CN107479946A - Interaction behaviour monitoring scheme for kernel modules - Google Patents

Interaction behaviour monitoring scheme for kernel modules

Info

Publication number: CN107479946A (application number CN201710701884.7A)
Authority: CN (China)
Prior art keywords: kernel, module, monitoring, interaction behaviour, function
Legal status: granted, active (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN107479946B (en)
Inventors: 曾庆凯, 高敬吾
Original and current assignee: Nanjing University
Priority date and filing date: 2017-08-16 (application filed by Nanjing University)
Publication of CN107479946A: 2017-12-15
Grant and publication of CN107479946B: 2020-06-16

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45591 Monitoring or debugging support

Abstract

The invention relates to a scheme for monitoring the interaction behaviour of kernel modules. Using the VMFUNC mechanism of hardware virtualization, the switch between EPT page tables maintained at the VMM layer can be completed without trapping into the virtual machine monitor (VMM), which reduces the number of traps into the VMM. The monitoring program is placed in the address space of the guest OS, so monitoring itself no longer requires trapping into the VMM. Unnecessary virtualization by the VMM is removed and the guest OS interacts with the hardware directly, which avoids needless performance overhead. The method reduces the number of traps into the VMM during system operation, improves the isolation performance of kernel modules, and can improve the security of the kernel.

Description

Interaction behaviour monitoring scheme for kernel modules
Technical field
The invention relates to the isolation and monitoring of untrusted kernel extension modules of an operating system, and in particular to a scheme for monitoring the interaction behaviour of kernel modules.
Background
Research shows that kernel modules are the main source of kernel vulnerabilities. In the Windows XP operating system, 85% of kernel vulnerabilities came from kernel modules; in the Linux operating system, the error rate of kernel modules is more than 7 times that of the core kernel. According to CVE reports, two thirds of kernel vulnerabilities originate in kernel modules or drivers. An untrusted kernel extension module runs at the same privilege level as the core kernel: it can call any kernel function and modify any kernel data, so the security of the kernel is under threat. Isolating kernel extension modules and monitoring their behaviour therefore helps to improve the security of the kernel and of the operating system as a whole. Existing isolation schemes for kernel modules fall into two classes: those based on virtualization technology and those that are not. Virtualization-based schemes offer good compatibility and security, whereas schemes that do not use virtualization are easily bypassed by malware, so virtualization-based isolation is the mainstream. However, existing virtualization-based isolation schemes still have problems; in particular, frequent switching between privilege levels causes a large performance overhead.
Summary of the invention
The invention provides a kernel interaction behaviour monitoring scheme based on virtualization technology, so that the isolation and monitoring of untrusted kernel extension modules during system operation is more efficient and more secure.
To achieve this, the invention adopts the following technical scheme: a monitoring system for kernel module interaction behaviour whose components are a kernel module isolator, a kernel interaction monitoring module and a kernel module interface. The key operations of the scheme are as follows:
(1) Initialization of the kernel module isolator: when the operating system starts, the virtualized environment is configured. This includes enabling the extended page table (EPT) and VMFUNC mechanisms provided by Intel processors and establishing two sets of EPT page tables to support isolation of the kernel address space. After initialization the isolator waits for a kernel module to be loaded.
(2) Extraction and rewriting of kernel functions: for the kernel module that is to be monitored, the kernel functions the module uses are extracted and the calls are rewritten, so that the kernel interaction monitoring module can monitor the module's interaction behaviour (i.e. its calls of kernel functions).
(3) Setup of the monitoring module: the monitoring module monitors the whole system. First the data space the monitoring module needs at run time is allocated; then, according to the extracted set of called kernel functions, the two logical parts of the monitoring module, the detection program and the kernel module interface, are generated in a page-aligned way. The kernel module interface performs the control-flow switch between the kernel extension module and the core kernel.
(4) Setup of kernel and monitoring-module protection: when the kernel module is loaded, a kernel hook installed in the loading procedure is triggered. The hook first obtains the address layout of the kernel space, then calls the kernel interface provided by the kernel module isolator to set up the two sets of EPT page tables, which protects the monitoring module and the kernel and realizes the isolation.
(5) Monitoring of kernel module interaction behaviour: because the module has been rewritten, the kernel interaction monitoring module monitors every interaction between the kernel extension module and the kernel. When the extension module calls a kernel function, the function interface of the intermediate module is called first, then the detection is performed, and finally the real kernel function is called.
Compared with the prior art, the invention has the following advantages:
The method proposes a scheme for monitoring the interaction behaviour of kernel modules. Using the VMFUNC mechanism of hardware virtualization, the switch between EPT page tables maintained at the VMM layer can be completed without trapping into the VMM, which reduces the number of traps into the VMM; the monitoring program is placed in the address space of the guest OS, so monitoring no longer needs to trap into the VMM; unnecessary virtualization by the VMM is removed and the guest OS interacts with the hardware directly, which reduces unnecessary performance overhead.
Because the method reduces the number of traps into the VMM during system operation, the isolation performance of kernel modules is improved. In addition, the structure is designed so that an untrusted kernel extension module cannot call arbitrary kernel code through instructions such as call or jmp; its calls of kernel functions must follow the principle that call and ret are used in matched pairs. The method therefore improves the isolation performance of kernel modules and improves the security of the kernel.
Brief description of the drawings
The invention is described in detail below with reference to the accompanying drawings.
Fig. 1: structural diagram of the kernel module interaction behaviour monitoring scheme.
Fig. 2: configuration flowchart of the kernel module monitoring structure.
Fig. 3: initialization flowchart of the kernel module isolator.
Fig. 4: flowchart of kernel function extraction and rewriting.
Fig. 5: setup flowchart of the monitoring module.
Fig. 6: setup flowchart of kernel and monitoring-module protection.
Fig. 7: flowchart of interaction behaviour monitoring when the kernel extension module calls a kernel function.
Fig. 8: flowchart of interaction behaviour when the kernel calls the kernel extension module.
Detailed description of the embodiment
The invention is further described below with reference to a specific embodiment.
As shown in Fig. 1, the invention proposes a monitoring system for kernel module interaction behaviour with three components: the kernel module isolator, the kernel interaction monitoring module and the kernel module interface. While the system runs, every control-flow transfer first passes through the monitoring module, which, after checking it, hands control to the real kernel function that is to be called.
The kernel module isolator is essentially a lightweight virtual machine monitor (VMM) that isolates and protects kernel modules. At the VMM layer it maintains two different sets of EPT page tables, which implement isolation and protection while different kernel modules run. The VMM provides an EPT permission-setting interface to the guest OS. When a kernel module is loaded, a kernel hook calls this EPT permission interface to set up the EPT page tables, which isolates and protects the kernel module. The kernel module isolator also enables the VMFUNC mechanism, so that the EPT page tables can be switched while the kernel module runs without trapping into the VMM.
The kernel module interface performs the control-flow switch between the kernel extension module and the monitoring module, and is itself protected by the kernel module isolator. When the kernel extension module calls a kernel function, the kernel module interface first switches the EPT page table, then switches the kernel stack, and after the switch calls the detection program in the monitoring module to check the behaviour of the extension module. When a function in the kernel calls into the kernel module, the EPT page table is switched first, then the kernel stack, and after the switch the function in the kernel module is called.
The function of the monitoring module is to monitor kernel-call behaviour. By analysing information such as the parameters of kernel calls it monitors the kernel or records the relevant information. If no anomaly is found, control is transferred to the real kernel function; if an anomaly is found, it is reported.
At run time, when the kernel extension module calls a kernel function, the rewriting causes the kernel module interface of the intermediate module to be called first. The kernel module interface switches the EPT page table and the kernel stack and then calls the kernel detection program, which analyses or records the call behaviour; if an anomaly is found it is reported, otherwise the kernel function that was actually called is invoked.
Fig. 2 is the configuration flowchart of the kernel module monitoring structure. This flow is the core setup procedure for building the whole kernel module monitoring system, from loading the isolator, through generating the monitoring module, to the final protection of the kernel module; following it completes the setup of the whole system. The specific flow is as follows. Step 20 is the initial state. Step 21 is the initialization of the kernel module isolator; it is completed when the kernel starts, being loaded together with the operating system kernel, and after it there is an additional virtualization layer beneath the operating system (the detailed procedure is shown in Fig. 3). Step 22 is the extraction and rewriting of kernel functions; it requires the source code of the kernel module and yields the set of kernel functions the module calls and the rewritten module (Fig. 4). Step 23 is the setup of the monitoring module; based on the set of called kernel functions obtained in the previous step and the execution logic of the monitoring module, it generates and loads the monitoring module (Fig. 5). Step 24 is the setup of kernel and monitoring-module protection, which completes the isolation and protection of the kernel space (Fig. 6). Step 25 is the end state; the configuration of the kernel module monitoring structure is now complete, and from now on every interaction of the kernel extension module triggers monitoring, with the control flow shown in Figs. 7 and 8.
Fig. 3 is the initialization flowchart of the kernel module isolator. Following this flow creates the kernel module isolator: it configures the hardware-related settings so that isolation of kernel modules and switching of EPT page tables are supported at the hardware level, and it removes unnecessary virtualization so that the guest OS can interact with the hardware directly, ensuring both the security and the efficiency of the system. The specific flow is as follows. Step 30 is the initial state. Step 31 configures the VMCS and its related data structures; once the VMCS is configured, the guest OS accesses the hardware directly at run time without the participation of the kernel module isolator, so the guest no longer traps into the VMM when it touches hardware, which reduces the number of traps into the VMM. Step 32 enables the processor's extended page table (EPT) and VMFUNC mechanisms, specifically by setting the Enable EPT and Enable VM functions bits in the VMCS to 1; with both enabled, kernel modules can be isolated and switched efficiently. Step 33 creates and fills the EPT page tables: all EPT entries are set up according to the size of guest physical memory with a page size of 4 KB, the READ, WRITE and EXECUTE bits of every entry are initialized to 1 so that guest-physical addresses map identically to machine-physical addresses, and the EPT page-table base address g_eptp is stored in the EPTP field of the VMCS. Step 34 enables EPTP switching and loads the EPT page table: bit 0 of the VM-function controls field in the VMCS is set to 1 to enable EPTP switching, a 4 KB EPTP list is allocated, and g_eptp is stored at index 0 of that list. Step 35 is the end state: the kernel module isolator is initialized and waits for the monitored kernel module to be loaded.
Fig. 4 is the flowchart of kernel function extraction and rewriting. By rewriting the source code of the kernel module, the control flow is redirected: when the code runs again, control is redirected to the interface of the monitoring module, which intercepts it. The specific flow is as follows. Step 40 is the initial state. Step 41 extracts the functions that the kernel module uses and that are to be checked. The source code of the kernel extension module is analysed by comparison: every function referenced in the module source is compared one by one with the kernel functions, and those that are kernel functions are extracted; the result is the set SetFunctionName of kernel functions that the module calls. Step 42 rewrites the kernel functions used in the kernel extension module: following a naming rule agreed in advance, each such function in the module is rewritten so that it is redirected to the function interface provided by the monitoring module; when the extension module later calls a kernel function, control is redirected to the monitoring module's interface. The result of this step is the modified kernel module code. Step 43 is the end state: extraction and rewriting of the kernel extension module are finished and a new kernel extension module has been obtained.
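The comparison-and-rewrite pass of steps 41 and 42 is easy to get wrong at identifier boundaries, so here is an added C example of that pass. It is not code from the patent: the kernel symbol list, the module source text and the naming rule kmi_<name> (a call to kernel function F is redirected to kmi_F) are constructed for the illustration. It collects the set of kernel functions the module calls, which the page names SetFunctionName, and rewrites only genuine call sites; a name that is part of a longer identifier such as my_kmalloc, or that is not followed by an opening parenthesis, is left alone.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical naming rule agreed with the monitoring module: a call to kernel
 * function F in the module source becomes a call to kmi_F. */
#define KMI_PREFIX "kmi_"

/* Constructed stand-in for the kernel's exported symbol list (step 41 compares
 * every function referenced by the module against this list). */
static const char *const kernel_functions[] = { "kmalloc", "kfree", "memcpy", "printk" };
#define NKFUNCS (sizeof kernel_functions / sizeof kernel_functions[0])

static int is_ident_char(int c) { return isalnum((unsigned char)c) || c == '_'; }

/* 1 if src[pos..] is a call of `name`: identifier boundary on both sides and an
 * opening parenthesis after optional blanks. Rejects my_kmalloc and kmallocx. */
static int is_call_site(const char *src, size_t pos, const char *name) {
    size_t n = strlen(name);
    if (strncmp(src + pos, name, n) != 0) return 0;
    if (pos > 0 && is_ident_char(src[pos - 1])) return 0;
    size_t q = pos + n;
    if (is_ident_char(src[q])) return 0;
    while (src[q] == ' ' || src[q] == '\t') q++;
    return src[q] == '(';
}

/* Steps 41 and 42 in one pass. `used` receives a bitmask over kernel_functions
 * (the set SetFunctionName); the return value is the rewritten source, malloc'd. */
char *rewrite_module_source(const char *src, unsigned *used) {
    size_t len = strlen(src);
    char *out = malloc(len * (strlen(KMI_PREFIX) + 1) + 1); /* every char may gain a prefix */
    size_t o = 0;
    *used = 0;
    for (size_t i = 0; i < len;) {
        int matched = 0;
        for (size_t k = 0; k < NKFUNCS; k++) {
            if (is_call_site(src, i, kernel_functions[k])) {
                *used |= 1u << k;
                o += (size_t)sprintf(out + o, "%s%s", KMI_PREFIX, kernel_functions[k]);
                i += strlen(kernel_functions[k]);
                matched = 1;
                break;
            }
        }
        if (!matched) out[o++] = src[i++];
    }
    out[o] = '\0';
    return out;
}

int main(void) {
    unsigned used;
    /* Constructed fragment of module source. */
    char *r = rewrite_module_source("p = kmalloc(64, GFP_KERNEL); my_kmalloc(1); kfree (p);", &used);
    printf("%s\n", r);
    for (size_t k = 0; k < NKFUNCS; k++)
        if (used & (1u << k)) printf("module calls %s\n", kernel_functions[k]);
    free(r);
    return 0;
}
```

Because this is a text-level pass, a kernel function name inside a comment or string literal would be rewritten too, and a module that takes a kernel function's address without calling it is not rewritten at all; a production rewriter works on parsed source, and the scheme does not rely on rewriting alone but on the EPT permissions of Fig. 6 to catch a direct call.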
Fig. 5 is the setup flowchart of the monitoring module. Its purpose is to generate the monitoring module; it mainly concerns the code organization of the module and the monitoring flow. The specific flow is as follows. Step 50 is the initial state. Step 51 allocates the data space the monitoring module needs at run time. This space holds the data recorded during detection and the data saved when switching between security domains, mainly the kernel stack and the function call parameters; if a parameter is a pointer, the content it points to is recorded as well. The initial size of the space is 4 MB, and when the allocated space is full it is doubled. Step 52 organizes the code of the monitoring module according to the logic of its execution, whose detailed flow is shown in Figs. 7 and 8. Step 53 compiles and loads the monitoring module: once the code for the kernel extension module has been organized as above, it is compiled to produce the monitoring module, which is loaded into memory and waits for the monitored module to be loaded. Step 54 is the end state.
Fig. 6 is the setup flowchart of kernel and monitoring-module protection. Its purpose is to isolate the monitored module and protect the kernel and the monitoring module; the isolation of the kernel module should be set up after the monitored module has been loaded. The specific flow is as follows. Step 60 is the initial state. Step 61 loads the monitoring module and the kernel extension module: the monitoring module is loaded first and the monitored module afterwards, using the sudo insmod command in both cases. Step 62 obtains the physical address space of the kernel: the linear addresses of the kernel address space are obtained through functions provided by the kernel, in the form of an array of <addr, len> pairs where addr is the start address of a kernel code range and len its length; the linear addresses are then translated through the guest page tables into physical addresses, giving the physical layout of the kernel address space. Step 63 sets the EPT page-table permissions according to the obtained kernel address layout, which implements the isolation between kernel modules; after this step the virtualization layer enforces the isolation. Step 64 is the end state.
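Steps 33, 34 and 63 describe how the EPT tables and the EPTP list are laid out. The following is an added C example of that layout, not code from the patent. It builds two 4-level EPT views over a simulated guest-physical range, using host-allocated 4 KiB pages as stand-ins for machine memory (the address stored in each entry is the host pointer of the next table), and checks accesses the way the hardware walk does. The constructed layout (16 MiB of guest memory, a 2 MiB kernel code range at 0x400000, a one-page kernel module interface at 0x600000) and the permissions given to the interface pages are assumptions; the entry bit positions, the EPTP format and the 4 KiB EPTP list follow the Intel VMX specification, and the index assignment (0 for the module's view, 1 for the kernel's) follows the VMFUNC indices used in Figs. 7 and 8.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE         4096ULL
#define EPT_R             1ULL
#define EPT_W             2ULL
#define EPT_X             4ULL
#define EPT_RWX           (EPT_R | EPT_W | EPT_X)
#define EPT_MT_WB         (6ULL << 3)              /* memory type, leaf entries only */
#define EPT_ADDR_MASK     0x000FFFFFFFFFF000ULL    /* bits 51:12 */
#define EPTP_LIST_ENTRIES 512                      /* one 4 KiB page of 8-byte EPTPs */

typedef uint64_t epte_t;

/* Simulated machine memory: each table is a page-aligned 4 KiB block whose host
 * pointer plays the role of its physical address. */
static epte_t *alloc_table(void) {
    epte_t *t = aligned_alloc(PAGE_SIZE, PAGE_SIZE);
    memset(t, 0, PAGE_SIZE);
    return t;
}
static epte_t *table_of(epte_t e) { return (epte_t *)(uintptr_t)(e & EPT_ADDR_MASK); }
static unsigned ept_index(uint64_t gpa, int level) { return (gpa >> (12 + 9 * level)) & 0x1ff; }

/* Walk PML4 -> PDPT -> PD -> PT for gpa, allocating missing tables (RWX at the
 * non-leaf levels), and return the leaf entry. */
static epte_t *ept_leaf(epte_t *pml4, uint64_t gpa) {
    epte_t *t = pml4;
    for (int level = 3; level > 0; level--) {
        epte_t *e = &t[ept_index(gpa, level)];
        if (!(*e & EPT_RWX))
            *e = ((uint64_t)(uintptr_t)alloc_table() & EPT_ADDR_MASK) | EPT_RWX;
        t = table_of(*e);
    }
    return &t[ept_index(gpa, 0)];
}

/* Fig. 3 step 33: identity-map guest physical [0, size) with 4 KiB pages, all RWX. */
epte_t *ept_create_identity(uint64_t size) {
    epte_t *pml4 = alloc_table();
    for (uint64_t gpa = 0; gpa < size; gpa += PAGE_SIZE)
        *ept_leaf(pml4, gpa) = gpa | EPT_MT_WB | EPT_RWX;
    return pml4;
}

/* EPTP as written to the VMCS EPTP field and to the EPTP list: bits 2:0 = 6
 * (write-back), bits 5:3 = 3 (4-level walk), bits 51:12 = PML4 address. */
uint64_t eptp_of(epte_t *pml4) {
    return ((uint64_t)(uintptr_t)pml4 & EPT_ADDR_MASK) | 6ULL | (3ULL << 3);
}

/* Fig. 6 step 63: replace the R/W/X bits of every page covering <addr, len>. */
void ept_set_range(epte_t *pml4, uint64_t addr, uint64_t len, uint64_t perms) {
    for (uint64_t gpa = addr & ~(PAGE_SIZE - 1); gpa < addr + len; gpa += PAGE_SIZE) {
        epte_t *e = ept_leaf(pml4, gpa);
        *e = (*e & ~EPT_RWX) | perms;
    }
}

/* Permission check as the EPT walk performs it: every level must grant the
 * requested access. Returns 0 when allowed, 1 on an EPT violation. */
int ept_check(epte_t *pml4, uint64_t gpa, uint64_t access) {
    epte_t *t = pml4;
    for (int level = 3; level >= 0; level--) {
        epte_t e = t[ept_index(gpa, level)];
        if ((e & access) != access) return 1;
        if (level == 0) return 0;
        t = table_of(e);
    }
    return 0;
}

/* The two views: index 0 (g_eptp) is active while the extension module runs,
 * index 1 while the kernel and the monitor run. */
struct ept_views { uint64_t eptp_list[EPTP_LIST_ENTRIES]; epte_t *module_view, *kernel_view; };

void build_views(struct ept_views *v, uint64_t guest_mem, uint64_t kcode_addr,
                 uint64_t kcode_len, uint64_t iface_addr, uint64_t iface_len) {
    v->module_view = ept_create_identity(guest_mem);
    v->kernel_view = ept_create_identity(guest_mem);
    /* Kernel code: no read, write or execute while the module runs (Fig. 7). */
    ept_set_range(v->module_view, kcode_addr, kcode_len, 0);
    /* Kernel module interface: callable by the module, but not patchable (assumed R+X). */
    ept_set_range(v->module_view, iface_addr, iface_len, EPT_R | EPT_X);
    memset(v->eptp_list, 0, sizeof v->eptp_list);
    v->eptp_list[0] = eptp_of(v->module_view);   /* Fig. 3 step 34: g_eptp at index 0 */
    v->eptp_list[1] = eptp_of(v->kernel_view);   /* loaded by VMFUNC with ecx = 1 (Fig. 7 step 71) */
}

int main(void) {
    struct ept_views v;
    build_views(&v, 1ULL << 24, 0x400000, 0x200000, 0x600000, 0x1000);
    printf("module view: exec kernel code -> %s\n", ept_check(v.module_view, 0x400000, EPT_X) ? "EPT violation" : "allowed");
    printf("kernel view: exec kernel code -> %s\n", ept_check(v.kernel_view, 0x400000, EPT_X) ? "EPT violation" : "allowed");
    printf("eptp[0] = 0x%llx\n", (unsigned long long)v.eptp_list[0]);
    return 0;
}
```

The check shows the property Fig. 7 relies on: under the module view an instruction fetch from the kernel code range is denied by the leaf entry and raises an EPT violation, while the same fetch succeeds under the kernel view. Only the R/W/X bits of the leaf entries differ between the two views; the non-leaf entries stay RWX so that the permission decision is made exactly once, at the page.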
Fig. 7 is the flowchart of interaction behaviour monitoring when the kernel extension module calls a kernel function. When the extension module calls a kernel function, the rewritten control flow first calls the interface function of the monitoring module. If the extension module tries to bypass the monitoring module and call a kernel function directly, an EPT violation is raised and the control flow is intercepted: a direct call necessarily does not pass through the monitoring module, so it traps, which guarantees that every kernel function call made by the extension module is intercepted. As for the integrity of the kernel code, the EPT permissions are set so that, while the extension module runs, the kernel code section is neither executable nor readable nor writable; executing a kernel function directly or modifying kernel code directly causes an EPT violation, which preserves the integrity of the kernel code section. When control switches between the extension module and the kernel, the stack is saved and switched, and the saved stack is protected by the EPT page tables, which preserves the integrity of the stack.
The specific flow is as follows. Step 70 is the initial state. Step 71 switches the EPT page table: 0 is first assigned to the eax register to select the EPTP switching function, then the EPTP list index 1, which is to be loaded, is assigned to ecx, and the VMFUNC instruction is executed to complete the switch; loading different EPT page tables realizes isolation at run time. Step 72 saves the current kernel stack by copying the contents of the stack pointed to by rsp to a pre-allocated region. Step 73 switches the kernel stack: for the security of kernel data on the stack, the kernel and the extension module use different stacks, whose stack pointers are stored in rsp_stack1 and rsp_stack2; rsp is first saved to rsp_stack2, then rsp_stack1 is loaded into rsp. Step 74 calls the detection function, which records the call parameters, checks whether the addresses referenced by pointer parameters are legal and, if the function will read or write through a pointer parameter, checks against the other parameters whether the access is out of bounds; the result is a verdict on whether the call is normal. Step 75 tests this verdict: if normal, go to step 76, otherwise to step 78. Step 76 calls the real kernel function and goes to step 77. Step 78 issues an exception report according to the security violation and goes to step 77. Step 77 is the end state.
Fig. 8 is the flowchart of interaction behaviour when the kernel calls a function in the kernel module. In this model the kernel extension module is assumed to be untrusted and the threat to the kernel comes from the extension module, so no detection is needed when a kernel function calls a function in the extension module, but the protective measures must still be carried out: the EPT page table is switched and the stack is saved and switched. The specific flow is as follows. Step 80 is the initial state. Step 81 switches the EPT page table: eax is set to 0 and ecx is set to 0, then the VMFUNC instruction is executed to switch the EPT page table, realizing isolation at run time through different EPT page tables. Step 82 saves the current kernel stack by copying the stack pointed to by rsp to the pre-allocated region. Step 83 switches the kernel stack: rsp is first saved to rsp_stack1, then rsp_stack2 is loaded into rsp; using different stacks ensures the security of the kernel stack. Step 84 calls the real function in the kernel extension module. Step 85 is the end state.
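Figs. 7 and 8 together describe the control-flow switch performed by the kernel module interface and the detection of step 74. The following is an added C example of that interface, not code from the patent, written so that it runs on an ordinary host: the EPTP switch is issued with VMFUNC only when kmi_in_guest is set (the instruction raises #UD outside a guest whose VMM has enabled EPTP switching) and the active index is mirrored in a variable; the stack save and switch of steps 72, 73, 82 and 83 need assembly and are left out. The allowed-region policy, the kfuncs descriptor table, the memcpy/memset stand-ins for kernel functions and the kmi_demo_buf buffer are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ---- EPT view switch (Fig. 7 step 71, Fig. 8 step 81) ----------------------
 * VMFUNC with EAX = 0 is EPTP switching; ECX selects the EPTP-list entry.
 * Following the page, index 1 is loaded when entering the kernel and index 0
 * when returning to the module. */
static int kmi_in_guest = 0;            /* set to 1 only when running under the isolator */
static uint32_t kmi_view = 0;           /* host-side mirror of the active EPTP index */
static void ept_switch(uint32_t index) {
    kmi_view = index;
#if defined(__x86_64__)
    if (kmi_in_guest)
        __asm__ volatile(".byte 0x0f, 0x01, 0xd4" /* vmfunc */ : : "a"(0), "c"(index) : "memory");
#endif
}
uint32_t kmi_active_view(void) { return kmi_view; }

/* ---- Policy: memory the extension module may hand to the kernel -------------
 * Hypothetical: regions registered when the module is loaded. */
struct region { uint64_t base, len; };
static struct region kmi_allowed[8];
static int kmi_n_allowed;
void kmi_allow_region(uint64_t base, uint64_t len) {
    if (kmi_n_allowed < 8) kmi_allowed[kmi_n_allowed++] = (struct region){ base, len };
}
/* Overflow-safe test that [p, p+len) lies inside one allowed region. */
static int in_allowed(uint64_t p, uint64_t len) {
    for (int i = 0; i < kmi_n_allowed; i++) {
        uint64_t off = p - kmi_allowed[i].base;
        if (p >= kmi_allowed[i].base && off < kmi_allowed[i].len && len <= kmi_allowed[i].len - off)
            return 1;
    }
    return 0;
}

/* ---- Kernel functions reachable through the interface ------------------------
 * Constructed stand-ins; each descriptor names the pointer arguments and the
 * argument that bounds the access made through them (-1 = none). */
enum { KF_MEMCPY, KF_MEMSET, KF_COUNT };
typedef uint64_t kfn_t(const uint64_t a[4]);
static uint64_t real_memcpy(const uint64_t a[4]) {
    return (uint64_t)(uintptr_t)memcpy((void *)(uintptr_t)a[0], (const void *)(uintptr_t)a[1], (size_t)a[2]);
}
static uint64_t real_memset(const uint64_t a[4]) {
    return (uint64_t)(uintptr_t)memset((void *)(uintptr_t)a[0], (int)a[1], (size_t)a[2]);
}
static const struct { const char *name; int ptr_args[3]; int len_arg; kfn_t *real; } kfuncs[KF_COUNT] = {
    [KF_MEMCPY] = { "memcpy", { 0, 1, -1 }, 2, real_memcpy },
    [KF_MEMSET] = { "memset", { 0, -1, -1 }, 2, real_memset },
};

/* ---- Step 74: detection ------------------------------------------------------ */
enum verdict { KMI_OK = 0, KMI_UNKNOWN_FUNC, KMI_BAD_POINTER, KMI_OUT_OF_BOUNDS };
enum verdict kmi_detect(int fn, const uint64_t a[4]) {
    if (fn < 0 || fn >= KF_COUNT) return KMI_UNKNOWN_FUNC;
    uint64_t len = kfuncs[fn].len_arg >= 0 ? a[kfuncs[fn].len_arg] : 1;
    for (int i = 0; kfuncs[fn].ptr_args[i] >= 0; i++) {
        uint64_t p = a[kfuncs[fn].ptr_args[i]];
        if (p == 0 || !in_allowed(p, 1)) return KMI_BAD_POINTER;    /* is the pointer legal? */
        if (!in_allowed(p, len))         return KMI_OUT_OF_BOUNDS;  /* does the access cross the bound? */
    }
    return KMI_OK;
}

/* ---- Record of calls (the data space of Fig. 5 step 51, as a fixed array) ---- */
struct record { int fn; uint64_t args[4]; enum verdict verdict; };
static struct record kmi_log[64];
static int kmi_n_log;
enum verdict kmi_last_verdict(void) { return kmi_n_log ? kmi_log[kmi_n_log - 1].verdict : KMI_OK; }

/* ---- Fig. 7: kernel module interface for module -> kernel calls --------------
 * Returns the kernel function's result, or ~0 when the call was blocked. */
uint64_t kmi_call_kernel(int fn, uint64_t a0, uint64_t a1, uint64_t a2, uint64_t a3) {
    uint64_t args[4] = { a0, a1, a2, a3 };
    ept_switch(1);                                   /* step 71: kernel view */
    enum verdict v = kmi_detect(fn, args);           /* step 74 */
    if (kmi_n_log < 64) kmi_log[kmi_n_log++] = (struct record){ fn, { a0, a1, a2, a3 }, v };
    uint64_t r = ~0ULL;
    if (v == KMI_OK) r = kfuncs[fn].real(args);      /* step 76: real kernel function */
    else fprintf(stderr, "kmi: blocked %s, verdict %d\n",          /* step 78: report */
                 fn >= 0 && fn < KF_COUNT ? kfuncs[fn].name : "?", (int)v);
    ept_switch(0);                                   /* return to the module view */
    return r;
}

/* Constructed module-owned buffer registered as the only legal pointer target. */
unsigned char kmi_demo_buf[256];
void kmi_demo_setup(void) { kmi_n_allowed = 0; kmi_allow_region((uint64_t)(uintptr_t)kmi_demo_buf, sizeof kmi_demo_buf); }

int main(void) {
    kmi_demo_setup();
    uint64_t b = (uint64_t)(uintptr_t)kmi_demo_buf;
    kmi_call_kernel(KF_MEMSET, b, 0x41, 128, 0);     /* inside the module's buffer: allowed */
    kmi_call_kernel(KF_MEMCPY, b + 128, b, 129, 0);  /* one byte past the buffer: blocked */
    kmi_call_kernel(KF_MEMCPY, 0x1000, b, 16, 0);    /* pointer outside module memory: blocked */
    printf("last verdict: %d, active view: %u\n", (int)kmi_last_verdict(), kmi_active_view());
    return 0;
}
```

Running on a host, kmi_in_guest stays 0 and the switch is only mirrored; inside a guest prepared as in Fig. 3, setting it to 1 makes ept_switch execute the real instruction with the same register convention the page describes (eax = 0, ecx = list index).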
The above is only a preferred embodiment of the invention and does not limit the invention in any form. Any simple modification, equivalent substitution or improvement made to the above embodiment by a person skilled in the art according to the technical essence of the invention, without departing from the scope of the invention, still falls within the protection scope of the technical solution of the invention.

Claims (4)

  1. An interaction behaviour monitoring scheme for kernel modules, characterized in that a monitoring system for kernel module interaction behaviour comprises a kernel module isolator, a kernel interaction monitoring module and a kernel module interface, and the key operations of the scheme are as follows:
    1) initialization of the kernel module isolator: when the operating system starts, the virtualized environment is configured;
    2) extraction and rewriting of kernel functions: for the kernel module that is to be monitored, the kernel functions the module uses are extracted and rewritten, so that the kernel interaction monitoring module can monitor its interaction behaviour, namely its calls of kernel functions;
    3) setup of the monitoring module: the monitoring module monitors the whole system; first the data space it needs at run time is allocated, then, according to the extracted set of called kernel functions, its two logical parts, the detection program and the kernel module interface, are generated in a page-aligned way;
    4) setup of kernel and monitoring-module protection: when the kernel module is loaded, the kernel hook installed in the loading procedure is triggered; the hook first obtains the address layout of the kernel space, then calls the kernel interface provided by the kernel module isolator to set up the two sets of EPT page tables, protecting the monitoring module and the kernel and realizing the isolation;
    5) monitoring of kernel module interaction behaviour: because the module has been rewritten, the kernel interaction monitoring module monitors every interaction between the kernel extension module and the kernel.
  2. The interaction behaviour monitoring scheme for kernel modules according to claim 1, characterized in that the initialization of the kernel module isolator comprises: enabling the extended page table (EPT) and VMFUNC mechanisms provided by Intel processors, establishing two sets of EPT page tables to support separation of the kernel space, and waiting for the kernel module to be loaded after initialization.
  3. The interaction behaviour monitoring scheme for kernel modules according to claim 1, characterized in that, in the setup of the monitoring module, the kernel module interface performs the control-flow switch between the kernel extension module and the core kernel.
  4. The interaction behaviour monitoring scheme for kernel modules according to claim 1, characterized in that, in the monitoring of kernel module interaction behaviour, when the kernel extension module calls a kernel function, the function interface of the intermediate module is called first, then the detection is performed, and finally the real kernel function is called.

Priority Applications (1)

Application Number: CN201710701884.7A; Priority Date: 2017-08-16; Filing Date: 2017-08-16; Title: Interactive behavior monitoring scheme of kernel module (granted as CN107479946B, active)

Publications (2)

CN107479946A, published 2017-12-15
CN107479946B, published 2020-06-16

Family

ID = 60600537; one family application, CN201710701884.7A (CN107479946B, active); country status: CN.

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109857677A (en) * 2018-12-28 2019-06-07 晶晨半导体(上海)股份有限公司 The distribution method and device of kernel stack
CN110058921A (en) * 2019-03-13 2019-07-26 上海交通大学 Guest virtual machine memory dynamic isolation and monitoring method and system
CN111177726A (en) * 2019-08-29 2020-05-19 腾讯科技(深圳)有限公司 System vulnerability detection method, device, equipment and medium
CN111177716A (en) * 2019-06-14 2020-05-19 腾讯科技(深圳)有限公司 Method, device, equipment and storage medium for acquiring executable file in memory
CN111400702A (en) * 2020-03-24 2020-07-10 上海瓶钵信息科技有限公司 Virtualized operating system kernel protection method
US11099874B2 (en) 2019-01-28 2021-08-24 Red Hat Israel, Ltd. Efficient userspace driver isolation by shallow virtual machines
US11436155B2 (en) 2018-07-11 2022-09-06 Huawei Technologies Co., Ltd. Method and apparatus for enhancing isolation of user space from kernel space

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103399812A (en) * 2013-07-22 2013-11-20 西安电子科技大学 Magnetic disc file operation monitoring system and monitoring method based on Xen hardware virtualization
US8667298B2 (en) * 2010-03-10 2014-03-04 Red Hat, Inc. Module signing for unprivileged users to create and load trustworthy kernel modules
CN104809401A (en) * 2015-05-08 2015-07-29 南京大学 Method for protecting integrity of kernel of operating system
US20150281267A1 (en) * 2014-03-27 2015-10-01 Cylent Systems, Inc. Malicious Software Identification Integrating Behavioral Analytics and Hardware Events

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11436155B2 (en) 2018-07-11 2022-09-06 Huawei Technologies Co., Ltd. Method and apparatus for enhancing isolation of user space from kernel space
CN109857677A (en) * 2018-12-28 2019-06-07 晶晨半导体(上海)股份有限公司 The distribution method and device of kernel stack
CN109857677B (en) * 2018-12-28 2023-03-31 晶晨半导体(上海)股份有限公司 Distribution method and device of kernel stack
US11734048B2 (en) 2019-01-28 2023-08-22 Red Hat Israel, Ltd. Efficient user space driver isolation by shallow virtual machines
US11099874B2 (en) 2019-01-28 2021-08-24 Red Hat Israel, Ltd. Efficient userspace driver isolation by shallow virtual machines
CN110058921A (en) * 2019-03-13 2019-07-26 上海交通大学 Guest virtual machine memory dynamic isolation and monitoring method and system
CN110058921B (en) * 2019-03-13 2021-06-22 上海交通大学 Dynamic isolation and monitoring method and system for memory of client virtual machine
CN111177716A (en) * 2019-06-14 2020-05-19 腾讯科技(深圳)有限公司 Method, device, equipment and storage medium for acquiring executable file in memory
CN111177716B (en) * 2019-06-14 2024-04-02 腾讯科技(深圳)有限公司 Method, device, equipment and storage medium for acquiring executable file in memory
CN111177726A (en) * 2019-08-29 2020-05-19 腾讯科技(深圳)有限公司 System vulnerability detection method, device, equipment and medium
CN111177726B (en) * 2019-08-29 2024-02-06 腾讯科技(深圳)有限公司 System vulnerability detection method, device, equipment and medium
CN111400702A (en) * 2020-03-24 2020-07-10 上海瓶钵信息科技有限公司 Virtualized operating system kernel protection method
CN111400702B (en) * 2020-03-24 2023-06-27 上海瓶钵信息科技有限公司 Virtualized operating system kernel protection method

Also Published As

Publication number Publication date
CN107479946B (en) 2020-06-16

Similar Documents

Publication Publication Date Title
CN107479946A (en) A kind of interbehavior monitoring scheme of kernel module
US11200080B1 (en) Late load technique for deploying a virtualization layer underneath a running operating system
Azab et al. HIMA: A hypervisor-based integrity measurement agent
CN104809401B (en) A kind of operating system nucleus completeness protection method
CN109923546B (en) Event filtering for virtual machine security applications
Srinivasan et al. Process out-grafting: an efficient" out-of-vm" approach for fine-grained process execution monitoring
Shinagawa et al. Bitvisor: a thin hypervisor for enforcing i/o device security
Shi et al. Deconstructing Xen.
US7818808B1 (en) Processor mode for limiting the operation of guest software running on a virtual machine supported by a virtual machine monitor
CN104021063B (en) Modular computer forensic system and method based on hardware virtualization
Pham et al. Reliability and security monitoring of virtual machines using hardware architectural invariants
US20080244155A1 (en) Methods and apparatus to protect dynamic memory regions allocated to programming agents
CN106970823B (en) Efficient nested virtualization-based virtual machine security protection method and system
CN102096786A (en) Cross-platform safety protection system based on hardware virtualization
CN106203082A (en) The system and method efficiently isolating kernel module based on virtualization hardware characteristic
CN102147843A (en) Rootkit intrusion detection and system recovery method based on inner core invariant protection
WO2018063571A1 (en) Technologies for object-oriented memory management with extended segmentation
Mi et al. (mostly) exitless {VM} protection from untrusted hypervisor through disaggregated nested virtualization
Zhao et al. Seeing through the same lens: introspecting guest address space at native speed
Tuzel et al. Who watches the watcher? Detecting hypervisor introspection from unprivileged guests
Li et al. A VMM-based system call interposition framework for program monitoring
CN107643943A (en) The management method and device of a kind of task stack
Ge et al. Research on storage virtualization structure in cloud storage environment
Lin Toward guest OS writable virtual machine introspection
Luţaş et al. VE-VMI: high-performance virtual machine introspection based on virtualization exception

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant