CN106845245B - Vulnerability hot-patching method based on the Xen virtualization platform - Google Patents

Vulnerability hot-patching method based on the Xen virtualization platform - Download PDF

Info

Publication number
CN106845245B
CN106845245B
Authority
CN
China
Prior art keywords
xen
patch
dom0
virtual
hypercalls
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201611191813.9A
Other languages
Chinese (zh)
Other versions
CN106845245A (en)
Inventor
贾晓启
郑小妹
唐静
杜海超
白璐
武希耀
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS
Priority to CN201611191813.9A
Publication of CN106845245A
Application granted
Publication of CN106845245B
Legal status: Active
Anticipated expiration

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572Secure firmware programming, e.g. of basic input output system [BIOS]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances

Abstract

The present invention relates to a vulnerability hot-patching method based on the Xen virtualization platform. The method repairs Xen platform vulnerabilities through the privileged domain Dom0, without rebooting the machine or suspending the virtual machines running on the platform, and thereby provides hot patching of vulnerabilities in Xen-based virtualization platforms. Patch insertion and application are carried out entirely by the privileged domain Dom0, which keeps the patch controllable and safe. The newly added Xen hypercall operation is used only for communication between Xen and Dom0: it sets flag bits before patch insertion and clears them after insertion, and contains no operation that adds, deletes, modifies or queries the patch itself, so a malicious attacker cannot use a virtual machine's hypercall to damage Xen kernel functions. The invention can accurately repair virtualization platform vulnerabilities without rebooting the machine, keeps the virtual machines on the platform running normally, and is safer because the repair is performed through Dom0.

Description

Vulnerability hot-patching method based on the Xen virtualization platform
Technical field
The invention belongs to the field of cloud computing security technology and relates to a method for repairing virtualization platform vulnerabilities, in particular to a vulnerability hot-patching method based on the Xen virtualization platform.
Background art
Cloud computing, as a rapidly emerging computing model, has received extensive attention from government, industry and academia and is bringing profound change to the entire IT industry. Cloud computing refers to applications delivered as services over the Internet, together with the hardware and software in data centers that provide those services. It helps enterprises, governments, public organizations, the private sector and research institutions build more effective, demand-driven computing systems. Virtualization technology, as the basic building block of cloud computing, is the most important technical cornerstone supporting it.
Virtualization brings a degree of customizability and controllability; it is essentially a technology for creating different computing environments. The three most widely used virtualization technologies are software-based full virtualization, hardware-assisted virtualization and paravirtualization. After many years of development there are many mature virtualization products, and their use has spread from servers to broader fields such as desktops. Mainstream virtualization software vendors include VMware, Xen, KVM and Microsoft. Among these, Xen, an open-source community-driven project that originated at the University of Cambridge, has attracted developers from many companies and research institutions and has developed very quickly. Xen's original virtualization approach was paravirtualization: it modified the Linux kernel to virtualize the processor and memory, and introduced a front-end/back-end driver framework to virtualize devices. As the Xen community developed, hardware full virtualization was also added to Xen. Xen is now highly mature, and there are many Xen-based virtualization products, for example from Citrix, Virtual Iron, Red Hat, Novell and Alibaba Cloud.
While virtualization technology has developed rapidly, it has inevitably brought many security problems. Malicious attacks that exploit virtualization platform vulnerabilities appear one after another and seriously harm the interests of cloud service providers and cloud service users. Once a vulnerability is exposed, the cloud computing company must repair it quickly so that service security is not affected. At present there are two ways to repair Xen vulnerabilities: cold restart and hot patching. As the name suggests, the cold restart approach repairs Xen platform vulnerabilities by modifying and recompiling the Xen source code and rebooting the machine. The cold restart approach is simple and crude to implement, but rebooting the server necessarily affects the normal operation of upper-layer user services. The hot patching approach modifies system memory and inserts a patch while the server is running. Hot patching does not affect the services of upper-layer cloud users, but its technical threshold is high and many combinations of situations must be considered, which poses a great challenge to cloud computing vendors. It is therefore necessary to propose a hot-patching method for virtualization platform vulnerabilities that repairs them efficiently and prevents malicious attacks.
Summary of the invention
To address the problem of repairing virtualization platform vulnerabilities, the invention proposes a vulnerability hot-patching method based on the Xen virtualization platform. After building an environment for, using, and analyzing the source code of the Xen virtualization platform, it can be seen that the Xen platform has a privileged domain Dom0 and that DMA operations of Dom0 can access Xen memory. The invention mainly uses the privileged domain Dom0 to repair Xen vulnerabilities in memory.
The technical solution adopted by the invention is as follows:
A vulnerability hot-patching method based on the Xen virtualization platform, whose steps include:
1) Calculate the Xen physical memory start address from the e820 table of the Xen system. The e820 table of the Xen system is the system physical memory map; it is generated during Xen start-up and written to the system log;
2) From the calculated physical memory start address and the Xen memory layout, calculate the physical address to which the virtual address of the function to be repaired is mapped. The Xen memory layout is the memory allocation within the system virtual address space and is clearly specified in the Xen source code;
3) Obtain the patch machine code through the privileged domain Dom0, write the patch into memory, and record the physical address of the patch function;
4) The privileged domain Dom0 uses a hypercall to notify Xen that a patch needs to be inserted;
5) Xen handles the hypercall request from the privileged domain Dom0, sets the flag bits, and notifies Dom0 to insert the patch;
6) The privileged domain Dom0 inserts the patch; meanwhile Xen intercepts VMEXIT requests and waits for the patch insertion to complete;
7) After the patch has been inserted successfully, the privileged domain Dom0 uses a hypercall to notify Xen that patch insertion is complete;
8) Xen handles the hypercall request from the privileged domain Dom0 and clears the flag bits.
In the above method, patch insertion is completed by a DMA (Direct Memory Access) operation of the privileged domain Dom0; the physical address to which the virtual address of the memory holding the function to be repaired is mapped must be calculated and used as the physical memory address of the DMA operation. All patches are written into memory in the form of machine code.
In the above method, Xen communicates with the privileged domain Dom0 by means of hypercalls and event notifications. When a Xen guest needs to perform an operation requiring higher privilege, such as updating a page table or accessing a physical resource, it cannot do so from a non-privileged domain and must instead issue a hypercall and let Xen complete the operation.
In the above method, when a fully virtualized virtual machine executes a privileged instruction, a VMEXIT operation traps into Xen, and Xen executes a kernel function to handle the privileged instruction on behalf of the virtual machine.
The beneficial effects of the invention are:
1. The invention repairs Xen platform vulnerabilities through the privileged domain Dom0 without rebooting the machine or suspending the virtual machines on the platform, realizing hot patching of vulnerabilities in Xen-based virtualization platforms.
2. The invention completes patch insertion and application through the privileged domain Dom0, which ensures the controllability and safety of the patch.
3. The newly added Xen hypercall operation of the invention is used only for communication between Xen and Dom0: it sets flag bits before patch insertion and clears them after insertion, and contains no operation that adds, deletes, modifies or queries the patch, so a malicious attacker cannot use a virtual machine's hypercall to damage Xen kernel functions.
In summary, the vulnerability hot-patching method based on the Xen virtualization platform proposed by the invention can accurately repair virtualization platform vulnerabilities without rebooting the machine, keeps the virtual machines on the platform running normally, and is safer because the repair is performed through Dom0.
Description of the drawings
Fig. 1 is a flow diagram of the vulnerability hot-patching method based on the Xen virtualization platform.
Detailed description of embodiments
The technical solution in the embodiments of the invention is described below clearly and completely with reference to the drawings of those embodiments. The described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those skilled in the art from the embodiments of the invention without creative work fall within the scope of protection of the invention.
A specific embodiment of the invention, a vulnerability hot-patching method based on the Xen virtualization platform, has the following steps:
1) Calculate the Xen physical memory start address from the e820 table of the Xen system;
2) From the physical memory start address calculated above and the Xen memory layout, calculate the physical address to which the virtual address of the function to be repaired is mapped;
3) Obtain the patch machine code through the privileged domain Dom0, write the patch into memory, and record the physical memory address of the patch function;
4) The privileged domain Dom0 uses a hypercall to notify Xen that a patch needs to be inserted;
5) Xen handles the hypercall request from the privileged domain Dom0, sets the flag bits, and notifies Dom0 to insert the patch;
6) The privileged domain Dom0 inserts the patch; meanwhile Xen intercepts VMEXIT requests and waits for the patch insertion to complete;
7) After the patch has been inserted successfully, the privileged domain Dom0 uses a hypercall to notify Xen that patch insertion is complete;
8) Xen handles the hypercall request from the privileged domain Dom0 and clears the flag bits.
The virtualized environment used by this method is the Xen virtualization platform. Under Xen, virtual machines are divided into the privileged virtual machine Dom0 and non-privileged virtual machines DomU. Xen system memory is strictly isolated; before Xen version 4.0, DMA operations of the privileged domain Dom0 could access Xen system memory.
The e820 table of the Xen system is the current system physical memory map; it describes how the system's physical memory is used, is generated during Xen start-up and is written to the system log.
The Xen physical memory start address is the start address of the kernel functions after Xen boots. After starting, Xen dynamically relocates its kernel to a high physical address.
The physical address to which the virtual address of the function to be repaired is mapped is the location of that function in physical memory. The invention accesses Xen system memory through DMA operations of the privileged domain Dom0, and the addresses used by DMA operations are physical memory addresses.
The privileged domain Dom0 and Xen communicate using hypercalls and events. A user program in the privileged domain Dom0 requests a hypercall through a special kernel driver, privcmd; after processing by the kernel, the request is passed down to Xen, which handles it.
Xen sends event notifications to the privileged domain Dom0 in the form of virtual interrupts; after Dom0 receives an event notification, it handles it in much the same way as a physical interrupt.
During the operation of a virtual machine, hypercall requests and VMEXIT and VMENTRY operations are generated continuously. VMEXIT means that when a virtual machine executes a privileged instruction, it must trap into Xen and be handled by Xen. After executing the privileged instruction, Xen returns the result to the virtual machine and performs a VMENTRY operation to switch back into the virtual machine. Handling a VMEXIT consists of saving the virtual machine's register state, loading the host's register state, executing the VMEXIT handler function, and executing VMENTRY to resume scheduling of the virtual machine.
Fig. 1 is the flow diagram of the above vulnerability hot-patching method based on the Xen virtualization platform; its steps are described in detail as follows:
1. Calculating the Xen physical memory start address.
During start-up, the Xen hypervisor is dynamically loaded to the high memory address xen_phys_start. This address is determined by the following formula:
xen_phys_start = end - reloc_size;
where end is the highest free-memory address below 4G in the physical address space, and reloc_size is the size of the memory occupied by Xen's code and data segments, which defaults to 4M. In one embodiment of the invention, the value of reloc_size is obtained by compiling and installing the same version of Xen from source on another host.
2. Calculating the physical memory address of the function to be repaired.
The Xen hypervisor pages are linearly mapped to high virtual addresses. In one embodiment of the invention, the Xen virtual start address xen_virt_start is obtained by inspecting the Xen memory layout, and the virtual address VA of the function to be repaired is obtained from the xen-syms file. Together with the Xen physical memory start address obtained above, the physical address PA of the function to be repaired is derived by the following formulas:
1. offset = VA - xen_virt_start
2. PA = xen_phys_start + offset
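As an added example (not part of the patent's text), the two address calculations above carried out in C over a constructed excerpt of the e820 lines Xen prints at boot. The page's description of `end` is terse; this example reads it as the upper bound of the highest usable e820 region below 4 GiB, which is how Xen's own relocation code derives it, and labels that as its assumption. The e820 lines, the `reloc_size` of 4M, the `xen_virt_start` value and the sample VA are constructed values, not taken from the patent.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FOUR_GIB 0x100000000ULL

/* Constructed sample of the e820 lines Xen writes to its boot log (not from a real host). */
static const char *sample_e820[] = {
    "(XEN)  0000000000000000 - 000000000009fc00 (usable)",
    "(XEN)  000000000009fc00 - 00000000000a0000 (reserved)",
    "(XEN)  0000000000100000 - 00000000bfff0000 (usable)",
    "(XEN)  00000000bfff0000 - 00000000c0000000 (ACPI data)",
    "(XEN)  0000000100000000 - 0000000240000000 (usable)",
};
#define SAMPLE_E820_LINES (sizeof(sample_e820) / sizeof(sample_e820[0]))

/* Parse one "(XEN)  <start> - <end> (<type>)" line. Returns 1 on success. */
static int parse_e820_line(const char *line, uint64_t *start, uint64_t *end, int *usable)
{
    const char *p = strstr(line, "(XEN)");
    char *sep;
    p = p ? p + 5 : line;
    *start = strtoull(p, &sep, 16);
    if (sep == p || strncmp(sep, " - ", 3) != 0)
        return 0;
    *end = strtoull(sep + 3, &sep, 16);
    *usable = strstr(sep, "(usable)") != NULL;
    return 1;
}

/* Step 1: xen_phys_start = end - reloc_size, where end is taken (assumption of this
 * example) as the top of the highest usable region that lies below 4 GiB. Returns 0
 * when no usable region below 4 GiB is large enough to hold reloc_size bytes. */
uint64_t compute_xen_phys_start(const char **lines, size_t n, uint64_t reloc_size)
{
    uint64_t best_end = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t s, e;
        int usable;
        if (!parse_e820_line(lines[i], &s, &e, &usable) || !usable)
            continue;
        if (s >= FOUR_GIB)          /* region entirely above 4 GiB: not a candidate */
            continue;
        if (e > FOUR_GIB)           /* region straddles 4 GiB: clip to the boundary */
            e = FOUR_GIB;
        if (e > best_end)
            best_end = e;
    }
    if (best_end < reloc_size)
        return 0;
    return best_end - reloc_size;
}

/* Step 2: PA = xen_phys_start + (VA - xen_virt_start), the page's two formulas combined. */
uint64_t va_to_pa(uint64_t va, uint64_t xen_virt_start, uint64_t xen_phys_start)
{
    return xen_phys_start + (va - xen_virt_start);
}

/* Worked run on the constructed values: reloc_size 4M, a constructed xen_virt_start
 * and a constructed function VA read from xen-syms. */
uint64_t sample_patch_pa(void)
{
    uint64_t reloc_size     = 0x400000ULL;            /* 4M, the page's default */
    uint64_t xen_virt_start = 0xffff82d080000000ULL;  /* assumed Xen virtual start */
    uint64_t va             = 0xffff82d080245a10ULL;  /* assumed VA of the function */
    uint64_t xen_phys_start = compute_xen_phys_start(sample_e820, SAMPLE_E820_LINES, reloc_size);
    return va_to_pa(va, xen_virt_start, xen_phys_start);
}

int main(void)
{
    printf("xen_phys_start = 0x%llx\n",
           (unsigned long long)compute_xen_phys_start(sample_e820, SAMPLE_E820_LINES, 0x400000ULL));
    printf("PA of function = 0x%llx\n", (unsigned long long)sample_patch_pa());
    return 0;
}
```

With the constructed table the highest usable region below 4 GiB ends at 0xbfff0000, so xen_phys_start is 0xbfbf0000 and the function at offset 0x245a10 from xen_virt_start lands at physical address 0xbfe35a10. A practitioner reproducing this on a real host should check the computed PA against the hypervisor's own relocation message in the boot log before any DMA write is issued at it.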
3. Obtaining the patch machine code.
Because the patch is written directly into physical memory, the format of the patch machine code must be consistent with the machine code of the function in memory. Drawing on the principles of the existing Linux kernel live-patching methods kpatch and kGraft, the invention repairs the kernel function source code on the same host, recompiles and installs Xen, and finally reads the Xen binary through the privileged domain Dom0 to obtain the machine code of the patch function. The privileged domain Dom0 then performs a DMA write operation to write the patch machine code into memory.
In other embodiments, the kernel function source code may be repaired on another host, Xen recompiled and installed there, and the machine code of the patch function read through a DMA operation of the privileged domain Dom0. The patch can be written through a file read operation of the privileged domain Dom0 that writes the machine code into kernel space requested with kmalloc.
4. The privileged domain Dom0 requests patch insertion.
The privileged domain Dom0 and Xen communicate through hypercalls and events. Hypercalls are similar to system calls under Linux; a user program in the privileged domain Dom0 can request a hypercall through the special kernel driver privcmd. The invention adds a new hypercall operation, HYPERVISOR_set_worktodo, with two sub-operations used respectively to set and to clear the flag bits.
Xen handles the hypercall request from Dom0, sets the flag bits, and sends an event notification to the privileged domain Dom0 telling it that it may carry out the patch insertion operation. The invention adds a new virtual interrupt for communication between Xen and Dom0: the event notification Xen sends to Dom0 is a virtual interrupt request, and the privileged domain Dom0 handles this virtual interrupt in much the same way as a physical interrupt.
5. The privileged domain Dom0 inserts the patch.
To dynamically replace a function in the Xen hypervisor's memory while Xen is running, the invention uses a DMA operation of the privileged domain Dom0 to change the first five bytes of the original function's machine code into a JMP instruction, so that when the original function is executed, control jumps from the original function to the new function, which continues execution.
To guarantee that the function to be repaired runs correctly during patch insertion, the invention sets the flag bits livepatch_work and works_to_do, which respectively indicate that a patch is pending insertion and that a patch insertion operation is currently being performed.
During the operation of a virtual machine, hypercall requests and VMEXIT and VMENTRY operations are generated continuously. VMEXIT means that when a virtual machine executes a privileged instruction, it must trap into Xen and be handled by Xen. To prevent the function to be repaired from being called while the patch is being inserted, the invention first checks the livepatch_work flag bit in Xen's VMEXIT handler function; if it is set, a patch is pending insertion, and the works_to_do flag bit is checked next; if that is also set, a CPU is currently performing the patch insertion operation, so the VMEXIT handling is suspended until the patch insertion operation completes, while other virtual machines are scheduled to run.
6. The privileged domain Dom0 notifies Xen that patch insertion is complete.
The privileged domain Dom0 inserts the patch into Xen memory through a DMA operation. When the DMA operation ends, the privileged domain Dom0 sends a hypercall request notifying Xen that patch insertion is complete; Xen clears the flag bits livepatch_work and works_to_do and resumes the suspended VMEXIT handling.
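As an added example (not from the patent), the flag-bit handshake and the five-byte JMP rewrite of steps 4 to 6, modelled in C as a single-threaded simulation. The two hypercall sub-operations set and clear the `livepatch_work` and `works_to_do` flags and reject anything else, which is the page's point that the new hypercall carries no other operation; `vmexit_gate` makes the decision the page places in Xen's VMEXIT handler; and `encode_jmp_rel32` produces the x86 `E9 rel32` near jump that the DMA write places over the original function's first five bytes. The function and enum names, the choice that the set sub-operation raises both flags at once, the x86 encoding, the in-memory buffer standing in for the DMA target and the sample addresses are this example's assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Flag bits named on the page; plain globals stand in for Xen's state here. */
static volatile int livepatch_work;   /* a patch is pending insertion */
static volatile int works_to_do;      /* a CPU is currently writing the patch */

/* The two sub-operations of HYPERVISOR_set_worktodo as the page describes them.
 * Assumption of this example: "set" raises both flags together. */
enum { WORKTODO_SET = 0, WORKTODO_CLEAR = 1 };

int hypervisor_set_worktodo(int subop)
{
    switch (subop) {
    case WORKTODO_SET:   livepatch_work = 1; works_to_do = 1; return 0;
    case WORKTODO_CLEAR: livepatch_work = 0; works_to_do = 0; return 0;
    default:             return -1;   /* no other operation is reachable through it */
    }
}

/* Decision the VMEXIT handler takes before any patchable function may run. */
enum vmexit_action { VMEXIT_HANDLE = 0, VMEXIT_DEFER = 1 };

enum vmexit_action vmexit_gate(void)
{
    if (livepatch_work && works_to_do)
        return VMEXIT_DEFER;   /* patch write in progress: suspend, schedule other VMs */
    return VMEXIT_HANDLE;
}

/* Encode the 5-byte x86 near jump (E9 rel32) that redirects orig_pa to patch_pa.
 * rel32 is relative to the end of the JMP itself. Returns 0 if the displacement
 * does not fit in a signed 32-bit field. */
int encode_jmp_rel32(uint64_t orig_pa, uint64_t patch_pa, uint8_t out[5])
{
    int64_t disp = (int64_t)patch_pa - (int64_t)(orig_pa + 5);
    int32_t rel;
    if (disp < INT32_MIN || disp > INT32_MAX)
        return 0;
    rel = (int32_t)disp;
    out[0] = 0xE9;
    memcpy(out + 1, &rel, 4);   /* little-endian, as x86 stores the immediate */
    return 1;
}

/* Walk steps 4 to 8 over an in-memory copy of the original function (the DMA
 * target is simulated by orig_fn). Returns how many VMEXITs were deferred, or
 * -1 if the jump cannot be encoded. In the real system the gate check runs on
 * every VMEXIT concurrently; this single-threaded walk probes it once per phase. */
int run_hot_patch(uint8_t *orig_fn, uint64_t orig_pa, uint64_t patch_pa)
{
    uint8_t jmp[5];
    int deferred = 0;
    if (!encode_jmp_rel32(orig_pa, patch_pa, jmp))
        return -1;
    hypervisor_set_worktodo(WORKTODO_SET);          /* steps 4-5: flags raised */
    if (vmexit_gate() == VMEXIT_DEFER)              /* step 6: a VMEXIT now waits */
        deferred++;
    memcpy(orig_fn, jmp, 5);                        /* Dom0 DMA write, simulated */
    hypervisor_set_worktodo(WORKTODO_CLEAR);        /* steps 7-8: flags cleared */
    if (vmexit_gate() == VMEXIT_DEFER)              /* resumed VMEXIT proceeds */
        deferred++;
    return deferred;
}
```

Only the five overwritten bytes change; everything after them in the original function is left intact, and a rejected displacement or an unknown sub-operation leaves both the function and the flags untouched. The flags are the whole synchronisation story here, so a defender reviewing such a mechanism would want to see that no path clears them without the completion hypercall and that the gate check precedes any call into patchable code.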
Experimental results:
First, a functional validity test was carried out on the vulnerability hot-patching method based on the Xen virtualization platform. The test results show that the method proposed by the invention can repair Xen virtualization platform vulnerabilities without rebooting the system or suspending virtual machines, meeting the design goal of the invention.
Second, to measure the performance impact of the method on virtual machines, performance was analyzed and evaluated in two cases: virtual machine performance without hot patching, and virtual machine performance during hot patching. Memory read and write is a typical operation that reflects system performance. The results show that although there is a performance difference between a virtualization platform repaired with this method and the native platform, compared with existing methods that suspend virtual machines while repairing Xen virtualization platform vulnerabilities, the loss of virtual machine performance in the experiments of the invention is within an acceptable range, system performance recovers after the repair is complete, and the method of the invention achieves a better result.

Claims (5)

1. A vulnerability hot-patching method based on the Xen virtualization platform, characterized by comprising the following steps:
1) calculating the Xen physical memory start address from the e820 table of the Xen system;
2) from the calculated physical memory start address and the Xen memory layout, calculating the physical address to which the virtual address of the function to be repaired is mapped;
3) obtaining the patch machine code through the privileged domain Dom0, writing the patch into memory, and recording the physical memory address of the patch function;
4) the privileged domain Dom0 using a hypercall to notify Xen that a patch needs to be inserted;
5) Xen handling the hypercall request from the privileged domain Dom0 and notifying Dom0 to insert the patch;
6) after the patch has been inserted successfully, the privileged domain Dom0 using a hypercall to notify Xen that patch insertion is complete, which completes the vulnerability hot patching;
wherein hypercall requests and VMEXIT and VMENTRY operations are generated continuously during the operation of a virtual machine, VMEXIT meaning that when a virtual machine executes a privileged instruction it must trap into Xen and be handled by Xen, and after executing the privileged instruction Xen returns the result to the virtual machine and performs a VMENTRY operation to switch back into the virtual machine;
flag bits are set before patch insertion and cleared after insertion so that the function to be repaired runs correctly while the patch is being inserted, that is: Xen first sets the flag bits and then notifies Dom0 to insert the patch, and after patch insertion is complete Xen clears the flag bits;
the flag bits comprise livepatch_work and works_to_do, which respectively indicate that a patch is pending insertion and that a patch insertion operation is being performed; to prevent the function to be repaired from being called during patch insertion, the livepatch_work flag bit is first checked in Xen's VMEXIT handler function; if it is set, a patch is pending insertion and the works_to_do flag bit is checked next; if that is set, a CPU is performing the patch insertion operation, so the VMEXIT handling is suspended until the patch insertion operation completes while other virtual machines are scheduled to run; after patch insertion is complete, Xen clears the flag bits livepatch_work and works_to_do and resumes the suspended VMEXIT handling.
2. The method according to claim 1, characterized in that: while the privileged domain Dom0 inserts the patch, Xen intercepts VMEXIT requests and waits for the patch insertion to complete.
3. The method according to claim 1, characterized in that: patch insertion is completed using a DMA operation of the privileged domain Dom0, and the physical address to which the virtual address of the memory holding the function to be repaired is mapped is used as the physical memory address of the DMA operation.
4. The method according to claim 1, characterized in that: Xen and the privileged domain Dom0 communicate by means of hypercalls and event notifications, and when a Xen guest needs to perform an operation requiring higher privilege, it issues a hypercall and lets Xen complete the operation.
5. The method according to claim 1, characterized in that: a virtual interrupt is added for communication between Xen and Dom0; the event notification Xen sends to Dom0 is a virtual interrupt request, and the privileged domain Dom0 handles the virtual interrupt.
CN201611191813.9A 2016-12-21 2016-12-21 A kind of hot restorative procedure of loophole based on Xen virtual platform Active CN106845245B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611191813.9A CN106845245B (en) 2016-12-21 2016-12-21 A kind of hot restorative procedure of loophole based on Xen virtual platform

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611191813.9A CN106845245B (en) 2016-12-21 2016-12-21 A kind of hot restorative procedure of loophole based on Xen virtual platform

Publications (2)

Publication Number Publication Date
CN106845245A CN106845245A (en) 2017-06-13
CN106845245B true CN106845245B (en) 2019-11-26

Family

ID=59135119

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611191813.9A Active CN106845245B (en) 2016-12-21 2016-12-21 A kind of hot restorative procedure of loophole based on Xen virtual platform

Country Status (1)

Country Link
CN (1) CN106845245B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108121552B (en) * 2017-11-06 2021-01-12 广东睿江云计算股份有限公司 Automatic patching method based on XenServer
CN111078262B (en) * 2018-10-18 2023-04-11 百度在线网络技术(北京)有限公司 Application thermal restoration method and device
CN117573292B (en) * 2024-01-15 2024-04-09 麒麟软件有限公司 Method for Xen running general RTOS virtual machine

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104915595A (en) * 2015-06-30 2015-09-16 北京奇虎科技有限公司 Virtualization bug fixing method and device through cloud platform
CN104978532A (en) * 2011-12-27 2015-10-14 北京奇虎科技有限公司 Vulnerability repair client logic testing method and system

Also Published As

Publication number Publication date
CN106845245A (en) 2017-06-13

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant