CN111158945B - Kernel fault processing method, device, network security equipment and readable storage medium - Google Patents

Publication number
CN111158945B
Authority
CN
China
Prior art keywords
kernel
memory space
information
fault
fault information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911424835.9A
Other languages
Chinese (zh)
Other versions
CN111158945A (en
Inventor
赵楠
王凯峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qax Technology Group Inc, Secworld Information Technology Beijing Co Ltd filed Critical Qax Technology Group Inc
Priority to CN201911424835.9A priority Critical patent/CN111158945B/en
Publication of CN111158945A publication Critical patent/CN111158945A/en
Application granted granted Critical
Publication of CN111158945B publication Critical patent/CN111158945B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0766Error or fault reporting or storing
    • G06F11/0778Dumping, i.e. gathering error/state information after a fault for later diagnosis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/079Root cause analysis, i.e. error or fault diagnosis

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Retry When Errors Occur (AREA)

Abstract

The present disclosure provides a kernel fault processing method for a network security device, including: setting a memory space, where the memory space is used to store kernel fault information from one or more faults; adding fault information output code to the kernel so that the kernel's fault information is written into the memory space when the kernel fails; and, when the kernel fails, writing the kernel's fault information into the memory space so that the kernel fault can be located based on the fault information in the memory space. The present disclosure also provides a kernel fault processing apparatus for a network security device, a computer-readable storage medium, and a computer program product.

Description

Kernel fault processing method, device, network security equipment and readable storage medium
Technical Field
The present disclosure relates to the field of computer technology, and more particularly, to a kernel failure processing method for a network security device, a kernel failure processing apparatus for a network security device, a computer-readable storage medium, and a computer program product.
Background
Network security devices typically use Linux as the base kernel of their operating system, with the kernel configuration trimmed and modified. For example, unused hardware device drivers such as agp_intel (which supports chipsets such as I8xx and E7x05) are removed; compression algorithms such as LZMA (Lempel-Ziv-Markov chain Algorithm) are trimmed; and kernel modules are developed to enhance network traffic handling. Servers and desktops are different: they mostly run a Linux distribution (such as CentOS or Ubuntu) and generally have a comprehensive kernel configuration, such as kdump (a kexec-based Linux kernel crash capture mechanism) and drivers for devices from common mainstream vendors, backed by a powerful file system, so they have a complete Linux environment including yum (a software package manager) and network (the basic network service), but running the system requires more resources. When a Linux distribution restarts after an abnormal kernel panic (fault), the error information, the program's call stack and so on from the last panic can be obtained through /var/log/messages (the system log file of a Linux distribution).
However, in a network security device the operating system is heavily trimmed and hardened, and information from the last run is not retained after the system restarts because of a panic. The panic information is only output to the serial console of the network security device at the moment the panic occurs, which makes problem analysis and fault locating inconvenient.
Disclosure of Invention
In view of this, the present disclosure provides a kernel fault processing method for a network security device, a kernel fault processing apparatus for a network security device, a computer-readable storage medium, and a computer program product.
One aspect of the present disclosure provides a kernel fault processing method for a network security device, including: setting a memory space, where the memory space is used to store kernel fault information from one or more faults; adding fault information output code to the kernel so that the kernel's fault information is written into the memory space when the kernel fails; and, when the kernel fails, writing the kernel's fault information into the memory space so that the kernel fault can be located based on the fault information in the memory space.
According to an embodiment of the present disclosure, the setting the memory space includes: acquiring kernel starting parameters; and writing the kernel starting parameters into a memory in the process of starting the kernel so as to indicate the memory to reserve the memory space.
According to an embodiment of the present disclosure, writing the fault information of the kernel into the memory space includes: filtering the fault information of the kernel to obtain filtered effective information for analyzing the kernel fault; and writing the effective information into the memory space.
According to an embodiment of the present disclosure, the above-mentioned effective information includes one or more of the following: the process name, the process identification number, the function call hierarchy relation, the local variable value information in the function and the system register value information which lead to the kernel fault.
According to an embodiment of the present disclosure, the method further includes: in the process of writing the fault information of the kernel into the memory space, determining whether the memory space has blank space in which no information has been written; when the memory space has no such blank space, deleting part of the written information in the memory space according to the order in which it was written, so as to obtain a new blank space; and writing the fault information of the kernel into the new blank space.
According to an embodiment of the present disclosure, the method further includes: restarting the network security device before locating the fault of the kernel based on the fault information in the memory space; starting a fault information dump program while the network security device restarts; checking, through the fault information dump program, whether fault information exists in the memory space; and, when fault information exists in the memory space, storing it on the hard disk.
Another aspect of the present disclosure provides a kernel fault processing apparatus for a network security device, including: a setting module, configured to set a memory space, where the memory space is used to store kernel fault information from one or more faults; an adding module, configured to add fault information output code to the kernel so that the kernel's fault information is written into the memory space when the kernel fails; and a writing module, configured to write the kernel's fault information into the memory space when the kernel fails, so that the kernel fault can be located based on the fault information in the memory space.
According to an embodiment of the present disclosure, the setting module includes: the acquisition unit is used for acquiring the kernel starting parameters; and a writing unit, configured to write the kernel start parameter into a memory during the process of starting the kernel, so as to indicate that the memory reserves the memory space.
According to an embodiment of the present disclosure, the apparatus further includes: the filtering module is used for filtering the fault information of the kernel to obtain filtered effective information for analyzing the kernel fault; and the writing module is used for writing the effective information into the memory space.
According to an embodiment of the present disclosure, the apparatus further includes: a judging module, configured to determine, in the process of writing the fault information of the kernel into the memory space, whether the memory space has blank space in which no information has been written; and a deleting module, configured to delete, when the memory space has no such blank space, part of the written information in the memory space according to the order in which it was written, so as to obtain a new blank space. The writing module is further configured to write the fault information of the kernel into the new blank space.
According to an embodiment of the present disclosure, the apparatus further includes: a restarting module, configured to restart the network security device before locating a failure of the kernel based on the failure information in the memory space; the starting module is used for starting a fault information dump program in the process of restarting the network security equipment; the checking module is used for checking whether fault information exists in the memory space through the fault information dump program; and the storage module is used for storing the fault information in the memory space in the hard disk under the condition that the fault information exists in the memory space.
Another aspect of the present disclosure provides a network security device, comprising: one or more processors; a storage medium storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions that, when executed, are configured to implement a method as described above.
Another aspect of the present disclosure provides a computer program product comprising executable instructions which, when executed by a processor, cause the processor to implement a method as described above.
According to the embodiment of the disclosure, the system kernel is modified and improved so that a part of system memory is reserved first, and fault information is selectively stored in that memory when the kernel fails; the size of the memory can be set according to the product model. After the system restarts, the information stored in the memory is read by a self-developed program (namely the fault information output code) to facilitate fault locating.
According to the embodiment of the disclosure, the information can be processed, have redundant content filtered out, and then be stored on the hard disk in the form of a custom file. Information from multiple faults can be stored, the files that have been stored longest can be overwritten when the occupied space becomes large, and fault files can be sent back to the system server over the network according to configuration. The method modifies and improves the kernel, has no hardware cost and a low memory footprint, and effectively saves the system stack information at the time of the fault in real time without affecting the performance and stability of the kernel.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments thereof with reference to the accompanying drawings in which:
FIG. 1 schematically illustrates an exemplary system architecture to which kernel failure processing methods and apparatus for network security devices may be applied, in accordance with embodiments of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a kernel failure handling method for a network security device in accordance with an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart for setting up memory space according to an embodiment of the disclosure;
FIG. 4 schematically illustrates a flow chart for writing failure information of a kernel to a memory space according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow chart of a method of kernel failure handling for a network security device in accordance with another embodiment of the present disclosure;
FIG. 6 schematically illustrates a flow chart for storing failure information in a memory space in a hard disk according to another embodiment of the present disclosure;
FIG. 7 schematically illustrates a block diagram of a kernel failure handling apparatus for a network security device, in accordance with an embodiment of the present disclosure; and
FIG. 8 schematically illustrates a block diagram of a network security device in accordance with an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where an expression like "at least one of A, B and C, etc." is used, it should generally be interpreted in accordance with the meaning commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together). Where an expression like "at least one of A, B or C, etc." is used, it should likewise generally be interpreted in accordance with the ordinary understanding of one skilled in the art (e.g., "a system having at least one of A, B or C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together).
The embodiment of the disclosure provides a kernel fault processing method for a network security device, which includes the following steps: setting a memory space, where the memory space is used to store kernel fault information from one or more faults; adding fault information output code to the kernel so that the kernel's fault information is written into the memory space when the kernel fails; and, when the kernel fails, writing the kernel's fault information into the memory space so that the kernel fault can be located based on the fault information in the memory space.
Fig. 1 schematically illustrates an exemplary system architecture to which the kernel failure processing methods and apparatuses for network security devices may be applied, according to embodiments of the present disclosure. It should be noted that fig. 1 is only an example of a system architecture to which embodiments of the present disclosure may be applied to assist those skilled in the art in understanding the technical content of the present disclosure, but does not mean that embodiments of the present disclosure may not be used in other devices, systems, environments, or scenarios.
As shown in fig. 1, a system architecture 100 according to this embodiment may include a network security device 101, a hard disk 102, and a server 103. Wherein the hard disk 102 may be comprised by the network security device 101; or may exist alone without being assembled into the network security device 101. The type of the hard disk 102 is not limited, and may be a mechanical hard disk of a SCSI interface, for example. The server 103 may be in a local machine room or in a remote machine room.
According to an embodiment of the present disclosure, the network security device 101 may include an operating system, and the operating system may include a system kernel. After the system kernel goes down, fault information may be written into memory, and the fault information processing program may read the memory data and write it to the hard disk 102 through the SATA interface, or send it to the server 103 through the network.
Specifically, for example, after the kernel starts, a system memory space may be reserved, and when the kernel fails, stack information including the fault information is cached in the reserved memory. After the system restarts, the fault information processing program can store the data in the reserved memory into a file, and the network security device 101 performs a preliminary automatic analysis of the cause of the kernel fault based on the file. The network security device 101 may also send the fault information file to the remote server 103, from which a developer may analyze the cause of the fault.
According to embodiments of the present disclosure, the network security device 101 may include hardware devices in the field of network security that are based on network traffic monitoring, such as a firewall, an IPS (intrusion prevention system) or an IDS (intrusion detection system).
It should be understood that the number of network security devices, hard disks, and servers in fig. 1 are merely illustrative. There may be any number of network security devices, hard disks, and servers, as desired for implementation.
Fig. 2 schematically illustrates a flow chart of a kernel failure handling method for a network security device in accordance with an embodiment of the present disclosure.
As shown in fig. 2, the method includes operations S210 to S230.
In operation S210, a memory space is set, where the memory space is used to store kernel fault information from one or more faults.
According to the embodiment of the disclosure, the memory space that is set is a reserved memory space and can be dedicated to storing kernel fault information from one or more faults. The size of the memory space may be preset; for example, a space of 4 MB can generally be set to store the panic information (i.e., the memory failure information) multiple times.
In operation S220, fault information output code is added to the kernel so that, when a fault occurs in the kernel, the fault information of the kernel is written into the memory space.
According to the embodiment of the disclosure, information output code for outputting fault information can be added to the kernel source code, so that the process name, the pid (process identification number), the function call hierarchy, the local variable values within functions, the system register values and so on that led to the kernel fault are effectively saved.
From the perspective of improving the system kernel, adding fault information output code makes use of the code structure at each stage of system startup, running and crash, so that the effective information in the system at the time of the crash (kernel fault) is saved with no hardware cost and low resource usage (low memory and disk space usage).
In operation S230, when a fault occurs in the kernel, the fault information of the kernel is written into the memory space so that the kernel fault can be located based on the fault information in the memory space.
According to an embodiment of the present disclosure, writing the fault information of the kernel into the memory space may include filtering the fault information of the kernel to obtain filtered effective information for analyzing the kernel fault; and writing the effective information into the memory space. By writing effective information into the memory space without writing all fault information into the memory space, the memory space can be saved to realize the storage of multiple fault information.
According to embodiments of the present disclosure, the effective information may include one or more of the following: the process name, the process identification number, the function call hierarchy relation, the local variable value information in the function and the system register value information which lead to the kernel fault.
According to the embodiment of the disclosure, the system kernel is modified and improved so that a part of system memory is reserved first, and fault information is selectively stored in that memory when the kernel fails; the size of the memory can be set according to the product model. After the system restarts, the information stored in the memory is read by a self-developed program (such as the fault information output code) to facilitate fault locating.
The method of the present disclosure can run in products of various architectures such as X86, ARM64 and MIPS64, so that information about occasional kernel faults of a network product during operation is saved, providing a basis for subsequently locating the cause of the fault.
Taking a firewall device as an example, once the system goes down, it is difficult to carry out technical fault locating at the customer site, particularly analysis of causes in the kernel layer. The method can effectively solve this problem: after the system stores the kernel fault information, it can automatically send the file back to the system server or keep the file locally according to configuration, and the file is then passed to dedicated kernel developers for locating and analysis.
In addition, in the course of implementing the present disclosure, the inventors found that if a separate independent system on an additional hardware board is used to read the kernel fault information, then in order to obtain the memory information for fault locating, the system must be halted at the moment of the kernel fault so that the hardware can intervene. The machine cannot be restarted during this time, which causes a long service interruption in an actual product, and the hardware board has to be attached to the hardware product, which brings higher hardware cost. The method of the present disclosure has a lower practical cost, needs no hardware board, can be shipped with released products, and can effectively save the system fault information of a network product (such as a firewall) in real operating scenarios. In addition, the method does not require the system to be halted and held in the kernel fault state, which reduces the interruption time of the product's service processing.
The method shown in fig. 2 is further described below with reference to fig. 3-6, in conjunction with the exemplary embodiment.
Fig. 3 schematically illustrates a flow chart for setting up a memory space according to an embodiment of the present disclosure.
As shown in fig. 3, setting the memory space includes operations S310 to S320.
In operation S310, kernel launch parameters are acquired.
In operation S320, during the process of starting the kernel, the kernel starting parameter is written into the memory, so as to indicate that the memory reserves a memory space.
According to the embodiment of the disclosure, the size of the memory area to be reserved is passed to the kernel by adding a kernel boot parameter. For example, the memory area is a space of 1 MB. After the kernel starts, it reads the kernel boot parameters during initialization, searches for a suitable memory block according to the requested size, and determines the location of the reserved memory according to the kernel boot parameters; this memory block is not used in subsequent memory allocation. According to an embodiment of the present disclosure, the details of the reserved memory, which may include its start address and size, may be recorded through the /proc/iomem file (a file that records the allocation of physical addresses).
According to the embodiment of the disclosure, the memory space is preset, so that the memory space can be specially used for storing the fault information, and the fault information can be rapidly positioned and acquired when the fault information needs to be analyzed.
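A check that a bring-up or support tool could run against the reservation described above, written as an added example and not code from the patent: it parses a size string in the K/M/G style that boot parameters conventionally use, finds the region in /proc/iomem text, and confirms the two agree. The resource name `fault_log`, the size strings and both /proc/iomem excerpts are constructed assumptions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/iomem excerpt; "fault_log" is a hypothetical resource name. */
static const char SAMPLE_IOMEM[] =
    "00001000-0009ffff : System RAM\n"
    "00100000-3effffff : System RAM\n"
    "  01000000-01c031d0 : Kernel code\n"
    "3f000000-3f3fffff : fault_log\n";
/* What an unprivileged reader sees: the kernel reports the addresses as zero. */
static const char HIDDEN_IOMEM[] =
    "00000000-00000000 : System RAM\n"
    "00000000-00000000 : fault_log\n";

static uint64_t region_start, region_size;   /* filled in by check_reservation() */

/* Parse "4M", "1024K" or "0x100000". Returns 0 on malformed input. */
uint64_t parse_size(const char *s)
{
    char *end;
    uint64_t v = strtoull(s, &end, 0);

    switch (*end) {
    case 'G': case 'g': v <<= 10; /* fall through */
    case 'M': case 'm': v <<= 10; /* fall through */
    case 'K': case 'k': v <<= 10; end++; break;
    default: break;
    }
    return *end == '\0' ? v : 0;
}

/* Find "<start>-<end> : <label>" in /proc/iomem text.
 * Returns 0 if found, -1 if absent, -2 if present but the addresses are hidden. */
int find_region(const char *text, const char *label, uint64_t *start, uint64_t *size)
{
    const char *line = text;

    while (line && *line) {
        uint64_t a, b;
        char name[64];

        if (sscanf(line, " %" SCNx64 "-%" SCNx64 " : %63[^\n]", &a, &b, name) == 3 &&
            strcmp(name, label) == 0) {
            if (a == 0 && b == 0)
                return -2;            /* re-run with sufficient privilege */
            if (b < a)
                return -1;
            *start = a;
            *size = b - a + 1;        /* the end address is inclusive */
            return 0;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* 0 when the region exists and has exactly the requested size, -3 on a mismatch. */
int check_reservation(const char *iomem, const char *label, const char *requested)
{
    int rc = find_region(iomem, label, &region_start, &region_size);

    if (rc != 0)
        return rc;
    return region_size == parse_size(requested) ? 0 : -3;
}

int main(void)
{
    int rc = check_reservation(SAMPLE_IOMEM, "fault_log", "4M");

    printf("rc=%d start=0x%" PRIx64 " size=%" PRIu64 "\n", rc, region_start, region_size);
    return rc != 0;
}
```

The start address found this way is what a dump tool would pass as its offset into /dev/mem.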
Fig. 4 schematically illustrates a flowchart for writing failure information of a kernel into a memory space according to an embodiment of the present disclosure.
As shown in fig. 4, the method includes operations S410 to S430.
In operation S410, in the process of writing the failure information of the kernel into the memory space, it is determined whether there is a blank space in which no information is written in the memory space.
According to the embodiment of the disclosure, since the size of the reserved memory space is fixed, the memory space may become fully occupied if multiple kernel faults occur. Therefore, before the fault information of the kernel is written into the memory space, or while it is being written, it is determined whether the memory space has blank space in which no information has been written.
In operation S420, when no blank space exists in the memory space, written information is deleted according to the order in which it was written into the memory space, so as to obtain a new blank space.
For example, the fault information that was written into the memory space earliest is deleted, so that a new blank space is obtained in the memory. According to the embodiment of the disclosure, the amount of data to delete can be determined from the amount of fault information to be written this time, and that amount is then deleted in the order in which the data was written into the memory space.
In operation S430, the fault information of the kernel is written into the new blank space.
According to the embodiment of the disclosure, even if the kernel fault information to be written occupies a large amount of space, a new blank space can be freed, so that the kernel fault information is guaranteed to be stored in memory; and because the memory space is fixed, the kernel fault information is prevented from occupying excessive memory.
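Operations S410 to S430 as a fixed-size record log, given as an added example and not the patent's implementation. The header layout, the `FAULT_MAGIC` marker, the function names and the 80-byte `demo_region` standing in for reserved memory are all assumptions; the patent specifies only the oldest-first deletion sized to the incoming record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FAULT_MAGIC 0x4B464C54u  /* assumed marker; the patent defines no format */
struct region_hdr { uint32_t magic, used, count, next_seq; };  /* start of region */
struct rec_hdr    { uint32_t seq, len; };                      /* precedes each payload */

static uint8_t demo_region[16 + 64];  /* constructed stand-in for the reserved memory */

/* Mark the region empty; returns the number of bytes available for records. */
int fault_log_init(uint8_t *base, size_t size)
{
    struct region_hdr h = { FAULT_MAGIC, 0, 0, 0 };

    if (size <= sizeof h + sizeof(struct rec_hdr))
        return -1;
    memcpy(base, &h, sizeof h);
    return (int)(size - sizeof h);
}

/* S410-S430: append one fault record, deleting the oldest records first when
 * there is no blank space left. Returns the number of records deleted. */
int fault_log_write(uint8_t *base, size_t size, const void *msg, uint32_t len)
{
    struct region_hdr h;
    struct rec_hdr r, old;
    uint8_t *data = base + sizeof h;
    uint32_t cap, need, drop;
    int evicted = 0;

    if (size <= sizeof h + sizeof r)
        return -1;
    cap = (uint32_t)(size - sizeof h);
    memcpy(&h, base, sizeof h);
    if (h.magic != FAULT_MAGIC || h.used > cap)
        return -1;                        /* uninitialised or corrupt header */
    if (len > cap - sizeof r)
        len = cap - (uint32_t)sizeof r;   /* a record larger than the region is truncated */
    need = (uint32_t)sizeof r + len;
    while ((uint64_t)h.used + need > cap) {          /* S410: not enough blank space */
        if (h.used < sizeof old)
            return -1;
        memcpy(&old, data, sizeof old);              /* the oldest record is at the front */
        if (old.len > h.used - sizeof old)
            return -1;                    /* corrupt length: do not walk off the region */
        drop = (uint32_t)sizeof old + old.len;
        memmove(data, data + drop, h.used - drop);   /* S420: delete it */
        h.used -= drop;
        h.count--;
        evicted++;
    }
    r.seq = h.next_seq++;
    r.len = len;
    memcpy(data + h.used, &r, sizeof r);             /* S430: write into the new space */
    memcpy(data + h.used + sizeof r, msg, len);
    h.used += need;
    h.count++;
    memcpy(base, &h, sizeof h);
    return evicted;
}

/* Number of records currently stored, or -1 if the region is not initialised. */
int fault_log_count(const uint8_t *base)
{
    struct region_hdr h;

    memcpy(&h, base, sizeof h);
    return h.magic == FAULT_MAGIC ? (int)h.count : -1;
}

/* Header of the oldest stored record; seq is UINT32_MAX when the log is empty. */
struct rec_hdr fault_log_oldest(const uint8_t *base)
{
    struct rec_hdr r = { UINT32_MAX, 0 };

    if (fault_log_count(base) > 0)
        memcpy(&r, base + sizeof(struct region_hdr), sizeof r);
    return r;
}

int main(void)
{
    static const char m[] = "panic X: 0123456789a";  /* 20-byte constructed payload */
    int i;

    fault_log_init(demo_region, sizeof demo_region);
    for (i = 0; i < 3; i++)
        printf("write %d deleted %d old record(s)\n", i,
               fault_log_write(demo_region, sizeof demo_region, m, 20));
    printf("records=%d oldest seq=%u\n", fault_log_count(demo_region),
           (unsigned)fault_log_oldest(demo_region).seq);
    return 0;
}
```

The length checks inside the eviction loop matter because this code would run in the panic path, where the region may already contain damaged data.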
Fig. 5 schematically illustrates a flow chart of a method of kernel failure handling for a network security device in accordance with another embodiment of the present disclosure.
In this embodiment, operations S210 to S230 shown in fig. 2 may be included, and for brevity of description, a detailed description is omitted here. As shown in fig. 5, the method includes operations S510 to S540.
In operation S510, the network security device is restarted before the kernel fault is located based on the fault information in the memory space.
In operation S520, a fault information dump program is started while the network security device restarts.
In operation S530, the fault information dump program checks whether there is fault information in the memory space.
According to the embodiment of the disclosure, when the kernel fails the system can be restarted, and during startup the network security device can automatically start a fault information dump program that checks whether fault information exists in the reserved memory area, so that the fault information is not lost after multiple restarts or power-downs of the device.
In operation S540, when there is fault information in the memory space, the fault information in the memory space is stored on the hard disk.
According to the embodiment of the disclosure, if fault information exists in the memory space, it can be saved to a file, and the configuration of the network security device then determines whether the file is sent back to the system server or kept locally. The fault information dump program may take three input parameters: the /dev/mem device file (through which a user-mode program can access memory by physical address), an offset address, and the path of the file to generate. The fault information dump program can also process and verify the contents of the memory area, filter them to obtain the effective information, write the contents of the memory area to a disk file, and so on.
Fig. 6 schematically illustrates a flow chart for storing failure information in a memory space in a hard disk according to another embodiment of the present disclosure.
As shown in fig. 6, the method includes operations S610 to S650.
In operation S610, it is determined whether there is data in the reserved memory.
In operation S620, if there is data in the reserved memory, the memory data is read, and failure information is obtained.
In operation S630, the fault information is processed to obtain effective information. For example, the fault information is verified and filtered.
In operation S640, valid information, such as a function call relationship, a register value, etc., is stored in a disk file or transmitted to a server.
In operation S650, if there is no data in the reserved memory, it may be determined again whether there is data in the reserved memory at a certain time interval or after the system is restarted.
According to the embodiment of the disclosure, the information can be processed and filtered to remove redundancy and then stored on the hard disk in the form of a custom file; storing multiple times is supported, and the fault file can be sent back to the system server through the network according to configuration. The method modifies and improves the kernel, has no hardware cost and a low memory footprint, and saves the system stack information at the time of a fault in real time without affecting the performance and stability of the kernel.
With the embodiment of the disclosure, little system hard disk space and little memory are occupied, which makes the method suitable for embedded products with constrained system resources, such as those with a heavily trimmed kernel.
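A sketch of the fault information dump program described above, added here as an example and not taken from the patent: it accepts the three parameters named in the text and follows S610 to S640. The record header, magic value, checksum, window size and all function names are assumptions, since the patent defines no layout.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Record layout and constants are assumptions of this example, not the patent's. */
#define FAULT_MAGIC 0x4B464C54u /* "KFLT": marks a written record */
#define REGION_SIZE 4096u       /* size of the reserved window */
#define MAX_PAYLOAD 1024u       /* largest payload accepted per record */

struct fault_hdr {
    uint32_t magic, seq, len, sum; /* marker, write order, payload bytes, checksum */
};

static uint32_t checksum(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    while (n--)
        s = s * 31u + *p++;
    return s;
}

/* Open the dump file for append, created 0600 because register values and
 * stack contents are sensitive. */
static FILE *open_dump(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    FILE *f = fd < 0 ? NULL : fdopen(fd, "a");
    if (!f && fd >= 0)
        close(fd);
    return f;
}

/* S610-S640: read the window at `offset`, keep the records that verify and
 * append them to out_path. Returns records stored, 0 if none, -1 on I/O error. */
int dump_fault_region(const char *dev_path, off_t offset, const char *out_path)
{
    static uint8_t buf[REGION_SIZE];
    FILE *out = NULL;
    int count = 0, fd = open(dev_path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t got = pread(fd, buf, sizeof buf, offset);
    close(fd);
    if (got < 0)
        return -1;

    size_t pos = 0, avail = (size_t)got;
    while (avail - pos >= sizeof(struct fault_hdr)) {
        struct fault_hdr h;
        const uint8_t *payload = buf + pos + sizeof h;
        memcpy(&h, buf + pos, sizeof h);
        /* Post-crash memory is untrusted: stop at a blank header or at a
         * length that would walk outside the window. */
        if (h.magic != FAULT_MAGIC || h.len == 0 || h.len > MAX_PAYLOAD ||
            h.len > avail - pos - sizeof h)
            break;
        if (checksum(payload, h.len) == h.sum) { /* S630: drop corrupted records */
            if (!out && !(out = open_dump(out_path)))
                return -1;
            fprintf(out, "--- fault seq=%u len=%u ---\n", (unsigned)h.seq, (unsigned)h.len);
            fwrite(payload, 1, h.len, out);
            fputc('\n', out);
            count++;
        }
        pos += sizeof h + h.len;
    }
    if (out && fclose(out) != 0)
        return -1;
    return count;
}

int main(int argc, char **argv)
{
    /* The three parameters named in the text: device file, offset, output path. */
    if (argc != 4) {
        fprintf(stderr, "usage: %s <mem-device> <offset> <out-file>\n", argv[0]);
        return 2;
    }
    int n = dump_fault_region(argv[1], (off_t)strtoull(argv[2], NULL, 0), argv[3]);
    printf("%d record(s) stored\n", n);
    return n < 0;
}
```

Pointing the first argument at a regular file containing a copy of the window exercises the same validation path without touching physical memory.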
Fig. 7 schematically illustrates a block diagram of a kernel failure handling apparatus for a network security device in accordance with an embodiment of the present disclosure.
As shown in fig. 7, the kernel failure processing apparatus 700 for a network security device includes a setting module 710, an adding module 720, and a writing module 730.
The setting module 710 is configured to set a memory space, where the memory space is used to store kernel fault information from one or more faults.
The adding module 720 is configured to add a fault information output code to the kernel, so that when the kernel fails, fault information of the kernel is written into the memory space.
The writing module 730 is configured to analyze the fault information in the memory space after writing the fault information of the kernel into the memory space, so as to locate the fault of the kernel.
According to an embodiment of the present disclosure, the setting module 710 includes an acquisition unit and a writing unit.
The acquisition unit is used for acquiring the kernel starting parameters.
The writing unit is used for writing the kernel starting parameters into the memory in the process of starting the kernel so as to indicate the memory to reserve a memory space.
According to an embodiment of the present disclosure, the kernel failure processing apparatus 700 for a network security device further includes a filtering module.
The filtering module is used for filtering the fault information of the kernel to obtain filtered effective information for analyzing the kernel fault.
The writing module is also used for writing the effective information into the memory space.
According to an embodiment of the present disclosure, the kernel failure processing apparatus 700 for a network security device further includes a judging module and a deleting module.
The judging module is used for judging, in the process of writing the fault information of the kernel into the memory space, whether the memory space has blank space to which no information has been written.
The deleting module is used for, in the case where the memory space has no blank space, deleting part of the written information in the memory space according to the time order in which that information was written, so as to obtain new blank space.
The writing module is also used for writing the fault information of the kernel into the new blank space.
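The judging, deleting and writing steps above, modelled in user space as an added example (not code from the patent). The record layout, the 128-byte space, the function names and the reading of "time order" as oldest first are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout and sizes are assumptions of this example; the patent defines none. */
#define REC_MAGIC 0x4B464C54u
#define SPACE_SIZE 128u /* deliberately tiny so that eviction is easy to trigger */

struct rec_hdr {
    uint32_t magic, seq, len; /* marker, write order, payload bytes */
};

struct fault_space {
    uint8_t mem[SPACE_SIZE]; /* stands in for the reserved memory space */
    size_t used;             /* bytes occupied by records, oldest first */
    uint32_t next_seq;
};

/* Size of the oldest record, or 0 if there is none or its header is damaged. */
static size_t oldest_size(const struct fault_space *s)
{
    struct rec_hdr h;
    if (s->used < sizeof h)
        return 0;
    memcpy(&h, s->mem, sizeof h);
    if (h.magic != REC_MAGIC || h.len > s->used - sizeof h)
        return 0;
    return sizeof h + h.len;
}

/* Write one fault record. Returns how many old records were deleted to make
 * room, or -1 if the record can never fit. */
int fault_write(struct fault_space *s, const void *info, size_t len)
{
    struct rec_hdr h = { REC_MAGIC, 0, (uint32_t)len };
    int evicted = 0;

    if (len == 0 || len > SPACE_SIZE - sizeof h)
        return -1; /* refuse rather than overrun the reserved space */
    if (s->used > SPACE_SIZE)
        s->used = 0; /* damaged bookkeeping: treat the space as blank */
    while (SPACE_SIZE - s->used < sizeof h + len) { /* no blank space left */
        size_t old = oldest_size(s);
        if (old == 0) { /* unreadable oldest record: discard everything */
            s->used = 0;
            break;
        }
        memmove(s->mem, s->mem + old, s->used - old); /* delete the oldest */
        s->used -= old;
        evicted++;
    }
    h.seq = s->next_seq++;
    memcpy(s->mem + s->used, &h, sizeof h);
    memcpy(s->mem + s->used + sizeof h, info, len);
    s->used += sizeof h + len;
    memset(s->mem + s->used, 0, SPACE_SIZE - s->used); /* keep the tail blank */
    return evicted;
}

/* Sequence number of the oldest surviving record, or -1 if the space is empty. */
long oldest_seq(const struct fault_space *s)
{
    struct rec_hdr h;
    if (oldest_size(s) == 0)
        return -1;
    memcpy(&h, s->mem, sizeof h);
    return (long)h.seq;
}

int main(void)
{
    static struct fault_space s; /* zero-initialised: blank */
    char info[40];               /* constructed sample payload */
    memset(info, 'A', sizeof info);
    for (int i = 0; i < 4; i++) {
        int n = fault_write(&s, info, sizeof info);
        printf("write %d: evicted=%d oldest_seq=%ld used=%zu\n", i, n, oldest_seq(&s), s.used);
    }
    return 0;
}
```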
According to an embodiment of the present disclosure, the kernel failure processing apparatus 700 for a network security device further includes a restart module, a start module, a check module, and a storage module.
The restarting module is used for restarting the network security device before the fault of the kernel is located based on the fault information in the memory space.
The starting module is used for starting a fault information dump program in the process of restarting the network security device.
The checking module is used for checking whether the fault information exists in the memory space through a fault information dump program.
The storage module is used for storing the fault information in the memory space in the hard disk under the condition that the fault information exists in the memory space.
Any number of the modules, sub-modules, units and sub-units according to embodiments of the present disclosure, or at least some of the functionality of any number of them, may be implemented in one module. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented as split into multiple modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system-on-chip, a system-on-substrate, a system-on-package, or an Application Specific Integrated Circuit (ASIC), or in hardware or firmware in any other reasonable manner that integrates or encapsulates the circuit, or in any one of, or a suitable combination of, software, hardware, and firmware. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be at least partially implemented as computer program modules, which when executed, may perform the corresponding functions.
For example, any number of the setting module 710, the adding module 720, and the writing module 730 may be combined into one module/unit/sub-unit, or any one of them may be split into multiple modules/units/sub-units. Alternatively, at least some of the functionality of one or more of these modules/units/sub-units may be combined with at least some of the functionality of other modules/units/sub-units and implemented in one module/unit/sub-unit. According to embodiments of the present disclosure, at least one of the setting module 710, the adding module 720, and the writing module 730 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system-on-chip, a system-on-substrate, a system-on-package, or an Application Specific Integrated Circuit (ASIC), or in hardware or firmware in any other reasonable way of integrating or packaging the circuitry, or in any one of, or a suitable combination of, software, hardware, and firmware. Alternatively, at least one of the setting module 710, the adding module 720, and the writing module 730 may be at least partially implemented as computer program modules that, when executed, perform the corresponding functions.
There is also provided, in accordance with an embodiment of the present disclosure, a network security device including: one or more processors; a storage medium storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the methods of embodiments of the present disclosure.
Fig. 8 schematically illustrates a block diagram of a network security device in accordance with an embodiment of the present disclosure. The computer system illustrated in fig. 8 is merely an example, and should not be construed as limiting the functionality and scope of use of the embodiments of the present disclosure.
As shown in fig. 8, the network security device 800 according to the embodiment of the present disclosure includes a processor 801 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. The processor 801 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 801 may also include on-board memory for caching purposes. The processor 801 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the disclosure.
In the RAM 803, various programs and data necessary for the operation of the network security device 800 are stored. The processor 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. The processor 801 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 802 and/or the RAM 803. Note that the program may be stored in one or more memories other than the ROM 802 and the RAM 803. The processor 801 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, network security device 800 may also include an input/output (I/O) interface 805, with input/output (I/O) interface 805 also connected to bus 804. Network security device 800 may also include one or more of the following components connected to I/O interface 805: an input portion 806 including a keyboard, mouse, etc.; an output portion 807 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 808 including a hard disk or the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. The drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as needed so that a computer program read out therefrom is installed into the storage section 808 as needed.
According to embodiments of the present disclosure, the method flow according to embodiments of the present disclosure may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 809, and/or installed from the removable media 811. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 801. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
The present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to implement the methods of embodiments of the present disclosure. The computer-readable storage medium may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 802 and/or RAM 803 and/or one or more memories other than ROM 802 and RAM 803 described above.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined and/or integrated in various ways, even if such combinations or integrations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be combined and/or integrated in various ways without departing from the spirit and teachings of the present disclosure. All such combinations and/or integrations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (7)

1. A method of kernel fault handling for a network security device, the network security device including one or more of a firewall, an intrusion prevention system, and an intrusion detection system, the method comprising:
setting a memory space, wherein the memory space is used for storing kernel fault information from one or more faults;
adding fault information output code to the kernel so that the fault information of the kernel is written into the memory space when the kernel fails; and
when the kernel fails, writing the fault information of the kernel into the memory space so as to locate the fault of the kernel based on the fault information in the memory space;
wherein writing the fault information of the kernel into the memory space includes: filtering the fault information of the kernel to obtain filtered effective information for analyzing the kernel fault; writing the effective information into the memory space; the effective information includes at least one of: the process name, the local variable value information in the function and the system register value information which cause the kernel fault;
in the process of writing the fault information of the kernel into the memory space, judging whether the memory space has a blank space in which information is not written; deleting the written partial information in the memory space according to the time sequence of writing the written information into the memory space under the condition that the memory space does not have the blank space, so as to obtain a new blank space; and writing fault information of the kernel into the new blank space.
2. The method of claim 1, wherein the setting the memory space comprises:
acquiring kernel starting parameters; and
writing the kernel starting parameters into a memory in the process of starting the kernel so as to indicate the memory to reserve the memory space.
3. The method of claim 1, wherein the valid information further comprises: function call hierarchy relationship.
4. The method of claim 1, further comprising:
restarting the network security device before locating a fault of the kernel based on the fault information in the memory space;
in the process of restarting the network security equipment, starting a fault information dump program;
checking whether fault information exists in the memory space or not through the fault information dump program; and
storing the fault information in the memory space in a hard disk under the condition that the fault information exists in the memory space.
5. A kernel failure handling apparatus for a network security device, the network security device comprising one or more of a firewall, an intrusion prevention system, and an intrusion detection system, the apparatus comprising:
the setting module is used for setting a memory space, wherein the memory space is used for storing kernel fault information from one or more faults;
the adding module is used for adding fault information output code to the kernel so that the fault information of the kernel is written into the memory space when the kernel fails; and
the writing module is used for writing the fault information of the kernel into the memory space when the kernel fails, so as to locate the fault of the kernel based on the fault information in the memory space;
wherein writing the fault information of the kernel into the memory space includes: filtering the fault information of the kernel to obtain filtered effective information for analyzing the kernel fault; writing the effective information into the memory space; the effective information includes at least one of: the process name, the local variable value information in the function and the system register value information which cause the kernel fault;
in the process of writing the fault information of the kernel into the memory space, judging whether the memory space has a blank space in which information is not written; deleting the written partial information in the memory space according to the time sequence of writing the written information into the memory space under the condition that the memory space does not have the blank space, so as to obtain a new blank space; and writing fault information of the kernel into the new blank space.
6. A network security appliance comprising:
one or more processors;
a storage medium for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-4.
7. A computer readable storage medium having stored thereon executable instructions which when executed by a processor cause the processor to implement the method of any of claims 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911424835.9A CN111158945B (en) 2019-12-31 2019-12-31 Kernel fault processing method, device, network security equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911424835.9A CN111158945B (en) 2019-12-31 2019-12-31 Kernel fault processing method, device, network security equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN111158945A CN111158945A (en) 2020-05-15
CN111158945B true CN111158945B (en) 2023-12-22

Family

ID=70560687

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911424835.9A Active CN111158945B (en) 2019-12-31 2019-12-31 Kernel fault processing method, device, network security equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN111158945B (en)

Also Published As

Publication number Publication date
CN111158945A (en) 2020-05-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: QAX Technology Group Inc.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: QAX Technology Group Inc.

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

GR01 Patent grant