CN111158945A - Kernel fault processing method and device, network security equipment and readable storage medium - Google Patents
Kernel fault processing method and device, network security equipment and readable storage medium Download PDFInfo
- Publication number
- CN111158945A CN111158945A CN201911424835.9A CN201911424835A CN111158945A CN 111158945 A CN111158945 A CN 111158945A CN 201911424835 A CN201911424835 A CN 201911424835A CN 111158945 A CN111158945 A CN 111158945A
- Authority
- CN
- China
- Prior art keywords
- kernel
- memory space
- fault
- information
- fault information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000003672 processing method Methods 0.000 title claims abstract description 6
- 230000015654 memory Effects 0.000 claims abstract description 189
- 238000004590 computer program Methods 0.000 claims abstract description 15
- 238000000034 method Methods 0.000 claims description 70
- 230000008569 process Effects 0.000 claims description 27
- 230000006870 function Effects 0.000 claims description 16
- 238000001914 filtration Methods 0.000 claims description 8
- 238000012545 processing Methods 0.000 claims description 8
- 230000036961 partial effect Effects 0.000 claims description 4
- 238000010586 diagram Methods 0.000 description 10
- 238000004891 communication Methods 0.000 description 4
- 238000004458 analytical method Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 230000002159 abnormal effect Effects 0.000 description 2
- 230000006835 compression Effects 0.000 description 2
- 238000007906 compression Methods 0.000 description 2
- 238000010276 construction Methods 0.000 description 2
- 230000010365 information processing Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 238000004806 packaging method and process Methods 0.000 description 2
- 239000000758 substrate Substances 0.000 description 2
- 241000109539 Conchita Species 0.000 description 1
- 108010001267 Protein Subunits Proteins 0.000 description 1
- 239000012792 core layer Substances 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000002708 enhancing effect Effects 0.000 description 1
- 230000000670 limiting effect Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000002265 prevention Effects 0.000 description 1
- 230000002829 reductive effect Effects 0.000 description 1
- 238000012827 research and development Methods 0.000 description 1
- 230000000717 retained effect Effects 0.000 description 1
- 230000002441 reversible effect Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0703—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
- G06F11/0766—Error or fault reporting or storing
- G06F11/0778—Dumping, i.e. gathering error/state information after a fault for later diagnosis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0703—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
- G06F11/079—Root cause analysis, i.e. error or fault diagnosis
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- Quality & Reliability (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Retry When Errors Occur (AREA)
- Debugging And Monitoring (AREA)
Abstract
The present disclosure provides a kernel fault processing method for a network security device, including: setting a memory space, wherein the memory space is used for storing one or more times of kernel fault information; adding a fault information output code in the kernel so as to write the fault information of the kernel into a memory space when the kernel fails; and when the kernel fails, writing the fault information of the kernel into the memory space so as to locate the fault of the kernel based on the fault information in the memory space. The present disclosure also provides a kernel fault handling apparatus for a network security device, a computer readable storage medium and a computer program product.
Description
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a kernel fault processing method for a network security device, a kernel fault processing apparatus for a network security device, a computer-readable storage medium, and a computer program product.
Background
The network security device usually adopts Linux as a basic kernel of an operating system, and configuration cutting and modification are carried out on the kernel. E.g., cutting out unused hardware device drivers such as AGP _ INTEL (for supporting chipsets such as I8xx and E7x 05); clipping some compression algorithms, such as the LZMA compression Algorithm (Lempel-Ziv-Markov chain-Algorithm); a kernel module is developed for enhancing network traffic handling capabilities. Different from devices such as a server/a desktop, the server/the desktop mostly adopts a release Linux system (such as centros, Ubuntu, etc.), generally has a comprehensive configuration for kernels, such as a kdump (Linux kernel crash capture mechanism based on kexec) configuration, a common authoritative vendor device drive configuration, and the like, is assisted by a file system with a powerful function, and has a perfect Linux system environment such as yum (software package manager) and a network (network basic service), but the system operation needs a large resource overhead. After the kernel of the Linux system runs and is restarted due to abnormal pancic (fault), error information and program call stack information during the last pancic can be obtained through var/log/messages (system log file directory of the Linux system).
However, in the network security device, the operating system is highly tailored and security-hardened, and the last running information is not retained after the system is abnormally restarted. Only when abnormal panic occurs, panic information is output to a serial port console of the network security device, and problem analysis and positioning are not convenient.
Disclosure of Invention
In view of the above, the present disclosure provides a kernel fault handling method for a network security device, a kernel fault handling apparatus for a network security device, a computer readable storage medium, and a computer program product.
One aspect of the present disclosure provides a kernel fault handling method for a network security device, including: setting a memory space, wherein the memory space is used for storing one or more times of kernel fault information; adding fault information output codes in the kernel so as to write the fault information of the kernel into the memory space when the kernel fails; and when the kernel fails, writing the fault information of the kernel into the memory space so as to locate the fault of the kernel based on the fault information in the memory space.
According to an embodiment of the present disclosure, the setting the memory space includes: acquiring kernel starting parameters; and writing the kernel starting parameter into a memory in the process of starting the kernel so as to indicate the memory to reserve the memory space.
According to an embodiment of the present disclosure, writing the fault information of the kernel into the memory space includes: filtering the fault information of the kernel to obtain filtered effective information for analyzing the kernel fault; and writing the effective information into the memory space.
According to an embodiment of the present disclosure, the valid information includes one or more of the following: the process name, the process identification number, the function calling hierarchical relation, the information of the local variable value in the function and the information of the system register value which cause the kernel fault.
According to an embodiment of the present disclosure, the method further includes: in the process of writing the fault information of the kernel into the memory space, judging whether the memory space has a blank space in which information is not written; deleting the written partial information in the memory space according to the time sequence of the written information written in the memory space under the condition that the blank space does not exist in the memory space so as to obtain a new blank space; and writing the fault information of the kernel into the new blank space.
According to an embodiment of the present disclosure, the method further includes: restarting the network security device before positioning the fault of the kernel based on the fault information in the memory space; in the process of restarting the network security equipment, starting a fault information dump program; checking whether the memory space has fault information or not through the fault information dump program; and storing the fault information in the memory space in a hard disk if the fault information exists in the memory space.
Another aspect of the present disclosure provides a core fault handling apparatus for a network security device, including: the device comprises a setting module, a judging module and a judging module, wherein the setting module is used for setting a memory space, and the memory space is used for storing one or more times of kernel fault information; an adding module, configured to add a fault information output code in the kernel, so that when the kernel fails, the fault information of the kernel is written into the memory space; and a writing module, configured to write the fault information of the kernel into the memory space when the kernel fails, so as to locate a fault of the kernel based on the fault information in the memory space.
According to an embodiment of the present disclosure, the setting module includes: the device comprises an acquisition unit, a processing unit and a control unit, wherein the acquisition unit is used for acquiring kernel starting parameters; and a write-in unit, configured to write the kernel start parameter into a memory in a process of starting the kernel, so as to indicate that the memory reserves the memory space.
According to an embodiment of the present disclosure, the apparatus further includes: the filtering module is used for filtering the fault information of the kernel to obtain filtered effective information for analyzing the kernel fault; and the writing module is used for writing the effective information into the memory space.
According to an embodiment of the present disclosure, the apparatus further includes: the judging module is used for judging whether the memory space has a blank space in which information is not written in the process of writing the fault information of the kernel into the memory space; a deleting module, configured to delete, according to a time sequence in which written information is written in the memory space, part of the written information in the memory space to obtain a new blank space when the blank space does not exist in the memory space; and the writing module is also used for writing the fault information of the kernel into the new blank space.
According to an embodiment of the present disclosure, the apparatus further includes: a restart module, configured to restart the network security device before a fault of the kernel is located based on the fault information in the memory space; the starting module is used for starting a fault information dump program in the process of restarting the network safety equipment; the checking module is used for checking whether the fault information exists in the memory space through the fault information dump program; and the storage module is used for storing the fault information in the memory space in a hard disk under the condition that the fault information exists in the memory space.
Another aspect of the present disclosure provides a network security device, including: one or more processors; a storage medium for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program product comprising executable instructions that, when executed by a processor, cause the processor to implement the method as described above.
According to the embodiment of the disclosure, a mode of modifying and perfecting a system kernel is adopted, a part of system memory is reserved firstly, fault information is selectively stored in the system memory when the kernel fails, and the size of the system memory can be set according to a product model. After the system is restarted, the information stored in the memory is read through a self-development program (namely, a fault information output code) so as to facilitate fault positioning.
According to the embodiment of the disclosure, the information can be processed, filtered out of redundancy and stored on the hard disk in the form of the user-defined file, multiple storage is supported, the file with longer storage time can be covered when the occupied space is larger, and the fault file can be sent back to the system server through the network according to the configuration. The method modifies and perfects the kernel, has the characteristics of no hardware cost and low memory space occupation, and effectively saves the system stack information in fault in real time under the condition of not influencing the performance and stability of the kernel.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates an exemplary system architecture to which the kernel fault handling method and apparatus for a network security device may be applied, according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow diagram of a method for kernel fault handling for a network security device, in accordance with an embodiment of the present disclosure;
FIG. 3 schematically shows a flow chart for setting a memory space according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart for writing fault information of a kernel to a memory space according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow diagram of a method for kernel fault handling for a network security device according to another embodiment of the present disclosure;
FIG. 6 schematically shows a flowchart for storing failure information in a memory space in a hard disk according to another embodiment of the present disclosure;
FIG. 7 is a block diagram that schematically illustrates an apparatus for handling a core fault for a network security device, in accordance with an embodiment of the present disclosure; and
fig. 8 schematically illustrates a block diagram of a network security device according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "A, B or at least one of C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
The embodiment of the disclosure provides a kernel fault processing method for network security equipment, which includes: setting a memory space, wherein the memory space is used for storing one or more times of kernel fault information; adding a fault information output code in the kernel so as to write the fault information of the kernel into a memory space when the kernel fails; and when the kernel fails, writing the fault information of the kernel into the memory space so as to locate the fault of the kernel based on the fault information in the memory space.
Fig. 1 schematically shows an exemplary system architecture to which the kernel fault handling method and apparatus for a network security device may be applied according to an embodiment of the present disclosure. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, the system architecture 100 according to this embodiment may include a network security device 101, a hard disk 102, and a server 103. The hard disk 102 may be included in the network security device 101; or may exist separately without being assembled into the network security device 101. The type of the hard disk 102 is not limited, and may be a mechanical hard disk of a SCSI interface, for example. The server 103 may be in a local computer room or a remote computer room.
According to an embodiment of the present disclosure, the network security device 101 may include an operating system, the operating system may include a system kernel, and when the system kernel is down, the fault information may be written into the memory, and the fault information processing program may read memory data from the memory, write the memory data into the hard disk 102 through the SATA interface, or send the memory data to the server 103 through the network.
Specifically, for example, after the kernel is started, a system memory space may be reserved, and when the kernel fails, stack information including failure information is cached in the reserved memory. After the system is restarted, the fault information processing program may store the data in the reserved memory in a file, and the network security device 101 may preliminarily and automatically analyze the cause of the kernel fault according to the file. The network security device 101 may remotely send a fault information file to the server 103, and a developer may analyze the fault reason according to the fault information file.
According to an embodiment of the present disclosure, the network security device 101 may include a firewall, an IPS (intrusion prevention system), an IDS (intrusion detection system), and other hardware devices based on network traffic monitoring in the network security field.
It should be understood that the number of network security devices, hard disks, and servers in fig. 1 are merely illustrative. There may be any number of network security devices, hard disks, and servers, as desired for implementation.
Fig. 2 schematically shows a flowchart of a kernel fault handling method for a network security device according to an embodiment of the present disclosure.
As shown in fig. 2, the method includes operations S210 to S230.
In operation S210, a memory space is set, where the memory space is used to store one or more times of kernel fault information.
According to the embodiment of the disclosure, the set memory space belongs to the reserved memory space, and can be specially used for storing the kernel fault information for one time or multiple times. The size of the memory space may be predetermined, for example, a space with a size of 4MB may be generally set to store multiple times of panic information (i.e., memory failure information).
In operation S220, a fault information output code is added to the kernel so that the fault information of the kernel is written into the memory space when the kernel fails.
According to the embodiment of the disclosure, an information output code for outputting fault information can be added to the kernel source code, and the process name, pid number (process identification number), function calling hierarchical relation, local variable value information in the function, system register value information and the like which cause the kernel fault are effectively stored.
From the perspective of improving the system kernel, fault information output codes are added, code structures are utilized in all links of starting, running and downtime of the system, and effective information in the system when the system is down (kernel faults) is saved in the mode of no hardware cost and less resource occupation (low memory occupation and disk space occupation).
In operation S230, when the kernel fails, the failure information of the kernel is written into the memory space, so that the failure of the kernel is located based on the failure information in the memory space.
According to the embodiment of the disclosure, writing the fault information of the kernel into the memory space may include filtering the fault information of the kernel to obtain filtered effective information for analyzing the fault of the kernel; and writing the valid information into the memory space. By writing the valid information into the memory space without writing all the fault information into the memory space, the memory space can be saved, so that the fault information can be saved for many times.
According to an embodiment of the present disclosure, the valid information may include one or more of: the process name, the process identification number, the function calling hierarchical relation, the information of the local variable value in the function and the information of the system register value which cause the kernel fault.
According to the embodiment of the disclosure, a mode of modifying and perfecting a system kernel is adopted, a part of system memory is reserved firstly, fault information is selectively stored in the system memory when the kernel fails, and the size of the system memory can be set according to a product model. After the system is restarted, the information stored in the memory is read by a self-development program (such as a fault information output code) so as to facilitate fault location.
The method disclosed by the invention can be operated in products with different architectures such as X86, ARM64, MIPS64 and the like, so that core fault information which happens in the operation process of network products can be stored, and a foundation is provided for the subsequent positioning of fault reasons.
Taking the fire wall equipment as an example, once the system is down, technical positioning is difficult to perform in the hands of customers, especially the reason analysis of the inner core layer. The method can effectively solve the problem, and the system can automatically send the file back to the system server or keep the file locally according to the configuration after storing the kernel fault information, and then deliver the file to a special kernel research and development personnel for positioning and analysis.
In addition, in the process of implementing the present disclosure, the inventor finds that if other independent systems are used on an additional hardware motherboard to read kernel fault information, when obtaining memory information for positioning, a system interrupt is required at the moment of kernel fault, and then hardware intervenes, at this time, a machine cannot be restarted, which also causes long-time interruption of service in an actual product, and the hardware motherboard needs to be attached to a hardware product, resulting in higher hardware cost. The method disclosed by the invention is lower in practical cost, does not need a hardware mainboard, can be effectively attached to a release product, and can effectively store the system fault information of a network product (such as a firewall) in an actual operation scene. In addition, the system is not required to be interrupted and is in a kernel fault state, and the interruption time of product service processing can be reduced.
The method shown in fig. 2 is further described with reference to fig. 3-6 in conjunction with specific embodiments.
Fig. 3 schematically shows a flowchart for setting a memory space according to an embodiment of the present disclosure.
As shown in FIG. 3, setting the memory space includes operations S310-S320.
In operation S310, kernel boot parameters are acquired.
In operation S320, during the kernel boot process, the kernel boot parameters are written into the memory so as to indicate that the memory reserves a memory space.
According to the embodiment of the disclosure, the size of the memory area needing to be reserved is transferred to the kernel by increasing the kernel boot parameters. For example, the memory area size is 1MB size space. After the kernel is started, the kernel starting parameters are read when the memory is initialized, a proper memory block is searched according to the size of the memory, the position of the reserved memory is determined according to the kernel starting parameters, and the memory block cannot be used in subsequent memory allocation. According to the embodiment of the present disclosure, the specific information of the block of memory may be recorded by a/proc/iomem file (a file recording the allocation condition of the physical address), which may include a start address and a size.
Through the embodiment of the disclosure, the memory space is preset, so that the memory space can be specially used for storing the fault information, and when the fault information needs to be analyzed, the fault information can be quickly positioned and acquired.
Fig. 4 schematically shows a flowchart for writing fault information of a core into a memory space according to an embodiment of the present disclosure.
As shown in fig. 4, the method includes operations S410 to S430.
In operation S410, in the process of writing the failure information of the kernel into the memory space, it is determined whether the memory space has a blank space into which information is not written.
According to the embodiment of the disclosure, since the space size of the reserved memory space is fixed, if multiple kernel failures occur, the memory space may be occupied. Therefore, before the fault information of the kernel is written into the memory space, or while the fault information is written into the memory space, whether the memory space has a blank space in which information is not written is judged.
In operation S420, in the case that there is no empty space in the memory space, the written partial information in the memory space is deleted according to the time sequence of the written information written in the memory space, so as to obtain a new empty space.
For example, the failure information written into the memory space at the earliest time is deleted, so that a new empty space is obtained in the memory. According to the embodiment of the disclosure, the data size required to be deleted can be determined according to the data size of the fault information to be written at this time, and then the data size required to be deleted can be deleted according to the time sequence written into the memory space.
In operation S430, the failure information of the kernel is written in the new empty space.
According to the embodiment of the disclosure, if the occupied space of the kernel fault information to be written is large, a new blank space can be left, so that the kernel fault information can be stored in the memory, and the excessive memory space occupied by the kernel fault information is avoided due to the fixed memory space.
Fig. 5 schematically illustrates a flowchart of a kernel fault handling method for a network security device according to another embodiment of the present disclosure.
In this embodiment, operations S210 to S230 shown in fig. 2 may be included, and for brevity of description, the details are not repeated herein. As shown in fig. 5, the method includes operations S510 to S540.
In operation S510, before locating a failure of the kernel based on the failure information in the memory space, the network security device is restarted.
In operation S520, in the process of restarting the network security device, a failure dump procedure is started.
In operation S530, it is checked whether there is failure information in the memory space by the failure information dump program.
According to the embodiment of the disclosure, when the kernel fails, the system can be restarted, the network security device can automatically start a fault information dump program in the starting process, and check whether fault information exists in the reserved memory area, so that the fault information is prevented from being lost after repeated restarting or power-off of the device.
In operation S540, in the case where there is the failure information in the memory space, the failure information in the memory space is stored in the hard disk.
According to the embodiment of the disclosure, if the fault information exists in the memory space, the fault information can be stored in a file, and whether the fault information is sent back to the system server or not and whether the fault information is kept locally or not is selected according to the configuration of the network security equipment. The fault dump program may have three incoming parameters, which are the/dev/mem device file (through which the user mode program can access the memory through the physical memory address), the offset address, and the path of the generated file. The fault information dump program can also process and verify the contents of the memory fields, filter the contents of the memory fields to obtain valid information, write the contents of the memory fields to a disk file and the like.
Fig. 6 schematically shows a flowchart for storing failure information in a memory space in a hard disk according to another embodiment of the present disclosure.
As shown in fig. 6, the method includes operations S610 to S650.
In operation S610, it is determined whether data exists in the reserved memory.
In operation S620, if data exists in the reserved memory, the memory data is read, and the failure information is obtained.
In operation S630, the failure information is processed to obtain valid information. For example, the failure information is verified and filtered, etc.
In operation S640, valid information, for example, a function call relation, a register value, etc., is stored in a disk file or transmitted to a server.
In operation S650, if there is no data in the reserved memory, it may be determined again whether there is data in the reserved memory at a certain time interval or after the system is restarted.
According to the embodiment of the disclosure, the information can be processed, filtered out of redundancy, and then stored on the hard disk in the form of a user-defined file, multiple storage is supported, and a fault file can be sent back to a system server through a network according to configuration. The method modifies and perfects the kernel, has the characteristics of no hardware cost and low memory space occupation, and effectively saves the system stack information in fault in real time under the condition of not influencing the performance and stability of the kernel.
Through the embodiment of the disclosure, the system hard disk space and the memory space occupied by the system hard disk space are small, and the method is suitable for embedded products with tense system resources, such as kernel height cutting and the like.
Fig. 7 schematically shows a block diagram of a core fault handling apparatus for a network security device according to an embodiment of the present disclosure.
As shown in fig. 7, the core failure handling apparatus 700 for a network security device includes a setting module 710, an adding module 720, and a writing module 730.
The setting module 710 is configured to set a memory space, where the memory space is used to store one or more times of kernel fault information.
The adding module 720 is configured to add a fault information output code in the kernel, so that when the kernel fails, the fault information of the kernel is written into the memory space.
The writing module 730 is configured to analyze the fault information in the memory space after writing the fault information of the kernel into the memory space, so as to locate the fault of the kernel.
According to an embodiment of the present disclosure, the setup module 710 includes an acquisition unit and a writing unit.
The obtaining unit is used for obtaining the kernel starting parameter.
The write-in unit is used for writing the kernel starting parameter into the memory in the kernel starting process so as to indicate the memory to reserve a memory space.
According to an embodiment of the present disclosure, the core fault handling apparatus 700 for a network security device further includes a filtering module.
The filtering module is used for filtering the fault information of the kernel to obtain the filtered effective information for analyzing the kernel fault.
The writing module is further used for writing the valid information into the memory space.
According to the embodiment of the present disclosure, the core failure processing apparatus 700 for a network security device further includes a determining module and a deleting module.
The judging module is used for judging whether the memory space has a blank space in which information is not written in the process of writing the fault information of the kernel into the memory space.
The deleting module is used for deleting the written partial information in the memory space according to the time sequence of the written information written in the memory space under the condition that the memory space does not have a blank space, so as to obtain a new blank space.
The writing module is also used for writing the fault information of the kernel into the new blank space.
According to an embodiment of the present disclosure, the apparatus 700 for handling a core fault of a network security device further includes a restart module, a start module, a check module, and a storage module.
The restarting module is used for restarting the network security equipment before the fault of the kernel is positioned based on the fault information in the memory space.
The starting module is used for starting a fault information dump program in the process of restarting the network security equipment.
The checking module is used for checking whether the fault information exists in the memory space through a fault information dump program.
The storage module is used for storing the fault information in the memory space in the hard disk under the condition that the fault information exists in the memory space.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any number of the setup module 710, the add module 720, and the write module 730 may be combined into one module/unit/sub-unit to be implemented, or any one of the modules/units/sub-units may be split into a plurality of modules/units/sub-units. Alternatively, at least part of the functionality of one or more of these modules/units/sub-units may be combined with at least part of the functionality of other modules/units/sub-units and implemented in one module/unit/sub-unit. According to an embodiment of the present disclosure, at least one of the setting module 710, the adding module 720 and the writing module 730 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware by any other reasonable manner of integrating or packaging a circuit, or may be implemented in any one of or a suitable combination of software, hardware and firmware. Alternatively, at least one of the setting module 710, the adding module 720 and the writing module 730 may be at least partially implemented as a computer program module, which when executed may perform a corresponding function.
According to an embodiment of the present disclosure, there is also provided a network security device, including: one or more processors; a storage medium to store one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the methods of embodiments of the present disclosure.
Fig. 8 schematically illustrates a block diagram of a network security device according to an embodiment of the present disclosure. The computer system illustrated in FIG. 8 is only one example and should not impose any limitations on the scope of use or functionality of embodiments of the disclosure.
As shown in fig. 8, a network security device 800 according to an embodiment of the present disclosure includes a processor 801 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. The processor 801 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 801 may also include onboard memory for caching purposes. The processor 801 may include a single processing unit or multiple processing units for performing different actions of the method flows according to embodiments of the present disclosure.
In the RAM 803, various programs and data necessary for the operation of the network security apparatus 800 are stored. The processor 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. The processor 801 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 802 and/or RAM 803. Note that the programs may also be stored in one or more memories other than the ROM 802 and RAM 803. The processor 801 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 809 and/or installed from the removable medium 811. The computer program, when executed by the processor 801, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to implement the methods of the embodiments of the present disclosure. The computer-readable storage medium may be embodied in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to an embodiment of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 802 and/or RAM 803 described above and/or one or more memories other than the ROM 802 and RAM 803.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.
Claims (10)
1. A kernel fault processing method for a network security device comprises the following steps:
setting a memory space, wherein the memory space is used for storing one or more times of kernel fault information;
adding a fault information output code in the kernel so as to write the fault information of the kernel into the memory space when the kernel fails; and
and when the kernel fails, writing the fault information of the kernel into the memory space so as to locate the fault of the kernel based on the fault information in the memory space.
2. The method of claim 1, wherein the setting memory space comprises:
acquiring kernel starting parameters; and
and in the process of starting the kernel, writing the kernel starting parameter into a memory so as to indicate the memory to reserve the memory space.
3. The method of claim 1, wherein writing fault information for the kernel to the memory space comprises:
filtering the fault information of the kernel to obtain filtered effective information for analyzing the kernel fault; and
and writing the effective information into the memory space.
4. The method of claim 1, wherein the valid information comprises at least one of:
the process name causing the kernel fault, the function calling hierarchical relation, the local variable value information in the function and the system register value information.
5. The method of claim 1, further comprising:
in the process of writing the fault information of the kernel into the memory space, judging whether the memory space has a blank space in which information is not written;
deleting the written partial information in the memory space according to the time sequence of the written information written in the memory space under the condition that the blank space does not exist in the memory space so as to obtain a new blank space; and
and writing the fault information of the kernel into the new blank space.
6. The method of claim 1, further comprising:
restarting the network security device before positioning the fault of the kernel based on the fault information in the memory space;
starting a fault information dump program in the process of restarting the network security equipment;
checking whether fault information exists in the memory space through the fault information dump program; and
and under the condition that the fault information exists in the memory space, storing the fault information in the memory space in a hard disk.
7. A core fault handling apparatus for a network security device, comprising:
the device comprises a setting module, a memory space and a processing module, wherein the setting module is used for setting the memory space, and the memory space is used for storing one or more times of kernel fault information;
the increasing module is used for increasing a fault information output code in the kernel so as to write the fault information of the kernel into the memory space when the kernel fails; and
and the writing module is used for writing the fault information of the kernel into the memory space when the kernel fails so as to locate the fault of the kernel based on the fault information in the memory space.
8. A network security appliance comprising:
one or more processors;
a storage medium for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-6.
9. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1 to 6.
10. A computer program product comprising executable instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911424835.9A CN111158945B (en) | 2019-12-31 | 2019-12-31 | Kernel fault processing method, device, network security equipment and readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911424835.9A CN111158945B (en) | 2019-12-31 | 2019-12-31 | Kernel fault processing method, device, network security equipment and readable storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111158945A true CN111158945A (en) | 2020-05-15 |
| CN111158945B CN111158945B (en) | 2023-12-22 |
Family
ID=70560687
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911424835.9A Active CN111158945B (en) | 2019-12-31 | 2019-12-31 | Kernel fault processing method, device, network security equipment and readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111158945B (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113687971A (en) * | 2021-08-24 | 2021-11-23 | 杭州迪普科技股份有限公司 | Method and device for generating memory mapping file |
| CN113900914A (en) * | 2020-06-22 | 2022-01-07 | 阿里巴巴集团控股有限公司 | Exception handling method and device, electronic equipment and computer storage medium |
| CN114706708A (en) * | 2022-05-24 | 2022-07-05 | 北京拓林思软件有限公司 | Fault analysis method and system for Linux operating system |
| CN116882966A (en) * | 2023-06-27 | 2023-10-13 | 广州慧云网络科技有限公司 | Fault judging method and device for inspection result of operation and maintenance equipment |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030120968A1 (en) * | 2001-08-31 | 2003-06-26 | Bull Hn Information Systems Inc. | Preserving dump capability after a fault-on-fault or related type failure in a fault tolerant computer system |
| CN102662785A (en) * | 2012-04-12 | 2012-09-12 | 青岛海信移动通信技术股份有限公司 | Method and device for acquiring kernel error messages of Android system |
| CN104360939A (en) * | 2014-10-29 | 2015-02-18 | 中国建设银行股份有限公司 | Method, equipment and system for positioning fault |
| WO2017148271A1 (en) * | 2016-03-04 | 2017-09-08 | 中兴通讯股份有限公司 | Linux system reset processing method and device, and computer storage medium |
| CN107832166A (en) * | 2017-11-27 | 2018-03-23 | 郑州云海信息技术有限公司 | A kind of Linux server is delayed machine trouble analysis system and method |
| CN109426606A (en) * | 2017-08-23 | 2019-03-05 | 东软集团股份有限公司 | Kernel failure diagnosis information processing method, device, storage medium and electronic equipment |
-
2019
- 2019-12-31 CN CN201911424835.9A patent/CN111158945B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030120968A1 (en) * | 2001-08-31 | 2003-06-26 | Bull Hn Information Systems Inc. | Preserving dump capability after a fault-on-fault or related type failure in a fault tolerant computer system |
| CN102662785A (en) * | 2012-04-12 | 2012-09-12 | 青岛海信移动通信技术股份有限公司 | Method and device for acquiring kernel error messages of Android system |
| CN104360939A (en) * | 2014-10-29 | 2015-02-18 | 中国建设银行股份有限公司 | Method, equipment and system for positioning fault |
| WO2017148271A1 (en) * | 2016-03-04 | 2017-09-08 | 中兴通讯股份有限公司 | Linux system reset processing method and device, and computer storage medium |
| CN109426606A (en) * | 2017-08-23 | 2019-03-05 | 东软集团股份有限公司 | Kernel failure diagnosis information processing method, device, storage medium and electronic equipment |
| CN107832166A (en) * | 2017-11-27 | 2018-03-23 | 郑州云海信息技术有限公司 | A kind of Linux server is delayed machine trouble analysis system and method |
Non-Patent Citations (3)
| Title |
|---|
| HAO ZHENG ET.AL.: ""Improving Virtual Machine Reliability with Driver Fault Isolation"", 《2013 14TH ACIS INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING, ARTIFICIAL INTELLIGENCE, NETWORKING AND PARALLEL/DISTRIBUTED COMPUTING》 * |
| 乔少明: ""龙芯多核处理器多线程故障恢复系统设计与实现"", 《中国优秀硕士学位论文全文数据库信息科技辑》, vol. 2017, no. 02, pages 137 - 58 * |
| 朱怡安;史佳龙;: "基于补偿回滚的操作系统故障自恢复技术", 西北工业大学学报, vol. 33, no. 05, pages 709 - 715 * |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113900914A (en) * | 2020-06-22 | 2022-01-07 | 阿里巴巴集团控股有限公司 | Exception handling method and device, electronic equipment and computer storage medium |
| CN113687971A (en) * | 2021-08-24 | 2021-11-23 | 杭州迪普科技股份有限公司 | Method and device for generating memory mapping file |
| CN114706708A (en) * | 2022-05-24 | 2022-07-05 | 北京拓林思软件有限公司 | Fault analysis method and system for Linux operating system |
| CN114706708B (en) * | 2022-05-24 | 2022-08-30 | 北京拓林思软件有限公司 | Fault analysis method and system for Linux operating system |
| CN116882966A (en) * | 2023-06-27 | 2023-10-13 | 广州慧云网络科技有限公司 | Fault judging method and device for inspection result of operation and maintenance equipment |
| CN116882966B (en) * | 2023-06-27 | 2024-04-19 | 广东慧云科技股份有限公司 | Fault judging method and device for inspection result of operation and maintenance equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111158945B (en) | 2023-12-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111158945B (en) | Kernel fault processing method, device, network security equipment and readable storage medium | |
| US11392461B2 (en) | Method and apparatus for processing information | |
| TWI544328B (en) | Method and system for probe insertion via background virtual machine | |
| US10067692B2 (en) | Method and apparatus for backing up and restoring cross-virtual machine application | |
| US10061651B2 (en) | System and method for hosting multiple recovery operating systems in memory | |
| US10802847B1 (en) | System and method for reproducing and resolving application errors | |
| CN108304209B (en) | Firmware upgrading method and firmware upgrading system | |
| US9954958B2 (en) | Shared resource management | |
| US10430261B2 (en) | Detecting a guest operating system crash on a virtual computing instance | |
| US11586513B2 (en) | Live migrating virtual machines to a target host upon fatal memory errors | |
| JP2007133544A (en) | Failure information analysis method and its implementation device | |
| CN111090546B (en) | Method, device and equipment for restarting operating system and readable storage medium | |
| US8949588B1 (en) | Mobile telephone as bootstrap device | |
| US9454485B2 (en) | Sharing local cache from a failover node | |
| US9026777B2 (en) | Automatic update of persistent boot parameter storage | |
| US9792168B2 (en) | System and method for cloud remediation of a client with a non-bootable storage medium | |
| CN111737088B (en) | Log acquisition method and device, electronic equipment and medium | |
| US8122203B2 (en) | Serviceability level indicator processing for storage alteration | |
| CN108156048A (en) | It is a kind of to realize the method and apparatus that application crashes information is obtained in complex scene | |
| US20100268993A1 (en) | Disablement of an exception generating operation of a client system | |
| US20230025126A1 (en) | Virtualization layer assisted upgrading of in-guest agents | |
| US20240020103A1 (en) | Parallelizing data processing unit provisioning | |
| US11977431B2 (en) | Memory error prevention by proactive memory poison recovery | |
| US11709683B2 (en) | State semantics kexec based firmware update | |
| JP2016076152A (en) | Error detection system, error detection method, and error detection program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information |
Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088 Applicant after: QAX Technology Group Inc. Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd. Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088 Applicant before: QAX Technology Group Inc. Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc. |
|
| CB02 | Change of applicant information | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |