CN109189558A - A kind of method and device for secure virtual machine protection - Google Patents
- Publication number: CN109189558A (application CN201811027149.3A)
- Authority: CN (China)
- Prior art keywords: cpu instruction, instruction, virtual machine, memory, cpu
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F9/45558: Hypervisor-specific management and integration aspects (under G06F9/455, Emulation; Interpretation; Software simulation, e.g. virtualisation, and G06F9/45533, Hypervisors; Virtual machine monitors)
- G06F2009/45583: Memory management, e.g. access or allocation (under G06F9/45558)
- G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities (under G06F21/50, Monitoring users, programs or devices to maintain the integrity of platforms)
- G06F21/71: Protecting specific internal or peripheral components to assure secure computing or processing of information (under G06F21/70)
Abstract
The embodiments of the present application disclose a method and device for virtual machine security protection, intended to prevent the system call table from being tampered with. The method of the embodiments comprises: obtaining the memory address of the system call table; intercepting the CPU instructions of the virtual machine operating system; judging whether a CPU instruction is a memory write instruction; if so, obtaining the write address of the CPU instruction; judging whether the write address of the CPU instruction lies within the memory address of the system call table; and if so, preventing the write operation of the CPU instruction.
Description
Technical field
This application relates to the fields of computer hardware virtualization and operating system security, and in particular to a method and device for virtual machine security protection.
Background technique
With the development of technologies such as cloud computing and big data, the security requirements placed on servers and PCs keep rising. The operating system is the core of a server or PC; once it is controlled and exploited by a hacker or an unauthorized user, the consequences are hard to imagine. In recent years, thanks to its stability and efficiency, the Linux system has come into ever more common use. The system call table sys_call_table is a critical component of the Linux operating system and is the entry point through which every user-space routine calls into the kernel; the security of the system call table is therefore increasingly important.
Hackers often use a Rootkit program to tamper with the addresses of certain system call functions in the system call table, redirecting some system call functions to system call functions that contain malicious code. When the user later invokes such a system call, the replaced system call function is triggered instead; in this way the Rootkit hides itself and subverts the normal behaviour of the system.
Among the currently known statistics on Linux hacker attacks, attacks carried out by tampering with the system call table are numerous. How to effectively guarantee the security and integrity of the system call table has therefore become a technical problem urgently in need of a solution.
Summary of the invention
The embodiments of the present application provide a method and device for virtual machine security protection, for preventing the system call table from being tampered with.
In a first aspect, the embodiments of the present application provide a method for virtual machine security protection, the method comprising:
obtaining the memory address range of the system call table sys_call_table of the virtual machine operating system, where the virtual machine is a KVM virtual machine built on hardware virtualization technology;
intercepting the CPU instructions generated by the virtual machine operating system;
judging whether the CPU instruction is a memory write instruction;
if the CPU instruction is a memory write instruction, obtaining the write address range of the CPU instruction;
judging whether the write address range of the CPU instruction lies within the memory address range of sys_call_table;
if the write address range of the CPU instruction lies within the memory address range of sys_call_table, preventing the CPU instruction's write operation to sys_call_table, which may specifically be done by making the CPU instruction return an error.
According to the first aspect, in a first embodiment of the first aspect of the embodiments of the present application, after preventing the CPU instruction's write operation to sys_call_table, the method further comprises:
buffering the relevant information of the CPU instruction in the system log linked list as intercepted-log information, the relevant information including the content of the CPU instruction and time information.
According to the first embodiment of the first aspect, in a second embodiment of the first aspect of the embodiments of the present application, after the relevant information of the CPU instruction has been buffered in the log linked list as intercepted-log information, the method further comprises:
receiving a request to access the intercepted-log information;
extracting the intercepted-log information from the log linked list; the extracted intercepted-log information can be shown to the user through a user interface.
According to the first aspect, in a third embodiment of the first aspect of the embodiments of the present application, before obtaining the memory address of the system call table, the method further comprises:
configuring the virtual machine control structure (VMCS) so as to control the interception behaviour for CPU instructions.
In a second aspect, the embodiments of the present application provide a device for virtual machine security protection, the device comprising:
a first acquisition unit, for obtaining the memory address range of the system call table sys_call_table of the virtual machine operating system, where the virtual machine is a KVM virtual machine built on hardware virtualization technology;
an interception unit, for intercepting the CPU instructions generated by the virtual machine operating system;
a first judging unit, for judging whether the CPU instruction is a memory write instruction;
a second acquisition unit, for obtaining the write address of the CPU instruction when the CPU instruction is a memory write instruction;
a second judging unit, for judging whether the write address of the CPU instruction lies within the memory address of the system call table;
an operating unit, for preventing the CPU instruction's write operation to sys_call_table when the write address of the CPU instruction lies within the memory address of the system call table.
According to the second aspect, in a first embodiment of the second aspect of the embodiments of the present application, the device further comprises:
a storage unit, for buffering the relevant information of the CPU instruction in a log linked list as intercepted-log information, the relevant information including the content of the CPU instruction and time information.
According to the first embodiment of the second aspect, in a second embodiment of the second aspect of the embodiments of the present application, the device further comprises:
a receiving unit, for receiving a request to access the intercepted-log information;
an extraction unit, for extracting the intercepted-log information from the log linked list; the extracted intercepted-log information can be presented to the user through a user interface.
According to the second aspect, in a third embodiment of the second aspect of the embodiments of the present application, the device further comprises:
a setting unit, for configuring the virtual machine control structure (VMCS) so as to control the interception behaviour for CPU instructions.
In a third aspect, the embodiments of the present application provide a device for virtual machine security protection, the device comprising a processor and a memory, the memory storing the instructions for virtual machine security protection described in the first aspect, which, when run on a computer, cause the computer to execute the steps for virtual machine security protection described in the first aspect.
In a fourth aspect, the embodiments of the present application provide a computer-readable storage medium comprising instructions which, when run on a computer, cause the computer to execute the method described in the first aspect.
As can be seen from the above technical solutions, the embodiments of the present application have the following advantage:
by intercepting CPU instructions and judging their type, the embodiments make every write instruction aimed at the system call table fail, so that the system call table is protected from tampering.
Detailed description of the invention
Fig. 1 is a schematic diagram of an embodiment of the method for virtual machine security protection provided by the embodiments of the present application;
Fig. 2 is a schematic diagram of an embodiment of the device for virtual machine security protection provided by the embodiments of the present application;
Fig. 3 is a schematic diagram of another embodiment of the device for virtual machine security protection provided by the embodiments of the present application;
Fig. 4 is a schematic diagram of another embodiment of the device for virtual machine security protection provided by the embodiments of the present application.
Specific embodiment
The embodiments of the present application provide a method and device for virtual machine security protection, which prevent the system call table from being tampered with by a rogue program by blocking the CPU instructions that perform write operations on the system call table. The embodiments of the present application also provide a corresponding device and computer-readable storage medium for virtual machine security protection; each is described in detail below.
In a Linux system, each system call corresponds to a system call function in the kernel. These functions usually have names beginning with sys_, and their symbols are exported by the kernel. A Rootkit running in kernel space can obtain the addresses of these system call function symbols and modify the instruction code of the system call functions, so that the malicious code provided by the Rootkit is executed inside them.
An embodiment of the method for virtual machine security protection provided by the embodiments of the present application is shown in Fig. 1. It mainly comprises seven steps, embodied as follows:
101. Obtain the address of the system call table.
The memory address of the system call table sys_call_table of the virtual machine's kernel is obtained. In this and the following embodiments the virtual machine is a KVM virtual machine constructed on hardware virtualization technology, which includes Intel VT (Intel virtualization technology) and AMD SVM (AMD secure virtual machine).
In the embodiments of the present application, under hardware virtualization technology the operating mode is divided into VMX root mode (VMX root operation) and VMX non-root mode (VMX non-root operation), and program privilege levels are further divided into ring0 to ring3. The operation of obtaining the memory address of the system call table of the virtual machine kernel is performed at ring0 in non-root mode.
102. Intercept the CPU instruction.
While the virtual machine is being constructed on hardware virtualization technology, the interception behaviour for CPU instructions is defined by configuring the VMCS (virtual machine control structure) data structure. In the embodiments of the present application, the VMCS is configured so that when the virtual machine generates a CPU instruction, the instruction traps and is captured.
103. Judge whether it is a memory write instruction.
After the CPU instruction is trapped, it is first judged whether it is a memory write instruction. If it is a memory write instruction, step 104 is executed for further judgment; if the CPU instruction is not a memory write instruction, step 107 is executed so that the instruction executes normally.
104. Obtain the write address.
If step 103 judged the CPU instruction to be a memory write instruction, this step further obtains the memory write address of the CPU instruction.
105. Judge whether the write address is the system call table address.
Judge whether the memory write address of the CPU instruction lies within the address range of sys_call_table. If the memory write address of the CPU instruction lies within the address range of sys_call_table, step 106 is executed; otherwise step 107 is executed so that the instruction executes normally.
106. Prevent the write operation.
If the memory write address of the CPU instruction lies within the address range of sys_call_table, this memory write is made to fail, which may specifically be done by making the result returned by the CPU instruction an error.
In the embodiments of the present application, after the CPU instruction has been prevented, the relevant information of the prevented operation, such as the code of the CPU instruction and the time at which the CPU instruction was generated, may also be stored as intercepted-log information. Specifically, the intercepted-log information may be buffered in the Linux system log linked list, from which the user can extract the intercepted-log information for review.
107. Execute the instruction.
The trapped CPU instruction is allowed to execute normally; this is done at ring0 in root mode.
In the embodiments of the present application, a program running at ring0 in root mode monitors in real time the CPU instructions generated by the virtual machine in non-root mode and restricts the memory write operations of those CPU instructions to sys_call_table. sys_call_table is thereby write-protected at the highest privilege level of the system, which prevents a Rootkit rogue program running in the kernel mode of the non-root-mode virtual machine from tampering with the virtual machine's sys_call_table.
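The following C program is an added example, not code from the patent or from any implementation of it. It models steps 103 to 107 above in user space: a constructed stream of already-decoded instructions stands in for the trapped CPU instructions (real VMX exit data and instruction decoding are assumed away), the protected range is a constructed sys_call_table address and length, and each blocked write is pushed onto a singly linked list in the way the intercepted-log linked list is described. It goes slightly beyond the text in one respect: the range check tests for overlap rather than for the start address alone, so a multi-byte store that begins just below the table and spills into its first entry is also refused.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Protected range [start, start + len) of sys_call_table. The values used
 * below are constructed; a real monitor obtains them from the guest kernel. */
typedef struct { uint64_t start; uint64_t len; } protected_range;

/* Decoded form of a trapped guest instruction (a model, not real VMX exit data). */
typedef struct {
    const char *mnemonic;  /* e.g. "mov" */
    bool is_mem_write;     /* result of step 103 */
    uint64_t write_addr;   /* step 104: first byte written */
    uint64_t write_len;    /* bytes written (8 for a pointer-sized store) */
} trapped_insn;

typedef enum { VERDICT_EXECUTE = 107, VERDICT_BLOCK = 106 } verdict;

/* One entry of the intercepted log, kept as a singly linked list. */
typedef struct log_entry {
    char insn_text[32];
    uint64_t write_addr;
    time_t when;
    struct log_entry *next;
} log_entry;

static log_entry *log_head = NULL;

/* Step 105 as an overlap test: the write is refused if any byte of it lands in
 * the protected range, not only if its first byte does. */
static bool overlaps_range(const protected_range *r, uint64_t addr, uint64_t len) {
    uint64_t r_end = r->start + r->len;
    if (len == 0) return false;
    if (addr > UINT64_MAX - len) return true;   /* address wraps: treat as a hit */
    return addr < r_end && addr + len > r->start;
}

/* Convenience wrapper for checking the range rule on explicit values. */
static bool hits_table(uint64_t start, uint64_t len, uint64_t addr, uint64_t wlen) {
    protected_range r = { start, len };
    return overlaps_range(&r, addr, wlen);
}

/* Record a blocked instruction: its text, target address and time. */
static void log_blocked(const trapped_insn *insn) {
    log_entry *e = calloc(1, sizeof *e);
    if (!e) return;
    snprintf(e->insn_text, sizeof e->insn_text, "%s", insn->mnemonic);
    e->write_addr = insn->write_addr;
    e->when = time(NULL);
    e->next = log_head;   /* push at the head of the list */
    log_head = e;
}

/* Steps 103 to 107 for one trapped instruction. */
static verdict handle_trapped(const protected_range *sct, const trapped_insn *insn) {
    if (!insn->is_mem_write) return VERDICT_EXECUTE;                       /* 103 -> 107 */
    if (!overlaps_range(sct, insn->write_addr, insn->write_len))
        return VERDICT_EXECUTE;                                            /* 105 -> 107 */
    log_blocked(insn);                                                     /* 106 + log */
    return VERDICT_BLOCK;
}

/* Number of entries currently in the intercepted log. */
static size_t log_count(void) {
    size_t n = 0;
    for (log_entry *e = log_head; e; e = e->next) n++;
    return n;
}

static void log_clear(void) {
    while (log_head) { log_entry *n = log_head->next; free(log_head); log_head = n; }
}

/* Run a constructed instruction stream; returns how many writes were blocked. */
static size_t run_sample(void) {
    /* Constructed: a table of 8 pointer-sized entries at 0xffffffff81a00200 */
    protected_range sct = { 0xffffffff81a00200ULL, 8 * sizeof(uint64_t) };
    trapped_insn stream[] = {
        { "cpuid", false, 0, 0 },                       /* not a write: execute */
        { "mov",   true,  0xffffffff81a00210ULL, 8 },   /* entry 2: blocked */
        { "mov",   true,  0xffffffff81a00100ULL, 8 },   /* elsewhere: execute */
        { "mov",   true,  0xffffffff81a001fcULL, 8 },   /* straddles start: blocked */
        { "mov",   true,  0xffffffff81a00240ULL, 8 },   /* one past the end: execute */
    };
    size_t blocked = 0;
    log_clear();
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++)
        if (handle_trapped(&sct, &stream[i]) == VERDICT_BLOCK) blocked++;
    return blocked;
}

int main(void) {
    size_t blocked = run_sample();
    printf("blocked %zu writes, %zu log entries\n", blocked, log_count());
    for (log_entry *e = log_head; e; e = e->next)
        printf("  %s -> 0x%llx at %ld\n", e->insn_text,
               (unsigned long long)e->write_addr, (long)e->when);
    log_clear();
    return 0;
}
```

The sample stream deliberately includes the two boundary cases a range check gets wrong most often: a store starting four bytes before the table, which still clobbers its first entry and is blocked, and a store at exactly one byte past the end, which is allowed.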
The method for virtual machine security protection in the embodiments of the present application has been described above; the device for virtual machine security protection provided by the embodiments of the present application is introduced below. Fig. 2 is a schematic diagram of an embodiment of the device 200 for virtual machine security protection provided by the embodiments of the present application. The device 200 for virtual machine security protection comprises:
a first acquisition unit 201, for obtaining the memory address of the system call table;
an interception unit 202, for intercepting the CPU instructions of the virtual machine operating system;
a first judging unit 203, for judging whether the CPU instruction is a memory write instruction;
a second acquisition unit 204, for obtaining the write address of the CPU instruction when the CPU instruction is a memory write instruction;
a second judging unit 205, for judging whether the write address of the CPU instruction lies within the memory address of the system call table;
an operating unit 206, for preventing the write operation of the CPU instruction when the write address of the CPU instruction lies within the memory address of the system call table.
In this embodiment, the device 200 for virtual machine security protection further comprises:
a storage unit 207, for buffering the relevant information of the CPU instruction in a log linked list as intercepted-log information, the relevant information including the content of the CPU instruction and time information.
In this embodiment, the device 200 for virtual machine security protection further comprises:
a receiving unit 208, for receiving a request to access the intercepted-log information;
an extraction unit 209, for extracting the intercepted-log information from the log linked list.
In this embodiment, the device 200 for virtual machine security protection further comprises:
a setting unit 210, for configuring the virtual machine control structure (VMCS) so as to control the interception behaviour for CPU instructions.
The device for virtual machine security protection in the embodiments of the present application may also be divided into modules according to supervisory layer, as in Fig. 3, which is a schematic diagram of another embodiment of the device 300 for virtual machine security protection provided by the embodiments of the present application. The device 300 for virtual machine security protection comprises:
CPU virtualization driver module 301. This module is implemented as a kernel driver, is installed by main service process module 303 and runs together with the operating system. The code of CPU virtualization driver module 301 runs at ring0 in root mode and, as the virtual machine monitor, holds the highest privilege level together with the host kernel. After the module starts it performs the following in turn: allocating the memory needed by the virtualization data structures, setting the flag bit in the CPU register CR4, filling the VMCS to indicate the CPU instruction interception operation, obtaining the memory address range of sys_call_table from OS communication module 302, and making the current operating system run as a virtual machine on a virtual CPU. Once CPU virtualization driver module 301 has been created and initialized by main service process module 303, it enters the CPU instruction interception loop. For every intercepted CPU instruction, if the CPU instruction is a memory write instruction and the address written lies in the address range of sys_call_table, that memory write operation is made to fail.
OS communication driver module 302. This module is implemented as a kernel driver, is installed by main service process 303 and runs automatically after the operating system starts. The module runs at ring0 in non-root mode, the same privilege level as the virtual machine kernel. After the virtual machine operating system starts, the module first obtains the starting memory address and the memory address range of the virtual machine operating system's sys_call_table and stores the obtained sys_call_table memory address. The module connects upward to CPU virtualization driver module 301 and downward to main service process module 303. After being created and initialized by main service process module 303 it enters a request-message processing loop, in which it receives the requests sent by CPU virtualization driver module 301 to obtain the sys_call_table memory address, buffers in the system log linked list the intercepted-log information that CPU virtualization driver module 301 generates after preventing a CPU instruction, and, on receiving a request from main service process module 303 to obtain the intercepted-log information, takes the intercepted-log information out of the system log linked list and returns it to main service process module 303.
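Step 101 and OS communication driver module 302 obtain the starting address and length of sys_call_table, but the description does not say how the guest-side module finds them. The C program below is an added example (not the patent's code) of one common way to derive that range inside a Linux guest: reading the symbol's address from a /proc/kallsyms-style listing and taking the nearest higher symbol address as the end of the table. The listing embedded here is constructed, with made-up addresses. It also covers the case where kptr_restrict hides addresses as zeros, which the parser must reject rather than hand the monitor an empty range at address 0 to protect.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed /proc/kallsyms-style text (address, type, name). The addresses
 * are made up and belong to no real kernel build. Lines are intentionally
 * not sorted by address so the parser cannot rely on ordering. */
static const char sample_kallsyms[] =
    "ffffffff81e00040 R ia32_sys_call_table\n"
    "ffffffff81e00000 R some_rodata_before\n"
    "ffffffff81e001a0 R sys_call_table\n"
    "ffffffff81e00fa0 r rodata_after_table\n"
    "ffffffff81e00fa0 r alias_at_same_address\n"
    "ffffffff81e01000 T some_text_symbol\n";

/* The same listing as a kernel with kptr_restrict shows it to an unprivileged
 * reader: every address is zero, so no usable range can be derived. */
static const char sample_restricted[] =
    "0000000000000000 R sys_call_table\n"
    "0000000000000000 r rodata_after_table\n";

typedef struct { uint64_t start; uint64_t len; } sym_range;

/* Derive [start, start + len) for `sym`: start is the symbol's own address and
 * the end is the smallest symbol address strictly above it. Returns false if
 * the symbol is absent, its address is 0 (hidden), or nothing lies above it. */
static bool kallsyms_range(const char *text, const char *sym, sym_range *out) {
    uint64_t target = 0, next = UINT64_MAX;
    bool found = false;
    for (int pass = 0; pass < 2; pass++) {
        for (const char *p = text; *p; ) {
            unsigned long long addr; char type; char name[128];
            /* sscanf stops after the third field of the current line, so the
             * text can be parsed in place without copying each line out */
            if (sscanf(p, "%llx %c %127s", &addr, &type, name) == 3) {
                if (pass == 0) {
                    if (strcmp(name, sym) == 0) { target = addr; found = true; }
                } else if (addr > target && addr < next) {
                    next = addr;   /* pass 1: nearest symbol above the target */
                }
            }
            const char *nl = strchr(p, '\n');
            if (!nl) break;
            p = nl + 1;
        }
        if (pass == 0 && (!found || target == 0)) return false;
    }
    if (next == UINT64_MAX) return false;
    out->start = target;
    out->len = next - target;
    return true;
}

/* Wrappers over the constructed samples so the results can be checked by name. */
static uint64_t sample_table_start(void) {
    sym_range r;
    return kallsyms_range(sample_kallsyms, "sys_call_table", &r) ? r.start : 0;
}
static uint64_t sample_table_len(void) {
    sym_range r;
    return kallsyms_range(sample_kallsyms, "sys_call_table", &r) ? r.len : 0;
}
static bool restricted_sample_rejected(void) {
    sym_range r;
    return !kallsyms_range(sample_restricted, "sys_call_table", &r);
}

int main(void) {
    sym_range r;
    if (kallsyms_range(sample_kallsyms, "sys_call_table", &r))
        printf("sys_call_table at 0x%llx, %llu bytes (%llu 8-byte entries)\n",
               (unsigned long long)r.start, (unsigned long long)r.len,
               (unsigned long long)(r.len / 8));
    printf("restricted listing rejected: %s\n",
           restricted_sample_rejected() ? "yes" : "no");
    return 0;
}
```

Using the next symbol as the end of the table is an upper bound: alignment padding after the last entry is protected too, which is harmless for a write-deny rule. The opposite error, protecting too little, is what the zero-address check guards against.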
Main service process module 303. This module is implemented as a Linux background service and can communicate with OS communication driver module 302 to obtain the intercepted-log information. The module is also used to create CPU virtualization driver module 301 and OS communication driver module 302. Through unloading, main service process module 303 can unload CPU virtualization driver module 301 and OS communication driver module 302, whereas unloading main service process 303 itself requires a fixed instruction string, which is supplied to the user when main service process module 303 is created or is configured by the user during creation, so that main service process module 303 cannot be unloaded by a rogue program.
Fig. 4 is a structural schematic diagram of the device 400 for virtual machine security protection provided by the embodiments of the present application. The device 400 for virtual machine security protection comprises a processor 401, a memory 402 and an input/output (I/O) interface 403. The memory 402 may include read-only memory and random access memory, and provides operating instructions and data to the processor 401. A part of the memory 402 may also include non-volatile random access memory (NVRAM).
The processor 401 controls the operation of the device 400 for virtual machine security protection; the processor 401 may also be referred to as a CPU. The memory 402 may include read-only memory and random access memory, and provides instructions and data to the processor 401; a part of the memory 402 may also include NVRAM. In a specific application, the various components of the device 400 for virtual machine security protection are coupled together by a bus system 404, which in addition to a data bus may also include a power bus, a control bus and a status signal bus. For clarity of description, the various buses are all labelled bus system 404 in the figure.
The method disclosed in the above embodiments of the present application may be applied in the processor 401 or implemented by the processor 401. The processor 401 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by integrated logic circuits of hardware in the processor 401 or by instructions in the form of software. The processor 401 may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present application may be embodied directly as being completed by a hardware decoding processor, or completed by a combination of the hardware and software modules in a decoding processor. The software module may reside in a storage medium mature in this field, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or a register. The storage medium is located in the memory 402; the processor 401 reads the information in the memory 402 and completes the steps of the above method in combination with its hardware.
It will be clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be understood by reference to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation: several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or some of the steps of the methods of the embodiments of this application. The aforementioned storage medium includes a USB flash disk, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
The above embodiments are only intended to illustrate the technical solution of this application, not to limit it. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of this application.
Claims (10)
1. a kind of method for secure virtual machine protection, which is characterized in that the described method includes:
Obtain the memory address of subsystem call table;
Intercept and capture the cpu instruction of VME operating system;
Judge whether the cpu instruction is memory write instruction;
If so, obtaining the writing address of the cpu instruction;
Judge whether the writing address of the cpu instruction is located at the memory address of the subsystem call table;
If so, preventing the write operation of the cpu instruction.
2. the method according to claim 1, wherein after the write operation for preventing the cpu instruction,
The method also includes:
caching the relevant information of the CPU instruction in a log linked list as intercepted log information, the relevant information including the content and time information of the CPU instruction.
3. The method according to claim 2, characterized in that, after caching the relevant information of the CPU instruction in the log linked list as intercepted log information, the method further includes:
receiving a request to access the intercepted log information;
extracting the intercepted log information from the log linked list.
4. The method according to claim 1, characterized in that, before obtaining the memory address of the system call table, the method further includes:
configuring a virtual machine control structure (VMCS) to control the interception behaviour for CPU instructions.
5. A device for virtual machine security protection, characterized in that the device includes:
a first acquisition unit, for obtaining the memory address of the system call table;
an interception unit, for intercepting a CPU instruction of the virtual machine operating system;
a first judging unit, for judging whether the CPU instruction is a memory write instruction;
a second acquisition unit, for obtaining the write address of the CPU instruction when the CPU instruction is a memory write instruction;
a second judging unit, for judging whether the write address of the CPU instruction is located at the memory address of the system call table;
an operating unit, for preventing the write operation of the CPU instruction when the write address of the CPU instruction is located at the memory address of the system call table.
6. The device according to claim 5, characterized in that the device further includes:
a storage unit, for caching the relevant information of the CPU instruction in a log linked list as intercepted log information, the relevant information including the content and time information of the CPU instruction.
7. The device according to claim 6, characterized in that the device further includes:
a receiving unit, for receiving a request to access the intercepted log information;
an extraction unit, for extracting the intercepted log information from the log linked list.
8. The device according to claim 5, characterized in that the device further includes:
a setting unit, for configuring the virtual machine control structure (VMCS) to control the interception behaviour for CPU instructions.
9. A device for virtual machine security protection, characterized in that the device includes a processor and a memory, the memory storing instructions for virtual machine security protection according to any one of claims 1-4, and the processor being configured to execute the instructions for virtual machine security protection in the memory so as to perform the steps of the method for virtual machine security protection according to any one of claims 1-4.
10. A computer-readable storage medium, characterized in that instructions for virtual machine security protection are stored in the computer-readable storage medium which, when run on a computer, cause the computer to execute the method according to any one of claims 1-4.
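As an added illustration (not code from the patent), the following C model shows the decision the claimed units make on each intercepted instruction: a decoded memory write whose address falls within the system call table is refused and appended to a linked-list log carrying its content and time, and the log can be read back on request. The instruction layout, the table address range and the instruction bytes are constructed assumptions; generalizing slightly on the claims, the check covers the whole table range rather than a single address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <time.h>

/* Constructed model of one intercepted guest CPU instruction (hypothetical layout). */
typedef struct {
    bool is_mem_write;     /* decoded: does this instruction write guest memory? */
    uint64_t write_addr;   /* guest address written, meaningful only if is_mem_write */
    uint8_t bytes[15];     /* instruction content (raw bytes) */
    size_t len;
} vm_insn_t;

/* Node of the intercepted-log linked list: instruction content, address and time. */
typedef struct log_node {
    vm_insn_t insn;
    time_t when;
    struct log_node *next;
} log_node_t;

/* Guard state: protected system call table range (assumed values) and the log. */
typedef struct {
    uint64_t table_base;   /* memory address of the guest's system call table */
    uint64_t table_size;   /* bytes covered; the claims compare one address, a range
                              covers every entry of the table */
    log_node_t *log_head;  /* newest intercepted entry first */
    size_t log_count;
} syscall_guard_t;

static bool targets_syscall_table(const syscall_guard_t *g, uint64_t addr) {
    return addr >= g->table_base && addr < g->table_base + g->table_size;
}

/* Returns true when the write must be prevented; the blocked instruction is logged. */
bool guard_handle_insn(syscall_guard_t *g, const vm_insn_t *insn) {
    if (!insn->is_mem_write) return false;                          /* not a write: allow */
    if (!targets_syscall_table(g, insn->write_addr)) return false;  /* elsewhere: allow */
    log_node_t *n = calloc(1, sizeof *n);   /* record content + time before refusing */
    if (n) {
        n->insn = *insn;
        n->when = time(NULL);
        n->next = g->log_head;
        g->log_head = n;
        g->log_count++;
    }
    return true;
}

/* Serves a request to read the intercepted log: most recent entry, or NULL if none. */
const log_node_t *guard_latest_log(const syscall_guard_t *g) { return g->log_head; }
```

In a real hypervisor the `vm_insn_t` fields would be filled from the VM-exit information and the decoded instruction, and the table address from the guest kernel's symbol; the model only exercises the decision and logging logic.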
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811027149.3A CN109189558A (en) | 2018-09-04 | 2018-09-04 | A kind of method and device for secure virtual machine protection |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811027149.3A CN109189558A (en) | 2018-09-04 | 2018-09-04 | A kind of method and device for secure virtual machine protection |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109189558A true CN109189558A (en) | 2019-01-11 |
Family
ID=64914463
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811027149.3A Pending CN109189558A (en) | 2018-09-04 | 2018-09-04 | A kind of method and device for secure virtual machine protection |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109189558A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114968122A (en) * | 2022-06-09 | 2022-08-30 | 北京天融信网络安全技术有限公司 | Virtual machine file tamper-proofing method and private cloud cluster |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080222309A1 (en) * | 2007-03-06 | 2008-09-11 | Vedvyas Shanbhogue | Method and apparatus for network filtering and firewall protection on a secure partition |
CN104899512A (en) * | 2015-05-26 | 2015-09-09 | 浪潮电子信息产业股份有限公司 | Windows system service descriptor table tamper-proofing apparatus and method |
CN106650463A (en) * | 2016-12-16 | 2017-05-10 | 郑州云海信息技术有限公司 | System and method for preventing window system service description table from being tampered |
CN106685999A (en) * | 2017-02-27 | 2017-05-17 | 郑州云海信息技术有限公司 | Safety protection method for virtual machine, system and safety device |
2018
- 2018-09-04 CN CN201811027149.3A patent/CN109189558A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190111 |