CN107450962A - Abnormality eliminating method, apparatus and system under a kind of virtualization running environment - Google Patents

Abnormality eliminating method, apparatus and system under a kind of virtualization running environment Download PDF

Info

Publication number
CN107450962A
CN107450962A CN201710554394.9A CN201710554394A CN107450962A CN 107450962 A CN107450962 A CN 107450962A CN 201710554394 A CN201710554394 A CN 201710554394A CN 107450962 A CN107450962 A CN 107450962A
Authority
CN
China
Prior art keywords
guest
virtual machine
abnormal
kernel code
caused
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710554394.9A
Other languages
Chinese (zh)
Other versions
CN107450962B (en
Inventor
邱学强
张朝鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING KEYIN JINGCHENG TECHNOLOGY Co Ltd
Kyland Technology Co Ltd
Original Assignee
BEIJING KEYIN JINGCHENG TECHNOLOGY Co Ltd
Kyland Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BEIJING KEYIN JINGCHENG TECHNOLOGY Co Ltd, Kyland Technology Co Ltd filed Critical BEIJING KEYIN JINGCHENG TECHNOLOGY Co Ltd
Priority to CN201710554394.9A priority Critical patent/CN107450962B/en
Publication of CN107450962A publication Critical patent/CN107450962A/en
Application granted granted Critical
Publication of CN107450962B publication Critical patent/CN107450962B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45591Monitoring or debugging support

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Storage Device Security (AREA)

Abstract

The application is related to industry internet operation system technology field, more particularly to a kind of abnormality eliminating method virtualized under running environment, apparatus and system, it is poor there is robustness to solve the problems, such as to operate in the Guest OS under virtualized environment in the prior art;Abnormality eliminating method under the virtualization running environment that the embodiment of the present application provides includes:Monitor abnormal caused by the Guest OS run on a virtual machine;If according to the abnormal contextual information of acquisition, it is determined that abnormal is as caused by the out-of-limit operation of the Guest OS kernel codes being limited to operating right in virtual machine, then refuse out-of-limit operations of the Guest OS to kernel code, here, for the important kernel code in virtual machine, operating rights of the Guest OS to the kernel code can be increased, so equivalent to adding one layer of security protection to the kernel code in virtual machine, and the protection to kernel code can effectively improve the security of virtual machine running environment, therefore the Guest OS operated in virtual machine robustness can be strengthened.

Description

Abnormality eliminating method, apparatus and system under a kind of virtualization running environment
Technical field
The application is related to different under industry internet operation system technology field, more particularly to a kind of virtualization running environment Normal processing method, apparatus and system.
Background technology
Virtualization technology is by the hardware resource of physical machine, such as server and internal memory, is carried out after being abstracted for users to use, Its core is that virtual machine manager (Virtual Machine Monitor, VMM) is first built in physical machine, then is created on VMM Multiple virtual machines (Virtual Machine, VM) are built, so, a client operating system can only be run in physical machine originally (Guest Operating System, Guest OS), can run parallel after virtualization in multiple VM, therefore can be maximum Change the hardware resource that ground utilizes physical machine.
In the prior art, VMM is monitored to Guest OS running, and the Guest OS monitored are being transported Caused exception is delivered to the exception processing modules of Guest OS On-premises and handled during row, wherein, exception Manage abnormal exception, page fault, illegal instruction exceptions etc. as caused by except Z-operation of resume module, these are abnormal be all by Caused by Software for Design mistake in Guest OS.VM for providing virtualization running environment for Guest OS, ensures in VM The security of kernel code is the premise that Guest OS and exception processing module are capable of normal work.At present, kernel code in VM Security simply simply by the operating system run on VM, such as Windows, carry out security protection, under normal circumstances, The important kernel code that Guest OS can not be had access in VM, once the security protection of operating system is broken, and it is important in VM Kernel code is easy for being maliciously tampered, this can cause Guest OS can not normal operation, it is serious when may make Guest OS paralyses, and the user application layer face that Guest OS are had been located in virtualization technology, ensures that Guest OS can be transported steadily and surely Row is all particularly significant for client and offer Guest OS businessman.
It can be seen that the Guest OS operated in the prior art under virtualized environment there is robustness it is poor the problem of.
The content of the invention
The embodiment of the present application provides a kind of abnormality eliminating method virtualized under running environment, apparatus and system, to solve The Guest OS certainly operated in the prior art under virtualized environment there is robustness it is poor the problem of.
Abnormality eliminating method under a kind of virtualization running environment that the embodiment of the present application provides, including:
Monitor abnormal caused by the client operating system Guest OS run on a virtual machine;
If according to the abnormal contextual information of acquisition, it is to being grasped in virtual machine by Guest OS to determine the exception Make caused by the out-of-limit operation of the kernel code of limited authority, then refuse out-of-limit operations of the Guest OS to the kernel code.
Alternatively, according to following steps determine the exception be by Guest OS it is limited to operating right in virtual machine in Caused by the out-of-limit operation of core code:
Obtain the memory pages mistake address in the abnormal contextual information;
If the memory pages mistake address is included in ground corresponding to the limited kernel code of the operating right pre-saved In the section of location and Guest OS have access rights to the kernel code in the address field, it is determined that the exception is by Guest Caused by the out-of-limit operation for the kernel code that OS is limited to operating right in virtual machine.
Alternatively, out-of-limit operations of the Guest OS to the kernel code is refused, including:
Judge whether user-defined abnormality processing function;
If in the presence of, call the abnormality processing function to it is described it is out-of-limit operation handle;
Otherwise, the operational order that Guest OS are performed when refusal produces described abnormal;The operational order is from described different Obtained in normal contextual information.
Alternatively, methods described also includes:
Monitor and handle caused during calling the abnormality processing function to handle the out-of-limit operation Secondary exception.
Exception handling device under a kind of virtualization running environment that the embodiment of the present application provides, including:
Monitoring modular, it is abnormal caused by the client operating system Guest OS run on a virtual machine for monitoring;
Processing module, if for the abnormal contextual information according to acquisition, it is by Guest to determine the exception Caused by the out-of-limit operation for the kernel code that OS is limited to operating right in virtual machine, then refuse Guest OS to the kernel generation The out-of-limit operation of code.
Monitoring modular, it is abnormal caused by the client operating system Guest OS run on a virtual machine for monitoring;
Processing module, if for the abnormal contextual information according to acquisition, it is by Guest to determine the exception Caused by the out-of-limit operation for the kernel code that OS is limited to operating right in virtual machine, then refuse Guest OS to the kernel generation The out-of-limit operation of code.
Alternatively, the processing module is specifically used for:
Determine that the exception is by kernel code limited to operating right in virtual machine Guest OS according to following steps Out-of-limit operation caused by:
Obtain the memory pages mistake address in the abnormal contextual information;
If the memory pages mistake address is included in ground corresponding to the limited kernel code of the operating right pre-saved In the section of location and Guest OS have access rights to the kernel code in the address field, it is determined that the exception is by Guest Caused by the out-of-limit operation for the kernel code that OS is limited to operating right in virtual machine.
Alternatively, the processing module is specifically used for:
Judge whether user-defined abnormality processing function;
If in the presence of, call the abnormality processing function to it is described it is out-of-limit operation handle;
Otherwise, the operational order that Guest OS are performed when refusal produces described abnormal;The operational order is from described different Obtained in normal contextual information.
Alternatively, the monitoring modular, be additionally operable to monitoring call the abnormality processing function to it is described it is out-of-limit operate into Caused secondary exception during row processing;
The processing module, it is additionally operable to handle the secondary exception.
Abnormality processing system under a kind of virtualization running environment that the embodiment of the present application provides, including:Virtual Machine Manager Device, at least one first virtual machine and one are used to carry out the second of security protection at least one first virtual machine Virtual machine, wherein:
The virtual machine manager, for each first virtual machine, monitoring the client run on first virtual machine It is abnormal caused by operating system Guest OS;The abnormal contextual information of acquisition is sent to second virtual machine;
Second virtual machine, for receiving the abnormal contextual information;If believed according to the abnormal context Breath, determining the exception is produced by the out-of-limit operation of the Guest OS kernel codes being limited to operating right in first virtual machine Raw, then refuse out-of-limit operations of the Guest OS to the kernel code.
Alternatively, second virtual machine is specifically used for:
Obtain the memory pages mistake address in the abnormal contextual information;
If the memory pages mistake address is included in ground corresponding to the limited kernel code of the operating right pre-saved In the section of location and Guest OS have access rights to the kernel code in the address field, it is determined that the exception is by Guest Caused by the out-of-limit operation for the kernel code that OS is limited to operating right in the first virtual machine.
Alternatively, second virtual machine is specifically used for:
Judge whether user-defined abnormality processing function;
If in the presence of, call the abnormality processing function to it is described it is out-of-limit operation handle;
Otherwise, the operational order that Guest OS are performed when refusal produces described abnormal;The operational order is from described different Obtained in normal contextual information.
Alternatively, the virtual machine manager is additionally operable to:
Monitor and handle caused during calling the abnormality processing function to handle the out-of-limit operation Secondary exception.
The a kind of electronic equipment that the embodiment of the present application provides, including at least one processing unit and at least one storage Unit, wherein, the memory cell has program stored therein code, when described program code is performed by the processing unit so that The processing unit performs the step of abnormality eliminating method under above-mentioned virtualization running environment.
A kind of computer-readable recording medium that the embodiment of the present application provides, including program code, when described program product When running on the computing device, described program code is different under above-mentioned virtualization running environment for performing the electronic equipment The step of normal processing method.
In the embodiment of the present application, exception caused by the Guest OS run on a virtual machine is monitored, if according to the different of acquisition Normal contextual information, it is by the out-of-limit behaviour of the Guest OS kernel codes being limited to operating right in virtual machine to determine the exception Caused by work, then refuse out-of-limit operations of the Guest OS to kernel code.For the important kernel code in virtual machine, compared to Security protection is simply carried out using the operating system run on VM in the prior art, can also be increased in the embodiment of the present application Guest OS prevent the operating right of important kernel code more equivalent to one layer of safety is increased the kernel code in virtual machine Shield, and the security protection to kernel code can effectively improve the security of virtual machine running environment, therefore operation can be strengthened The robustness of Guest OS in virtual machine.
Brief description of the drawings
Accompanying drawing described herein is used for providing a further understanding of the present invention, forms the part of the present invention, this hair Bright schematic description and description is used to explain the present invention, does not form inappropriate limitation of the present invention.In the accompanying drawings:
Fig. 1 is the abnormality eliminating method flow chart under the virtualization running environment that the embodiment of the present application provides;
Fig. 2 is the abnormality processing system schematic diagram under the virtualization running environment that the embodiment of the present application provides;
Fig. 3 is the abnormality processing system schematic diagram under the another virtualization running environment that the embodiment of the present application provides;
Fig. 4 is the flow chart that the health control subsystem that the embodiment of the present application provides is handled exception;
Fig. 5 is the exception handling device structure chart under the virtualization running environment that the embodiment of the present application provides;
Fig. 6 is the hardware configuration signal of the exception handling device under the virtualization running environment that the embodiment of the present application provides Figure.
Embodiment
In the embodiment of the present application, exception caused by the Guest OS run on a virtual machine is monitored, if according to the different of acquisition Normal contextual information, it is by the out-of-limit behaviour of the Guest OS kernel codes being limited to operating right in virtual machine to determine the exception Caused by work, then refuse out-of-limit operations of the Guest OS to kernel code.For the important kernel code in virtual machine, compared to Security protection is simply carried out using the operating system run on VM in the prior art, can also be increased in the embodiment of the present application Guest OS prevent the operating right of important kernel code more equivalent to one layer of safety is increased the kernel code in virtual machine Shield, and the security protection to kernel code can effectively improve the security of virtual machine running environment, therefore operation can be strengthened The robustness of Guest OS in virtual machine.
The preferred embodiments of the present invention are illustrated below in conjunction with Figure of description, it will be appreciated that described herein Preferred embodiment is merely to illustrate and explain the present invention, and is not intended to limit the present invention, and in the case where not conflicting, this hair The feature in embodiment and embodiment in bright can be mutually combined.
Embodiment one
As shown in figure 1, the abnormality eliminating method flow chart under the virtualization running environment provided for the embodiment of the present application, bag Include following steps:
S101:Monitor abnormal caused by the client operating system Guest OS run on a virtual machine.
Wherein, include exception caused by Software for Design mistake in Guest OS caused by Guest OS extremely, also include In virtual machine of the illegal program to running Guest OS kernel code distort etc. it is abnormal caused by operation.
S102:If according to the abnormal contextual information of acquisition, it is determined that abnormal is to being operated in virtual machine by Guest OS Caused by the out-of-limit operation of the kernel code of limited authority, then refuse out-of-limit operations of the Guest OS to kernel code.
Alternatively, after exception is detected, abnormal contextual information can be obtained, is included in the contextual information Pointer information in the address of operational order, operational order when producing abnormal, memory pages mistake address, task stack etc..
In practical application, because the operating system run on VM has served certain security protection to kernel code and made With, therefore under normal circumstances, Guest OS are the important kernel codes that can not be had access in VM, if Guest OS are in VM Important kernel code carried out out-of-limit operation, the safety of kernel code can not have been ensured by illustrating current VM operating system Property, VM running environment may have potential safety hazard, and the application is precisely in order to potential safety hazard as solving.
Specifically, the memory pages mistake address in abnormal contextual information can be obtained, it is internal according to operating system The division rule of middle address field is deposited, memory pages mistake address address field affiliated in depositing inside is determined, if the address field is pre- The limited kernel code of the operating right that first preserves corresponding a certain address field and Guest OS are in the address field in internal memory Kernel code there are access rights, it is determined that there is potential safety hazard in VM running environment, be to virtual extremely by Guest OS In machine caused by the out-of-limit operation of the limited kernel code of operating right.
Wherein, if Guest OS have access rights to the kernel code in the address field, illustrate that the exception should not Occur in Guest OS, and the exception occurred now can only be due to that to kernel code, there is provided access in advance by program designer Authority and it is caused, thus may determine that the exception be by Guest OS to operating right in virtual machine be limited kernel code Caused by out-of-limit operation.
Further, it is determined that operations of the Guest OS to kernel code is after out-of-limit operation, it can be determined that right in system It whether there is user-defined abnormality processing function extremely in this, if in the presence of user-defined exception can be called The out-of-limit operation that reason function pair produces the exception is handled;Otherwise, can refuse to produce this it is abnormal when Guest OS perform Operational order;Wherein, operational order is obtained from the contextual information of exception.
Such as anomaly exist user-defined abnormality processing function for certain in system, the abnormality processing function except The operational order that Guest OS are performed when being not responding to produce exception, can also be by the page jump of user's current accessed to specific page Face, rather than report an error directly to user, better user experience;If it is not present extremely for this in system user-defined different Often processing function, then can directly refuse to produce this it is abnormal when the operational order that performs of Guest OS.
In addition, in above process, it can also monitor and handle and call user-defined abnormality processing function to more Caused secondary exception during limit operation is handled.
For example stack is produced again during calling user-defined abnormality processing function to handle out-of-limit operation Overflow exception, at this point it is possible to the task suspension that out-of-limit operation will be handled, or by the handling out-of-limit operation of the task restarted with It is abnormal to solve stack overflow.
In specific implementation process, if according to the abnormal contextual information of acquisition, it is determined that abnormal is not by Guest OS , then can be by the abnormality processing in Guest OS caused by the out-of-limit operation for the kernel code being limited to operating right in virtual machine Module is handled abnormal.
In the embodiment of the present application, exception caused by the Guest OS run on a virtual machine is monitored, if according to the different of acquisition Normal contextual information, it is by the out-of-limit behaviour of the Guest OS kernel codes being limited to operating right in virtual machine to determine the exception Caused by work, then refuse out-of-limit operations of the Guest OS to kernel code.For the important kernel code in virtual machine, compared to Security protection is simply carried out using the operating system run on VM in the prior art, can also be increased in the embodiment of the present application Guest OS prevent the operating right of important kernel code more equivalent to one layer of safety is increased the kernel code in virtual machine Shield, and the security protection to kernel code can effectively improve the security of virtual machine running environment, therefore operation can be strengthened The robustness of Guest OS in virtual machine.
Embodiment two
As shown in Fig. 2 the abnormality processing system 200 under the virtualization running environment provided for the embodiment of the present application is illustrated Figure, including:Hardware, virtual machine manager 201, at least one first virtual machine 202 and one are used for described at least one First virtual machine carries out the second virtual machine 203 of security protection, wherein:
Virtual machine manager 201, for each first virtual machine 202, monitoring the visitor run on first virtual machine It is abnormal caused by the operating system Guest OS of family, the abnormal contextual information is obtained, then sends out the contextual information of exception Give the second virtual machine;
Second virtual machine 203, for receiving the abnormal contextual information of virtual machine manager transmission;If according to different Normal contextual information, it is determined that abnormal is getting over by the Guest OS kernel codes being limited to operating right in first virtual machine Caused by limit operation, then refuse out-of-limit operations of the Guest OS to kernel code.
In specific implementation process, the second virtual machine is specifically used for:Obtain the memory pages in abnormal contextual information Mistake address, if memory pages mistake address is included in address field corresponding to the limited kernel code of the operating right pre-saved In and Guest OS there are access rights to the kernel code in the address field, it is determined that abnormal is to first by Guest OS In virtual machine caused by the out-of-limit operation of the limited kernel code of operating right.
Further, the second virtual machine judges whether user-defined abnormality processing function, if in the presence of calling Abnormality processing function is handled out-of-limit operation;Otherwise, the operational order that Guest OS are performed when refusal produces abnormal;It is described Operational order is obtained from the contextual information of exception.
In addition, virtual machine manager is additionally operable to:Monitor and handle at calling abnormality processing function is to out-of-limit operation Caused secondary exception during reason.
In the embodiment of the present application, virtual machine manager is monitored and run on first virtual machine to each first virtual machine Client operating system Guest OS caused by it is abnormal, the abnormal contextual information of acquisition is sent to the second virtual machine; After second virtual machine receives abnormal contextual information, if according to the contextual information of exception, it is determined that abnormal is by Guest Caused by the out-of-limit operation for the kernel code that OS is limited to operating right in first virtual machine, then refuse Guest OS to kernel The out-of-limit operation of code.For the important kernel code in the first virtual machine, transported compared to simply using in the prior art on VM Capable operating system carries out security protection, also increases in the embodiment of the present application for carrying out security protection to each first virtual machine The second virtual machine, second virtual machine can control operating rights of the Guest OS to important kernel code in the first virtual machine Limit, one layer of security protection is added equivalent to the kernel code in the first virtual machine more, and to the security protection of kernel code The security of the first virtual machine running environment can be effectively improved, therefore the Guest operated in the first virtual machine can be strengthened OS robustness.
Embodiment three
As shown in figure 3, the abnormality processing system 300 under the virtualization running environment provided for the embodiment of the present application is illustrated Figure, wherein, VMM forms multiple VM after being virtualized to the hardware of bottom, included in VMM between core health control module and domain Communication management module, core health control module are responsible for that the very first time collects abnormal contextual information and to have processing concurrently specific The ability of abnormal (abnormal caused by health control subsystem), inter-domain communication management module are responsible for the communication between multiple VM;It is more One is health monitoring virtual machine in individual VM, and others are client virtual machine, and unsoundness is run in health monitoring virtual machine Subsystem is managed, being run in client virtual machine there are Guest OS, includes exception processing module again in Guest OS, abnormal Processing module to Guest OS in the process of running due to Software for Design mistake and caused exception is handled, such as except zero different Often, illegal instruction exceptions " etc..
In specific implementation process, each client virtual machine provides virtualization running environment, visitor for Guest OS Operating system on the system virtual machine of family carries out security protection to the important kernel code in virtual machine, and peace is provided for Guest OS All risk insurance hinders, but for any one client virtual machine, if virtual machine running environment cannot get safety guarantee, by difficulty To ensure Guest OS normal operation, therefore, the application adds health control subsystem in health monitoring virtual machine, it is good for Kang Guanli subsystems can be arranged between client virtual machine and VMM, and other one layer is provided for each client virtual machine Safety guarantee, it can be analyzed for abnormal caused by Guest OS by health control subsystem, if health control is sub System determines that abnormal is due to caused by the out-of-limit operation for the kernel code that Guest OS are limited to operating right in virtual machine, then Out-of-limit operations of the Guest OS to kernel code can be refused, so as to ensure the security of kernel code in virtual machine, ensured Guest OS robustness.
Specifically, as shown in pointing to the arrow in Fig. 3, caused exception is got by CPU first in Guest OS, CPU The core health control module that will be sent to extremely in VMM again, core health control module obtain abnormal contextual information, if Core health control module according to abnormal contextual information determine the exception be as caused by health control subsystem, then can be right Handled extremely caused by health control subsystem, such as, operate what is handled to out-of-limit for health control subsystem During caused stack overflow it is abnormal, core health control module can will handle appointing for out-of-limit operation in health control subsystem Business is hung up, or task of out-of-limit operation is handled in health control subsystem is restarted.If core health control module root According to abnormal contextual information determine the exception be not as caused by health control subsystem, then can by exception contextual information Health control subsystem is sent to, further, the memory pages that health control subsystem is obtained in abnormal contextual information are wrong Address by mistake, if memory pages mistake address is included in address field corresponding to the limited kernel code of the operating right pre-saved In and Guest OS there are access rights to the kernel code in the address field, it is determined that the exception is to void by Guest OS In plan machine caused by the out-of-limit operation of the limited kernel code of operating right, there is safety in this explanation Guest OS running environment Hidden danger, it can now refuse out-of-limit operations of the Guest OS to kernel code.
Alternatively, when refusing out-of-limit operations of the Guest OS to kernel code, health control subsystem, which may determine that, is It is no user-defined abnormality processing function to be present, if in the presence of, can call user-defined abnormality processing function to more Limit operation is handled;Otherwise, refusal produce this it is abnormal when the operational order that performs of Guest OS.
In addition, in specific implementation process, if health control subsystem determines that abnormal is not to virtual machine by Guest OS Caused by the out-of-limit operation of the limited kernel code of middle operating right, then it can be incited somebody to action by the inter-domain communication management module in VMM Abnormal contextual information, which is sent to, produces abnormal Guest OS, by the exception processing module in Guest OS to abnormal progress Processing.
In specific implementation process, health control subsystem can be handled abnormal according to the flow shown in Fig. 4:
S401:Receive the abnormal contextual information that core health control module is sent.
Wherein, abnormal contextual information is to receive the exception of CPU transmissions by the core health control module in VMM The very first time is collected afterwards, and operational order when producing abnormal, the address, interior of operational order are included in abnormal contextual information Deposit pointer information in page fault address, task stack etc..
S402:Whether the exception for judging to receive is the kernel code being limited by Guest OS to operating right in virtual machine Out-of-limit operation caused by, if so, then entering S404;Otherwise, into S403.
In specific implementation process, the memory pages that health control subsystem can be obtained in abnormal contextual information are wrong Address by mistake, the division rule according to operating system to address field, determines the address field belonging to memory pages mistake address, if the ground Location section is a certain address field corresponding to the limited kernel code of the operating right pre-saved, and Guest OS are in the address field Kernel code but there are access rights, then illustrate that the exception should not occur in Guest OS, and be due to programming Person is caused there is provided access rights to kernel code in advance, thus may determine that the exception is to virtual machine by Guest OS Caused by the out-of-limit operation of the limited kernel code of middle operating right.
S403:Abnormal contextual information is delivered to the exception processing module in Guest OS.
Wherein it is possible to by the inter-domain communication management module in VMM, the contextual information of exception is delivered to Guest OS In exception processing module.
S404:User-defined abnormality processing function is judged whether, if so, then entering S405;Otherwise, enter S406。
S405:User-defined abnormality processing function is called to handle abnormal.
Such as user-defined abnormality processing function be present in certain pathological system, the abnormality processing function except The operational order that Guest OS are performed when being not responding to produce exception, can also be by the page jump of user's current accessed to specific page Face, it is more preferable not directly to user's guarantee, Consumer's Experience.
S406:The operation that Guest OS perform to virtual machine when refusal produces abnormal.
In addition, in above process, core health control module can also monitor and handle health control subsystem and adjust Caused secondary exception during being handled with user-defined abnormality processing function out-of-limit operation, such as, health Management subsystem is during calling user-defined abnormality processing function to handle out-of-limit operation and generation stack overflows Go out exception, now, core health control module can will handle the task suspension of out-of-limit operation in health control subsystem, or Task of out-of-limit operation is handled in health control subsystem is restarted, to ensure that health control subsystem can be transported normally OK.
Example IV
Based on same inventive concept, the exception under a kind of running environment with virtualization is additionally provided in the embodiment of the present application Exception handling device under virtualization running environment corresponding to reason method, because the device solves the principle of problem and the application reality The abnormality eliminating method applied under example virtualization running environment is similar, therefore the implementation of the device may refer to the implementation of method, weight Multiple part repeats no more.
As shown in figure 5, the exception handling device structure chart under the virtualization running environment provided for the embodiment of the present application, bag Include:
Monitoring modular 501, it is abnormal caused by the client operating system Guest OS run on a virtual machine for monitoring;
Processing module 502, if for the abnormal contextual information according to acquisition, determine the exception be by Caused by the out-of-limit operation for the kernel code that Guest OS are limited to operating right in virtual machine, then refuse Guest OS to described The out-of-limit operation of kernel code.
Alternatively, processing module 502 is specifically used for:
Determine that the exception is by kernel code limited to operating right in virtual machine Guest OS according to following steps Out-of-limit operation caused by:
Obtain the memory pages mistake address in the abnormal contextual information;
If the memory pages mistake address is included in ground corresponding to the limited kernel code of the operating right pre-saved In the section of location and Guest OS have access rights to the kernel code in the address field, it is determined that the exception is by Guest Caused by the out-of-limit operation for the kernel code that OS is limited to operating right in virtual machine.
Alternatively, processing module 502 is specifically used for:
Judge whether user-defined abnormality processing function;
If in the presence of, call the abnormality processing function to it is described it is out-of-limit operation handle;
Otherwise, the operational order that Guest OS are performed when refusal produces described abnormal;The operational order is from described different Obtained in normal contextual information.
Alternatively, monitoring modular 501, it is additionally operable to monitoring and is calling the abnormality processing function to carry out the out-of-limit operation Caused secondary exception during processing;
Processing module 502, it is additionally operable to handle the secondary exception.
Embodiment five
As shown in fig. 6, the hardware knot of the exception handling device under the virtualization running environment provided for the embodiment of the present application Structure schematic diagram, including at least one processing unit 601 and at least one memory cell 602, wherein, memory cell is stored with Program code, when program code is performed by the processing unit so that processing unit is performed under above-mentioned virtualization running environment Abnormality eliminating method the step of.
Embodiment six
A kind of computer-readable recording medium that the embodiment of the present application provides, including program code, when program product is being counted When being run in calculation equipment, program code is used for the abnormality eliminating method for making electronic equipment perform under above-mentioned virtualization running environment Step.
It should be understood by those skilled in the art that, embodiments herein can be provided as method, system or computer program Product.Therefore, the application can use the reality in terms of complete hardware embodiment, complete software embodiment or combination software and hardware Apply the form of example.Moreover, the application can use the computer for wherein including computer usable program code in one or more The computer program production that usable storage medium is implemented on (including but is not limited to magnetic disk storage, CD-ROM, optical memory etc.) The form of product.
The application is with reference to according to the method, apparatus (system) of the embodiment of the present application and the flow of computer program product Figure and/or block diagram describe.It should be understood that can be by every first-class in computer program instructions implementation process figure and/or block diagram Journey and/or the flow in square frame and flow chart and/or block diagram and/or the combination of square frame.These computer programs can be provided The processors of all-purpose computer, special-purpose computer, Embedded Processor or other programmable data processing devices is instructed to produce A raw machine so that produced by the instruction of computer or the computing device of other programmable data processing devices for real The device for the function of being specified in present one flow of flow chart or one square frame of multiple flows and/or block diagram or multiple square frames.
These computer program instructions, which may be alternatively stored in, can guide computer or other programmable data processing devices with spy Determine in the computer-readable memory that mode works so that the instruction being stored in the computer-readable memory, which produces, to be included referring to Make the manufacture of device, the command device realize in one flow of flow chart or multiple flows and/or one square frame of block diagram or The function of being specified in multiple square frames.
These computer program instructions can be also loaded into computer or other programmable data processing devices so that counted Series of operation steps is performed on calculation machine or other programmable devices to produce computer implemented processing, so as in computer or The instruction performed on other programmable devices is provided for realizing in one flow of flow chart or multiple flows and/or block diagram one The step of function of being specified in individual square frame or multiple square frames.
Although having been described for the preferred embodiment of the application, those skilled in the art once know basic creation Property concept, then can make other change and modification to these embodiments.So appended claims be intended to be construed to include it is excellent Select embodiment and fall into having altered and changing for the application scope.
Obviously, those skilled in the art can carry out the essence of various changes and modification without departing from the application to the application God and scope.So, if these modifications and variations of the application belong to the scope of the application claim and its equivalent technologies Within, then the application is also intended to comprising including these changes and modification.

Claims (12)

  1. A kind of 1. abnormality eliminating method virtualized under running environment, it is characterised in that including:
    Monitor abnormal caused by the client operating system Guest OS run on a virtual machine;
    If according to the abnormal contextual information of acquisition, it is to operating rights in virtual machine by Guest OS to determine the exception Caused by the out-of-limit operation of the limited kernel code of limit, then refuse out-of-limit operations of the Guest OS to the kernel code.
  2. 2. the method as described in claim 1, it is characterised in that determine that the exception is by Guest OS couple according to following steps In virtual machine caused by the out-of-limit operation of the limited kernel code of operating right:
    Obtain the memory pages mistake address in the abnormal contextual information;
    If the memory pages mistake address is included in address field corresponding to the limited kernel code of the operating right pre-saved In and Guest OS there are access rights to the kernel code in the address field, it is determined that the exception is by Guest OS couple In virtual machine caused by the out-of-limit operation of the limited kernel code of operating right.
  3. 3. the method as described in claim 1, it is characterised in that out-of-limit operations of the refusal Guest OS to the kernel code, Including:
    Judge whether user-defined abnormality processing function;
    If in the presence of, call the abnormality processing function to it is described it is out-of-limit operation handle;
    Otherwise, the operational order that Guest OS are performed when refusal produces described abnormal;The operational order is from described abnormal Obtained in contextual information.
  4. 4. method as claimed in claim 3, it is characterised in that also include:
    Monitor and handle caused secondary during calling the abnormality processing function to handle the out-of-limit operation It is abnormal.
  5. A kind of 5. exception handling device virtualized under running environment, it is characterised in that including:
    Monitoring modular, it is abnormal caused by the client operating system Guest OS run on a virtual machine for monitoring;
    Processing module, if for the abnormal contextual information according to acquisition, it is by Guest OS couple to determine the exception In virtual machine caused by the out-of-limit operation of the limited kernel code of operating right, then refuse Guest OS to the kernel code Out-of-limit operation.
  6. 6. device as claimed in claim 5, it is characterised in that the processing module is specifically used for:
    Determine that the exception is getting over by the Guest OS kernel codes being limited to operating right in virtual machine according to following steps Caused by limit operation:
    Obtain the memory pages mistake address in the abnormal contextual information;
    If the memory pages mistake address is included in address field corresponding to the limited kernel code of the operating right pre-saved In and Guest OS there are access rights to the kernel code in the address field, it is determined that the exception is by Guest OS couple In virtual machine caused by the out-of-limit operation of the limited kernel code of operating right.
  7. 7. device as claimed in claim 5, it is characterised in that the processing module is specifically used for:
    Judge whether user-defined abnormality processing function;
    If in the presence of, call the abnormality processing function to it is described it is out-of-limit operation handle;
    Otherwise, the operational order that Guest OS are performed when refusal produces described abnormal;The operational order is from described abnormal Obtained in contextual information.
  8. 8. device as claimed in claim 7, it is characterised in that also include:
    The monitoring modular, monitoring is additionally operable in the process for calling the abnormality processing function to handle the out-of-limit operation In caused secondary exception;
    The processing module, it is additionally operable to handle the secondary exception.
  9. A kind of 9. abnormality processing system virtualized under running environment, it is characterised in that including:Virtual machine manager, at least one Individual first virtual machine and second virtual machine for being used to carry out at least one first virtual machine security protection, its In:
    The virtual machine manager, for each first virtual machine, monitoring the guest operation run on first virtual machine It is abnormal caused by system Guest OS;The abnormal contextual information of acquisition is sent to second virtual machine;
    Second virtual machine, for receiving the abnormal contextual information;If according to the abnormal contextual information, really The fixed exception be as caused by the out-of-limit operation of the Guest OS kernel codes being limited to operating right in first virtual machine, Then refuse out-of-limit operations of the Guest OS to the kernel code.
  10. 10. system as claimed in claim 9, it is characterised in that second virtual machine is specifically used for:
    Obtain the memory pages mistake address in the abnormal contextual information;
    If the memory pages mistake address is included in address field corresponding to the limited kernel code of the operating right pre-saved In and Guest OS there are access rights to the kernel code in the address field, it is determined that the exception is by Guest OS couple In first virtual machine caused by the out-of-limit operation of the limited kernel code of operating right.
  11. 11. system as claimed in claim 9, it is characterised in that second virtual machine is specifically used for:
    Judge whether user-defined abnormality processing function;
    If in the presence of, call the abnormality processing function to it is described it is out-of-limit operation handle;
    Otherwise, the operational order that Guest OS are performed when refusal produces described abnormal;The operational order is from described abnormal Obtained in contextual information.
  12. 12. system as claimed in claim 11, it is characterised in that the virtual machine manager is additionally operable to:
    Monitor and handle caused secondary during calling the abnormality processing function to handle the out-of-limit operation It is abnormal.
CN201710554394.9A 2017-07-03 2017-07-03 Exception handling method, device and system in virtualized operation environment Active CN107450962B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710554394.9A CN107450962B (en) 2017-07-03 2017-07-03 Exception handling method, device and system in virtualized operation environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710554394.9A CN107450962B (en) 2017-07-03 2017-07-03 Exception handling method, device and system in virtualized operation environment

Publications (2)

Publication Number Publication Date
CN107450962A true CN107450962A (en) 2017-12-08
CN107450962B CN107450962B (en) 2020-04-24

Family

ID=60487786

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710554394.9A Active CN107450962B (en) 2017-07-03 2017-07-03 Exception handling method, device and system in virtualized operation environment

Country Status (1)

Country Link
CN (1) CN107450962B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109684829A (en) * 2018-12-04 2019-04-26 中国科学院数据与通信保护研究教育中心 Service call monitoring method and system in a kind of virtualized environment
CN109828827A (en) * 2018-11-22 2019-05-31 海光信息技术有限公司 A kind of detection method, device and relevant device
CN111240898A (en) * 2020-01-09 2020-06-05 中瓴智行(成都)科技有限公司 Hypervisor-based black box implementation method and system
CN113268726A (en) * 2020-02-17 2021-08-17 华为技术有限公司 Program code execution behavior monitoring method and computer equipment
CN114327648A (en) * 2021-12-16 2022-04-12 北京安天网络安全技术有限公司 Drive debugging method and device, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102231138A (en) * 2011-07-08 2011-11-02 上海交通大学 Accurate memory data acquisition system and method of computer
CN103996004A (en) * 2014-06-12 2014-08-20 浪潮电子信息产业股份有限公司 Highly-available system design method based on virtualization
US20150378633A1 (en) * 2014-06-30 2015-12-31 Intel Corporation Method and apparatus for fine grain memory protection
CN105354155A (en) * 2015-12-03 2016-02-24 上海高性能集成电路设计中心 Memory access authority control method based on page table checking mechanism
CN105740046A (en) * 2016-01-26 2016-07-06 华中科技大学 Virtual machine process behavior monitoring method and system based on dynamic library
CN106203082A (en) * 2016-06-29 2016-12-07 上海交通大学 The system and method efficiently isolating kernel module based on virtualization hardware characteristic

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102231138A (en) * 2011-07-08 2011-11-02 上海交通大学 Accurate memory data acquisition system and method of computer
CN103996004A (en) * 2014-06-12 2014-08-20 浪潮电子信息产业股份有限公司 Highly-available system design method based on virtualization
US20150378633A1 (en) * 2014-06-30 2015-12-31 Intel Corporation Method and apparatus for fine grain memory protection
CN105354155A (en) * 2015-12-03 2016-02-24 上海高性能集成电路设计中心 Memory access authority control method based on page table checking mechanism
CN105740046A (en) * 2016-01-26 2016-07-06 华中科技大学 Virtual machine process behavior monitoring method and system based on dynamic library
CN106203082A (en) * 2016-06-29 2016-12-07 上海交通大学 The system and method efficiently isolating kernel module based on virtualization hardware characteristic

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109828827A (en) * 2018-11-22 2019-05-31 海光信息技术有限公司 A kind of detection method, device and relevant device
CN109828827B (en) * 2018-11-22 2023-10-27 海光信息技术股份有限公司 Detection method, detection device and related equipment
CN109684829A (en) * 2018-12-04 2019-04-26 中国科学院数据与通信保护研究教育中心 Service call monitoring method and system in a kind of virtualized environment
CN109684829B (en) * 2018-12-04 2020-12-04 中国科学院数据与通信保护研究教育中心 Service call monitoring method and system in virtualization environment
CN111240898A (en) * 2020-01-09 2020-06-05 中瓴智行(成都)科技有限公司 Hypervisor-based black box implementation method and system
CN111240898B (en) * 2020-01-09 2023-08-15 中瓴智行(成都)科技有限公司 Method and system for realizing black box based on Hypervisor
CN113268726A (en) * 2020-02-17 2021-08-17 华为技术有限公司 Program code execution behavior monitoring method and computer equipment
WO2021164271A1 (en) * 2020-02-17 2021-08-26 华为技术有限公司 Method for monitoring program code execution behavior, and computer device
CN113268726B (en) * 2020-02-17 2023-10-20 华为技术有限公司 Method for monitoring program code execution behavior and computer equipment
CN114327648A (en) * 2021-12-16 2022-04-12 北京安天网络安全技术有限公司 Drive debugging method and device, electronic equipment and storage medium
CN114327648B (en) * 2021-12-16 2024-02-02 北京安天网络安全技术有限公司 Driving debugging method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN107450962B (en) 2020-04-24

Similar Documents

Publication Publication Date Title
CN107450962A (en) Abnormality eliminating method, apparatus and system under a kind of virtualization running environment
US9935971B2 (en) Mitigation of virtual machine security breaches
US11652852B2 (en) Intrusion detection and mitigation in data processing
AU2015312382B2 (en) Systems and methods for network analysis and reporting
CN109831420B (en) Method and device for determining kernel process permission
US9129108B2 (en) Systems, methods and computer programs providing impact mitigation of cyber-security failures
CN104321748B (en) For catching the mthods, systems and devices of the error condition in light weight virtual machine manager
CN103902885B (en) Towards multi-security level(MSL) virtual desktop system secure virtual machine shielding system and method
US9594881B2 (en) System and method for passive threat detection using virtual memory inspection
US20140026231A1 (en) Self-generation of virtual machine security clusters
US10412109B2 (en) Method for detecting vulnerabilities in a virtual production server of a virtual or cloud computer system
US9817970B2 (en) Method for detecting attacks on virtual machines
CN111191226B (en) Method, device, equipment and storage medium for determining program by utilizing right-raising loopholes
CN107580703B (en) Migration service method and module for software module
CN111683047A (en) Unauthorized vulnerability detection method and device, computer equipment and medium
CN104866407A (en) Monitoring system and method in virtual machine environment
CN106650438A (en) Method and device for detecting baleful programs
CN106528415A (en) Software compatibility test method, business platform and system
CN111124615A (en) Virtual machine migration method, device, equipment and computer readable storage medium
US11258816B2 (en) Managing firewall rules based on triggering statistics
CN111181771A (en) Security changing abnormity positioning method and device based on fort machine and electronic equipment
CN102122330A (en) ''In-VM'' malicious code detection system based on virtual machine
US10860712B2 (en) Entropy based security detection system
US20230097770A1 (en) Authorization monitor to detect privilege usage patterns
CN107516039A (en) The safety protecting method and device of virtualization system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20171208

Assignee: Kedong (Guangzhou) Software Technology Co., Ltd

Assignor: Beijing Dongtu Technology Co., Ltd.|Beijing keyin Jingcheng Technology Co., Ltd

Contract record no.: X2020980000255

Denomination of invention: Exception handling method, apparatus and system in virtual operating environment

License type: Exclusive License

Record date: 20200218

EE01 Entry into force of recordation of patent licensing contract
GR01 Patent grant
GR01 Patent grant