CN108563491B - Virtual machine-based introspection automation management, configuration and introspection method - Google Patents


Info

Publication number: CN108563491B
Application number: CN201810344939.8A
Authority: CN (China)
Prior art keywords: virtual machine, puppet, call, target virtual, program
Legal status: Active (Google's status estimate, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN108563491A
Inventors: 邹学强, 叶麟, 余翔湛, 袁庆升, 詹东阳, 包秀国
Current assignee: Harbin Institute of Technology; National Computer Network and Information Security Management Center
Original assignee: Harbin Institute of Technology; National Computer Network and Information Security Management Center
Application filed by Harbin Institute of Technology and National Computer Network and Information Security Management Center
Priority: CN201810344939.8A
Publication of CN108563491A; application granted; publication of CN108563491B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors
    • G06F 9/45558 Hypervisor-specific management and integration aspects

Abstract

The invention provides a virtual machine introspection (VMI) based method for automatic management, configuration and introspection, comprising: 1) screening the system calls to be reused, according to the call sequence the operating system executes for an operation, to form puppet system calls, which are executed by the target virtual machine; the target virtual machine comprises a control module, a data exchange module and a system call control module; 2) injecting the system call into the target virtual machine; 3) protecting the execution of the injected system call; and 4) isolating the virtual machine memory, which comprises tracking VCPU scheduling and operating on the target virtual machine's memory from outside the target virtual machine. The method strengthens security: the puppet system call code executed by the target virtual machine is taken from a secure kernel image, so the reused puppet system calls do not depend on the integrity of the target virtual machine's kernel.

Description

Virtual machine-based introspection automation management, configuration and introspection method
Technical Field
The invention relates to the technical field of computers, in particular to a virtual machine-based introspection automation management, configuration and introspection method.
Background
Virtual machine introspection in cloud computing provides a security guarantee for cloud platforms. Virtual Machine Introspection (VMI) is the typical representative of monitoring technologies built on the virtual machine architecture. Its architecture obtains the low-level state of a virtual machine (CPU registers, I/O controller registers, memory, mass storage devices and so on) from outside the target virtual machine, so that the internal running state of the virtual machine can be effectively monitored or intervened in. Because the virtual machine monitor (VMM) holds the highest privilege and virtual machines are strongly isolated from one another, this monitoring mode offers higher security and transparency. It guarantees the effectiveness and attack resistance of the monitoring tool, and plays an important role in intrusion detection, kernel integrity protection, file protection and other areas.
However, current virtual machine monitoring faces the challenge of semantic parsing. Since the monitor can only obtain the binary execution information of the virtual machine from the virtualization platform, it cannot directly learn the virtual machine's high-level semantic information; this difference is called the "semantic gap". Because different operating systems and different kernel versions in different virtual machines carry different semantic knowledge, external monitoring tools generalize and scale poorly. Although tools exist that parse semantics automatically, such as Volatility, most VMI programs can only parse information from a virtual machine and cannot manage it directly. The reason is that one operation often causes many changes to virtual memory and disk, which makes it difficult to fully simulate every kernel operation from outside. For example, terminating a process requires changing the process list in the kernel and releasing all the process's memory, which is a system-wide operation.
To close the semantic gap for automated processing, Hypershell [1], EXT [2] and PI [3] respectively use system call redirection or embed an analysis program into the target virtual machine, and thereby achieve management or monitoring. These approaches, however, face security, automation and scalability problems. Hypershell and PI both need the virtual machine itself to assist in management and analysis; they have security and transparency problems and stop working once the virtual machine's kernel is compromised. EXT processes data in a Secure Virtual Machine (SVM) instead of the Target Virtual Machine (TVM) and then copies the result into the target virtual machine, but it faces a scalability problem: the data each system call operates on is different and must be handled separately, and Linux has many system calls, so covering the functions in use is difficult.
Disclosure of Invention
The invention provides a secure method and system for automatic management, configuration and introspection based on virtual machine introspection, which lets a monitoring program automatically obtain a virtual machine's runtime information and intervene in its operation from outside the virtual machine. The core idea is to have the target virtual machine assist in executing the puppet system calls that are needed to parse semantics automatically and to intervene in the virtual machine. The strategy of reusing system calls is adopted because most important operations inside a virtual machine are performed through system calls, so the semantic gap problem can be handled automatically by using them.
The invention can be realized by the following method:
A virtual machine-based introspection automation management, configuration and introspection method comprises the following steps:
1) screening out the system calls to be reused, according to the call sequence the operating system executes for an operation, to form puppet system calls, which are executed by the target virtual machine; the target virtual machine comprises a control module, a data exchange module and a system call control module;
2) injecting the call into the target virtual machine, comprising:
selecting a puppet program in the target virtual machine and, according to the semantics to be processed, selecting a puppet system call and waiting for the puppet program to execute a system call; the call control module obtains the execution state of the current call, and the data exchange module transfers the current call's data to the control module, which stores it;
the control module operates the data exchange module to transfer the parameter data of the puppet system call to be executed into the target virtual machine, and the target virtual machine assists in completing the puppet system call as required;
the data exchange module transfers the execution result of the call to the control module; the result may reside in kernel space or in user space;
the control module operates the data exchange module to restore the parameter data of the puppet program's original call into the target virtual machine, and the call control module then allows the target virtual machine to continue executing the puppet program's original call;
after the original call has executed, the system call return completes and the operating system's control flow returns to the puppet program;
3) protecting the execution of the virtual machine system call, comprising:
after the puppet system call starts executing, setting the permissions of all kernel pages in the target virtual machine to non-executable;
when such a page is executed, an exception is triggered and the target virtual machine is suspended; the corresponding memory page is found in the secure image of the secure virtual machine according to the virtual address of the executed kernel page, written over the executed page of the target virtual machine, and the memory page is protected;
after the page is set executable, the target virtual machine resumes;
4) isolating the virtual machine memory, comprising: tracking VCPU scheduling and operating on the memory of the target virtual machine from outside the target virtual machine; specifically, during injection of the target virtual machine call, before the parameter data of the puppet system call is written into the puppet program, the data already present in the memory region to be written is saved, and the VCPU scheduling in the target virtual machine is obtained by tracking the context-switch information of programs inside the target virtual machine.
Further, during the injected call, while the VCPU is executing the puppet program the memory of the puppet program is in the injected state, and after the puppet program is switched out, reads and writes of the puppet program's memory are tracked from outside the target virtual machine.
The invention also provides a virtual machine-based introspection automation management, configuration and introspection system, comprising a puppet system call forming module, a target virtual machine call execution module, a virtual machine call execution protection module and a virtual machine memory isolation module;
the puppet system call forming module is configured to screen out the system calls to be reused, according to the call sequence the operating system executes for an operation, so as to form puppet system calls, which are executed by the target virtual machine; the target virtual machine comprises a control module, a data exchange module and a system call control module;
the target virtual machine call execution module is configured to inject calls into the target virtual machine, comprising:
selecting a puppet program in the target virtual machine and, according to the semantics to be processed, selecting a puppet system call and waiting for the puppet program to execute a system call; the call control module obtains the execution state of the current call, and the data exchange module transfers the current call's data to the control module, which stores it;
the control module operates the data exchange module to transfer the parameter data of the puppet system call to be executed into the target virtual machine, and the target virtual machine assists in completing the puppet system call as required;
the data exchange module transfers the execution result of the call to the control module; the result may reside in kernel space or in user space;
the control module operates the data exchange module to restore the parameter data of the puppet program's original call into the target virtual machine, and the call control module then allows the target virtual machine to continue executing the puppet program's original call;
after the original call has executed, the system call return completes and the operating system's control flow returns to the puppet program;
the virtual machine call execution protection module is configured to protect the execution of the virtual machine system call, comprising:
after the puppet system call starts executing, setting the permissions of all kernel pages in the target virtual machine to non-executable;
when such a page is executed, an exception is triggered and the target virtual machine is suspended; the corresponding memory page is found in the secure image of the secure virtual machine according to the virtual address of the executed kernel page, written over the executed page of the target virtual machine, and the memory page is protected;
after the page is set executable, the target virtual machine resumes;
the virtual machine memory isolation module isolates the virtual machine memory, comprising: tracking VCPU scheduling and operating on the memory of the target virtual machine from outside the target virtual machine; specifically, during injection of the target virtual machine call, before the parameter data of the puppet system call is written into the puppet program, the data already present in the memory region to be written is saved, and the VCPU scheduling in the target virtual machine is obtained by tracking the context-switch information of programs inside the target virtual machine.
Further, during the injected call, while the VCPU is executing the puppet program the memory of the puppet program is in the injected state, and after the puppet program is switched out, reads and writes of the puppet program's memory are tracked from outside the target virtual machine.
In summary, the invention includes the following points:
(1) The tracking-based puppet system call selection method automatically selects the puppet system call to be reused when a monitoring program outside the domain needs to obtain virtual machine information or intervene in the virtual machine;
(2) Transparent virtual machine system call injection injects an additional puppet system call into a running virtual machine by controlling the execution of the virtual machine's system calls;
(3) During system call reuse, once the virtual machine kernel is compromised the result of the injected system call is no longer trustworthy. Virtual machine system call execution protection therefore protects the execution of injected system calls in real time: while a virtual machine system call is reused, the monitor dynamically checks, from outside the domain, the integrity and security of the code the virtual machine executes;
(4) Virtual machine memory isolation isolates the executed code and the temporarily stored data during the injection and execution of the call inside the virtual machine. Other processes cannot access the isolated memory, so the injected call cannot be attacked by a malicious process inside the virtual machine.
Beneficial effects:
(1) the injected system call does not interfere with the virtual machine's normal service logic;
(2) while the virtual machine executes the injected system call, the out-of-domain program tracks its execution in real time, so the result of the injected call is extracted in real time;
(3) tampering with the executed code is detected in time and the code is recovered in real time before it executes; at the same time, the integrity of the memory that the protected code depends on during execution, including the system call table and kernel structures, is checked;
(4) the execution protection technique guarantees safe execution of the reused system call even when the virtual machine's kernel has been tampered with or attacked.
In addition, the method further strengthens security: the puppet system call code executed by the target virtual machine is obtained from a secure kernel image (stored in the secure virtual machine), so the reused puppet system calls do not depend on the integrity of the target virtual machine's kernel.
Drawings
FIG. 1 is a flowchart of an embodiment of a virtual machine-based introspection automation management, configuration and introspection method according to the present invention;
FIG. 2 is a block diagram of an embodiment of a virtual machine-based introspection automation management, configuration and introspection system of the present invention;
FIG. 3 is a diagram illustrating an example of a system call execution process according to the present invention;
FIG. 4 is a flowchart of the puppet call injection provided by the invention;
FIG. 5 is a diagram of the multi-view memory provided by the invention.
Detailed Description
The present invention provides an embodiment of a virtual machine-based introspection automation management, configuration and introspection method and system. So that those skilled in the art can better understand the technical solution of the embodiment, and so that the above objects, features and advantages become more evident, the technical solution of the invention is explained in detail below with reference to the drawings:
The invention first provides a virtual machine-based introspection automation management, configuration and introspection method, which, as shown in FIG. 1, comprises:
S101, 1) screening out the system calls to be reused, according to the call sequence the operating system executes for an operation, to form puppet system calls, which are executed by the target virtual machine; the target virtual machine comprises a control module, a data exchange module and a system call control module;
In more detail: as shown in FIG. 3, the system call sequence executed by the Linux kill command is taken as the example of a process running inside the target virtual machine. This execution sequence is captured with strace inside the target virtual machine, and the aim of the system is to carry out the same intervening function from outside the target virtual machine. The external execution follows the operating system's internal kill sequence, but only the important calls in that sequence are executed by the target virtual machine as puppet system calls. While the kill program runs it executes many system calls (loader and library setup among them), yet only the kill system call itself performs the kill operation, so the system selects only the semantically relevant system call for reuse.
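The screening step can be illustrated with a small parser over strace output. The following C program is an added example and is not code from the patent or its inventors: the trace lines are constructed to resemble what strace prints for `kill -9 1234` (they were not captured from a real system), and the list of "intervening" system calls is an assumed allow-list for the example. It extracts each call name, discards loader and library setup calls, and keeps only the calls that change or expose guest state, which is what is left to reuse as puppet system calls.

```c
#include <stdio.h>
#include <string.h>

/* Constructed strace-style excerpt of `kill -9 1234` (assumed output, not captured
 * from a real system). The loader and libc setup calls are noise for the kill
 * operation; only kill(2) carries its semantics. */
static const char *KILL_TRACE[] = {
    "execve(\"/bin/kill\", [\"kill\", \"-9\", \"1234\"], 0x7ffd2e3c4ab0) = 0",
    "brk(NULL) = 0x55d4c1a2b000",
    "mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2a1c3e5000",
    "openat(AT_FDCWD, \"/etc/ld.so.cache\", O_RDONLY|O_CLOEXEC) = 3",
    "close(3) = 0",
    "kill(1234, SIGKILL) = 0",
    "exit_group(0) = ?",
};
#define KILL_TRACE_LEN (int)(sizeof KILL_TRACE / sizeof KILL_TRACE[0])

/* Calls that change guest state or expose guest data, i.e. candidates for reuse
 * as puppet system calls. Assumed allow-list for this example. */
static const char *INTERVENING[] = {
    "kill", "chmod", "chown", "unlink", "rename", "read", "write", "setuid", NULL
};

#define NAME_CAP 32

/* Copy the system call name at the start of one strace line into name[].
 * Returns 0 on success, -1 for lines that carry no call name, e.g. the
 * "<... kill resumed>" continuation lines strace prints for interrupted calls. */
int parse_syscall_name(const char *line, char name[NAME_CAP]) {
    const char *paren = strchr(line, '(');
    if (!paren) return -1;
    size_t n = (size_t)(paren - line);
    if (n == 0 || n >= NAME_CAP) return -1;
    for (size_t i = 0; i < n; i++) {
        char c = line[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '_';
        if (!ok) return -1;          /* continuation lines and pid/time prefixes fail here */
    }
    memcpy(name, line, n);
    name[n] = '\0';
    return 0;
}

int is_intervening(const char *name) {
    for (int i = 0; INTERVENING[i]; i++)
        if (strcmp(name, INTERVENING[i]) == 0) return 1;
    return 0;
}

/* Screen a trace: keep only calls worth reusing, in trace order, deduplicated.
 * Returns the number of names written to out[] (at most cap). */
int screen_puppet_calls(const char **trace, int nlines, char out[][NAME_CAP], int cap) {
    int count = 0;
    char name[NAME_CAP];
    for (int i = 0; i < nlines && count < cap; i++) {
        if (parse_syscall_name(trace[i], name) != 0 || !is_intervening(name)) continue;
        int dup = 0;
        for (int j = 0; j < count; j++)
            if (strcmp(out[j], name) == 0) dup = 1;
        if (!dup) { strcpy(out[count], name); count++; }
    }
    return count;
}

int main(void) {
    char out[8][NAME_CAP];
    int n = screen_puppet_calls(KILL_TRACE, KILL_TRACE_LEN, out, 8);
    for (int i = 0; i < n; i++) printf("puppet call candidate: %s\n", out[i]);
    return 0;
}
```

On the constructed trace only `kill` survives the screening, which matches the selection FIG. 3 describes. A real deployment would run strace with `-f` and feed every captured line through the same filter; lines with pid or timestamp prefixes are rejected by the parser and must be stripped first.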
S102, 2) injecting the call into the target virtual machine, comprising:
selecting a puppet program in the target virtual machine and, according to the semantics to be processed, selecting a puppet system call and waiting for the puppet program to execute a system call; the call control module obtains the execution state of the current call, and the data exchange module transfers the current call's data to the control module, which stores it;
the control module operates the data exchange module to transfer the parameter data of the puppet system call to be executed into the target virtual machine, and the target virtual machine assists in completing the puppet system call as required;
the data exchange module transfers the execution result of the call to the control module; the result may reside in kernel space or in user space;
the control module operates the data exchange module to restore the parameter data of the puppet program's original call into the target virtual machine, and the call control module then allows the target virtual machine to continue executing the puppet program's original call;
after the original call has executed, the system call return completes and the operating system's control flow returns to the puppet program;
In more detail: the system architecture and flow are shown in FIG. 4. On the left is the secure virtual machine, on the right the target virtual machine being operated on. Both run on top of a virtual machine monitor (VMM) that provides virtualization services to the virtual machines. The system consists of a control module, a data exchange module and a system call control module, located in the secure virtual machine and in the virtual machine management layer respectively. The control module is responsible for overall control of the data exchange module and the system call control module; the call control module monitors and controls call execution in the VM; the data exchange module passes the parameters and results of system call execution between the control module and the VM. The system flow is as follows:
Step 0: a puppet program is selected in the TVM as the program that issues the call request. According to the semantic processing needed during management and configuration, the system call that the TVM must execute is selected and the required parameter data is prepared.
Step 1: when the puppet program is about to execute a system call, the call control module obtains the execution state of the current call and notifies the control module. At the same time, the data exchange module transfers the data of the current call to the control module, which stores it.
Step 2: the control module operates the data exchange module to transfer the parameter data of the puppet system call to be executed into the target virtual machine, and the target virtual machine then assists in completing the puppet system call as required. During execution of the call, the code that is executed is taken entirely from the secure image in the secure virtual machine, so the system keeps working even if the kernel's system call code has been damaged.
Step 3: after the target virtual machine completes the puppet call, the call control module captures the completion of the call and notifies the control module.
Step 4: the data exchange module transfers the execution result of the call to the control module. The result may reside in kernel space or in user space. When a semantic-parsing call is executed (for example SYS_READ), the result passed back is the semantic data the call was injected to parse; when a management call is executed (for example SYS_CHMOD), the result is information such as whether the call succeeded.
Step 5: first, the control module operates the data exchange module to restore the parameter data of the puppet program's original call into the target virtual machine. Then the call control module allows the target virtual machine to continue executing the puppet program's original call.
Step 6: after the original call has executed, the system call return completes and the operating system's control flow returns to the puppet program.
S103, 3) protecting the execution of the virtual machine system call, comprising:
after the puppet system call starts executing, setting the permissions of all kernel pages in the target virtual machine to non-executable;
when such a page is executed, the target virtual machine is suspended; the corresponding memory page is found in the secure image of the secure virtual machine according to the virtual address of the executed kernel page, written over the executed page of the target virtual machine, and the memory page is protected;
after the page is set executable, the target virtual machine resumes;
By way of example: to guarantee the security of the instructions the target virtual machine executes during a puppet call, those instructions come from the secure code library in the secure virtual machine. To achieve this, the secure call instructions are dynamically overlaid into the TVM while the puppet call executes; with such dynamic overlays, every instruction the target virtual machine executes during the call comes from the secure library in the secure virtual machine. To make the overlay efficient, replacement is done at page granularity: when a page in the target virtual machine is about to be executed, the corresponding page is taken from the secure virtual machine's image and written over the target virtual machine's page. The instruction replacement flow is as follows:
Step 0: after the puppet system call starts executing, set the permissions of all kernel pages in the target virtual machine to non-executable, so that executing an instruction on such a page triggers a VMExit;
Step 1: when a page is executed, the target virtual machine is suspended. The corresponding memory page is found in the secure image of the secure virtual machine according to the virtual address of the executed page and written over the executed page of the target virtual machine. The memory page is then protected: when it is executed again it need not be rewritten, and the protection also keeps the page from being tampered with or attacked.
Step 2: after the page is set executable, the target virtual machine resumes and continues executing the call. When other pages of the target virtual machine are executed their permissions are still non-executable, so Step 1 is repeated for each of them.
Indirect addressing during target virtual machine calls also needs attention. Jump instructions change the control flow of the operating system. The target of a directly addressed instruction is written in the instruction itself, so protecting the code is enough to guarantee the control flow: if an attacker tampers with the instruction CALL 0xc15ac75c, the code overlay restores the original instruction. The target of an indirectly addressed instruction, however, is stored in some other memory area, so ensuring that the code is intact is not sufficient. This problem is solved with dynamic instruction analysis: the memory areas that the indirect addressing depends on are also overlaid from the secure image of the secure virtual machine. When Step 1 writes a secure page from the secure virtual machine into the target virtual machine, the page is disassembled with diStorm to find every indirectly addressed instruction in it, and each one is replaced with an Int3 breakpoint so that its execution can be tracked from outside. When the Int3 triggers a VMExit, the corresponding indirect instruction is restored, the address of the memory region it depends on is derived from the current registers and the instruction, and finally the secure content for that address is looked up in the secure image library and written over the TVM's memory.
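The overlay procedure of Steps 0 to 2, together with the handling of indirect addressing, is illustrated by the following C model. It is an added example, not code from the patent: pages are 16 bytes, the "kernel" has four pages, instructions are single bytes and the dispatch table holds one-byte targets. Instead of rewriting indirect calls to Int3 and disassembling with diStorm, the model intercepts the indirect call when its target is resolved, which is the point at which the dependent data page is overlaid; the fault on a non-executable page, the copy from the secure image, the write protection and the no-rewrite on re-execution are modelled as the steps describe.

```c
#include <stdint.h>
#include <string.h>

/* Toy model of page-level code overlay plus indirect-branch protection.
 * Assumed for the example: 16-byte pages, four kernel pages, a one-byte
 * "instruction set" and a one-byte-per-slot dispatch table in page 1. */
#define PAGE 16
#define NPAGES 4
#define MEM (PAGE * NPAGES)
enum { OP_NOP = 0x90, OP_CALL_IND = 0xFF, OP_RET = 0xC3, OP_INT3 = 0xCC };
#define TABLE_BASE (1 * PAGE)     /* page 1 holds the dispatch ("syscall") table */

struct tvm {
    uint8_t mem[MEM];
    uint8_t exec[NPAGES];       /* EPT-style execute permission per page */
    uint8_t wprot[NPAGES];      /* pages already overlaid are write-protected */
    int overlays;               /* how many faults ended in an overlay */
};

/* Pristine kernel image kept by the secure VM (constructed). Page 0: code that
 * dispatches through table slot 2; page 1: the table; page 2: legitimate
 * targets; page 3: space an attacker can hijack. */
static uint8_t SECURE_IMAGE[MEM];

void build_secure_image(void) {
    memset(SECURE_IMAGE, OP_NOP, MEM);
    SECURE_IMAGE[0] = OP_CALL_IND;  SECURE_IMAGE[1] = 2;  SECURE_IMAGE[2] = OP_RET;
    SECURE_IMAGE[TABLE_BASE + 0] = 2 * PAGE + 0;
    SECURE_IMAGE[TABLE_BASE + 1] = 2 * PAGE + 4;
    SECURE_IMAGE[TABLE_BASE + 2] = 2 * PAGE + 8;
    SECURE_IMAGE[2 * PAGE + 8] = OP_RET;
}

/* Step 0: a puppet call begins; every kernel page becomes non-executable. */
void begin_puppet_call(struct tvm *vm) {
    memset(vm->exec, 0, NPAGES);
    memset(vm->wprot, 0, NPAGES);
    vm->overlays = 0;
}

/* Step 1: copy the secure page over the guest page and protect it.
 * Idempotent: a page overlaid once is not rewritten. */
static void overlay_page(struct tvm *vm, int page) {
    if (vm->wprot[page]) return;
    memcpy(vm->mem + page * PAGE, SECURE_IMAGE + page * PAGE, PAGE);
    vm->wprot[page] = 1;
    vm->overlays++;
}

/* Instruction fetch as the guest sees it: a fetch from a non-executable page
 * traps to the VMM, which overlays the page, then (Step 2) marks it executable
 * and resumes. Returns the fetched byte. */
uint8_t exec_fetch(struct tvm *vm, int addr) {
    int page = addr / PAGE;
    if (!vm->exec[page]) {
        overlay_page(vm, page);
        vm->exec[page] = 1;
    }
    return vm->mem[addr];
}

/* Guest write: refused on a protected page. Returns 1 if the write happened. */
int guest_write(struct tvm *vm, int addr, uint8_t v) {
    if (vm->wprot[addr / PAGE]) return 0;
    vm->mem[addr] = v;
    return 1;
}

/* Resolve an indirect call at `addr`. The instruction itself is covered by the
 * code overlay; the slot it reads lives in data memory, so that page is overlaid
 * from the secure image before the target is taken from it. Returns the target
 * address, or -1 if the byte at addr is not an indirect call. */
int resolve_indirect_call(struct tvm *vm, int addr) {
    if (exec_fetch(vm, addr) != OP_CALL_IND) return -1;
    int slot = exec_fetch(vm, addr + 1);
    int entry = TABLE_BASE + slot;
    overlay_page(vm, entry / PAGE);     /* dependent memory must be pristine too */
    return vm->mem[entry];
}

/* A guest whose kernel text and dispatch table an attacker has tampered with. */
void make_tampered_guest(struct tvm *vm) {
    build_secure_image();
    memset(vm, 0, sizeof *vm);
    memcpy(vm->mem, SECURE_IMAGE, MEM);
    vm->mem[0] = OP_INT3;                    /* hooked first instruction */
    vm->mem[TABLE_BASE + 2] = 3 * PAGE;      /* slot 2 now points into the attacker page */
    vm->mem[3 * PAGE] = OP_RET;
}

int main(void) {
    struct tvm vm;
    make_tampered_guest(&vm);
    begin_puppet_call(&vm);
    int target = resolve_indirect_call(&vm, 0);
    (void)target;   /* 40, the pristine target in page 2, not the attacker's page */
    return 0;
}
```

Both tamperings are undone before they can take effect: the hooked instruction byte is replaced when page 0 first faults, and the poisoned table slot is replaced when the indirect call resolves through page 1. A page the call never touches (page 3 here) is left writable until it is executed, which is the efficiency argument the text makes for page granularity.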
S104, 4) isolating the virtual machine memory, comprising: tracking VCPU scheduling and operating on the memory of the target virtual machine from outside the target virtual machine; specifically, during injection of the target virtual machine call, before the parameter data of the puppet system call is written into the puppet program, the data already present in the memory region to be written is saved, and the VCPU scheduling in the target virtual machine is obtained by tracking the context-switch information of programs inside the target virtual machine.
In more detail: to protect data security, a memory protection measure based on multiple views is adopted. The memory view of the injected call differs from the view other programs see: the injected call's data is visible only to the puppet program and to no other program, as shown in FIG. 5. The multi-view mechanism is implemented by tracking the VCPU scheduling of the target virtual machine from outside it and operating on the target virtual machine's memory.
First, during injection of the call, the data already in the memory region is saved before the puppet call's data is written into the puppet program. Context switches of programs in the target virtual machine are tracked to obtain the VCPU scheduling inside it. While the VCPU is executing the puppet program, the puppet program's memory is in the injected state. Once the puppet program is switched out, reads and writes of the puppet program's memory are tracked from outside the target virtual machine. A read of the puppet program's memory means that another program needs the puppet program's data: the memory is reset to its original, un-injected state, so the other program reads the data it originally expected and transparency is preserved. A write to the puppet program's memory means that some program is trying to modify it. If the modification is unrelated to the injected call, nothing is done; if it is related, it must not be allowed to affect the injected puppet call. For that, the memory is restored to its original state before the write is allowed, and after the write completes the previously injected contents are put back. In this way reads and writes see the original memory view, and the view of the injected call is not affected.
Preferably, during the injected call, while the VCPU is executing the puppet program the memory of the puppet program is in the injected state, and after the puppet program is switched out, reads and writes of the puppet program's memory are tracked from outside the target virtual machine.
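The multi-view memory can be modelled with a shadow copy of the original bytes. The following C program is an added example, not code from the patent; it keeps the original bytes in a second buffer and serves that buffer to every context other than the puppet program, which gives the same observable behaviour as the reset-before-access and put-back-after-access sequence described above. The pid numbers, the 64-byte page and the scheduler hook `view_context_switch` are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

/* Toy model of the multi-view memory. Assumed for the example: one 64-byte
 * region of puppet-program memory and a scheduler hook telling the VMM which
 * guest pid the VCPU is executing. Instead of swapping bytes on every foreign
 * access, the original bytes live in a shadow buffer that is served to every
 * context other than the puppet program. */
#define MEMSZ 64

struct puppet_view {
    uint8_t mem[MEMSZ];       /* what the puppet program sees (injected view) */
    uint8_t orig[MEMSZ];      /* original bytes saved before injection (other view) */
    int inj_off, inj_len;     /* injected region; zero length = nothing injected */
    int puppet_pid;
    int running_pid;          /* learned by tracking context switches in the guest */
};

void view_init(struct puppet_view *v, int puppet_pid, const uint8_t *initial) {
    memcpy(v->mem, initial, MEMSZ);
    memcpy(v->orig, initial, MEMSZ);
    v->inj_off = 0; v->inj_len = 0;
    v->puppet_pid = puppet_pid;
    v->running_pid = puppet_pid;
}

/* Scheduler tracking: the VMM observed a context switch to `pid`. */
void view_context_switch(struct puppet_view *v, int pid) { v->running_pid = pid; }

static int in_injected(const struct puppet_view *v, int off) {
    return v->inj_len && off >= v->inj_off && off < v->inj_off + v->inj_len;
}

/* Inject call data into the puppet program's memory, saving the bytes it
 * overwrites. Returns 0, or -1 if the region does not fit. */
int view_inject(struct puppet_view *v, int off, const void *data, int len) {
    if (off < 0 || len <= 0 || off + len > MEMSZ) return -1;
    memcpy(v->orig + off, v->mem + off, (size_t)len);   /* save original bytes */
    memcpy(v->mem + off, data, (size_t)len);
    v->inj_off = off; v->inj_len = len;
    return 0;
}

/* Read as seen by the running context: only the puppet sees injected data. */
uint8_t view_read(const struct puppet_view *v, int off) {
    if (v->running_pid != v->puppet_pid && in_injected(v, off)) return v->orig[off];
    return v->mem[off];
}

/* Write from the running context. A foreign write into the injected region
 * lands in the original view only, so the injected call's data is untouched.
 * Outside the region both views must stay in agreement. */
void view_write(struct puppet_view *v, int off, uint8_t val) {
    if (v->running_pid != v->puppet_pid && in_injected(v, off)) { v->orig[off] = val; return; }
    v->mem[off] = val;
    if (!in_injected(v, off)) v->orig[off] = val;
}

/* Injection finished: drop the injected view; the original view becomes the
 * only one, including any writes other programs made meanwhile. */
void view_restore(struct puppet_view *v) {
    if (!v->inj_len) return;
    memcpy(v->mem + v->inj_off, v->orig + v->inj_off, (size_t)v->inj_len);
    v->inj_len = 0;
}

int main(void) {
    struct puppet_view v;
    uint8_t init[MEMSZ];
    memset(init, 'A', MEMSZ);
    view_init(&v, 100, init);
    view_inject(&v, 8, "pid=1234", 8);     /* puppet (pid 100) now sees "pid=1234" */
    view_context_switch(&v, 55);           /* another process is scheduled */
    uint8_t seen = view_read(&v, 8);       /* 'A': the original, not the injected byte */
    (void)seen;
    return 0;
}
```

The point the test exercises is the write path: a foreign process that overwrites the injected region changes only what it and everyone else will see after `view_restore`, never the parameters the injected call is executing on.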
The present invention further provides a virtual machine-based introspection automation management, configuration, and introspection system, which includes a puppet system call forming module 201, a target virtual machine call execution module 202, a virtual machine call execution protection module 203, and a virtual machine memory isolation module 204;
the puppet system call forming module 201 is configured to select, according to the call execution process of the operating system, the system call to be reused, so as to form the puppet system call, where the puppet system call is executed by the target virtual machine; the target virtual machine comprises a control module 2011, a data exchange module 2012 and a system call control module 2013;
the target virtual machine call execution module 202 is configured to inject target virtual machine calls, comprising:
first, selecting a puppet program from the target virtual machine, and selecting the puppet system call to be executed according to the semantics to be processed; the call control module 2013 obtains the current call execution process, and the data exchange module 2012 transfers the current call data to the control module 2011, which stores it;
second, the control module 2011 operates the data exchange module 2012 to transfer the parameter data of the puppet system call to be executed into the target virtual machine, and the target virtual machine assists in completing the puppet system call as required;
third, the data exchange module 2012 transmits the call execution result to the control module 2011; the execution result is located in kernel space or in user space;
fourth, the control module 2011 operates the data exchange module 2012 to restore the parameter data of the puppet program's original call into the target virtual machine, after which the call control module 2013 allows the target virtual machine to continue executing the original call of the puppet program;
finally, the puppet system call returns once the original call has executed, and the control flow of the operating system returns to the puppet program;
the virtual machine call execution protection module 203 is used to protect the execution of virtual machine system calls, comprising:
after a puppet system call starts executing, setting the permissions of all kernel pages in the target virtual machine to non-executable;
when such a page is executed, the target virtual machine is suspended; the corresponding memory page is located in the secure image held by the security virtual machine according to the virtual address of the executed kernel page; that page is written over the executed page in the target virtual machine, and the memory page is protected;
after the page is set executable, the target virtual machine resumes running;
the virtual machine memory isolation module 204 isolates the virtual machine memory, comprising: tracking VCPU scheduling and operating on the memory of the target virtual machine from outside the target virtual machine; specifically: during injection of the target virtual machine call, before the parameter data of the puppet system call is written into the puppet program, the data currently in that memory region is saved, and the scheduling of the VCPU in the target virtual machine is obtained by tracking program context switches in the target virtual machine.
Preferably, when injecting the target virtual machine call, the memory of the puppet program is in the injected state while the VCPU is executing the puppet program, and after the puppet program is switched out, the read/write activity on the puppet program memory is tracked from outside the target virtual machine.
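The kernel-page execute protection of the protection module 203 (all kernel pages set non-executable when the puppet call starts, an execution fault suspends the VM, and the page is re-written from the security VM's image and protected before being made executable), as an added worked example in C that is not code from the patent: the second-level page-table permissions, the fault and the secure image are modelled in user space; the page size, page count, kernel base address and page contents are constructed, and mapping a kernel virtual address to an image page by its offset from that base is an assumption of this example.

```c
/* Added example (not code from the patent): simulation of the kernel page
 * execute protection. Page permissions and execution faults are modelled in
 * user space; page size, page count, base address and contents are constructed. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define PAGE_SIZE   64
#define NUM_PAGES   4
#define KERNEL_BASE 0xffff800000000000ULL  /* constructed kernel virtual base */

#define PERM_WRITE 1
#define PERM_EXEC  2

struct guest_kernel {
    uint8_t pages[NUM_PAGES][PAGE_SIZE];   /* kernel code as present in the target VM */
    uint8_t mirror[NUM_PAGES][PAGE_SIZE];  /* trusted image held by the security VM */
    int perm[NUM_PAGES];                   /* per-page permissions enforced by the hypervisor */
    int paused;                            /* 1 while the target VM is suspended */
    int faults_handled;
};

/* Assumption of this example: a kernel virtual address maps to an image page
 * by its offset from KERNEL_BASE. Returns -1 for addresses outside the image. */
static int page_index(uint64_t vaddr) {
    if (vaddr < KERNEL_BASE) return -1;
    uint64_t idx = (vaddr - KERNEL_BASE) / PAGE_SIZE;
    return idx < NUM_PAGES ? (int)idx : -1;
}

/* Set up: the image is taken from the pristine kernel; pages start writable and executable. */
void kernel_init(struct guest_kernel *k) {
    memset(k, 0, sizeof *k);
    for (int i = 0; i < NUM_PAGES; i++) {
        memset(k->mirror[i], 0x90 + i, PAGE_SIZE);     /* constructed: distinct filler per page */
        memcpy(k->pages[i], k->mirror[i], PAGE_SIZE);
        k->perm[i] = PERM_WRITE | PERM_EXEC;
    }
}

/* When a puppet system call starts, every kernel page becomes non-executable. */
void vmi_begin_puppet_call(struct guest_kernel *k) {
    for (int i = 0; i < NUM_PAGES; i++) k->perm[i] &= ~PERM_EXEC;
}

/* The guest executes code at vaddr. A non-executable page raises a fault: the
 * VM is paused, the page is re-written from the image, write-protected, made
 * executable, and the VM resumes. Returns 1 when a fault was handled, 0 when
 * the page was already executable, -1 for an address outside the image. */
int vmi_execute(struct guest_kernel *k, uint64_t vaddr) {
    int idx = page_index(vaddr);
    if (idx < 0) return -1;
    if (k->perm[idx] & PERM_EXEC) return 0;
    k->paused = 1;
    memcpy(k->pages[idx], k->mirror[idx], PAGE_SIZE);
    k->perm[idx] = PERM_EXEC;            /* executable, but no longer writable */
    k->faults_handled++;
    k->paused = 0;
    return 1;
}

/* Guest-side write to a kernel page; refused once the page is write-protected. */
int guest_write(struct guest_kernel *k, uint64_t vaddr, size_t off, uint8_t v) {
    int idx = page_index(vaddr);
    if (idx < 0 || off >= PAGE_SIZE || !(k->perm[idx] & PERM_WRITE)) return 0;
    k->pages[idx][off] = v;
    return 1;
}

int page_matches_mirror(const struct guest_kernel *k, int idx) {
    return memcmp(k->pages[idx], k->mirror[idx], PAGE_SIZE) == 0;
}

/* Scenario: page 1 is modified inside the guest before the puppet call; its
 * first execution faults and the trusted bytes are executed instead.
 * Returns how many of the seven properties held. */
int protection_scenario(void) {
    struct guest_kernel k;
    int ok = 0;
    kernel_init(&k);
    uint64_t p1 = KERNEL_BASE + 1 * PAGE_SIZE;

    ok += guest_write(&k, p1, 5, 0xCC);         /* constructed in-guest modification */
    ok += !page_matches_mirror(&k, 1);          /* guest copy now differs from the image */

    vmi_begin_puppet_call(&k);
    ok += (vmi_execute(&k, p1) == 1);           /* fault: page re-written from the image */
    ok += page_matches_mirror(&k, 1);           /* executed bytes are the trusted ones */
    ok += (vmi_execute(&k, p1) == 0);           /* already executable: no second fault */
    ok += !guest_write(&k, p1, 5, 0xCC);        /* re-written page is write-protected */
    ok += (vmi_execute(&k, 0x1000) == -1);      /* address outside the kernel image */
    return ok;                                  /* 7 when every property holds */
}

int main(void) {
    printf("execute-protection properties held: %d of 7\n", protection_scenario());
    return 0;
}
```

The point the scenario makes is that, during the puppet call, the first execution of any kernel page always runs the security VM's copy of that page, so a change made to kernel code inside the target VM does not take effect while the call runs; protecting the page after it is re-written keeps it that way until the call finishes.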
The invention provides a secure automatic management, configuration and introspection method and system based on virtual machine introspection, which enables a monitoring program outside the virtual machine to automatically acquire the virtual machine's runtime information and intervene in its operation. The core idea is to have the target virtual machine assist in executing the puppet system calls needed to parse semantics automatically and intervene in the virtual machine. System calls are reused because most important operations in the virtual machine are carried out through system calls, so the semantic gap can be bridged automatically by means of system calls.
The above examples are intended to illustrate, not to limit, the technical solutions of the present invention. Any modification or partial replacement that does not depart from the spirit and scope of the present invention should be covered by the claims of the present invention.

Claims (6)

1. An introspection automation management, configuration and introspection method based on a virtual machine, characterized by comprising the following steps:
1) selecting, according to the call execution process of an operating system, the system call to be reused, to form a puppet system call, wherein the puppet system call is executed by a target virtual machine; a control module, a data exchange module and a system call control module are located respectively in a security virtual machine and a virtual machine management layer;
2) injecting target virtual machine system calls, comprising
selecting a puppet program from the target virtual machine, and selecting the puppet system call to be executed according to the semantics to be processed; the call control module obtains the current call execution process, and the data exchange module transmits the current call data to the control module, which stores it;
the control module operating the data exchange module to transfer the parameter data of the puppet system call to be executed into the target virtual machine, and the target virtual machine assisting in completing the puppet system call as required;
the data exchange module transmitting the call execution result to the control module, the execution result being located in kernel space or in user space;
the control module operating the data exchange module to restore the parameter data of the puppet program's original call into the target virtual machine, after which the call control module allows the target virtual machine to continue executing the original call of the puppet program;
the puppet system call returning once the original call has executed, and the control flow of the operating system returning to the puppet program;
3) protecting virtual machine system call execution, comprising:
after a puppet system call starts executing, setting the permissions of all kernel pages in the target virtual machine to non-executable;
when such a page is executed, suspending the target virtual machine; locating the corresponding memory page in the secure image of the security virtual machine according to the virtual address of the executed kernel page; writing that page over the executed page of the target virtual machine and protecting the memory page;
after the page is set executable, resuming the target virtual machine;
4) isolating virtual machine memory, comprising: tracking VCPU scheduling and operating on the memory of the target virtual machine from outside the target virtual machine; specifically: during injection of the target virtual machine call, before the parameter data of the puppet system call is written into the puppet program, the data currently in the memory region is saved, and by tracking the context switching information of the program in the target virtual machine, the data of the puppet call is prevented from being read or tampered with by other processes.
2. The virtual machine-based introspection automation management, configuration and introspection method of claim 1, wherein the call injected into the target virtual machine changes the control flow in the operating system from outside the virtual machine by modifying register and memory contents.
3. The method of claim 1, wherein, when injecting the target virtual machine call, the memory of the puppet program is in the injected state while the VCPU is executing the puppet program, and when the puppet program is switched out, the read/write activity on the memory of the puppet program is tracked from outside the target virtual machine.
4. An introspection automation management, configuration and introspection system based on a virtual machine, characterized by comprising a puppet system call forming module, a target virtual machine call execution module, a virtual machine call execution protection module and a virtual machine memory isolation module;
the puppet system call forming module is configured to select, according to the call execution process of an operating system, the system call to be reused, so as to form a puppet system call, where the puppet system call is executed by a target virtual machine; a control module, a data exchange module and a system call control module are located respectively in a security virtual machine and a virtual machine management layer;
the target virtual machine call execution module is used for injecting target virtual machine calls and comprises
selecting a puppet program from the target virtual machine, and selecting the puppet system call to be executed according to the semantics to be processed; the call control module obtains the current call execution process, and the data exchange module transmits the current call data to the control module, which stores it;
the control module operating the data exchange module to transfer the parameter data of the puppet system call to be executed into the target virtual machine, and the target virtual machine assisting in completing the puppet system call as required;
the data exchange module transmitting the call execution result to the control module, the execution result being located in kernel space or in user space;
the control module operating the data exchange module to restore the parameter data of the puppet program's original call into the target virtual machine, after which the call control module allows the target virtual machine to continue executing the original call of the puppet program;
the puppet system call returning once the original call has executed, and the control flow of the operating system returning to the puppet program; the virtual machine call execution protection module is used to protect virtual machine system call execution, and comprises:
after a puppet system call starts executing, setting the permissions of all kernel pages in the target virtual machine to non-executable;
when such a page is executed, an exception is triggered and the target virtual machine is suspended; the corresponding memory page is located in the secure image of the security virtual machine according to the virtual address of the executed kernel page; that page is written over the executed page of the target virtual machine and the memory page is protected;
after the page is set executable, the target virtual machine resumes running;
the virtual machine memory isolation module isolates the virtual machine memory, and comprises: tracking VCPU scheduling and operating on the memory of the target virtual machine from outside the target virtual machine; specifically: during injection of the target virtual machine call, before the parameter data of the puppet system call is written into the puppet program, the data currently in the memory region is saved, and the scheduling of the VCPU in the target virtual machine is obtained by tracking the context switching information of the program in the target virtual machine; when another process accesses the protected memory region, the data is restored to the original data, so that the puppet call data is prevented from being read or tampered with.
5. The virtual machine-based introspection automation management, configuration and introspection system of claim 4, wherein the injection of the target virtual machine call changes the control flow in the operating system by modifying the contents of the virtual machine registers.
6. The system of claim 4, wherein, when injecting the target virtual machine call, the memory of the puppet program is in the injected state while the VCPU is executing the puppet program, and when the puppet program is switched out, the read/write activity on the memory of the puppet program is tracked from outside the target virtual machine.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810344939.8A CN108563491B (en) 2018-04-17 2018-04-17 Virtual machine-based introspection automation management, configuration and introspection method


Publications (2)

Publication Number Publication Date
CN108563491A CN108563491A (en) 2018-09-21
CN108563491B true CN108563491B (en) 2022-03-29

Family

ID=63535241


Country Status (1)

Country Link
CN (1) CN108563491B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115248718A (en) * 2021-04-26 2022-10-28 Huawei Technologies Co., Ltd. Memory data acquisition method and device, and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102129531A (en) * 2011-03-22 2011-07-20 Beijing University of Technology Xen-based active defense method
US9596261B1 (en) * 2015-03-23 2017-03-14 Bitdefender IPR Management Ltd. Systems and methods for delivering context-specific introspection notifications
CN107203410A (en) * 2017-04-14 2017-09-26 Huazhong University of Science and Technology VMI method and system based on system call redirection
CN107239700A (en) * 2017-06-28 2017-10-10 Zhengzhou Yunhai Information Technology Co., Ltd. Security protection method based on the Xen virtualization platform
CN107608758A (en) * 2017-08-31 2018-01-19 Zhengzhou Yunhai Information Technology Co., Ltd. Virtual machine file integrity monitoring method and system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Dongyang Zhan et al., "Protecting Critical Files Using Target-Based Virtual Machine", IEICE Transactions on Information and Systems, vol. E100.D, no. 10, pp. 2307-2318, 1 October 2017 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant