CN107479946B - Interactive behavior monitoring scheme of kernel module - Google Patents


Info

Publication number: CN107479946B
Authority: CN (China)
Prior art keywords: kernel, module, monitoring, function, interface
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN201710701884.7A
Other languages: Chinese (zh)
Other versions: CN107479946A (en)
Inventors: 曾庆凯, 高敬吾
Current assignee: Nanjing University
Original assignee: Nanjing University
Priority date: 2017-08-16 (as listed; an assumption, not a legal conclusion)
Filing date: 2017-08-16
Publication dates: 2017-12-15 (CN107479946A), 2020-06-16 (CN107479946B)
Events: application filed by Nanjing University; priority to CN201710701884.7A; publication of CN107479946A; application granted; publication of CN107479946B; legal status Active

Classifications

    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00  Arrangements for program control, e.g. control units
    • G06F9/06  Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44  Arrangements for executing specific programs
    • G06F9/455  Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533  Hypervisors; Virtual machine monitors
    • G06F9/45558  Hypervisor-specific management and integration aspects
    • G06F2009/45591  Monitoring or debugging support

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to an interactive behavior monitoring scheme for kernel modules. It uses the VM Func mechanism of hardware virtualization to switch the EPT page tables of the VMM layer without trapping into the virtual machine monitor (VMM), which reduces the number of VMM traps; the monitoring program is placed in an address space inside the Guest OS, so that monitoring itself does not require trapping into the VMM; and unnecessary virtualization functions of the VMM are removed so that the Guest OS interacts directly with the hardware, which reduces unnecessary performance overhead. The method reduces the number of times the system traps into the VMM at run time, improves the isolation of kernel modules and can improve the security of the kernel.

Description

Interactive behavior monitoring scheme of kernel module
Technical Field
The invention relates to the isolation and monitoring of untrusted kernel extension modules of an operating system, and in particular to an interactive behavior monitoring scheme for kernel modules.
Background
Research has shown that kernel modules are a major source of kernel vulnerabilities. In the Windows XP operating system, 85% of kernel vulnerabilities come from kernel modules; in the Linux operating system, the error rate of kernel modules is more than 7 times that of the main kernel. According to CVE reports, two thirds of kernel vulnerabilities originate from kernel modules or drivers. An untrusted kernel extension module runs at the same privilege level as the main kernel, can call any kernel function and can modify any kernel data, so it threatens kernel security. Isolating the kernel extension module and monitoring its behavior therefore improves the security of the kernel and of the operating system as a whole. Currently there are roughly two types of isolation schemes for kernel modules: those based on virtualization technology and those that are not. Isolation schemes not based on virtualization are easily bypassed by malicious software, so schemes based on virtualization technology are the more mainstream. However, the existing virtualization-based isolation schemes have problems, such as large performance overhead due to frequent switching between privilege levels.
Disclosure of Invention
The invention provides a kernel interaction behavior monitoring scheme based on virtualization technology, so that the isolation and monitoring of an untrusted kernel extension module is more efficient and safer while the system runs.
To achieve this, the invention adopts the following technical scheme: a monitoring system for kernel module interaction behavior comprising a kernel module isolator, a kernel interaction monitoring module and a kernel module interface. The key operations of the scheme are as follows:
(1) Initialization of the kernel module isolator: when the operating system starts, the virtualization environment is configured. The actions are: enabling the extended page table (EPT) mechanism and the VM Func mechanism provided by the Intel processor, and establishing two sets of EPT page tables to support kernel space isolation. After initialization is finished, the isolator waits for the kernel module to be loaded.
(2) Extraction and rewriting of kernel functions: for the kernel module to be monitored, the kernel functions it uses are extracted and rewritten so that the kernel interaction monitoring module can monitor the interaction behavior (that is, the calls of kernel functions).
(3) Setting up the monitoring module: the monitoring module monitors the whole system. First the data space the monitoring module needs at run time is allocated; then the two logical parts of the monitoring module, the detection program and the kernel module interface, are generated in a page-aligned manner from the extracted set of called kernel functions. The kernel module interface performs the control flow switching between the kernel extension module and the main kernel.
(4) Setting up kernel and monitoring module protection: when the kernel module is loaded, the kernel hook installed in the loading path is triggered. The kernel hook first obtains the address layout of the kernel space and then calls the kernel interface provided by the kernel module isolator to complete the setting of the two sets of EPT page tables, which protects the monitoring module and the kernel and realizes the isolation.
(5) Monitoring the interaction behavior of the kernel module: because of the rewriting, the kernel interaction monitoring module observes every interaction between the kernel extension module and the kernel. When the kernel extension module calls a kernel function, the function interface of the intermediate module is called first, detection is then carried out, and finally the real kernel function is called.
Compared with the prior art, the invention has the following beneficial effects:
The method provides a kernel module interactive behavior monitoring scheme. By using the VM Func mechanism of hardware virtualization, the EPT page tables of the VMM layer can be switched without trapping into the virtual machine monitor (VMM), so the number of VMM traps is reduced; the monitoring program is placed in an address space inside the Guest OS, so monitoring does not require trapping into the VMM; and unnecessary virtualization functions of the VMM are removed so that the Guest OS interacts directly with the hardware, which reduces unnecessary performance overhead.
The method reduces the number of times the system traps into the VMM at run time and thereby improves the isolation performance of the kernel module. In addition, by its structural design the method ensures that the untrusted kernel extension module cannot invoke arbitrary kernel code through instructions such as call and jmp, and that its calls of kernel functions conform to the principle of paired call/ret use. The method therefore improves both the isolation performance of the kernel module and the security of the kernel.
Drawings
The present invention will be described in detail with reference to the accompanying drawings.
FIG. 1: structural schematic diagram of the interactive behavior monitoring scheme for kernel modules.
FIG. 2: flow chart of the configuration of the kernel module monitoring structure.
FIG. 3: flow chart of the initialization of the kernel module isolator.
FIG. 4: flow chart of kernel function extraction and rewriting.
FIG. 5: flow chart of the setting up of the monitoring module.
FIG. 6: flow chart of the setting up of kernel and monitoring module protection.
FIG. 7: flow chart of interactive behavior monitoring when the kernel extension module calls a kernel function.
FIG. 8: flow chart of the interactive behavior when the kernel calls the kernel extension module.
Detailed Description
The present invention will be further described with reference to the following specific examples.
As shown in Fig. 1, the present invention provides a kernel module interaction monitoring system comprising a kernel module isolator, a kernel interaction monitoring module and a kernel module interface. When the whole system runs, every transfer of control flow first passes through the monitoring module, which, after detection, transfers the control flow to the real kernel function to be called.
The kernel module isolator is essentially a lightweight Virtual Machine Monitor (VMM) that implements the isolation and protection of kernel modules. In the VMM layer, isolation and protection of the different kernel modules at run time is realized by maintaining two different sets of EPT page tables. The VMM provides an EPT permission setting interface to the Guest OS; when a kernel module is loaded, a kernel hook calls this EPT permission interface to set up the EPT page tables, which realizes the isolation and protection of the kernel module. The kernel module isolator also enables the VM Func mechanism, so the EPT page tables can be switched while the kernel module runs without trapping into the VMM.
The kernel module interface realizes the control flow switching between the kernel extension module and the monitoring module, and is itself protected by the kernel module isolator. When the kernel extension module calls a kernel function, the kernel module interface first switches the EPT page table, then switches the kernel stack, and after the switch calls the detection program in the monitoring module to check the behavior of the kernel extension module. When the kernel calls a function in the kernel module, the EPT page table is switched first, then the kernel stack, and the function in the kernel module is called after the switch.
The monitoring module monitors the kernel calls. By analyzing information such as the kernel call parameters, it monitors the kernel or records related information. If no anomaly is found, the control flow is transferred to the real kernel function; if an anomaly is found, it is reported.
At run time, when the kernel extension module calls a kernel function, the rewriting causes the kernel module interface of the intermediate module to be called first. The kernel module interface switches the EPT page table and the kernel stack, then invokes the kernel detection program to analyze or record the function call behavior; if an anomaly is found it is reported, and if not, the kernel function that was actually called is invoked.
Fig. 2 is a flow chart of the configuration of the kernel module monitoring architecture. It is the core set-up flow of the whole kernel module monitoring system, from the loading of the isolator through the generation of the monitoring module to the final protection of the kernel module; following it completes the set-up of the entire system. The specific flow is as follows.
Step 20 is the start state.
Step 21 is the initialization of the kernel module isolator. This step is completed when the kernel starts and is loaded together with the operating system kernel; once it is done, a virtualization layer has been added beneath the operating system. The detailed flow is shown in Fig. 3.
Step 22 is the extraction and rewriting of kernel functions. This step requires the source code of the kernel module; when it is done, the set of kernel functions called by the kernel module and the rewritten module are available. The detailed flow is shown in Fig. 4.
Step 23 is the setting up of the monitoring module. This step generates and loads the monitoring module from the set of called kernel functions obtained in the previous step and the execution logic of the monitoring module. The detailed flow is shown in Fig. 5.
Step 24 is the setting up of kernel and monitoring module protection. This step completes the isolation and protection of the kernel space. The detailed flow is shown in Fig. 6.
Step 25 is the end state. At this point the configuration of the kernel module monitoring structure is complete, and any interaction by the kernel extension module triggers monitoring; the control flow at run time is shown in Figs. 7 and 8.
Fig. 3 is a flow chart of the initialization of the kernel module isolator. This flow establishes the kernel module isolator: through the relevant hardware settings it supports kernel module isolation and EPT page table switching at the hardware level, removes unnecessary virtualization functions so that the Guest OS interacts directly with the hardware, and so provides both security and efficiency. The specific flow is as follows.
Step 30 is the initial state.
Step 31 configures the relevant data structures of the VMCS. After the VMCS is configured, the Guest OS accesses hardware directly at run time without the participation of the kernel module isolator; this step ensures that the Guest OS does not trap into the VMM when it interacts with the hardware, which reduces the number of VMM traps.
Step 32 enables the processor's extended page table (EPT) and VM Func mechanisms. Specifically, setting the Enable EPT bit and the Enable VM Functions bit in the VMCS to 1 makes kernel module isolation and efficient switching possible.
Step 33 creates and sets up the EPT page tables. All EPT entries are set according to the physical address size of the Guest OS with a page size of 4KB; the READ, WRITE and EXECUTE bits of every EPT entry are initialized to 1; an identity mapping between the Guest physical addresses of the Guest OS and the machine physical addresses is ensured; and the base address g_EPTP of the EPT page table is stored in the EPTP field of the VMCS.
Step 34 enables the EPTP switching mechanism and loads the EPT page tables. Bit 0 of the VM-function controls field in the VMCS is set to 1 to enable EPTP switching, a 4KB EPTP list is allocated, and g_EPTP is stored at index 0 of the EPTP list.
Step 35 is the end state.
At this point the initialization of the kernel module isolator is complete and it waits for the monitored kernel module to be loaded.
Fig. 4 is a flow chart of kernel function extraction and rewriting. Control flow redirection is achieved by rewriting the source code of the kernel module: when the rewritten code executes, control flow is redirected to the interface of the monitoring module, so the control flow is intercepted. The specific flow is as follows.
Step 40 is the initial state.
Step 41 extracts the kernel functions used by the kernel module. The source code of the kernel extension module is analyzed by a comparison process: every function in the module source is compared one by one against the kernel functions, and those that are kernel functions are extracted. When this step is done, the set of names of the kernel functions called by the kernel module is available.
Step 42 rewrites the kernel functions used in the kernel extension module. Each such function in the kernel extension module is rewritten according to a preset naming rule so that it is redirected to the function interface provided by the monitoring module; when the kernel extension module next calls the kernel function, it is redirected to the interface of the monitoring module. When this step is done, the modified kernel module code is available.
Step 43 is the end state. The kernel extension module has been extracted and rewritten, yielding a new kernel extension module.
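As an added illustration of steps 41 and 42 (editorial example code, not the patent's own tool), the following C program compares every identifier in a module source fragment against a kernel-function list and rewrites each matching call site according to a naming rule; the kernel-function list, the `mon_` prefix rule and the module source are constructed assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's exported function list that step 41
 * compares the module's functions against. */
static const char *KERNEL_FUNCS[] = { "kmalloc", "kfree", "printk", "copy_from_user" };
#define N_KERNEL_FUNCS (sizeof KERNEL_FUNCS / sizeof KERNEL_FUNCS[0])
#define MON_PREFIX "mon_"      /* assumed naming rule of step 42 */
#define MAX_EXTRACTED 64
#define MAX_OUT 4096

struct rewrite_result {
    const char *extracted[MAX_EXTRACTED];  /* set of kernel functions the module calls */
    int n_extracted;
    char out[MAX_OUT];                     /* rewritten module source */
};

static int is_ident(int c) { return isalnum((unsigned char)c) || c == '_'; }

static const char *lookup_kernel_func(const char *tok, size_t len) {
    for (size_t i = 0; i < N_KERNEL_FUNCS; i++)
        if (strlen(KERNEL_FUNCS[i]) == len && memcmp(KERNEL_FUNCS[i], tok, len) == 0)
            return KERNEL_FUNCS[i];
    return NULL;
}

static void add_extracted(struct rewrite_result *r, const char *name) {
    for (int i = 0; i < r->n_extracted; i++)
        if (strcmp(r->extracted[i], name) == 0) return;   /* already in the set */
    if (r->n_extracted < MAX_EXTRACTED) r->extracted[r->n_extracted++] = name;
}

static void emit(struct rewrite_result *r, size_t *o, const char *s, size_t len) {
    if (*o + len < MAX_OUT) { memcpy(r->out + *o, s, len); *o += len; }
}

/* Walk the module source once. An identifier followed by '(' that matches a
 * kernel function is recorded (step 41) and rewritten to MON_PREFIX<name>
 * (step 42); string literals and // comments are copied untouched.
 * Returns the number of call sites rewritten. */
int extract_and_rewrite(const char *src, struct rewrite_result *r) {
    size_t o = 0;
    int rewritten = 0;
    r->n_extracted = 0;
    for (const char *p = src; *p; ) {
        const char *start = p;
        if (*p == '"') {                                  /* string literal */
            for (p++; *p && *p != '"'; p++) if (*p == '\\' && p[1]) p++;
            if (*p == '"') p++;
        } else if (p[0] == '/' && p[1] == '/') {          /* line comment */
            while (*p && *p != '\n') p++;
        } else if (is_ident(*p)) {                        /* identifier or number */
            while (is_ident(*p)) p++;
            const char *q = p;
            while (*q == ' ' || *q == '\t') q++;
            const char *kf = (!isdigit((unsigned char)*start) && *q == '(')
                             ? lookup_kernel_func(start, (size_t)(p - start)) : NULL;
            if (kf) {                                     /* kernel call site */
                add_extracted(r, kf);
                rewritten++;
                emit(r, &o, MON_PREFIX, strlen(MON_PREFIX));
            }
        } else {
            p++;
        }
        emit(r, &o, start, (size_t)(p - start));          /* original token text */
    }
    r->out[o] = '\0';
    return rewritten;
}

/* Constructed module source fragment. */
static const char *MODULE_SRC =
    "// demo module (constructed)\n"
    "static int demo_init(void)\n"
    "{\n"
    "    char *buf = kmalloc(64, GFP_KERNEL);\n"
    "    if (!buf) { printk(\"demo: kmalloc failed\\n\"); return -1; }\n"
    "    mykfree_wrapper(buf);\n"
    "    kfree (buf);\n"
    "    return 0;\n"
    "}\n";

static struct rewrite_result result;

int demo_rewrite(void) { return extract_and_rewrite(MODULE_SRC, &result); }
int demo_extracted_count(void) { return result.n_extracted; }
int demo_output_has(const char *needle) { return strstr(result.out, needle) != NULL; }

int main(void) {
    int n = demo_rewrite();
    printf("%d call sites rewritten; kernel functions used:", n);
    for (int i = 0; i < result.n_extracted; i++) printf(" %s", result.extracted[i]);
    printf("\n%s", result.out);
    return 0;
}
```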
Fig. 5 is a flow chart of the setting up of the monitoring module. This flow generates the monitoring module and mainly concerns the organization of the monitoring module's code and its monitoring process. The specific flow is as follows.
Step 50 is the initial state.
Step 51 allocates the data space the monitoring module needs at run time. This space stores data recorded during detection and run-time data saved when the security domain is switched; the stored data mainly consists of the kernel stack and function call parameters, and if a parameter is a pointer, the content it points to is recorded as well. The initial size of the space is 4MB; if the allocated space becomes full, a space of double the size is allocated again.
Step 52 is the organization of the monitoring module code. The code of the monitoring module is organized according to the logic of its execution; the detailed execution flow is shown in Figs. 7 and 8.
Step 53 is the compilation and loading of the monitoring module. Once the code is organized according to that logic, it is compiled to produce the monitoring module, which is then loaded into memory to wait for the monitored module to be loaded.
Step 54 is the end state.
Fig. 6 is a flow chart of the setting up of kernel and monitoring module protection. The purpose of this flow is to isolate the monitored module and to protect the kernel and the monitoring module; the isolation settings for the kernel module are applied after the monitored module has finished loading. The specific flow is as follows.
Step 60 is the initial state.
Step 61 loads the monitoring module and the kernel extension module. The monitoring module is loaded first, and the monitored module is loaded after it; a kernel module is loaded with the sudo insmod command.
Step 62 obtains the physical address space of the kernel. First, the linear addresses of the kernel address space are obtained through a kernel function provided by the kernel, as an array of <addr, len> pairs, where addr is the start address of a kernel code region and len is its length; the corresponding physical addresses are then obtained from the guest page table. When this step is done, the physical addresses of the kernel address space are known.
Step 63 sets the EPT page table permissions. The permissions of the EPT page tables are set according to the kernel address space layout obtained above, which realizes the isolation between kernel modules; when this step is done, that isolation is in place in the virtualization layer.
Step 64 is the end state.
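As an added model (not the patent's code) of steps 33, 34 and 63, the following C program represents the two EPT views as flat per-page entry arrays, sets them up identity-mapped with R/W/X, clears those bits on the kernel code range and the monitoring module's data in the view loaded before the module runs, and models VMFUNC EPTP switching with EAX=0 and ECX=index; the guest size, the kernel layout and the assignment of list index 0 to the view used while the module runs and index 1 to the view used while the kernel runs (following the ECX values in Figs. 7 and 8) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A real EPT is a 4-level tree whose EPTP holds the PML4 physical address; this
 * model keeps one entry per 4KB guest page in a flat array, which is enough to
 * show identity mapping, the permission bits and EPTP-list switching. */
#define PAGE_SHIFT        12
#define PAGE_SIZE         (1u << PAGE_SHIFT)
#define GUEST_PHYS_SIZE   (32u * 1024 * 1024)          /* assumed 32 MiB guest */
#define N_PAGES           (GUEST_PHYS_SIZE / PAGE_SIZE)
#define EPT_R             1u   /* bit 0 of an EPT entry: read */
#define EPT_W             2u   /* bit 1: write */
#define EPT_X             4u   /* bit 2: execute */
#define EPT_PERM_MASK     (EPT_R | EPT_W | EPT_X)
#define EPTP_LIST_ENTRIES 512  /* a 4KB EPTP list holds 512 8-byte entries */

struct ept_view { uint64_t pte[N_PAGES]; };

static struct ept_view views[2];
static struct ept_view *eptp_list[EPTP_LIST_ENTRIES];  /* step 34: the EPTP list */
static struct ept_view *current_eptp;                  /* the VMCS EPTP field */

/* Step 33: every entry readable, writable, executable and identity-mapped. */
void ept_init(struct ept_view *v) {
    for (uint64_t i = 0; i < N_PAGES; i++)
        v->pte[i] = (i << PAGE_SHIFT) | EPT_PERM_MASK;   /* host PA == guest PA */
}

/* Step 63: clear R/W/X on every page overlapping [addr, addr+len).
 * Returns the number of pages changed, or -1 if the range is outside the guest. */
int ept_protect_range(struct ept_view *v, uint64_t addr, uint64_t len) {
    uint64_t first = addr >> PAGE_SHIFT;
    uint64_t last  = (addr + len - 1) >> PAGE_SHIFT;
    if (len == 0 || last >= N_PAGES) return -1;
    for (uint64_t i = first; i <= last; i++)
        v->pte[i] &= ~(uint64_t)EPT_PERM_MASK;
    return (int)(last - first + 1);
}

/* Model of VMFUNC with EAX=0 (EPTP switching) and ECX=list index. Returns 0 on
 * success; nonzero models the VM exit the hardware raises for an unsupported
 * function number or an invalid EPTP list entry. */
int vmfunc_eptp_switch(unsigned eax, unsigned ecx) {
    if (eax != 0) return -1;
    if (ecx >= EPTP_LIST_ENTRIES || eptp_list[ecx] == NULL) return -2;
    current_eptp = eptp_list[ecx];
    return 0;
}

/* Is an access of kind `perm` to guest-physical `gpa` allowed under the active
 * view? false models an EPT violation. */
bool ept_access_ok(uint64_t gpa, unsigned perm) {
    uint64_t page = gpa >> PAGE_SHIFT;
    if (current_eptp == NULL || page >= N_PAGES) return false;
    return (current_eptp->pte[page] & perm) == perm;
}

/* Constructed <addr, len> layout of the kind step 62 produces. */
#define KERNEL_TEXT_GPA   0x00100000ull
#define KERNEL_TEXT_LEN   0x00080000ull   /* 128 pages */
#define MONITOR_DATA_GPA  0x00400000ull   /* saved stacks and call records */
#define MONITOR_DATA_LEN  0x00004000ull
#define MODULE_GPA        0x00800000ull

int setup_views(void) {
    ept_init(&views[0]);
    ept_init(&views[1]);
    eptp_list[0] = &views[0];            /* g_EPTP at list index 0 */
    eptp_list[1] = &views[1];
    /* While the module runs (index 0 active), kernel code and the monitor's
     * saved data must be neither executable nor readable/writable (Fig. 7). */
    if (ept_protect_range(&views[0], KERNEL_TEXT_GPA, KERNEL_TEXT_LEN) < 0) return -1;
    if (ept_protect_range(&views[0], MONITOR_DATA_GPA, MONITOR_DATA_LEN) < 0) return -1;
    current_eptp = eptp_list[0];         /* VMCS EPTP initially holds g_EPTP */
    return 0;
}

int main(void) {
    setup_views();
    printf("module view: exec kernel text -> %s\n",
           ept_access_ok(KERNEL_TEXT_GPA, EPT_X) ? "allowed" : "EPT violation");
    vmfunc_eptp_switch(0, 1);            /* Fig. 7 step 71: EAX=0, ECX=1 */
    printf("kernel view: exec kernel text -> %s\n",
           ept_access_ok(KERNEL_TEXT_GPA, EPT_X) ? "allowed" : "EPT violation");
    return 0;
}
```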
Fig. 7 is a flow chart of the interaction behavior monitoring when the kernel extension module calls a kernel function. When the kernel extension module calls a kernel function, the rewritten control flow calls an interface function of the monitoring module. If the kernel extension module attempts to bypass the monitoring module and call the kernel function directly, an EPT page table violation is raised, so the control flow is intercepted there; without this, a direct call by the kernel extension module would not necessarily pass through the monitoring module, whereas with it every call of a kernel function by the kernel extension module is guaranteed to be intercepted. Regarding the integrity of the kernel code: by setting the EPT page table permissions, the kernel code segment can be neither executed nor read or written while the kernel extension module executes, so a direct execution of a kernel function or a direct modification of kernel code by the kernel extension module raises an EPT page table violation, which ensures the integrity of the kernel code segment. When control flow switches between the kernel extension module and the kernel, the stack is saved and switched, and the saved stack is protected by the EPT page table, which ensures the integrity of the stack.
The specific flow is as follows.
Step 70 is the initial state.
Step 71 switches the EPT page table. First the eax register is set to 0 to select the EPT switching function, then the EPTP index 1 to be loaded is placed in ecx, and the VMFUNC instruction is executed to complete the switch of the EPT page table; loading different EPT page tables in this way realizes isolation at run time.
Step 72 saves the current kernel stack. The contents of the kernel stack pointed to by rsp are copied to a pre-allocated area.
Step 73 switches the kernel stack. For the safety of the kernel data on the stack, the kernel and the kernel extension module run on different stacks, whose stack pointers are stored in rsp_stack1 and rsp_stack2 respectively; rsp is first saved into rsp_stack2, and then rsp_stack1 is loaded into rsp.
Step 74 calls the detection function. The detection function records the function call parameters; for pointer parameters it checks whether the address pointed to is legal, and if the function will read or write through that pointer it uses the other parameters to judge whether the access crosses a boundary, which yields a verdict of whether the call is normal.
Step 75 judges whether the call is normal. If so, go to step 76, otherwise go to step 78.
Step 76 calls the real kernel function and goes to step 77.
Step 78 issues an exception report according to the security violation and goes to step 77.
Step 77 is the end state.
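As an added example of steps 74 to 78 (editorial code, not the patent's monitoring module), the following C program implements a detection function that records call parameters in a buffer that doubles when full (step 51), checks pointer parameters against legal regions, rejects reads or writes that would cross a region boundary, and then either calls the real function or issues an exception report; the `kcopy` function, its parameter policy and the module and kernel buffers are constructed, and the EPT and stack switches of steps 71 to 73 are omitted.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 4
enum verdict { V_OK = 0, V_BAD_POINTER = 1, V_OUT_OF_BOUNDS = 2 };

/* Address ranges the extension module may legitimately hand to the kernel
 * (constructed; in the scheme this follows from the module's address layout). */
struct region { uintptr_t start; size_t len; };
static struct region legal[4];
static int n_legal;

/* Per-function policy: which arguments are pointers, and which argument (if
 * any) carries the byte count the kernel function reads/writes through them. */
struct call_policy { const char *name; unsigned ptr_mask; int len_arg; };

/* Step 51: records live in a pre-allocated area that is doubled when full. */
struct call_record { const char *fn; uintptr_t args[MAX_ARGS]; int verdict; };
static struct call_record *records;
static size_t n_records, cap_records;
static int n_reports;

static void record_call(const char *fn, const uintptr_t *a, int n, int v) {
    if (n_records == cap_records) {
        cap_records = cap_records ? cap_records * 2 : 16;
        records = realloc(records, cap_records * sizeof *records);
        if (!records) abort();
    }
    struct call_record *r = &records[n_records++];
    r->fn = fn; r->verdict = v;
    memset(r->args, 0, sizeof r->args);
    memcpy(r->args, a, (size_t)n * sizeof *a);
}

static const struct region *find_region(uintptr_t p) {
    for (int i = 0; i < n_legal; i++)
        if (p >= legal[i].start && p - legal[i].start < legal[i].len) return &legal[i];
    return NULL;
}

/* Step 74: record the parameters; every pointer parameter must point into a
 * legal region, and if the callee reads/writes len bytes through it, the
 * range [ptr, ptr+len) must not cross that region's boundary. */
int detect(const struct call_policy *pol, const uintptr_t *args, int n) {
    int v = V_OK;
    for (int i = 0; i < n && v == V_OK; i++) {
        if (!(pol->ptr_mask & (1u << i))) continue;
        const struct region *r = find_region(args[i]);
        if (!r) { v = V_BAD_POINTER; break; }
        if (pol->len_arg >= 0 && pol->len_arg < n &&
            args[pol->len_arg] > r->len - (args[i] - r->start))
            v = V_OUT_OF_BOUNDS;
    }
    record_call(pol->name, args, n, v);
    return v;
}

/* Stand-in for the real kernel function (constructed). */
static void real_kcopy(void *dst, const void *src, size_t n) { memcpy(dst, src, n); }

static void report_exception(const char *fn, int v) {        /* step 78 */
    n_reports++;
    fprintf(stderr, "exception: %s violated policy (verdict %d)\n", fn, v);
}

/* Monitoring-module interface for kcopy: steps 74 to 78. */
int mon_kcopy(void *dst, const void *src, size_t n) {
    static const struct call_policy pol = { "kcopy", 0x3u, 2 }; /* args 0,1 pointers; len = arg 2 */
    uintptr_t args[3] = { (uintptr_t)dst, (uintptr_t)src, (uintptr_t)n };
    int v = detect(&pol, args, 3);
    if (v == V_OK) real_kcopy(dst, src, n);                   /* step 76 */
    else report_exception(pol.name, v);
    return v;
}

/* Constructed module data region and a kernel-owned buffer outside it. */
static unsigned char module_buf[256];
static unsigned char kernel_data[64] = "kernel-owned";

int    monitor_setup(void) {
    n_legal = 0; n_records = 0; n_reports = 0;
    legal[n_legal++] = (struct region){ (uintptr_t)module_buf, sizeof module_buf };
    return 0;
}
size_t monitor_record_count(void) { return n_records; }
int    monitor_report_count(void) { return n_reports; }
int    monitor_record_verdict(size_t i) { return i < n_records ? records[i].verdict : -1; }

int main(void) {
    monitor_setup();
    memset(module_buf + 128, 'A', 64);
    printf("in-bounds copy: verdict %d\n", mon_kcopy(module_buf, module_buf + 128, 64));
    printf("overlong copy:  verdict %d\n", mon_kcopy(module_buf, module_buf + 128, 200));
    printf("kernel pointer: verdict %d\n", mon_kcopy(module_buf, kernel_data, 16));
    return 0;
}
```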
Fig. 8 is a flow chart of the function interaction behavior when the kernel calls the kernel module. Because the kernel extension module is assumed untrusted in this model and the threat to the kernel comes from the extension module, no detection is needed when the kernel calls a function in the kernel extension module, but the related protection measures must still be completed: the switch of the EPT page table, the saving of the stack and the switch of the stack. The specific flow is as follows.
Step 80 is the initial state.
Step 81 switches the EPT page table. eax is set to 0 and ecx is set to 0, then the VMFUNC instruction is executed to complete the switch of the EPT page table; loading different EPT page tables realizes isolation at run time.
Step 82 saves the current kernel stack. The contents of the stack pointed to by rsp are copied to a pre-allocated area.
Step 83 switches the kernel stack. rsp is first saved into rsp_stack1, then rsp_stack2 is loaded into rsp; using different stacks keeps the kernel stack safe.
Step 84 calls the function in the real kernel extension module.
Step 85 is the end state.
The above description is only a preferred embodiment of the present invention, and should not be taken as limiting the invention in any way, and any person skilled in the art can make any simple modification, equivalent replacement, and improvement on the above embodiment without departing from the technical spirit of the present invention, and still fall within the protection scope of the technical solution of the present invention.

Claims (4)

1. An interactive behavior monitoring scheme for kernel modules, characterized in that: a monitoring system for kernel module interactive behavior comprises a kernel module isolator, a kernel interaction monitoring module and a kernel module interface; the key operations of the scheme are as follows:
1) initialization of the kernel module isolator: when the operating system starts, the virtualization environment is configured;
2) extraction and rewriting of kernel functions: for the kernel module to be monitored, the kernel functions it uses are extracted and rewritten so that the kernel interaction monitoring module can monitor the interaction behavior, namely the calls of kernel functions;
3) setting up the monitoring module: the monitoring module monitors the whole system; first the data space required for the monitoring module's operation is allocated, then the two logical parts of the monitoring module, namely the detection program and the kernel module interface, are generated in a page-aligned manner from the extracted set of called kernel functions;
4) setting up kernel and monitoring module protection: when the kernel module is loaded, a kernel hook installed in the loading path is triggered; the kernel hook first acquires the address layout of the kernel space, then calls the kernel interface provided by the kernel module isolator to complete the setting of the two sets of EPT page tables, and the monitoring module and the kernel are protected to realize isolation;
5) monitoring the interaction behavior of the kernel module: at run time, when the kernel extension module calls a kernel function, the rewriting causes the kernel module interface of the intermediate module to be called first; the kernel module interface switches the EPT page table and the kernel stack, then invokes the kernel detection program to analyze or record the function call behavior; if an anomaly is found it is reported, and if not, the kernel function that was actually called is invoked.
2. The interactive behavior monitoring scheme for kernel modules according to claim 1, wherein: the actions of the initialization of the kernel module isolator include: enabling the extended page table (EPT) mechanism and the VM Func mechanism provided by the Intel processor, establishing two sets of EPT page tables to support kernel space isolation, and waiting for the loading of the kernel module after initialization is finished.
3. The interactive behavior monitoring scheme for kernel modules according to claim 1, wherein: in the setting up of the monitoring module, the kernel module interface performs the control flow switching between the kernel extension module and the main kernel.
4. The interactive behavior monitoring scheme for kernel modules according to claim 1, wherein: in the monitoring of the kernel module interaction behavior, when the kernel extension module calls a kernel function, it first calls the function interface of the intermediate module, detection is then performed, and finally the real kernel function is called.
Application CN201710701884.7A, priority date 2017-08-16, filing date 2017-08-16: Interactive behavior monitoring scheme of kernel module, granted as CN107479946B (en), status Active.


Publications (2)

CN107479946A (en), published 2017-12-15
CN107479946B (en), published 2020-06-16

Family

ID=60600537



Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103399812A (en) * 2013-07-22 2013-11-20 西安电子科技大学 Magnetic disc file operation monitoring system and monitoring method based on Xen hardware virtualization
US8667298B2 (en) * 2010-03-10 2014-03-04 Red Hat, Inc. Module signing for unprivileged users to create and load trustworthy kernel modules
CN104809401A (en) * 2015-05-08 2015-07-29 南京大学 Method for protecting integrity of kernel of operating system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2015235840A1 (en) * 2014-03-27 2016-08-18 Alert Logic, Inc. Malicious software identification integrating behavioral analytics and hardware events

Also Published As

Publication number Publication date
CN107479946A (en) 2017-12-15

Similar Documents

Publication Publication Date Title
CN107479946B (en) Interactive behavior monitoring scheme of kernel module
US11809891B2 (en) Multi-hypervisor virtual machines that run on multiple co-located hypervisors
US11436155B2 (en) Method and apparatus for enhancing isolation of user space from kernel space
US7761674B2 (en) Identifier associated with memory locations for managing memory accesses
US6907600B2 (en) Virtual translation lookaside buffer
US20070006175A1 (en) Intra-partitioning of software components within an execution environment
JP6411494B2 (en) Page fault injection in virtual machines
JP6518015B2 (en) Protection Key Management and Prefix Translation in Virtual Address Space Legacy Emulation System
US9189620B2 (en) Protecting a software component using a transition point wrapper
US8910155B1 (en) Methods and systems for injecting endpoint management agents into virtual machines
CN106970823B (en) Efficient nested virtualization-based virtual machine security protection method and system
Wu et al. Taming hosted hypervisors with (mostly) deprivileged execution.
US9952890B2 (en) Kernel state data collection in a protected kernel environment
US20080244155A1 (en) Methods and apparatus to protect dynamic memory regions allocated to programming agents
US10162657B2 (en) Device and method for address translation setting in nested virtualization environment
CN108920253B (en) Agent-free virtual machine monitoring system and monitoring method
JP2014174998A5 (en)
US20090172346A1 (en) Transitioning between software component partitions using a page table pointer target list
CN109947666B (en) Trusted execution environment cache isolation method and device, electronic equipment and storage medium
CN103345604A (en) Sandbox system based on light-weight virtual machine monitor and method for monitoring OS with sandbox system
EP4156008A1 (en) Seamless access to trusted domain protected memory by virtual machine manager using transformer key identifier
CN107368739B (en) Kernel drive monitoring method and device
Gopalan et al. {Multi-Hypervisor} Virtual Machines: Enabling an Ecosystem of Hypervisor-level Services
US10649787B2 (en) Exception handling involving emulation of exception triggering data transfer operation using syndrome data store that includes data value to be transferred
Mittal et al. Efficient virtualization on embedded power architecture® platforms

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant