CN109189558A - Method and device for virtual machine security protection - Google Patents

Info

Publication number: CN109189558A
Application number: CN201811027149.3A
Authority: CN (China)
Prior art keywords: cpu instruction, instruction, virtual machine, memory, cpu
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 邢希双
Current assignee: Zhengzhou Yunhai Information Technology Co Ltd (as listed by Google Patents)
Original assignee: Zhengzhou Yunhai Information Technology Co Ltd
Application filed by Zhengzhou Yunhai Information Technology Co Ltd; priority to CN201811027149.3A; publication of CN109189558A

Classifications

    • G06F9/45558 Hypervisor-specific management and integration aspects (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F9/00 Arrangements for program control, e.g. control units > G06F9/06 using stored programs > G06F9/44 Arrangements for executing specific programs > G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines > G06F9/45533 Hypervisors; Virtual machine monitors)
    • G06F2009/45583 Memory management, e.g. access or allocation (under G06F9/45558)
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information (G06F21/00 > G06F21/70)

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of this application disclose a method and device for virtual machine security protection, used to prevent the system call table from being tampered with. The method comprises: obtaining the memory address of the system call table; intercepting the CPU instructions of the virtual machine operating system; judging whether a CPU instruction is a memory write instruction; if so, obtaining the write address of the CPU instruction; judging whether the write address of the CPU instruction lies within the memory address of the system call table; and if so, preventing the write operation of the CPU instruction.

Description

Method and device for virtual machine security protection
Technical field
This application relates to the field of computer hardware virtualization and the field of operating system security, and in particular to a method and device for virtual machine security protection.
Background
With the development of technologies such as cloud computing and big data, the security requirements placed on servers and PCs keep rising. The operating system is the core of a server or PC; once it is controlled and exploited by a hacker or an illegitimate user, the consequences are hard to imagine. In recent years, thanks to the stability and efficiency of Linux, its use has become increasingly widespread. The system call table sys_call_table is a critical component of the Linux operating system and is the entry point through which all user-space routines call into the kernel, so the security of the system call table is increasingly important.
Hackers often use rootkit programs to tamper with certain system call function addresses in the system call table, redirecting some system call functions to system call functions that contain malicious code. When a user invokes such a system call, the replaced system call function is triggered, which the rootkit uses to hide itself and to disrupt the normal behaviour of the system.
Among the currently known statistics on attacks against Linux, many cases carry out the attack by tampering with the system call table. How to effectively guarantee the security and integrity of the system call table has therefore become a pressing technical problem.
Summary of the invention
The embodiments of this application provide a method and device for virtual machine security protection, used to prevent the system call table from being tampered with.
In a first aspect, the embodiments of this application provide a method for virtual machine security protection, the method comprising:
obtaining the memory address range of the system call table sys_call_table of the virtual machine operating system, where the virtual machine is a KVM virtual machine built on hardware virtualization technology;
intercepting the CPU instructions generated by the virtual machine operating system;
judging whether a CPU instruction is a memory write instruction;
if the CPU instruction is a memory write instruction, obtaining the write address range of the CPU instruction;
judging whether the write address range of the CPU instruction lies within the memory address range of sys_call_table;
if the write address range of the CPU instruction lies within the memory address range of sys_call_table, preventing the write operation of the CPU instruction to sys_call_table, which may specifically be done by making the CPU instruction return an error.
According to the first aspect, in a first implementation of the first aspect of the embodiments of this application, after preventing the write operation of the CPU instruction to sys_call_table, the method further comprises:
buffering relevant information about the CPU instruction in the system log linked list as intercepted-log information, the relevant information including the content of the CPU instruction and time information.
According to the first implementation of the first aspect, in a second implementation of the first aspect, after buffering the relevant information about the CPU instruction in the log linked list as intercepted-log information, the method further comprises:
receiving a request to access the intercepted-log information;
extracting the intercepted-log information from the log linked list; the extracted intercepted-log information can be presented to the user through a user interface.
According to the first aspect, in a third implementation of the first aspect, before obtaining the memory address of the system call table, the method further comprises:
configuring the virtual machine control structure (VMCS) to control the interception behaviour for CPU instructions.
In a second aspect, the embodiments of this application provide a device for virtual machine security protection, the device comprising:
a first acquisition unit, for obtaining the memory address range of the system call table sys_call_table of the virtual machine operating system, where the virtual machine is a KVM virtual machine built on hardware virtualization technology;
an interception unit, for intercepting the CPU instructions generated by the virtual machine operating system;
a first judging unit, for judging whether a CPU instruction is a memory write instruction;
a second acquisition unit, for obtaining the write address of the CPU instruction when the CPU instruction is a memory write instruction;
a second judging unit, for judging whether the write address of the CPU instruction lies within the memory address of the system call table;
an operating unit, for preventing the write operation of the CPU instruction to sys_call_table when the write address of the CPU instruction lies within the memory address of the system call table.
According to the second aspect, in a first implementation of the second aspect, the device further comprises:
a storage unit, for buffering relevant information about the CPU instruction in the log linked list as intercepted-log information, the relevant information including the content of the CPU instruction and time information.
According to the first implementation of the second aspect, in a second implementation of the second aspect, the device further comprises:
a receiving unit, for receiving a request to access the intercepted-log information;
an extraction unit, for extracting the intercepted-log information from the log linked list; the extracted intercepted-log information can be presented to the user through a user interface.
According to the second aspect, in a third implementation of the second aspect, the device further comprises:
a setting unit, for configuring the virtual machine control structure (VMCS) to control the interception behaviour for CPU instructions.
In a third aspect, the embodiments of this application provide a device for virtual machine security protection, the device comprising a processor and a memory, the memory storing the instructions for virtual machine security protection described in the first aspect, which, when run on a computer, cause the computer to execute the steps for virtual machine security protection described in the first aspect.
In a fourth aspect, the embodiments of this application provide a computer-readable storage medium comprising instructions which, when run on a computer, cause the computer to execute the method described in the first aspect.
From the above technical solutions it can be seen that the embodiments of this application have the following advantage:
by intercepting CPU instructions and judging their type, the embodiments make every write instruction to the system call table fail, thereby protecting the system call table from being tampered with.
Description of the drawings
Fig. 1 is a schematic diagram of an embodiment of the method for virtual machine security protection provided by the embodiments of this application;
Fig. 2 is a schematic diagram of an embodiment of the device for virtual machine security protection provided by the embodiments of this application;
Fig. 3 is a schematic diagram of another embodiment of the device for virtual machine security protection provided by the embodiments of this application;
Fig. 4 is a schematic diagram of another embodiment of the device for virtual machine security protection provided by the embodiments of this application.
Detailed description of embodiments
The embodiments of this application provide a method and device for virtual machine security protection, which prevent the system call table from being tampered with by malicious programs by blocking the CPU instructions that perform write operations on the system call table. The embodiments also provide a corresponding device and computer-readable storage medium for virtual machine security protection. These are described in detail below.
In a Linux system, each system call corresponds to a system call function in the kernel. These functions usually begin with sys_, and their symbols are all exported by the kernel. A rootkit running in kernel space can obtain the addresses of these system call function symbols and modify the instruction code of the system call functions, so that the malicious code provided by the rootkit is executed in them.
An embodiment of the method for virtual machine security protection provided by the embodiments of this application is shown in Fig. 1. It mainly comprises 7 steps, implemented as follows:
101. Obtain the address of the system call table;
Obtain the memory address of the system call table sys_call_table of the virtual machine's kernel. In this and the subsequent embodiments, the virtual machine is a KVM virtual machine built on hardware virtualization technology, which includes Intel VT (Intel Virtualization Technology) and AMD SVM (AMD Secure Virtual Machine).
In hardware virtualization technology, the operating modes are divided into VMX root operation and VMX non-root operation, and program privilege is further divided into ring 0 to ring 3. The operation of obtaining the memory address of the system call table of the virtual machine's kernel is performed at ring 0 in non-root mode.
102. Intercept CPU instructions;
When a virtual machine is built on hardware virtualization technology, the interception behaviour for CPU instructions is defined by configuring the VMCS (virtual machine control structure) data structure.
In this embodiment, the VMCS is configured so that when the virtual machine generates a CPU instruction, the CPU instruction traps and is captured.
103. Judge whether it is a memory write instruction;
After a CPU instruction is trapped, it is first judged whether it is a memory write instruction. If it is a memory write instruction, step 104 is executed for further judgement; if it is not a memory write instruction, step 107 is executed so that the instruction executes normally.
104. Obtain the write address;
If step 103 judged the CPU instruction to be a memory write instruction, this step further obtains the memory write address of the CPU instruction.
105. Judge whether the write address is a system call table address;
Judge whether the memory write address of the CPU instruction lies within the address range of sys_call_table. If it does, step 106 is executed; otherwise step 107 is executed so that the instruction executes normally.
106. Prevent the write operation;
If the memory write address of the CPU instruction lies within the address range of sys_call_table, this memory write is made to fail, specifically by making the result returned by the CPU instruction an error.
In this embodiment, after the CPU instruction has been prevented, relevant information about the prevented operation, such as the code of the CPU instruction and the time at which it was generated, may also be stored as intercepted-log information. Specifically, the intercepted-log information may be buffered in the Linux system log linked list, from which the user can extract it for inspection.
107. Execute the instruction.
The trapped CPU instruction is allowed to execute normally, handled at ring 0 in root mode.
In this embodiment, a program running at ring 0 in root mode monitors in real time the CPU instructions generated by the virtual machine in non-root mode and restricts memory write operations of CPU instructions to sys_call_table. sys_call_table is thereby write-protected at the highest system privilege level, which prevents a rootkit running in kernel mode in the non-root-mode virtual machine from tampering with the virtual machine's sys_call_table.
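The decision taken in steps 103 to 106 for one trapped instruction, together with the intercepted-log list of step 106, as an added example; this is editorial code, not the patent's, and it also stands in for the interception loop of the CPU virtualization driver module described later in Fig. 3. Two points a practitioner would want are built in and are not spelled out in the text: step 105 is done as an interval overlap test with overflow-safe arithmetic, so a multi-byte write that starts just before the table but spills into it is also refused; and the log list is capped, because a guest that loops on writes to sys_call_table would otherwise make the host allocate a log entry per attempt. The structure and function names, the cap, and the sample addresses are assumptions; the VMCS configuration, the VM exit decoding and the address-space translation (the trapped write address and the sys_call_table range must be compared in the same address space, otherwise a write through an alias mapping of the same page would pass) are assumed to happen before these functions are called.

```c
/* Added example, not the patent's code: models steps 103-106 for one
 * trapped guest CPU instruction plus the bounded intercepted-log list. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <time.h>

/* Memory address range of sys_call_table, obtained in step 101:
 * [start, start + len). Both values are in the same address space as
 * the trapped write address (assumed translated by the caller). */
struct sct_range {
    uint64_t start;
    uint64_t len;
};

/* What the trap handler knows about the guest instruction (assumed to
 * be decoded from the VM exit; the field names are this example's). */
struct guest_insn {
    bool     is_mem_write;  /* step 103: is it a memory write?        */
    uint64_t write_addr;    /* step 104: first byte written           */
    uint64_t write_len;     /* step 104: number of bytes written      */
    uint64_t opcode_bytes;  /* "content of the CPU instruction" (log) */
};

enum verdict { VERDICT_EXECUTE = 0, VERDICT_FAIL_WRITE = 1 };

/* Step 105 as an interval overlap test. The patent text checks that the
 * write range "is located at" the table; treating any overlap as a hit
 * is an editorial choice so a straddling write cannot slip through.
 * The end computation saturates, so a crafted write_len cannot wrap. */
bool write_hits_table(const struct sct_range *t, uint64_t addr, uint64_t len)
{
    if (len == 0 || t->len == 0)
        return false;
    uint64_t t_end = t->start + t->len - 1;               /* inclusive */
    if (addr > t_end)
        return false;
    uint64_t w_end = (len - 1 > UINT64_MAX - addr) ? UINT64_MAX
                                                    : addr + len - 1;
    return w_end >= t->start;
}

/* Step 106 log: singly linked list capped at LOG_CAP entries; attempts
 * beyond the cap are counted in 'dropped' rather than allocated
 * (editorial addition; the patent buffers every intercepted instruction). */
#define LOG_CAP 1024

struct log_entry {
    uint64_t opcode_bytes;
    uint64_t write_addr;
    time_t   when;
    struct log_entry *next;
};

static struct log_entry *log_head, *log_tail;
static size_t   log_count;
static uint64_t log_dropped;

static void log_push(const struct guest_insn *in)
{
    if (log_count >= LOG_CAP) { log_dropped++; return; }
    struct log_entry *e = calloc(1, sizeof *e);
    if (!e) { log_dropped++; return; }
    e->opcode_bytes = in->opcode_bytes;
    e->write_addr   = in->write_addr;
    e->when         = time(NULL);
    if (log_tail) log_tail->next = e; else log_head = e;
    log_tail = e;
    log_count++;
}

/* Steps 103-107 for one trapped instruction. */
enum verdict vmsec_handle_trap(const struct sct_range *t, const struct guest_insn *in)
{
    if (!in->is_mem_write)                                  /* 103 -> 107 */
        return VERDICT_EXECUTE;
    if (!write_hits_table(t, in->write_addr, in->write_len)) /* 105 -> 107 */
        return VERDICT_EXECUTE;
    log_push(in);                                  /* 106: record, then fail */
    return VERDICT_FAIL_WRITE;
}

/* Serves the "access intercepted log" request: pops the oldest entry
 * into *out. Returns false when the list is empty. */
bool vmsec_log_pop(struct log_entry *out)
{
    struct log_entry *e = log_head;
    if (!e) return false;
    *out = *e;
    out->next = NULL;
    log_head = e->next;
    if (!log_head) log_tail = NULL;
    log_count--;
    free(e);
    return true;
}

size_t   vmsec_log_count(void)   { return log_count; }
uint64_t vmsec_log_dropped(void) { return log_dropped; }
```

A write of 8 bytes starting 4 bytes before the table is refused by this check even though its first byte lies outside the table; the single-address comparison the text describes would let it through and corrupt the first entry.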
The method for virtual machine security protection in the embodiments of this application has been described above; the device for virtual machine security protection provided by the embodiments is introduced below. Fig. 2 is a schematic diagram of an embodiment of the device 200 for virtual machine security protection provided by the embodiments of this application. The device 200 comprises:
a first acquisition unit 201, for obtaining the memory address of the system call table;
an interception unit 202, for intercepting the CPU instructions of the virtual machine operating system;
a first judging unit 203, for judging whether a CPU instruction is a memory write instruction;
a second acquisition unit 204, for obtaining the write address of the CPU instruction when the CPU instruction is a memory write instruction;
a second judging unit 205, for judging whether the write address of the CPU instruction lies within the memory address of the system call table;
an operating unit 206, for preventing the write operation of the CPU instruction when the write address of the CPU instruction lies within the memory address of the system call table.
In this embodiment, the device 200 for virtual machine security protection further comprises:
a storage unit 207, for buffering relevant information about the CPU instruction in the log linked list as intercepted-log information, the relevant information including the content of the CPU instruction and time information.
In this embodiment, the device 200 for virtual machine security protection further comprises:
a receiving unit 208, for receiving a request to access the intercepted-log information;
an extraction unit 209, for extracting the intercepted-log information from the log linked list.
In this embodiment, the device 200 for virtual machine security protection further comprises:
a setting unit 210, for configuring the virtual machine control structure (VMCS) to control the interception behaviour for CPU instructions.
The device for virtual machine security protection in the embodiments of this application may also be divided into supervisory-layer modules as in Fig. 3, which is a schematic diagram of another embodiment of the device 300 for virtual machine security protection. The device 300 comprises:
CPU virtualization driver module 301. This module is implemented as a kernel driver, installed by the main service process module 303, and started with the operating system. The code of the CPU virtualization driver module 301 runs at ring 0 in root mode and, as the virtual machine monitor, holds the highest privilege level together with the host kernel. Once running, the module executes in turn: allocating the memory needed for the virtualization data structures, setting the flag bit in the CPU register CR4, filling in the VMCS to indicate the operation of intercepting CPU instructions, obtaining the memory address range of sys_call_table from the OS communication module 302, and making the current operating system run as a virtual machine on a virtual CPU. After the CPU virtualization driver module 301 has been created and initialised by the main service process module 303, it enters the CPU instruction interception loop. For each intercepted CPU instruction, if the CPU instruction is a memory write instruction and the address written lies within the address range of sys_call_table, it makes that memory write operation fail.
OS communication driver module 302. This module is implemented as a kernel driver, installed by the main service process 303, and run automatically after the operating system starts. It runs at ring 0 in non-root mode, the same privilege level as the virtual machine kernel. Once the virtual machine operating system is running, the module first obtains the starting memory address and the memory address range of the virtual machine operating system's sys_call_table and stores the obtained sys_call_table memory address. The module connects upwards to the CPU virtualization driver module 301 and downwards to the main service process module 303. After being created and initialised by the main service process module 303, the module enters a request message processing loop, in which it receives requests from the CPU virtualization driver module 301 to obtain the sys_call_table memory address, buffers in the system log linked list the intercepted-log information that the CPU virtualization driver module 301 generates after preventing a CPU instruction, and, upon receiving a request from the main service process module 303 to obtain intercepted-log information, takes the intercepted-log information out of the system log linked list and returns it to the main service process module 303.
Main service process module 303. This module is implemented as a Linux background service and can communicate with the OS communication driver module 302 to obtain intercepted-log information. The module is also used to create the CPU virtualization driver module 301 and the OS communication driver module 302. The main service process module 303 can unload the CPU virtualization driver module 301 and the OS communication driver module 302; unloading the main service process 303 itself requires a fixed string of instructions, which is provided to the user when the main service process module 303 is created or is configured by the user during creation, so that the main service process module 303 cannot be unloaded by a rogue program.
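The unload guard of the main service process module 303, as an added example that is not the patent's code. The text only says that unloading requires a fixed string issued to the user at creation or configured by the user; how that string is stored and checked is left open, so the choices below are this example's own assumptions: a fixed-length token that can be set exactly once, a comparison that takes the same time whether the first byte or the last byte is wrong (a byte-by-byte early-exit compare would let a local caller recover the token through timing), and a lockout after a small number of failed attempts so the token cannot simply be brute-forced by a rogue program. The names, the token length and the attempt threshold are all assumed.

```c
/* Added example, not the patent's code: unload guard for the main
 * service process (module 303). Token length and lockout threshold
 * are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TOKEN_LEN        32   /* assumed fixed token length          */
#define MAX_BAD_ATTEMPTS 3    /* assumed lockout threshold           */

struct unload_guard {
    uint8_t  token[TOKEN_LEN]; /* set once, at service creation      */
    bool     configured;
    unsigned bad_attempts;
    bool     locked;
};

/* Compares two equal-length buffers without an early exit, so a wrong
 * guess costs the same no matter how many leading bytes match. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Called once when module 303 is created: stores the string the user
 * will later have to present. Refuses a wrong length and refuses to
 * replace an already configured token, so a rogue program cannot swap
 * in a token it knows. */
bool guard_set_token(struct unload_guard *g, const uint8_t *tok, size_t len)
{
    if (g->configured || len != TOKEN_LEN)
        return false;
    memcpy(g->token, tok, TOKEN_LEN);
    g->configured = true;
    return true;
}

/* Unload request: true only if the presented string matches. A wrong
 * length is still run through the full compare (against a zero buffer)
 * so it costs the same as a wrong value. After MAX_BAD_ATTEMPTS
 * consecutive failures the guard locks and refuses every further
 * request; a correct token resets the failure counter. */
bool guard_unload_allowed(struct unload_guard *g, const uint8_t *presented, size_t len)
{
    uint8_t scratch[TOKEN_LEN] = {0};
    const uint8_t *cmp = scratch;

    if (!g->configured || g->locked)
        return false;
    if (len == TOKEN_LEN)
        cmp = presented;
    bool ok = ct_equal(g->token, cmp, TOKEN_LEN) && len == TOKEN_LEN;
    if (!ok) {
        if (++g->bad_attempts >= MAX_BAD_ATTEMPTS)
            g->locked = true;
        return false;
    }
    g->bad_attempts = 0;
    return true;
}
```

Once locked, the guard stays locked even when the correct token is presented; in a real service the only way out would be the host administrator restarting the service, which is the behaviour one wants when something in the guest has started guessing.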
Fig. 4 is a structural schematic diagram of the device 400 for virtual machine security protection provided by the embodiments of this application. The device 400 comprises a processor 401, a memory 402 and an input/output (I/O) interface 403. The memory 402 may include read-only memory and random access memory and provides operating instructions and data to the processor 401; a part of the memory 402 may also include non-volatile random access memory (NVRAM).
The processor 401 controls the operation of the device 400 for virtual machine security protection; the processor 401 may also be referred to as a CPU. In a specific application, the components of the device 400 are coupled together by a bus system 404, which, besides a data bus, may also include a power bus, a control bus and a status signal bus. For clarity, all of these buses are labelled as the bus system 404 in the figure.
The method disclosed in the above embodiments may be applied in the processor 401 or implemented by the processor 401. The processor 401 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by integrated logic circuits of hardware in the processor 401 or by instructions in the form of software. The processor 401 may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps and logic diagrams disclosed in the embodiments of this application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments may be carried out directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium mature in this field, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory 402; the processor 401 reads the information in the memory 402 and completes the steps of the above method in combination with its hardware.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above can be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided by this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and another division may be used in actual implementation; for instance, several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of an embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the methods of the embodiments of this application. The storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The above embodiments are only intended to illustrate the technical solution of this application, not to limit it. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of this application.

Claims (10)

1. A method for virtual machine security protection, characterised in that the method comprises:
obtaining the memory address of the system call table;
intercepting the CPU instructions of the virtual machine operating system;
judging whether a CPU instruction is a memory write instruction;
if so, obtaining the write address of the CPU instruction;
judging whether the write address of the CPU instruction lies within the memory address of the system call table;
if so, preventing the write operation of the CPU instruction.
2. The method according to claim 1, characterised in that, after preventing the write operation of the CPU instruction, the method further comprises:
buffering relevant information about the CPU instruction in a log linked list as intercepted-log information, the relevant information including the content of the CPU instruction and time information.
3. The method according to claim 2, characterised in that, after buffering the relevant information about the CPU instruction in the log linked list as intercepted-log information, the method further comprises:
receiving a request to access the intercepted-log information;
extracting the intercepted-log information from the log linked list.
4. The method according to claim 1, characterised in that, before obtaining the memory address of the system call table, the method further comprises:
configuring the virtual machine control structure (VMCS) to control the interception behaviour for CPU instructions.
5. A device for virtual machine security protection, characterised in that the device comprises:
a first acquisition unit, for obtaining the memory address of the system call table;
an interception unit, for intercepting the CPU instructions of the virtual machine operating system;
a first judging unit, for judging whether a CPU instruction is a memory write instruction;
a second acquisition unit, for obtaining the write address of the CPU instruction when the CPU instruction is a memory write instruction;
a second judging unit, for judging whether the write address of the CPU instruction lies within the memory address of the system call table;
an operating unit, for preventing the write operation of the CPU instruction when the write address of the CPU instruction lies within the memory address of the system call table.
6. The device according to claim 5, characterised in that the device further comprises:
a storage unit, for buffering relevant information about the CPU instruction in a log linked list as intercepted-log information, the relevant information including the content of the CPU instruction and time information.
7. The device according to claim 6, characterised in that the device further comprises:
a receiving unit, for receiving a request to access the intercepted-log information;
an extraction unit, for extracting the intercepted-log information from the log linked list.
8. The device according to claim 5, characterised in that the device further comprises:
a setting unit, for configuring the virtual machine control structure (VMCS) to control the interception behaviour for CPU instructions.
9. A device for virtual machine security protection, characterised in that the device comprises a processor and a memory, the memory storing the instructions for virtual machine security protection of any one of claims 1 to 4, and the processor being configured to execute the instructions for virtual machine security protection in the memory so as to perform the steps of the method for virtual machine security protection of any one of claims 1 to 4.
10. a kind of computer readable storage medium, which is characterized in that be stored in the computer readable storage medium for void The instruction of quasi- machine security protection, when run on a computer, so that computer execution the claims 1-4 is any described Method.
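Claims 1 to 3 describe one procedure: fix the system call table's address range, trap guest CPU instructions, keep only memory writes, resolve the write address, block writes that land in the table, and buffer the blocked instruction's content and time in a log that can later be read out. The following simulation is an added example and is not code from the patent or its applicant: the hypervisor trap is replaced by a constructed list of trapped-instruction records, the guest addresses, the class and function names (SyscallTableGuard, TrappedInstruction, run_trace) and the set of write mnemonics are all hypothetical, and the range check is done as an interval overlap so that a multi-byte write starting just below the table is also caught, a boundary case the claim wording leaves open.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed guest layout (hypothetical addresses): a 64-bit guest whose
# system call table has 300 entries of 8 bytes each.
SYSCALL_TABLE_BASE = 0xFFFFFFFF81E00000
SYSCALL_TABLE_SIZE = 300 * 8

# Mnemonics this toy decoder treats as memory writes when the destination
# operand is a memory reference (a real VMM would decode the instruction).
WRITE_MNEMONICS = {"mov", "movq", "xchg", "or", "and", "xor", "add", "stosq"}


@dataclass(frozen=True)
class TrappedInstruction:
    """One guest instruction trapped by the VMM (constructed record)."""
    rip: int                  # guest instruction pointer
    mnemonic: str
    dest_is_memory: bool      # destination operand is a memory reference
    dest_addr: Optional[int]  # linear address written, if dest_is_memory
    size: int                 # bytes written
    text: str                 # disassembly text, kept as the log "content"


@dataclass(frozen=True)
class InterceptLog:
    """Entry buffered after a blocked write: content plus time (claim 2)."""
    timestamp_ns: int
    content: str
    rip: int
    write_addr: int


class SyscallTableGuard:
    """Applies the claimed check to each trapped instruction (hypothetical)."""

    def __init__(self, table_base: int, table_size: int,
                 clock: Callable[[], int]) -> None:
        # Step 1 of claim 1: the protected range is fixed once at start-up.
        self.table_range: Tuple[int, int] = (table_base, table_base + table_size)
        self._clock = clock                  # injected so a run is reproducible
        self._log: List[InterceptLog] = []   # stands in for the "log linked list"

    @staticmethod
    def is_memory_write(insn: TrappedInstruction) -> bool:
        return insn.dest_is_memory and insn.mnemonic in WRITE_MNEMONICS

    def hits_table(self, addr: int, size: int) -> bool:
        # Interval overlap: a write that starts just below the table but
        # spills into its first entry is caught as well.
        lo, hi = self.table_range
        return addr < hi and addr + size > lo

    def handle(self, insn: TrappedInstruction) -> bool:
        """Return True to let the guest continue, False if the write was blocked."""
        if not self.is_memory_write(insn):
            return True
        addr = insn.dest_addr
        if addr is None or not self.hits_table(addr, insn.size):
            return True
        # Blocked: record content and time before discarding the write.
        self._log.append(InterceptLog(self._clock(), insn.text, insn.rip, addr))
        return False

    def intercepted_logs(self) -> List[InterceptLog]:
        """Serve a request to read the intercepted log information (claim 3)."""
        return list(self._log)


def constructed_trace() -> List[TrappedInstruction]:
    """Constructed trap sequence: two writes hit the table, the rest do not."""
    base = SYSCALL_TABLE_BASE
    return [
        TrappedInstruction(0xFFFFFFFF81000100, "mov", False, None, 8, "mov rax, rbx"),
        TrappedInstruction(0xFFFFFFFF81000104, "mov", True, 0xFFFFC90000013F00, 8, "mov [rsp+8], rax"),
        TrappedInstruction(0xFFFFFFFF81000108, "mov", True, base + 8 * 59, 8, "mov [rdi+0x1d8], rax"),
        TrappedInstruction(0xFFFFFFFF8100010C, "mov", True, base - 4, 8, "mov [rdi-0x4], rax"),
        TrappedInstruction(0xFFFFFFFF81000110, "mov", True, base + SYSCALL_TABLE_SIZE, 8, "mov [rdi+0x960], rax"),
        TrappedInstruction(0xFFFFFFFF81000114, "cmp", True, base + 16, 8, "cmp [rdi+0x10], rax"),
    ]


def run_trace(trace: Optional[List[TrappedInstruction]] = None) -> dict:
    """Feed a trace through the guard; return counts and the buffered log."""
    ticks = [1_000_000]

    def fake_clock() -> int:            # deterministic stand-in for a real clock
        ticks[0] += 1_000
        return ticks[0] - 1_000

    guard = SyscallTableGuard(SYSCALL_TABLE_BASE, SYSCALL_TABLE_SIZE, fake_clock)
    allowed = blocked = 0
    for insn in (trace if trace is not None else constructed_trace()):
        if guard.handle(insn):
            allowed += 1
        else:
            blocked += 1
    return {"allowed": allowed, "blocked": blocked, "logs": guard.intercepted_logs()}


if __name__ == "__main__":
    result = run_trace()
    print(f"allowed={result['allowed']} blocked={result['blocked']}")
    for entry in result["logs"]:
        print(f"{entry.timestamp_ns} rip={entry.rip:#x} -> {entry.write_addr:#x}: {entry.content}")
```

In the constructed trace the write to entry 59 and the 8-byte write starting 4 bytes below the table are blocked and logged; the register move, the stack write, the write that begins exactly at the end of the table and the `cmp` (a memory read) pass through. Two points carry over to a real implementation: the range test must be an overlap test rather than a check of the start address alone, and the decision of whether an instruction writes memory needs a proper decoder, since the same mnemonic can have a register or a memory destination.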

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811027149.3A CN109189558A (en) 2018-09-04 2018-09-04 A kind of method and device for secure virtual machine protection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811027149.3A CN109189558A (en) 2018-09-04 2018-09-04 A kind of method and device for secure virtual machine protection

Publications (1)

Publication Number Publication Date
CN109189558A true CN109189558A (en) 2019-01-11

Family

ID=64914463

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811027149.3A Pending CN109189558A (en) 2018-09-04 2018-09-04 A kind of method and device for secure virtual machine protection

Country Status (1)

Country Link
CN (1) CN109189558A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114968122A (en) * 2022-06-09 2022-08-30 北京天融信网络安全技术有限公司 Virtual machine file tamper-proofing method and private cloud cluster

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080222309A1 (en) * 2007-03-06 2008-09-11 Vedvyas Shanbhogue Method and apparatus for network filtering and firewall protection on a secure partition
CN104899512A (en) * 2015-05-26 2015-09-09 浪潮电子信息产业股份有限公司 Windows system service descriptor table tamper-proofing apparatus and method
CN106650463A (en) * 2016-12-16 2017-05-10 郑州云海信息技术有限公司 System and method for preventing window system service description table from being tampered
CN106685999A (en) * 2017-02-27 2017-05-17 郑州云海信息技术有限公司 Safety protection method for virtual machine, system and safety device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20190111)