CN109697358A - Application credible security method based on virtualization - Google Patents
- Publication number
- CN109697358A (application number CN201811308343.9A)
- Authority
- CN
- China
- Prior art keywords
- address
- virtual machine
- virtualization
- application
- security method
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/565—Static detection by checking file integrity
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45591—Monitoring or debugging support
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Abstract
The invention discloses a virtualization-based application trusted security method: changes in the virtual machine's CPU registers are monitored in order to intercept kernel module and process load events inside the virtual machine; integrity verification is performed at module and process load time, the integrity of the executable code being verified while the load event is intercepted; process switch events are intercepted in real time; at each process switch event the integrity of the corresponding application information is verified; if integrity verification fails at any of these points, an alarm is raised and system operation is terminated. The method is the first to achieve code integrity verification at kernel module and process load time inside a virtual machine; at the same time it intercepts application switch events in real time at run time and verifies the corresponding application information at each process switch, while remaining transparent to the monitored virtual machine. This keeps the monitoring information complete and hard to tamper with.
Description
Technical field
The invention belongs to the field of communication reliability and relates to an application trusted security method, in particular to a virtualization-based application trusted security method.
Background technique
Malware is a common tool of network crime and includes trojans and backdoors. After malware intrudes into a computing system it often disrupts normal system operation, degrades system performance and puts important and private files at risk of theft, posing a serious threat to computer users. Driven by various interests, malware is continually developed and updated and has absorbed a variety of major security attack techniques. Most malware today is equipped to resist trusted protection systems; AgoBot, for instance, is immune to 105 kinds of protection systems. A security monitoring system must therefore remain transparent to malware.
Traditional trusted protection systems can be divided into two classes by deployment location: the first class is host-based trusted protection systems, the second is network-based protection systems. A first-class system is deployed together with the monitored computer system; this arrangement obtains abundant monitoring information, but it is visible to malware and therefore vulnerable to attack. A second-class system is deployed on a different host from the monitored system and obtains monitoring information over the network; it has good transparency, but obtains little information, and the network state becomes a system bottleneck. Both classes have shortcomings: neither can simultaneously obtain abundant monitoring information and guarantee the transparency of the trusted protection system.
Summary of the invention
The purpose of the present invention is to provide a virtualization-based application trusted security method which builds on hardware virtualization technology to improve on traditional trusted protection systems.
To achieve the above object, the present invention adopts the following technical scheme, a virtualization-based application trusted security method in which:
changes in the virtual machine's CPU registers are monitored, and kernel module and process load events in the virtual machine are intercepted;
integrity verification is performed when modules and processes are loaded, the integrity of the executable code being verified while the load event is intercepted;
process switch events are intercepted in real time;
at each process switch event, the integrity of the corresponding application information is verified;
if integrity verification fails in any of the above steps, an alarm is raised and system operation is terminated.
Further, the step of verifying the integrity of the executable code while the load event is intercepted checks whether the executable code has changed: the first load is taken as the standard, the hash value of each executable code is recorded when it is loaded, and files inside the virtual machine are read by loading a file system driver.
Further, verifying the integrity of the executable code while the load event is intercepted comprises:
S1. obtaining the address of the string stored in the first parameter of the system call;
S2. reading the string content at the address obtained in step S1 to obtain the file path of the content to be loaded;
S3. opening the file through the virtual machine monitor and computing the file's digest;
S4. comparing it with the digest previously stored in the trust data: if the digests match, the content to be loaded has not been tampered with and can be loaded safely; if they differ, an alarm is raised.
Further, when the process switch event is intercepted, the virtual machine's process list is obtained and the CPU utilization of each process is calculated.
Further, in intercepting the switch event, the operating system's process switch comprises two steps:
S11. switching the page global directory address to install a new address space: the CR3 register is the register holding the process's page global directory address, and the new process's address is written into CR3;
S22. then switching the kernel stack and hardware context: the process's kernel stack address is written into the ESP register. Tracking changes of the CR3 register therefore intercepts process switch events.
Further, the application-related information is stored in a process descriptor of data type struct task_struct; the process descriptor contains the process's PID, the process name and the address of the next process's descriptor.
Further, obtaining the descriptor of the current process comprises: the operating system allocates a separate memory area for each process, in which two different data structures are stored, one being the kernel-mode process stack and the other the process information; the process stack grows from top to bottom, and when a process switch occurs the ESP register indicates the address of the current process's stack.
Further, the address thread_info_addr of the process information structure thread_info is obtained from esp; the address task_addr of the process descriptor is computed from the offset of the task member within the thread_info structure; the current process descriptor is obtained by reading the virtual machine's memory, and information such as the process PID and process name is obtained from the data held in the process descriptor.
Further, obtaining the virtual machine's process list comprises: the operating system links all processes together in a doubly linked list, and the process descriptor contains two pointers, prev pointing to the previous process descriptor and next pointing to the next process descriptor; having obtained the current process descriptor at a process switch by the method described above, all processes currently in the system are traversed via the next pointer, yielding the list of current processes and the information of each process.
Further, obtaining the process CPU utilization comprises: obtaining each process's CPU execution time from process switches and computing the process's CPU utilization.
With the above technical scheme, the present invention has the following advantages. The method is the first to achieve code integrity verification at kernel module and process load time inside a virtual machine; at the same time it intercepts application switch events in real time at run time and verifies the corresponding application information at each process switch, while remaining transparent to the monitored virtual machine. Based on hardware virtualization technology, it obtains system call and process switch information from inside the virtual machine by analyzing changes in the virtual machine's CPU registers; because this monitoring is based on the virtual machine's hardware-level information, the information is complete and not easily tampered with. The security monitoring system is implemented here as a Linux system module that can be installed and uninstalled on demand. A set of APIs for obtaining low-level virtual machine information has also been developed, which other developers can use. The security monitoring information is comprehensive and can serve as basic data for other security systems.
Compared with the prior art: the latter performs code trust verification at system kernel load and application load mainly by a kernel-based method, that is, by adding a new kernel module or code into the kernel of the system under test (SUT) in order to intercept the running system's kernel load and application load events and verify them at interception. That method has poor transparency, changes the state of the system under test and incurs secondary development cost; moreover, the modified part is visible to a malicious attacker and easily becomes an explicit attack target. In the present technique the verification module resides at the virtual machine monitor layer and achieves the same effect by intercepting the system from the virtual machine monitor. This method requires no modification of the system under test and is invisible to it.
Compared with another prior art, such as virtual-machine-based file integrity monitoring systems, whose essence is to implement file integrity protection, access control and similar functions at the virtual machine monitor layer: such systems work mainly by intercepting the virtual machine's I/O operations, that is, all file operations are intercepted and monitored, and the overall overhead is large. The purpose of the present technical scheme is integrity verification at kernel load and application load, so the capture point is the system load event rather than I/O, which preserves system performance.
Description of the drawings
The present invention is further explained below with reference to the attached drawings:
Fig. 1 is a schematic diagram of the overall system architecture of the present invention;
Fig. 2 is a schematic diagram of the local authentication method of the present invention.
Specific embodiment
Embodiment:
As shown in Figure 1, the present invention relates to a virtualization-based application trusted security method: changes in the virtual machine's CPU registers are monitored in order to intercept kernel module and process load events inside the virtual machine; integrity verification is performed at module and process load time, the integrity of the executable code being verified while the load event is intercepted; process switch events are intercepted in real time; at each process switch event the integrity of the corresponding application information is verified; if integrity verification fails at any of these points, an alarm is raised and system operation is terminated.
Through hardware virtualization technology, changes in the virtual machine's CPU registers are monitored, which for the first time intercepts kernel module and process load events inside the virtual machine and verifies executable code integrity during interception; at the same time, process switch events are intercepted in real time at run time and the integrity of the corresponding application information is verified at each switch. If integrity verification fails in this process, an alarm is raised and system operation is terminated, making the whole system trustworthy. The present invention costs the virtual machine less than 10% in performance; it does not need to interact with the operating system inside the virtual machine, so the monitored system is fully transparent and the monitoring system's resistance to infection is guaranteed. In addition, the invention can be installed and uninstalled according to monitoring demand, avoiding a useless drain on virtual machine performance when security monitoring is not needed.
Specifically, in this embodiment, integrity verification at module load and application load comprises the following.
Integrity verification at module load and process load means verifying whether the executable code has changed; that is, the step of verifying executable code integrity while the load event is intercepted checks whether the executable code has changed, taking the first load as the standard, recording the hash value of each executable code when it is loaded, and reading files inside the virtual machine by loading a file system driver.
In the Linux operating system, application program loading is realized through the execv system call (Windows realizes process loading through the CreateProcess system call); the system call number of this call is 11, and its first parameter is the path of the executable code. Similarly, Linux realizes module loading through the init_module system call, whose system call number is 175 and whose first parameter is the path of the executable code.
Both events realize integrity verification at module and application load according to the following procedure. Verifying the integrity of the executable code while the load event is intercepted comprises:
S1. obtaining the address of the string stored in the first parameter of the system call;
S2. reading the string content at the address obtained in step S1 to obtain the file path of the content to be loaded;
S3. opening the file through the virtual machine monitor and computing the file's digest;
S4. comparing it with the digest previously stored in the trust data: if the digests match, the content to be loaded has not been tampered with and can be loaded safely; if they differ, an alarm is raised.
The digests of loaded content are stored in a hash list; the time complexity of looking up the hash value of a piece of executable code (find_md5) is O(1), and the time complexity of saving the hash value of a piece of executable code (save_md5) is also O(1), so the running time is proportional only to the file size N, and the time complexity of the above algorithm is O(N).
Specifically, in this embodiment, run-time application integrity verification comprises the following.
Run-time application integrity verification works mainly by intercepting process switches: during a process switch, the current application information in the virtual machine is obtained and compared with the trusted information in a white list; if they agree the verification passes, otherwise it fails. How process switches are intercepted using hardware virtualization technology, and how the virtual machine's process list and process CPU utilization are obtained, is described below.
Intercepting the switch event: the operating system's process switch comprises two steps:
S11. switching the page global directory address to install a new address space: the CR3 register is the register holding the process's page global directory address, and the new process's address is written into CR3;
S22. then switching the kernel stack and hardware context: the process's kernel stack address is written into the ESP register. Tracking changes of the CR3 register therefore intercepts process switch events.
First the page global directory address is switched to install a new address space: CR3 is the register holding the process's page global directory address, and the new process's address is written into CR3. Then the kernel stack and hardware context are switched: the process's kernel stack address is written into ESP. The first step of a process switch must write the CR3 register, which generates a VmExit event and hands CPU control to the virtual machine monitor; process switches can therefore be intercepted by tracking changes of the CR3 register.
Although the process switch has been intercepted, no process-related information has been obtained at this point. In the Linux operating system the application-related information is stored in a process descriptor of data type struct task_struct; the process descriptor contains the process's PID, the process name and the descriptor address of the next process. Obtaining the descriptor of the current process yields the basic information of the current process.
The following two subsections describe how the current process information and the current process list are obtained when a process switch is intercepted.
Obtaining the descriptor of the current process:
The operating system allocates a separate memory area for each process, in which two different data structures are stored: one is the kernel-mode process stack and the other is the process information; the process stack grows from top to bottom, and when a process switch occurs the ESP register indicates the address of the current process's stack.
As shown in Fig. 2, the Linux operating system allocates a separate memory area (buffer) for each process. This area is usually 8k in size, occupies two contiguous page frames, and its start address is a multiple of 2^13. Two different data structures are stored in it: one is the kernel-mode process stack and the other is the process information structure struct thread_info, whose task member is the address of the process descriptor. thread_info is located at the start of this memory area, the process stack grows from top to bottom, and when a process switch occurs ESP indicates the address of the current process's stack.
The relationship between the current process's stack address and the process descriptor address is described above; the value esp is read from the ESP register, and the process descriptor address is computed with the following formulas.
First the address thread_info_addr of the process information structure thread_info is obtained from esp:
thread_info_addr = esp & 0xfffe0000;
Then the address task_addr of the process descriptor is computed from the offset of the task member in the thread_info structure:
task_addr = thread_info_addr + offset(thread_info, task).
Finally the current process descriptor is obtained by reading the virtual machine's memory, and information such as the process PID and process name is obtained from the data held in the process descriptor.
Obtaining the virtual machine's process list:
The Linux operating system links all processes together in a doubly linked list; the process descriptor contains two pointers, prev pointing to the previous process descriptor and next pointing to the descriptor of the next process. At a process switch the current process descriptor is obtained by the method described above, and then all processes currently in the system are traversed via the next pointer, yielding the list of current processes and the information of each process.
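The following is an added example, not the patent's code, covering both the esp-to-descriptor computation of the previous subsection and the list traversal of this one. The guest is modelled as a flat byte array read through a guest_read helper that stands in for a real introspection API; the layouts of thread_info and task_struct are simplified assumptions (a real kernel's differ), the 8 KiB area size follows the page's stated size and 2^13 alignment (the page's own literal mask is 0xfffe0000, which the example does not use), and the three tasks, their PIDs and names are constructed.

```c
/* Added example: current task_struct from ESP via thread_info, then a walk of the
 * doubly linked task list over a constructed guest memory image. Not the patent's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define THREAD_SIZE 8192u                     /* two contiguous page frames (assumption from page) */
#define THREAD_MASK (~(uint32_t)(THREAD_SIZE - 1))
#define GUEST_MEM_SIZE 65536u
#define MAX_TASKS 16

struct thread_info { uint32_t flags; uint32_t task; };      /* task: guest address of task_struct */
struct task_struct { uint32_t pid; char comm[16]; uint32_t prev; uint32_t next; };

static uint8_t guest_mem[GUEST_MEM_SIZE];     /* constructed guest physical memory */

/* Monitor-side guest memory access; bounds-checked so a bad pointer cannot run off the image. */
static int guest_read(uint32_t addr, void *dst, size_t len) {
    if ((size_t)addr + len > GUEST_MEM_SIZE) return 0;
    memcpy(dst, guest_mem + addr, len);
    return 1;
}
static void guest_write(uint32_t addr, const void *src, size_t len) {
    if ((size_t)addr + len <= GUEST_MEM_SIZE) memcpy(guest_mem + addr, src, len);
}

/* thread_info_addr = esp & mask (thread_info sits at the start of the aligned area) */
uint32_t thread_info_addr_from_esp(uint32_t esp) { return esp & THREAD_MASK; }

/* task_addr = thread_info_addr + offset(thread_info, task), then read the pointer itself */
uint32_t current_task_addr(uint32_t esp) {
    uint32_t task_addr = 0;
    guest_read(thread_info_addr_from_esp(esp) + (uint32_t)offsetof(struct thread_info, task),
               &task_addr, sizeof task_addr);
    return task_addr;
}

/* Follow next pointers around the circular list starting at the current task.
 * The MAX_TASKS bound stops the walk if the list has been corrupted. */
size_t walk_task_list(uint32_t start_task, uint32_t *pids, size_t max) {
    struct task_struct t;
    uint32_t addr = start_task;
    size_t n = 0;
    do {
        if (!guest_read(addr, &t, sizeof t)) break;
        if (n < max) pids[n] = t.pid;
        n++;
        addr = t.next;
    } while (addr != start_task && n < MAX_TASKS);
    return n;
}

/* k-th pid reached when walking from the task current at esp (0 if out of range). */
uint32_t pid_at(uint32_t esp, size_t k) {
    uint32_t pids[MAX_TASKS];
    size_t n = walk_task_list(current_task_addr(esp), pids, MAX_TASKS);
    return k < n ? pids[k] : 0;
}

/* Build the constructed guest: three tasks in a circular list, a thread_info at the
 * start of an 8 KiB-aligned area, and an ESP pointing into that area's stack. */
uint32_t build_sample_guest(void) {
    const uint32_t task_base = 0x1000;        /* task_structs packed here (constructed) */
    const uint32_t area = 0x4000;             /* 8 KiB-aligned per-process area (constructed) */
    const char *names[3] = { "init", "sshd", "demo" };
    memset(guest_mem, 0, sizeof guest_mem);
    for (uint32_t i = 0; i < 3; i++) {
        struct task_struct t;
        memset(&t, 0, sizeof t);
        t.pid = (i == 0) ? 1 : 100 + i;
        strncpy(t.comm, names[i], sizeof t.comm - 1);
        t.prev = task_base + ((i + 2) % 3) * (uint32_t)sizeof t;
        t.next = task_base + ((i + 1) % 3) * (uint32_t)sizeof t;
        guest_write(task_base + i * (uint32_t)sizeof t, &t, sizeof t);
    }
    struct thread_info ti = { 0, task_base + 2 * (uint32_t)sizeof(struct task_struct) }; /* "demo" is current */
    guest_write(area, &ti, sizeof ti);
    return area + THREAD_SIZE - 0x40;         /* ESP: the stack grew down from the top of the area */
}

int main(void) {
    uint32_t esp = build_sample_guest();
    struct task_struct cur;
    guest_read(current_task_addr(esp), &cur, sizeof cur);
    uint32_t pids[MAX_TASKS];
    size_t n = walk_task_list(current_task_addr(esp), pids, MAX_TASKS);
    printf("esp=0x%x current pid=%u comm=%s, %zu tasks in list\n", esp, cur.pid, cur.comm, n);
    return 0;
}
```

The walk starts from the descriptor the monitor just derived from ESP, so the list it returns is exactly what the guest kernel is linking at that switch; a process hidden by unlinking itself from the list would still be observed at the moment it is scheduled, because its CR3 write and its descriptor reached through ESP do not depend on the list.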
Obtaining process CPU utilization:
Obtaining process CPU utilization comprises obtaining each process's CPU execution time from process switches and computing the process's CPU utilization.
Processes whose CPU utilization changes abruptly are often anomalous, and such processes may be malicious code. How a process's CPU utilization is obtained from process switch information is described below; the specific calculation is as follows.
Let $t_{start}$ be the process creation time, $now$ the present time and $t_{run}$ the sum of the process's CPU usage time; the process's CPU utilization is then $rate = t_{run} / (now - t_{start})$. In an operating system several processes run concurrently and preempt the CPU from one another, and each process's CPU usage time equals the sum of the times it held the CPU across all preemptions. Let $t_i$ be the time the process held the CPU after its $i$-th preemption, so $t_{run} = \sum_i t_i$, where $t_i$ is the time the process held the CPU between two consecutive process switches. When a process switch occurs, the system records the process about to run $P_{next}$, the process that last ran $P_{last}$ and the time of the switch; comparing this with the time of the previous process switch gives the CPU time held by $P_{last}$.
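The following is an added example, not the patent's code, that ties the CR3-tracking interception of S11/S22 to the utilization formula above: the input is a trace of CR3-write VmExits, each switch credits $P_{last}$ with the interval since the previous switch, and $rate = t_{run} / (now - t_{start})$ is evaluated per process. The mapping from CR3 value to PID, the creation times and the timestamps are all constructed; a real monitor would obtain the PID from the descriptor reached through ESP as described earlier.

```c
/* Added example: per-process CPU time from a trace of CR3-write VmExits and
 * rate = t_run / (now - t_start). Not the patent's code; all inputs constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PROCS 8

struct cr3_exit { uint64_t t; uint64_t cr3; };      /* one VmExit caused by a CR3 write */
struct proc_stat { uint64_t cr3; uint32_t pid; uint64_t t_start; uint64_t t_run; };

static struct proc_stat procs[MAX_PROCS];
static size_t nprocs;

static struct proc_stat *find_by_cr3(uint64_t cr3) {
    for (size_t i = 0; i < nprocs; i++) if (procs[i].cr3 == cr3) return &procs[i];
    return NULL;
}
static struct proc_stat *find_by_pid(uint32_t pid) {
    for (size_t i = 0; i < nprocs; i++) if (procs[i].pid == pid) return &procs[i];
    return NULL;
}

/* Register a process: its CR3 identifies its address space, t_start its creation time. */
int add_proc(uint64_t cr3, uint32_t pid, uint64_t t_start) {
    if (nprocs >= MAX_PROCS) return -1;
    procs[nprocs].cr3 = cr3; procs[nprocs].pid = pid;
    procs[nprocs].t_start = t_start; procs[nprocs].t_run = 0;
    return (int)nprocs++;
}

/* Replay the trace. A CR3 write whose value differs from the previous one is a
 * process switch (S11): P_last is credited with t_i = t_switch - t_previous_switch.
 * A write of the same value (e.g. a TLB flush) is not a switch and is ignored.
 * Returns the number of switches observed. */
size_t account_switches(const struct cr3_exit *trace, size_t n) {
    uint64_t last_cr3 = 0, last_t = 0;
    int have_last = 0;
    size_t switches = 0;
    for (size_t i = 0; i < n; i++) {
        if (have_last) {
            if (trace[i].cr3 == last_cr3) continue;
            struct proc_stat *p = find_by_cr3(last_cr3);
            if (p) p->t_run += trace[i].t - last_t;
            switches++;
        }
        last_cr3 = trace[i].cr3; last_t = trace[i].t; have_last = 1;
    }
    return switches;
}

/* rate = t_run / (now - t_start), as an integer percentage; 0 for an unknown pid
 * or when now <= t_start, so the division is never by zero. */
uint32_t cpu_rate_percent(uint32_t pid, uint64_t now) {
    struct proc_stat *p = find_by_pid(pid);
    if (!p || now <= p->t_start) return 0;
    return (uint32_t)(p->t_run * 100 / (now - p->t_start));
}

/* Constructed sample: three address spaces and a short trace of CR3 exits (time units arbitrary). */
static const struct cr3_exit sample_trace[] = {
    { 0, 0x1000 }, { 10, 0x2000 }, { 30, 0x1000 }, { 50, 0x3000 }, { 90, 0x3000 }, { 100, 0x1000 },
};
#define SAMPLE_TRACE_LEN (sizeof sample_trace / sizeof sample_trace[0])

size_t setup_sample_procs(void) {
    nprocs = 0;
    add_proc(0x1000, 1, 0);      /* init-like process, created at t=0 */
    add_proc(0x2000, 101, 0);    /* created at t=0 */
    add_proc(0x3000, 102, 50);   /* created at t=50, first scheduled immediately */
    return nprocs;
}

int main(void) {
    setup_sample_procs();
    size_t sw = account_switches(sample_trace, SAMPLE_TRACE_LEN);
    printf("%zu switches\n", sw);
    for (size_t i = 0; i < nprocs; i++)
        printf("pid %u: t_run=%llu rate=%u%%\n", procs[i].pid,
               (unsigned long long)procs[i].t_run, cpu_rate_percent(procs[i].pid, 100));
    return 0;
}
```

Within the constructed trace, pid 102 runs from t=50 to t=100 without being switched out (the CR3 write at t=90 carries the same value and is not counted), so its utilization over its own lifetime is 100% while the two older processes come out at 30% and 20%; a monitor comparing successive rate samples per process is what the page means by watching for abrupt changes in utilization.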
In addition to the preferred embodiment above, the invention has other embodiments; those skilled in the art may make various changes and modifications according to the present invention, and as long as these do not depart from the spirit of the invention they fall within the scope defined by the appended claims.
Claims (10)
1. A virtualization-based application trusted security method, characterized in that:
changes in the virtual machine's CPU registers are monitored, and kernel module and process load events in the virtual machine are intercepted;
integrity verification is performed when modules and processes are loaded, the integrity of the executable code being verified while the load event is intercepted;
process switch events are intercepted in real time;
at each process switch event, the integrity of the corresponding application information is verified;
if integrity verification fails in any of the above steps, an alarm is raised and system operation is terminated.
2. The virtualization-based application trusted security method according to claim 1, characterized in that the step of verifying the integrity of the executable code while the load event is intercepted checks whether the executable code has changed: the first load is taken as the standard, the hash value of each executable code is recorded when it is loaded, and files inside the virtual machine are read by loading a file system driver.
3. the application credible security method according to claim 2 based on virtualization, which is characterized in that intercept and capture load events
The integrality of verifying executable code includes: in the process
S1. the character string address stored in first parameter is called by system;
S2. the address for passing through S1 step, reads string content, obtains the file directory information for needing loading content;
S3. file, and calculation document summary info are opened by monitor of virtual machine;
S4. compared with the summary info that is previously stored in trust data in advance, if summary info is consistent, illustrate loading content without
It distorts, can be safely loaded with, if summary info is inconsistent, alarm.
4. the application credible security method according to claim 1 based on virtualization, which is characterized in that it is described intercept and capture into
When journey handover event, virtual machine process list and calculation procedure cpu busy percentage are obtained.
5. the application credible security method according to claim 4 based on virtualization, which is characterized in that the intercepting and capturing carry out
Handover event, operating system include two steps:
S11. switch Page Global Directory address to install a new address space, CR3 register is preservation process overall situation mesh
The register of address is recorded, CR3 register is written in new process address;
S22. switch kernel stack and hardware context afterwards, ESP register is written in the kernel stack address of process, and tracking CR3 is posted
Storage transformation, which is realized, intercepts and captures process switching event.
6. the application credible security method according to claim 5 based on virtualization, which is characterized in that the application is related
Information preservation is in the process descriptors of struct task_struct in data type, includes process in the process descriptors
PID and process title and next process process descriptors address.
7. the application credible security method according to claim 6 based on virtualization, which is characterized in that described to obtain currently
The descriptor of process includes: that operating system is that each process individually distributes a memory space, is saved in the memory space
Two different data structures, one be kernel state process stacks, the other is progress information, the process stacks from upper and
The address of ESP register instruction current process storehouse when process switching occurs for lower growth.
8. the application credible security method according to claim 7 based on virtualization, which is characterized in that
The address thread_info_addr of progress information thread_info structural body is obtained by esp;
According to task, offset calculates the address task_ of process descriptors in progress information thread_info structural body
addr;
Current process descriptor is obtained by reading virutal machine memory, by the data kept in process descriptors, obtains process
The information such as PID and process title.
9. the application credible security method according to claim 8 based on virtualization, which is characterized in that described to obtain virtually
Machine process list includes: that all processes are chained up by operating system by the way of doubly linked list, in the process descriptors
Include two pointers: prev is directed toward previous process descriptors, and next is directed toward next process descriptors, leads in process switching
Description method of celebrating a festival obtains current process descriptor, just traverses the process in all current systems by next pointer, acquisition is worked as
The information of the list of preceding process and each process.
10. the application credible security method according to claim 4 based on virtualization, which is characterized in that it is described obtain into
Journey cpu busy percentage includes: to obtain process CPU by process switching to execute time, calculation procedure cpu busy percentage.
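Claims 5 to 10 describe a process-switch introspection path: trap the CR3 write, mask ESP to find thread_info, follow its task pointer to the task_struct, read PID and name, walk the doubly linked task list, and charge CPU time per process from the switch timestamps. The following is an added example that is not code from the patent; it runs the same steps against a constructed 32-bit guest memory image. The 8 KiB stack size, the thread_info.task offset of 0 and all task_struct field offsets are assumptions for the example (real offsets depend on the guest kernel build), and `GuestMemory`, `build_guest` and `SwitchTracker` are names invented here. One point the claim ordering implies is made explicit in `SwitchTracker`: when the CR3 write is trapped (step S11), ESP still belongs to the task being switched out, because the kernel stack is only switched in step S22.

```python
import struct

PAGE_SIZE = 4096
THREAD_SIZE = 2 * PAGE_SIZE   # assumed: 8 KiB kernel stack, classic 32-bit x86 Linux layout
# thread_info sits at the bottom of the kernel stack; its `task` pointer is taken
# to be the first field (assumed offset 0). The task_struct offsets below are
# constructed for this example; real offsets depend on the guest kernel build.
TI_TASK_OFF = 0x0
TS_PID_OFF, TS_COMM_OFF, TS_TASKS_OFF, TS_SIZE = 0x10, 0x20, 0x30, 0x40
COMM_LEN = 16


class GuestMemory:
    """Flat constructed guest memory; offsets stand in for guest addresses."""
    def __init__(self, size):
        self.buf = bytearray(size)
    def read_u32(self, addr):
        return struct.unpack_from("<I", self.buf, addr)[0]
    def write_u32(self, addr, value):
        struct.pack_into("<I", self.buf, addr, value)
    def read(self, addr, n):
        return bytes(self.buf[addr:addr + n])
    def write(self, addr, data):
        self.buf[addr:addr + len(data)] = data


def thread_info_addr_from_esp(esp):
    """Claim 8: the kernel stack is THREAD_SIZE-aligned, so masking ESP yields thread_info."""
    return esp & ~(THREAD_SIZE - 1)


def current_task_addr(mem, esp):
    """task_addr = thread_info_addr + offset of the task field (claim 8)."""
    return mem.read_u32(thread_info_addr_from_esp(esp) + TI_TASK_OFF)


def read_task(mem, task_addr):
    """Return (pid, comm) from a task_struct (claim 6)."""
    pid = mem.read_u32(task_addr + TS_PID_OFF)
    comm = mem.read(task_addr + TS_COMM_OFF, COMM_LEN).split(b"\0", 1)[0].decode()
    return pid, comm


def walk_process_list(mem, start_task, limit=4096):
    """Claim 9: follow tasks.next around the circular doubly linked list.
    `next` points at the embedded list_head, so its offset is subtracted (container_of)."""
    out, addr = [], start_task
    for _ in range(limit):
        out.append(read_task(mem, addr))
        addr = mem.read_u32(addr + TS_TASKS_OFF) - TS_TASKS_OFF
        if addr == start_task:
            return out
    raise RuntimeError("process list did not close: possible corruption")


class SwitchTracker:
    """Claim 10: account CPU time per process from trapped CR3 writes.
    At the CR3 write ESP still belongs to the outgoing task (the stack switch is
    step S22), so the task read from ESP is charged the time since the last switch."""
    def __init__(self):
        self.runtime = {}
        self.last_switch = None

    def on_cr3_write(self, mem, esp, now):
        pid, comm = read_task(mem, current_task_addr(mem, esp))
        if self.last_switch is not None:
            self.runtime[pid] = self.runtime.get(pid, 0) + (now - self.last_switch)
        self.last_switch = now
        return pid, comm

    def utilization(self, pid, window):
        return self.runtime.get(pid, 0) / window


def build_guest():
    """Constructed guest: three tasks in a circular list, each with its own kernel stack.
    Returns the memory and a pid -> esp map (ESP pointing inside each task's stack)."""
    mem = GuestMemory(0x40000)
    tasks = [(1, b"init"), (200, b"sshd"), (345, b"bash")]
    task_addrs = [0x10000 + i * TS_SIZE for i in range(len(tasks))]
    esp_of = {}
    for i, ((pid, comm), addr) in enumerate(zip(tasks, task_addrs)):
        mem.write_u32(addr + TS_PID_OFF, pid)
        mem.write(addr + TS_COMM_OFF, comm.ljust(COMM_LEN, b"\0"))
        nxt = task_addrs[(i + 1) % len(tasks)]
        prv = task_addrs[(i - 1) % len(tasks)]
        mem.write_u32(addr + TS_TASKS_OFF, nxt + TS_TASKS_OFF)       # tasks.next
        mem.write_u32(addr + TS_TASKS_OFF + 4, prv + TS_TASKS_OFF)   # tasks.prev
        stack_base = 0x20000 + i * THREAD_SIZE                       # THREAD_SIZE-aligned
        mem.write_u32(stack_base + TI_TASK_OFF, addr)                # thread_info.task
        esp_of[pid] = stack_base + THREAD_SIZE - 0x100               # stack grows downward
    return mem, esp_of


if __name__ == "__main__":
    mem, esp_of = build_guest()
    print(walk_process_list(mem, current_task_addr(mem, esp_of[200])))
```

The `limit` guard in `walk_process_list` matters in practice: a guest whose task list has been unlinked or corrupted will not return to the starting descriptor, and an unbounded walk would hang the monitor; treating a list that does not close as an integrity failure is consistent with the alarm-and-terminate rule in claim 1.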
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811308343.9A CN109697358A (en) | 2018-11-05 | 2018-11-05 | Application credible security method based on virtualization |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109697358A true CN109697358A (en) | 2019-04-30 |
Family
ID=66229811
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811308343.9A Pending CN109697358A (en) | 2018-11-05 | 2018-11-05 | Application credible security method based on virtualization |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109697358A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101593259A (en) * | 2009-06-29 | 2009-12-02 | 北京航空航天大学 | software integrity verification method and system |
CN103679025A (en) * | 2013-11-26 | 2014-03-26 | 南京邮电大学 | Malicious code detection method based on dendritic cell algorithm |
CN104007956A (en) * | 2013-02-27 | 2014-08-27 | 华为技术有限公司 | Method and device for identifying and tracking operating system process and acquiring information |
US9690719B2 (en) * | 2014-09-11 | 2017-06-27 | Nxp Usa, Inc. | Mechanism for managing access to at least one shared integrated peripheral of a processing unit and a method of operating thereof |
Non-Patent Citations (2)
Title |
---|
WEIXIN_30376509: "[Linux operating system analysis] Processes: process switching, process creation and destruction", HTTPS://BLOG.CSDN.NET/WEIXIN_30376509/ARTICLE/DETAILS/95970058 * |
Deng Liang et al.: "Application program protection method introducing an internal trusted base (内可信基)", Journal of Software (软件学报) * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110998582B (en) | Secure storage device and computer security method | |
US9565214B2 (en) | Real-time module protection | |
US11416612B2 (en) | Protecting against malware code injections in trusted processes | |
Bauman et al. | A survey on hypervisor-based monitoring: approaches, applications, and evolutions | |
EP3123311B1 (en) | Malicious code protection for computer systems based on process modification | |
JP6073482B2 (en) | Secure disk access control | |
CN107066311B (en) | Kernel data access control method and system | |
CN105740046B (en) | A kind of virtual machine process behavior monitoring method and system based on dynamic base | |
US11494491B2 (en) | Systems and methods for protecting against malware code injections in trusted processes by a multi-target injector | |
CN103620613A (en) | System and method for virtual machine monitor based anti-malware security | |
US10114948B2 (en) | Hypervisor-based buffer overflow detection and prevention | |
US20150067838A1 (en) | Trusted execution of binaries and modules | |
Joy et al. | Rootkit detection mechanism: A survey | |
EP3079057B1 (en) | Method and device for realizing virtual machine introspection | |
CN108920253B (en) | Agent-free virtual machine monitoring system and monitoring method | |
KR20090067569A (en) | Windows kernel protection system using virtualization | |
CN110737888B (en) | Method for detecting attack behavior of kernel data of operating system of virtualization platform | |
CN109120618B (en) | Cloud platform controlled side channel attack detection method based on hardware virtualization | |
CN111428240A (en) | Method and device for detecting illegal access of memory of software | |
Mahapatra et al. | An online cross view difference and behavior based kernel rootkit detector | |
Petkovic et al. | A host based method for data leak protection by tracking sensitive data flow | |
US20220253524A1 (en) | Malware Detection System | |
Grizzard et al. | Re-establishing trust in compromised systems: recovering from rootkits that trojan the system call table | |
CN109697358A (en) | Application credible security method based on virtualization | |
Lombardi et al. | A security management architecture for the protection of kernel virtual machines |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190430 |