACE and the K-SPACE on the basis of the physical address distribution information;
The VMM marks the space page table of the virtual machine kernel space as the kernel space page table KPGT and creates the MPGT on the basis of the physical address distribution information.
Referring to Fig. 6, which is a flow diagram of a code call method disclosed in an embodiment of the present invention, the code call method is described from the VMM side and specifically includes the following steps:
S601. The virtual machine monitor VMM captures a page table interrupt event. The page table interrupt event is generated by the central processing unit CPU after it detects a call request by the target kernel module for kernel code in the kernel space K-SPACE and determines that the isolation space page table MPGT contains no call permission mapping of the target kernel module to that kernel code in the K-SPACE. The virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolation space M-SPACE; the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the operation of the target kernel module.
In this embodiment, the MPGT already holds a call permission mapping of the target kernel module to the kernel code in the M-SPACE, so the target kernel module is permitted to call the kernel code in the M-SPACE.
S602. The VMM obtains, through the prestored page table interrupt handling function, the preset permission judging policy corresponding to the page table interrupt event, and obtains the virtual address distribution information of the kernel code in the K-SPACE.
S603. The VMM determines, according to the obtained preset permission judging policy and virtual address distribution information, whether the target kernel module is permitted to call the kernel code in the K-SPACE.
S604. When the VMM determines through the prestored page table interrupt handling function that the target kernel module is permitted to call the kernel code in the K-SPACE, the VMM, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, performs a page table switch operation and a stack switch operation so as to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE on the basis of the K-STACK after the switch.
In this embodiment, the specific way in which the VMM performs the page table switch operation is as follows:
The VMM switches the page table currently loaded by the VMM from the MPGT to the kernel space page table KPGT, where the KPGT is used to support the operation of the kernel modules in the K-SPACE, and the K-SPACE includes the basic kernel modules of the virtual machine kernel space, the kernel modules among the N kernel modules inserted into the virtual machine kernel space other than the target kernel module, and the KPGT, N being a positive integer greater than 1.
The specific way in which the VMM performs the stack switch operation is as follows:
The VMM copies the code parameters stored in the M-STACK that are to be passed to the kernel code in the K-SPACE, together with the return address RIP used for calling the kernel code in the K-SPACE;
The VMM writes the code parameters and the RIP into the K-STACK;
The VMM moves the stack currently used by the virtual machine kernel space from the esp-old position to the esp-new position, where the esp-old position is the storage location of the RIP in the M-STACK and the esp-new position is the storage location of the RIP in the K-STACK.
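The page table switch and stack switch described here, and identically in step S503 of the embodiment of Fig. 5, can be shown as a small simulation. The following C program is an added example and is not code from the patent or from the applicant. It models a virtual CPU with a currently loaded page table and two downward-growing stacks, the M-STACK and the K-STACK, indexed by esp; the module pushes its code parameters and the return address RIP onto the M-STACK as a call would, and when the call is permitted by a constructed allow list over the K-SPACE kernel code (the entry-point names and addresses are assumptions) the VMM copies the parameters and the RIP to the K-STACK in the same layout, moves esp from esp-old to esp-new, and loads the KPGT in place of the MPGT. A refused call leaves the vCPU untouched.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model of the page table switch and stack switch performed for
 * a permitted code call (S602-S604); not the patent's code. Stacks are word
 * arrays that grow downward; esp is the index of the slot holding the top word. */
#define STACK_WORDS 64

enum pgt_id { PGT_MPGT, PGT_KPGT };

struct stack { uint64_t w[STACK_WORDS]; int esp; };

struct vcpu {
    enum pgt_id current_pgt;   /* page table currently loaded */
    struct stack m_stack;      /* isolation space stack M-STACK */
    struct stack k_stack;      /* kernel space stack K-STACK */
    struct stack *cur_stack;   /* stack currently used by the virtual machine kernel space */
};

static void stack_init(struct stack *s)
{
    memset(s->w, 0, sizeof s->w);
    s->esp = STACK_WORDS;      /* empty */
}

static bool stack_push(struct stack *s, uint64_t v)
{
    if (s->esp == 0) return false;
    s->w[--s->esp] = v;
    return true;
}

static void vcpu_init(struct vcpu *v)
{
    stack_init(&v->m_stack);
    stack_init(&v->k_stack);
    v->current_pgt = PGT_MPGT;        /* the target module runs on the MPGT and M-STACK */
    v->cur_stack = &v->m_stack;
}

/* Preset policy over the virtual address distribution of the kernel code in
 * K-SPACE: which entry points the isolated module may call (assumed values). */
struct code_perm { uint64_t addr; const char *name; bool allowed; };
static const struct code_perm k_code_policy[] = {
    { 0xffffffff81001000ULL, "alloc_buffer",  true  },
    { 0xffffffff81002000ULL, "log_message",   true  },
    { 0xffffffff81003000ULL, "privileged_op", false },  /* not on the module's allow list */
};
#define NCODE (sizeof k_code_policy / sizeof k_code_policy[0])

static bool call_permitted(uint64_t target)
{
    for (size_t i = 0; i < NCODE; i++)
        if (k_code_policy[i].addr == target)
            return k_code_policy[i].allowed;
    return false;      /* default deny for code the policy does not list */
}

/* The module has pushed nargs code parameters (last parameter first) and
 * then the return address RIP onto the M-STACK, as a call instruction would.
 * When the call is permitted the VMM copies parameters and RIP onto the
 * K-STACK in the same layout, moves esp from esp-old (the RIP's slot in the
 * M-STACK) to esp-new (the RIP's slot in the K-STACK) and loads the KPGT in
 * place of the MPGT. When the call is refused nothing is changed. */
static bool vmm_handle_code_call(struct vcpu *v, uint64_t target, int nargs)
{
    if (v->current_pgt != PGT_MPGT || v->cur_stack != &v->m_stack)
        return false;                               /* only calls out of M-SPACE are handled */
    if (!call_permitted(target))
        return false;
    int esp_old = v->m_stack.esp;
    if (nargs < 0 || esp_old + 1 + nargs > STACK_WORDS)
        return false;                               /* M-STACK does not hold the claimed frame */
    if (v->k_stack.esp < nargs + 1)
        return false;                               /* no room on the K-STACK */
    for (int i = nargs; i >= 1; i--)                /* parameters, keeping their order */
        stack_push(&v->k_stack, v->m_stack.w[esp_old + i]);
    stack_push(&v->k_stack, v->m_stack.w[esp_old]); /* the RIP; k_stack.esp is now esp-new */
    v->cur_stack = &v->k_stack;                     /* stack switch: esp-old -> esp-new */
    v->current_pgt = PGT_KPGT;                      /* page table switch: MPGT -> KPGT */
    return true;
}

/* The current stack as the called kernel code sees it: the RIP at esp and
 * the i-th parameter i slots above it. */
static uint64_t stack_return_address(const struct vcpu *v)
{
    return v->cur_stack->w[v->cur_stack->esp];
}

static uint64_t stack_parameter(const struct vcpu *v, int i)
{
    return v->cur_stack->w[v->cur_stack->esp + i];
}

int main(void)
{
    struct vcpu v;
    vcpu_init(&v);
    stack_push(&v.m_stack, 0x40);                   /* parameter 2: size */
    stack_push(&v.m_stack, 0x11);                   /* parameter 1: flags */
    stack_push(&v.m_stack, 0xffffc00000001234ULL);  /* return address inside the module */
    bool ok = vmm_handle_code_call(&v, 0xffffffff81001000ULL, 2);
    printf("call %s: pgt=%s rip=%#llx p1=%#llx p2=%#llx\n", ok ? "permitted" : "refused",
           v.current_pgt == PGT_KPGT ? "KPGT" : "MPGT",
           (unsigned long long)stack_return_address(&v),
           (unsigned long long)stack_parameter(&v, 1),
           (unsigned long long)stack_parameter(&v, 2));
    return 0;
}
```

Two details matter for a practitioner reading the patent. The parameters and the RIP are copied rather than shared, so the kernel code never reads its arguments through a stack that the isolated module can still write to; and the switch is refused, leaving the page table and stack as they were, whenever the policy does not list the target or the M-STACK does not actually hold the frame the module claims.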
The effects of this embodiment are the same as those described for the embodiment of Fig. 5: because the page table interrupt event is generated only when the MPGT contains no call permission mapping of the target kernel module to the kernel code in the K-SPACE, the target kernel module cannot call that kernel code directly, and the VMM performs the page table switch and the stack switch from the M-STACK to the K-STACK only after it has determined that the call is permitted. This prevents the target kernel module from calling kernel code in the K-SPACE at will while its safety is unknown, and so helps improve the security of system kernel code calls.
At the same time, since the VMM has higher operating privileges than the virtual machine operating system, in a virtualized environment the VMM, which runs at a higher privilege level, is isolated from the virtual machines and cannot be attacked directly by a virtual machine.
Further, since the VMM is independent of the guest platform, it can isolate kernel modules of multiple guest operating systems of different types at the same time.
Optionally, in the embodiment of the present invention, before the VMM captures the page table interrupt event, the following operations may also be performed to create the isolation mechanism for the target kernel module:
The VMM maps the virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module that needs to be isolated, chosen from the N kernel modules inserted into the virtual machine kernel space, N being a positive integer greater than 1;
The VMM separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
The VMM marks the space page table of the virtual machine kernel space as the kernel space page table KPGT and creates the MPGT based on the physical address distribution information.
Referring to Fig. 7, Fig. 7 is a flow diagram of a code call method disclosed by an embodiment of the present invention. As shown in Fig. 7, the code call method is described from the side of the VMM and specifically includes the following steps:
S701, the VMM maps the virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module that needs to be isolated, chosen from the N kernel modules inserted into the virtual machine kernel space, N being a positive integer greater than 1;
S702, the VMM separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
S703, the VMM marks the space page table of the virtual machine kernel space as the kernel space page table KPGT and creates the MPGT based on the physical address distribution information;
In the embodiment of the present invention, a calling permission mapping of the target kernel module to the kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to call the kernel code in the M-SPACE.
S704, the virtual machine monitor VMM captures a page table interrupt event, where the page table interrupt event is generated by the central processing unit CPU after it detects a call request of the target kernel module for the kernel code in the kernel space K-SPACE and determines that no calling permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolation space page table MPGT; the virtual machine kernel space corresponding to the VMM includes the K-SPACE and the isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the operation of the target kernel module;
S705, the VMM determines, through the pre-stored page table interrupt handling function, whether the target kernel module has permission to call the kernel code in the K-SPACE;
S706, when the VMM determines through the pre-stored page table interrupt handling function that the target kernel module has permission to call the kernel code in the K-SPACE, the VMM performs a page table handover operation and a stack handover operation according to the calling permission mapping of the target kernel module to the kernel code in the K-SPACE, so as to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the switched K-STACK.
In the embodiment of the present invention, the specific implementation of the page table handover operation performed by the VMM is as follows:
The VMM switches the page table currently loaded by the VMM from the MPGT to the kernel space page table KPGT, where the KPGT is used to support the operation of the kernel modules in the K-SPACE, and the K-SPACE includes the basic kernel modules of the virtual machine kernel space, the kernel modules other than the target kernel module among the N kernel modules inserted into the virtual machine kernel space, and the KPGT, N being a positive integer greater than 1.
The specific implementation of the stack handover operation performed by the VMM is as follows:
The VMM copies, from the M-STACK, the code parameters stored there for passing to the kernel code in the K-SPACE and the return address RIP used for calling the kernel code in the K-SPACE;
The VMM writes the code parameters and the RIP into the K-STACK;
The VMM moves the currently used stack of the virtual machine kernel space from the position esp-old to the position esp-new, where the position esp-old is the storage location of the RIP in the M-STACK and the position esp-new is the storage location of the RIP in the K-STACK.
It can be seen that in the embodiment of the present invention the VMM first captures the page table interrupt event; then, when the VMM determines through the pre-stored page table interrupt handling function that the target kernel module has permission to call the kernel code in the K-SPACE, the VMM performs the page table handover operation and the stack handover operation according to the calling permission mapping of the target kernel module to the kernel code in the K-SPACE, so as to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the switched K-STACK. The page table interrupt event is generated by the CPU after it detects a call request of the target kernel module for the kernel code in the kernel space K-SPACE and determines that no calling permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolation space page table MPGT. Thus the target kernel module has no permission to call the kernel code in the K-SPACE directly, which prevents the target kernel module from calling the kernel code in the K-SPACE arbitrarily while its safety is unknown and improves the security of system kernel code calls.
At the same time, since the VMM has higher operating privileges than the virtual machine operating system, in a virtualized environment the VMM, which runs at a higher privilege level, is isolated from the virtual machines and cannot be attacked directly by a virtual machine.
Further, since the VMM is independent of the guest platform, it can isolate kernel modules of multiple guest operating systems of different types at the same time.
Further optionally, in the embodiment of the present invention, after the target kernel module in step S706 calls the kernel code in the K-SPACE based on the stack switched to the K-STACK, the code call execution flow needs to return from the K-SPACE to the target kernel module, which specifically includes the following process:
The CPU executes a ret instruction of the kernel module to which the kernel code in the K-SPACE belongs, requesting a return to the target kernel module;
The memory management module in the CPU detects the ret instruction and determines whether a calling permission mapping of the kernel module in the K-SPACE to the kernel code in the target kernel module has been created in the KPGT;
When the memory management module in the CPU determines that no calling permission mapping of the kernel module in the K-SPACE to the kernel code in the target kernel module has been created in the KPGT, it generates a page table interrupt event M3;
The VMM captures the page table interrupt event M3 and, in response to it, determines through the pre-stored page table interrupt handling function whether the kernel module in the K-SPACE has permission to call the kernel code of the target kernel module. If it is determined that the permission exists, the VMM creates in the KPGT the calling permission mapping of the kernel module in the K-SPACE to the kernel code of the target kernel module, switches the currently loaded page table from the KPGT to the MPGT, and performs the stack handover operation to switch the stack loaded by the virtual machine kernel space from the K-STACK back to the M-STACK. At this point the execution flow returns to the M-SPACE and can continue to call the kernel code of the target kernel module.
Further optionally, in the embodiment of the present invention, after the VMM performs the stack handover operation, the following operation may also be performed: the VMM deletes the calling permission mapping, stored in the KPGT, of the kernel module in the K-SPACE to the kernel code in the M-SPACE.
Further optionally, in the embodiment of the present invention, after the VMM deletes the calling permission mapping stored in the KPGT of the kernel module in the K-SPACE to the kernel code in the M-SPACE, when a kernel module in the K-SPACE requests to call the kernel code in the target kernel module, the specific execution process is as follows:
The CPU detects a code call instruction issued by the kernel module in the K-SPACE for the kernel code in the target kernel module and determines whether a calling permission mapping of the kernel module in the K-SPACE to the kernel code of the target kernel module has been created in the KPGT;
When the CPU determines that no calling permission mapping of the kernel module in the K-SPACE to the kernel code of the target kernel module has been created in the KPGT, it generates a page table interrupt event M1;
The VMM captures the page table interrupt event M1 and determines through the pre-stored page table interrupt handling function whether the kernel module in the K-SPACE has permission to call the kernel code of the target kernel module. If it is determined that the permission exists, the VMM switches the page table currently loaded by the VMM from the KPGT to the MPGT according to the calling permission mapping of the kernel module in the K-SPACE to the kernel code of the target kernel module, and performs the stack handover operation to switch the stack loaded by the virtual machine kernel space from the K-STACK to the M-STACK. At this point the code call execution flow of the system is in the M-SPACE and executes the kernel code of the target kernel module.
Further optionally, after the target kernel module in the M-SPACE has finished executing the kernel code called by the kernel module in the K-SPACE, the code call execution flow of the virtual machine needs to return from the target kernel module to the K-SPACE, which specifically includes the following steps:
The CPU detects the return instruction ret issued by the target kernel module and determines whether a calling permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the MPGT;
When the CPU determines that no calling permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the MPGT, it generates a page table interrupt event M2;
The VMM captures the page table interrupt event M2 and determines through the pre-stored page table interrupt handling function whether the target kernel module has permission to call the kernel code in the kernel module in the K-SPACE. If it is determined that the permission exists, the VMM switches the page table currently loaded by the VMM from the MPGT to the KPGT according to the calling permission mapping of the target kernel module to the kernel code in the K-SPACE, and performs the stack handover operation to switch the stack loaded by the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK. At this point the code call execution flow of the virtual machine returns to the K-SPACE.
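The call path of steps S704 to S706 with the page table and stack handover, and the return path of event M2, as a user-space model written for this page (it is not the patent's code). The page tables, stacks, the allow-list that stands in for the pre-stored permission determination policy, and all function names are assumptions of this example.

```c
/* Added example, not the patent's code: a user-space model of how the VMM of
 * this embodiment handles the page table interrupt raised when the target
 * kernel module in M-SPACE calls kernel code in K-SPACE (S704-S706, including
 * the stack handover) and the return path (event M2). Page tables are one
 * permission byte per page, stacks are word arrays; every name, size and the
 * allow-list policy are assumptions made for this example. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NPAGES      16   /* pages in the modelled virtual machine kernel space */
#define STACK_WORDS 8    /* words in each modelled stack */
#define PTE_X       0x1  /* page is mapped as callable code */

enum pgt_id { MPGT = 0, KPGT = 1 };

struct vmm_state {
    uint8_t     pgt[2][NPAGES];       /* MPGT and KPGT, one byte per page */
    enum pgt_id loaded;               /* page table currently loaded */
    uint64_t    m_stack[STACK_WORDS]; /* isolation space stack M-STACK */
    uint64_t    k_stack[STACK_WORDS]; /* kernel space stack K-STACK */
    uint64_t   *esp;                  /* currently used stack pointer */
    uint64_t   *esp_saved;            /* esp-old, restored on return */
    /* preset permission determination policy consulted by the page table
       interrupt handling function: K-SPACE code pages the module may call */
    bool        may_call[NPAGES];
};

/* Split the kernel space: pages [0, ksplit) are K-SPACE, mapped only in
   KPGT; pages [ksplit, NPAGES) are M-SPACE, mapped only in MPGT. */
void vmm_init(struct vmm_state *s, unsigned ksplit)
{
    memset(s, 0, sizeof *s);
    for (unsigned p = 0; p < NPAGES; p++)
        s->pgt[p < ksplit ? KPGT : MPGT][p] = PTE_X;
    s->loaded = MPGT;                     /* the target module is running */
    s->esp = &s->m_stack[STACK_WORDS];    /* empty stack, grows downward */
}

/* CPU side: a control transfer to `page` raises a page table interrupt when
   the loaded page table carries no callable mapping for that page. */
static bool cpu_faults(const struct vmm_state *s, unsigned page)
{
    return page >= NPAGES || !(s->pgt[s->loaded][page] & PTE_X);
}

/* VMM handler for the call direction. Returns 0 when the call may proceed on
   the K-STACK, -1 when the policy refuses it (then nothing is switched). */
int vmm_handle_call_fault(struct vmm_state *s, unsigned page, unsigned nparams)
{
    if (s->loaded != MPGT || page >= NPAGES || nparams + 1 > STACK_WORDS)
        return -1;
    if (!s->may_call[page] || !(s->pgt[KPGT][page] & PTE_X))
        return -1;                        /* no calling permission mapping */
    s->loaded = KPGT;                     /* page table handover: MPGT -> KPGT */
    /* stack handover: copy the code parameters and the return address RIP
       from M-STACK to K-STACK, then move esp from esp-old (the RIP slot on
       M-STACK) to esp-new (the RIP slot on K-STACK) */
    uint64_t *esp_old = s->esp;
    uint64_t *esp_new = &s->k_stack[STACK_WORDS - 1 - nparams];
    memcpy(esp_new, esp_old, (nparams + 1) * sizeof *esp_new);
    s->esp_saved = esp_old;
    s->esp = esp_new;
    return 0;
}

/* VMM handler for the return direction (event M2): the ret of the K-SPACE
   code targets a page that only MPGT maps, so the VMM switches KPGT -> MPGT
   and moves the stack back to the M-STACK. */
int vmm_handle_return_fault(struct vmm_state *s, unsigned page)
{
    if (s->loaded != KPGT || page >= NPAGES || !(s->pgt[MPGT][page] & PTE_X))
        return -1;
    s->loaded = MPGT;
    s->esp = s->esp_saved;
    return 0;
}

/* The target module calls `page` with `nparams` parameters and return address
   `rip`: push them on the M-STACK, then let the CPU decide whether the VMM
   must intervene. Returns 0 if the call proceeds, -1 if it is refused. */
int module_call(struct vmm_state *s, unsigned page, const uint64_t *params,
                unsigned nparams, uint64_t rip)
{
    if (s->loaded != MPGT || s->esp - s->m_stack < (ptrdiff_t)nparams + 1)
        return -1;
    for (unsigned i = nparams; i > 0; i--)
        *--s->esp = params[i - 1];        /* last parameter pushed first */
    *--s->esp = rip;
    if (!cpu_faults(s, page))
        return 0;                         /* mapped in MPGT: no VMM involved */
    int rc = vmm_handle_call_fault(s, page, nparams);
    if (rc != 0)
        s->esp += nparams + 1;            /* refused: discard the pushed frame */
    return rc;
}
```

A call to a K-SPACE page the policy does not list leaves both the loaded page table and the stack untouched, which is the property the text relies on when it says the module cannot call K-SPACE code directly.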
Referring to Fig. 8, Fig. 8 is a structural schematic diagram of a VMM disclosed by an embodiment of the present invention, used for controlling the access of the target kernel module in the M-SPACE to the kernel data in the K-SPACE. As shown in Fig. 8, the VMM includes an event capturing unit 801, a permission judging unit 802 and a permission creating unit 803, where:
The event capturing unit 801 is configured to capture a page table interrupt event, where the page table interrupt event is generated by the CPU after it detects an access request sent by the target kernel module for the kernel data in the kernel space K-SPACE and determines that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolation space page table MPGT; the virtual machine kernel space corresponding to the VMM includes the K-SPACE and the isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the operation of the target kernel module;
In the embodiment of the present invention, an access permission mapping of the target kernel module to the kernel data in the M-SPACE is created in the MPGT, so that the target kernel module has permission to access the kernel data in the M-SPACE.
The permission judging unit 802 is configured to determine, through the pre-stored page table interrupt handling function, whether the target kernel module has permission to access the kernel data in the K-SPACE;
The permission creating unit 803 is configured to, when the permission judging unit determines through the pre-stored page table interrupt handling function that the target kernel module has permission to access the kernel data in the K-SPACE, create in the MPGT the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
It can be understood that the functions of the functional modules of the VMM of the embodiment of the present invention may be implemented according to the methods in the above method embodiments; for the specific implementation process, reference may be made to the related description of the above method embodiments, which is not repeated here.
It can be seen that in the embodiment of the present invention the VMM first captures the page table interrupt event; then the VMM determines, through the pre-stored page table interrupt handling function, whether the target kernel module has permission to access the kernel data in the K-SPACE; finally, when the VMM determines through the pre-stored page table interrupt handling function that the target kernel module has permission to access the kernel data in the K-SPACE, the VMM creates in the MPGT the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE. Since the page table interrupt event is generated by the CPU after it detects the access request sent by the target kernel module for the kernel data in the kernel space K-SPACE and determines that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolation space page table MPGT, the target kernel module has no permission to access the kernel data in the K-SPACE directly, which prevents the target kernel module from accessing the kernel data in the K-SPACE arbitrarily while its safety is unknown and improves the security of system kernel data access.
At the same time, since the VMM has higher operating privileges than the virtual machine operating system, in a virtualized environment the VMM, which runs at a higher privilege level, is isolated from the virtual machines and cannot be attacked directly by a virtual machine.
Further, since the VMM is independent of the guest platform, it can isolate kernel modules of multiple guest operating systems of different types at the same time.
Optionally, in the embodiment of the present invention, the permission judging unit 802 is specifically configured to:
obtain, through the pre-stored page table interrupt function, the preset permission determination policy corresponding to the page table interrupt event, and obtain the virtual address distribution information of the kernel data in the K-SPACE;
determine the event type of the page table interrupt event;
determine, according to the preset permission determination policy, the virtual address distribution information and the event type, whether the target kernel module has permission to access the kernel data in the K-SPACE.
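The data access path of units 801 to 803, with the judging unit's three inputs (policy, virtual address distribution information, event type), as a model written for this page (it is not the patent's code). The regions, the read/write event types, the per-region policy and all names are assumptions of this example; the hardware page tables are replaced by a per-page permission byte.

```c
/* Added example, not the patent's code: a model of the permission judging unit
 * 802 and the permission creating unit 803 for a data access by the target
 * kernel module to kernel data in K-SPACE. The virtual address distribution
 * information, the preset permission determination policy and the event types
 * are constructed here; every name is an assumption made for this example. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE 0x1000u
#define NPAGES    64        /* pages in the modelled kernel space */
#define PTE_R     0x1       /* readable in the modelled page table */
#define PTE_W     0x2       /* writable */

/* event type of the page table interrupt: read access or write access */
enum event_type { EV_READ = 1, EV_WRITE = 2 };

/* one entry of the virtual address distribution information of the kernel
   data in K-SPACE, together with the access the preset policy grants the
   target module to that region (0, PTE_R, or PTE_R | PTE_W) */
struct data_region {
    uintptr_t start, end;     /* [start, end) virtual address range */
    uint8_t   allowed;
};

struct data_vmm {
    uint8_t mpgt[NPAGES];     /* MPGT: access bits per page for the module */
    const struct data_region *regions;
    size_t nregions;
};

/* Permission judging unit: the bits the module is entitled to for `vaddr`
   under event `ev`, or 0 when the access is not permitted. */
uint8_t judge_permission(const struct data_vmm *v, uintptr_t vaddr, enum event_type ev)
{
    uint8_t need = (ev == EV_WRITE) ? (PTE_R | PTE_W) : PTE_R;
    uintptr_t page_start = vaddr & ~(uintptr_t)(PAGE_SIZE - 1);
    for (size_t i = 0; i < v->nregions; i++) {
        const struct data_region *r = &v->regions[i];
        if (vaddr < r->start || vaddr >= r->end)
            continue;
        /* the mapping created below is page-granular: a region that does not
           cover the whole page must be refused, or the mapping would expose
           data outside what the policy allows */
        if (page_start < r->start || page_start + PAGE_SIZE > r->end)
            return 0;
        return (r->allowed & need) == need ? r->allowed : 0;
    }
    return 0;                 /* not K-SPACE kernel data: refuse */
}

/* CPU side: the access faults when MPGT lacks the bits the event needs. */
bool cpu_data_faults(const struct data_vmm *v, uintptr_t vaddr, enum event_type ev)
{
    uintptr_t page = vaddr / PAGE_SIZE;
    uint8_t need = (ev == EV_WRITE) ? (PTE_R | PTE_W) : PTE_R;
    return page >= NPAGES || (v->mpgt[page] & need) != need;
}

/* Event capturing unit, judging unit and creating unit on one page table
   interrupt: create the access permission mapping in MPGT when permitted.
   Returns 0 when the access may be retried, -1 when it is refused. */
int vmm_handle_data_fault(struct data_vmm *v, uintptr_t vaddr, enum event_type ev)
{
    uintptr_t page = vaddr / PAGE_SIZE;
    if (page >= NPAGES)
        return -1;
    uint8_t grant = judge_permission(v, vaddr, ev);
    if (grant == 0)
        return -1;
    v->mpgt[page] |= grant;   /* access permission mapping created in MPGT */
    return 0;
}

/* The access as CPU and VMM would run it: fault, VMM decision, retry. */
int module_access(struct data_vmm *v, uintptr_t vaddr, enum event_type ev)
{
    if (!cpu_data_faults(v, vaddr, ev))
        return 0;             /* already mapped in MPGT */
    if (vmm_handle_data_fault(v, vaddr, ev) != 0)
        return -1;
    return cpu_data_faults(v, vaddr, ev) ? -1 : 0;
}

/* Constructed distribution information and policy for the K-SPACE data. */
static const struct data_region example_regions[] = {
    { 0x3000, 0x5000, PTE_R },          /* pages 3-4: read only */
    { 0x5000, 0x6000, PTE_R | PTE_W },  /* page 5: read and write */
    { 0x6000, 0x6800, PTE_R | PTE_W },  /* half of page 6: sub-page region */
};

void example_setup(struct data_vmm *v)
{
    memset(v, 0, sizeof *v);
    v->regions = example_regions;
    v->nregions = sizeof example_regions / sizeof example_regions[0];
}
```

Once a mapping has been created in MPGT, later accesses to that page no longer reach the VMM, so the policy is only consulted on the first access of each kind; a region that does not fill its page is refused rather than mapped, since the mapping cannot be finer than a page.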
Optionally, in the embodiment of the present invention, the VMM further includes:
an address mapping unit, configured to, before the event capturing unit captures the page table interrupt event, map the virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module that needs to be isolated, chosen from the N kernel modules inserted into the virtual machine kernel space, N being a positive integer;
a space separating unit, configured to separate the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
a page table creating unit, configured to mark the space page table of the virtual machine kernel space as the kernel space page table KPGT and create the MPGT based on the physical address distribution information, where the KPGT is used to support the operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE include the basic kernel modules of the virtual machine kernel space and the kernel modules other than the target kernel module among the N kernel modules.
Referring to Fig. 9, Fig. 9 is a structural schematic diagram of a VMM disclosed by an embodiment of the present invention, used for controlling the calls of the target kernel module in the M-SPACE to the kernel code in the K-SPACE. As shown in Fig. 9, the VMM includes an event capturing unit 901, a permission judging unit 902 and a switch unit 903, where:
The event capturing unit 901 is configured to capture a page table interrupt event, where the page table interrupt event is generated by the central processing unit CPU after it detects a call request of the target kernel module for the kernel code in the kernel space K-SPACE and determines that no calling permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolation space page table MPGT; the virtual machine kernel space corresponding to the VMM includes the K-SPACE and the isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the operation of the target kernel module;
In the embodiment of the present invention, a calling permission mapping of the target kernel module to the kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to call the kernel code in the M-SPACE.
The permission judging unit 902 is configured to determine, through the pre-stored page table interrupt handling function, whether the target kernel module has permission to call the kernel code in the K-SPACE;
The switch unit 903 is configured to, when the permission judging unit determines through the pre-stored page table interrupt handling function that the target kernel module has permission to call the kernel code in the K-SPACE, perform a page table handover operation and a stack handover operation according to the calling permission mapping of the target kernel module to the kernel code in the K-SPACE, so as to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the switched K-STACK.
It can be seen that in the embodiment of the present invention the VMM first captures the page table interrupt event; then, when the VMM determines through the pre-stored page table interrupt handling function that the target kernel module has permission to call the kernel code in the K-SPACE, the VMM performs the page table handover operation and the stack handover operation according to the calling permission mapping of the target kernel module to the kernel code in the K-SPACE, so as to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the switched K-STACK. The page table interrupt event is generated by the CPU after it detects a call request of the target kernel module for the kernel code in the kernel space K-SPACE and determines that no calling permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolation space page table MPGT. Thus the target kernel module has no permission to call the kernel code in the K-SPACE directly, which prevents the target kernel module from calling the kernel code in the K-SPACE arbitrarily while its safety is unknown and improves the security of system kernel code calls.
At the same time, since the VMM has higher operating privileges than the virtual machine operating system, in a virtualized environment the VMM, which runs at a higher privilege level, is isolated from the virtual machines and cannot be attacked directly by a virtual machine.
Further, since the VMM is independent of the guest platform, it can isolate kernel modules of multiple guest operating systems of different types at the same time.
Optionally, in the embodiment of the present invention, the permission judging unit 902 is specifically configured to:
obtain, through the pre-stored page table interrupt function, the preset permission determination policy corresponding to the page table interrupt event, and obtain the virtual address distribution information of the kernel code in the K-SPACE;
determine, according to the obtained preset permission determination policy and the virtual address distribution information, whether the target kernel module has permission to call the kernel code in the K-SPACE.
Optionally, in the embodiment of the present invention, the switch unit 903 is specifically configured to:
switch the page table currently loaded by the VMM from the MPGT to the kernel space page table KPGT, where the KPGT is used to support the operation of the kernel modules in the K-SPACE, and the K-SPACE includes the basic kernel modules of the virtual machine kernel space, the kernel modules other than the target kernel module among the N kernel modules inserted into the virtual machine kernel space, and the KPGT, N being a positive integer greater than 1.
Optionally, in the embodiment of the present invention, the switch unit 903 is specifically configured to:
copy, from the M-STACK, the code parameters stored there for passing to the kernel code in the K-SPACE and the return address RIP used for calling the kernel code in the K-SPACE;
write the code parameters and the RIP into the K-STACK;
move the currently used stack of the virtual machine kernel space from the position esp-old to the position esp-new, where the position esp-old is the storage location of the RIP in the M-STACK and the position esp-new is the storage location of the RIP in the K-STACK.
Optionally, in the embodiment of the present invention, the VMM further includes:
an address mapping unit, configured to, before the event capturing unit captures the page table interrupt event, map the virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module that needs to be isolated, chosen from the N kernel modules inserted into the virtual machine kernel space, N being a positive integer greater than 1;
a space separating unit, configured to separate the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
a page table creating unit, configured to mark the space page table of the virtual machine kernel space as the kernel space page table KPGT and create the MPGT based on the physical address distribution information.
Referring to Fig. 10, Fig. 10 is a structural schematic diagram of a VMM disclosed by an embodiment of the present invention. As shown in Fig. 10, the VMM may include at least one processor 1001, such as a CPU, at least one memory 1002, and at least one communication bus 1003. The communication bus 1003 is used to implement connection and communication between the processor 1001 and the memory 1002. The memory 1002 may include high-speed RAM and may also include non-volatile memory, for example at least one magnetic disk storage.
In some embodiments, the memory 1002 stores the following elements (executable modules or data structures, or a subset or a superset of them):
an operating system 10021, including various system programs, used to implement various basic services and to process hardware-based tasks;
application programs 10022, including various application programs such as a device control service program and a device identification service program, used to implement various application services.
Specifically, the processor 1001 is configured to call the program stored in the memory 1002 and perform the following operations:
The processor 1001 captures a page table interrupt event, where the page table interrupt event is generated by the CPU after it detects an access request sent by the target kernel module for the kernel data in the kernel space K-SPACE and determines that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolation space page table MPGT; the virtual machine kernel space corresponding to the VMM includes the K-SPACE and the isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the operation of the target kernel module;
In the embodiment of the present invention, an access permission mapping of the target kernel module to the kernel data in the M-SPACE is created in the MPGT, so that the target kernel module has permission to access the kernel data in the M-SPACE.
The processor 1001 determines, through the pre-stored page table interrupt handling function, whether the target kernel module has permission to access the kernel data in the K-SPACE;
When the processor 1001 determines through the pre-stored page table interrupt handling function that the target kernel module has permission to access the kernel data in the K-SPACE, it creates in the MPGT the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
It can be seen that in the embodiment of the present invention the VMM first captures the page table interrupt event; then the VMM determines, through the pre-stored page table interrupt handling function, whether the target kernel module has permission to access the kernel data in the K-SPACE; finally, when the VMM determines through the pre-stored page table interrupt handling function that the target kernel module has permission to access the kernel data in the K-SPACE, the VMM creates in the MPGT the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE. Since the page table interrupt event is generated by the CPU after it detects the access request sent by the target kernel module for the kernel data in the kernel space K-SPACE and determines that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolation space page table MPGT, the target kernel module has no permission to access the kernel data in the K-SPACE directly, which prevents the target kernel module from accessing the kernel data in the K-SPACE arbitrarily while its safety is unknown and improves the security of system kernel data access.
At the same time, since the VMM has higher operating privileges than the virtual machine operating system, in a virtualized environment the VMM, which runs at a higher privilege level, is isolated from the virtual machines and cannot be attacked directly by a virtual machine.
Further, since the VMM is independent of the guest platform, it can isolate kernel modules of multiple guest operating systems of different types at the same time.
Optionally, in the embodiment of the present invention, the specific way in which the processor 1001 determines through the pre-stored page table interrupt handling function whether the target kernel module has permission to access the kernel data in the K-SPACE is as follows: the processor 1001 first obtains, through the pre-stored page table interrupt function, the preset permission determination policy corresponding to the page table interrupt event, and obtains the virtual address distribution information of the kernel data in the K-SPACE; secondly, the processor 1001 determines the event type of the page table interrupt event; finally, the processor 1001 determines, according to the preset permission determination policy, the virtual address distribution information and the event type, whether the target kernel module has permission to access the kernel data in the K-SPACE.
Optionally, in this embodiment of the present invention, before the processor 1001 captures the page table interrupt event, it may also perform the following operations to create the kernel space isolation mechanism for the target kernel module:
the processor 1001 maps the virtual address distribution information of the target kernel module to physical address distribution information according to the prestored space page table of the virtual machine kernel space, where the target kernel module is the kernel module that needs to be isolated, chosen from the N kernel modules inserted into the virtual machine kernel space, and N is a positive integer;
the processor 1001 separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
the processor 1001 marks the space page table of the virtual machine kernel space as the kernel space page table KPGT, and creates the MPGT based on the physical address distribution information, where the KPGT supports the operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE comprise the basic kernel modules of the virtual machine kernel space and the kernel modules among the N kernel modules other than the target kernel module.
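The following is an added worked model of the data-access flow described above (capture of the page table interrupt event, the policy-based permission judgement on event type and K-SPACE address layout, and the creation of the missing MPGT mapping), together with the MPGT/KPGT split set up by the preprocessing steps. It is illustrative code written for this page, not code from the patent or from Huawei; the page table representation, the policy structure, the address constants and every function name are assumptions. The physical page for a newly created MPGT entry is taken from KPGT, never from anything the isolated module supplies, and a request that matches no policy rule is denied by default.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model (not the patent's code): a page table is a small array of
 * virtual->physical entries with permission bits. MPGT serves the isolated
 * target module, KPGT serves K-SPACE. All names and addresses are assumptions. */
#define PAGE_SHIFT   12
#define MAX_ENTRIES  128
#define PAGE_BASE(a) ((a) & ~(((uint64_t)1 << PAGE_SHIFT) - 1))

enum perm { PERM_READ = 1, PERM_WRITE = 2, PERM_EXEC = 4 };
enum fault_type { FAULT_READ, FAULT_WRITE, FAULT_EXEC };  /* event type of the page table interrupt */
enum access_result { ACCESS_OK, ACCESS_GRANTED_ON_FAULT, ACCESS_DENIED };

struct pte { uint64_t vaddr, paddr; unsigned perms; };
struct page_table { struct pte e[MAX_ENTRIES]; size_t n; };

/* Preset permission determination policy: K-SPACE virtual ranges the target
 * module may touch, and with which permissions. */
struct policy_rule { uint64_t start, end; unsigned perms; };
struct policy { struct policy_rule r[8]; size_t n; };

/* Virtual address distribution information of the kernel data in K-SPACE. */
struct region { uint64_t start, end; };

static unsigned fault_perm(enum fault_type t)
{
    return t == FAULT_WRITE ? PERM_WRITE : t == FAULT_EXEC ? PERM_EXEC : PERM_READ;
}

static struct pte *pt_find(struct page_table *pt, uint64_t va)
{
    for (size_t i = 0; i < pt->n; i++)
        if (pt->e[i].vaddr == PAGE_BASE(va))
            return &pt->e[i];
    return NULL;
}

/* Insert a new entry, or widen the permissions of an existing one. */
static bool pt_map(struct page_table *pt, uint64_t va, uint64_t pa, unsigned perms)
{
    struct pte *p = pt_find(pt, va);
    if (p) { p->perms |= perms; return true; }
    if (pt->n >= MAX_ENTRIES) return false;
    pt->e[pt->n++] = (struct pte){ PAGE_BASE(va), PAGE_BASE(pa), perms };
    return true;
}

/* The prestored page table interrupt processing function: decides from the
 * policy, the K-SPACE address layout and the event type (second step). */
static bool vmm_check_access(const struct policy *pol, const struct region *kdata,
                             uint64_t va, enum fault_type t)
{
    unsigned need = fault_perm(t);
    if (va < kdata->start || va >= kdata->end)
        return false;                       /* only K-SPACE kernel data is mediated here */
    for (size_t i = 0; i < pol->n; i++)
        if (va >= pol->r[i].start && va < pol->r[i].end && (pol->r[i].perms & need) == need)
            return true;
    return false;                           /* default deny */
}

/* Emulates one access by the target module running on MPGT. A miss or a
 * permission mismatch is the page table interrupt event the VMM captures
 * (first step); an allowed access gets its mapping created in MPGT (third step). */
static enum access_result vmm_handle_access(struct page_table *mpgt, struct page_table *kpgt,
                                            const struct policy *pol, const struct region *kdata,
                                            uint64_t va, enum fault_type t)
{
    unsigned need = fault_perm(t);
    struct pte *p = pt_find(mpgt, va);
    if (p && (p->perms & need) == need)
        return ACCESS_OK;                   /* already mapped: no interrupt event */
    if (!vmm_check_access(pol, kdata, va, t))
        return ACCESS_DENIED;
    struct pte *k = pt_find(kpgt, va);      /* physical page comes from the kernel's own KPGT */
    if (!k || !pt_map(mpgt, va, k->paddr, need))
        return ACCESS_DENIED;
    return ACCESS_GRANTED_ON_FAULT;
}

/* Constructed scenario (assumed layout). Returns a bitmask; 15 means every expectation held. */
int demo_data_access(void)
{
    struct page_table kpgt = {0}, mpgt = {0};
    const struct region kdata = { 0xffff880000100000ULL, 0xffff880000140000ULL };  /* 64 pages */
    const struct policy pol = { { { 0xffff880000100000ULL, 0xffff880000110000ULL, PERM_READ } }, 1 };
    for (uint64_t va = kdata.start; va < kdata.end; va += (uint64_t)1 << PAGE_SHIFT)
        pt_map(&kpgt, va, 0x1000000ULL + (va - kdata.start), PERM_READ | PERM_WRITE);

    int first = vmm_handle_access(&mpgt, &kpgt, &pol, &kdata, 0xffff880000102040ULL, FAULT_READ);
    int again = vmm_handle_access(&mpgt, &kpgt, &pol, &kdata, 0xffff880000102040ULL, FAULT_READ);
    int write = vmm_handle_access(&mpgt, &kpgt, &pol, &kdata, 0xffff880000102040ULL, FAULT_WRITE);
    int other = vmm_handle_access(&mpgt, &kpgt, &pol, &kdata, 0xffff880000130000ULL, FAULT_READ);
    return (first == ACCESS_GRANTED_ON_FAULT) | (again == ACCESS_OK) << 1
         | (write == ACCESS_DENIED) << 2      | (other == ACCESS_DENIED) << 3;
}

int main(void)
{
    printf("data access demo: %s\n", demo_data_access() == 15 ? "ok" : "mismatch");
    return 0;
}
```

The first read of a page that the policy allows faults, is granted, and leaves a read-only entry in MPGT; the second read of the same page no longer faults. A write to that page faults again and is refused because the rule grants only PERM_READ, and a read of K-SPACE data covered by no rule is refused outright.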
Referring to Figure 11, Figure 11 is a structural schematic diagram of a code calling device disclosed by an embodiment of the present invention. As shown in Figure 11, the code calling device may comprise at least one processor 1001, such as a CPU, at least one memory 1002, and at least one communication bus 1003. The communication bus 1003 implements the connection and communication between the processor 1001 and the memory 1002. The memory 1002 may comprise a high-speed RAM memory, and may further comprise a non-volatile memory, for example at least one magnetic disk storage.
In some embodiments, the memory 1002 stores the following elements (executable modules or data structures, or a subset or a superset of them):
an operating system 10021, comprising various system programs, for implementing various basic services and processing hardware-based tasks;
application programs 10022, comprising various application programs such as a device control service program and a device identification service program, for implementing various application services.
Specifically, the processor 1001 calls the program stored in the memory 1002 to perform the following operations:
the processor 1001 captures a page table interrupt event, the page table interrupt event being generated by the central processing unit CPU after it detects a call request of a target kernel module for kernel code in the kernel space K-SPACE and judges that the isolation space page table MPGT contains no mapping of the calling permission of the target kernel module to the kernel code in the K-SPACE, where the virtual machine kernel space corresponding to the VMM comprises the K-SPACE and an isolation space M-SPACE, the M-SPACE comprises the target kernel module and the MPGT, and the MPGT supports the operation of the target kernel module;
In this embodiment of the present invention, the MPGT already contains a mapping of the calling permission of the target kernel module to the kernel code in the M-SPACE, so that the target kernel module has permission to call the kernel code in the M-SPACE.
the processor 1001 judges, by means of a prestored page table interrupt processing function, whether the target kernel module has permission to call the kernel code in the K-SPACE;
when the VMM judges by means of the prestored page table interrupt processing function that the target kernel module has permission to call the kernel code in the K-SPACE, the processor 1001 (the VMM) performs, according to the mapping of the calling permission of the target kernel module to the kernel code in the K-SPACE, a page table switch operation and a stack switch operation so as to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the K-STACK after the switch.
Optionally, in this embodiment of the present invention, the VMM first captures a page table interrupt event; second, when the VMM judges by means of the prestored page table interrupt processing function that the target kernel module has permission to call the kernel code in K-SPACE, the VMM performs, according to the mapping of the calling permission of the target kernel module to the kernel code in K-SPACE, a page table switch operation and a stack switch operation so as to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the K-STACK after the switch. Because the page table interrupt event is generated only after the CPU has detected the call request of the target kernel module for kernel code in the kernel space K-SPACE and has determined that the isolation space page table MPGT contains no mapping of the calling permission of the target kernel module to that kernel code, the target kernel module has no permission to call the kernel code in K-SPACE directly. This prevents the target kernel module from calling kernel code in K-SPACE at will while its safety is unknown, and so improves the security of kernel code calls in the system.
At the same time, because the VMM runs at a higher privilege level than the virtual machine operating system, in a virtualized environment the VMM executing at that higher privilege level is isolated from the virtual machines and cannot be attacked directly by a virtual machine.
At the same time, because the VMM is independent of the guest platform, it can isolate kernel modules of several guest operating systems of different types simultaneously.
Optionally, in this embodiment of the present invention, before the processor 1001 (the VMM) captures the page table interrupt event, it may also perform the following operations to create the isolation mechanism for the target kernel module:
the processor 1001 maps the virtual address distribution information of the target kernel module to physical address distribution information according to the prestored space page table of the virtual machine kernel space, where the target kernel module is the kernel module that needs to be isolated, chosen from the N kernel modules inserted into the virtual machine kernel space, and N is a positive integer greater than 1;
the processor 1001 separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
the processor 1001 marks the space page table of the virtual machine kernel space as the kernel space page table KPGT, and creates the MPGT based on the physical address distribution information.
Optionally, in this embodiment of the present invention, the processor 1001 judges, by means of the prestored page table interrupt processing function, whether the target kernel module has permission to call the kernel code in the K-SPACE in the following way: the processor 1001 obtains, through the prestored page table interrupt function, the preset permission determination policy corresponding to the page table interrupt event, and obtains the virtual address distribution information of the kernel code in the K-SPACE; then, according to the obtained preset permission determination policy and the virtual address distribution information, the processor 1001 judges whether the target kernel module has permission to access the kernel code in the K-SPACE.
Optionally, in this embodiment of the present invention, the processor 1001 performs the page table switch operation in the following way: the processor 1001 switches the page table currently loaded by the VMM from the MPGT to the kernel space page table KPGT, where the KPGT supports the operation of the kernel modules in the K-SPACE, and the K-SPACE comprises the basic kernel modules of the virtual machine kernel space, the kernel modules among the N kernel modules inserted into the virtual machine kernel space other than the target kernel module, and the KPGT, N being a positive integer greater than 1.
Optionally, in this embodiment of the present invention, the processor 1001 performs the stack switch operation in the following way: the processor 1001 copies the code parameters stored in the M-STACK that are to be passed to the kernel code in the K-SPACE, together with the return address RIP used for calling the kernel code in the K-SPACE; writes the code parameters and the RIP into the K-STACK; and switches the stack currently used by the virtual machine kernel space from the esp-old position to the esp-new position, where the esp-old position is the storage location of the RIP in the M-STACK and the esp-new position is the storage location of the RIP in the K-STACK.
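The following is an added worked model of the two switch operations just described: the page table switch from MPGT to KPGT, and the stack switch that copies the code parameters and the return address RIP from M-STACK at esp-old into K-STACK and moves the stack pointer to esp-new. It is illustrative code written for this page, not code from the patent or from Huawei; the slot-array stack, the frame layout (RIP on top, first parameter just above it, as a C caller on x86 would leave it), the sample parameters and every function name are assumptions. The number of parameters to copy is taken from the calling permission mapping, that is, from the VMM's knowledge of the callee, not from the isolated module's stack.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model (not the patent's code): a stack is a fixed array of 64-bit
 * slots growing toward lower indices, like an x86 stack growing toward lower
 * addresses; "esp" is the index of the slot holding the return address RIP. */
#define STACK_SLOTS 32

struct stack { uint64_t slot[STACK_SLOTS]; size_t esp; };
enum page_table_id { PT_MPGT = 1, PT_KPGT = 2 };

/* Virtual CPU state the VMM manipulates: loaded page table and current stack. */
struct vcpu { enum page_table_id loaded_pt; struct stack *cur; };

static void stack_init(struct stack *s) { memset(s, 0, sizeof *s); s->esp = STACK_SLOTS; }

static bool stack_push(struct stack *s, uint64_t v)
{
    if (s->esp == 0) return false;
    s->slot[--s->esp] = v;
    return true;
}

/* Lay out a call frame as a C caller would: parameters pushed last-to-first so
 * that params[0] ends up just above RIP, then RIP on top. */
static bool stack_push_call(struct stack *s, const uint64_t *params, size_t n, uint64_t rip)
{
    for (size_t i = n; i-- > 0; )
        if (!stack_push(s, params[i])) return false;
    return stack_push(s, rip);
}

/* Stack switch operation: copy the code parameters and the return address RIP
 * from M-STACK at esp-old into K-STACK and report esp-new, the position of RIP
 * in K-STACK. nparams comes from the calling permission mapping (the callee's
 * signature), not from the isolated module's stack. */
static bool vmm_switch_stack(const struct stack *mstack, size_t esp_old, size_t nparams,
                             struct stack *kstack, size_t *esp_new)
{
    size_t frame = nparams + 1;             /* RIP plus parameters */
    if (esp_old >= STACK_SLOTS || esp_old + frame > STACK_SLOTS) return false;
    if (kstack->esp < frame) return false;  /* no room on K-STACK */
    size_t dst = kstack->esp - frame;
    memcpy(&kstack->slot[dst], &mstack->slot[esp_old], frame * sizeof(uint64_t));
    kstack->esp = dst;
    *esp_new = dst;
    return true;
}

/* Page table switch MPGT -> KPGT plus stack switch M-STACK -> K-STACK. Only a
 * module currently running on MPGT may be switched into K-SPACE. */
static bool vmm_enter_kspace(struct vcpu *v, const struct stack *mstack, size_t nparams,
                             struct stack *kstack, size_t *esp_new)
{
    if (v->loaded_pt != PT_MPGT) return false;
    if (!vmm_switch_stack(mstack, mstack->esp, nparams, kstack, esp_new)) return false;
    v->loaded_pt = PT_KPGT;
    v->cur = kstack;
    return true;
}

/* Constructed scenario (assumed values). Returns a bitmask; 63 means every expectation held. */
int demo_code_call(void)
{
    struct stack mstack, kstack;
    stack_init(&mstack);
    stack_init(&kstack);
    const uint64_t params[3] = { 0x10, 0x20, 0x30 };
    const uint64_t rip = 0xffffffffa0001234ULL;     /* assumed return address inside the target module */
    stack_push_call(&mstack, params, 3, rip);

    struct vcpu v = { PT_MPGT, &mstack };
    size_t esp_new = 0;
    bool ok = vmm_enter_kspace(&v, &mstack, 3, &kstack, &esp_new);
    bool again = vmm_enter_kspace(&v, &mstack, 3, &kstack, &esp_new);  /* already on KPGT: refused */

    return ok
         | (v.loaded_pt == PT_KPGT) << 1
         | (v.cur == &kstack && kstack.esp == esp_new) << 2
         | (kstack.slot[esp_new] == rip) << 3
         | (kstack.slot[esp_new + 1] == 0x10 && kstack.slot[esp_new + 3] == 0x30) << 4
         | (!again) << 5;
}

int main(void)
{
    printf("code call demo: %s\n", demo_code_call() == 63 ? "ok" : "mismatch");
    return 0;
}
```

After the switch, K-STACK holds the same frame that M-STACK held at esp-old, the stack pointer points at the copied RIP (esp-new), and the loaded page table is KPGT; a second switch request while the vCPU is already on KPGT is refused, since the operation is defined only for a module running on MPGT.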
Those of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, which may include a flash disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The module isolation method, data access method, code calling method, related apparatus and system disclosed by the embodiments of the present invention have been described in detail above. Specific examples have been used herein to illustrate the principle and implementation of the invention; the description of the above embodiments is intended only to help understand the method of the invention and its core idea. At the same time, persons of ordinary skill in the art may, following the idea of the invention, make changes to the specific implementation and to the scope of application. In summary, the contents of this specification should not be construed as limiting the invention.

Claims (36)

1. A data access method, characterized by comprising:
capturing, by a virtual machine monitor VMM, a page table interrupt event, wherein the page table interrupt event is generated by a central processing unit CPU after detecting an access request sent by a target kernel module for kernel data in a kernel space K-SPACE and judging that an isolation space page table MPGT contains no mapping of an access permission of the target kernel module to the kernel data in the K-SPACE, wherein a virtual machine kernel space corresponding to the VMM comprises the K-SPACE and an isolation space M-SPACE, the M-SPACE comprises the target kernel module and the MPGT, and the MPGT is configured to support the operation of the target kernel module;
judging, by the VMM by means of a prestored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE;
when the VMM judges by means of the prestored page table interrupt processing function that the target kernel module has permission to access the kernel data in the K-SPACE, creating, by the VMM in the MPGT, a mapping of the access permission of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
2. The data access method according to claim 1, characterized in that the judging, by the VMM by means of the prestored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE comprises:
obtaining, by the VMM through the prestored page table interrupt function, a preset permission determination policy corresponding to the page table interrupt event, and obtaining virtual address distribution information of the kernel data in the K-SPACE;
determining, by the VMM, an event type of the page table interrupt event;
judging, by the VMM according to the preset permission determination policy, the virtual address distribution information and the event type, whether the target kernel module has permission to access the kernel data in the K-SPACE.
3. The data access method according to claim 1, characterized in that before the VMM captures the page table interrupt event, the method further comprises:
mapping, by the VMM according to a prestored space page table of the virtual machine kernel space, virtual address distribution information of the target kernel module to physical address distribution information, wherein the target kernel module is a kernel module that needs to be isolated, chosen from N kernel modules inserted into the virtual machine kernel space, and N is a positive integer;
separating, by the VMM based on the physical address distribution information, the virtual machine kernel space into the M-SPACE and the K-SPACE;
marking, by the VMM, the space page table of the virtual machine kernel space as a kernel space page table KPGT, and creating the MPGT based on the physical address distribution information, wherein the KPGT is configured to support the operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE comprise basic kernel modules of the virtual machine kernel space and the kernel modules among the N kernel modules other than the target kernel module.
4. The data access method according to claim 2, characterized in that before the VMM captures the page table interrupt event, the method further comprises:
mapping, by the VMM according to a prestored space page table of the virtual machine kernel space, virtual address distribution information of the target kernel module to physical address distribution information, wherein the target kernel module is a kernel module that needs to be isolated, chosen from N kernel modules inserted into the virtual machine kernel space, and N is a positive integer;
separating, by the VMM based on the physical address distribution information, the virtual machine kernel space into the M-SPACE and the K-SPACE;
marking, by the VMM, the space page table of the virtual machine kernel space as a kernel space page table KPGT, and creating the MPGT based on the physical address distribution information, wherein the KPGT is configured to support the operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE comprise basic kernel modules of the virtual machine kernel space and the kernel modules among the N kernel modules other than the target kernel module.
5. The data access method according to any one of claims 1 to 4, characterized in that the MPGT contains a mapping of the access permission of the target kernel module to the kernel data in the M-SPACE, so that the target kernel module has permission to access the kernel data in the M-SPACE.
6. A virtual machine monitor VMM, characterized by comprising:
an event capturing unit, configured to capture a page table interrupt event, wherein the page table interrupt event is generated by a CPU after detecting an access request sent by a target kernel module for kernel data in a kernel space K-SPACE and judging that an isolation space page table MPGT contains no mapping of an access permission of the target kernel module to the kernel data in the K-SPACE, wherein a virtual machine kernel space corresponding to the VMM comprises the K-SPACE and an isolation space M-SPACE, the M-SPACE comprises the target kernel module and the MPGT, and the MPGT is configured to support the operation of the target kernel module;
a permission judging unit, configured to judge, by means of a prestored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE;
a permission creating unit, configured to, when the permission judging unit judges by means of the prestored page table interrupt processing function that the target kernel module has permission to access the kernel data in the K-SPACE, create in the MPGT a mapping of the access permission of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
7. The VMM according to claim 6, characterized in that the permission judging unit is specifically configured to:
obtain, through the prestored page table interrupt function, a preset permission determination policy corresponding to the page table interrupt event, and obtain virtual address distribution information of the kernel data in the K-SPACE;
determine an event type of the page table interrupt event;
judge, according to the preset permission determination policy, the virtual address distribution information and the event type, whether the target kernel module has permission to access the kernel data in the K-SPACE.
8. The VMM according to claim 6, characterized in that the VMM further comprises:
an address mapping unit, configured to, before the event capturing unit captures the page table interrupt event, map virtual address distribution information of the target kernel module to physical address distribution information according to a prestored space page table of the virtual machine kernel space, wherein the target kernel module is a kernel module that needs to be isolated, chosen from N kernel modules inserted into the virtual machine kernel space, and N is a positive integer;
a space separating unit, configured to separate the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
a page table creating unit, configured to mark the space page table of the virtual machine kernel space as a kernel space page table KPGT and to create the MPGT based on the physical address distribution information, wherein the KPGT is configured to support the operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE comprise basic kernel modules of the virtual machine kernel space and the kernel modules among the N kernel modules other than the target kernel module.
9. The VMM according to claim 7, characterized in that the VMM further comprises:
an address mapping unit, configured to, before the event capturing unit captures the page table interrupt event, map virtual address distribution information of the target kernel module to physical address distribution information according to a prestored space page table of the virtual machine kernel space, wherein the target kernel module is a kernel module that needs to be isolated, chosen from N kernel modules inserted into the virtual machine kernel space, and N is a positive integer;
a space separating unit, configured to separate the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
a page table creating unit, configured to mark the space page table of the virtual machine kernel space as a kernel space page table KPGT and to create the MPGT based on the physical address distribution information, wherein the KPGT is configured to support the operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE comprise basic kernel modules of the virtual machine kernel space and the kernel modules among the N kernel modules other than the target kernel module.
10. The VMM according to any one of claims 6 to 9, characterized in that the MPGT contains a mapping of the access permission of the target kernel module to the kernel data in the M-SPACE, so that the target kernel module has permission to access the kernel data in the M-SPACE.
11. A code calling method, characterized by comprising:
capturing, by a virtual machine monitor VMM, a page table interrupt event, wherein the page table interrupt event is generated by a central processing unit CPU after detecting a call request of a target kernel module for kernel code in a kernel space K-SPACE and judging that an isolation space page table MPGT contains no mapping of a calling permission of the target kernel module to the kernel code in the K-SPACE, wherein a virtual machine kernel space corresponding to the VMM comprises the K-SPACE and an isolation space M-SPACE, the M-SPACE comprises the target kernel module and the MPGT, and the MPGT is configured to support the operation of the target kernel module;
judging, by the VMM by means of a prestored page table interrupt processing function, whether the target kernel module has permission to call the kernel code in the K-SPACE;
when the VMM judges by means of the prestored page table interrupt processing function that the target kernel module has permission to call the kernel code in the K-SPACE, performing, by the VMM according to the mapping of the calling permission of the target kernel module to the kernel code in the K-SPACE, a page table switch operation and a stack switch operation so as to switch the stack of the virtual machine kernel space from an isolation space stack M-STACK to a kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the K-STACK after the switch.
12. The code calling method according to claim 11, characterized in that the judging, by the VMM by means of the prestored page table interrupt processing function, whether the target kernel module has permission to call the kernel code in the K-SPACE comprises:
obtaining, by the VMM through the prestored page table interrupt function, a preset permission determination policy corresponding to the page table interrupt event, and obtaining virtual address distribution information of the kernel code in the K-SPACE;
judging, by the VMM according to the obtained preset permission determination policy and the virtual address distribution information, whether the target kernel module has permission to access the kernel code in the K-SPACE.
13. The code calling method according to claim 11, characterized in that the VMM performing the page table switch operation comprises:
switching, by the VMM, the page table currently loaded by the VMM from the MPGT to a kernel space page table KPGT, wherein the KPGT is configured to support the operation of the kernel modules in the K-SPACE, and the K-SPACE comprises basic kernel modules of the virtual machine kernel space, the kernel modules among N kernel modules inserted into the virtual machine kernel space other than the target kernel module, and the KPGT, N being a positive integer greater than 1.
14. The code calling method according to claim 12, characterized in that the VMM performing the page table switch operation comprises:
switching, by the VMM, the page table currently loaded by the VMM from the MPGT to a kernel space page table KPGT, wherein the KPGT is configured to support the operation of the kernel modules in the K-SPACE, and the K-SPACE comprises basic kernel modules of the virtual machine kernel space, the kernel modules among N kernel modules inserted into the virtual machine kernel space other than the target kernel module, and the KPGT, N being a positive integer greater than 1.
15. The code calling method according to any one of claims 11 to 14, characterized in that the VMM performing the stack switch operation comprises:
copying, by the VMM, the code parameters stored in the M-STACK that are to be passed to the kernel code in the K-SPACE and the return address RIP used for calling the kernel code in the K-SPACE;
writing, by the VMM, the code parameters and the RIP into the K-STACK;
switching, by the VMM, the stack currently used by the virtual machine kernel space from the esp-old position to the esp-new position, wherein the esp-old position is the storage location of the RIP in the M-STACK, and the esp-new position is the storage location of the RIP in the K-STACK.
16. The code calling method according to any one of claims 11 to 14, characterized in that before the VMM captures the page table interrupt event, the method further comprises:
mapping, by the VMM according to a prestored space page table of the virtual machine kernel space, virtual address distribution information of the target kernel module to physical address distribution information, wherein the target kernel module is a kernel module that needs to be isolated, chosen from N kernel modules inserted into the virtual machine kernel space, and N is a positive integer greater than 1;
separating, by the VMM based on the physical address distribution information, the virtual machine kernel space into the M-SPACE and the K-SPACE;
marking, by the VMM, the space page table of the virtual machine kernel space as a kernel space page table KPGT, and creating the MPGT based on the physical address distribution information.
17. The code calling method according to claim 15, characterized in that before the VMM captures the page table interrupt event, the method further comprises:
mapping, by the VMM according to a prestored space page table of the virtual machine kernel space, virtual address distribution information of the target kernel module to physical address distribution information, wherein the target kernel module is a kernel module that needs to be isolated, chosen from N kernel modules inserted into the virtual machine kernel space, and N is a positive integer greater than 1;
separating, by the VMM based on the physical address distribution information, the virtual machine kernel space into the M-SPACE and the K-SPACE;
marking, by the VMM, the space page table of the virtual machine kernel space as a kernel space page table KPGT, and creating the MPGT based on the physical address distribution information.
18. The code calling method according to any one of claims 11 to 14, characterized in that the MPGT contains a mapping of the calling permission of the target kernel module to the kernel code in the M-SPACE, so that the target kernel module has permission to call the kernel code in the M-SPACE.
19. The code calling method according to claim 15, characterized in that the MPGT contains a mapping of the calling permission of the target kernel module to the kernel code in the M-SPACE, so that the target kernel module has permission to call the kernel code in the M-SPACE.
20. The code calling method according to claim 16, characterized in that the MPGT contains a mapping of the calling permission of the target kernel module to the kernel code in the M-SPACE, so that the target kernel module has permission to call the kernel code in the M-SPACE.
21. The code calling method according to claim 17, characterized in that the MPGT contains a mapping of the calling permission of the target kernel module to the kernel code in the M-SPACE, so that the target kernel module has permission to call the kernel code in the M-SPACE.
22. A virtual machine monitor VMM, characterized by comprising:
an event capturing unit, configured to capture a page table interrupt event, wherein the page table interrupt event is generated by a central processing unit CPU after detecting a call request of a target kernel module for kernel code in a kernel space K-SPACE and judging that an isolation space page table MPGT contains no mapping of a calling permission of the target kernel module to the kernel code in the K-SPACE, wherein a virtual machine kernel space corresponding to the VMM comprises the K-SPACE and an isolation space M-SPACE, the M-SPACE comprises the target kernel module and the MPGT, and the MPGT is configured to support the operation of the target kernel module;
a permission judging unit, configured to judge, by means of a prestored page table interrupt processing function, whether the target kernel module has permission to call the kernel code in the K-SPACE;
a switch unit, configured to, when the permission judging unit judges by means of the prestored page table interrupt processing function that the target kernel module has permission to call the kernel code in the K-SPACE, perform, according to the mapping of the calling permission of the target kernel module to the kernel code in the K-SPACE, a page table switch operation and a stack switch operation so as to switch the stack of the virtual machine kernel space from an isolation space stack M-STACK to a kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the K-STACK after the switch.
23. The VMM according to claim 22, characterized in that the permission judging unit is specifically configured to:
obtain, through the prestored page table interrupt function, a preset permission determination policy corresponding to the page table interrupt event, and obtain virtual address distribution information of the kernel code in the K-SPACE;
judge, according to the obtained preset permission determination policy and the virtual address distribution information, whether the target kernel module has permission to access the kernel code in the K-SPACE.
24. The VMM according to claim 22, characterized in that the switch unit is specifically configured to:
switch the page table currently loaded by the VMM from the MPGT to a kernel space page table KPGT, wherein the KPGT is configured to support the operation of the kernel modules in the K-SPACE, and the K-SPACE comprises basic kernel modules of the virtual machine kernel space, the kernel modules among N kernel modules inserted into the virtual machine kernel space other than the target kernel module, and the KPGT, N being a positive integer greater than 1.
25. The VMM according to claim 23, characterized in that the switch unit is specifically configured to:
switch the page table currently loaded by the VMM from the MPGT to a kernel space page table KPGT, wherein the KPGT is configured to support the operation of the kernel modules in the K-SPACE, and the K-SPACE comprises basic kernel modules of the virtual machine kernel space, the kernel modules among N kernel modules inserted into the virtual machine kernel space other than the target kernel module, and the KPGT, N being a positive integer greater than 1.
26. The VMM according to claim 22 or 25, characterized in that the switch unit is specifically configured to:
copy the code parameters stored in the M-STACK that are to be passed to the kernel code in the K-SPACE and the return address RIP used for calling the kernel code in the K-SPACE;
write the code parameters and the RIP into the K-STACK;
switch the stack currently used by the virtual machine kernel space from the esp-old position to the esp-new position, wherein the esp-old position is the storage location of the RIP in the M-STACK, and the esp-new position is the storage location of the RIP in the K-STACK.
27. The VMM according to claim 22 or 25, characterized in that the VMM further comprises:
an address mapping unit, configured to, before the event capturing unit captures the page table interrupt event, map virtual address distribution information of the target kernel module to physical address distribution information according to a prestored space page table of the virtual machine kernel space, wherein the target kernel module is a kernel module that needs to be isolated, chosen from N kernel modules inserted into the virtual machine kernel space, and N is a positive integer greater than 1;
a space separating unit, configured to separate the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
a page table creating unit, configured to mark the space page table of the virtual machine kernel space as a kernel space page table KPGT and to create the MPGT based on the physical address distribution information.
28. The VMM according to claim 26, wherein the VMM further comprises:
an address mapping unit, configured to, before the event capturing unit captures the page table interrupt event, map the virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, wherein the target kernel module is the kernel module that needs to be isolated, selected from the N kernel modules inserted into the virtual machine kernel space, N being a positive integer greater than 1;
a space separating unit, configured to separate the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information; and
a page table creating unit, configured to mark the space page table of the virtual machine kernel space as the kernel-space page table KPGT and to create the MPGT based on the physical address distribution information.
29. The VMM according to any one of claims 22 to 25, wherein a call-permission mapping from the target kernel module to the kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to call the kernel code in the M-SPACE.
30. The VMM according to claim 26, wherein a call-permission mapping from the target kernel module to the kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to call the kernel code in the M-SPACE.
31. The VMM according to claim 27, wherein a call-permission mapping from the target kernel module to the kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to call the kernel code in the M-SPACE.
32. The VMM according to claim 28, wherein a call-permission mapping from the target kernel module to the kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to call the kernel code in the M-SPACE.
33. A computer-readable storage medium, wherein the computer-readable storage medium stores a computer program, and the computer program is used to instruct the relevant hardware to perform the method according to any one of claims 1 to 5.
34. A computer-readable storage medium, wherein the computer-readable storage medium stores a computer program, and the computer program is used to instruct the relevant hardware to perform the method according to any one of claims 11 to 21.
35. A virtual machine monitor VMM, comprising a processor and a memory, wherein the processor is configured to call the program stored in the memory to perform the method according to any one of claims 1 to 5.
36. A virtual machine monitor VMM, comprising a processor and a memory, wherein the processor is configured to call the program stored in the memory to perform the method according to any one of claims 11 to 21.
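The mechanism in claims 25 to 32 is a dual-page-table call gate: the isolated module runs on its own page table (MPGT) that maps only M-SPACE, so its first fetch of kernel code in K-SPACE is a page table fault that the VMM catches; the VMM then loads KPGT, moves the call parameters and return address from M-STACK to K-STACK, and retargets the stack pointer from esp-old to esp-new. The C model below is an added example written for this page, not code from the patent or from Huawei; it models page tables as flat virtual-page-to-physical-page arrays instead of real x86 structures, and every name, page count, stack depth and address in it (vmm_setup, vmm_on_page_fault, module_call, check_model, the 8-page guest, the constructed kernel page table, the return address) is an assumption. The point a practitioner should take from it is the check at the top of the fault handler: a VMM that switched to KPGT on any fault from the module, rather than only on a fetch of K-SPACE kernel code, would turn the isolation boundary into a privilege escalation for the module.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPAGES      8      /* toy guest "physical" memory, one slot per page (assumption) */
#define STACK_SLOTS 8      /* depth of each stack in the model (assumption) */
#define UNMAPPED    (-1)

enum space { K_SPACE, M_SPACE };

/* A page table is only virtual page -> physical page plus the claim-29 "may be
 * called" bit; real page tables are multi-level, this is a model. */
struct pgt { int pa[NPAGES]; bool callable[NPAGES]; };

/* Downward-growing stack; top is the index of the most recently pushed slot. */
struct stack { uint64_t slot[STACK_SLOTS]; int top; };

struct vmm {
    struct pgt kpgt, mpgt;
    struct pgt *current;            /* page table currently loaded (stands in for CR3) */
    enum space page_space[NPAGES];  /* physical page -> M-SPACE or K-SPACE */
    struct stack m_stack, k_stack;
    struct stack *cur_stack;
    int esp_old, esp_new;           /* recorded by the last switch, for inspection */
    int page_faults;
};

static void push(struct stack *s, uint64_t v) { s->slot[--s->top] = v; }

/* Address mapping, space separating and page table creating units (claims 27/28):
 * the guest's existing kernel page table is taken as KPGT, the target module's
 * virtual pages are resolved through it to physical pages (M-SPACE), MPGT maps
 * only those pages and KPGT stops mapping them. */
static void vmm_setup(struct vmm *v, const int kernel_pgt[NPAGES], int mod_vpage, int mod_npages)
{
    memset(v, 0, sizeof *v);
    for (int i = 0; i < NPAGES; i++) {
        v->kpgt.pa[i] = kernel_pgt[i];
        v->mpgt.pa[i] = UNMAPPED;
        v->page_space[i] = K_SPACE;
    }
    for (int vp = mod_vpage; vp < mod_vpage + mod_npages && vp < NPAGES; vp++) {
        int pp = v->kpgt.pa[vp];                 /* address mapping unit */
        if (pp == UNMAPPED) continue;
        v->page_space[pp] = M_SPACE;             /* space separating unit */
        v->mpgt.pa[vp] = pp;                     /* page table creating unit */
        v->mpgt.callable[vp] = true;             /* claim 29: callable from the module */
        v->kpgt.pa[vp] = UNMAPPED;               /* K-SPACE no longer sees the module */
    }
    v->current = &v->mpgt;                       /* the isolated module runs on MPGT */
    v->m_stack.top = v->k_stack.top = STACK_SLOTS;
    v->cur_stack = &v->m_stack;
}

/* Switch unit (claims 25/26), run on the page table interrupt event. Only a fetch
 * of K-SPACE kernel code by the module running on MPGT is treated as a call. */
static bool vmm_on_page_fault(struct vmm *v, int fault_vpage, int nargs)
{
    int pp = v->kpgt.pa[fault_vpage];
    if (v->current != &v->mpgt || pp == UNMAPPED || v->page_space[pp] != K_SPACE)
        return false;                            /* not a module->kernel call: refuse */
    v->current = &v->kpgt;                       /* MPGT -> KPGT */
    v->esp_old = v->m_stack.top;                 /* RIP sits at the top of M-STACK */
    for (int i = nargs; i >= 0; i--)             /* copy the parameters and RIP in order */
        push(&v->k_stack, v->m_stack.slot[v->esp_old + i]);
    v->esp_new = v->k_stack.top;                 /* RIP's slot in K-STACK */
    v->cur_stack = &v->k_stack;
    return true;
}

/* The module calls: push args right-to-left and the return RIP, then fetch the
 * target; a miss in the currently loaded page table raises the fault. */
static bool module_call(struct vmm *v, int target_vpage, const uint64_t *args, int nargs, uint64_t rip)
{
    for (int i = nargs - 1; i >= 0; i--) push(v->cur_stack, args[i]);
    push(v->cur_stack, rip);
    if (v->current->pa[target_vpage] != UNMAPPED)
        return true;                             /* M-SPACE target, VMM not involved */
    v->page_faults++;
    return vmm_on_page_fault(v, target_vpage, nargs);
}

/* Runs the claims' scenario on constructed input; returns 0 on success, else the
 * number of the first failed check. */
static int check_model(void)
{
    static struct vmm v;
    int kernel_pgt[NPAGES] = { 0, 1, 2, 3, UNMAPPED, 5, 6, 7 };  /* constructed guest table */
    uint64_t args[2] = { 11, 22 };
    const uint64_t rip = 0xffffffffc0001234ull;  /* assumed return address inside the module */
    vmm_setup(&v, kernel_pgt, 6, 2);             /* target module occupies vpages 6-7 */
    if (v.mpgt.pa[6] != 6 || v.mpgt.pa[2] != UNMAPPED) return 1;
    if (v.kpgt.pa[6] != UNMAPPED || v.kpgt.pa[2] != 2) return 2;
    if (v.page_space[6] != M_SPACE || v.page_space[2] != K_SPACE) return 3;
    push(&v.k_stack, 0xAAAA);                    /* the kernel's own frame is already on K-STACK */
    push(&v.k_stack, 0xBBBB);
    if (!module_call(&v, 7, args, 0, rip) || v.page_faults != 0) return 4;  /* stays in M-SPACE */
    v.m_stack.top = STACK_SLOTS;                 /* discard that frame */
    if (!module_call(&v, 2, args, 2, rip) || v.page_faults != 1) return 5;  /* into K-SPACE */
    if (v.current != &v.kpgt || v.cur_stack != &v.k_stack) return 6;
    if (v.esp_old != 5 || v.esp_new != 3) return 7;
    if (v.k_stack.slot[3] != rip || v.k_stack.slot[4] != 11 || v.k_stack.slot[5] != 22) return 8;
    vmm_setup(&v, kernel_pgt, 6, 2);             /* fault on a page in neither space: refused */
    if (module_call(&v, 4, args, 0, rip) || v.current != &v.mpgt) return 9;
    return 0;
}

int main(void)
{
    int r = check_model();
    if (r == 0) puts("MPGT/KPGT call gate model: all checks passed");
    else printf("check %d failed\n", r);
    return r;
}
```

In the scenario, esp-old is 5 (the RIP slot in M-STACK after two parameters and the RIP are pushed) while esp-new is 3, because K-STACK already holds the kernel's own frame; that difference is why the claims track the two positions separately rather than reusing one stack pointer across the switch.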
CN201510559382.6A 2015-09-06 2015-09-06 A kind of data access method, code call method and virtual machine monitor Active CN106502759B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510559382.6A CN106502759B (en) 2015-09-06 2015-09-06 A kind of data access method, code call method and virtual machine monitor
PCT/CN2016/097246 WO2017036376A1 (en) 2015-09-06 2016-08-29 Data access method, code calling method, and virtual machine monitor

Publications (2)

Publication Number Publication Date
CN106502759A CN106502759A (en) 2017-03-15
CN106502759B true CN106502759B (en) 2019-11-15

Family

ID=58186729

Country Status (2)

Country Link
CN (1) CN106502759B (en)
WO (1) WO2017036376A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112084490A (en) * 2020-09-09 2020-12-15 南京烽火星空通信发展有限公司 Method and system for realizing protection of software source code based on Linux kernel calling
CN114879962B (en) * 2021-02-05 2024-06-04 华为技术有限公司 Method and device for realizing batch system call
CN113448690B (en) * 2021-08-27 2022-02-01 阿里云计算有限公司 Monitoring method and device
CN114490273A (en) * 2022-02-25 2022-05-13 阿里巴巴(中国)有限公司 Data processing method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102938035A (en) * 2012-11-08 2013-02-20 西安交通大学 Driving separation system inside virtual machine and method
CN103778368A (en) * 2014-01-23 2014-05-07 重庆邮电大学 Safe progress isolating method based on system virtualization technology
CN104036185A (en) * 2014-06-23 2014-09-10 常熟理工学院 Virtualization based power and function isolating method for loading module of monolithic kernel operation system
CN104573553A (en) * 2014-12-30 2015-04-29 中国航天科工集团第二研究院七O六所 Xen-oriented memory sharing security isolation method for virtual machines

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101396831B1 (en) * 2007-03-30 2014-05-21 삼성전자주식회사 Method of Controlling Memory Access
US8819676B2 (en) * 2007-10-30 2014-08-26 Vmware, Inc. Transparent memory-mapped emulation of I/O calls

Also Published As

Publication number Publication date
CN106502759A (en) 2017-03-15
WO2017036376A1 (en) 2017-03-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant