CN109684829A - Service call monitoring method and system in a virtualized environment - Google Patents

Service call monitoring method and system in a virtualized environment

Info

Publication number
CN109684829A
Authority
CN
China
Prior art keywords
page
service
virtual machine
service call
memory
Prior art date
Legal status
Granted
Application number
CN201811471745.0A
Other languages
Chinese (zh)
Other versions
CN109684829B (en)
Inventor
蔡权伟
林璟锵
江芳杰
王琼霄
Current Assignee
Institute of Information Engineering of CAS
Data Assurance and Communication Security Research Center of CAS
Original Assignee
Institute of Information Engineering of CAS
Data Assurance and Communication Security Research Center of CAS
Priority date
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS, Data Assurance and Communication Security Research Center of CAS
Priority to CN201811471745.0A
Publication of CN109684829A
Application granted
Publication of CN109684829B
Legal status: Expired - Fee Related

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and system for monitoring service invocation in a virtualized environment. The method is: 1) the cloud generates a hash library of the key code segments of the monitored guest virtual machine from the programs the tenant has authorized to access the service and their related files; 2) after the monitored guest virtual machine starts, the service call monitor sets the permission bits of the memory pages loaded by the guest so that the integrity of the key code segments in memory is verified before the code on a page executes; 3) when the service call monitor detects a service call, it obtains the page directory address of the calling process from the characteristics of the call and allows the call only if that page directory address is in the whitelist process list; when it detects the return-result event of a service call, it obtains the calling process from the characteristics of the return event and lets the result through only if the calling process is in the whitelist process list.

Description

A service call monitoring method and system in a virtualized environment

Technical field

The invention belongs to the technical field of computer security, and in particular relates to a method and system for monitoring service invocation in a virtualized environment.

Background

Cloud computing built on virtualization technology is developing rapidly, and as cloud adoption spreads, services are migrating from local premises to the cloud. According to a RightScale report, 95% of the IT practitioners surveyed said their companies use cloud services. To attract more tenants, cloud providers offer many additional services so that tenants can concentrate on their core business. However, the security of invoking these additional services currently rests only on the user's ID and password: once the ID and password leak, the services a tenant has subscribed to can be invoked by an adversary for malicious ends. For example, cloud providers have begun deploying key management and cryptographic services in the cloud. A key management service isolates the user's keys from the guest virtual machine, so even if the guest is compromised the adversary cannot obtain the keys. But invoking the cryptographic service still depends only on the user's ID and password, so an adversary who obtains them can invoke the cryptographic service from within the guest virtual machine for malicious purposes. Furthermore, to allow the service to be invoked automatically, the user's ID and password are usually written into a configuration file inside the guest virtual machine, which greatly enlarges the threat: once the guest is compromised, the cryptographic service is no longer secure even though the keys themselves are.

The virtual machine monitor (VMM) is a core component of a virtualization platform. It allocates and manages the host's resources so that the guest virtual machines running on it can share the host's physical resources. In general, the hardware devices used by a guest virtual machine are emulated by the VMM, and the VMM handles all guest VM exit events.

Virtual machine introspection (VMI) is a technique for monitoring the running state of a virtual machine from outside it. Monitoring is done by observing memory contents, trapping hardware events and reading CPU registers. Most VMI implementations require prior knowledge of the guest operating system, and use that knowledge together with the guest's memory to reconstruct the guest's state. However, current VMI tools must pause the guest virtual machine while introspecting it, which introduces considerable performance overhead, and they rely on knowledge of the guest operating system to reconstruct semantically meaningful information, so once the guest operating system is compromised the reconstructed information can no longer be trusted. Current detection schemes based on VMI, in order to reduce the performance loss caused by introspection, require an auxiliary module inside the guest to trigger the security check; but once the guest is compromised by an adversary, an auxiliary module installed inside it is no longer trustworthy either.

Most CPUs from AMD and Intel support nested page tables, which greatly speed up the translation of guest virtual addresses to host physical addresses. In addition to the performance gain, nested page table entries carry permission bits, generally three of them: readable, writable and executable. A permission violation raises an exception that causes the guest virtual machine to exit, and the VMM handles the exit event. In particular, if a memory page is marked non-executable, an attempt to execute code on that page triggers an instruction fetch fault. Figure 5 shows address translation through nested page tables and the setting of their permission bits.

Summary of the invention

Addressing the problem that the security of service invocation rests only on a user ID and password, the invention proposes a method and system for monitoring service invocation in a virtualized environment. The scheme designs a service call monitor that detects, in real time, service invocation events occurring in the guest virtual machine and checks the integrity of key code in the guest in real time, so that only authorized programs whose integrity is intact may invoke the service; it also provides auditing. The service call monitoring system is implemented as a component of the virtual machine monitor; its architecture is shown in Figure 1.

Specifically, the technical scheme adopted by the invention is as follows:

A method for monitoring service invocation, where the service is provided in a virtualized environment, comprising the following steps:

1) Generate operating system fingerprint information for the monitored guest virtual machine, which the monitoring system uses to bridge part of the semantic gap; using the process structure layout and the system symbol table in the fingerprint, build the process list and walk every process in it to obtain the page directory address of the calling process;

2) In a secure environment the tenant designates the programs authorized to access the service and transfers their files over a secure network connection to the cloud; from these binaries the cloud generates a hash library of the key code segments of the monitored guest virtual machine, which the service call monitoring system uses to verify the integrity of the key code segments;

3) From the moment the guest virtual machine boots, the service call monitor uses the nested page table support of the CPU to set the permission bits of the memory pages loaded by the guest, so that the integrity of the key code segments in memory is verified in real time before the code on a page executes, and maintains a whitelist of processes; the whitelist stores the page directory addresses of whitelisted processes, where a whitelisted process is one that is authorized and whose code segment integrity has been verified;

4) The service call monitor detects service calls in the virtual machine monitor (VMM). When it detects a service call event it invokes the virtual machine state inspection module, which obtains information about the calling process from the characteristics of the call. For example, when a KMS service is invoked over the network, packets sent to the KMS can be found by filtering network packets, from which it is concluded that a cryptographic service call has occurred in the VM; the IP address and port of that network connection are the characteristics of the service call. The module then introspects the virtual machine's memory to obtain the page directory address of the calling process, and the service call is allowed through (that is, forwarded to the server) only if that page directory address is in the whitelist process list;

5) For service calls that return a result, the service call monitor detects the return-result event of the call in the VMM. When it detects that event it invokes the virtual machine state inspection module, which obtains information about the calling process from the characteristics of the return-result event, and the returned result is allowed through (that is, delivered back into the monitored virtual machine) only if the calling process is in the whitelist process list.

Further, the service call monitoring system may be implemented on a Xen-based virtualization system, on VMware ESX/ESXi or Hyper-V based systems, or on a KVM-QEMU based system.

Further, in step 1) the user generates the operating system fingerprint of the monitored guest virtual machine in a secure environment; the fingerprint comprises the kernel structure layout and the system symbol table of the guest operating system.

Further, in step 2) the user designates the whitelisted programs authorized to invoke the service and, in a secure environment, transfers the files containing the key code segments to the cloud, which generates the hash library of the key code segments of the monitored guest virtual machine. The key code segments comprise the kernel image code segment, the kernel module code segments, the code segments of the executables authorized to invoke the cryptographic service, and the code segments of the dynamic libraries those executables depend on. The hash library contains the entry point of each key code segment, the segment's offset, the virtual address at which the segment is loaded into memory, and the hash of the segment computed page by page.
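The following C program is added here as an illustration of step 2) and is not part of the patent or its implementation. It builds the page-granular hash library for one code segment and checks a live page against it. It assumes 4 KiB pages, uses 64-bit FNV-1a as a placeholder because the patent names no hash algorithm, and treats the bytes of a partial first or last page that lie outside the segment as zero; the record layout, the 6000-byte sample image, its load address 0x400ff0 and its entry point 0x401200 are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define MAX_ENTRIES 64

/* One record of the hash library: a page-aligned guest virtual address, the
 * hash of the 4 KiB of code expected there, and whether the program's entry
 * point lies on that page (the page that admits a process to the whitelist). */
struct hash_entry { uint64_t vaddr; uint64_t hash; int has_entry_point; };
struct hash_library { struct hash_entry e[MAX_ENTRIES]; size_t n; };

/* 64-bit FNV-1a stands in for the hash, which the patent does not specify;
 * a deployment would use a cryptographic hash such as SHA-256. */
uint64_t page_hash(const uint8_t *p, size_t len) {
    uint64_t h = 0xcbf29ce484222325ull;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x100000001b3ull; }
    return h;
}

/* Hash a code segment page by page. seg_vaddr is the address the loader maps
 * the segment at, seg_len its size, entry the program entry point. The segment
 * need not start or end on a page boundary; bytes of the first and last page
 * outside the segment are assumed to be zero here, so the verifier must see
 * the same bytes there (in practice: hash exactly what the loader maps). */
size_t build_hash_library(struct hash_library *lib, uint64_t seg_vaddr,
                          const uint8_t *seg, size_t seg_len, uint64_t entry) {
    uint64_t start = seg_vaddr & ~(uint64_t)(PAGE_SIZE - 1);
    uint64_t end = seg_vaddr + seg_len;
    lib->n = 0;
    for (uint64_t pg = start; pg < end && lib->n < MAX_ENTRIES; pg += PAGE_SIZE) {
        uint8_t page[PAGE_SIZE] = {0};
        uint64_t lo = pg > seg_vaddr ? pg : seg_vaddr;             /* part of this  */
        uint64_t hi = pg + PAGE_SIZE < end ? pg + PAGE_SIZE : end;  /* page in segment */
        memcpy(page + (lo - pg), seg + (lo - seg_vaddr), (size_t)(hi - lo));
        struct hash_entry *he = &lib->e[lib->n++];
        he->vaddr = pg;
        he->hash = page_hash(page, PAGE_SIZE);
        he->has_entry_point = entry >= pg && entry < pg + PAGE_SIZE;
    }
    return lib->n;
}

/* Expected hash of the page containing vaddr, or NULL if the address is not
 * covered by the library (not a key code page). */
const struct hash_entry *lookup_page(const struct hash_library *lib, uint64_t vaddr) {
    uint64_t pg = vaddr & ~(uint64_t)(PAGE_SIZE - 1);
    for (size_t i = 0; i < lib->n; i++)
        if (lib->e[i].vaddr == pg) return &lib->e[i];
    return NULL;
}

/* Check the live contents of a guest page read at a fetch fault against the
 * library: 1 = intact, 0 = tampered, -1 = not a key code page. */
int verify_page(const struct hash_library *lib, uint64_t vaddr, const uint8_t *live) {
    const struct hash_entry *he = lookup_page(lib, vaddr);
    if (!he) return -1;
    return page_hash(live, PAGE_SIZE) == he->hash;
}

/* Constructed sample: a 6000-byte code image loaded at 0x400ff0, so that it
 * straddles three pages, with its entry point at 0x401200. Returns a bitmask
 * of failed expectations; 0 means the library behaved as intended. */
int demo(void) {
    static uint8_t image[6000], live[PAGE_SIZE];
    struct hash_library lib;
    int bad = 0;
    for (size_t i = 0; i < sizeof image; i++) image[i] = (uint8_t)(i * 31 + 7);
    if (build_hash_library(&lib, 0x400ff0, image, sizeof image, 0x401200) != 3) bad |= 1;
    if (lib.e[0].has_entry_point || !lib.e[1].has_entry_point) bad |= 2;
    memcpy(live, image + 0x10, PAGE_SIZE);       /* guest page 0x401000 as loaded */
    if (verify_page(&lib, 0x401234, live) != 1) bad |= 4;    /* any address on the page */
    live[77] ^= 0x01;                                        /* a one-bit patch */
    if (verify_page(&lib, 0x401000, live) != 0) bad |= 8;
    if (verify_page(&lib, 0x403000, live) != -1) bad |= 16;  /* not a key code page */
    return bad;
}

int main(void) { printf("failed checks: %d\n", demo()); return demo() != 0; }
```

When a segment does not end on a page boundary, whatever the loader maps after it (the following section, or zero-fill past the end of the file) is part of the page the hypervisor will hash, so the library generator and the runtime verifier must agree on those bytes. The kernel-module case of the embodiment, where the Init and Core sections are laid out by simulating the kernel's loader, is the same requirement in a harder form.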

Further, in step 3) the real-time integrity verification of the key code segments loaded into memory, using the nested page table support of the CPU, can be implemented on CPUs with Intel EPT or AMD RVI.

Further, in step 3) the permission bits of the nested page tables supported by the CPU are set so that code in the monitored guest virtual machine is integrity-checked before it executes, as follows:

a) Mark all memory pages loaded by the guest virtual machine non-executable by clearing their execute permission bit;

b) When a page fault exception occurs, the VMM handles it: if the cause is an instruction fetch fault, go to step c); if the cause is a write fault, go to step d);

c) Verify the integrity of the memory page that caused the fetch fault and maintain the whitelist process list according to the result. For a page that passes verification (that is, belongs to a key code segment), set its permissions to executable and non-writable; for a page that fails verification (that is, it is not a key code page, or it is a key code page that has been tampered with), set the permissions of the faulting page to executable and writable;

d) Set the page's write permission bit to writable and its execute permission bit to non-executable.

Further, when handling a fetch fault, the locality principle is exploited to verify the integrity of the code segment and to maintain the whitelist process list according to the result, as follows:

a) Examine the guest virtual address that raised the fetch fault. If it is a kernel-space address, go to step b); if it is a user-space address, go to step g);

b) Check whether the virtual address lies in a known kernel address range. If so, go to step c); otherwise go to step d);

c) Compute the hash of the code on the faulting memory page and compare it with the hash of the corresponding kernel code page in the hash library. If they differ, go to step d); if they match, do nothing further;

d) Compute the hash of the code on the memory page and compare it with the hashes of the code pages containing the entry points of all kernel modules. If one matches, go to step e); otherwise go to step f);

e) Record the address range of that kernel module, so that when a new code page executes, triggers a non-executable fault and its address falls within this range, the corresponding code page can be located for hash verification; then go to step g);

f) Clear the whitelist process list and mark the monitored guest virtual machine as suspicious; then go to step g);

g) Check whether the CR3 register value (that is, the page directory address of the current process) is in the whitelist process list. If it is, go to step h); otherwise go to step i);

h) Compute the hash of the code on the memory page that triggered the fetch fault and compare it with the hash of the corresponding code page in the hash library. If they differ, go to step j);

i) Compute the hash of the code on the memory page that triggered the fetch fault and compare it with the hashes of the code pages containing the entry points of all programs authorized to access the service. If one matches, and the address of this memory page equals the address of the page containing that entry point, go to step k);

j) Remove the CR3 register value (that is, the page directory address of the current process) from the whitelist process list and go to step i);

k) Insert the CR3 register value into the whitelist process list.
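As an added illustration (example code written for this page, not the patent's implementation), the C program below models the permission state machine of steps a) to d) and the whitelist maintenance of steps a) to k) on a constructed four-page guest. Guest physical and virtual addresses are identified, the kernel text base KERNEL_BASE, the CR3 values 0x1000 and 0x2000 and the library layout are assumptions, FNV-1a stands in for the unspecified hash, and the kernel-module address-range bookkeeping of step e) is reduced to an entry-page match. Note what the scheme does and does not do: code that fails verification, and code on an unknown page, is still allowed to run (with the page executable and writable); the control lies in step 4), where only a process whose CR3 is in the whitelist may have its service call forwarded.

```c
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define NPAGES 4
#define KERNEL_BASE 0xffffffff80000000ull   /* assumed x86-64 Linux kernel text base */
enum { PERM_W = 1, PERM_X = 2 };            /* EPT write / execute bits modelled here */
enum fault { FAULT_FETCH, FAULT_WRITE };

/* Guest state as the monitor sees it. To stay short, page i is simply mapped
 * at vaddr[i]; a real monitor walks the guest page tables for this. */
struct guest {
    uint8_t  mem[NPAGES][PAGE_SIZE]; uint64_t vaddr[NPAGES];
    uint8_t  perm[NPAGES];             /* EPT permission bits, all 0 (NX) at boot */
    uint64_t whitelist[8]; int nwhite; /* CR3 values of trusted processes */
    int      suspicious;
};
/* Hash library built offline from the authorized binaries and the kernel. */
struct lib_entry { uint64_t vaddr, hash; int is_entry_page, is_kernel; };
struct hash_library { struct lib_entry e[8]; int n; };

/* FNV-1a stands in for the unspecified hash; use SHA-256 in a deployment. */
static uint64_t page_hash(const uint8_t *p) {
    uint64_t h = 0xcbf29ce484222325ull;
    for (unsigned i = 0; i < PAGE_SIZE; i++) { h ^= p[i]; h *= 0x100000001b3ull; }
    return h;
}
static const struct lib_entry *lib_lookup(const struct hash_library *l, uint64_t va) {
    for (int i = 0; i < l->n; i++) if (l->e[i].vaddr == va) return &l->e[i];
    return NULL;
}
static int white_find(const struct guest *g, uint64_t cr3) {
    for (int i = 0; i < g->nwhite; i++) if (g->whitelist[i] == cr3) return i;
    return -1;
}

/* Steps a)-k): integrity check of the page that raised a fetch fault and the
 * resulting whitelist update. Returns 1 if the page is verified key code. */
static int verify_and_update(struct guest *g, const struct hash_library *lib,
                             uint64_t cr3, uint64_t va, const uint8_t *page) {
    uint64_t h = page_hash(page);
    const struct lib_entry *le = lib_lookup(lib, va);
    if (va >= KERNEL_BASE) {                                 /* a) kernel address */
        if (le && le->is_kernel && le->hash == h) return 1;  /* b)-c) known, intact */
        for (int i = 0; i < lib->n; i++)                     /* d)-e) module entry page */
            if (lib->e[i].is_kernel && lib->e[i].is_entry_page && lib->e[i].hash == h)
                return 1;                                    /* (range bookkeeping omitted) */
        g->nwhite = 0; g->suspicious = 1;                    /* f) unknown kernel code */
        return 0;
    }
    int w = white_find(g, cr3);                              /* g) process trusted? */
    if (w >= 0) {
        if (le && le->hash == h) return 1;                   /* h) page intact */
        g->whitelist[w] = g->whitelist[--g->nwhite];         /* j) drop the process */
    }
    if (le && le->is_entry_page && !le->is_kernel && le->hash == h && g->nwhite < 8) {
        g->whitelist[g->nwhite++] = cr3;                     /* i)-k) admit on entry page */
        return 1;
    }
    return 0;
}

/* Steps a)-d): the EPT violation handler. Returns the permissions installed.
 * c): verified code gets X without W, so a later write faults, drops X and
 * forces re-verification; anything else may run with X and W but is never
 * trusted for service calls. */
int handle_ept_violation(struct guest *g, const struct hash_library *lib,
                         enum fault kind, uint64_t cr3, int pfn) {
    if (kind == FAULT_WRITE) return g->perm[pfn] = PERM_W;               /* d) */
    int ok = verify_and_update(g, lib, cr3, g->vaddr[pfn], g->mem[pfn]);
    return g->perm[pfn] = ok ? PERM_X : (PERM_X | PERM_W);
}

/* Step 4): the service-call gate is a whitelist lookup. Refusing calls while
 * the guest is flagged suspicious is a hardening added in this example. */
int allow_service_call(const struct guest *g, uint64_t caller_cr3) {
    return !g->suspicious && white_find(g, caller_cr3) >= 0;
}

/* Constructed guest: program A (entry page, second code page), one kernel
 * text page and one unknown user page, each filled with distinct bytes. */
static void setup(struct guest *g, struct hash_library *lib) {
    uint64_t va[NPAGES] = { 0x400000, 0x401000, KERNEL_BASE + 0x1000000, 0x600000 };
    memset(g, 0, sizeof *g); memset(lib, 0, sizeof *lib);
    for (int p = 0; p < NPAGES; p++) {
        g->vaddr[p] = va[p];
        for (unsigned i = 0; i < PAGE_SIZE; i++) g->mem[p][i] = (uint8_t)(i * 7 + p * 13);
    }
    struct lib_entry e[3] = { { va[0], page_hash(g->mem[0]), 1, 0 },   /* A entry page */
                              { va[1], page_hash(g->mem[1]), 0, 0 },   /* A code page  */
                              { va[2], page_hash(g->mem[2]), 0, 1 } }; /* kernel text  */
    memcpy(lib->e, e, sizeof e); lib->n = 3;
}

/* Bitmask of violated expectations; 0 means every step behaved as specified. */
int run_scenario(void) {
    struct guest g; struct hash_library lib; setup(&g, &lib);
    const uint64_t A = 0x1000, M = 0x2000;   /* CR3 of program A and of malware */
    int bad = 0;
    if (handle_ept_violation(&g, &lib, FAULT_FETCH, A, 0) != PERM_X) bad |= 1;  /* A admitted */
    if (!allow_service_call(&g, A)) bad |= 2;
    if (handle_ept_violation(&g, &lib, FAULT_FETCH, A, 1) != PERM_X) bad |= 4;  /* page intact */
    if (handle_ept_violation(&g, &lib, FAULT_FETCH, M, 3) != (PERM_X | PERM_W)) bad |= 8;
    if (allow_service_call(&g, M)) bad |= 16;                 /* unknown code never trusted */
    if (handle_ept_violation(&g, &lib, FAULT_WRITE, A, 1) != PERM_W) bad |= 32; /* code patched */
    g.mem[1][100] ^= 0xff;
    if (handle_ept_violation(&g, &lib, FAULT_FETCH, A, 1) != (PERM_X | PERM_W)) bad |= 64;
    if (allow_service_call(&g, A)) bad |= 128;                /* A lost its whitelist entry */
    return bad;
}
/* Tampered kernel text: whitelist cleared and guest flagged suspicious (step f). */
int kernel_tamper_flags_guest(void) {
    struct guest g; struct hash_library lib; setup(&g, &lib);
    handle_ept_violation(&g, &lib, FAULT_FETCH, 0x1000, 0);
    g.mem[2][0] ^= 0x90;
    handle_ept_violation(&g, &lib, FAULT_FETCH, 0x1000, 2);
    return g.suspicious && g.nwhite == 0;
}
```

The write-fault branch matters more than it looks: because a verified page is executable but not writable, any in-place patch of trusted code faults, clears the execute bit and forces re-verification on the next fetch, which is what evicts process A from the whitelist in the scenario. Refusing calls while the guest is marked suspicious is extra hardening in this example: step f) already empties the whitelist, but a fresh process could afterwards be re-admitted through its entry page.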

Further, in step 4), once the service call monitor detects a service call event in the VMM, it uses the fingerprint of the monitored virtual machine to read the virtual machine's memory, reconstructs the high-level semantic information of the process associated with the service call event, obtains the page directory address of the calling process from that process's memory area, and checks whether the value is present in the whitelist process table; if it is, the service call is allowed through, otherwise it is rejected.

Compared with the prior art, the invention has the following positive effects:

In the invention, the service call monitoring system can monitor not only calls to services that the cloud provider offers over the network, but also calls to other services, for example cryptographic services provided over the network by a third party, services provided by virtual devices in the virtualization platform (such as a vTPM), and services provided by physical devices.

Description of drawings

Figure 1 is a schematic diagram of the cryptographic service call monitoring system;

Figure 2 is a schematic diagram of the cryptographic service call monitoring system of the embodiment, in which the cryptographic service is provided by a KMS service;

Figure 3 shows the process structure description used in the Linux system of the embodiment;

Figure 4 is a flow chart of the key code segment integrity verification;

Figure 5 is a schematic diagram of address translation using nested page tables.

Detailed description

To make the above objects, features and advantages of the invention clearer and easier to understand, the invention is further described below through a specific embodiment and the accompanying drawings.

This embodiment is an instance of a cryptographic service call monitoring system in a cloud environment.

Figure 2 shows the monitoring of cryptographic service calls in a virtualized environment using the method of the invention. The user subscribes to the key management service (KMS) offered by the cloud provider; the KMS is exposed over HTTPS and is responsible for managing the user's keys and performing cryptographic operations.

The service call monitoring system of this embodiment is implemented on the QEMU-KVM virtualization platform, with a host using an Intel CPU. Detection of cryptographic service call events is implemented in QEMU; the part that uses Intel EPT to verify the integrity of key code segments is implemented in the KVM kernel module. KVM is a Linux kernel module that accelerates guest virtual machines using hardware virtualization, and it also maintains the EPT page tables. Every VM exit is first handled by KVM; events KVM cannot handle, such as I/O, are passed to QEMU in user space. The guest virtual machine runs Linux with kernel version 3.13.7.

In the embodiment, the Volatility tool is used, in a secure environment, to generate a profile of the kernel structures and system symbols of the monitored guest virtual machine.

In the embodiment the user designates program A as authorized to call the KMS service; the dynamic library A depends on is libc.so.6. In a secure environment the ELF files of the kernel image, program A and libc.so.6 are analyzed to extract the load address and contents of their code segments; each code segment is hashed page by page and each hash is written into the hash library together with its load address. At the same time the .ko files in the monitored guest virtual machine are collected, the kernel's loading and linking of each .ko is simulated to compute the offsets at which the code in the Init and Core sections of the corresponding kernel module is loaded into memory, and those code sections are hashed page by page and written into the hash library together with their offset addresses.

实施例中,在客户虚拟机启动时开始,对其加载的内存中的物理页所对应的EPT页表中条目的权限位进行设置,保证所有加载到内存中的代码在执行前触发完整性检测,具体步骤如下:In the embodiment, starting when the guest virtual machine is started, the permission bits of the entries in the EPT page table corresponding to the physical pages in the loaded memory are set to ensure that all codes loaded into the memory trigger integrity detection before execution. ,Specific steps are as follows:

a)从客户虚拟机启动时开始,初始化一个白名单进程链表,且在EPT页表上将所有新加载的内存页对应的页表条目权限位设置为不可执行;a) Starting from when the guest virtual machine is started, initialize a whitelist process linked list, and set the page table entry permission bits corresponding to all newly loaded memory pages to non-executable on the EPT page table;

b)发生EPT Violation异常造成客户虚拟机退出时,在KVM中读取error_code,若error_code为取指错误,执行步骤c);如果error_code为写错误执行步骤d);b) When the EPT Violation exception occurs and the guest virtual machine exits, read the error_code in the KVM, if the error_code is an instruction fetch error, execute step c); if the error_code is a write error, execute step d);

c)对该代码页的完整性校验;c) Integrity check of the code page;

d)将该内存页的权限设置为可写、不可执行。d) Set the permission of the memory page to be writable and non-executable.

In the embodiment, when the EPT violation is an instruction fetch fault, the monitor reads from the monitored guest virtual machine the value of the CR3 register (the page directory address of the current process), the value of the CR2 register (the guest virtual address that caused the instruction fetch fault) and the contents of the code page that caused the fault, and then starts the integrity check of that code page. As shown in Figure 4, the check proceeds as follows:

a) Check the guest virtual address that caused the instruction fetch fault: if it is a kernel-space address, go to step b); if it is a user-space address, go to step g);

b) Check whether the virtual address lies in a known kernel address range; if it does, go to step c); otherwise go to step d);

c) Compute the hash of the code segment on the memory page and compare it with the hash of the corresponding kernel code page in the hash library; if the two differ, go to step d);

d) Compute the hash of the code segment on the memory page and compare it with the hashes of the code pages holding the entry points of all kernel modules; if a match is found, go to step e); otherwise go to step f);

e) Record the address range of that kernel module;

f) Clear the whitelist process list and mark the state of the monitored guest virtual machine as suspicious;

g) Check whether the CR3 register value is in the whitelist process list; if it is, go to step h); otherwise go to step i);

h) Compute the hash of the code segment on the memory page and compare it with the hash of the corresponding code page in the hash library; if the two differ, go to step j);

i) Compute the hash of the code segment on the memory page and compare it with the hashes of the code pages holding the entry points of all authorized programs; if a match is found, go to step k);

j) Remove the CR3 register value from the whitelist process list and go to step i);

k) Insert the CR3 register value into the whitelist process list.
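The code-page check above, combined with the page-permission rules stated in claim 2 of the Claims section (all pages start non-executable; a page that passes the check becomes executable and non-writable; a write fault makes the page writable and non-executable again), as an added Python model that is not part of the patent text or of its KVM implementation. The hash library contents, page contents, guest addresses and CR3 values are constructed for the example, and the requirement in step i) that the entry-point page also sit at its expected address follows claim 3. The model keeps the whitelist and the list of known kernel ranges as plain Python structures and replays a sequence of constructed violations to show how a tampered user page revokes its process and how unknown kernel code clears the whitelist:

```python
import hashlib
from dataclasses import dataclass, field

PAGE_SIZE = 4096
KERNEL_BASE = 0xFFFF800000000000  # assumption: upper-half x86-64 addresses are kernel space


def page_hash(code: bytes) -> str:
    """Per-page hash of a code page, the unit in which the hash library stores hashes."""
    return hashlib.sha256(code).hexdigest()


@dataclass
class HashLibrary:
    """Constructed stand-in for the cloud-side hash library."""
    known_pages: dict          # guest virtual address -> hash of the key code page loaded there
    module_entry_pages: dict   # hash of a kernel module's entry-point page -> (start, end) of that module
    program_entry_pages: dict  # hash of an authorized program's entry-point page -> its virtual address


@dataclass
class VmState:
    """Monitor-side state kept for one monitored guest."""
    known_kernel_ranges: list = field(default_factory=list)  # (start, end): kernel image plus recorded modules
    whitelist: set = field(default_factory=set)              # page directory addresses (CR3) of verified processes
    page_perms: dict = field(default_factory=dict)           # guest virtual address -> permission now granted
    suspicious: bool = False


def verify_fetch(lib: HashLibrary, vm: VmState, cr3: int, gva: int, code: bytes) -> bool:
    """Steps a) to k) for one instruction-fetch violation; True means the page may execute."""
    h = page_hash(code)
    if gva >= KERNEL_BASE:                                             # a) kernel-space address
        if any(lo <= gva < hi for lo, hi in vm.known_kernel_ranges):   # b) inside a known kernel range?
            if lib.known_pages.get(gva) == h:                          # c) matches the stored kernel page
                return True
        if h in lib.module_entry_pages:                                # d) entry page of a known module?
            vm.known_kernel_ranges.append(lib.module_entry_pages[h])   # e) record the module's range
            return True
        vm.whitelist.clear()                                           # f) unknown kernel code: no process
        vm.suspicious = True                                           #    can be trusted any more
        return False
    if cr3 in vm.whitelist:                                            # g) process already whitelisted?
        if lib.known_pages.get(gva) == h:                              # h) page matches the library
            return True
        vm.whitelist.discard(cr3)                                      # j) code changed: revoke, then i)
    if lib.program_entry_pages.get(h) == gva:                          # i) authorized entry page at the
        vm.whitelist.add(cr3)                                          #    expected address -> k) whitelist
        return True
    return False


def handle_ept_violation(lib: HashLibrary, vm: VmState, kind: str, cr3: int, gva: int, code: bytes) -> str:
    """Nested-page-table fault handler following claim 2: a fetch fault triggers verification,
    a write fault strips execute permission so the page is verified again before it next runs."""
    if kind == "write":                                   # step 24: writable, non-executable
        perm = "RW"
    elif verify_fetch(lib, vm, cr3, gva, code):           # step 23: verified page runs read-only
        perm = "RX"
    else:                                                 # step 23: a failed page is left executable and
        perm = "RWX"                                      # writable; its process is just not whitelisted
    vm.page_perms[gva] = perm
    return perm


def _page(tag: bytes) -> bytes:
    """Constructed code page: a tag followed by NOP padding."""
    return tag.ljust(PAGE_SIZE, b"\x90")


# Constructed addresses: kernel text, a module entry page, an authorized client's entry and body pages.
KTEXT, MOD_ENTRY, PROG_ENTRY, PROG_BODY = 0xFFFFFFFF81000000, 0xFFFFFFFFC0000000, 0x400000, 0x401000
CR3 = 0x1234000  # constructed page directory address of the client process


def build_library() -> HashLibrary:
    return HashLibrary(
        known_pages={KTEXT: page_hash(_page(b"kernel-text")), PROG_BODY: page_hash(_page(b"client-body"))},
        module_entry_pages={page_hash(_page(b"mod-a-entry")): (MOD_ENTRY, MOD_ENTRY + 0x10000)},
        program_entry_pages={page_hash(_page(b"client-entry")): PROG_ENTRY},
    )


def demo() -> dict:
    """Replay a constructed sequence of violations and report what the monitor decided."""
    lib = build_library()
    vm = VmState(known_kernel_ranges=[(KTEXT, KTEXT + 0x1000000)])   # kernel image range known at boot
    r = {}
    r["kernel_ok"] = handle_ept_violation(lib, vm, "fetch", CR3, KTEXT, _page(b"kernel-text"))
    r["module_ok"] = handle_ept_violation(lib, vm, "fetch", CR3, MOD_ENTRY, _page(b"mod-a-entry"))
    r["module_recorded"] = (MOD_ENTRY, MOD_ENTRY + 0x10000) in vm.known_kernel_ranges
    r["entry_ok"] = handle_ept_violation(lib, vm, "fetch", CR3, PROG_ENTRY, _page(b"client-entry"))
    r["whitelisted"] = CR3 in vm.whitelist
    r["body_ok"] = handle_ept_violation(lib, vm, "fetch", CR3, PROG_BODY, _page(b"client-body"))
    r["write"] = handle_ept_violation(lib, vm, "write", CR3, PROG_BODY, b"")
    r["tampered"] = handle_ept_violation(lib, vm, "fetch", CR3, PROG_BODY, _page(b"client-body-patched"))
    r["still_whitelisted"] = CR3 in vm.whitelist
    r["kernel_tampered"] = handle_ept_violation(lib, vm, "fetch", CR3, KTEXT, _page(b"kernel-text-patched"))
    r["suspicious"] = vm.suspicious
    r["whitelist_size"] = len(vm.whitelist)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The write-fault branch is what makes the scheme hold over time: a process that was whitelisted at its entry point and later has a code page modified in place takes a write fault first, loses execute permission on that page, and is re-checked (step h) at the next fetch, which is when the whitelist entry is revoked.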

In the embodiment, a set of ioctl calls is implemented in the KVM module for QEMU to invoke; they are used to check whether the page directory address of the current process is in the whitelist process list. When the network packet filtering module detects a network packet related to the KMS, it uses memory analysis to walk the process list and identify the process that invokes the cryptographic service, namely the process holding an open file handle that is a socket connection whose remote address is the IP and port of the KMS; it extracts that process's page directory address (the Linux process structure is shown in Figure 3) and checks whether this page directory address is in the whitelist process table maintained by KVM. If the value is in the whitelist process table, the packet is allowed through; otherwise the packet is dropped. Likewise, when a packet returned by the KMS is detected, the monitor checks again whether the page directory address of the calling process is still in the whitelist process list; if it is, the returned packet is allowed into the monitored guest virtual machine; otherwise the packet is dropped.
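The packet-level check of the paragraph above (walk the guest's process list, find the process whose socket is connected to the KMS, and consult the whitelist for both the request and the returned result), as an added Python model that is not code from the patent or from KVM/QEMU. The process list, the KMS address 10.0.0.5:8443, the guest address and the page directory values are constructed for the example, and find_caller stands in for the memory-analysis step that reconstructs the Linux task structures of Figure 3:

```python
from dataclasses import dataclass

KMS_ENDPOINT = ("10.0.0.5", 8443)   # assumption: constructed address of the key management service
GUEST_IP = "10.0.0.20"              # assumption: constructed address of the monitored guest


@dataclass
class GuestProcess:
    """Minimal view of a guest task as reconstructed from the guest's memory."""
    pid: int
    pgd: int         # page directory address, i.e. the CR3 value while this process runs
    sockets: list    # (local_port, remote_ip, remote_port) of each open socket descriptor


def find_caller(processes, local_port):
    """Walk the reconstructed process list for the task whose socket to the KMS uses local_port."""
    for proc in processes:
        for lport, rip, rport in proc.sockets:
            if lport == local_port and (rip, rport) == KMS_ENDPOINT:
                return proc
    return None


def filter_packet(packet, processes, whitelist):
    """Return 'allow' or 'drop' for one packet given as (src_ip, src_port, dst_ip, dst_port)."""
    src_ip, src_port, dst_ip, dst_port = packet
    if (dst_ip, dst_port) == KMS_ENDPOINT:      # request from the guest to the KMS
        local_port = src_port
    elif (src_ip, src_port) == KMS_ENDPOINT:    # result returning from the KMS
        local_port = dst_port
    else:
        return "allow"                          # not a service-call packet, not subject to the check
    caller = find_caller(processes, local_port)
    if caller is None or caller.pgd not in whitelist:
        return "drop"                           # unknown caller or caller not (or no longer) verified
    return "allow"


def demo() -> dict:
    """Run a few constructed packets through the filter and report the decisions."""
    whitelist = {0x1234000}                     # maintained by the code-page checks in KVM
    processes = [
        GuestProcess(pid=1001, pgd=0x1234000, sockets=[(40000, *KMS_ENDPOINT)]),   # verified client
        GuestProcess(pid=1002, pgd=0x5678000, sockets=[(40001, *KMS_ENDPOINT)]),   # unverified process
        GuestProcess(pid=1003, pgd=0x9ABC000, sockets=[(40002, "10.0.0.7", 80)]),  # unrelated traffic
    ]
    results = {
        "verified_request": filter_packet((GUEST_IP, 40000, *KMS_ENDPOINT), processes, whitelist),
        "unverified_request": filter_packet((GUEST_IP, 40001, *KMS_ENDPOINT), processes, whitelist),
        "verified_reply": filter_packet((*KMS_ENDPOINT, GUEST_IP, 40000), processes, whitelist),
        "unrelated": filter_packet((GUEST_IP, 40002, "10.0.0.7", 80), processes, whitelist),
    }
    whitelist.discard(0x1234000)                # a later code-page check revoked the client
    results["reply_after_revocation"] = filter_packet((*KMS_ENDPOINT, GUEST_IP, 40000), processes, whitelist)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Checking the returned result a second time matters because the whitelist can change between request and reply: if the caller's code page was modified while the request was in flight, the result is dropped even though the request was allowed out.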

The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Those of ordinary skill in the art may modify or equivalently replace the technical solution of the present invention without departing from its spirit and scope; the scope of protection of the present invention shall be that stated in the claims.

Claims (9)

1. A service call monitoring method in a virtualization environment, comprising the following steps:
1) the cloud side generates a hash library of the key code segments in the monitored guest virtual machine according to the programs the tenant has authorized to access the service and the related source files; the hash library is used by the service call monitor to check the integrity of the key code segments;
2) after the monitored guest virtual machine is started, the service call monitor uses nested page table technology to set permission limits on the memory pages loaded by the monitored guest virtual machine, so that the integrity of the key code segments in memory is verified before the code on a memory page is executed, and maintains a whitelist process linked list that stores the page directory addresses of the whitelist processes; a whitelist process is an authorized process whose code segment integrity has been verified;
3) when the service call monitor detects that a service call occurs, it calls the virtual machine state detection module, obtains the page directory address of the calling process according to the features of the service call, and allows the service call to be executed when the page directory address of the calling process is in the whitelist process linked list;
4) for a service call with a return result, the service call monitor detects the return result event of the service call; when it detects that the return result event has occurred, it calls the virtual machine state detection module, obtains the information of the calling process according to the characteristics of the return result event, and allows the return result of the service call to pass when the calling process is in the whitelist process linked list.
2. The method of claim 1, wherein checking the integrity of the key code segments in memory is performed by:
21) setting the executable permission of all memory pages loaded by the guest virtual machine to non-executable;
22) if a page fault exception occurs and it is an instruction fetch fault, executing step 23); if a page fault exception occurs and it is a write fault, executing step 24);
23) performing an integrity check on the memory page that caused the instruction fetch fault and maintaining the whitelist process list according to the check result; for a memory page that passes the check, setting its page permission to executable and non-writable; for a memory page that fails the check, setting the permission of the faulting memory page to executable and writable;
24) setting the writable permission of the memory page with the page fault exception to writable, and its executable permission to non-executable.
3. The method according to claim 2, wherein in step 23) the method for performing the integrity check on the memory page with the instruction fetch fault and maintaining the whitelist process list according to the check result comprises:
a) checking the virtual address of the monitored guest virtual machine that caused the instruction fetch fault; if the virtual address is a kernel space address, executing step b); if the virtual address is a user space address, executing step g);
b) checking whether the virtual address lies in a known kernel address range; if it lies in a known kernel address range, executing step c); otherwise, executing step d);
c) calculating the hash value of the code segment on the memory page with the instruction fetch fault, comparing the hash value with the corresponding hash value in the hash library, and executing step d) if the comparison result differs;
d) calculating the hash value of the code segment on the memory page, comparing the hash value with the hash values of the code pages where the entry points of all the kernel modules are located, and executing step e) if the comparison results are the same; otherwise, executing step f);
e) recording the address range of the kernel module;
f) clearing the whitelist process list, and marking the state of the monitored guest virtual machine as suspicious;
g) checking whether the page directory address of the current process is in the whitelist process linked list; if so, executing step h); otherwise, executing step i);
h) calculating the hash value of the code segment on the memory page with the instruction fetch fault, comparing the hash value with the hash value of the corresponding code page in the hash library, and executing step j) if the comparison result differs;
i) calculating the hash value of the code segment on the memory page with the instruction fetch fault, comparing the hash value with the hash values of the code pages where the entry points of the programs authorized to access the service are located, and, if the hash values are the same and the address of the memory page is the same as the address of the memory page where the entry point is located, executing step k);
j) deleting the page directory address of the current process from the whitelist process list, and executing step i);
k) inserting the page directory address of the current process into the whitelist process list.
4. The method according to claim 1, wherein when the service call monitor detects in the VMM that a service call has occurred, it extracts the memory of the monitored virtual machine according to fingerprint information of the monitored virtual machine, reconstructs high-level semantics to obtain the process information related to the called service, obtains the page directory address of the calling process from the memory area of the calling process, and then checks whether the page directory address exists in the whitelist process table; if so, the service call is allowed to execute; if not, the service call is rejected.
5. The method as claimed in claim 1, wherein the hash library comprises entry point information of the key code segment, the offset of the key code segment, the virtual address at which the key code segment is loaded into memory, and hash values calculated in units of pages over the key code segment.
6. The method of claim 1 or 5, wherein the key code segments include the kernel image code segment, kernel module code segments, the code segment of an executable program authorized to access the service, and the code segments of the dynamically linked libraries associated with the executable program authorized to access the service.
7. A service call monitoring system in a virtualization environment, characterized by comprising a hash library and a service call monitor; wherein
the service call monitor is responsible for using nested page table technology to set permission limits on the memory pages loaded by a monitored guest virtual machine when the monitored guest virtual machine is started, for checking the integrity of the key code segments in memory in real time before the code on a memory page is executed, and for maintaining a whitelist process linked list that stores the page directory addresses of the whitelist processes; a whitelist process is an authorized process whose code segment integrity has been verified; when the monitor detects that a service call occurs, it calls a virtual machine state detection module to obtain the page directory address of the calling process, and allows the service call to be executed when the page directory address of the calling process is in the whitelist process list; for a service call with a return result, the service call monitor detects the return result event of the service call; when the return result event is detected, it calls the virtual machine state detection module, obtains the information of the calling process according to the characteristics of the return result event, and allows the return result of the service call to pass when the calling process is in the whitelist process list;
and the hash library is used for storing the hashes of the key code segments in the monitored guest virtual machine, so that the service call monitor can check the integrity of the key code segments.
8. The system as claimed in claim 7, wherein the hash library includes entry point information of the key code segment, the offset of the key code segment, the virtual address at which the key code segment is loaded into memory, and hash values calculated in units of pages over the key code segment.
9. The system of claim 7, wherein the key code segments include the kernel image code segment, kernel module code segments, the code segment of an executable program authorized to access the service, and the code segments of the dynamically linked libraries associated with the executable program authorized to access the service.
CN201811471745.0A 2018-12-04 2018-12-04 A service call monitoring method and system in a virtualized environment Expired - Fee Related CN109684829B (en)

Publications (2)

Publication Number Publication Date
CN109684829A true CN109684829A (en) 2019-04-26
CN109684829B CN109684829B (en) 2020-12-04

Family

ID=66186627

Country Status (1)

Country Link
CN (1) CN109684829B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20201204