CN109697358A - Application credible security method based on virtualization - Google Patents


Info

Publication number
CN109697358A
Authority
CN
China
Prior art keywords
address
virtual machine
virtualization
application
security method
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811308343.9A
Other languages
Chinese (zh)
Inventor
姚一杨
陈建
戴波
王彦波
张旭东
龚小刚
叶志远
黄云
凡恒山
倪鹏程
蒲强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Zhejiang Electric Power Co Ltd
Anhui Jiyuan Software Co Ltd
Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
State Grid Zhejiang Electric Power Co Ltd
Anhui Jiyuan Software Co Ltd
Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd
Application filed by State Grid Zhejiang Electric Power Co Ltd, Anhui Jiyuan Software Co Ltd, Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd
Priority to CN201811308343.9A
Publication of CN109697358A
Legal status: Pending


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/565 Static detection by checking file integrity
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; interpretation; software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45591 Monitoring or debugging support
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The invention discloses an application trusted security method based on virtualization. Changes to the virtual machine's CPU registers are monitored in order to intercept kernel module and process load events inside the virtual machine; integrity verification is performed when modules and processes are loaded, verifying the integrity of the executable code while the load event is intercepted; process switch events are intercepted in real time; at each process switch event, the integrity of the corresponding application information is verified; if integrity verification fails at any of these points, an alarm is raised and system operation is terminated. The method first realizes code integrity verification when kernel modules and processes are loaded in the virtual machine; at the same time it intercepts application switch events in real time at run time and verifies the corresponding application information at each process switch, while remaining transparent to the monitored virtual machine. This ensures that the information is complete and hard to tamper with.

Description

Application credible security method based on virtualization
Technical field
The invention belongs to the field of communication reliability and relates to an application trusted security method, in particular an application trusted security method based on virtualization.
Background technique
Malware is a common tool of network crime and includes trojans and backdoors. After malware intrudes into a computing system it often damages normal system operation, degrades system performance and exposes important and private files to the risk of theft, posing a serious threat to computer users. Driven by various interests, malware is constantly developed and updated and has absorbed many mainstream attack techniques. Most malware today has the ability to resist trusted protection systems; AgoBot, for example, is immune to 105 kinds of protection system. A security monitoring system must therefore ensure that it is transparent to malware.
Traditional trusted protection systems can be divided into two classes by deployment position: host-based trusted protection systems and network-based protection systems. A host-based system is deployed together with the monitored computer system; it can obtain abundant monitoring information, but it is visible to malware and vulnerable to attack. A network-based system is deployed on a different host from the monitored system and obtains its monitoring information over the network; it has good transparency, but it obtains little information and the network becomes the system bottleneck. Both classes have shortcomings: neither can obtain abundant monitoring information while also guaranteeing the transparency of the trusted protection system.
Summary of the invention
The purpose of the present invention is to provide an application trusted security method based on virtualization which, building on hardware virtualization technology, improves on traditional trusted protection systems.
To achieve the above object, the present invention adopts the following technical scheme, an application trusted security method based on virtualization, in which:
changes to the virtual machine's CPU registers are monitored in order to intercept kernel module and process load events in the virtual machine;
integrity verification is carried out when modules and processes are loaded, verifying the integrity of the executable code while the load event is intercepted;
process switch events are intercepted in real time;
at each process switch event, the integrity of the corresponding application information is verified;
if integrity verification fails in any of the above steps, an alarm is raised and system operation is terminated.
Further, the step of intercepting load events and verifying the integrity of the executable code checks whether the executable code has changed, taking the first load as the standard and recording the hash value of each executable code when it is loaded; files in the virtual machine are read by loading a file system driver.
Further, verifying the integrity of the executable code while the load event is intercepted includes:
S1. obtaining the address of the string stored in the first parameter of the system call;
S2. reading the string contents at the address obtained in S1 to obtain the directory path of the content to be loaded;
S3. opening the file through the virtual machine monitor and computing the digest of the file;
S4. comparing the digest with the digest previously stored in the trusted data; if the digests match, the loaded content has not been tampered with and can be loaded safely; if they differ, an alarm is raised.
Further, when process switch events are intercepted, the virtual machine process list is obtained and the CPU utilization of each process is calculated.
Further, when intercepting switch events, the operating system's process switch consists of two steps:
S11. switching the Page Global Directory address to install a new address space: the CR3 register holds the process's global directory address, and the new process's address is written into CR3;
S22. then switching the kernel stack and hardware context: the process's kernel stack address is written into the ESP register. Tracking changes of the CR3 register therefore intercepts process switch events.
Further, the application related information is stored in the process descriptor, whose data type is struct task_struct; the process descriptor contains the process PID, the process name and the address of the next process's descriptor.
Further, obtaining the descriptor of the current process includes: the operating system allocates a separate memory area for each process, in which two different data structures are stored, one being the kernel-mode process stack and the other the process information; the process stack grows from top to bottom, and when a process switch occurs the ESP register indicates the address of the current process's stack.
Further, the address thread_info_addr of the process information structure thread_info is obtained from esp;
the address task_addr of the process descriptor is calculated from the offset of the task field in the thread_info structure;
the current process descriptor is obtained by reading virtual machine memory, and from the data held in the process descriptor the process PID, process name and similar information are obtained.
Further, obtaining the virtual machine process list includes: the operating system links all processes in a doubly linked list, and the process descriptor contains two pointers, prev pointing to the previous process descriptor and next pointing to the next one; on a process switch the current process descriptor is obtained by the method above, and by following the next pointer all processes in the current system are traversed, yielding the list of current processes and the information of each process.
Further, obtaining process CPU utilization includes: obtaining each process's CPU execution time from process switches and computing the process CPU utilization from it.
With the above technical scheme, the invention has the following advantages. The method first realizes code integrity verification when kernel modules and processes are loaded in the virtual machine; at the same time it intercepts application switch events in real time at run time and verifies the corresponding application information at each process switch, while remaining transparent to the monitored virtual machine. Based on hardware virtualization technology, it obtains system call and process switch information from inside the virtual machine by analysing changes to the virtual machine's CPU registers; this monitoring based on low-level virtual machine hardware information ensures that the information is complete and hard to tamper with. The security monitoring system is implemented here as a Linux system module that can be installed and uninstalled on demand, and a set of APIs for obtaining low-level virtual machine information has been developed for use by other developers. The security monitoring information is comprehensive and can serve as basic data for other security systems.
Compared with the prior art, existing code trust verification at system kernel load and application load time mainly uses kernel-based methods, that is, a new kernel module or new code is added to the kernel of the system under test (SUT) in order to intercept kernel load and application load events and verify them upon interception. Such methods have poor transparency, change the state of the system under test and incur the cost of secondary development. Moreover, the modified part is visible to an attacker and easily becomes an explicit target. In the present technique the verification module sits at the virtual machine monitor layer and obtains the same effect by intercepting the system from the virtual machine monitor. This method requires no modification of the system under test and is invisible to it.
Compared with another prior art, such as a virtual-machine-based file integrity monitoring system, whose essence is to implement file integrity protection, access control and similar functions at the virtual machine monitor layer, such systems work mainly by intercepting the virtual machine's IO operations, that is, every file operation is intercepted and monitored, and the overall overhead is large. The purpose of the present technical scheme is kernel load and application load integrity verification, so the capture point is the system load event rather than IO, which preserves system performance.
Detailed description of the invention
The present invention is further explained below with reference to the drawings:
Fig. 1 is a schematic diagram of the overall system architecture of the present invention;
Fig. 2 is a schematic diagram of the local verification method of the present invention.
Specific embodiment
Embodiment:
As shown in Figure 1, the present invention relates to an application trusted security method based on virtualization: changes to the virtual machine's CPU registers are monitored in order to intercept kernel module and process load events in the virtual machine; integrity verification is carried out when modules and processes are loaded, verifying the integrity of the executable code while the load event is intercepted; process switch events are intercepted in real time; at each process switch event, the integrity of the corresponding application information is verified; if integrity verification fails in any of these steps, an alarm is raised and system operation is terminated.
Using hardware virtualization technology, changes to the virtual machine's CPU registers are monitored, which first makes it possible to intercept kernel module and process load events in the virtual machine and to verify the integrity of the executable code during interception; at the same time, process switch events are intercepted in real time at run time and the corresponding application information is verified at each process switch. If integrity verification fails at any point, an alarm is raised and system operation is terminated, so that the whole system is kept trustworthy. The performance loss of the virtual machine under the present invention is less than 10%; no interaction with the operating system inside the virtual machine is needed, so the monitored system is fully transparent and the monitoring system is protected against infection; in addition, the present invention can be installed and uninstalled according to monitoring demand, avoiding useless loss of virtual machine performance when security monitoring is not needed.
In this embodiment, integrity verification at module load and application load time specifically includes the following.
Integrity verification at module load and process load time checks whether the executable code has changed; that is, the step of verifying the integrity of the executable code while the load event is intercepted checks whether the executable code has changed, taking the first load as the standard and recording the hash value of each executable code when it is loaded, and files in the virtual machine are read by loading a file system driver.
The Linux operating system implements application program loading through the execve system call (Windows implements process loading through the CreateProcess system call); the system call number of this call is 11 and its first parameter is the path of the executable code. Similarly, Linux implements module loading through the init_module system call, whose system call number is 175 and whose first parameter is also the path of the executable code.
Both events above implement integrity verification for module and application loading according to the following process. Verifying the integrity of the executable code while the load event is intercepted includes:
S1. obtaining the address of the string stored in the first parameter of the system call;
S2. reading the string contents at the address obtained in S1 to obtain the directory path of the content to be loaded;
S3. opening the file through the virtual machine monitor and computing the digest of the file;
S4. comparing the digest with the digest previously stored in the trusted data; if the digests match, the loaded content has not been tampered with and can be loaded safely; if they differ, an alarm is raised.
The digests of the loaded contents are stored in a hash list. The time complexity of looking up the hash value of a piece of executable code (find_md5) is O(1), and the time complexity of saving the hash value of a piece of executable code (save_md5) is also O(1), so the running time is proportional only to the file size N, and the overall time complexity of the above algorithm is O(N).
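Steps S1 to S4 together with the hash list, as an added Python simulation that is not part of the patent: guest memory, the guest file system and the syscall arguments are constructed stand-ins, the path is read from the string address in the first parameter, the digest is looked up in a dict (O(1) find_md5/save_md5), and the first load of each path becomes the recorded standard.

```python
"""Load-event integrity check (steps S1-S4) simulated in Python.

Constructed simulation: guest memory and the guest file system are plain
Python objects, and the hash list is a dict so find_md5/save_md5 are O(1).
"""
import hashlib

# 32-bit Linux system call numbers quoted on the page
SYS_EXECVE = 11        # application load: first parameter is the executable path
SYS_INIT_MODULE = 175  # kernel module load: first parameter is the module path

# Constructed guest memory holding the path strings the guest passes to the syscalls
GUEST_MEM = bytearray(0x2000)


def poke_cstring(mem: bytearray, addr: int, text: str) -> None:
    """Write a NUL-terminated string into the constructed guest memory."""
    raw = text.encode() + b"\0"
    mem[addr:addr + len(raw)] = raw


poke_cstring(GUEST_MEM, 0x1000, "/usr/bin/app")
poke_cstring(GUEST_MEM, 0x1100, "/lib/modules/net.ko")

# Constructed stand-in for reading guest files through the file system driver
GUEST_FS = {
    "/usr/bin/app": b"\x7fELF app build 1",
    "/lib/modules/net.ko": b"\x7fELF module build 1",
}


def read_cstring(mem: bytearray, addr: int) -> str:
    """S1/S2: follow the string address from the first parameter and read the path."""
    end = mem.index(b"\0", addr)
    return bytes(mem[addr:end]).decode()


def file_digest(data: bytes) -> str:
    """S3: digest of the file contents (MD5, matching the page's find_md5/save_md5 names)."""
    return hashlib.md5(data).hexdigest()


class LoadMonitor:
    """Verifies executable code at each intercepted load event."""

    def __init__(self, trusted=None):
        self.hash_list = dict(trusted or {})  # path -> trusted digest
        self.alarms = []

    def find_md5(self, path):                 # O(1) lookup in the hash list
        return self.hash_list.get(path)

    def save_md5(self, path, digest):         # O(1) insert into the hash list
        self.hash_list[path] = digest

    def on_syscall(self, nr, arg0, mem=GUEST_MEM, fs=GUEST_FS):
        """Return True (load allowed), False (alarm raised) or None (not a load event)."""
        if nr not in (SYS_EXECVE, SYS_INIT_MODULE):
            return None
        path = read_cstring(mem, arg0)                     # S1 + S2
        data = fs.get(path)
        if data is None:
            self.alarms.append((path, "file not readable from the monitor"))
            return False
        digest = file_digest(data)                         # S3
        known = self.find_md5(path)
        if known is None:
            # First load is taken as the standard and recorded in the hash list
            self.save_md5(path, digest)
            return True
        if known == digest:                                # S4: digests agree
            return True
        self.alarms.append((path, "digest mismatch"))      # S4: tampered content
        return False
```

Pre-loading `LoadMonitor(trusted={...})` with digests from a known-good image avoids trusting whatever happens to be loaded first.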
In this embodiment, run-time application integrity verification specifically includes the following.
Run-time application integrity verification works mainly by intercepting process switches: during a process switch, the information of the current application in the virtual machine is obtained and compared with the trusted information in a white list; if it matches, verification passes, otherwise the application is considered compromised. The following describes how process switches are intercepted using hardware virtualization technology, and how the virtual machine process list and process CPU utilization are obtained.
When intercepting switch events, the operating system's process switch consists of two steps:
S11. switching the Page Global Directory address to install a new address space: the CR3 register holds the process's global directory address, and the new process's address is written into CR3;
S22. then switching the kernel stack and hardware context: the process's kernel stack address is written into the ESP register. Tracking changes of the CR3 register therefore intercepts process switch events.
First the Page Global Directory address is switched to install a new address space: the CR3 register holds the process's global directory address, and the new process's address is written into CR3. Then the kernel stack and hardware context are switched, and the process's kernel stack address is written into the ESP register. The first step of a process switch writes the CR3 register, which generates a VmExit event and hands CPU control to the virtual machine monitor, so process switches can be intercepted by tracking CR3 register changes. Although the process switch has now been intercepted, no process-related information has been obtained at this point. The application related information is stored in the process descriptor, whose data type is struct task_struct; the process descriptor contains the process PID, the process name and the address of the next process's descriptor. In the Linux operating system the relevant information of a process is stored in its process descriptor of type struct task_struct, which contains the PID and name of the process and the descriptor address of the next process. Obtaining the descriptor of the current process therefore yields the basic information of the current process.
The following two subsections describe how the current process information and the current process list are obtained when a process switch is intercepted.
Obtaining the descriptor of the current process:
The operating system allocates a separate memory area for each process, in which two different data structures are stored, one being the kernel-mode process stack and the other the process information; the process stack grows from top to bottom, and when a process switch occurs the ESP register indicates the address of the current process's stack.
As shown in Fig. 2, the Linux operating system allocates a separate memory area (buffer) for each process; this area is usually 8 KB, occupies two consecutive page frames, and its start address is a multiple of 2^13. Two different data structures are stored in this area: the kernel-mode process stack and the process information structure struct thread_info, whose task field holds the address of the process descriptor. thread_info is located at the start of the area, the process stack grows from top to bottom, and when a process switch occurs the ESP register indicates the address of the current process's stack.
The relation between the current process's stack address and its process descriptor address has been described above; the ESP value esp is read from the ESP register, and the process descriptor address is calculated with the following formulas.
The address thread_info_addr of the process information structure thread_info is obtained from esp; the address task_addr of the process descriptor is calculated from the offset of the task field in the thread_info structure; the current process descriptor is obtained by reading virtual machine memory, and from the data held in the process descriptor the process PID, process name and similar information are obtained.
First, the address thread_info_addr of the thread_info structure is obtained from esp:
thread_info_addr = esp & 0xfffe0000;
Then the address task_addr of the process descriptor is calculated from the offset of the task field in the thread_info structure:
task_addr = thread_info_addr + offset(thread_info, task).
Finally the current process descriptor is obtained by reading virtual machine memory, and from the data held in the process descriptor the process PID, process name and similar information are obtained.
Obtaining the virtual machine process list:
The operating system links all processes in a doubly linked list, and the process descriptor contains two pointers: prev points to the previous process descriptor and next to the next one. On a process switch the current process descriptor is obtained by the method of the previous subsection, and by following the next pointer all processes in the current system are traversed, yielding the list of current processes and the information of each process.
The Linux operating system links all processes in a doubly linked list, and the process descriptor contains two pointers: prev points to the previous process descriptor and next to the descriptor of the next process. On a process switch the current process descriptor can be obtained by the method of the previous subsection, and the processes in the current system are then traversed through the next pointer to obtain the list of current processes and the information of each process.
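The esp-to-descriptor calculation and the next-pointer walk of the two subsections above, as an added Python example that is not part of the patent. It runs over a constructed 32-bit little-endian guest memory image with a simplified task_struct layout (pid, comm, prev, next) and an assumed thread_info.task offset of 0; the mask is derived from the 8 KB, 2^13-aligned stack area described in the text, which gives 0xffffe000 (the page prints 0xfffe0000, which would correspond to a 128 KB alignment).

```python
"""Current-process descriptor lookup and task-list walk over a constructed
32-bit little-endian guest memory image (not a real kernel layout)."""
import struct

THREAD_SIZE = 1 << 13                               # 8 KB stack area, 2^13-aligned
THREAD_MASK = (~(THREAD_SIZE - 1)) & 0xFFFFFFFF     # 0xffffe000 on a 32-bit guest
OFFSET_TASK = 0                                     # assumed offset of thread_info.task

# Constructed task_struct layout: pid u32 @0, comm char[16] @4, prev u32 @20, next u32 @24
TASK_FMT = "<I16sII"


def build_guest_memory():
    """Constructed image: three processes, each with a stack area and a task_struct."""
    mem = bytearray(0x20000)
    stacks = {1: 0x2000, 2: 0x4000, 3: 0x6000}      # stack bases, multiples of 2^13
    tasks = {1: 0x10000, 2: 0x10100, 3: 0x10200}    # descriptor addresses
    order = [1, 2, 3]                               # circular list 1 -> 2 -> 3 -> 1
    names = {1: b"init", 2: b"sshd", 3: b"bash"}
    for i, pid in enumerate(order):
        prev_pid = order[i - 1]
        next_pid = order[(i + 1) % len(order)]
        struct.pack_into(TASK_FMT, mem, tasks[pid], pid, names[pid].ljust(16, b"\0"),
                         tasks[prev_pid], tasks[next_pid])
        # thread_info sits at the start of the stack area; its task field points to the descriptor
        struct.pack_into("<I", mem, stacks[pid] + OFFSET_TASK, tasks[pid])
    return mem, stacks


def thread_info_addr(esp):
    """thread_info_addr = esp & mask."""
    return esp & THREAD_MASK


def task_field_addr(esp):
    """task_addr = thread_info_addr + offset(thread_info, task)."""
    return thread_info_addr(esp) + OFFSET_TASK


def current_task_struct(mem, esp):
    """Read guest memory at task_addr to obtain the current descriptor pointer."""
    return struct.unpack_from("<I", mem, task_field_addr(esp))[0]


def read_task(mem, addr):
    """Decode pid, name and the prev/next links of one descriptor."""
    pid, comm, prev, nxt = struct.unpack_from(TASK_FMT, mem, addr)
    return {"pid": pid, "comm": comm.split(b"\0", 1)[0].decode(), "prev": prev, "next": nxt}


def current_process(mem, esp):
    return read_task(mem, current_task_struct(mem, esp))


def process_list(mem, esp, limit=1024):
    """Walk next pointers from the current descriptor until the list wraps around.

    limit bounds the walk so a corrupted or unlinked list cannot loop forever.
    """
    start = current_task_struct(mem, esp)
    out, addr = [], start
    while len(out) < limit:
        t = read_task(mem, addr)
        out.append((t["pid"], t["comm"]))
        addr = t["next"]
        if addr == start:
            break
    return out


def verify_current(mem, esp, whitelist):
    """Run-time check: the current process name must appear in the trusted white list."""
    return current_process(mem, esp)["comm"] in whitelist
```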
tstartIt is process creation time, now is present time, trunIt is process CPU using temporal summation, then process Cpu busy percentage rate=trun/(now-tstart).There are multiple processes to run simultaneously in operating system, seizes between process CPU, the CPU of each process are equal to the summation for seizing the time every time using the time.tiTime after CPU, institute are seized for process i-th WithTime, that is, process seizes CPU runing time between process switching twice.It is when generation process switching System record will run process Pnext, last time run process PlastAnd the process switching time, then compare last time process switching Time can be with calculation procedure PlastSeize the CPU time.
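The accounting just described, as an added Python example that is not part of the patent: each intercepted switch charges the interval since the previous switch (one t_i) to P_last, and rate = t_run / (now - t_start) is evaluated on demand. The event trace is constructed, t_start is assumed to be the first switch at which a process is seen (a real monitor would read the creation time from the process descriptor), and the jump threshold is an assumed value.

```python
"""Process CPU utilization from intercepted process-switch events:
rate = t_run / (now - t_start), with t_run the sum of per-switch intervals t_i."""


class CpuAccounting:
    def __init__(self):
        self.t_start = {}        # pid -> creation time (assumption: first time seen)
        self.t_run = {}          # pid -> sum of t_i charged so far
        self.p_last = None       # process that has been running since the last switch
        self.t_switch = None     # time of the last switch

    def on_switch(self, now, p_next):
        """Intercepted switch: charge the elapsed interval t_i to P_last, then run P_next."""
        if self.p_last is not None:
            self.t_run[self.p_last] += now - self.t_switch
        self.t_start.setdefault(p_next, now)
        self.t_run.setdefault(p_next, 0.0)
        self.p_last, self.t_switch = p_next, now

    def run_time(self, pid, now):
        """t_run, including the not-yet-charged interval of the currently running process."""
        t = self.t_run.get(pid, 0.0)
        if pid == self.p_last:
            t += now - self.t_switch
        return t

    def utilization(self, pid, now):
        """rate = t_run / (now - t_start)."""
        elapsed = now - self.t_start[pid]
        return 0.0 if elapsed <= 0 else self.run_time(pid, now) / elapsed

    def snapshot(self, now):
        return {pid: self.utilization(pid, now) for pid in self.t_start}


def utilization_jumps(acct, now, history, threshold=0.5):
    """Flag processes whose rate rose by more than threshold since the previous snapshot.

    This is the sudden utilization change the page treats as suspicious; history is
    updated in place so successive calls compare against the last snapshot.
    """
    current = acct.snapshot(now)
    flagged = [pid for pid, r in current.items() if r - history.get(pid, 0.0) > threshold]
    history.update(current)
    return flagged


# Constructed switch trace: (switch time, P_next)
SAMPLE_SWITCHES = [(0, "A"), (10, "B"), (15, "A"), (25, "B")]


def run_sample(now=30):
    """Replay the constructed trace and return the utilization of every process at now."""
    acct = CpuAccounting()
    for t, p in SAMPLE_SWITCHES:
        acct.on_switch(t, p)
    return acct.snapshot(now)
```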
In addition to the preferred embodiment above, the invention has other embodiments; those skilled in the art can make various changes and modifications according to the invention, and as long as these do not depart from the spirit of the invention they fall within the scope defined by the appended claims.

Claims (10)

1. An application credible security method based on virtualization, characterized in that:
the variation of the virtual machine CPU registers is monitored, and kernel module and process load events in the virtual machine are intercepted;
integrity verification is carried out when a module or process is loaded: the load event is intercepted and the integrity of the executable code is verified in the process;
process switch events are intercepted in real time;
at each process switch event, the integrity of the corresponding application information is verified;
if integrity verification fails at any point in the above process, an alarm is raised and the system operation is terminated.
2. The application credible security method based on virtualization according to claim 1, characterized in that:
in the process of verifying the integrity of executable code during interception of a load event, the first load is taken as the baseline for checking whether the executable code has changed, and the hash value of each executable code is recorded when it is loaded; files in the virtual machine are read by means of a loaded file system driver.
3. The application credible security method based on virtualization according to claim 2, characterized in that verifying the integrity of executable code during interception of a load event comprises:
S1. obtaining the address of the string stored in the first parameter of the system call;
S2. reading the string content via the address from step S1 to obtain the file directory information of the content to be loaded;
S3. opening the file through the virtual machine monitor and computing the file digest;
S4. comparing it with the digest previously stored in the trusted data; if the digests are consistent, the content to be loaded has not been tampered with and can be loaded safely; if they are inconsistent, an alarm is raised.
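The S1 to S4 flow of claims 2 and 3, played through in C as an added example (not the patent's own code or that of the applicants): a constructed guest memory holds the path pointed to by the syscall's first argument, a constructed guest file system stands in for the file system driver the hypervisor uses to read the file, and a trust database is seeded by the first load and checked on every later one. Every path, file content and address is an assumption made for the example; the FNV-1a digest is only a placeholder so the block runs without a crypto library, where a deployment would use a cryptographic hash such as SHA-256.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated guest physical memory; the intercepted syscall's first argument
 * points at a NUL-terminated path string in here (constructed sample). */
#define GUEST_MEM_SIZE 4096
static uint8_t guest_mem[GUEST_MEM_SIZE];

/* Simulated guest file system as read through the hypervisor-side file system
 * driver of claim 2: path -> content. Constructed sample data. */
struct guest_file { const char *path; const char *content; };
static struct guest_file guest_fs[] = {
    { "/lib/modules/demo.ko", "original module bytes v1" },
    { "/usr/bin/app",         "original application bytes" },
};
#define NFILES (sizeof guest_fs / sizeof guest_fs[0])

/* Trust database: the digest recorded at first load is the baseline (claim 2). */
struct trust_entry { char path[128]; uint64_t digest; };
static struct trust_entry trust_db[16];
static size_t trust_db_len;

/* FNV-1a 64-bit, a placeholder digest that keeps the example self-contained;
 * a deployment would use a cryptographic hash such as SHA-256 here. */
static uint64_t digest_bytes(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* S1/S2: copy the NUL-terminated path at a guest address, bounds-checked. */
static int read_guest_string(uint64_t gva, char *out, size_t outlen) {
    for (size_t i = 0; gva + i < GUEST_MEM_SIZE && i + 1 < outlen; i++) {
        out[i] = (char)guest_mem[gva + i];
        if (out[i] == '\0') return 0;
    }
    return -1;  /* address out of range, or string unterminated / too long */
}

/* S3: open the file through the hypervisor and compute its digest. */
static int hypervisor_digest_file(const char *path, uint64_t *out) {
    for (size_t i = 0; i < NFILES; i++)
        if (strcmp(guest_fs[i].path, path) == 0) {
            *out = digest_bytes((const uint8_t *)guest_fs[i].content,
                                strlen(guest_fs[i].content));
            return 0;
        }
    return -1;
}

enum verdict { LOAD_OK, LOAD_FIRST_SEEN, LOAD_TAMPERED, LOAD_ERROR };

/* S4: handler for an intercepted load event whose first syscall argument
 * `arg0` is the guest address of the path to load. A known path with a
 * different digest is reported as tampered; an unknown path is recorded. */
static enum verdict on_load_event(uint64_t arg0) {
    char path[128];
    uint64_t d;
    if (read_guest_string(arg0, path, sizeof path) != 0) return LOAD_ERROR;
    if (hypervisor_digest_file(path, &d) != 0) return LOAD_ERROR;
    for (size_t i = 0; i < trust_db_len; i++)
        if (strcmp(trust_db[i].path, path) == 0)
            return trust_db[i].digest == d ? LOAD_OK : LOAD_TAMPERED;
    if (trust_db_len == sizeof trust_db / sizeof trust_db[0]) return LOAD_ERROR;
    snprintf(trust_db[trust_db_len].path, sizeof trust_db[0].path, "%s", path);
    trust_db[trust_db_len++].digest = d;
    return LOAD_FIRST_SEEN;
}

/* Demo helper: place a path string into guest memory at `gva`. */
static void guest_write_string(uint64_t gva, const char *s) {
    if (gva + strlen(s) + 1 <= GUEST_MEM_SIZE) memcpy(guest_mem + gva, s, strlen(s) + 1);
}

/* Scenario: the module is loaded twice unchanged, then its bytes are altered
 * on disk and loaded a third time. Returns 1 if all three verdicts match. */
static int demo(void) {
    guest_write_string(0x100, "/lib/modules/demo.ko");
    int r1 = on_load_event(0x100);                 /* baseline recorded   */
    int r2 = on_load_event(0x100);                 /* unchanged: OK       */
    guest_fs[0].content = "patched module bytes";  /* simulated tampering */
    int r3 = on_load_event(0x100);                 /* mismatch: alarm     */
    return r1 == LOAD_FIRST_SEEN && r2 == LOAD_OK && r3 == LOAD_TAMPERED;
}

int main(void) {
    printf("load verification scenario: %s\n", demo() ? "as expected" : "FAILED");
    return 0;
}
```

The handler returns a distinct verdict for the baseline recording, a consistent digest, a mismatch (the alarm of S4) and read failures, so a caller can apply claim 1's termination policy on LOAD_TAMPERED without silently ignoring an unreadable or out-of-range path.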
4. The application credible security method based on virtualization according to claim 1, characterized in that when the process switch event is intercepted, the virtual machine process list is obtained and the process CPU utilization is calculated.
5. The application credible security method based on virtualization according to claim 4, characterized in that, for the intercepted process switch event, the operating system performs two steps:
S11. switching the page global directory address to install a new address space: the CR3 register holds the address of the process's page global directory, and the new process's address is written into CR3;
S22. then switching the kernel stack and hardware context: the process's kernel stack address is written into the ESP register; tracking the change of the CR3 register thus implements interception of the process switch event.
6. The application credible security method based on virtualization according to claim 5, characterized in that the application-related information is stored in the process descriptor, of data type struct task_struct, and the process descriptor contains the process PID, the process name and the address of the next process's descriptor.
7. The application credible security method based on virtualization according to claim 6, characterized in that obtaining the current process descriptor comprises: the operating system allocates a separate memory area for each process, in which two different data structures are kept, one being the kernel-mode process stack and the other the process information; the process stack grows from top to bottom, and when a process switch occurs the ESP register indicates the address of the current process stack.
8. The application credible security method based on virtualization according to claim 7, characterized in that:
the address thread_info_addr of the process information structure thread_info is obtained from esp;
the address task_addr of the process descriptor is calculated from the offset of the task member within the thread_info structure;
the current process descriptor is obtained by reading virtual machine memory, and information such as the process PID and process name is obtained from the data kept in the process descriptor.
9. The application credible security method based on virtualization according to claim 8, characterized in that obtaining the virtual machine process list comprises: the operating system links all processes together in a doubly linked list, the process descriptor containing two pointers, prev pointing to the previous process descriptor and next pointing to the next one; at a process switch the current process descriptor is obtained by the descriptor method, and the processes of the whole current system are traversed via the next pointer to obtain the list of current processes and the information of each process.
10. The application credible security method based on virtualization according to claim 4, characterized in that obtaining the process CPU utilization comprises: obtaining the process's CPU execution time from the process switches and calculating the process CPU utilization.
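Claims 5 to 10 together describe one procedure, so the following added example (written for this page, not code from the patent or its applicants) plays it through in C against a constructed guest: a simulated guest physical memory with an assumed thread_info/task_struct layout, a sequence of VCPU register snapshots taken at VM exits, and from them the CR3-based switch detection, the ESP to thread_info to task_struct walk, the doubly linked process list and the per-process CPU utilization. All offsets, addresses, PIDs and timestamps are assumptions for the example; a real monitor takes the offsets from the guest kernel's build and the registers from the hypervisor's exit handler.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed guest layout (constructed for this example; a real monitor takes the
 * offsets from the monitored kernel's build): each task owns an 8 KiB region,
 * struct thread_info at its bottom, kernel stack growing down from its top. */
#define STACK_SIZE  0x2000u
#define TI_TASK_OFF 0x00u  /* thread_info.task -> task_struct address */
#define TS_PID_OFF  0x00u  /* task_struct.pid (4 bytes) */
#define TS_COMM_OFF 0x04u  /* task_struct.comm (16 bytes) */
#define TS_PREV_OFF 0x14u  /* task_struct.tasks.prev */
#define TS_NEXT_OFF 0x18u  /* task_struct.tasks.next */
#define MAX_TRACKED 8
static uint8_t mem[0x20000];  /* simulated guest physical memory, little-endian */
static uint32_t rd32(uint32_t a) { return mem[a] | mem[a + 1] << 8 | mem[a + 2] << 16 | (uint32_t)mem[a + 3] << 24; }
static void wr32(uint32_t a, uint32_t v) { for (int i = 0; i < 4; i++) mem[a + i] = (uint8_t)(v >> (8 * i)); }
struct proc_info { uint32_t pid; char comm[16]; uint32_t task_addr; };

/* Claims 7 and 8: ESP -> thread_info_addr -> task_addr -> pid and name. */
static struct proc_info current_process(uint32_t esp) {
    struct proc_info p;
    p.task_addr = rd32((esp & ~(STACK_SIZE - 1)) + TI_TASK_OFF);  /* thread_info_addr + task */
    p.pid = rd32(p.task_addr + TS_PID_OFF);
    memcpy(p.comm, mem + p.task_addr + TS_COMM_OFF, 16);
    p.comm[15] = '\0';
    return p;
}

/* Claim 9: walk the circular doubly linked task list from the current task. Each hop
 * is cross-checked against prev, so a corrupted or unlinked descriptor yields -1. */
static int process_list(uint32_t start_task, uint32_t *pids, int max) {
    int n = 0;
    uint32_t t = start_task, prev = rd32(start_task + TS_PREV_OFF);
    do {
        if (n == max || rd32(t + TS_PREV_OFF) != prev) return -1;
        pids[n++] = rd32(t + TS_PID_OFF);
        prev = t;
        t = rd32(t + TS_NEXT_OFF);
    } while (t != start_task);
    return n;
}

/* Claim 10: CPU time accumulated per process between switch events. */
struct cpu_acct { uint32_t pid; uint64_t run_ns; };
static struct cpu_acct acct[MAX_TRACKED];
static int nacct; static uint64_t total_ns;
static struct cpu_acct *acct_for(uint32_t pid) {
    for (int i = 0; i < nacct; i++) if (acct[i].pid == pid) return &acct[i];
    if (nacct == MAX_TRACKED) return NULL;
    acct[nacct].pid = pid; acct[nacct].run_ns = 0;
    return &acct[nacct++];
}
static double cpu_utilization(uint32_t pid) {
    struct cpu_acct *a = acct_for(pid);
    return (total_ns && a) ? (double)a->run_ns / (double)total_ns : 0.0;
}

/* VCPU snapshot at a VM exit after the switch completed (at the CR3-write exit
 * itself ESP still belongs to the outgoing task: claim 5's S11 precedes S22). */
struct vcpu_regs { uint32_t cr3, esp; uint64_t tsc_ns; };
static struct vcpu_regs last; static int have_last;

/* Claim 5: a changed CR3 is a new page global directory, i.e. a process switch. Time
 * since the previous exit is charged to the task that was running. Returns 1 on a switch. */
static int on_vmexit(struct vcpu_regs now, struct proc_info *now_running) {
    int switched = 0;
    if (have_last) {
        struct cpu_acct *a = acct_for(current_process(last.esp).pid);
        if (a) a->run_ns += now.tsc_ns - last.tsc_ns;
        total_ns += now.tsc_ns - last.tsc_ns;
        switched = now.cr3 != last.cr3;
    }
    if (switched && now_running) *now_running = current_process(now.esp);
    last = now; have_last = 1; return switched;
}

/* Constructed guest: three tasks in a circular list. Resets all state. */
static void build_demo_guest(void) {
    static const struct { uint32_t ti, ts, pid, prev, next; const char *comm; } t[] = {
        { 0x4000, 0x10000,  1, 0x10200, 0x10100, "init" },
        { 0x8000, 0x10100, 42, 0x10000, 0x10200, "app" },
        { 0xC000, 0x10200, 77, 0x10100, 0x10000, "sshd" } };
    memset(mem, 0, sizeof mem); nacct = 0; total_ns = 0; have_last = 0;
    for (int i = 0; i < 3; i++) {
        wr32(t[i].ti + TI_TASK_OFF, t[i].ts); wr32(t[i].ts + TS_PID_OFF, t[i].pid);
        memcpy(mem + t[i].ts + TS_COMM_OFF, t[i].comm, strlen(t[i].comm) + 1);
        wr32(t[i].ts + TS_PREV_OFF, t[i].prev); wr32(t[i].ts + TS_NEXT_OFF, t[i].next);
    }
}

int main(void) {                /* constructed VM-exit trace, ns timestamps */
    struct vcpu_regs trace[] = { { 0x1000, 0x5f00, 0 }, { 0x1000, 0x5f00, 10000000 },
                                 { 0x2000, 0x9f80, 30000000 }, { 0x1000, 0x5f00, 50000000 } };
    struct proc_info p = { 0, "", 0 }; uint32_t pids[MAX_TRACKED];
    build_demo_guest();
    for (int i = 0; i < 4; i++)
        if (on_vmexit(trace[i], &p)) printf("switch -> pid %u (%s)\n", (unsigned)p.pid, p.comm);
    printf("%d processes; init %.0f%%, app %.0f%%\n", process_list(p.task_addr, pids, MAX_TRACKED),
           100 * cpu_utilization(1), 100 * cpu_utilization(42));
    return 0;
}
```

Two details worth noting: the list walk checks each descriptor's prev pointer before following next, so an unlinked or corrupted descriptor yields -1 instead of an endless loop, and the CPU time between two exits is charged to the task identified from the ESP of the earlier snapshot, which is the task that actually ran in that interval.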

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201811308343.9A (CN109697358A) | 2018-11-05 | 2018-11-05 | Application credible security method based on virtualization

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201811308343.9A (CN109697358A) | 2018-11-05 | 2018-11-05 | Application credible security method based on virtualization

Publications (1)

Publication Number | Publication Date
CN109697358A | 2019-04-30

Family

ID=66229811

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN201811308343.9A (CN109697358A) | Application credible security method based on virtualization | 2018-11-05 | 2018-11-05 | Pending

Country Status (1)

Country | Link
CN (1) | CN109697358A

Citations (4)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN101593259A * | 2009-06-29 | 2009-12-02 | Beihang University | Software integrity verification method and system
CN103679025A * | 2013-11-26 | 2014-03-26 | Nanjing University of Posts and Telecommunications | Malicious code detection method based on dendritic cell algorithm
CN104007956A * | 2013-02-27 | 2014-08-27 | Huawei Technologies Co., Ltd. | Method and device for identifying and tracking operating system process and acquiring information
US9690719B2 * | 2014-09-11 | 2017-06-27 | Nxp Usa, Inc. | Mechanism for managing access to at least one shared integrated peripheral of a processing unit and a method of operating thereof


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party

Title
WEIXIN_30376509: "[Linux operating system analysis] Processes: process switching, process creation and destruction (operations)", HTTPS://BLOG.CSDN.NET/WEIXIN_30376509/ARTICLE/DETAILS/95970058 *
Deng Liang et al.: "An application protection method introducing an internal trusted base", Journal of Software *


Legal Events

Code | Title | Description
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20190430