CN106775923A - Processor-assisted fine-grained management method for the kernel address space - Google Patents
Publication number: CN106775923A (application CN201611030536.3A)
Authority: CN (China)
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45583—Memory management, e.g. access or allocation
Abstract
The invention discloses a processor-assisted fine-grained management method for the kernel address space, which addresses the insufficient security of kernel address space access in the operating systems of the prior art. The traditional kernel address space is divided into several distinct parts: a common domain, a confidentiality-first security domain, an integrity-first security domain, a transition domain, a management domain and, optionally, other domains; "security domain" means any domain other than the common domain. However many special domains the system adds, every switch between domains is one of two kinds: from the common domain to a security domain, or from a security domain to the common domain. Compared with the prior art, in which introducing virtual machines merely adds several virtual machine guests to the computer system while the address space of the guest operating system the user directly uses remains unchanged and simply divided into user space and kernel space, this method repartitions the kernel address space itself at a finer granularity.
Description
Technical field
The invention relates to a memory management method for computers, and more particularly to a processor-assisted fine-grained management method for the kernel address space.
Background technology
Memory virtualization can be regarded as a way of repartitioning the memory address space. Fig. 2 shows a typical virtual machine architecture: the virtual machine monitor runs directly on the hardware, several virtual machine guests run on the monitor, and each guest runs its own operating system. The address spaces of the monitor and of the guests are thus isolated from one another, and the address space of each guest operating system is in turn divided into user space and kernel space. From the point of view of the computer system, the memory address space is first divided at the granularity of virtual machine guests and then, inside each guest, further divided into user space and kernel space. Other virtual machine architectures exist as well, for example several guests running on a monitor that itself runs on a host operating system, or several guests running on a monitor where one privileged guest manages the other guests together with the monitor. Whatever the architecture, the originally simple address space becomes considerably more complex.
Closer to the present invention is the security architecture called SIM (Secure In-VM Monitoring). SIM was proposed by Monirul Sharif, Wenke Lee, Weidong Cui et al.; its aim is to take full advantage of the security benefits of virtualization without the marked performance degradation caused by frequent switches of the execution environment. As shown in Fig. 3, an operating system runs inside a virtual machine guest, and the address-space layout of SIM adds one SIM space to that of a traditional operating system. The SIM space is the address space in which the operating system monitor resides; it is responsible for monitoring specific monitored objects in user space and kernel space. To reduce the cost of switching the execution environment between the SIM space and the other spaces, Monirul Sharif et al. use the CR3_TARGET_LIST hardware feature to switch quickly between different page tables. Each page table records the access rights of each address space, which restricts monitored objects in the non-SIM spaces from interfering with the monitor's work.
In mainstream commercial operating systems, of which Linux is representative, the kernel address space can be regarded as one contiguous address space: any code in the kernel can access all other data and instructions in the kernel address space. Consequently, once an attacker has entered the kernel address space, every datum and instruction in it is at risk of being attacked or tampered with. It is therefore necessary to repartition the kernel address space, to separate data and code with different security requirements, and to strictly control how one address space switches to another, so that it becomes harder for an attacker to enter the protected parts of the kernel and security-sensitive data and instructions are protected.
Summary of the invention
The invention overcomes the insufficient security of kernel address space access in the operating systems of the prior art by providing a processor-assisted fine-grained management method for the kernel address space, in which the kernel address space is repartitioned and its parts are distinguished from one another.
The technical solution of the invention is a processor-assisted fine-grained management method for the kernel address space with the following steps. The traditional kernel address space is divided into several distinct parts: a common domain, a confidentiality-first security domain, an integrity-first security domain, a transition domain, a management domain and other domains; a security domain is any domain other than the common domain. Switches between domains fall into two kinds, common domain to security domain and security domain to common domain, and this remains true however many special domains the system adds. A switch from the common domain to a security domain consists of the following steps:
Step 1: Mode switch 1, i.e. the common domain switches to the transition domain. It has two links: (1) the springboard checks the legitimacy of the source address; (2) the springboard reads the PMC registers and records the current observed values.
Step 2: Safety verification 1, for which the springboard is responsible. It has two links: (1) the springboard first checks the legitimacy of the source address that initiated the domain switch; (2) once the legitimacy check has passed, the springboard redirects the execution path with respect to the source address, in preparation for an approximate assessment of the integrity of the domain.
Step 3: Mode switch 2, i.e. the transition domain switches to the security domain. It has two links: (1) the springboard modifies the page table, completing a second change of operating mode; (2) having completed the validity check of the request, the springboard looks up the target address of the jump according to the index value.
Step 4: Safety verification 2, for which the springboard is responsible. It has two links: (1) by observing the number of instructions executed and the number of ret branch mispredictions, the springboard judges whether the current execution path is intact and its work has not been interfered with; (2) the springboard jumps to the target address obtained in the previous step, completing the domain switch.
A switch from a security domain to the common domain consists of two main steps:
Step 1: Mode switch 3, which switches from a secure mode such as management mode to transition mode; the result of the service and the position of the re-entry point are written in advance into a particular area in the common domain.
Step 2: Mode switch 4, which switches from transition mode to normal mode: the operating mode is switched again, system interrupts are re-enabled, and execution returns to the re-entry point in the common domain.
The special domains are those newly added to the system by what is called domain registration; domain cancellation means removing a special domain again. At registration the registrant supplies a management feature code, which serves as the verification code for operating on that domain; at cancellation the canceller must supply the same management feature code, and the system verifies the feature code to confirm the identity of the domain's owner. The common domain, the transition domain and the management domain are domains the system requires; they can neither be registered nor cancelled.
Domain registration proceeds as follows: (1) an instruction in the common domain applies to the domain manager in the management domain to register a new domain, submitting the relevant parameters, including the size of the domain space, the access rights of the domain space, the set of service instructions, the service points the domain opens, the domain's management feature code, and so on; (2) the domain manager records the domain's management feature code, allocates a domain space of the requested size, and copies the instructions and data of the domain to be registered from the common domain into the new space; (3) according to the open service points, the domain manager fills in the index table and the jump table.
Domain cancellation is the reverse of domain registration: (1) an instruction in the common domain applies to the domain manager in the management domain to cancel an existing domain, submitting the domain's management feature code; (2) the domain manager verifies that the submitted feature code matches the one used at registration and, if it does not, terminates the cancellation request; (3) the domain manager amends the index table and the jump table so that the domain and the services it provides to users are no longer visible or available; (4) the domain manager releases the space occupied by the domain.
The management domain, the transition domain and the common domain are together called the basic domains. In management mode, instructions in the management domain may read or write the instructions and data of any other domain. In transition mode, the springboard in the transition domain cannot write data in the management domain but can read and write the instructions and data in the common domain. In normal mode, the instructions and data of the management domain are invisible to the common domain, and the common domain can only execute the instructions in the transition domain.
Compared with the prior art, the processor-assisted fine-grained management method for the kernel address space of the invention has the following advantages. After traditional memory virtualization is introduced, the address space of the computer system becomes more complex, but the granularity at which it is managed is still too coarse. In the architecture shown in Fig. 2, several virtual machine guests are simply added to the computer system, while the address space of the operating system the user actually touches (the one inside a virtual machine guest) is unchanged and still simply divided into user space and kernel space. The only change is that the computer system now hosts several operating systems at once.
In view of this limitation of traditional virtualization, researchers proposed the security architecture shown in Fig. 3. Although this architecture changes the internal address-space layout of the operating system, it is still built on a virtual machine monitor, which unavoidably introduces the performance cost of the monitor itself and of switching the execution environment between the monitor and the guest. That cost is often startling, which makes users reluctant to accept a scheme that relies on a virtual machine monitor to repartition the operating system's address space.
This patent proposes a finer-grained division: without relying on a virtual machine monitor, it repartitions the address space of the operating system, and it does so inside the operating system rather than at the granularity of whole operating systems, managing the internal address space at fine granularity. The invention uses the PMC and LBR hardware features of the processor, combined with a transition domain, to improve the security of address-space switching; the domain switching method is the core of the invention.
Brief description of the drawings
Fig. 1 is a schematic diagram of the principle of the processor-assisted fine-grained management method for the kernel address space of the invention;
Fig. 2 is a schematic diagram of one address-space layout after a virtual machine monitor is introduced;
Fig. 3 is a schematic diagram of the address-space layout of the SIM architecture;
Fig. 4 is a schematic diagram of the address-space layout in the method of the invention;
Fig. 5 is a schematic diagram of the switch from the common domain to a security domain;
Fig. 6 is a schematic diagram of using the LBR to extract the source address of a domain switch request;
Fig. 7 is a schematic diagram of using the PMC to observe the execution path;
Fig. 8 is a schematic diagram of the switch from the common domain to a security domain.
Detailed description of the embodiments
The technical terms used in this patent are explained below:
LBR: abbreviation of Last Branch Record, a hardware feature of the processor. In essence it is a set of dedicated registers attached to the processor that record the branch jumps the processor executed most recently. The number of records depends on how many LBR registers the processor has: some processor models record the last four jumps, others record more.
PMC: abbreviation of Performance Monitor Counter, a hardware feature of the processor. In essence it is a set of dedicated processor counters that record how many times certain internal processor events have occurred, for example how many I-cache misses happened or how many instructions were completed.
CR3_TARGET_LIST: a hardware feature of the processor that supports memory virtualization. Its purpose is to allow fast switching of the page table in memory, reducing the performance cost of switching the execution environment between the virtual machine monitor and a virtual machine guest.
Domain: the invention divides the kernel address space into several regions that hold different sets of instructions. Regions are isolated from one another, yet necessary interaction between them also exists. A region is called a domain for short.
Transition domain: among the domains into which the invention divides the kernel address space, the transition domain is a special one. Every switch between domains must first switch to the transition domain; after the instructions in the transition domain have completed their security checks, the transition domain switches to the destination domain.
Management domain: among the domains into which the invention divides the kernel address space, the management domain is the foundation of the security of the whole system; it holds the domain management instructions.
Common domain: among the domains into which the invention divides the kernel address space, the common domain holds the rest of the original kernel, i.e. the instructions and data with no special security requirements.
Springboard: the set of instructions responsible for domain switching. Its role is to check whether a domain switch proceeds as expected, so as to guarantee the security of the switch. The springboard lives in the transition domain.
Domain manager: the set of instructions responsible for domain management such as domain registration and domain cancellation. The domain manager lives in the management domain. It does not replace the original memory management subsystem; the main memory management operations are still performed by that subsystem.
Sensitive instructions: the invention calls instructions that change the access rights of memory pages, such as creating a page table or modifying page-table access rights, sensitive instructions.
Execution path integrity: to accomplish a given function, instructions run along a predetermined execution path. The general concept related to execution path integrity is control-flow integrity. Execution path integrity can be regarded as coarse-grained control-flow integrity: it emphasizes that a larger path of execution has not been tampered with, without checking every individual control transfer.
The processor-assisted fine-grained management method for the kernel address space of the invention is further described below with reference to the drawings and a specific embodiment:
This embodiment explains the operating principle of the invention with reference to Fig. 1. After the invention is introduced, the originally single kernel address space is divided into several different address spaces. The most central of them is the address space in which the address space manager resides, denoted S(t). The rest of the kernel address space is divided into several different regions, denoted S(l1), S(l2), ..., S(ln). From a security standpoint there should be no overlap between S(t), S(l1), S(l2), ..., S(ln), but for practicality and efficiency a small amount of necessary overlap between them is allowed.
S(t) is the address space where the address space manager resides; the manager is responsible for setting the permissions of each address space and for switching between address spaces. Code running in a particular address space may only act within the permissions the address space manager has assigned to it. As soon as an access violates those permissions, a memory access exception is raised, the system traps into the address space manager, and the manager makes the security decision. The address space manager comprises part of the system's original memory management together with newly designed system components.
S(l1), S(l2), ..., S(ln) hold the other instructions and data of the kernel. In the simplest case the whole kernel address space consists of only two address spaces, S(t) and S(l1); this structure is closest to the address-space layout of existing operating system kernels. In theory the kernel address space may contain address spaces of many security levels, but setting up many levels usually causes frequent switching between address spaces and hurts overall system efficiency.
The focus of the invention is how to switch securely between address spaces. Fine-grained management of the address space is a common means of system security, for example the separation of the address spaces of different processes, or of user address space from kernel address space. There are many reasons why the kernel address space has not been further managed at fine granularity, but one important reason is that switching between address spaces could not be made both efficient and secure. When frequent switching between address spaces degrades overall system performance without markedly improving the system's security, people naturally settle for the existing compromise. The optimization of processor performance and the appearance of certain hardware features now offer an opportunity for secure address-space switching, and thereby make further fine-grained management of the address space possible.
The following first explains, as a whole, the changes the invention makes to the kernel address space and the corresponding access rights, and then explains the method of switching between domains and how processor hardware features are used to guarantee the security of domain switches.
1. Address space division and access rights
After the invention is introduced, the layout of the kernel address space is as shown in Fig. 4. The traditional kernel address space is divided into several distinct parts: a common domain, a confidentiality-first security domain, an integrity-first security domain, a transition domain, a management domain and other security domains. The common domain, the transition domain and the management domain are required by the system; specific security domains such as the confidentiality-first and integrity-first security domains are optional and are registered dynamically by the user as needed.
The domain manager is deployed in the management domain and is responsible for fine-grained management of the kernel address space; it consists of part of the original memory management subsystem plus newly added components. The springboard is deployed in the transition domain and is responsible for secure switching between the different address spaces of the kernel. The common domain holds the remaining parts of the original kernel. The confidentiality-first and integrity-first security domains are requested from the domain manager by the user according to security requirements; the user may also request new security domains with specified permission requirements.
Table 1 summarizes the access rights of the basic domains; the invention calls the management domain, the transition domain and the common domain the basic domains. In management mode, instructions in the management domain may read or write the instructions and data of any other domain; the management domain is the address space with the highest permission level and is the trusted foundation of the system. In transition mode, the springboard in the transition domain cannot write data in the management domain, but can read and write the instructions and data in the common domain. In normal mode, the instructions and data of the management domain are invisible to the common domain, which can only execute the instructions in the transition domain. The system allows new security domains to be added and their access rights to be set, but those rights may not violate the basic principle that a newly added security domain can never modify the instructions or data of the management domain or the transition domain.
Table 1: Execution modes of the basic domains and domain access rights
2. Switching from the common domain to a security domain
Different domains are relatively independent, yet a small amount of interaction between them is unavoidable, so the system must provide a method of switching address spaces. However many specific domains the system adds (for example a confidentiality-first security domain or an integrity-first security domain), switches between domains fall into two kinds: from the common domain to a security domain, and from a security domain to the common domain. Here a security domain means any domain other than the common domain.
As shown in Fig. 5, a switch from the common domain to a security domain consists of the following steps: mode switch 1 (common domain to transition domain), safety verification 1 (performed by the springboard), mode switch 2 (transition domain to security domain) and safety verification 2 (performed by the springboard). To guarantee security, instructions in the common domain can only jump into a security domain through a predetermined entry address and along a predetermined execution path. The index table and the jump table assist in detecting the legitimacy of the jump instruction and the correctness of the execution path. The four processes are described in turn below.
A. Mode switch 1
Mode switch 1 is the process by which the system's operating mode switches from normal mode to transition mode. At the start of this stage the system is in normal mode and, according to the access rights in Table 1, instructions in the transition domain may be executed. Thus an instruction in the common domain can jump directly into the transition domain, but it only has execute permission there and cannot read or write the data of the transition domain. The index table is open to instructions in the common domain and is used when they jump into the transition domain. When the common domain wants to enter a security domain, it calls the fixed entry address in the transition domain (for example 0x12345678) and supplies an index value, from which the springboard determines which service the common domain is requesting. Switching into the transition domain through any address other than the fixed entry address is forbidden.
The index value stored in the index table is a pair of integers (i, j), where i is called the service number and j the identification code. i records the position of the destination address in the jump table: if the first address of the jump table is addr and each item has size size, the destination address is addr + size * (i - 1). i identifies this jump uniquely, and j is the identification code of i. Because the system allows security domains and their service interfaces to be registered and cancelled dynamically, a given value of i will be recycled. If service numbers were not further distinguished, a user intending to call a service of security domain X might, because security domain X has been cancelled and its service number reassigned to another domain, actually call a service of security domain Y without knowing it. This is why the index value is a pair of integers.
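As an added example (not the patent's code), serving both the domain registration and cancellation procedure described in the summary of the invention and the (i, j) index value just described, the following C sketch of a domain manager shows why the identification code is needed: after domain X is cancelled, domain Y receives the same service number, and a stale (i, j) pair saved by a caller of X no longer resolves. The domain ids, the table sizes, the write-right bits, the feature-code comparison and the malloc-backed "domain space" are assumptions of this example; a real implementation would live in the management domain and draw its space from the kernel's memory management subsystem.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the patent's code: a toy domain manager that registers and cancels
 * domains under a management feature code and publishes their open service points in a
 * jump table. Domain ids, table sizes and the right bits are assumptions of this example. */
#define MAX_DOMAINS  8
#define MAX_SERVICES 16
/* Basic domains occupy fixed ids and can neither be registered nor cancelled. */
enum { DOM_COMMON = 0, DOM_TRANSITION = 1, DOM_MANAGEMENT = 2, DOM_FIRST_DYNAMIC = 3 };
#define RIGHT_W(dom) (1u << (dom))   /* requested right to write domain `dom` */
/* feature_code: recorded at registration; space: assumed to come from the existing memory subsystem. */
struct domain { int in_use; uint64_t feature_code; uint8_t *space; };
/* Jump table: slot i-1 holds service number i, so an entry sits at addr + size * (i - 1).
 * Service numbers are recycled after cancellation; identification codes never are. */
struct jump_entry { int valid; int domain; uint32_t ident; uintptr_t target; };
struct index_pair { int i; uint32_t j; };
static struct domain     domains[MAX_DOMAINS];
static struct jump_entry jump_table[MAX_SERVICES];
static uint32_t          next_ident = 1;

void domain_manager_reset(void)
{
    for (int d = 0; d < MAX_DOMAINS; d++) free(domains[d].space);
    memset(domains, 0, sizeof domains);
    memset(jump_table, 0, sizeof jump_table);
    next_ident = 1;
    for (int d = 0; d < DOM_FIRST_DYNAMIC; d++) domains[d].in_use = 1;
}

/* Domain cancellation: the canceller must present the feature code used at registration. */
int domain_unregister(int d, uint64_t feature_code)
{
    if (d < DOM_FIRST_DYNAMIC || d >= MAX_DOMAINS || !domains[d].in_use) return -1;
    if (domains[d].feature_code != feature_code) return -1;          /* owner check failed */
    for (int s = 0; s < MAX_SERVICES; s++)                              /* amend the jump table */
        if (jump_table[s].valid && jump_table[s].domain == d) jump_table[s].valid = 0;
    free(domains[d].space);                                            /* release the space */
    memset(&domains[d], 0, sizeof domains[d]);
    return 0;
}

/* Domain registration. Returns the new domain id, or -1 if the request violates policy.
 * out[k] receives the index value (i, j) that common domain must use to call service k. */
int domain_register(const uint8_t *image, size_t size, uint32_t write_rights,
                    const size_t *service_offsets, int nservices,
                    uint64_t feature_code, struct index_pair *out)
{
    /* A newly added security domain may never modify the management or transition domain. */
    if (write_rights & (RIGHT_W(DOM_MANAGEMENT) | RIGHT_W(DOM_TRANSITION))) return -1;
    int d = DOM_FIRST_DYNAMIC;
    while (d < MAX_DOMAINS && domains[d].in_use) d++;
    if (d == MAX_DOMAINS) return -1;
    uint8_t *space = malloc(size);                /* allocate the requested domain space ... */
    if (!space) return -1;
    memcpy(space, image, size);                   /* ... and copy the domain image into it */
    domains[d] = (struct domain){ 1, feature_code, space };
    /* Publish the open service points: lowest free service number, fresh identification code. */
    for (int k = 0; k < nservices; k++) {
        int s = 0;
        while (s < MAX_SERVICES && jump_table[s].valid) s++;
        if (s == MAX_SERVICES || service_offsets[k] >= size) {
            domain_unregister(d, feature_code);                        /* roll back */
            return -1;
        }
        jump_table[s] = (struct jump_entry){ 1, d, next_ident, (uintptr_t)space + service_offsets[k] };
        out[k] = (struct index_pair){ s + 1, next_ident++ };
    }
    return d;
}

/* Springboard-side lookup of an index value: accepted only if the entry at
 * addr + size * (i - 1) is live and still carries identification code j. */
uintptr_t resolve_service(int i, uint32_t j)
{
    if (i < 1 || i > MAX_SERVICES) return 0;
    const struct jump_entry *e = &jump_table[i - 1];
    return (e->valid && e->ident == j) ? e->target : 0;
}

static const uint8_t sample_image[32] = { 0xC3 };   /* constructed image: one ret, then padding */

/* Scenario: domain X is cancelled, domain Y reuses its service number, the stale index
 * value of X is refused, and policy violations are rejected. Returns 0 when every check passes. */
int scenario_recycled_service_number(void)
{
    struct index_pair px[1], py[1];
    size_t entry = 0;
    domain_manager_reset();
    int x = domain_register(sample_image, sizeof sample_image, RIGHT_W(DOM_COMMON), &entry, 1, 0x1111, px);
    if (x < 0) return 1;
    if (domain_unregister(x, 0x9999) != -1) return 2;            /* wrong feature code */
    if (domain_unregister(x, 0x1111) != 0) return 3;
    int y = domain_register(sample_image, sizeof sample_image, RIGHT_W(DOM_COMMON), &entry, 1, 0x2222, py);
    if (y < 0) return 4;
    if (py[0].i != px[0].i || py[0].j == px[0].j) return 5;      /* same i, new j */
    if (resolve_service(px[0].i, px[0].j) != 0) return 6;        /* stale (i, j) refused */
    if (resolve_service(py[0].i, py[0].j) != (uintptr_t)domains[y].space) return 7;
    if (domain_register(sample_image, 32, RIGHT_W(DOM_MANAGEMENT), &entry, 1, 7, px) != -1) return 8;
    if (domain_unregister(DOM_COMMON, 0) != -1) return 9;        /* basic domains are fixed */
    return 0;
}
```

The scenario function doubles as the usage: register, cancel with the wrong and then the right feature code, register again, and resolve both the stale and the fresh index value. The identification code is a monotonically increasing counter here; any scheme that never hands out the same j twice for the same i serves the purpose the text describes.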
The system uses the processor's LBR hardware feature to check the legitimacy of the source address that initiated the domain switch. As shown in Fig. 6, at the assembly level the jump from the common domain into the transition domain is a jump instruction, and two general-purpose registers of the processor carry the service number and the identification code. When the instructions of the transition domain gain control, they first read the contents of the LBR registers. The LBR register group forms a ring buffer, with a top-of-stack pointer that points at the most recent jump record. If, for example, the instruction call *0x12345678 sits at address 0xc0123456, then after it executes the LBR register group records the jump (0xc0123456, 0x12345678). The springboard thereby learns the source address that initiated the domain switch and checks its legitimacy in the subsequent work.
The essential work of a mode switch is modifying page table contents. During the mode switch, the springboard changes the access rights of the memory pages where the transition domain resides, switching the system operating mode from the normal mode to the transition mode. In theory the access rights of the common domain should also be changed to remove its execute permission, but for efficiency this modification can be omitted: although common-domain instructions still hold execute permission at this point, the springboard does not hand the processor's execution right back to them, so no security problem results. On the other hand, because the transition domain is a frequently used security domain, its memory pages can stay resident in memory, further reducing the overhead caused by page faults. After the mode switch is complete, the springboard has permission to read and write the transition domain's instructions and data and can call instructions and data in the management domain, so the next detection step can proceed.
In summary, this stage consists of the following links: 1. an instruction in the common domain jumps into the transition domain through the index table, and the springboard starts executing; 2. the springboard disables interrupts, so the domain switch cannot be interrupted; 3. the springboard immediately reads the LBR registers and collects the source address of the domain-switch request; 4. the springboard reads the page table base register (CR3) and, on the current page table, modifies the permissions of the space where the transition domain resides, switching the system operating mode from the normal mode to the transition mode.
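The following is an added C model of the springboard's entry-path checks described above; it is not code from the patent. It models the fixed entry address 0x12345678 and the LBR pair (0xc0123456, 0x12345678) given in the text, the index value (i, j), the jump table lookup addr + size*(i-1), and the per-service source-address policies (whitelist, unrestricted, address range, last two bits zero). The table contents, the extra caller addresses, the service targets and the status names are constructed for the example; in a real implementation the LBR record and the page-table work come from hardware and the domain manager.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed model of the springboard entry path: fixed entry address,
 * LBR top-of-stack record, index value (i, j), jump table addressed as
 * addr + size*(i-1), and the per-service source-address policy.
 * All table contents and extra addresses are made-up sample values. */

#define FIXED_ENTRY 0x12345678u  /* fixed entry address of the transition domain (from the text) */

typedef struct { uint32_t from, to; } lbr_record;  /* one LBR "from -> to" pair */

typedef enum { SRC_ANY, SRC_WHITELIST, SRC_RANGE, SRC_ALIGNED4 } src_policy;

typedef struct {
    uint32_t ident;            /* j: identification code of this registration of i */
    uint32_t target;           /* service entry address inside the security domain */
    src_policy policy;         /* how the caller address is restricted */
    const uint32_t *list;      /* SRC_WHITELIST: allowed caller addresses */
    size_t n_list;
    uint32_t lo, hi;           /* SRC_RANGE: allowed [lo, hi) */
} jump_entry;

typedef enum { SB_OK, SB_BAD_ENTRY, SB_BAD_SERVICE, SB_BAD_IDENT, SB_BAD_SOURCE } sb_status;

/* destination = addr + size*(i-1), exactly as the text defines the jump table lookup */
static const jump_entry *jump_lookup(const jump_entry *table, size_t n, uint32_t i) {
    if (i < 1 || i > n) return NULL;
    uintptr_t addr = (uintptr_t)table;
    return (const jump_entry *)(addr + sizeof(jump_entry) * (uintptr_t)(i - 1));
}

static bool source_allowed(const jump_entry *e, uint32_t src) {
    switch (e->policy) {
    case SRC_ANY:      return true;
    case SRC_WHITELIST:
        for (size_t k = 0; k < e->n_list; k++) if (e->list[k] == src) return true;
        return false;
    case SRC_RANGE:    return src >= e->lo && src < e->hi;
    case SRC_ALIGNED4: return (src & 3u) == 0;  /* "the last two bits must be zero" */
    }
    return false;
}

/* Springboard logic run right after the common-domain jump lands on FIXED_ENTRY.
 * lbr_top is the record the LBR top-of-stack pointer designates. */
sb_status springboard_enter(const jump_entry *table, size_t n, const lbr_record *lbr_top,
                            uint32_t i, uint32_t j, uint32_t *target_out) {
    /* 1. only the fixed entry point may be used to enter the transition domain */
    if (lbr_top->to != FIXED_ENTRY) return SB_BAD_ENTRY;
    /* 2. safety verification 1: caller address against the service's policy */
    const jump_entry *e = jump_lookup(table, n, i);
    if (!e) return SB_BAD_SERVICE;
    if (!source_allowed(e, lbr_top->from)) return SB_BAD_SOURCE;
    /* 3. mode switching 2: (i, j) must match, so a recycled i with a stale j is refused */
    if (e->ident != j) return SB_BAD_IDENT;
    *target_out = e->target;
    return SB_OK;
}

/* Constructed sample table: two registered services with different policies. */
static const uint32_t svc1_callers[] = { 0xc0123456u, 0xc0123470u };
static const jump_entry sample_table[2] = {
    { .ident = 0x1001u, .target = 0xd0000100u, .policy = SRC_WHITELIST,
      .list = svc1_callers, .n_list = 2 },
    { .ident = 0x2002u, .target = 0xd0000200u, .policy = SRC_ALIGNED4 },
};

/* Runs one constructed switch request through the springboard checks. */
sb_status sample_call(uint32_t from, uint32_t to, uint32_t i, uint32_t j, uint32_t *target) {
    lbr_record top = { from, to };
    return springboard_enter(sample_table, 2, &top, i, j, target);
}
```

The order of the checks follows the text: the entry address and the caller address are examined before the (i, j) pair, so a request arriving through a non-fixed entry never reaches the table at all.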
B. Safety verification 1
In this step, the springboard first checks the legitimacy of the source address that initiated the domain switch. The check relies on a test standard preset by the system user. In general, a service that a security domain provides to the common domain can restrict entry to particular addresses in the common domain. When it publishes a service to the common domain, the security domain sets a whitelist of legal addresses for each service. In use, when the common domain switches to a security domain, the springboard matches the source address of the jump it obtained against the whitelist and rejects the domain switch if the address is illegal. Besides a whitelist, the source address may be left unrestricted, or required to satisfy certain features, for example a legal address range, or the last two bits of the address being zero.
After the source address passes the legitimacy check, the springboard prepares for the integrity check of the execution path of the domain switch. Strictly verifying that an execution path matches expectations is very difficult; execution-path integrity can only be assessed approximately. As shown in Fig. 7, the invention uses PMC support to observe several indexes of the execution path and form a benchmark; during verification it observes those indexes again and compares them with the benchmark, and a large deviation indicates that the execution path has changed. Because the PMC records the frequency of processor events, obtaining the observed value of an index requires recording the current value b1 of those indexes in this link; when the indexes are observed again, a second value b2 is obtained, and b2 - b1 is the observation result.
In summary, this stage consists of two links: 1. the springboard checks the legitimacy of the source address; 2. the springboard reads the PMC registers and records the current observed value.
C. Mode switching 2
Mode switching 2 is the process of switching the system operating mode from the transition mode to the specified secure mode. At this stage the system is already in the transition mode and has completed preliminary safety detection; instructions now also have execute permission in the target security domain, so the domain can be switched further. The springboard again reads the page table base register and changes the memory page access rights according to Table 1, switching the system operating mode from the transition mode to the target mode in order to jump into the target domain.
After the operating-mode switch is complete, the system jumps to the specified service in the target domain based on the information submitted during mode switching 1. In mode switching 1 the common domain submitted the index value (i, j) as a parameter to the transition domain. In this link the springboard checks whether the index value matches according to the service number i and identification code j, mainly to prevent the common domain from submitting an illegal service request; the springboard then looks up the destination service entry address recorded in the jump table according to service number i and prepares to jump to that target address.
In summary, this stage consists of two links: 1. the springboard modifies the page table, completing the second operating-mode switch; 2. after completing the request validity check, the springboard finds the destination address of the jump according to the index value.
D. Safety verification 2
Safety verification 2 is the last step before the springboard switches to the target domain; its purpose is to check whether the springboard's execution path is normal. It works by using the PMC hardware feature to observe specific processor indexes and, combined with the observation result from the safety verification 1 step, judging whether the springboard has worked along the preset operating path. If not, the domain switch is rejected and an error message is returned.
The observed indexes are the number of executed instructions and the number of ret branch-prediction failures. The first index basically reflects the length of the operating path, but for an attacker, forging an operating path of equal length is relatively easy. The invention therefore introduces the second index, the number of ret branch-prediction failures. During system startup, the springboard's instructions are rewritten as necessary: some direct jmp jump instructions are selected at random and replaced with ret instructions. The replacement is as follows: jmp destination-address is changed into two instructions, push destination-address and ret. Such a substitution causes a ret branch-prediction failure event when the instructions execute, and in general one substitution produces exactly one ret branch-prediction failure event. Because the substitution points are selected at random at system startup, an attacker cannot measure the number of ret branch-prediction failure events produced by a given execution path, whereas the system, which knows the distribution of substitution points, knows the number of ret branch-prediction failure events produced by each execution path. Using this method, the springboard approximately judges whether the current execution path is intact.
In summary, this stage consists of two links: 1. the springboard judges whether the current execution path is intact by observing the number of executed instructions and the number of ret branch-prediction failure events, without interfering with the working process; 2. the springboard performs the jump to the destination address obtained in the previous step, completing the domain switch.
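The following is an added C simulation of the PMC-based path integrity check described in safety verification 1 and safety verification 2; it is not code from the patent and touches no hardware. A springboard path is modelled as a list of basic blocks, the startup rewriting of selected direct jmp sites into push + ret is applied from a substitution mask, and the two PMC indexes (executed instructions, ret branch-prediction failures) are sampled as b1 and b2 so that b2 - b1 can be compared with the startup baseline. The block sizes, the substitution mask, the counter values and the tolerance are constructed for the example; a real implementation would draw the substitution points from an unpredictable source and read the counters from the PMC.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed simulation of the PMC-based path check. One substitution of
 * "jmp target" by "push target; ret" costs one extra instruction and, as the
 * text states, one ret misprediction each time it executes. */

typedef struct { uint64_t instructions; uint64_t ret_mispredicts; } pmc_sample;

typedef struct {
    uint32_t body_insns;  /* instructions in the block before its terminating jump */
    bool ends_in_jmp;     /* block ends in a direct jmp (a candidate for substitution) */
    bool substituted;     /* jmp rewritten as push+ret at startup */
} block;

/* Startup step: apply the substitution choice given as a bit mask (bit k = block k).
 * Supports at most 32 blocks; the mask is the caller's random choice. */
void choose_substitutions(block *path, size_t n, uint32_t mask) {
    for (size_t k = 0; k < n && k < 32; k++)
        path[k].substituted = path[k].ends_in_jmp && ((mask >> k) & 1u);
}

/* What executing the path adds to the two counters: jmp = 1 insn, push+ret = 2. */
pmc_sample path_cost(const block *path, size_t n) {
    pmc_sample s = {0, 0};
    for (size_t k = 0; k < n; k++) {
        s.instructions += path[k].body_insns;
        if (path[k].ends_in_jmp) {
            s.instructions += path[k].substituted ? 2 : 1;
            if (path[k].substituted) s.ret_mispredicts += 1;
        }
    }
    return s;
}

/* Safety verification 2: compare (b2 - b1) with the startup baseline.
 * tol is the tolerated absolute error of the instruction count (the PMC may
 * count a few unrelated events); the ret index must match exactly. */
bool path_intact(pmc_sample baseline, pmc_sample b1, pmc_sample b2, uint64_t tol) {
    uint64_t d_insn = b2.instructions - b1.instructions;
    uint64_t d_ret  = b2.ret_mispredicts - b1.ret_mispredicts;
    uint64_t err = d_insn > baseline.instructions ? d_insn - baseline.instructions
                                                  : baseline.instructions - d_insn;
    return err <= tol && d_ret == baseline.ret_mispredicts;
}

/* Constructed springboard path: four blocks, three of them ending in a direct jmp. */
static const block sample_path[4] = {
    {10, true, false}, {7, true, false}, {12, false, false}, {5, true, false}
};
#define SAMPLE_MASK 0x9u  /* substitute the jmp in blocks 0 and 3 (constructed choice) */

/* Baseline recorded at system startup once the substitution points are fixed. */
pmc_sample sample_baseline(void) {
    block path[4];
    for (size_t k = 0; k < 4; k++) path[k] = sample_path[k];
    choose_substitutions(path, 4, SAMPLE_MASK);
    return path_cost(path, 4);
}

/* A legitimate run versus a forged path of equal length that uses plain jumps
 * and therefore produces no ret mispredictions. Returns 1 if the check accepts. */
int simulate(bool forged) {
    pmc_sample baseline = sample_baseline();
    pmc_sample b1 = { 1000, 40 };                 /* counters read at safety verification 1 */
    pmc_sample run = baseline;
    if (forged) run.ret_mispredicts = 0;          /* same length, rets replaced by jmps */
    pmc_sample b2 = { b1.instructions + run.instructions,
                      b1.ret_mispredicts + run.ret_mispredicts };  /* read at verification 2 */
    return path_intact(baseline, b1, b2, 2) ? 1 : 0;
}
```

The simulation makes the text's argument concrete: the forged path matches the instruction count exactly, so the first index alone would accept it, and only the ret index, which depends on the substitution mask the attacker does not know, rejects it.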
3. Security domain switches to common domain
The process by which a security domain switches to the common domain is shown in Fig. 8 and consists of two big steps: mode switching 3 and mode switching 4. Mode switching 3 switches a secure mode such as the management mode to the transition mode; mode switching 4 switches the transition mode to the normal mode. The system first performs mode switching 3: the system operating mode switches to the transition mode, and the service result and the position of the return point are written in advance into a particular space in the common domain. Mode switching 4 then switches the operating mode again, re-enables system interrupts, and returns to the return point in the common domain. Switching from a security domain to the common domain is relatively simple: because the security sensitivity of the executing program decreases, this switch need not impose strict security requirements, and so does not add to the overall cost of domain switching.
4. Domain registration and domain cancellation
Domain registration means adding a new special domain to the system; domain cancellation means removing a memory domain. When a domain is registered, the registrant provides a management feature code, which serves as the verification code for operating the domain; when the domain is cancelled, the canceller provides the same management feature code, and the system verifies the feature code to confirm the identity of the domain's owner. Note that the common domain, the transition domain and the management domain are required by the system and may neither be registered nor cancelled.
The domain registration process is as follows: 1. an instruction in the common domain applies to the domain manager in the management domain to register a new domain, submitting the relevant parameters, including the domain space size, the domain space access rights, the service instruction set, the open service points in the domain, the domain's management feature code, and so on; 2. the domain manager records the domain's management feature code, allocates a domain space of the requested size, and copies the instructions and data of the domain to be registered from the common domain into the new space; 3. the domain manager fills in the index table and the jump table according to the open service points.
The domain cancellation process is the reverse of registration: 1. an instruction in the common domain applies to the domain manager in the management domain to cancel an existing domain and submits the domain's management feature code; 2. the domain manager verifies that the management feature code matches the one used at registration and terminates the cancellation request if it does not; 3. the domain manager amends the index table and jump table so that the domain and the services it provides to users are no longer visible or available; 4. the domain manager releases the space occupied by the domain.
5. On sensitive instructions
To guarantee the access rights of every domain, the invention requires that only the domain manager and the springboard can modify the page table. To achieve this, every instruction fragment loaded into the kernel address space should be verified in advance to ensure that it contains no sensitive instructions. A thorough check for sensitive instructions, in particular one intended to prevent code-reuse attacks, may take a certain amount of time. To avoid performing the check while an instruction set is being loaded into memory, the check can be performed in advance on each kernel module or instruction set, generating an integrity fingerprint per loaded memory page; then, when loading the kernel address space, the domain manager only needs to perform a simple integrity-fingerprint verification, which improves overall system performance.
In the invention, the analysis and detection of sensitive instructions is an additional step. Techniques now exist that can scan instruction fragments and find fragments with specific functions; of course, techniques such as instruction obfuscation also exist for hiding specific instruction fragments. The invention makes no requirement on sensitive-instruction discovery or concealment techniques, but it expects sensitive-instruction discovery techniques to be applied to ensure that no sensitive instructions exist within a specified domain.
The key points of the invention, and the points it intends to protect, are:
(1) An elastic fine-grained partitioning framework for the kernel address space: the invention proposes partitioning the kernel address space into the fine-grained framework shown in Fig. 4, which, while guaranteeing the three basic domains (management domain, transition domain and common domain), allows users to define new security domains to meet further security requirements.
(2) Combining the LBR feature with the index table to restrict illegal entry: the invention uses the LBR feature to trace back the source address of a jump and, together with the index table, detects the legitimacy of the jump address.
(3) Combining the PMC with dynamic code rewriting to detect execution-path integrity: the invention rewrites code dynamically while it is being loaded into memory and uses the PMC feature to detect the number of executed instructions and the number of ret branch-prediction failures, examining execution-path integrity from both a positive and a negative aspect.
(4) A domain switch method based on a two-mode conversion through a springboard: using the springboard as an intermediate link, the system operating mode is converted in two stages, so that domain switches between the common domain and security domains are controllable.
Claims (5)
1. A processor-assisted fine-grained management method for the kernel address space, characterised in that: the traditional kernel address space is divided into multiple different parts: a common domain, confidentiality-first security domains, integrity-first security domains, a transition domain, a management domain or other domains; a security domain means any domain other than the common domain; switching between domains is divided into the common domain switching to a security domain and a security domain switching to the common domain; the system adds multiple special domains, and switching between domains is of two kinds, the common domain switching to a security domain and a security domain switching to the common domain, wherein the process of the common domain switching to a security domain is divided into the following steps:
Step 1: mode switching 1, i.e. the common domain switches to the transition domain, comprising two links: 1. the springboard checks the legitimacy of the source address; 2. the springboard reads the PMC registers and records the current observed value;
Step 2: safety verification 1, i.e. the springboard performs checks, comprising two links: 1. the springboard first checks the legitimacy of the source address that initiated the domain switch; 2. after the source address passes the legitimacy check, the springboard prepares an approximate assessment of the integrity of the execution path of the domain switch;
Step 3: mode switching 2, i.e. the transition domain switches to the security domain, comprising two links: 1. the springboard modifies the page table, completing the second operating-mode switch; 2. after completing the request validity check, the springboard finds the destination address of the jump according to the index value;
Step 4: safety verification 2, i.e. the springboard performs checks, comprising two links: 1. the springboard judges whether the current execution path is intact by observing the number of executed instructions and the number of ret branch-prediction failure events, without interfering with the working process; 2. the springboard performs the jump to the destination address obtained in the previous step, completing the domain switch;
wherein the process of a security domain switching to the common domain comprises two big steps:
Step 1: mode switching 3, which switches a secure mode such as the management mode to the transition mode, i.e. the service result and the position of the return point are written in advance into a particular space in the common domain;
Step 2: mode switching 4, which switches the transition mode to the normal mode, i.e. the operating mode is switched again, system interrupts are enabled, and control returns to the return point in the common domain.
2. The processor-assisted fine-grained kernel address space management method according to claim 1, characterised in that: adding a special domain to the system is called domain registration, and domain cancellation means removing a special domain; when a domain is registered, the registrant provides a management feature code as the verification code for operating the domain; when the domain is cancelled, the canceller provides the management feature code, and the system verifies the legitimacy of the feature code to confirm the identity of the domain's owner; wherein the common domain, the transition domain and the management domain are domains required by the system and may neither be registered nor cancelled.
3. The processor-assisted fine-grained kernel address space management method according to claim 2, characterised in that the domain registration process is as follows: 1. an instruction in the common domain applies to the domain manager in the management domain to register a new domain, submitting the relevant parameters, including the domain space size, the domain space access rights, the service instruction set, the open service points in the domain, the domain's management feature code, and so on; 2. the domain manager records the domain's management feature code, allocates a domain space of the requested size, and copies the instructions and data of the domain to be registered from the common domain into the new space; 3. the domain manager fills in the index table and the jump table according to the open service points.
4. The processor-assisted fine-grained kernel address space management method according to claim 2, characterised in that the domain cancellation process is the reverse of the registration process: 1. an instruction in the common domain applies to the domain manager in the management domain to cancel an existing domain and submits the domain's management feature code; 2. the domain manager verifies that the management feature code matches the one used at registration and terminates the cancellation request if it does not; 3. the domain manager amends the index table and the jump table so that the domain and the services it provides to users are no longer visible or available; 4. the domain manager releases the space occupied by the domain.
5. The processor-assisted fine-grained kernel address space management method according to claim 1, characterised in that: the management domain, the transition domain and the common domain are collectively called the basic domains; in the management mode, instructions in the management domain can read or write the instructions and data of any other domain; in the transition mode, the springboard in the transition domain cannot write the data of the management domain but can read and write the instructions and data of the common domain; in the normal mode, the instructions and data of the management domain are invisible to the common domain, and the common domain can only execute the instructions of the transition domain.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201611030536.3A CN106775923B (en) | 2016-11-16 | 2016-11-16 | The kernel address space fine granularity management method that processor is assisted
Publications (2)
Publication Number | Publication Date
---|---
CN106775923A true CN106775923A (en) | 2017-05-31
CN106775923B CN106775923B (en) | 2019-06-28
Family
ID=58971697
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
CN201611030536.3A Expired - Fee Related CN106775923B (en) | 2016-11-16 | 2016-11-16 | The kernel address space fine granularity management method that processor is assisted
Country Status (1)
Country | Link
---|---
CN (1) | CN106775923B (en)
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN108021827A (en) * | 2017-12-07 | 2018-05-11 | 中科开元信息技术(北京)有限公司 | A kind of method and system based on area mechanism structure security system
WO2022100247A1 (en) * | 2020-11-13 | 2022-05-19 | 华为技术有限公司 | Method for switching execution environment and related device
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN101616194A (en) * | 2009-07-23 | 2009-12-30 | 中国科学技术大学 | The optimizing host network performance system and method
CN102073529A (en) * | 2011-01-30 | 2011-05-25 | 华为技术有限公司 | Method and computer system for upgrading super kernel component
CN104850787A (en) * | 2015-02-11 | 2015-08-19 | 数据通信科学技术研究所 | Mobile terminal operation system based on high-assurance kernel module and realization method of mobile terminal operation system
US20160048401A1 (en) * | 2014-08-15 | 2016-02-18 | International Business Machines Corporation | Virtual machine manager initiated page-in of kernel pages
CN105868626A (en) * | 2016-03-25 | 2016-08-17 | 中国人民解放军信息工程大学 | A method of monitoring software business activity based on control flow coarseness integrity
Non-Patent Citations (1)
Title
---
Dong Yu, et al.: "Analysis of kernel-space and user-space communication based on the netlink mechanism", Measurement and Control Technology (《测控技术》) *
Also Published As
Publication number | Publication date
---|---
CN106775923B (en) | 2019-06-28
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20190628