Agent-free virtual machine monitoring system and monitoring method
Technical Field
The invention belongs to the technical field of virtual machine monitoring, and in particular relates to an agent-free virtual machine monitoring system and an agent-free virtual machine monitoring method.
Background
With the widespread adoption of cloud computing, security monitoring of virtual machines has become both a technical difficulty and a hot topic. Existing implementations fall into two categories: traditional host-based monitoring and virtualization-based monitoring. Traditional host-based monitoring integrates physical-host tools such as virus detection and defense systems and malicious code interception and isolation systems directly into the virtual machine's operating system; virtualization-based monitoring instead relies on the higher privilege level of the virtualization platform to monitor the virtual machine.
Host-based monitoring responds quickly in real time, but in a virtualized environment it forfeits the transparent, high-privilege monitoring that a virtualization platform offers, and malicious code inside the virtual machine can interfere with and fight back against the security monitoring system. Monitoring carried out entirely at the virtualization platform layer is transparent to the virtual machine, and malicious code inside the virtual machine cannot damage monitoring code located in the virtualization layer; however, because the virtualization layer lacks the semantics of the guest operating system, the implementation is complex, and the virtual machine must frequently trap into the virtual machine monitor layer for additional checking and analysis, which greatly increases the performance loss.
In the prior art, virtual machine monitoring is generally realized by one of the following methods:
As shown in fig. 1, the first method intercepts the system call requests initiated by all processes in the guest operating system by means of a system call interception module located inside the virtual machine, and records information about the process initiating each call. According to the monitoring configuration, if the calling process is one that needs monitoring, information such as the start time and end time of the system call is recorded, so that detailed monitoring of specific process information inside the virtual machine is achieved. This scheme depends heavily on the in-guest system call interception module, and the reliability and security of monitoring a specific process cannot be guaranteed when malicious code is present in the virtual machine.
As shown in fig. 2, the second method inserts, in the virtualization layer, a monitoring breakpoint into the special instructions that must be executed by the virtualization layer, so as to intercept the execution flow of the virtual machine and obtain its current execution information. This scheme forcibly inserts a special monitoring instruction at the instruction translation stage and diverts the control flow, which increases the running overhead of the virtual machine; moreover, on platforms based on hardware virtualization, privileged instructions are supported by the processor without any translation stage.
Disclosure of Invention
The invention aims to solve the above deficiencies in the prior art by providing an agent-free virtual machine monitoring system and monitoring method that combine the high security of virtualization-layer monitoring with the real-time performance of traditional monitoring: on the one hand, no agent component needs to be deployed in the virtual machine, and on the other hand, the monitoring system is protected from being damaged by malicious code inside the virtual machine.
In order to achieve the purpose, the invention adopts the technical scheme that:
an agent-free virtual machine monitoring system, comprising:
a monitoring strategy setting module, used for managing the user's monitoring strategy for the virtual machine;
a monitoring injection module, deployed in the virtualization layer and used for judging whether the currently started virtual machine meets the monitoring code injection condition and for executing the monitoring code injection;
and a monitoring function protection module, deployed in the virtualization layer and used for applying read-only protection to the virtual machine system call table, the monitoring code and the execution flow of the system call entry function.
An agent-free virtual machine monitoring method is applied to the agent-free virtual machine monitoring system, and comprises the following steps:
step one: a user sets a monitoring strategy through the monitoring strategy setting module, wherein the monitoring strategy comprises the identifier of the virtual machine to be monitored, the related system calls to be monitored, and the response actions of the virtual machine system call monitoring;
step two: when the virtual machine is started, the code injection module dynamically injects the monitoring code according to the identifier of the virtual machine to be monitored;
step three: the virtualization layer dynamically modifies the system call function pointers according to the monitoring code and the monitoring strategy, so that each modified system call function pointer points to the address of the corresponding function in the monitoring code;
step four: after the monitoring code intercepts a system call inside the virtual machine, it obtains the monitoring strategy from the virtualization layer and completes the specific response to the intercepted system call according to that strategy.
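As an added illustration of steps three and four (example code written for this page, not the patent's implementation), the C model below repoints one entry of a simulated guest system call table to a proxy that consults a monitoring strategy of sensitive path prefixes, applies the record, alarm or block response, and then forwards to the original function. The syscall number, the simplified syscall signature and the policy rules are constructed for the demo.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Response actions taken from the monitoring strategy (record, alarm, block). */
enum action { ACT_RECORD, ACT_ALARM, ACT_BLOCK };
/* One rule of the strategy: sensitive file/directory prefix -> response action. */
struct rule { const char *prefix; enum action act; };

/* Constructed strategy for the demo; the first matching rule wins. */
static const struct rule policy[] = {
    { "/etc/shadow", ACT_BLOCK  },
    { "/etc/",       ACT_ALARM  },
    { "/home/",      ACT_RECORD },
};
/* Counters standing in for the log and alarm sinks on the virtualization side. */
static int n_records, n_alarms, n_blocked;

/* Simplified guest system call signature used by this model (hypothetical). */
typedef long (*syscall_fn)(const char *path, int flags);

#define NR_OPEN 2                      /* constructed syscall number */
static syscall_fn sys_call_table[8];   /* stands in for the guest kernel's table */
static syscall_fn orig_open;           /* original entry saved by the injector */

/* The guest's own open(): hands back a fake descriptor. */
static long guest_sys_open(const char *path, int flags) {
    (void)path; (void)flags;
    return 3;
}

/* Injected proxy (step four): apply the strategy, then forward to the original. */
static long monitored_open(const char *path, int flags) {
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (strncmp(path, policy[i].prefix, strlen(policy[i].prefix)) != 0)
            continue;
        if (policy[i].act == ACT_BLOCK) { n_blocked++; return -EACCES; }
        if (policy[i].act == ACT_ALARM) n_alarms++; else n_records++;
        break;
    }
    return orig_open(path, flags);
}

/* Step three, as performed by the virtualization layer: repoint the table entry. */
void install_monitor(void) {
    sys_call_table[NR_OPEN] = guest_sys_open;   /* table as found in the guest */
    orig_open = sys_call_table[NR_OPEN];
    sys_call_table[NR_OPEN] = monitored_open;   /* now points into injected code */
}

/* Dispatch exactly as the guest's system call entry would. */
long guest_syscall(int nr, const char *path) { return sys_call_table[nr](path, 0); }

int count_records(void) { return n_records; }
int count_alarms(void)  { return n_alarms;  }
int count_blocked(void) { return n_blocked; }

int main(void) {
    install_monitor();
    long r1 = guest_syscall(NR_OPEN, "/etc/shadow");
    long r2 = guest_syscall(NR_OPEN, "/home/alice/notes");
    printf("open(/etc/shadow) -> %ld, open(/home/alice/notes) -> %ld\n", r1, r2);
    printf("records=%d alarms=%d blocked=%d\n", count_records(), count_alarms(), count_blocked());
    return 0;
}
```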
In the invention, monitoring code compiled in advance is dynamically injected when the virtual machine starts; no agent component needs to be deployed in the virtual machine at any point, and all operations are carried out by the virtualization layer. Once the system call interception monitoring code has been injected, real-time security monitoring of the virtual machine based on system calls is implemented transparently inside the virtual machine.
Further, the dynamic injection of the monitoring code in step two is specifically: the virtualization platform layer generates executable code from the monitoring code, then requests memory from the virtual machine kernel layer and writes the executable code into the requested virtual machine kernel memory.
Further, the generating the executable code specifically includes the following steps:
step 101: when the virtual machine is started, the code injection module judges, according to the identifier of the virtual machine to be monitored, whether to execute the monitoring code injection logic; if the monitoring code injection condition is met, the monitoring code file of the virtualization platform layer is read and the virtual machine kernel symbol table is dynamically parsed;
step 102: the virtualization platform layer repairs the symbol table and the relocation data of the monitoring code according to the symbol table of the virtual machine and the format of the monitoring code file, and generates the executable code.
Further, step three also comprises that the virtualization platform layer obtains the address of the virtual machine system call table and the address of the system call entry function from the virtual machine symbol table, and then sets the read-only attribute in the EPT page table entries covering the system call table address, the system call entry function address and the address of the injected monitoring code.
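As an added example for steps 101 and 102 (written for this page, not the patent's own loader), the C function below repairs a relocatable monitoring code blob against a guest kernel symbol table and the base address of the memory requested in the guest kernel. The symbol tables, relocation records, addresses and the two relocation kinds (absolute 64-bit and PC-relative 32-bit, as in x86-64 object files) are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

#define COUNT(a) (sizeof (a) / sizeof (a)[0])
enum reloc_kind { R_ABS64, R_PCREL32 };
struct symbol { const char *name; uint64_t value; };
struct reloc  { uint32_t offset; const char *sym; enum reloc_kind kind; int64_t addend; };

/* Constructed guest kernel symbol table, as parsed by the KVM side at VM start. */
static const struct symbol guest_syms[] = {
    { "sys_call_table", 0xffffffff81a00000ULL },
    { "printk",         0xffffffff810c1230ULL },
};
/* Constructed symbol table of the monitoring code file: offsets within its code. */
static const struct symbol mon_syms[] = {
    { "monitored_open", 0x40 }, { "policy_cache", 0x200 },
};
/* Constructed relocation records of the monitoring code file. */
static const struct reloc mon_relocs[] = {
    { 0x10, "sys_call_table", R_ABS64,    0 },  /* movabs $sys_call_table, %rax */
    { 0x22, "printk",         R_PCREL32, -4 },  /* call printk (rel32 field)    */
    { 0x48, "policy_cache",   R_PCREL32, -4 },  /* lea policy_cache(%rip), %rdi */
};

static int lookup(const struct symbol *t, size_t n, const char *name, uint64_t *out) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(t[i].name, name) == 0) { *out = t[i].value; return 1; }
    return 0;
}

/* Step 102: patch 'code' (len bytes) as if loaded at guest address 'base'.
 * Returns the number of relocations applied, or -1 on an unresolved symbol, a
 * field outside the blob, or a PC-relative distance that does not fit in rel32. */
int relocate_monitor(uint8_t *code, size_t len, uint64_t base) {
    int applied = 0;
    for (size_t i = 0; i < COUNT(mon_relocs); i++) {
        const struct reloc *r = &mon_relocs[i];
        uint64_t s = 0;
        if (lookup(mon_syms, COUNT(mon_syms), r->sym, &s))
            s += base;                              /* local symbol: rebase */
        else if (!lookup(guest_syms, COUNT(guest_syms), r->sym, &s))
            return -1;                              /* in neither table */
        uint64_t p = base + r->offset;              /* address of the patched field */
        if (r->kind == R_ABS64) {
            if (r->offset + 8 > len) return -1;
            uint64_t v = s + (uint64_t)r->addend;
            memcpy(code + r->offset, &v, 8);        /* little-endian host assumed */
        } else {
            if (r->offset + 4 > len) return -1;
            int64_t d = (int64_t)(s + (uint64_t)r->addend - p);
            if (d < INT32_MIN || d > INT32_MAX) return -1;   /* too far for rel32 */
            int32_t v = (int32_t)d;
            memcpy(code + r->offset, &v, 4);
        }
        applied++;
    }
    return applied;
}

/* Readers for the patched fields. */
uint64_t read_u64(const uint8_t *c, size_t off) { uint64_t v; memcpy(&v, c + off, 8); return v; }
int32_t  read_i32(const uint8_t *c, size_t off) { int32_t v;  memcpy(&v, c + off, 4); return v; }
```

The rel32 range check is the practical caveat: the requested guest kernel memory must lie within 2 GiB of the kernel symbols the monitoring code calls, or the call cannot be encoded.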
Further, the monitoring strategy comprises monitoring objects and response actions, wherein the monitoring objects comprise a sensitive word library, sensitive processes, and sensitive files and directories, and the response actions comprise recording, alarming, filtering, blocking and obfuscating.
Further, steps one to four also allow the user to dynamically add and delete, through an API (application programming interface), the list of virtual machines to be monitored, the list of system calls to be monitored, the monitoring objects and the response actions.
The agent-free virtual machine monitoring system does not depend on the specific release version of the monitored virtual machine and is highly portable; at the same time, the monitoring code located in the virtualization layer can be conveniently trimmed and replaced in various ways, which amounts to real-time hot patching of the monitoring inside the virtual machine.
Furthermore, when malicious code in the virtual machine attempts to modify the protected memory of the virtual machine, a read-only protection exception is triggered at the final memory addressing stage; the attempt is captured, and the malicious process is then killed, an alarm is raised and/or the virtual machine is shut down.
The monitoring code of the invention resides in the kernel memory area of the virtual machine and leaves no trace anywhere other than the virtual machine's page tables, so its concealment is high; the system call table, the code segment of the system call entry function and the dynamically injected monitoring code segment of the virtual machine are read-only protected by the virtualization layer, which has a higher privilege level, thereby preventing the monitoring system from being damaged by malicious code inside the virtual machine.
Further, in the first step, before the user sets the monitoring policy through the monitoring policy setting module, the method further includes pre-reading the monitoring code file of the virtualization platform layer.
By adopting this technical scheme, the invention has the following beneficial effects:
In the agent-free virtual machine monitoring method, monitoring is realized by dynamically injecting the monitoring code into the virtual machine once the virtualization layer detects that the virtual machine has started, which gives high monitoring flexibility and fast real-time response. At the same time, the virtualization layer's read-only protection of the key data and code related to monitoring guarantees that the monitoring system remains effective at all times.
The agent-free virtual machine monitoring method combines, in the virtualization layer, the high security of virtualization-layer monitoring with the real-time performance of traditional monitoring. When the virtual machine is started, a section of executable monitoring code is transparently injected into the kernel memory area of the virtual machine, and the system call table function pointers in the virtual machine kernel are rewritten to point to the corresponding functions of the injected monitoring code, so that the system calls of the virtual machine are securely monitored with high flexibility and fast real-time response.
Monitoring that relies entirely on the virtualization platform, with hardware trapping conditions set to transparently intercept actions in the virtual machine, suffers from frequent switching between root mode and non-root mode. Because the invention places the actually executed monitoring code inside the virtual machine, no specific hardware trapping conditions need to be set, no additional mode switches between the virtual machine and the virtualization layer are caused, and the unnecessary loss of frequent context switching is avoided.
Drawings
Fig. 1 is a schematic flow chart of a first conventional virtual machine monitoring method discussed in the present invention.
Fig. 2 is a schematic flow chart of a second conventional virtual machine monitoring method discussed in the present invention.
Fig. 3 is a schematic flow chart of the virtual machine monitoring method according to the present invention.
Fig. 4 is a diagram of the monitoring framework of a virtual machine according to the present invention.
Fig. 5 is a schematic diagram of the basic environment for implementing the present invention.
Fig. 6 is a schematic view of the monitoring strategy according to the present invention.
Fig. 7 is a schematic diagram of the monitoring code injection module according to the present invention.
Fig. 8 is a diagram illustrating physical address access of a virtual machine according to the present invention.
Detailed Description
Embodiments of the present invention will be described in detail with reference to the accompanying drawings 1 to 8.
As shown in fig. 5, the virtual machine architecture of the embodiment, whose virtualization layer is KVM (Kernel-based Virtual Machine), comprises the underlying hardware, the Linux kernel and a plurality of virtual machines.
As shown in fig. 3, the agent-free virtual machine monitoring system and monitoring method of the embodiment are those set out above in the Disclosure of Invention: the monitoring strategy setting module, the monitoring injection module and the monitoring function protection module, operated according to steps one to four, with steps 101 and 102 for generating the executable code.
The system call interception according to the present embodiment will be described in detail with reference to fig. 7.
When a virtual machine has just been started, the KVM detects that it is in the starting state and loads the monitoring code file located on the virtualization platform side. It then dynamically parses the symbol table of the current virtual machine and repairs the symbol table of the monitoring code in a temporary memory according to that symbol table. When the virtual machine next executes a privileged instruction and traps to the KVM, the KVM assigns a function address to the virtual machine's current instruction register, so that a memory area is dynamically requested inside the virtual machine kernel. The relocation data of the monitoring code is then repaired according to the base address of the dynamically requested virtual machine kernel memory, and finally the monitoring code segment, with its symbol table and relocation table repaired, is written into the requested virtual machine kernel memory.
The virtualization layer locates the system call table of the current virtual machine by parsing the virtual machine's symbol table and, following the list of system call numbers given by the monitoring strategy, rewrites each corresponding system call table entry to the address of the matching function in the injected monitoring code, so that system calls inside the virtual machine are intercepted by the system call proxy functions of the monitoring code.
The following description of the virtual machine physical address access is made with reference to fig. 8.
When the virtual machine starts, the symbol table is parsed to obtain the base address of the system call table and the base address of the system call entry function; the code segment base address of the monitoring code is likewise obtained by parsing the monitoring code file. In the KVM, the virtual machine page table is walked from each guest kernel virtual address to find the corresponding guest physical address, the corresponding EPT entry is then located, and the EPT entries of these data and code pages are set to the read-only attribute. Thus, as shown in fig. 8, when malicious code in the virtual machine tries to modify this memory, an exception is triggered by the read-only protection at the final memory addressing stage; the exception is captured by the KVM, and damage to the monitoring system by the malicious code is prevented in time.
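To make the protection step concrete, the following is an added C model (example code for this page, not KVM's implementation) of the monitoring function protection module: it walks a constructed guest page table to find the guest physical pages holding the system call table, the system call entry function and the injected monitoring code, clears the EPT write permission on those pages, and reports which protected region a guest store hit when the violation exits to the KVM side. The 16-page guest, its page table and the three region addresses are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_MASK  ((1ULL << PAGE_SHIFT) - 1)
#define NPAGES     16                      /* constructed guest: 16 physical pages */
#define KBASE      0xffffffff80000000ULL   /* constructed guest kernel virtual base */

enum { EPT_R = 1, EPT_W = 2, EPT_X = 4 };
enum region { REG_NONE = -1, REG_SYSCALL_TABLE, REG_ENTRY, REG_MON_CODE };

/* Constructed guest page table: kernel virtual page (from KBASE) -> physical page. */
struct pte { int present; uint64_t pfn; };
static const struct pte guest_pt[NPAGES] = {
    {1,0},{1,1},{1,2},{1,3},{0,0},{1,5},{1,6},{1,7},
    {1,8},{1,9},{0,0},{1,11},{1,12},{1,13},{1,14},{1,15} };
static uint8_t guest_mem[NPAGES << PAGE_SHIFT];   /* guest physical memory */
static uint8_t ept[NPAGES];                       /* EPT leaf permissions per page */

/* Region addresses resolved from the guest symbol table and code file (constructed):
 * system call table, system call entry function, injected monitoring code. */
static const uint64_t regions[] = { KBASE + 0x2000, KBASE + 0x3100, KBASE + 0x5000 };
static uint64_t prot_page[3];                     /* physical page of each region */
static int n_violations, last_region = REG_NONE;

/* Walk the guest page table: GVA -> GPA, or -1 if the page is not mapped. */
static int64_t gva_to_gpa(uint64_t gva) {
    uint64_t vpn = (gva - KBASE) >> PAGE_SHIFT;
    if (vpn >= NPAGES || !guest_pt[vpn].present) return -1;
    return (int64_t)((guest_pt[vpn].pfn << PAGE_SHIFT) | (gva & PAGE_MASK));
}

/* Monitoring function protection: clear W in the EPT entry of each region's page.
 * Returns the number of pages protected, or -1 if a region is not mapped. */
int protect_monitoring_pages(void) {
    memset(ept, EPT_R | EPT_W | EPT_X, sizeof ept);
    n_violations = 0; last_region = REG_NONE;
    for (int i = 0; i < 3; i++) {
        int64_t gpa = gva_to_gpa(regions[i]);
        if (gpa < 0) return -1;
        prot_page[i] = (uint64_t)gpa >> PAGE_SHIFT;
        ept[prot_page[i]] &= (uint8_t)~EPT_W;
    }
    return 3;
}

/* A guest store as the hardware performs it: 0 on success, -2 on a guest page
 * fault, -1 on an EPT violation (the exit the KVM side captures and responds to). */
int guest_write(uint64_t gva, uint8_t value) {
    int64_t gpa = gva_to_gpa(gva);
    if (gpa < 0) return -2;
    if (!(ept[gpa >> PAGE_SHIFT] & EPT_W)) {
        n_violations++;
        for (int i = 0; i < 3; i++)
            if (prot_page[i] == (uint64_t)gpa >> PAGE_SHIFT) last_region = i;
        return -1;
    }
    guest_mem[gpa] = value;
    return 0;
}

uint8_t guest_read(uint64_t gva) { int64_t g = gva_to_gpa(gva); return g < 0 ? 0 : guest_mem[g]; }
int violations(void) { return n_violations; }
int last_hit_region(void) { return last_region; }
```

Note that the protection can only be installed once the regions are mapped in the guest, which is why the model returns -1 for an unmapped region rather than silently skipping it.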