CN107479946A - Interactive behavior monitoring scheme of kernel module - Google Patents
Interactive behavior monitoring scheme of kernel module
- Publication number
- CN107479946A
- Authority
- CN
- China
- Prior art keywords
- kernel
- module
- monitoring
- interbehavior
- function
- Prior art date
- Legal status
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45591—Monitoring or debugging support
Abstract
The present invention relates to an interactive behavior monitoring scheme for kernel modules. Using the VMFUNC mechanism of hardware virtualization, the VMM-level EPT page tables can be switched without trapping into the virtual machine monitor (VMM), which reduces the number of traps into the VMM; the monitoring program is placed in the address space of the guest OS, so that monitoring no longer requires trapping into the VMM; and the unnecessary virtualization performed by the VMM is removed, so that the guest OS interacts with the hardware directly and needless performance overhead is avoided. The method reduces the number of traps into the VMM during system operation, improves the isolation performance of kernel modules, and can improve the security of the kernel.
Description
Technical field
The present invention relates to the isolation and monitoring of untrusted operating-system kernel extension modules, and in particular to an interactive behavior monitoring scheme for kernel modules.
Background technology
Research shows that kernel modules are the main source of kernel vulnerabilities. In the Windows XP operating system, 85% of kernel vulnerabilities come from kernel modules; in the Linux operating system, the error rate of kernel modules is more than 7 times that of the main kernel. According to CVE reports, two thirds of kernel vulnerabilities originate in kernel modules or drivers. An untrusted kernel extension module runs at the same privilege level as the main kernel: it can call any kernel function and modify any kernel data, so the security of the kernel is under threat. Isolating kernel extension modules and monitoring their behavior therefore helps improve the security of the kernel and of the operating system as a whole. Current isolation schemes for kernel modules fall into two classes: those based on virtualization technology and those based on non-virtualization technology. Virtualization-based schemes provide good compatibility and security, whereas isolation schemes based on non-virtualization technology are easily bypassed by malware, so virtualization-based isolation is the mainstream. Existing virtualization-based isolation schemes, however, still have problems, such as a large performance overhead caused by frequent switching between privilege levels.
The content of the invention
The invention provides a kernel interactive behavior monitoring scheme based on virtualization technology, so that the isolation and monitoring of untrusted kernel extension modules during system operation become more efficient and more secure.
To achieve the above object, the present invention adopts the following technical scheme: a monitoring system for kernel module interactive behavior whose components are a kernel module isolator, a kernel interaction monitoring module and a kernel module interface. The key operations of the scheme are as follows:
(1) Initialization of the kernel module isolator: when the operating system starts, the virtualized environment is configured. The actions include enabling the extended page table (EPT) mechanism and the VMFUNC mechanism provided by Intel processors, and establishing the two sets of EPT page tables that support isolation of the kernel address space. After initialization, the isolator waits for kernel modules to be loaded.
(2) Extraction and rewriting of kernel functions: for a kernel module that is to be monitored, the kernel functions used by the module are extracted and the calls to them are rewritten, so that the kernel interaction monitoring module can monitor the module's interactive behavior (that is, its calls to kernel functions).
(3) Set-up of the monitoring module: the monitoring module monitors the whole system. First the data space the monitoring module needs at run time is allocated; then, according to the extracted set of called kernel functions, the two logical parts of the monitoring module, the detection program and the kernel module interface, are generated in a page-aligned way. The kernel module interface performs the control-flow switch between the kernel extension module and the main kernel.
(4) Set-up of kernel and monitoring module protection: when a kernel module is loaded, the kernel hook set in the loading procedure is triggered. The kernel hook first obtains the address layout of the kernel space, then calls the kernel interface provided by the kernel module isolator to complete the set-up of the two sets of EPT page tables, protecting the monitoring module and the kernel and thereby realizing isolation.
(5) Monitoring of kernel module interactive behavior: because the module has been rewritten, the kernel interaction monitoring module monitors every interaction between the kernel extension module and the kernel. When the kernel extension module calls a kernel function, the function interface of the intermediate module is called first, detection is then performed, and finally the real kernel function is called.
Compared with the prior art, the present invention has the following advantages:
This method proposes an interactive behavior monitoring scheme for kernel modules. Using the VMFUNC mechanism of hardware virtualization, the VMM-level EPT page tables can be switched without trapping into the virtual machine monitor (VMM), which reduces the number of traps into the VMM; the monitoring program is placed in the address space of the guest OS, so that monitoring no longer requires trapping into the VMM; and the unnecessary virtualization performed by the VMM is removed, so that the guest OS interacts with the hardware directly and needless performance overhead is avoided.
Because the method reduces the number of traps into the VMM during system operation, the isolation performance of kernel modules is improved. In addition, the structure of the method is designed so that an untrusted kernel extension module cannot call arbitrary kernel code through instructions such as call or jmp: the untrusted kernel extension module's calls to kernel functions must obey the principle that call and ret are used in pairs. The method therefore improves the isolation performance of kernel modules and the security of the kernel.
Brief description of the drawings
The present invention is described in detail below with reference to the accompanying drawings.
Fig. 1: Structural diagram of the interactive behavior monitoring scheme for kernel modules.
Fig. 2: Configuration flowchart of the kernel module monitoring structure.
Fig. 3: Initialization flowchart of the kernel module isolator.
Fig. 4: Flowchart of kernel function extraction and rewriting.
Fig. 5: Set-up flowchart of the monitoring module.
Fig. 6: Set-up flowchart of kernel and monitoring module protection.
Fig. 7: Interactive behavior monitoring flowchart for a kernel extension module calling a kernel function.
Fig. 8: Interactive behavior flowchart for the kernel calling a kernel extension module.
Embodiment
The invention is further described below with reference to specific embodiments.
As shown in Fig. 1, the present invention proposes a monitoring system for kernel module interactive behavior whose components are three parts: the kernel module isolator, the kernel interaction monitoring module and the kernel module interface. While the whole system runs, every control-flow transfer first passes through the monitoring module; after the monitoring module has performed its detection, it hands control flow to the real kernel function that is to be called.
The kernel module isolator is essentially a lightweight virtual machine monitor (VMM) whose purpose is to isolate and protect kernel modules. At the VMM level it maintains two different sets of EPT page tables, so that isolation and protection are in force while different kernel modules run. The VMM provides an EPT permission-setting interface to the guest OS. When a kernel module is loaded, a kernel hook calls the EPT permission interface to set the EPT page tables, thereby isolating and protecting the kernel module. At the same time, the kernel module isolator enables the VMFUNC mechanism, so that the EPT page tables can be switched while the kernel module runs without trapping into the VMM.
The kernel module interface implements the control-flow switch between the kernel extension module and the monitoring module, and is likewise protected by the kernel module isolator. When the kernel extension module calls a kernel function, the kernel module interface first switches the EPT page tables, then switches the kernel stack, and after the switch calls the detection program in the monitoring module to check the behavior of the kernel extension module. When a function in the kernel calls the kernel module, the EPT page tables are switched first, then the kernel stack is switched, and after the switch the function in the kernel module is called.
The function of the monitoring module is to monitor kernel call behavior. By analyzing information such as the parameters of kernel calls, it monitors the kernel or records the relevant information. If no anomaly is found, control flow is transferred to the real kernel function; if an anomaly is found, it is reported.
During system operation, when the kernel extension module calls a kernel function, the rewriting causes the kernel module interface of the intermediate module to be called first. The kernel module interface switches the EPT page tables and the kernel stack, then calls the kernel detection program to analyze or record the call behavior. If an anomaly is found it is reported; if not, the kernel function that was actually called is invoked.
Fig. 2 shows the configuration flowchart of the kernel module monitoring structure. This flow is the core set-up flow for establishing the whole kernel module monitoring system, from loading the isolator, through generation of the monitoring module, to the final protection of the kernel module; following it, the whole system can be set up. The specific flow is as follows. Step 20 is the initial state. Step 21 is the initialization of the kernel module isolator. This step is completed when the kernel starts, loading together with the operating system kernel; once it completes, there is one more virtualization layer below the operating system. The specific handling process is shown in Fig. 3. Step 22 is the extraction and rewriting of kernel functions. This step needs the source code of the kernel module; on completion it yields the set of kernel functions called by the kernel module and the rewritten operating-system module. The specific handling process is shown in Fig. 4. Step 23 is the set-up of the monitoring module. Based on the set of called kernel functions obtained in the previous step and on the execution logic of the monitoring module, this step generates and loads the monitoring module. The specific handling process is shown in Fig. 5. Step 24 is the set-up of kernel and monitoring module protection. This step completes the isolation and protection of the kernel space; the specific flow is shown in Fig. 6. Step 25 is the end state. At this point the configuration of the kernel module monitoring structure is complete, and whenever the kernel extension module interacts with the kernel, monitoring is triggered; the specific control-flow execution is shown in Figs. 7 and 8.
Fig. 3 is the initialization flowchart of the kernel module isolator. Set-up according to this flow creates the kernel module isolator. Through hardware-related settings, the flow supports isolation of kernel modules and switching of EPT page tables at the hardware level, and eliminates unnecessary virtualization so that the guest OS can access the hardware directly, ensuring both the security and the efficiency of the system. The specific flow is as follows. Step 30 is the initial state. Step 31 is the configuration of the VMCS and its related data structures. Once the VMCS is configured, the guest OS can access the hardware directly at run time without the participation of the kernel module isolator; this step ensures that the guest OS need not trap into the VMM when it interacts with the hardware, reducing the number of traps into the VMM. Step 32 enables the processor's extended page table (EPT) mechanism and VMFUNC mechanism, specifically by setting the Enable EPT bit and the Enable VM Func bit of the VMCS to 1; once both are on, kernel module isolation and efficient switching become possible. Step 33 is the creation and set-up of the EPT page tables. All EPT entries are set according to the guest OS physical address size, the page size is set to 4KB, and the READ, WRITE and EXECUTE bits of all EPT entries are initialized to 1, giving an identity mapping between guest OS guest-physical addresses and machine physical addresses; the base address of the EPT page tables, g_eptp, is stored in the EPTP field of the virtual machine control structure (VMCS). Step 34 enables the EPTP switching mechanism and loads the EPT page tables. Bit 0 of the VM-function controls field of the VMCS is set to 1 to enable EPTP switching, an EPTP list of 4KB is allocated, and g_eptp is stored at index 0 of the EPTP list. Step 35 is the end state. At this point the kernel module isolator is initialized and waits for the monitored kernel module to be loaded.
Fig. 4 is the flowchart of kernel function extraction and rewriting. Control-flow redirection is achieved by rewriting the kernel module source code: when the code runs again, control flow is redirected to the interface of the monitoring module, so that control flow is intercepted. The specific flow is as follows. Step 40 is the initial state. Step 41 extracts the functions of the kernel module that are to be checked. The source code of the kernel extension module is analyzed by a comparison process: every function in the kernel module source code is compared one by one against the kernel functions, and those that are kernel functions are extracted. On completion of this step, the result is the set SetFunctionName of kernel functions called by the kernel module. Step 42 is the rewriting of the kernel functions used in the kernel extension module. The functions in the kernel extension module are rewritten according to a naming rule agreed in advance, so that they are redirected to the function interface provided by the monitoring module; thereafter, when the kernel extension module calls a kernel function, the call is redirected to the interface of the monitoring module. On completion of this step, the result is the modified kernel module code. Step 43 is the end state. At this point extraction and rewriting of the kernel extension module are finished, and a new kernel extension module has been obtained.
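The comparison-and-rewrite step above, as an added C example that is not the patent's code: a constructed module source is scanned for identifiers followed by `(`, each is compared against a constructed list of kernel function names, the matches are collected as SetFunctionName, and every call site is rewritten to the monitoring module's interface. The naming rule (prefix `mon_`) and the kernel function list are assumptions, since the page says only that the rule is agreed in advance.

```c
/* Added example (not the patent's code): Steps 41 and 42 on a constructed
 * module source. Each identifier followed by '(' is compared against a list
 * of kernel function names; matches form SetFunctionName and every call
 * site is rewritten to the monitoring module's interface. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed subset of the kernel's exported functions. */
static const char *g_kernel_funcs[] = { "kmalloc", "kfree", "printk",
                                        "copy_from_user" };
#define NKFUNCS (sizeof g_kernel_funcs / sizeof g_kernel_funcs[0])

/* Assumed naming rule: a call f(...) becomes mon_f(...). The page only says
 * the rule is agreed in advance between rewriter and monitoring module. */
#define MON_PREFIX "mon_"

/* SetFunctionName: the kernel functions the module actually calls. */
struct func_set { const char *names[NKFUNCS]; size_t n; };

int set_contains(const struct func_set *s, const char *name) {
    for (size_t i = 0; i < s->n; i++)
        if (strcmp(s->names[i], name) == 0) return 1;
    return 0;
}
static void set_add(struct func_set *s, const char *name) {
    if (!set_contains(s, name)) s->names[s->n++] = name;
}

/* Exact-length match of an identifier against the kernel list. */
static const char *kernel_func_lookup(const char *id, size_t len) {
    for (size_t i = 0; i < NKFUNCS; i++)
        if (strlen(g_kernel_funcs[i]) == len &&
            memcmp(g_kernel_funcs[i], id, len) == 0)
            return g_kernel_funcs[i];
    return NULL;
}

/* One pass over src; the rewritten source goes to out (capacity outsz).
 * Returns the number of call sites rewritten, or -1 if out is too small.
 * Only direct calls `name(` are matched: taking a kernel function's address
 * is not a call site here, which is why the scheme also relies on the EPT
 * trap for any call that bypasses the interface. */
int extract_and_rewrite(const char *src, char *out, size_t outsz,
                        struct func_set *set) {
    size_t o = 0, plen = strlen(MON_PREFIX);
    int rewritten = 0;
    const char *p = src;
    while (*p) {
        if (isalpha((unsigned char)*p) || *p == '_') {
            const char *start = p;
            while (isalnum((unsigned char)*p) || *p == '_') p++;
            size_t len = (size_t)(p - start);
            const char *q = p;
            while (*q == ' ' || *q == '\t') q++;      /* allow "kfree (x)" */
            const char *kf = (*q == '(') ? kernel_func_lookup(start, len) : NULL;
            if (kf) {
                if (o + plen >= outsz) return -1;
                memcpy(out + o, MON_PREFIX, plen);
                o += plen;
                set_add(set, kf);
                rewritten++;
            }
            if (o + len >= outsz) return -1;
            memcpy(out + o, start, len);
            o += len;
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    return rewritten;
}

/* Constructed module source: four kernel call sites and one look-alike
 * (my_kfree) that must not be touched. */
const char g_sample_src[] =
    "int mod_init(void) {\n"
    "    char *buf = kmalloc(64, 0);\n"
    "    printk(\"loaded\\n\");\n"
    "    kfree(buf); kfree (buf);\n"
    "    my_kfree(buf);\n"
    "    return 0;\n}\n";

int main(void) {
    char out[512];
    struct func_set set = { { 0 }, 0 };
    int n = extract_and_rewrite(g_sample_src, out, sizeof out, &set);
    printf("%d call sites rewritten, %zu kernel functions used:\n%s", n, set.n, out);
    return 0;
}
```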
Fig. 5 is the set-up flowchart of the monitoring module. The purpose of this flow is to generate the monitoring module; it mainly concerns the code organization of the monitoring module and the monitoring flow. The specific flow is as follows. Step 50 is the initial state. Step 51 allocates the data space the monitoring module needs at run time. This space holds the data recorded during detection and some data saved during security-domain switches; the saved data are mainly the kernel stack and the function call parameters, and if a parameter is a pointer, the content it points to is recorded as well. The initial size of the space is 4MB; when the allocated space is full, twice as much is allocated. Step 52 is the organization of the monitoring module code. The code of the monitoring module is organized according to the logical form in which it executes; the detailed execution flow is shown in Figs. 7 and 8. Step 53 is the compilation and loading of the monitoring module. After the code for the kernel extension module has been organized according to the above logic, it is compiled to generate the monitoring module; once generated, the monitoring module can be loaded into memory, where it waits for the monitored module to be loaded. Step 54 is the end state.
Fig. 6 is the set-up flowchart of kernel and monitoring module protection. The purpose of this flow is to isolate the monitored module and to protect the kernel and the monitoring module; the isolation settings for the kernel module should be made after the monitored module has been loaded. The specific flow is as follows. Step 60 is the initial state. Step 61 is the loading of the monitoring module and the kernel extension module. The monitoring module is loaded first, and after it has been loaded the monitored module is loaded; loading of a kernel module is done with the sudo insmod command. Step 62 is the acquisition of the kernel physical address space. First the linear addresses of the kernel address space are obtained using kernel functions provided by the kernel, in the form of an array of <addr, len> entries, where addr is the starting address of kernel code and len is the length of the kernel code; then the corresponding physical addresses are obtained from the linear addresses through the guest-space page tables. On completion of this step, the result is the physical addresses of the kernel address space. Step 63 is the setting of EPT page table permissions. According to the acquired layout of the kernel address space, the EPT page table permissions are set to realize isolation between kernel modules; on completion of this step, isolation between kernel modules is realized at the virtualization layer. Step 64 is the end state.
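As an added illustration that is not the patent's code, the following user-space C model mirrors the isolator's EPT set-up of Steps 33 and 34, the permission setting of Step 63 and the VMFUNC EPTP switch of Steps 71 and 81, and shows why the page-aligned split of the monitoring module into detection program and interface lets the two receive different permissions. Assumptions, all labelled in the comments: since the page loads list index 1 when the module calls the kernel and index 0 when the kernel calls the module, the model treats g_eptp at index 0 as the view in force while the module runs and restricts it in Step 63, while index 1 holds the full view for kernel and monitor; the page layout, page count, the execute-only interface and the read-only kernel data are constructed.

```c
/* Added example (not the patent's code): user-space model of the two EPT
 * views and of the EPTP switch done by VMFUNC leaf 0. Guest memory is
 * reduced to NPAGES identity-mapped 4KB pages carrying EPT R/W/X bits. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SHIFT        12
#define NPAGES            8     /* constructed: 8 guest-physical pages     */
#define EPTP_LIST_ENTRIES 512   /* 4KB EPTP list, 8 bytes per entry        */

enum { EPT_R = 1, EPT_W = 2, EPT_X = 4, EPT_RWX = 7 };

/* Constructed layout. The monitoring module is page-aligned into its two
 * parts (detection program, module interface) so they can differ in EPT. */
enum { PG_KCODE, PG_KDATA, PG_IFACE, PG_DETECT, PG_MODCODE, PG_MODDATA,
       PG_STACK_KERNEL, PG_FREE };

struct ept_view { uint8_t perm[NPAGES]; };            /* one set of tables */

static struct ept_view  g_eptp;                        /* Step 33 tables    */
static struct ept_view  g_eptp_full;                   /* second set        */
static struct ept_view *g_eptp_list[EPTP_LIST_ENTRIES]; /* Step 34 list    */
static unsigned         g_cur_index;                   /* index now loaded  */

/* Steps 33-34: identity map, every entry RWX, g_eptp at list index 0. */
void isolator_init(void) {
    memset(g_eptp.perm, EPT_RWX, NPAGES);
    memset(g_eptp_list, 0, sizeof g_eptp_list);
    g_eptp_list[0] = &g_eptp;
    g_cur_index = 0;
}

/* Step 63. Assumption: index 0 (g_eptp) is the view loaded while the module
 * runs (Step 81 loads index 0 before calling into the module), so kernel
 * code, the detection program and the saved kernel stack lose all access
 * there, as the Fig. 7 text requires; the interface trampoline stays
 * execute-only; index 1 keeps full access for kernel and monitor. */
void protect_kernel(void) {
    g_eptp.perm[PG_KCODE]        = 0;
    g_eptp.perm[PG_DETECT]       = 0;
    g_eptp.perm[PG_STACK_KERNEL] = 0;
    g_eptp.perm[PG_IFACE]        = EPT_X;
    g_eptp.perm[PG_KDATA]        = EPT_R;     /* assumption: read-only */
    memset(g_eptp_full.perm, EPT_RWX, NPAGES);
    g_eptp_list[1] = &g_eptp_full;
}

/* VMFUNC with EAX=0 (EPTP switching), ECX=index. Hardware VM-exits when the
 * index is >= 512 or the entry is invalid; modelled as -1, success as 0. */
int vmfunc_eptp_switch(unsigned index) {
    if (index >= EPTP_LIST_ENTRIES || g_eptp_list[index] == NULL)
        return -1;
    g_cur_index = index;
    return 0;
}

/* Access under the loaded view: 0 = allowed, 1 = EPT violation (the trap
 * the text relies on when the module bypasses the interface). */
int ept_access(uint64_t gpa, uint8_t want) {
    unsigned pfn = (unsigned)(gpa >> PAGE_SHIFT);
    if (pfn >= NPAGES)
        return 1;
    return (g_eptp_list[g_cur_index]->perm[pfn] & want) == want ? 0 : 1;
}

#if defined(__x86_64__)
/* The real instruction behind Steps 71 and 81 (opcode 0F 01 D4). Only valid
 * in a guest whose VMCS enables VM functions; never called by this model. */
static inline void vmfunc_hw(uint32_t eax_leaf, uint32_t ecx_index) {
    __asm__ volatile(".byte 0x0f, 0x01, 0xd4"
                     : : "a"(eax_leaf), "c"(ecx_index) : "memory");
}
#endif

/* Fig. 7: a direct call into kernel code while index 0 is loaded is trapped;
 * the same call after the interface loads index 1 (Step 71) is allowed. */
int scenario_direct_call_trapped(void) {
    isolator_init();
    protect_kernel();
    vmfunc_eptp_switch(0);
    return ept_access((uint64_t)PG_KCODE << PAGE_SHIFT, EPT_X);
}
int scenario_interface_call_allowed(void) {
    isolator_init();
    protect_kernel();
    vmfunc_eptp_switch(1);
    return ept_access((uint64_t)PG_KCODE << PAGE_SHIFT, EPT_X);
}

int main(void) {
    printf("direct call violates EPT: %d\n", scenario_direct_call_trapped());
    printf("call via interface violates EPT: %d\n", scenario_interface_call_allowed());
    printf("EPTP index 600 rejected: %d\n", vmfunc_eptp_switch(600));
    return 0;
}
```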
Fig. 7 is the interactive behavior monitoring flowchart for a kernel extension module calling a kernel function. When the kernel extension module calls a kernel function, the rewritten control flow first calls the interface function of the monitoring module. If the kernel extension module tries to bypass the monitoring module and call the kernel function directly, an EPT page table exception is raised, so control flow is intercepted by us: a direct call to a kernel function by the kernel extension module necessarily does not pass through the monitoring module and is therefore trapped, which ensures that every kernel function call made by the kernel extension module can be intercepted. As for the integrity of kernel code, the EPT page table permissions are set so that while the kernel extension module runs, the kernel code section is neither executable nor readable or writable; if the kernel extension module executes a kernel function directly or modifies kernel code directly, an EPT page table exception results, which ensures the integrity of the kernel code section. When control flow switches between the kernel extension module and the kernel, the stack is saved and switched, and the saved stack is protected by the EPT page tables, which ensures the integrity of the stack.
The specific flow is as follows. Step 70 represents the initial state. Step 71 is the switch of EPT page tables. First 0 is assigned to the eax register to indicate the EPT switching function, then the EPTP list index 1 that is to be loaded is assigned to ecx, and after the assignments the VMFUNC instruction is executed to switch the EPT page tables, so that loading different EPT page tables realizes isolation at run time. Step 72 is the saving of the current kernel stack: the contents of the kernel stack pointed to by rsp are copied to a pre-allocated region. Step 73 completes the switch of the kernel stack. For the security of the kernel data on the stack, different stacks are used when the kernel runs and when the kernel extension module runs; the stack pointers of the two stacks are stored in rsp_stack1 and rsp_stack2. First the rsp pointer is assigned to rsp_stack2, then rsp_stack1 is assigned to rsp. Step 74 calls the detection function. The detection function records the function call parameters and checks whether the addresses pointed to by pointer parameters are legal; if the function will read or write the address pointed to by a pointer parameter, it further judges from the other parameters whether the access crosses the bounds, and so obtains the result of whether security is normal. Step 75 judges whether the result is normal: if so, go to step 76, otherwise go to step 78. Step 76 calls the real kernel function and goes to step 77. Step 78 issues an exception report according to the security violation and goes to step 77. Step 77 is the end state.
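The checks of Step 74, as an added C example that is not the patent's code: a recorded call is checked against the kernel address layout of Step 62, given as <addr, len> entries, first for the legality of the pointer argument and then, when the function reads or writes through it, for bounds derived from the length argument; the rejection of writes into the kernel code region follows the integrity goal stated for Fig. 7. The regions, the function names, the writable flag and the per-function rule saying which argument is the pointer and which the length are constructed assumptions; the page does not specify them.

```c
/* Added example (not the patent's code): the detection function of Step 74
 * applied to a recorded call, using the <addr, len> layout of Step 62. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Step 62 output: kernel address layout as <addr, len> entries. Values are
 * constructed. `writable` is an assumption so that writes into the kernel
 * code section can be rejected, matching the integrity goal of Fig. 7. */
struct region { uint64_t addr; uint64_t len; int writable; };
static const struct region g_layout[] = {
    { 0xffffffff81000000ULL, 0x00a00000ULL, 0 },   /* kernel code (constructed) */
    { 0xffffffff82000000ULL, 0x00400000ULL, 1 },   /* kernel data (constructed) */
    { 0xffffffffc0000000ULL, 0x01000000ULL, 1 },   /* module area (constructed) */
};
#define NREGIONS (sizeof g_layout / sizeof g_layout[0])

/* Per-function rule (assumed shape): which argument is the pointer, which
 * argument bounds the access in bytes (-1 if none), and whether it writes. */
struct fn_rule { const char *name; int ptr_arg; int len_arg; int writes; };
static const struct fn_rule g_rules[] = {
    { "k_copy_out", 0, 2, 1 },   /* constructed: k_copy_out(dst, src, n) */
    { "k_read_buf", 0, 1, 0 },   /* constructed: k_read_buf(src, n)      */
    { "k_log",     -1, -1, 0 },  /* constructed: no pointer to check     */
};
#define NRULES (sizeof g_rules / sizeof g_rules[0])

/* Record saved by the interface before detection (Step 74 records the
 * parameters first, then checks them). */
struct call_rec { const char *fn; uint64_t arg[6]; int nargs; };

enum verdict { V_NORMAL = 0, V_UNKNOWN_FN, V_BAD_PTR, V_WRITE_RO, V_OUT_OF_BOUNDS };

/* Region containing [p, p + len), or NULL. Overflow-safe containment test. */
static const struct region *region_of(uint64_t p, uint64_t len) {
    for (size_t i = 0; i < NREGIONS; i++) {
        const struct region *r = &g_layout[i];
        if (p < r->addr)
            continue;
        uint64_t off = p - r->addr;
        if (off < r->len && len <= r->len - off)
            return r;
    }
    return NULL;
}

/* Step 74: legality of the pointer, then bounds of the access it implies. */
enum verdict detect(const struct call_rec *c) {
    const struct fn_rule *rule = NULL;
    for (size_t i = 0; i < NRULES; i++)
        if (strcmp(g_rules[i].name, c->fn) == 0)
            rule = &g_rules[i];
    if (!rule)
        return V_UNKNOWN_FN;            /* not in SetFunctionName */
    if (rule->ptr_arg < 0 || rule->ptr_arg >= c->nargs)
        return V_NORMAL;                /* nothing to dereference */
    uint64_t p = c->arg[rule->ptr_arg];
    const struct region *r = region_of(p, 1);
    if (!r)
        return V_BAD_PTR;               /* outside the kernel layout */
    if (rule->writes && !r->writable)
        return V_WRITE_RO;              /* would modify kernel code */
    if (rule->len_arg >= 0 && rule->len_arg < c->nargs &&
        !region_of(p, c->arg[rule->len_arg]))
        return V_OUT_OF_BOUNDS;         /* crosses the region end */
    return V_NORMAL;
}

static const char *verdict_str(enum verdict v) {
    static const char *s[] = { "normal", "unknown function", "illegal pointer",
                               "write to read-only kernel region", "out of bounds" };
    return s[v];
}

int main(void) {
    const struct call_rec calls[] = {   /* constructed sample calls */
        { "k_copy_out", { 0xffffffff82001000ULL, 0xffffffffc0000100ULL, 256 }, 3 },
        { "k_copy_out", { 0xffffffff823ffff0ULL, 0xffffffffc0000100ULL, 0x20 }, 3 },
        { "k_copy_out", { 0xffffffff81000000ULL, 0xffffffffc0000100ULL, 8 }, 3 },
        { "k_read_buf", { 0x0000000000001000ULL, 16 }, 2 },
    };
    for (size_t i = 0; i < sizeof calls / sizeof calls[0]; i++)
        printf("%s: %s\n", calls[i].fn, verdict_str(detect(&calls[i])));
    return 0;
}
```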
Fig. 8 is the interactive behavior flowchart for the kernel calling a function in the kernel module. Since this model assumes that the kernel extension module is untrusted and that the threat to the kernel comes from the kernel extension module, no detection needs to be done when the kernel calls a function in the kernel extension module, but the related protective measures must still be completed, namely the switch of EPT page tables, the saving of the stack and the switch of the stack. The specific flow is as follows. Step 80 represents the initial state. Step 81 is the switch of EPT page tables: first the value of eax is set to 0 and the value of ecx is set to 0, then the VMFUNC instruction is executed to switch the EPT page tables, so that loading different EPT page tables realizes isolation at run time. Step 82 is the saving of the current kernel stack: the contents of the stack pointed to by rsp are copied to a pre-allocated region. Step 83 completes the switch of the kernel stack: first the value of rsp is assigned to rsp_stack1, then the value of rsp_stack2 is assigned to rsp; using different stacks ensures the security of the kernel stack. Step 84 calls the real function in the kernel extension module. Step 85 is the end state.
The above is only a preferred embodiment of the present invention and does not limit the present invention in any form. Any simple modification, equivalent substitution or improvement made to the above embodiment by a person skilled in the art in accordance with the technical spirit of the present invention, without departing from the scope of the present invention, still falls within the protection scope of the technical solution of the present invention.
Claims (4)
- 1. An interactive behavior monitoring scheme for a kernel module, characterized in that: a monitoring system for kernel module interactive behavior has as its components a kernel module isolator, a kernel interaction monitoring module and a kernel module interface, and the key operations of the scheme are as follows: 1) initialization of the kernel module isolator: when the operating system starts, the virtualized environment is configured; 2) extraction and rewriting of kernel functions: for a kernel module that is to be monitored, the kernel functions used by the kernel module are extracted and the calls to them are rewritten, so that the kernel interaction monitoring module monitors the module's interactive behavior, namely its calls to kernel functions; 3) set-up of the monitoring module: the monitoring module monitors the whole system; the data space the monitoring module needs at run time is allocated first, then, according to the extracted set of called kernel functions, the two logical parts of the monitoring module, namely the detection program and the kernel module interface, are generated in a page-aligned way; 4) set-up of kernel and monitoring module protection: when a kernel module is loaded, the kernel hook set in the loading procedure is triggered; the kernel hook first obtains the address layout of the kernel space, then calls the kernel interface provided by the kernel module isolator to complete the set-up of the two sets of EPT page tables, protecting the monitoring module and the kernel and realizing isolation; 5) monitoring of kernel module interactive behavior: because the module has been rewritten, when the kernel extension module interacts with the kernel, the kernel interaction monitoring module monitors the interaction.
- 2. The interactive behavior monitoring scheme for a kernel module according to claim 1, characterized in that the initialization of the kernel module isolator includes: enabling the extended page table (EPT) mechanism and the VMFUNC mechanism provided by Intel processors, and establishing the two sets of EPT page tables that support isolation of the kernel space; after initialization, the isolator waits for kernel modules to be loaded.
- 3. The interactive behavior monitoring scheme for a kernel module according to claim 1, characterized in that, in the set-up of the monitoring module, the kernel module interface performs the control-flow switch between the kernel extension module and the main kernel.
- 4. The interactive behavior monitoring scheme for a kernel module according to claim 1, characterized in that, in the monitoring of kernel module interactive behavior, when the kernel extension module calls a kernel function, the function interface of the intermediate module is called first, detection is then performed, and finally the real kernel function is called.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710701884.7A CN107479946B (en) | 2017-08-16 | 2017-08-16 | Interactive behavior monitoring scheme of kernel module |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107479946A true CN107479946A (en) | 2017-12-15 |
CN107479946B CN107479946B (en) | 2020-06-16 |
Family
ID=60600537
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710701884.7A Active CN107479946B (en) | 2017-08-16 | 2017-08-16 | Interactive behavior monitoring scheme of kernel module |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107479946B (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109857677A (en) * | 2018-12-28 | 2019-06-07 | 晶晨半导体(上海)股份有限公司 | The distribution method and device of kernel stack |
CN110058921A (en) * | 2019-03-13 | 2019-07-26 | 上海交通大学 | Guest virtual machine memory dynamic isolation and monitoring method and system |
CN111177726A (en) * | 2019-08-29 | 2020-05-19 | 腾讯科技(深圳)有限公司 | System vulnerability detection method, device, equipment and medium |
CN111177716A (en) * | 2019-06-14 | 2020-05-19 | 腾讯科技(深圳)有限公司 | Method, device, equipment and storage medium for acquiring executable file in memory |
CN111400702A (en) * | 2020-03-24 | 2020-07-10 | 上海瓶钵信息科技有限公司 | Virtualized operating system kernel protection method |
US11099874B2 (en) | 2019-01-28 | 2021-08-24 | Red Hat Israel, Ltd. | Efficient userspace driver isolation by shallow virtual machines |
US11436155B2 (en) | 2018-07-11 | 2022-09-06 | Huawei Technologies Co., Ltd. | Method and apparatus for enhancing isolation of user space from kernel space |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103399812A (en) * | 2013-07-22 | 2013-11-20 | 西安电子科技大学 | Magnetic disc file operation monitoring system and monitoring method based on Xen hardware virtualization |
US8667298B2 (en) * | 2010-03-10 | 2014-03-04 | Red Hat, Inc. | Module signing for unprivileged users to create and load trustworthy kernel modules |
CN104809401A (en) * | 2015-05-08 | 2015-07-29 | 南京大学 | Method for protecting integrity of kernel of operating system |
US20150281267A1 (en) * | 2014-03-27 | 2015-10-01 | Cylent Systems, Inc. | Malicious Software Identification Integrating Behavioral Analytics and Hardware Events |
- 2017-08-16 CN CN201710701884.7A patent/CN107479946B/en Active
Also Published As
Publication number | Publication date |
---|---|
CN107479946B (en) | 2020-06-16 |
Similar Documents
Publication | Title |
---|---|
CN107479946A (en) | A kind of interbehavior monitoring scheme of kernel module |
US11200080B1 (en) | Late load technique for deploying a virtualization layer underneath a running operating system |
Azab et al. | HIMA: A hypervisor-based integrity measurement agent |
CN104809401B (en) | A kind of operating system nucleus completeness protection method |
CN109923546B (en) | Event filtering for virtual machine security applications |
Srinivasan et al. | Process out-grafting: an efficient "out-of-VM" approach for fine-grained process execution monitoring |
Shinagawa et al. | BitVisor: a thin hypervisor for enforcing I/O device security |
Shi et al. | Deconstructing Xen |
US7818808B1 (en) | Processor mode for limiting the operation of guest software running on a virtual machine supported by a virtual machine monitor |
CN104021063B (en) | Modular computer forensic system and method based on hardware virtualization |
Pham et al. | Reliability and security monitoring of virtual machines using hardware architectural invariants |
US20080244155A1 (en) | Methods and apparatus to protect dynamic memory regions allocated to programming agents |
CN106970823B (en) | Efficient nested virtualization-based virtual machine security protection method and system |
CN102096786A (en) | Cross-platform safety protection system based on hardware virtualization |
CN106203082A (en) | The system and method efficiently isolating kernel module based on virtualization hardware characteristic |
CN102147843A (en) | Rootkit intrusion detection and system recovery method based on inner core invariant protection |
WO2018063571A1 (en) | Technologies for object-oriented memory management with extended segmentation |
Mi et al. | (Mostly) exitless VM protection from untrusted hypervisor through disaggregated nested virtualization |
Zhao et al. | Seeing through the same lens: introspecting guest address space at native speed |
Tuzel et al. | Who watches the watcher? Detecting hypervisor introspection from unprivileged guests |
Li et al. | A VMM-based system call interposition framework for program monitoring |
CN107643943A (en) | The management method and device of a kind of task stack |
Ge et al. | Research on storage virtualization structure in cloud storage environment |
Lin | Toward guest OS writable virtual machine introspection |
Luţaş et al. | VE-VMI: high-performance virtual machine introspection based on virtualization exception |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |