CN109684829A - Service call monitoring method and system in a kind of virtualized environment - Google Patents
Publication number: CN109684829A (application CN201811471745.0A)
Authority: CN (China)
Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Abstract
The invention discloses a service call monitoring method and system for a virtualized environment. The method comprises the following steps: 1) the cloud generates a hash library of the critical code sections in the monitored guest virtual machine from the service program that the tenant has authorized and its related source files; 2) after the monitored guest virtual machine starts, the service call monitor configures the permission bits of the memory pages loaded by the monitored guest virtual machine, so that the integrity of the critical code sections in memory is verified before the code on a page is executed; 3) when the service call monitor detects that a service call occurs, it obtains the page directory address of the calling process from the features of the service call and allows the service call to execute when that page directory address is in the white-list process chain; when it detects that the result-return event of the service call has occurred, it obtains the calling process's information from the features of the result-return event and allows the result to pass when the calling process is in the white-list process chain.
Description
Technical Field
The invention belongs to the technical field of computer security, and particularly relates to a method and a system for providing service call monitoring in a virtualization environment.
Background
Cloud computing applications based on virtualization technology are developing rapidly, and as they spread, services are migrating from local infrastructure to the cloud. According to a RightScale report, 95% of the IT practitioners surveyed indicated that their company uses cloud computing services. Meanwhile, to attract more tenants, cloud service providers offer many additional services so that tenants can concentrate on their core business. However, the security of invoking these additional services currently depends only on the user's ID and password; once these leak, an adversary can invoke the services the tenant subscribes to for malicious ends. For example, cloud service providers are beginning to deploy key management services and cryptographic services in the cloud. The key management service isolates the user's key from the guest virtual machine, so even if the guest virtual machine is compromised, the adversary cannot obtain the key. However, the security of invoking the cryptographic operation service still depends on the user's ID and password; once the adversary obtains them, the cryptographic operation service can be invoked maliciously from within the guest virtual machine. Moreover, to allow services to be invoked automatically, the user's ID and password are usually written into a configuration file inside the guest virtual machine, which greatly increases the threat: once the guest virtual machine is compromised, the cryptographic operation service is no longer safe even though the key itself is.
The virtual machine monitor is an important component of the virtualization platform and is responsible for allocating and managing the host machine's resources so that the guest virtual machines running on it can share its physical resources. Typically, the hardware devices used by guest virtual machines are emulated by the virtual machine monitor, and the virtual machine monitor handles all guest virtual machine exit events.
Virtual machine introspection (VMI) is a technique for monitoring the running state of a virtual machine from outside it. Its monitoring is accomplished by observing memory contents, trapping hardware events and reading CPU registers. Most VMI implementations require prior knowledge of the guest operating system and use that knowledge together with the guest's memory to reconstruct the guest's state. However, current VMI tools require the guest virtual machine to be suspended while its state is saved, which introduces a large performance overhead, and they rely on knowledge of the guest operating system to parse out semantically readable information, which is no longer trustworthy once the guest operating system is compromised. To reduce the performance loss, current VMI-based detection schemes require an auxiliary module inside the guest virtual machine to trigger the security checks. However, once the guest virtual machine is compromised, that auxiliary module is no longer trusted either.
Most CPUs from AMD and Intel support nested page tables, which greatly speed up the translation of guest virtual addresses into host physical addresses. Besides the performance gain, nested page table entries carry permission bits, generally of three kinds: readable, writable and executable. A violation of these permissions raises an exception that causes the guest virtual machine to exit, and the exit event is handled by the virtual machine monitor. If a memory page is marked non-executable, an instruction fetch fault is triggered as soon as code on that page is about to execute. A schematic diagram of address translation with nested page tables and their permission bits is shown in fig. 5.
Disclosure of Invention
The invention provides a method and system for service call monitoring in a virtualization environment, addressing the problem that the security of a service call depends only on the user's ID and password. The scheme designs a service call monitor that detects service call events occurring in the guest virtual machine in real time, checks the integrity of key code in the guest virtual machine in real time, allows only authorized programs whose integrity is intact to call services, and provides an auditing function. The service call monitoring system is implemented as a component of the virtual machine monitor; its architecture is shown in fig. 1.
Specifically, the technical scheme adopted by the invention is as follows:
A method for service call monitoring in a virtualization environment, the concrete steps of which are:
1) generating operating system fingerprint information for the monitored guest virtual machine, so that the monitoring system can bridge part of the semantic gap; using the process structure and system symbol table in the fingerprint information to construct the process chain, and traversing all processes in the chain to obtain the page directory address of the calling process;
2) the tenant, in a secure environment, designates the programs authorized to access the service and transmits their source files to the cloud over a secure network connection; the cloud uses the resulting binaries to generate a hash library of the key code segments in the monitored guest virtual machine, which the service call monitoring system uses to check the integrity of those segments;
3) from the moment the guest virtual machine starts, the service call monitor uses the nested page table technology provided by the CPU to set the permission bits of the memory pages loaded by the guest virtual machine, so that the integrity of the key code segments in memory is checked in real time before code on a memory page is executed; it also maintains a white-list process list that stores the page directory addresses of the white-list processes, i.e. the authorized processes whose code segment integrity has been verified;
4) the service call monitor detects service calls inside the virtual machine monitor (VMM); when a service call event is detected, the virtual machine state detection module is called and obtains the calling process's information from the features of the service call. For example, a KMS service is called over the network, so a packet addressed to the KMS can be found by filtering network packets, from which it is concluded that a cryptographic operation call has occurred in the VM; the IP address and port of the network connection are the feature of that service call. The memory of the virtual machine is then saved and the calling process's page directory address is obtained, and the service call is allowed to pass (i.e. the call may be sent to the server) only when that page directory address is in the white-list process list;
5) for a service call with a return result, the service call monitor detects the result-return event in the VMM; when it is detected, the virtual machine state detection module is called and obtains the calling process's information from the features of the result-return event, and the return result is allowed to pass (i.e. the result returned by the server may be delivered to the monitored virtual machine) only when the calling process is in the white-list process list.
Further, the service call monitoring system can be realized on Xen-based, VMware ESX/ESXi-based, Hyper-V-based and KVM-QEMU-based virtualization systems.
Further, in step 1), the user generates the operating system fingerprint information of the monitored guest virtual machine in a secure environment; the fingerprint information includes the kernel structure information and the system symbol table of the guest operating system.
Further, in step 2), the user designates the white-list programs authorized to call the service and, in a secure environment, transmits the source files containing the key code segments to the cloud, so that the cloud generates a hash library of the key code segments in the monitored guest virtual machine. The key code segments comprise the kernel image code segment, the kernel module code segments, the code segment of each executable program authorized to call the cryptographic operation service, and the code segments of the dynamic link libraries used by those executable programs. The hash library comprises the entry point information of the key code segments, the offsets of the code segments, the virtual addresses at which the code segments are loaded into memory, and the hash values computed over the key code segments page by page.
Further, in step 3), the real-time integrity check of the key code segments loaded into memory using nested page table technology can be implemented on CPUs that support Intel EPT or AMD RVI.
Further, in step 3), by setting the permission bits in the nested page table supported by the CPU, it is ensured that the integrity of the code in the monitored guest virtual machine is checked before the code is executed; the specific steps are as follows:
a) setting the executable permission of all memory pages loaded by the guest virtual machine to non-executable;
b) when a page fault exception occurs, the VMM handles it: if the cause is an instruction fetch fault, go to step c); if the cause is a write fault, go to step d);
c) performing integrity verification on the memory page that caused the instruction fetch fault and maintaining the white-list process list according to the result; for a page that passes the check (i.e. belongs to a key code segment), setting its permission to executable and non-writable; for a page that fails the check (i.e. does not belong to a key code segment, or is a damaged key code segment), setting the faulting page's permission to executable and writable;
d) setting the memory page's permission to writable and non-executable.
Furthermore, when an instruction fetch fault is handled, the integrity of the code segment is checked using the locality principle, and the white-list process list is maintained according to the result; the steps are as follows:
a) checking the guest virtual address that caused the instruction fetch fault: if it is a kernel space address, go to step b); if it is a user space address, go to step g);
b) checking whether the virtual address lies in a known kernel address interval: if so, go to step c); otherwise go to step d);
c) calculating the hash of the code on the faulting memory page and comparing it with the hash of the corresponding kernel code page in the hash library: if they differ, go to step d); if they are the same, no further action is taken;
d) calculating the hash of the code on the memory page and comparing it with the hashes of the code pages containing the entry points of all kernel modules: if one matches, go to step e); otherwise go to step f);
e) recording the address interval of that kernel module, so that when a new code page is executed, triggers a non-executable fault and its address falls in this interval, the corresponding code page can be found for the hash check; then go to step g);
f) clearing the white-list process list and marking the monitored guest virtual machine as suspicious; then go to step g);
g) checking whether the CR3 register value (i.e. the page directory address of the current process) is in the white-list process list: if so, go to step h); otherwise go to step i);
h) calculating the hash of the code on the page that triggered the instruction fetch fault and comparing it with the hash of the corresponding code page in the hash library: if they differ, go to step j);
i) calculating the hash of the code on the page that triggered the instruction fetch fault and comparing it with the hashes of the code pages containing the entry points of the programs authorized to access the service: if one matches and the page's address equals the address of the page containing that entry point, go to step k);
j) deleting the CR3 register value (i.e. the page directory address of the current process) from the white-list process list, then go to step i);
k) inserting the CR3 register value into the white-list process list.
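The permission-bit state machine of steps a)-d) and the fetch-fault check of steps a)-k) above (repeated in the embodiment below), modelled as an added example; this is not the patent's code. It assumes SHA-256 as the page hash, a fixed kernel/user address split, and code pages whose load addresses are known in advance; the kernel, module and program bytes are constructed samples.

```python
"""Model of the EPT permission-bit integrity check: pages start non-executable, the first
fetch fault on a page verifies it against the hash library, and the CR3 white list records
which processes have executed an intact authorized entry page."""
import hashlib

PAGE = 4096
KERNEL_BASE = 0xFFFF800000000000   # assumed kernel/user address split for this model


def page_hash(page: bytes) -> str:
    """Hash one code page; SHA-256 stands in for the hash the library uses (assumption)."""
    return hashlib.sha256(page).hexdigest()


def split_pages(code: bytes):
    """Split a code segment into page-sized chunks, zero-padding the tail like a loader."""
    return [code[i:i + PAGE].ljust(PAGE, b"\0") for i in range(0, len(code), PAGE)]


class ServiceCallMonitor:
    """VMM-side state: EPT permissions per guest page, the hash library, the CR3 white list."""

    def __init__(self, page_hashes, kernel_ranges, module_entries, program_entries):
        self.page_hashes = dict(page_hashes)          # load va -> expected hash of that page
        self.kernel_ranges = list(kernel_ranges)      # known kernel code intervals [lo, hi)
        self.module_entries = dict(module_entries)    # module entry-page hash -> its page hashes
        self.program_entries = dict(program_entries)  # program entry-page hash -> entry va
        self.whitelist = set()                        # CR3 of authorized, intact processes
        self.state = "normal"
        self.perms = {}                               # guest physical page -> EPT permissions

    def page_loaded(self, gpa):
        """Step a): a newly loaded guest page is mapped non-executable in the EPT."""
        self.perms[gpa] = {"r", "w"}

    def handle_violation(self, kind, gpa, va, cr3, page):
        """Steps b)-d): dispatch an EPT violation on its cause ('fetch' or 'write')."""
        if kind == "write":
            self.perms[gpa] = {"r", "w"}              # d) writable again, so re-check on next fetch
            return None
        ok = self.check_fetch(va, cr3, page)          # c) verify before first execution
        # a verified page becomes execute-only; a failed page stays writable, as in the text
        self.perms[gpa] = {"r", "x"} if ok else {"r", "w", "x"}
        return ok

    def check_fetch(self, va, cr3, page):
        """Steps a)-k) of the fetch-fault check; True when the page is trusted."""
        h = page_hash(page)
        if va >= KERNEL_BASE:                                        # a) kernel-space address
            if any(lo <= va < hi for lo, hi in self.kernel_ranges):  # b) known kernel interval
                if h == self.page_hashes.get(va):                    # c) matches the library
                    return True
            hashes = self.module_entries.get(h)                      # d) a module entry page?
            if hashes is not None:
                # e) record the module's interval and where each of its pages landed, so
                #    later fetch faults inside it are checked by address (locality)
                self.kernel_ranges.append((va, va + PAGE * len(hashes)))
                for i, ph in enumerate(hashes):
                    self.page_hashes[va + i * PAGE] = ph
            else:
                self.whitelist.clear()                               # f) unknown kernel code
                self.state = "suspicious"
        if cr3 in self.whitelist:                                    # g) process already trusted?
            if h == self.page_hashes.get(va):                        # h) page still intact
                return True
            self.whitelist.discard(cr3)                              # j) tampered: revoke it
        if self.program_entries.get(h) == va:                        # i) authorized entry page
            self.whitelist.add(cr3)                                  # k) admit the process
            return True
        return False


def build_demo():
    """Constructed sample: a kernel image, one kernel module and one authorized program A."""
    kernel_base = KERNEL_BASE + 0x1000000
    kernel_pages = split_pages(b"\x90" * 6000)      # stand-in for kernel text
    prog_base = 0x400000
    prog_pages = split_pages(b"\xcc" * 5000)        # stand-in for program A's code segment
    module_pages = split_pages(b"\xc3" * 5000)      # stand-in for a .ko's code section
    page_hashes = {kernel_base + i * PAGE: page_hash(p) for i, p in enumerate(kernel_pages)}
    page_hashes.update({prog_base + i * PAGE: page_hash(p) for i, p in enumerate(prog_pages)})
    mon = ServiceCallMonitor(
        page_hashes,
        [(kernel_base, kernel_base + PAGE * len(kernel_pages))],
        {page_hash(module_pages[0]): [page_hash(p) for p in module_pages]},
        {page_hash(prog_pages[0]): prog_base},
    )
    return mon, kernel_base, kernel_pages, prog_base, prog_pages, module_pages


if __name__ == "__main__":
    mon, kb, kp, pb, pp, mp = build_demo()
    mon.page_loaded(0x1000)
    print("A's entry page from a new process:", mon.handle_violation("fetch", 0x1000, pb, 0x1A000, pp[0]))
    print("white list:", [hex(c) for c in mon.whitelist], "perms:", mon.perms[0x1000])
```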
Further, in step 4), once the service call monitor detects a service call event in the VMM, it extracts the memory of the monitored virtual machine using the fingerprint information, reconstructs high-level semantics to obtain the process information related to the service call event, reads the page directory address of the calling process from that process's memory area, and then checks whether the value exists in the white-list process table: if so, the service call is allowed to pass; if not, it is rejected.
Compared with the prior art, the invention has the following positive effects:
In the invention, the service call monitoring system can monitor calls to the services provided by the cloud service provider over the network, and can also monitor calls to other services, such as cryptographic services provided by third parties over a network, services provided by virtual devices in the virtualization platform (e.g. vTPM), and services provided by physical devices.
Drawings
FIG. 1 is a schematic diagram of a cryptographic operation service call monitoring system;
FIG. 2 is a diagram of an embodiment of a cryptographic operation service call monitoring system in which cryptographic operation services are provided by KMS services;
FIG. 3 is a process structure description information diagram in the Linux system in the embodiment;
FIG. 4 is a flowchart of a critical code section integrity check;
FIG. 5 is a schematic diagram of address translation using nested page tables.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, the present invention is further described with reference to the following embodiments and accompanying drawings.
The embodiment is an example of a cryptographic operation service call monitoring system in a cloud environment.
FIG. 2 is a schematic diagram of cryptographic operation service call monitoring provided in a virtualized environment by the method of the present invention. A user subscribes to a Key Management Service (KMS) provided by a cloud service provider, and the KMS provides its services over https. The KMS service is responsible for managing the user's secret key and providing cryptographic services.
The service call monitoring system in this embodiment is implemented on a QEMU-KVM virtualization platform, and the host uses an Intel CPU. The detection of cryptographic operation service call events is implemented in QEMU, and the integrity check of key code segments using Intel EPT is implemented in the KVM kernel module. KVM is a Linux kernel module that accelerates guest virtual machines using hardware virtualization; the KVM kernel module is also responsible for maintaining the EPT page tables. All VM-EXITs are handled by KVM, and events that KVM cannot handle, such as I/O events, are passed to QEMU in user space. The guest virtual machine runs Linux with kernel version 3.13.7.
In the embodiment, the Volatility tool is used in a secure environment to generate the Profile of the kernel structures and system symbol information of the monitored guest virtual machine.
In the embodiment, the user sets program A as the program authorized to call the KMS service, and the dynamic link library related to A is libc. The ELF files of the kernel image, program A and libc.so.6 are analyzed in a secure environment: the load address and contents of each code segment are extracted, the code segment is hashed page by page, and each hash is written to the hash library together with its load address. At the same time, the .ko files in the monitored guest virtual machine are collected and the kernel's loading process is simulated to compute the offsets at which the code segments in each module's Init and Core sections will be loaded into memory; the corresponding code segments are hashed page by page and the offsets and hashes are written to the hash library in one-to-one correspondence.
In the embodiment, from the moment the guest virtual machine starts, the permission bits of the EPT entries corresponding to the physical pages loaded by the guest are set so that an integrity check is triggered before any code loaded into memory is executed; the specific steps are as follows:
a) initializing the white-list process linked list when the guest virtual machine starts, and setting the EPT entries of all newly loaded memory pages to non-executable;
b) when an EPT violation causes the guest virtual machine to exit, reading the error_code in KVM: if the error_code indicates an instruction fetch fault, go to step c); if it indicates a write fault, go to step d);
c) checking the integrity of the code page;
d) setting the memory page's permission to writable and non-executable.
In the embodiment, when the EPT violation is an instruction fetch fault, the value of the CR3 register of the monitored guest (the page directory address of the current process), the value of the CR2 register (the guest virtual address that caused the fetch fault) and the contents of the code page that caused the fault are read, and an integrity check of the code page is started, as shown in fig. 4; the checking steps are as follows:
a) checking the guest virtual address that caused the fetch fault: if it is a kernel space address, go to step b); if it is a user space address, go to step g);
b) checking whether the virtual address lies in a known kernel address interval: if so, go to step c); otherwise go to step d);
c) calculating the hash of the code on the memory page and comparing it with the hash of the corresponding kernel code page in the hash library: if they differ, go to step d);
d) calculating the hash of the code on the memory page and comparing it with the hashes of the code pages containing the entry points of all kernel modules: if one matches, go to step e); otherwise go to step f);
e) recording the address interval of the kernel module;
f) clearing the white-list process list and marking the monitored guest virtual machine as suspicious;
g) checking whether the CR3 register value is in the white-list process list: if so, go to step h); otherwise go to step i);
h) calculating the hash of the code on the memory page and comparing it with the hash of the corresponding code page in the hash library: if they differ, go to step j);
i) calculating the hash of the code on the memory page and comparing it with the hashes of the code pages containing the entry points of all authorized programs: if one matches, go to step k);
j) deleting the CR3 register value from the white-list process list, then go to step i);
k) inserting the CR3 register value into the white-list process list.
In the embodiment, a group of ioctls is implemented in the KVM module for QEMU to call, through which the user-space side checks whether the page directory address of the current process is in the white-list process list. When the network packet filtering module detects a packet related to the KMS, it traverses the process linked list by memory analysis and identifies the process calling the cryptographic service, i.e. the process that has an open file handle which is a socket connection whose remote address is the KMS's IP and port; it reads that process's page directory address (the Linux process structure is shown in fig. 3) and checks whether it is in the white-list process table maintained by KVM. If it is, the packet is allowed through; otherwise the packet is discarded. Likewise, when a packet returned by the KMS is detected, it is checked again whether the calling process's page directory address is still in the white-list process list: if so, the returned packet is allowed into the monitored guest virtual machine; otherwise it is discarded.
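The QEMU-side packet filter decision described above, as an added example rather than the patent's code: the process records stand in for what memory analysis of the guest task list recovers, the KMS address is a constructed documentation-range address, and the white list is passed in as a plain set where the text queries KVM through an ioctl.

```python
"""Correlate a KMS-bound packet with the guest process that owns the socket, gate it on the
CR3 white list, and re-check the caller when the KMS reply comes back."""
from dataclasses import dataclass

KMS_ADDR = ("203.0.113.10", 443)   # constructed KMS endpoint (RFC 5737 documentation range)


@dataclass(frozen=True)
class Socket:
    """An open socket as recovered from a process's file table: local and remote endpoints."""
    local: tuple
    remote: tuple


@dataclass
class Process:
    """What memory analysis of the guest task list yields for one process (constructed)."""
    pid: int
    comm: str
    cr3: int      # page directory address: the key into the white list
    fds: dict     # fd number -> Socket, or a path string for ordinary files


def find_caller(processes, local, remote):
    """Return the process whose open socket matches the packet's endpoints, or None."""
    for proc in processes:
        for obj in proc.fds.values():
            if isinstance(obj, Socket) and obj.local == local and obj.remote == remote:
                return proc
    return None


class KmsPacketFilter:
    def __init__(self, processes, whitelist):
        self.processes = processes   # guest process list from introspection
        self.whitelist = whitelist   # CR3 white list maintained by the KVM side
        self.calls = {}              # (local, remote) -> process that was allowed to call
        self.audit = []              # (direction, verdict, pid) records for the audit function

    def outbound(self, src, dst):
        """Packet leaving the guest: only KMS-bound packets are subject to the check."""
        if dst != KMS_ADDR:
            return "pass"
        proc = find_caller(self.processes, src, dst)
        if proc is None:             # no process owns the connection: cannot attribute it
            self.audit.append(("out", "drop", None))
            return "drop"
        verdict = "allow" if proc.cr3 in self.whitelist else "drop"
        if verdict == "allow":
            self.calls[(src, dst)] = proc
        self.audit.append(("out", verdict, proc.pid))
        return verdict

    def inbound(self, src, dst):
        """Reply from the KMS: the caller must still be white-listed when the result arrives."""
        if src != KMS_ADDR:
            return "pass"
        proc = self.calls.get((dst, src))
        verdict = "allow" if proc is not None and proc.cr3 in self.whitelist else "drop"
        self.audit.append(("in", verdict, proc.pid if proc else None))
        return verdict


def sample_processes():
    """Constructed guest process list: authorized A, an unauthorized caller, and sshd."""
    return [
        Process(1201, "A", 0x1A000, {0: "/dev/null", 3: Socket(("10.0.0.5", 40001), KMS_ADDR)}),
        Process(1337, "other", 0x2B000, {3: Socket(("10.0.0.5", 40002), KMS_ADDR)}),
        Process(800, "sshd", 0x3C000, {3: Socket(("10.0.0.5", 22), ("198.51.100.7", 51515))}),
    ]


if __name__ == "__main__":
    flt = KmsPacketFilter(sample_processes(), {0x1A000})
    print("A ->KMS:", flt.outbound(("10.0.0.5", 40001), KMS_ADDR))
    print("other->KMS:", flt.outbound(("10.0.0.5", 40002), KMS_ADDR))
    print("audit:", flt.audit)
```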
The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit the same, and a person skilled in the art can modify the technical solution of the present invention or substitute the same without departing from the spirit and scope of the present invention, and the scope of the present invention should be determined by the claims.
Claims (9)
1. A service call monitoring method in a virtualization environment, comprising the following steps:
1) the cloud generates a hash library of the key code segments in the monitored guest virtual machine from the program authorized to access the service, as set by the tenant, and its related source files, wherein the hash library is used by the service call monitor to check the integrity of the key code segments;
2) after the monitored guest virtual machine is started, the service call monitor uses nested page table technology to set the permissions of the memory pages loaded by the monitored guest virtual machine, so that the integrity of the key code segments in memory is verified before code on a memory page is executed, and maintains a white-list process linked list storing the page directory addresses of the white-list processes, the white-list processes being authorized processes whose code segment integrity has been verified;
3) when the service call monitor detects that a service call occurs, it calls the virtual machine state detection module, obtains the page directory address of the calling process from the features of the service call, and allows the service call to execute when that page directory address is in the white-list process linked list;
4) for a service call with a return result, the service call monitor detects the result-return event of the service call; when it is detected, the virtual machine state detection module is called, the calling process's information is obtained from the features of the result-return event, and the return result of the service call is allowed to pass when the calling process is in the white-list process linked list.
2. The method of claim 1, wherein the integrity of the key code segments in memory is checked by:
21) setting the executable permission of all memory pages loaded by the guest virtual machine to non-executable;
22) if a page fault exception occurs and it is an instruction fetch fault, go to step 23); if a page fault exception occurs and it is a write fault, go to step 24);
23) performing integrity verification on the memory page that caused the instruction fetch fault and maintaining the white-list process list according to the result; for a page that passes verification, setting its permission to executable and non-writable; for a page that fails, setting the faulting page's permission to executable and writable;
24) setting the faulting memory page's permission to writable and non-executable.
3. The method according to claim 2, wherein in step 23) the integrity check of the memory page that caused the instruction fetch fault and the maintenance of the whitelist process list according to the result comprise:
a) examine the virtual address in the monitored guest virtual machine that caused the instruction fetch fault; if it is a kernel space address, execute step b); if it is a user space address, execute step g);
b) check whether the virtual address lies in a known kernel address interval; if so, execute step c); otherwise, execute step d);
c) compute the hash of the code segment on the faulting memory page and compare it with the corresponding hash in the hash library; if they differ, execute step d);
d) compute the hash of the code segment on the memory page and compare it with the hashes of the code pages where the entry points of all kernel modules are located; if one of them matches, execute step e); otherwise, execute step f);
e) record the address interval of that kernel module;
f) clear the whitelist process list and mark the state of the monitored guest virtual machine as suspicious;
g) check whether the page directory address of the current process is in the whitelist process linked list; if so, execute step h); otherwise, execute step i);
h) compute the hash of the code segment on the faulting memory page and compare it with the hash of the corresponding code page in the hash library; if they differ, execute step j);
i) compute the hash of the code segment on the faulting memory page and compare it with the hashes of the code pages where the entry points of the programs authorized to access the service are located; if the hashes are the same and the address of the faulting page is the same as the address of the page holding the entry point, execute step k);
j) delete the page directory address of the current process from the whitelist process list and execute step i);
k) insert the page directory address of the current process into the whitelist process list.
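The permission state machine of claim 2 and the whitelist upkeep of claim 3 are easier to follow in a small model. The Python below is an added example written for this page, not code from the patent or its applicants. It models guest memory pages as byte strings, identifies a process by its page directory address (its CR3 value), assumes a fixed user/kernel address split (KERNEL_BASE) for step a), and uses SHA-256 over whole pages as the hash library; the sample pages, addresses and the two-process scenario are all constructed for the example. Step 23's treatment of a page that fails verification (executable and writable) is reproduced exactly as the claim states it.

```python
import hashlib
from dataclasses import dataclass, field

PAGE = 0x1000
KERNEL_BASE = 0xFFFF_8000_0000_0000   # assumed guest split: addresses at or above are kernel space


def page_of(vaddr: int) -> int:
    return vaddr & ~(PAGE - 1)


def h(page_bytes: bytes) -> bytes:
    return hashlib.sha256(page_bytes).digest()


@dataclass
class Monitor:
    hash_lib: dict          # page vaddr -> expected hash of that code page (claim 5, whole-page form)
    kernel_ranges: list     # known kernel address intervals as (start, end)
    module_entries: dict    # hash of a kernel module's entry page -> module size in bytes
    service_entries: dict   # entry-point page vaddr -> hash, for programs authorized to use the service
    perms: dict = field(default_factory=dict)    # page vaddr -> (executable, writable)
    whitelist: set = field(default_factory=set)  # page directory addresses of verified processes
    suspicious: bool = False

    def startup(self, pages) -> None:
        """Step 21: every loaded page starts non-executable so its first fetch traps into the VMM."""
        for p in pages:
            self.perms[p] = (False, True)

    def on_write_fault(self, vaddr: int) -> None:
        """Step 24: a write fault makes the page writable and revokes execute until re-verified."""
        self.perms[page_of(vaddr)] = (False, True)

    def on_fetch_fault(self, vaddr: int, contents: bytes, cr3: int) -> bool:
        """Steps 22/23: an instruction-fetch fault triggers the integrity check of claim 3."""
        page = page_of(vaddr)
        if vaddr >= KERNEL_BASE:                                  # step a
            ok = self._kernel_check(page, contents)
        else:
            ok = self._user_check(page, contents, cr3)
        # verified page: executable, not writable; failed page: executable and writable, as step 23 states
        self.perms[page] = (True, False) if ok else (True, True)
        return ok

    def _kernel_check(self, page: int, contents: bytes) -> bool:
        """Claim 3 steps b-f."""
        d = h(contents)
        if any(s <= page < e for s, e in self.kernel_ranges):     # b: known kernel interval
            if self.hash_lib.get(page) == d:                        # c: matches the hash library
                return True
        if d in self.module_entries:                                # d: entry page of a known module
            self.kernel_ranges.append((page, page + self.module_entries[d]))   # e
            return True
        self.whitelist.clear()                                      # f: unknown kernel code
        self.suspicious = True
        return False

    def _user_check(self, page: int, contents: bytes, cr3: int) -> bool:
        """Claim 3 steps g-k."""
        d = h(contents)
        if cr3 in self.whitelist:                                   # g -> h
            if self.hash_lib.get(page) == d:
                return True
            self.whitelist.discard(cr3)                             # j: code changed, evict, then try i
        if self.service_entries.get(page) == d:                     # i: same hash and same page address
            self.whitelist.add(cr3)                                 # k
            return True
        return False

    def allow_service_call(self, cr3: int) -> bool:
        """Claim 1 step 3 / claim 4: the caller's page directory address must be whitelisted."""
        return cr3 in self.whitelist


def demo() -> dict:
    """Constructed scenario; returns the decisions the monitor took."""
    entry = b"\x55\x48\x89\xe5" + b"\x90" * (PAGE - 4)   # constructed entry page of the authorized client
    ktext = b"\x0f\x01\xf8" + b"\xcc" * (PAGE - 3)       # constructed kernel text page
    mod = b"\x48\x31\xc0" + b"\xc3" * (PAGE - 3)         # constructed entry page of a known kernel module
    m = Monitor(hash_lib={0x400000: h(entry), KERNEL_BASE: h(ktext)},
                kernel_ranges=[(KERNEL_BASE, KERNEL_BASE + PAGE)],
                module_entries={h(mod): 2 * PAGE},
                service_entries={0x400000: h(entry)})
    m.startup([0x400000, KERNEL_BASE, KERNEL_BASE + 0x10000])
    good, bad = 0x1F2000, 0x3A4000                        # page directory addresses of two processes
    r = {}
    r["good_entry"] = m.on_fetch_fault(0x400010, entry, good)                 # i/k: whitelisted
    r["good_call"] = m.allow_service_call(good)
    patched = entry[:4] + b"\xcc" + entry[5:]                                 # one byte differs
    r["bad_entry"] = m.on_fetch_fault(0x400010, patched, bad)
    r["bad_call"] = m.allow_service_call(bad)
    m.on_write_fault(0x400000)                                                # client rewrites its own code
    r["after_patch"] = m.on_fetch_fault(0x400000, b"\xcc" * PAGE, good)      # h -> j: evicted
    r["after_patch_call"] = m.allow_service_call(good)
    r["kernel_page"] = m.on_fetch_fault(KERNEL_BASE + 8, ktext, good)        # b/c
    r["module_load"] = m.on_fetch_fault(KERNEL_BASE + 0x10000, mod, good)    # d/e
    r["unknown_kernel"] = m.on_fetch_fault(KERNEL_BASE + 0x20000, b"\x90" * PAGE, good)  # f
    r["suspicious"] = m.suspicious
    return r
```

Running `demo()` walks one process through admission (step k), a second process with a patched entry page through rejection, the first process through eviction after it rewrites its own code (steps h and j), and the kernel side through a known module load (steps d and e) followed by unknown kernel code, which clears the whitelist and marks the guest suspicious (step f).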
4. The method according to claim 1, wherein when the service call monitor detects a service call in the VMM, it extracts the memory of the monitored virtual machine according to the fingerprint information of the monitored virtual machine, reconstructs high-level semantics to obtain the process information related to the called service, obtains the page directory address of the calling process from that process's memory area, and then checks whether the page directory address exists in the whitelist process table: if so, the service call is allowed to execute; if not, the service call is rejected.
5. The method as claimed in claim 1, wherein the hash library comprises the entry point information of each key code segment, the offset of the key code segment, the virtual address at which the key code segment is loaded into memory, and hash values computed page by page over the key code segment.
6. The method of claim 1 or 5, wherein the key code segments include the kernel image code segment, the kernel module code segments, the code segment of each executable program authorized to access the service, and the code segments of the dynamically linked libraries associated with each executable program authorized to access the service.
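Claim 5 lists what the hash library holds for each key code segment: entry point, file offset, load virtual address, and hashes computed in units of pages. The Python below is an added example for this page, not the patent's code, that builds such records for segments whose load addresses are not page aligned, so that only the segment's own bytes on a partial first or last page are measured, and that copes with two segments (claim 6 lists a program and its linked libraries) sharing one page. The record layout, SHA-256, the `hash_code_segment`/`HashLibrary` names and the sample bytes are this example's assumptions.

```python
import hashlib
from dataclasses import dataclass

PAGE = 0x1000


@dataclass(frozen=True)
class PageRecord:
    page_vaddr: int   # guest virtual address of the page
    start: int        # offset within the page of the first byte that belongs to the segment
    length: int       # number of segment bytes on this page
    digest: bytes     # SHA-256 over exactly those bytes


@dataclass(frozen=True)
class CodeSegmentEntry:
    name: str
    entry_point: int  # virtual address of the entry point
    offset: int       # file offset of the code segment
    load_vaddr: int   # virtual address the segment is loaded at
    pages: tuple      # one PageRecord per page the segment touches


def hash_code_segment(name, code, load_vaddr, entry_point, file_offset=0):
    """Split a code segment into page-sized records; the first and last page may be partial."""
    records = []
    end = load_vaddr + len(code)
    for pv in range(load_vaddr & ~(PAGE - 1), end, PAGE):
        lo, hi = max(pv, load_vaddr), min(pv + PAGE, end)
        chunk = code[lo - load_vaddr:hi - load_vaddr]
        records.append(PageRecord(pv, lo - pv, hi - lo, hashlib.sha256(chunk).digest()))
    return CodeSegmentEntry(name, entry_point, file_offset, load_vaddr, tuple(records))


class HashLibrary:
    def __init__(self, entries):
        self.by_page = {}       # page vaddr -> [(segment name, PageRecord)]; a page may hold two segments
        self.entry_pages = {}   # page vaddr holding an entry point -> segment name
        for e in entries:
            for rec in e.pages:
                self.by_page.setdefault(rec.page_vaddr, []).append((e.name, rec))
            self.entry_pages[e.entry_point & ~(PAGE - 1)] = e.name

    def verify_page(self, page_vaddr, page_bytes):
        """(known, ok): is the page part of a key code segment, and do all segment bytes on it match?"""
        recs = self.by_page.get(page_vaddr)
        if not recs:
            return False, False
        for _, rec in recs:
            got = hashlib.sha256(page_bytes[rec.start:rec.start + rec.length]).digest()
            if got != rec.digest:
                return True, False
        return True, True

    def entry_owner(self, vaddr):
        """Name of the segment whose entry point lies on the page containing vaddr, if any."""
        return self.entry_pages.get(vaddr & ~(PAGE - 1))


def demo():
    """Constructed layout: a client .text loaded mid-page, and a library whose .text starts
    on the same page where the client's ends."""
    client = bytes(range(256)) * 20                      # 0x1400 bytes of made-up code
    lib_text = bytes(reversed(range(256))) * 4           # 0x400 bytes of made-up code
    entries = [hash_code_segment("client", client, 0x401800, 0x401840, file_offset=0x800),
               hash_code_segment("libfoo", lib_text, 0x402C00, 0x402C10, file_offset=0x1000)]
    lib = HashLibrary(entries)
    page = client[0x800:] + lib_text                     # guest page 0x402000: client tail, libfoo head
    r = {"pages_client": len(entries[0].pages),
         "first_start": entries[0].pages[0].start, "first_len": entries[0].pages[0].length}
    r["clean"] = lib.verify_page(0x402000, page)
    r["client_tampered"] = lib.verify_page(0x402000, page[:0x10] + b"\x00" + page[0x11:])
    r["lib_tampered"] = lib.verify_page(0x402000, page[:-1] + b"\xff")
    head = b"\x00" * 0x800 + client[:0x800]              # guest page 0x401000: non-code first half
    r["head_clean"] = lib.verify_page(0x401000, head)
    r["padding_changed"] = lib.verify_page(0x401000, b"\xff" * 0x800 + client[:0x800])
    r["unknown"] = lib.verify_page(0x405000, b"\x00" * PAGE)
    r["entry_owner"] = lib.entry_owner(0x401840)
    return r
```

The point of the partial-page records is that a change to the non-code half of the client's first page does not count as tampering, while a single changed byte anywhere inside either segment's bytes on the shared page does; a whole-page hash would get the first case wrong.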
7. A service call monitoring system in a virtualized environment, characterized in that it comprises a hash library and a service call monitor, wherein
the service call monitor is responsible for using nested page tables, when the monitored guest virtual machine is started, to restrict the permissions of the memory pages loaded by the monitored guest virtual machine, checking the integrity of the key code segments in memory in real time before the code on a memory page is executed, and maintaining a whitelist process linked list that stores the page directory addresses of the whitelisted processes, a whitelisted process being an authorized process whose code segment integrity has been verified; when a service call is detected, the service call monitor invokes the virtual machine state detection module to obtain the page directory address of the calling process and allows the service call to execute when that page directory address is in the whitelist process linked list; for a service call that returns a result, the service call monitor detects the return event of the service call and, when it is detected, invokes the virtual machine state detection module, obtains the information of the calling process from the features of the return event, and allows the return result of the service call to pass when the calling process is in the whitelist process linked list;
and the hash library stores the hashes of the key code segments in the monitored guest virtual machine, so that the service call monitor can check the integrity of the key code segments.
8. The system as claimed in claim 7, wherein the hash library comprises the entry point information of each key code segment, the offset of the key code segment, the virtual address at which the key code segment is loaded into memory, and hash values computed page by page over the key code segment.
9. The system of claim 7, wherein the key code segments include the kernel image code segment, the kernel module code segments, the code segment of each executable program authorized to access the service, and the code segments of the dynamically linked libraries associated with each executable program authorized to access the service.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811471745.0A CN109684829B (en) | 2018-12-04 | 2018-12-04 | Service call monitoring method and system in virtualization environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109684829A true CN109684829A (en) | 2019-04-26 |
CN109684829B CN109684829B (en) | 2020-12-04 |
Family
ID=66186627
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811471745.0A Active CN109684829B (en) | 2018-12-04 | 2018-12-04 | Service call monitoring method and system in virtualization environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109684829B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102736969A (en) * | 2012-05-22 | 2012-10-17 | Institute of Computing Technology, Chinese Academy of Sciences | Method and system for monitoring virtualized internal memory of hardware |
CN103020531A (en) * | 2012-12-06 | 2013-04-03 | Institute of Information Engineering, Chinese Academy of Sciences | Method and system for trusted control of operating environment of Android intelligent terminal |
CN103885829A (en) * | 2014-04-16 | 2014-06-25 | Institute of Software, Chinese Academy of Sciences | Virtual machine cross-data-center dynamic migration optimization method based on statistics |
CN103955438A (en) * | 2014-05-21 | 2014-07-30 | Nanjing University | Process memory protecting method based on auxiliary virtualization technology for hardware |
CN104714877A (en) * | 2015-03-30 | 2015-06-17 | Shanghai Jiao Tong University | Mixed monitoring and measurement method and system used on virtual machines |
US20150318986A1 (en) * | 2014-05-05 | 2015-11-05 | Microsoft Corporation | Secure Transport of Encrypted Virtual Machines with Continuous Owner Access |
CN105184154A (en) * | 2015-09-15 | 2015-12-23 | Institute of Information Engineering, Chinese Academy of Sciences | System and method for providing cryptographic operation service in virtualized environment |
CN106897121A (en) * | 2017-03-01 | 2017-06-27 | Sichuan University | Agentless guest process protection method based on virtualization technology |
CN107450962A (en) * | 2017-07-03 | 2017-12-08 | Beijing Kyland Technology Co., Ltd. | Exception handling method, apparatus and system in a virtualized running environment |
Timeline: 2018-12-04, CN application CN201811471745.0A, granted as patent CN109684829B (status: active).
Non-Patent Citations (2)
Title |
---|
FANGJIE JIANG et al.: "Enforcing Access Controls for the Cryptographic Cloud Service Invocation Based on Virtual Machine Introspection", 21st International Conference, ISC 2018 * |
CHEN Jinfu et al.: "A component security testing method using interface fault injection", Journal of Chinese Computer Systems (小型微型计算机系统) * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110598378A (en) * | 2019-08-01 | 2019-12-20 | Huawei Technologies Co., Ltd. | Global offset table measuring method, dynamic measuring method, related device and equipment |
CN110598378B (en) * | 2019-08-01 | 2023-07-18 | Huawei Technologies Co., Ltd. | Global offset table measurement method, dynamic measurement method, related device and equipment |
CN111400702A (en) * | 2020-03-24 | 2020-07-10 | Shanghai Pingbo Information Technology Co., Ltd. | Virtualized operating system kernel protection method |
CN111400702B (en) * | 2020-03-24 | 2023-06-27 | Shanghai Pingbo Information Technology Co., Ltd. | Virtualized operating system kernel protection method |
CN111831609A (en) * | 2020-06-18 | 2020-10-27 | Data Assurance and Communication Security Research Center, Chinese Academy of Sciences | Method and system for unified management and distribution of binary file metric values in virtualization environment |
CN111831609B (en) * | 2020-06-18 | 2024-01-02 | Data Assurance and Communication Security Research Center, Chinese Academy of Sciences | Method and system for unified management and distribution of binary metric values in virtualized environments |
CN113138835A (en) * | 2021-04-08 | 2021-07-20 | Institute of Information Engineering, Chinese Academy of Sciences | IPT and virtual machine introspection-based API call monitoring method and system |
CN113138835B (en) * | 2021-04-08 | 2024-01-16 | Institute of Information Engineering, Chinese Academy of Sciences | API call monitoring method and system based on IPT and virtual machine introspection |
Also Published As
Publication number | Publication date |
---|---|
CN109684829B (en) | 2020-12-04 |
Similar Documents
Publication | Title |
---|---|
KR102306568B1 (en) | Processor trace-based enforcement of control flow integrity in computer systems |
CN109684829B (en) | Service call monitoring method and system in virtualization environment |
US9934380B2 (en) | Execution profiling detection of malicious objects |
US20130312099A1 (en) | Realtime Kernel Object Table and Type Protection |
CN107912064B (en) | Shell code detection |
US10885183B2 (en) | Return oriented programming attack protection |
Ahmad et al. | CHANCEL: Efficient Multi-client Isolation Under Adversarial Programs. |
Schmidt et al. | Malware detection and kernel rootkit prevention in cloud computing environments |
Taubmann et al. | Cloudphylactor: Harnessing mandatory access control for virtual machine introspection in cloud data centers |
CN110659478B (en) | Method for detecting malicious files preventing analysis in isolated environment |
Wang et al. | Vmdetector: A vmm-based platform to detect hidden process by multi-view comparison |
US9785492B1 (en) | Technique for hypervisor-based firmware acquisition and analysis |
Zhou et al. | Hardware-based on-line intrusion detection via system call routine fingerprinting |
Eckel et al. | Secure attestation of virtualized environments |
Guerra et al. | Introspection for ARM TrustZone with the ITZ Library |
CN112883369B (en) | Trusted virtualization system |
Zhang et al. | Secure virtualization environment based on advanced memory introspection |
Zhong et al. | A virtualization based monitoring system for mini-intrusive live forensics |
Kittel et al. | Code validation for modern os kernels |
US20200104508A1 (en) | Cyber security for space-switching program calls |
US20180260563A1 (en) | Computer system for executing analysis program, and method of monitoring execution of analysis program |
Taubmann | Improving digital forensics and incident analysis in production environments by using virtual machine introspection |
Tian et al. | A policy‐centric approach to protecting OS kernel from vulnerable LKMs |
Mao et al. | HVSM: An In-Out-VM security monitoring architecture in IAAS cloud |
Yu et al. | Vis: virtualization enhanced live acquisition for native system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |