CN108563491A - A method for automated management, configuration and introspection based on virtual machine introspection - Google Patents

Info

Publication number: CN108563491A
Authority: CN (China)
Prior art keywords: virtual machine, puppet, target virtual machine, calling, program
Legal status: Granted (current status: Active)
Application number: CN201810344939.8A
Other languages: Chinese (zh)
Other versions: CN108563491B (en)
Inventors: 邹学强, 叶麟, 余翔湛, 袁庆升, 詹东阳, 包秀国
Current assignee: Harbin Institute of Technology; National Computer Network and Information Security Management Center
Original assignee: Harbin Institute of Technology; National Computer Network and Information Security Management Center
Application filed by Harbin Institute of Technology and National Computer Network and Information Security Management Center
Priority to CN201810344939.8A; publication of CN108563491A; application granted; publication of CN108563491B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects

Abstract

The present invention provides a method for automated management, configuration and introspection based on virtual machine introspection, comprising: 1) according to the system-call execution sequence of an operating-system operation, screening out the system calls that need to be reused to form puppet system calls, which are executed by the target virtual machine; the target virtual machine comprises a control module, a data exchange module and a system-call control module; 2) injecting the system call into the target virtual machine; 3) protecting the execution of the virtual machine system call; and 4) isolating virtual machine memory, which includes tracing the VCPU scheduling of the target virtual machine from outside it and operating on target virtual machine memory. The method further strengthens security: the puppet system-call code executed by the target virtual machine comes from a secure kernel image, so the reused puppet system calls do not depend on the kernel integrity of the target virtual machine.

Description

A method for automated management, configuration and introspection based on virtual machine introspection
Technical field
The present invention relates to the field of computer technology, and specifically to a method for automated management, configuration and introspection based on virtual machine introspection.
Background art
Virtual machine introspection provides a security guarantee for cloud security in cloud computing. Virtual Machine Introspection (VMI) is the typical representative of architecture-based virtual machine monitoring. The VMI architecture obtains the low-level state data of the virtual machine (CPU registers, I/O controller registers, memory, mass-storage devices and so on) from outside the target virtual machine, so that a secure virtual machine can effectively monitor or intervene in the running state inside it. Because the virtual machine monitor (VMM) holds the highest privilege and the isolation between virtual machines is very strong, this monitoring mode offers high security and transparency. Since the approach guarantees the validity and attack resistance of the monitoring tools, it plays an important role in intrusion detection, kernel integrity protection, file protection and other areas.
However, virtual machine monitoring currently faces the challenge of semantic reconstruction. Because the monitoring platform can only obtain the binary execution information of the virtual machine, it cannot learn the virtual machine's high-level semantic information; this difference is known as the "semantic gap". Since different virtual machines, operating systems and kernel versions carry different semantic knowledge, the generality and scalability of external monitoring tools is poor. Although tools such as Volatility automate semantic parsing, most VMI programs can only parse the virtual machine's information and cannot directly manage the virtual machine. This is because a single operation often causes numerous memory and disk changes in the virtual machine, and it is difficult to fully simulate all kernel operations from outside. For example, terminating a process requires changing the process list in the kernel and releasing all related memory, which is a systematic operation.
To solve the problem of handling the semantic gap automatically, Hypershell [1], EXT [2] and PI [3] respectively use system-call redirection and the implantation of analysis programs into the target virtual machine to achieve management or monitoring. But these methods face problems of security, automation and scalability. Hypershell and PI need the virtual machine's assistance to complete management and parsing, so their security and transparency are problematic, and they cannot work if the virtual machine kernel has been compromised. EXT uses a secure virtual machine (SVM) to process data in place of the target virtual machine (TVM) and then copies the result into the target virtual machine, but it faces a scalability problem: the data operated on by each system call differs and must be handled separately, and Linux has a great many kinds of system calls, so it is difficult to cover the functions that are used.
Summary of the invention
The present invention proposes a secure method and system for automated management, configuration and introspection based on virtual machine introspection, which allow a monitoring program outside the virtual machine to automatically obtain the virtual machine's running information and intervene in its operation. The core idea is to use the target virtual machine to assist in executing the puppet system calls we need, thereby parsing semantics automatically and intervening in the virtual machine. The strategy of reusing system calls is chosen because the most important operations in a virtual machine are completed through system calls; the semantic gap problem can therefore be handled automatically by reusing system calls.
The present invention may be realized by the following method:
A method for automated management, configuration and introspection based on virtual machine introspection, comprising:
1) according to the system-call execution sequence of an operating-system operation, screening out the system calls to be reused to form puppet system calls, which are executed by the target virtual machine; the target virtual machine comprises a control module, a data exchange module and a system-call control module;
2) injecting a system call into the target virtual machine, comprising:
1. choosing a puppet program in the target virtual machine and, according to the semantics to be processed, choosing the puppet system call to be executed; the system-call control module obtains the current call execution state, and the data exchange module transfers the current call data to the control module, which saves it;
2. the control module operates the data exchange module to transfer the parameter data of the puppet system call to be executed into the target virtual machine, and the target virtual machine assists in completing the puppet system call as required;
3. the data exchange module passes the execution result of the call to the control module; the execution result is located in kernel space or in user space;
4. the control module operates the data exchange module to restore the parameter data of the puppet program's original call into the target virtual machine, after which the system-call control module allows the target virtual machine to continue executing the puppet program's original call;
5. after the original call has executed, the completed puppet system call returns and the control flow of the operating system returns to the puppet program;
3) protecting the execution of the virtual machine system call, comprising:
1. after the puppet system call begins execution, setting the permissions of all kernel pages in the target virtual machine to non-executable;
2. when a page is executed, an exception is triggered and the target virtual machine's operation is suspended; according to the virtual address of the executed kernel page, the corresponding memory page is found in the security image of the secure virtual machine; that page is written into the executed page of the target virtual machine, and the page is protected;
3. setting the page to executable and then resuming the target virtual machine's operation;
4) isolating virtual machine memory, comprising: tracing the VCPU scheduling of the target virtual machine from outside it and operating on target virtual machine memory; specifically, during the injection of the target virtual machine call, before the parameter data of the puppet system call is written to the puppet program, the data previously present in the memory region to be written is saved, and by tracing the context-switch information of programs in the target virtual machine, the VCPU scheduling information of the target virtual machine is obtained.
Further, during the injection of the target virtual machine call, while the VCPU is executing the puppet program, the puppet program's memory is in the post-injection state; after the puppet program has been switched out, the read and write activity on the puppet program's memory is traced from outside the target virtual machine.
The present invention also provides a system for automated management, configuration and introspection based on virtual machine introspection, comprising a puppet system-call forming module, a target virtual machine call execution module, a virtual machine call execution protection module and a virtual machine memory isolation module;
the puppet system-call forming module is used to screen out, according to the system-call execution sequence of an operating-system operation, the system calls that need to be reused to form puppet system calls, which are executed by the target virtual machine; the target virtual machine comprises a control module, a data exchange module and a system-call control module;
the target virtual machine call execution module is used to inject the target virtual machine call, comprising:
1. choosing a puppet program in the target virtual machine and, according to the semantics to be processed, choosing the puppet system call to be executed; the system-call control module obtains the current call execution state, and the data exchange module transfers the current call data to the control module, which saves it;
2. the control module operates the data exchange module to transfer the parameter data of the puppet system call to be executed into the target virtual machine, and the target virtual machine assists in completing the puppet system call as required;
3. the data exchange module passes the execution result of the call to the control module; the execution result is located in kernel space or in user space;
4. the control module operates the data exchange module to restore the parameter data of the puppet program's original call into the target virtual machine, after which the system-call control module allows the target virtual machine to continue executing the puppet program's original call;
5. after the original call has executed, the completed puppet system call returns and the control flow of the operating system returns to the puppet program;
the virtual machine call execution protection module is used to protect the execution of the virtual machine system call, comprising:
1. after the puppet system call begins execution, setting the permissions of all kernel pages in the target virtual machine to non-executable;
2. when a page is executed, an exception is triggered and the target virtual machine's operation is suspended; according to the virtual address of the executed kernel page, the corresponding memory page is found in the security image of the secure virtual machine; that page is written into the executed page of the target virtual machine, and the page is protected;
3. setting the page to executable and then resuming the target virtual machine's operation;
the virtual machine memory isolation module isolates virtual machine memory, comprising: tracing the VCPU scheduling of the target virtual machine from outside it and operating on target virtual machine memory; specifically, during the injection of the target virtual machine call, before the parameter data of the puppet system call is written to the puppet program, the data previously present in the memory region to be written is saved, and by tracing the context-switch information of programs in the target virtual machine, the VCPU scheduling information of the target virtual machine is obtained.
Further, during the injection of the target virtual machine call, while the VCPU is executing the puppet program, the puppet program's memory is in the post-injection state; after the puppet program has been switched out, the read and write activity on the puppet program's memory is traced from outside the target virtual machine.
In summary, the present invention comprises the following:
(1) a tracing-based puppet system-call selection method: when an external monitoring program needs to obtain virtual machine information or intervene in the virtual machine, the puppet system calls that need to be reused can be chosen automatically;
(2) transparent virtual machine system-call injection: by controlling the way in which the virtual machine executes system calls, additional puppet system calls are injected into the running virtual machine;
(3) a virtual machine system-call execution protection technique: during system-call reuse, once the virtual machine kernel has been compromised, the execution results of the injected system calls become untrustworthy. A protection technique for virtual machine system-call execution is therefore needed to protect the execution safety of the injected system calls in real time. When a virtual machine system call is reused, the monitor dynamically checks, from outside the virtual machine, the integrity and safety of the code the virtual machine executes;
(4) a virtual machine memory isolation technique: during the injection and execution of a call in the virtual machine, the executed code and the temporary data are all isolated. The isolated memory cannot be accessed by other processes, which ensures that the injected call cannot be attacked by malicious processes in the virtual machine.
The beneficial effects are as follows:
(1) the injected system call does not interfere with the normal service logic of the virtual machine;
(2) while the virtual machine executes the injected system call, the external program traces its execution in real time, so that the execution result of the injected call is extracted in real time;
(3) tampering with the executed code can be detected in time and repaired in real time before the code executes; at the same time, the integrity of what the protected code relies on during execution, including the system-call table and the kernel body in memory, is also checked;
(4) through the execution protection technique, safe operation of the reused system call can be ensured even when the virtual machine kernel has been tampered with or attacked;
In addition, the method further strengthens security: the puppet system-call code executed by the target virtual machine comes from a secure kernel image (stored in the secure virtual machine), so the reused puppet system calls do not depend on the kernel integrity of the target virtual machine.
Description of the drawings
Fig. 1 is a flow chart of an embodiment of the method for automated management, configuration and introspection based on virtual machine introspection provided by the invention;
Fig. 2 is a structure chart of an embodiment of the system for automated management, configuration and introspection based on virtual machine introspection provided by the invention;
Fig. 3 is an example diagram of a system-call execution sequence provided by the invention;
Fig. 4 is a flow chart of puppet call injection provided by the invention;
Fig. 5 is a schematic diagram of the memory multi-view provided by the invention.
Detailed description of the embodiments
The present invention provides an embodiment of a method and system for automated management, configuration and introspection based on virtual machine introspection. So that those skilled in the art may better understand the technical solution of the embodiment, and so that the above objects, features and advantages of the invention become more obvious and easier to understand, the technical solution of the invention is explained in further detail below with reference to the accompanying drawings:
The present invention first provides a method for automated management, configuration and introspection based on virtual machine introspection, as shown in Fig. 1, comprising:
S101, 1) according to the system-call execution sequence of an operating-system operation, screening out the system calls to be reused to form puppet system calls, which are executed by the target virtual machine; the target virtual machine comprises a control module, a data exchange module and a system-call control module;
In more detail: Fig. 3 shows the system-call execution sequence of the kill command on a Linux system, whose effect is to kill a running process in the system. This executed sequence was captured with strace inside the target virtual machine, and the purpose of the system is to realize these intervention functions outside the target virtual machine. The execution process of kill inside the operating system is reproduced outside, and only the important calls in it are handed to the target virtual machine to complete as puppet system calls. Many calls are executed while the kill program runs, but among them only the kill call actually completes the kill operation, and the system selects only the semantically relevant system calls for reuse.
S102, 2) injecting a system call into the target virtual machine, comprising:
1. choosing a puppet program in the target virtual machine and, according to the semantics to be processed, choosing the puppet system call to be executed; the system-call control module obtains the current call execution state, and the data exchange module transfers the current call data to the control module, which saves it;
2. the control module operates the data exchange module to transfer the parameter data of the puppet system call to be executed into the target virtual machine, and the target virtual machine assists in completing the puppet system call as required;
3. the data exchange module passes the execution result of the call to the control module; the execution result is located in kernel space or in user space;
4. the control module operates the data exchange module to restore the parameter data of the puppet program's original call into the target virtual machine, after which the system-call control module allows the target virtual machine to continue executing the puppet program's original call;
5. after the original call has executed, the completed puppet system call returns and the control flow of the operating system returns to the puppet program;
In more detail: the system flow chart is shown in Fig. 4. The left side is the secure virtual machine and the right side is the target virtual machine being operated on. Both run on the virtual machine monitor (VMM), which provides virtualization services for the virtual machines. The system's control module, data exchange module and system-call control module are located in the secure virtual machine and in the virtual machine monitor layer. The control module is responsible for the overall control of the data exchange module and the system-call control module. The system-call control module is responsible for monitoring and controlling the execution of calls in the VM. The data exchange module is responsible for transferring the parameters and results of system-call execution between the control module and the VM. The system flow is as follows:
Step 0: a puppet program is chosen in the TVM as the program that issues the call request. According to the semantic-processing needs of the management and configuration process, the system call that the TVM has to run is chosen and the required parameter data is prepared.
Step 1: when the puppet program is about to execute a system call, the system-call control module obtains the current call execution state and then notifies the control module. At the same time, the data exchange module passes the current call's execution data to the control module, which saves it.
Step 2: the control module operates the data exchange module to transfer the parameter data of the puppet system call to be executed into the target virtual machine. The target virtual machine then assists in completing the puppet system call as required. During the call's execution, the code of the call comes entirely from the security image in the secure virtual machine, which guarantees that the system still operates normally even if the kernel's call path has been compromised.
Step 3: after the target virtual machine completes the puppet call, the system-call control module captures the completion of the call and notifies the control module.
Step 4: the data exchange module passes the execution result of the call to the control module. The execution result may be located in kernel space or in user space. When the executed call belongs to the semantic-parsing class (for example SYS_READ), the transferred result is the semantic result the call was needed to parse. When a management-class call is executed (for example SYS_CHMOD), the result is information such as whether the call executed successfully.
Step 5: first, the control module operates the data exchange module to restore the parameter data of the puppet program's original call into the target virtual machine. The system-call control module then allows the target virtual machine to continue executing the puppet program's original call.
Step 6: after the original call has executed, the completed system call returns, and the control flow of the operating system returns to the puppet program.
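The selection rule illustrated by the kill trace (Fig. 3) and Steps 0 to 6 of the injection flow above, as an added worked example that is not the patent's code: a constructed strace capture of `kill -9 1234` is reduced to its one semantically relevant call, and that call is injected into a toy model of the target VM whose register file, process table and module functions (`TargetVM`, `select_puppet_calls`, `inject`) are this example's own assumptions.

```python
"""Puppet syscall selection and injection, simulated outside the guest (toy model)."""
import copy
import re
from dataclasses import dataclass, field

# Constructed strace capture of `kill -9 1234` taken inside the TVM (Fig. 3).
STRACE_KILL = """\
execve("/bin/kill", ["kill", "-9", "1234"], 0x7ffd2c1a4e60) = 0
brk(NULL) = 0x5593c2a0a000
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
mmap(NULL, 1970000, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f0e1c000000
close(3) = 0
kill(1234, SIGKILL) = 0
exit_group(0) = ?
"""

# Semantic intent -> (calls that carry that semantics, result class): a
# management-class call returns a status, a parsing-class call returns data.
PUPPET_CALLS = {
    "terminate_process": ({"kill"}, "manage"),
    "read_file": ({"read"}, "parse"),
}


def parse_strace(text):
    """Parse `name(args) = ret` lines into (name, [args], ret) tuples. The comma
    split is naive (it breaks execve's array); only the kept calls' args are used."""
    out = []
    for line in text.splitlines():
        m = re.match(r"(\w+)\((.*)\)\s*=\s*(\S+)$", line)
        if m:
            args = [a.strip() for a in m.group(2).split(",")] if m.group(2) else []
            out.append((m.group(1), args, m.group(3)))
    return out


def select_puppet_calls(trace, intent):
    """Keep only the calls carrying the intended semantics: for `kill` that is
    kill() itself; execve/brk/openat/mmap/close are loader traffic, never reused."""
    names, _ = PUPPET_CALLS[intent]
    return [(name, args) for name, args, _ in trace if name in names]


@dataclass
class TargetVM:
    """Toy guest: registers (rax = syscall, rdi/rsi/rdx = args) and a process table."""
    regs: dict
    procs: dict                     # pid -> "running" | "killed"
    puppet_pid: int
    log: list = field(default_factory=list)

    def execute_syscall(self):
        """The guest kernel services whatever call is in the registers."""
        name = self.regs["rax"]
        if name == "kill":
            pid = int(self.regs["rdi"])
            if pid in self.procs:
                self.procs[pid] = "killed"
                self.regs["rax"] = 0
            else:
                self.regs["rax"] = -3       # -ESRCH
        elif name == "getpid":
            self.regs["rax"] = self.puppet_pid
        else:
            self.regs["rax"] = -38          # -ENOSYS
        self.log.append(name)
        return self.regs["rax"]


def inject(vm, intent, trace):
    """Steps 0-6 of the injection flow; returns (puppet_result, original_result)."""
    # Step 0: choose the puppet call and its parameters from the trace
    # (this example assumes the intent maps to exactly one call).
    (name, args), = select_puppet_calls(trace, intent)
    # Step 1: the puppet is about to make its own call; the syscall control
    # module captures it and the data exchange module saves the call data.
    saved = copy.deepcopy(vm.regs)
    # Step 2: write the puppet call and its parameters into the guest and let
    # the guest service it.
    vm.regs.update({"rax": name, **dict(zip(("rdi", "rsi", "rdx"), args))})
    vm.execute_syscall()
    # Steps 3-4: completion captured, result read back (status in rax for a
    # management-class call).
    result = vm.regs["rax"]
    # Step 5: restore the original call data and let the puppet's own call run.
    vm.regs = saved
    original = vm.execute_syscall()
    # Step 6: the completed call returns; control flow is back in the puppet.
    return result, original


def demo():
    """Puppet process 1300 is about to call getpid(); inject kill(1234) first."""
    vm = TargetVM(regs={"rax": "getpid", "rdi": 0, "rsi": 0, "rdx": 0},
                  procs={1234: "running", 1300: "running"}, puppet_pid=1300)
    return vm, inject(vm, "terminate_process", parse_strace(STRACE_KILL))
```

After `demo()` the guest log reads `["kill", "getpid"]`: the injected call ran first and the puppet's own call still completed with its registers restored.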
S103, 3) protecting the execution of the virtual machine system call, comprising:
1. after the puppet system call begins execution, setting the permissions of all kernel pages in the target virtual machine to non-executable;
2. when a page is executed, the target virtual machine's operation is suspended; according to the virtual address of the executed kernel page, the corresponding memory page is found in the security image of the secure virtual machine; that page is written into the executed page of the target virtual machine, and the page is protected;
3. setting the page to executable and then resuming the target virtual machine's operation;
By way of illustration: to ensure the safety of the puppet call instructions in the target virtual machine, the instructions that the target virtual machine executes during the puppet call are made to come from the secure code repository in the secure virtual machine. To achieve this, the safe call instructions are dynamically overlaid onto the TVM while the puppet call executes. Through this dynamic overlay, every instruction the target virtual machine executes during that period comes from the secure repository in the secure virtual machine. To make the overlay efficient, the granularity of replacement is set at page level: when a page is executed in the target virtual machine, the corresponding page is taken from the secure virtual machine's pages and overlaid into the target virtual machine. The instruction replacement flow is as follows:
Step 0: after the puppet system call begins execution, the permissions of all kernel pages in the target virtual machine are set to non-executable, so that a VMExit exception is triggered when the virtual machine executes an instruction on such a page;
Step 1: after a page is executed, the target virtual machine's operation is suspended. According to the virtual address of the executed page, the corresponding memory page is found in the secure virtual machine's security image, and that page is then written into the executed page of the target virtual machine. The page is then protected, so that it does not need to be rewritten when it is executed again, and the protection also prevents that memory from being tampered with or attacked.
Step 2: the page is set to executable and the target virtual machine's operation is resumed, so that the target virtual machine can continue executing its call. When another page is executed, its permission is non-executable, so Step 1 is repeated in the target virtual machine.
Note also the problem of indirect addressing during the target virtual machine's call. Jump instructions change the control flow in the operating system. The jump address of a direct-addressing instruction is written in the instruction area, so the correctness of its control flow is ensured by the code protection method: in more detail, if an attacker tampers with an instruction such as CALL 0xc15ac75c, the original instruction is restored through the code overlay. The jump address of an indirect-addressing instruction, however, is stored in another memory region, and keeping the code intact alone is not enough. A dynamic instruction parsing method is adopted to solve this problem: the security image of the secure virtual machine is used to overlay the memory region that the indirect addressing relies on. When a secure page from the secure virtual machine is written into the target virtual machine during Step 1, the page is parsed with Distorm to find all indirect-addressing instructions in it. These are then replaced with Int3 breakpoints so that their execution can be traced from outside. When an Int3 causes a VMExit, the corresponding indirect-addressing instruction is restored, and the address of the memory region the instruction depends on is derived from the current registers and instruction information. Finally, the safe memory content is found by address in the security image repository and overlaid into the TVM.
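The page-level overlay of Steps 0 to 2 and the Int3 handling of indirect addressing, as an added simulation that is not the patent's code: a toy guest whose kernel entry page and jump table were both redirected to an attacker page is run with and without the protection; the page layout, instruction forms and names (`VMState`, `cover_page`, `run_protected`) are constructed for this example.

```python
"""Page-level execute protection for code run during a puppet call (toy model)."""
from dataclasses import dataclass, field

# Toy instruction forms for a code page (one instruction per page here):
#   ("direct", page)        jump whose target is encoded in the instruction itself
#   ("indirect", tbl, idx)  jump whose target is read from data page tbl, entry idx
#   ("int3", original)      breakpoint the monitor planted over an indirect jump
#   ("halt",)
# A data page is a list of target page numbers (a function table).
SECURE_IMAGE = {               # constructed secure kernel image kept in the SVM
    0: [("indirect", 2, 0)],   # kernel entry: call through a table
    1: [("halt",)],            # the legitimate handler
    2: [1],                    # table page: entry 0 -> page 1
}


@dataclass
class VMState:
    mem: dict                                  # page -> contents (may be tampered)
    exec_ok: dict = field(default_factory=dict)
    protected: set = field(default_factory=set)
    events: list = field(default_factory=list)


def tampered_guest():
    """Guest whose entry page and table page were redirected to attacker page 3."""
    return VMState(mem={0: [("direct", 3)], 1: [("halt",)], 2: [3], 3: [("halt",)]})


def cover_page(vm, page):
    """Step 1: overlay the executed page with the secure image copy, then protect
    it. Indirect jumps are swapped for int3 so their data dependency gets resolved
    at execution time (the Distorm scan of the page, in toy form)."""
    if page not in SECURE_IMAGE:
        raise RuntimeError(f"page {page} is not in the security image")
    vm.mem[page] = [("int3", ins) if isinstance(ins, tuple) and ins[0] == "indirect"
                    else ins for ins in SECURE_IMAGE[page]]
    vm.protected.add(page)
    vm.events.append(("cover", page))


def next_pc(vm, ins):
    """Resolve a jump target; a table lookup reads the (possibly covered) data page."""
    return ins[1] if ins[0] == "direct" else vm.mem[ins[1]][ins[2]]


def run_protected(vm, start=0, max_steps=20):
    """Steps 0-2 plus the int3 path; returns the pages executed, in order."""
    vm.exec_ok = {p: False for p in vm.mem}    # Step 0: no kernel page executable
    pc, executed = start, []
    for _ in range(max_steps):
        if not vm.exec_ok[pc]:                 # execute fault -> VMExit, guest paused
            vm.events.append(("vmexit", pc))
            if pc not in vm.protected:         # a protected page is not rewritten
                cover_page(vm, pc)
            vm.exec_ok[pc] = True              # Step 2: mark executable, resume
        executed.append(pc)
        ins = vm.mem[pc][0]
        if ins[0] == "int3":                   # indirect jump: VMExit on the breakpoint
            vm.events.append(("int3", pc))
            ins = ins[1]                       # the original instruction it stands for
            vm.mem[ins[1]] = list(SECURE_IMAGE[ins[1]])   # cover the region it relies on
            vm.events.append(("cover_data", ins[1]))
        if ins[0] == "halt":
            return executed
        pc = next_pc(vm, ins)
    raise RuntimeError("step budget exceeded")


def run_unprotected(vm, start=0, max_steps=20):
    """Same guest with no protection: the tampered pages are simply followed."""
    pc, executed = start, []
    for _ in range(max_steps):
        executed.append(pc)
        ins = vm.mem[pc][0]
        if ins[0] == "halt":
            return executed
        pc = next_pc(vm, ins)
    raise RuntimeError("step budget exceeded")
```

Unprotected, the tampered guest executes pages `[0, 3]`; protected, both the code page and the table it reads are overlaid from the image and execution follows `[0, 1]`, and a second puppet call faults on page 0 again but no longer rewrites it.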
S104, 4) isolating virtual machine memory, comprising: tracing the VCPU scheduling of the target virtual machine from outside it and operating on target virtual machine memory; specifically, during the injection of the target virtual machine call, before the parameter data of the puppet system call is written to the puppet program, the data previously present in the memory region to be written is saved, and by tracing the context-switch information of programs in the target virtual machine, the VCPU scheduling information of the target virtual machine is obtained.
In more detail: to protect the data, the security mechanism adopts a multi-view memory protection measure. The memory view of the injected call is made different from the view seen by other programs: the injected call data is visible only to the puppet program and invisible to other programs, as shown in Fig. 5. The multi-view mechanism is realized by tracing the VCPU scheduling of the target virtual machine from outside it and operating on target virtual machine memory.
During the injection of the call, the data previously in the memory region to be written is first saved before the puppet call data is written to the puppet program. By tracing the program context switches in the target virtual machine, the VCPU scheduling state of the target virtual machine is obtained. While the VCPU is executing the puppet program, the puppet program's memory is in the post-injection state. Once the puppet program has been switched out, reads and writes of the puppet program's memory are traced from outside the target virtual machine. When the puppet program's memory is read, this shows that another program needs to read the puppet program's data; the puppet program's memory is reset to its original, un-injected data state so that the other program reads the original data it needs, which guarantees transparency. When the puppet program's memory is modified, this shows that a program is attempting to modify the puppet program's memory. If the modification is unrelated to the injected call, nothing is done. If it is related, the modification must not be allowed to affect the injected call: the memory is first restored to its original appearance, the write is then allowed, and after the write the original memory data is saved again. This ensures that reads and writes see the original memory view without affecting the injected call's view.
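The multi-view handling of reads and writes while the puppet program is switched out, as an added simulation that is not the patent's code: `MultiViewRegion` and its scheduling and access methods are this example's own, and the region contents are constructed.

```python
"""Multi-view memory for injected call data, traced from outside the guest (toy model)."""
from dataclasses import dataclass, field


@dataclass
class MultiViewRegion:
    """The puppet program's memory region as the monitor sees it. `mem` is what the
    guest currently reads; `original` is the saved pre-injection data (the view other
    programs get); the injected parameters live at offset `at` in the puppet's view."""
    mem: bytearray
    at: int                       # offset of the injected call parameters
    data: bytes                   # the injected call parameters
    original: bytes = b""
    puppet_running: bool = False
    log: list = field(default_factory=list)

    def injected_view(self):
        """Original data with the call parameters spliced in."""
        view = bytearray(self.original)
        view[self.at:self.at + len(self.data)] = self.data
        return bytes(view)

    def inject(self):
        """Save what was in the region before writing the puppet call data."""
        self.original = bytes(self.mem)
        self.mem[:] = self.injected_view()

    # --- VCPU scheduling, obtained from traced context switches ---
    def schedule_in(self):
        self.puppet_running = True
        self.mem[:] = self.injected_view()     # the puppet sees the injected data

    def schedule_out(self):
        self.puppet_running = False            # from here, accesses are trapped

    # --- accesses by other programs while the puppet is switched out ---
    def read(self, off, n):
        if self.puppet_running:
            raise RuntimeError("only accesses by other programs are trapped")
        self.mem[:] = self.original            # reset to the un-injected data
        self.log.append(("read", off, n))
        return bytes(self.mem[off:off + n])

    def write(self, off, data):
        if self.puppet_running:
            raise RuntimeError("only accesses by other programs are trapped")
        lo, hi = self.at, self.at + len(self.data)
        related = off < hi and off + len(data) > lo
        # The write lands in the original data either way, so re-save it.
        orig = bytearray(self.original)
        orig[off:off + len(data)] = data
        self.original = bytes(orig)
        if related:
            self.mem[:] = self.original        # restore the original, then let the write land
        else:
            self.mem[off:off + len(data)] = data   # unrelated: nothing special to do
        self.log.append(("write", off, related))


def demo():
    """Constructed region: 8 bytes of injected data followed by 8 unrelated bytes."""
    region = MultiViewRegion(mem=bytearray(b"AAAAAAAABBBBBBBB"), at=0, data=b"/var/log")
    region.inject()
    region.schedule_in()
    puppet_sees = bytes(region.mem)
    region.schedule_out()
    other_reads = region.read(0, 8)           # another program reads the region
    region.write(8, b"CCCCCCCC")              # unrelated write
    region.write(0, b"ZZ")                    # write overlapping the injected data
    region.schedule_in()
    return puppet_sees, other_reads, bytes(region.mem), region.original
```

Both writes reach the original data that other programs see, while the puppet, once scheduled back in, still finds its injected parameters intact.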
Preferably, the injection target virtual machine calls, in injecting calling process, when VCPU is carrying out puppet's program When, the memory of puppet's program is the state after injection, after puppet's program is switched, in target virtual machine external trace puppet's journey The reading writing information of sequence memory.
The present invention also provides a virtual machine-based introspection automation management, configuration and introspection system, including a puppet system call forming module 201, a target virtual machine call execution module 202, a virtual machine call execution protection module 203 and a virtual machine memory isolation module 204;
The puppet system call forming module 201 is used to filter out multiplexable system calls according to the call execution process of the operating system's operational flow, forming puppet system calls that are executed by the target virtual machine; the target virtual machine includes a control module 2011, a data exchange module 2012 and a system call control module 2013;
The target virtual machine call execution module 202 is used to inject target virtual machine calls, including
1. choosing a puppet program in the target virtual machine and, according to the semantics to be executed, choosing a puppet system call to be executed; the call control module 2013 obtains the current call execution process, and the data exchange module 2012 transfers the current call data to the control module 2011, which saves it;
2. the control module 2011 operates the data exchange module 2012 to transfer the parameter data of the puppet system call to be executed into the target virtual machine, so that the target virtual machine assists in completing the puppet system call as required;
3. the data exchange module 2012 passes the call execution result to the control module 2011; the execution result is located in kernel space or user space;
4. the control module 2011 operates the data exchange module 2012 to restore the parameter data of the puppet program's original call into the target virtual machine; the call control module 2011 then allows the target virtual machine to continue executing the puppet program's original call;
5. after the original call has executed, the completed puppet system call returns, and the operating system's control flow returns to the puppet program;
The virtual machine call execution protection module is used to protect the execution of virtual machine system calls, including:
1. after the puppet system call starts executing, setting the permissions of all kernel pages in the target virtual machine to non-executable;
2. when a page is executed, suspending the operation of the target virtual machine, finding the corresponding memory page in the security image of the secure virtual machine according to the virtual address of the executed kernel page, writing that page into the executed page of the target virtual machine, and protecting the page;
3. setting the page to executable and then resuming the operation of the target virtual machine;
The virtual machine memory isolation module isolates virtual machine memory, including: tracing the VCPU scheduling of the target virtual machine from outside the target virtual machine and manipulating the target virtual machine's memory; specifically: in the process of injecting the target virtual machine call, before the parameter data of the puppet system call is written to the puppet program, the data previously held in the memory region to be written is saved, and by tracking the context switch information of the programs in the target virtual machine, the VCPU scheduling information of the target virtual machine is obtained.
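A Python model of the three-step execution protection above, added here rather than taken from the patent: after the puppet call starts, every kernel page is marked non-executable; the first execution trap on a page pauses the guest, looks the page up by virtual address in the secure virtual machine's security image, copies it over the guest page, marks it protected and executable, and resumes. The Page/TargetVM structures, the write_protected flag as the meaning of "protect the page", and the handling of a page missing from the image are assumptions.

```python
from dataclasses import dataclass, field

PAGE_SIZE = 0x1000


@dataclass
class Page:
    """One kernel page of the target virtual machine (model)."""
    data: bytes
    executable: bool = True
    write_protected: bool = False


@dataclass
class TargetVM:
    pages: dict                      # kernel virtual page address -> Page
    paused: bool = False
    log: list = field(default_factory=list)


class ExecProtection:
    """Protection module (model): kernel code runs only from pages that match
    the security image kept in the secure virtual machine."""

    def __init__(self, vm: TargetVM, security_image: dict):
        self.vm = vm
        self.image = security_image  # virtual page address -> known-good bytes

    def start(self) -> None:
        """Step 1: puppet call started, mark every kernel page non-executable."""
        for page in self.vm.pages.values():
            page.executable = False

    def on_execute(self, vaddr: int) -> str:
        """Steps 2 and 3: execution trap for the page containing vaddr."""
        base = vaddr & ~(PAGE_SIZE - 1)
        page = self.vm.pages[base]
        if page.executable:
            return "run"                 # already verified, no trap needed
        self.vm.paused = True            # suspend the target VM
        good = self.image.get(base)
        if good is None:
            # Assumption: a page absent from the security image stays paused
            # and non-executable; the patent text does not specify this case.
            self.vm.log.append(("unknown_page", base))
            return "blocked"
        if page.data != good:
            self.vm.log.append(("restored", base))
        page.data = good                 # write the image page into the guest
        page.write_protected = True      # "protect the page"
        page.executable = True           # step 3: allow execution, resume
        self.vm.paused = False
        return "run"


def demo() -> tuple:
    """Constructed scenario: one clean page, one tampered page, one unknown."""
    good_a, good_b = b"\x90" * PAGE_SIZE, b"\xc3" * PAGE_SIZE
    image = {0x1000: good_a, 0x2000: good_b}
    vm = TargetVM(pages={
        0x1000: Page(good_a),
        0x2000: Page(b"\xcc" + good_b[1:]),   # first byte patched in the guest
        0x3000: Page(b"\x00" * PAGE_SIZE),    # not in the security image
    })
    prot = ExecProtection(vm, image)
    prot.start()
    results = (prot.on_execute(0x1010), prot.on_execute(0x2400),
               prot.on_execute(0x2400), prot.on_execute(0x3000))
    return results, vm.pages[0x2000].data == good_b, vm.log, vm.paused
```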
Preferably, when injecting the target virtual machine call, during the injection process the puppet program's memory is in the post-injection state while the VCPU is executing the puppet program, and after the puppet program is switched out the read and write information of the puppet program's memory is traced from outside the target virtual machine.
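The following Python model, added here and not part of the patent, simulates the multi-view mechanism of the detailed description above and of the memory isolation module 204: a monitor outside the guest saves the original bytes before injecting call data, re-applies the injected view whenever the puppet program is scheduled, hands every other program the original view on read, and lets a related write land in that original view only. The guest is reduced to a bytearray and the scheduling trace to explicit schedule() calls; the program names and the treatment of the puppet's own writes to the region are modeling assumptions.

```python
class MultiViewMonitor:
    """Hypervisor-side monitor (model) for one injected parameter region.

    Two views of guest[start:end] exist: the injected call data, which only
    the puppet program sees, and the original bytes, which every other
    program sees. Program names ("puppet" versus anything else) and the
    handling of the puppet's own writes are modeling assumptions.
    """

    def __init__(self, guest: bytearray, start: int, injected: bytes):
        self.guest = guest
        self.start, self.end = start, start + len(injected)
        # Save the data that was in the region before the call data is written.
        self.original = bytes(guest[self.start:self.end])
        self.injected = injected
        self.running = "puppet"
        guest[self.start:self.end] = injected  # puppet is running: inject

    def _overlaps(self, addr: int, n: int) -> bool:
        return addr < self.end and addr + n > self.start

    def schedule(self, program: str) -> None:
        """Context switch observed from outside the guest (VCPU trace)."""
        if program == "puppet":
            # Puppet scheduled back in: its memory returns to the injected state.
            self.guest[self.start:self.end] = self.injected
        self.running = program

    def read(self, addr: int, n: int) -> bytes:
        """Read by the running program, traced while the puppet is switched out."""
        if self.running != "puppet" and self._overlaps(addr, n):
            # Another program wants the puppet's data: show it the original.
            self.guest[self.start:self.end] = self.original
        return bytes(self.guest[addr:addr + n])

    def write(self, addr: int, data: bytes) -> None:
        """Write by the running program."""
        n = len(data)
        if self.running == "puppet":
            self.guest[addr:addr + n] = data
            if self._overlaps(addr, n):  # keep the puppet's own view current
                self.injected = bytes(self.guest[self.start:self.end])
        elif not self._overlaps(addr, n):
            self.guest[addr:addr + n] = data  # unrelated to the injection
        else:
            # Related write: restore the original view, let the write land
            # there, then save the result as the new original.
            self.guest[self.start:self.end] = self.original
            self.guest[addr:addr + n] = data
            self.original = bytes(self.guest[self.start:self.end])


def demo() -> list:
    """Constructed scenario: 32-byte guest, parameter region at bytes 8..16."""
    guest = bytearray(32)
    guest[8:16] = b"ORIGDATA"
    mon = MultiViewMonitor(guest, 8, b"INJECTED")
    seen = [mon.read(8, 8)]          # puppet sees the injected call data
    mon.schedule("other")
    seen.append(mon.read(8, 8))      # other program sees the original data
    mon.write(0, b"ABCD")            # unrelated write passes straight through
    mon.write(8, b"NEW!")            # related write changes the original view
    seen.append(mon.read(8, 8))
    mon.schedule("puppet")
    seen.append(mon.read(8, 8))      # injected view intact for the puppet
    mon.schedule("other")
    seen.append(mon.read(8, 8))      # other's modification was preserved
    seen.append(bytes(guest[0:4]))
    return seen
```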
The present invention proposes a virtual machine-based security introspection automation management, configuration and introspection method and system that allows a monitoring program outside the virtual machine to automatically obtain virtual machine operation information and to intervene in the operation of the virtual machine. The core idea is to use the target virtual machine to assist in executing the puppet system calls we need, thereby automatically parsing semantics and intervening in the virtual machine. The strategy of multiplexing system calls is adopted because the most important operations in a virtual machine are completed through system calls; therefore the semantic gap problem can be handled automatically by using system calls.
The above embodiments illustrate and do not limit the technical scheme of the present invention. Any modification or partial replacement that does not depart from the spirit and scope of the invention is intended to fall within the scope of the claims of the invention.

Claims (6)

1. A virtual machine-based introspection automation management, configuration and introspection method, characterized in that it includes:
1) according to the call execution process of the operating system's operational flow, filtering out the system calls that need to be multiplexed to form puppet system calls, the puppet system calls being executed by the target virtual machine; the target virtual machine includes a control module, a data exchange module and a system call control module;
2) injecting a target virtual machine system call, including
1. choosing a puppet program in the target virtual machine and, according to the semantics to be executed, choosing a puppet system call to be executed; the call control module obtains the current call execution process and calls the data exchange module to transfer the current call data to the control module, which saves it;
2. the control module operates the data exchange module to transfer the parameter data of the puppet system call to be executed into the target virtual machine, so that the target virtual machine assists in completing the puppet system call as required;
3. the data exchange module passes the call execution result to the control module; the execution result is located in kernel space or user space;
4. the control module operates the data exchange module to restore the parameter data of the puppet program's original call into the target virtual machine; the call control module then allows the target virtual machine to continue executing the puppet program's original call;
5. after the original call has executed, the completed puppet system call returns, and the operating system's control flow returns to the puppet program;
3) protecting the execution of virtual machine system calls, including:
1. after the puppet system call starts executing, setting the permissions of all kernel pages in the target virtual machine to non-executable;
2. when a page is executed, suspending the operation of the target virtual machine, finding the corresponding memory page in the security image of the secure virtual machine according to the virtual address of the executed kernel page, writing that page into the executed page of the target virtual machine, and protecting the page;
3. setting the page to executable and then resuming the operation of the target virtual machine;
4) isolating virtual machine memory, including: tracing the VCPU scheduling of the target virtual machine from outside the target virtual machine and manipulating the target virtual machine's memory; specifically: in the process of injecting the target virtual machine call, before the parameter data of the puppet system call is written to the puppet program, saving the data previously held in the memory region to be written, and tracking the context switch information of the programs in the target virtual machine, thereby preventing the data of the puppet call from being read or tampered with by other processes.
2. The virtual machine-based introspection automation management, configuration and introspection method according to claim 1, characterized in that, in the process of the target virtual machine call, the control flow of the operating system is changed from outside the virtual machine by modifying register and memory contents.
3. The virtual machine-based introspection automation management, configuration and introspection method according to claim 1, characterized in that, when injecting the target virtual machine call, during the injection process the puppet program's memory is in the post-injection state while the VCPU is executing the puppet program, and after the puppet program is switched out the read and write information of the puppet program's memory is traced from outside the target virtual machine.
4. A virtual machine-based introspection automation management, configuration and introspection system, characterized in that it includes a puppet system call forming module, a target virtual machine call execution module, a virtual machine call execution protection module and a virtual machine memory isolation module;
The puppet system call forming module is used to filter out multiplexable system calls according to the call execution process of the operating system's operational flow, forming puppet system calls that are executed by the target virtual machine; the target virtual machine includes a control module, a data exchange module and a system call control module;
The target virtual machine call execution module is used to inject target virtual machine calls, including
1. choosing a puppet program in the target virtual machine and, according to the semantics to be executed, choosing a puppet system call to be executed; the call control module obtains the current call execution process and calls the data exchange module to transfer the current call data to the control module, which saves it;
2. the control module operates the data exchange module to transfer the parameter data of the puppet system call to be executed into the target virtual machine, so that the target virtual machine assists in completing the puppet system call as required;
3. the data exchange module passes the call execution result to the control module; the execution result is located in kernel space or user space;
4. the control module operates the data exchange module to restore the parameter data of the puppet program's original call into the target virtual machine; the call control module then allows the target virtual machine to continue executing the puppet program's original call;
5. after the original call has executed, the completed puppet system call returns, and the operating system's control flow returns to the puppet program;
The virtual machine call execution protection module is used to protect the execution of virtual machine system calls, including:
1. after the puppet system call starts executing, setting the permissions of all kernel pages in the target virtual machine to non-executable;
2. when a page is executed, an exception is triggered and the operation of the target virtual machine is suspended; the corresponding memory page is found in the security image of the secure virtual machine according to the virtual address of the executed kernel page, that page is written into the executed page of the target virtual machine, and the page is protected;
3. setting the page to executable and then resuming the operation of the target virtual machine;
The virtual machine memory isolation module isolates virtual machine memory, including: tracing the VCPU scheduling of the target virtual machine from outside the target virtual machine and manipulating the target virtual machine's memory; specifically: in the process of injecting the target virtual machine call, before the parameter data of the puppet system call is written to the puppet program, saving the data previously held in the memory region to be written, and tracking the context switch information of the programs in the target virtual machine to obtain the VCPU scheduling information of the target virtual machine; when another process accesses the protected memory region, the data is reverted to the original data, preventing the puppet call data from being read or tampered with.
5. The virtual machine-based introspection automation management, configuration and introspection system according to claim 4, characterized in that, in the process of the target virtual machine call, the control flow of the operating system is changed by modifying the contents of the virtual machine registers.
6. The virtual machine-based introspection automation management, configuration and introspection system according to claim 4, characterized in that, when injecting the target virtual machine call, during the injection process the puppet program's memory is in the post-injection state while the VCPU is executing the puppet program, and after the puppet program is switched out the read and write information of the puppet program's memory is traced from outside the target virtual machine.
CN201810344939.8A 2018-04-17 2018-04-17 Virtual machine-based introspection automation management, configuration and introspection method Active CN108563491B (en)

Publications (2)

Publication Number Publication Date
CN108563491A true CN108563491A (en) 2018-09-21
CN108563491B CN108563491B (en) 2022-03-29



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant