CN111444508A - CPU bug detection device and method based on virtual machine - Google Patents
- Publication number: CN111444508A (application CN201811611543.1A)
- Authority: CN (China)
- Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
Abstract
The invention discloses a CPU vulnerability detection device and method based on a virtual machine. The device comprises a process monitoring module and a driving module. The process monitoring module is adapted to send process information of an unknown process to a cloud server when the unknown process is monitored, and to provide the process information of the unknown process to the driving module when the unknown process is determined, according to the query result returned by the cloud server, to be a process of a preset grade. The driving module is adapted to send the process information of the unknown process provided by the process monitoring module to a preset host device, so that the host device can monitor whether the unknown process executes an instruction related to a CPU vulnerability, and to provide the monitoring result returned by the host device to the process monitoring module, so that the process monitoring module can process that result. This approach achieves instruction-level monitoring, so every instruction related to the CPU vulnerability can be monitored, and a more comprehensive defense effect is realized.
Description
Technical Field
The invention relates to the technical field of computers, and in particular to a CPU vulnerability detection device and method implemented on the basis of a virtual machine.
Background
A Central Processing Unit (CPU) vulnerability is undoubtedly a high-risk vulnerability: once a malicious program attacks through a CPU vulnerability, it may cause inestimable damage to the user's personal device, and may even cause major problems such as paralysis of the device.
In the prior art, whether an attack action aiming at a CPU bug exists can be determined only by monitoring an interface provided by an operating system. For example, when a malicious program tries to launch an attack action aiming at a CPU bug by calling an interface provided by an operating system, the malicious action can be monitored and intercepted by setting a monitoring mode such as a hook at the interface provided by the operating system.
However, in the process of implementing the invention, the inventor found that the above prior-art approach has at least the following defect: malicious behavior can be intercepted only at the layer of the interface provided by the operating system, so once a malicious program bypasses that interface and enters the operating system directly, serious consequences can follow.
Disclosure of Invention
In view of the above, the present invention is proposed to provide a CPU vulnerability detection apparatus and method based on virtual machine implementation that overcomes or at least partially solves the above problems.
According to an aspect of the present invention, there is provided a CPU vulnerability detection apparatus implemented based on a virtual machine, including: the system comprises a process monitoring module and a driving module; wherein,
the process monitoring module is suitable for sending process information of an unknown process to a cloud server when the unknown process is monitored, and providing the process information of the unknown process to the driving module when the unknown process is determined to be a process with a preset grade according to a query result returned by the cloud server;
the driving module is suitable for sending the process information of the unknown process provided by the process monitoring module to a preset host device so that the host device can monitor whether the unknown process executes an instruction related to the CPU bug, and provides a monitoring result returned by the host device to the process monitoring module so that the process monitoring module can process the monitoring result returned by the host device.
According to another aspect of the present invention, there is provided a CPU vulnerability detection method implemented based on the above CPU vulnerability detection apparatus, including:
when an unknown process is monitored, sending process information of the unknown process to a cloud server;
when the unknown process is determined to be a process of a preset grade according to the query result returned by the cloud server, sending the process information of the unknown process to a preset host device so that the host device can monitor whether the unknown process executes an instruction related to a CPU bug;
and processing according to the monitoring result returned by the host device.
According to still another aspect of the present invention, there is provided an electronic apparatus including: a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the CPU vulnerability detection method realized based on the CPU vulnerability detection device.
According to another aspect of the present invention, a computer storage medium is provided, where at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to execute operations corresponding to the CPU vulnerability detection method implemented by the CPU vulnerability detection apparatus.
According to the CPU vulnerability detection device and method based on a virtual machine disclosed by the invention, through the cooperation of the process monitoring module and the driving module, when an unknown process is monitored, the cloud server is queried to determine whether the unknown process is a process of a preset grade; when the query result is yes, the process information of the unknown process is sent to a preset host device through the driving module, and processing is performed according to the monitoring result returned by the host device. In this way, the unknown process can be identified through the virtual machine and, in cooperation with the host device, it is detected whether the unknown process executes an instruction related to the CPU vulnerability, so that the defense function is realized at the instruction level.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a schematic structural diagram of a CPU vulnerability detection apparatus implemented based on a virtual machine according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a CPU vulnerability detection apparatus implemented based on a virtual machine according to another embodiment of the present invention;
fig. 3 is a flowchart illustrating a CPU vulnerability detection method implemented based on a CPU vulnerability detection apparatus according to another embodiment of the present invention;
fig. 4 shows a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Fig. 1 shows a schematic structural diagram of a CPU vulnerability detection apparatus implemented based on a virtual machine according to an embodiment of the present invention. As shown in fig. 1, the apparatus includes: a process monitoring module 11 and a driving module 12; the process monitoring module 11 is adapted to send process information of an unknown process to the cloud server when the unknown process is monitored, and provide the process information of the unknown process to the driving module 12 when the unknown process is determined to be a process of a preset level according to a query result returned by the cloud server. The driving module 12 is adapted to send the process information of the unknown process provided by the process monitoring module 11 to a preset host device, so that the host device monitors whether the unknown process executes an instruction related to the CPU vulnerability, and provides a monitoring result returned by the host device to the process monitoring module, so that the process monitoring module processes the monitoring result returned by the host device.
The process monitoring module is mainly used for monitoring each unknown process, determining whether each unknown process is a safe process or not through inquiring the cloud server, and if not, providing process information of the unknown process to a preset host device through the driving module so that the host device can monitor whether the unknown process executes an instruction related to the CPU vulnerability or not.
Therefore, according to the CPU vulnerability detection device based on a virtual machine disclosed by the invention, through the cooperation of the process monitoring module and the driving module, when an unknown process is monitored, the cloud server is queried to determine whether the unknown process is a process of a preset grade; when the query result is yes, the process information of the unknown process is sent to a preset host device through the driving module, and processing is performed according to the monitoring result returned by the host device. In this way, the unknown process can be identified through the virtual machine and, in cooperation with the host device, it is detected whether the unknown process executes an instruction related to the CPU vulnerability, so that the defense function is realized at the instruction level. This achieves a more comprehensive defense effect: even if an unknown process bypasses the interface provided by the operating system and enters the operating system directly, it can still be intercepted at the instruction, which improves system security.
Fig. 2 is a schematic structural diagram of a CPU vulnerability detection apparatus 20 implemented based on a virtual machine according to another embodiment of the present invention. As shown in fig. 2, the apparatus includes a process monitoring module 11 and a driver module 12. Optionally, the process monitoring module 11 further includes a process management module 111, a defense module 112, and a cloud check module 113. The process management module 111 and the cloud check module 113 are each connected to the defense module 112, and the defense module 112 is further connected to the driver module 12. Further optionally, the apparatus also comprises a shared memory module 13, which is connected to the driving module 12 and to the preset host device 30 and is adapted to store the monitoring result returned by the preset host device 30 for the driving module 12 to read. A host monitoring module is further arranged inside the host device 30.
As can be seen, the CPU vulnerability detection apparatus 20 in this embodiment is a virtual machine apparatus, and a virtual operating system is installed in the virtual machine apparatus. The virtual operating system may be, for example, a Windows system or the like. The host device 30 is a host device corresponding to the virtual machine device, and a host operating system corresponding to the virtual operating system is installed in the host device. For convenience of description, the virtual machine implemented by the CPU vulnerability detection apparatus 20 may be referred to as Guest side, and the Host device implemented by the Host device 30 may be referred to as Host side. The Guest end can realize the CPU vulnerability detection function under the support of the Host end.
The following description focuses on the specific working principle of each module included in the CPU vulnerability detection apparatus 20 provided in the embodiment of the present invention:
The process monitoring module 11 is mainly used for monitoring each process. Each time a process is started, the process monitoring module 11 can obtain information about the started process, so as to monitor the process continuously. To ensure that the process monitoring module 11 catches the corresponding start event as soon as the process starts and can monitor it effectively and in time, the process monitoring module 11 in this embodiment further includes a process management module 111 and a defense module 112. The process management module 111 is configured to register callback information of each process through the defense module 112, and to send a callback notification to the defense module 112 when a registered process is executed. That is, the process management module can register callback information of each process and/or thread with the defense module in advance, creating a callback function corresponding to each process and/or thread; when a registered process and/or thread executes, a callback notification is sent to the defense module 112 through the corresponding callback function. The defense module 112 is configured, on receiving the callback notification from the process management module 111, to obtain the process information of the unknown process corresponding to the notification and to send it to the cloud check module 113. The process information of the unknown process includes the process name, the process identifier (e.g., the ID or PID of the process), the path of the process, and so on. The cloud check module 113 is configured to send the process information of the unknown process received from the defense module 112 to the cloud server and to return the query result from the cloud server to the defense module 112. The cloud server stores information about processes whose security levels are known.
For example, a process level table is maintained on the cloud server, and the process level table stores information about processes of various levels. Wherein, the process level can be divided into: a risk level, a safety level, and a suspicious level. Alternatively, the ranking information may be represented by black and white lists, for example, security ranking for processes stored in the white list, danger ranking for processes stored in the black list, and suspicious ranking for processes stored in the gray list. Accordingly, the defense module 112 may execute corresponding processing according to the query results of different levels, and when it is determined that the unknown process is a process of a preset level according to the query result returned by the cloud server, provide the process information of the unknown process to the driver module, so that the driver module sends the process information of the unknown process to the preset host device to perform instruction level monitoring. The preset level may be a suspicious level and/or a dangerous level, and other various non-safety levels. For example, in one particular implementation, the defense module 112 performs the following operations: if the level of the unknown process is the security level, releasing the unknown process; if the level of the unknown process is a danger level, intercepting the unknown process (for example, killing the unknown process to prevent the unknown process from continuing to run); and if the level of the unknown process is the suspicious level, providing the process information of the unknown process to the drive module.
Therefore, each process started in the current system can be monitored by the process monitoring module 11 as soon as it starts, and the security level of each started process is queried in real time from the cloud server, so that real-time protection against processes of a non-security level is realized.
In addition, the driving module 12 is configured to send the process information of the unknown process provided by the process monitoring module 11 to a preset host device, so that the host device monitors whether the unknown process executes an instruction related to a CPU vulnerability, and provides a monitoring result returned by the host device to the process monitoring module, so that the process monitoring module processes the monitoring result returned by the host device. Since the operating systems running in the CPU vulnerability detection apparatus 20 and the host apparatus 30 are respectively a virtual operating system and a host operating system, in order to facilitate the communication function across the operating systems, in the present embodiment, the driver module 12 is further provided. The driver module 12 is dedicated to enabling communication between the virtual operating system and the host operating system.
In addition, optionally, to further facilitate communication between the virtual operating system and the host operating system, the CPU vulnerability detection apparatus 20 in this embodiment further includes a shared memory module 13, which is connected to the driving module 12 and to the preset host apparatus 30 and is adapted to store the monitoring result returned by the preset host apparatus for the driving module 12 to read. The shared memory module can cache the process data corresponding to the processes, and the cached data can be accessed by the virtual operating system and the host operating system at the same time, so that data can be shared among multiple processes and the communication efficiency between the virtual operating system and the host operating system is improved.
The specific functions of the host device 30 are described below: the host device 30 is configured to monitor whether an unknown process executes an instruction related to a CPU vulnerability, and provide a monitoring result to the process monitoring module through the driver module, so that the process monitoring module processes the monitoring result according to the monitoring result returned by the host device.
In a specific implementation, the preset host device 30 is configured to inject preset monitoring code into the unknown process corresponding to the process information, obtain the instructions of the unknown process through the preset monitoring code, and determine according to preset vulnerability defense rules whether an instruction of the unknown process is an instruction related to a CPU vulnerability. The preset vulnerability defense rules include at least one of: a rule that defends according to whether the instruction frequency exceeds a preset frequency threshold, and a rule that defends according to whether an instruction sequence and/or a combination of instruction sequences matches a preset vulnerability instruction sequence feature. The preset vulnerability instruction sequence features stored in the preset vulnerability defense rules include at least one of: an instruction sequence feature corresponding to a cache line flush instruction, an instruction sequence feature corresponding to a read time-stamp counter opcode instruction, and an instruction sequence feature corresponding to a read TSC register instruction.
A specific implementation of injecting the preset monitoring code into the unknown process corresponding to the process information is given below, in which the preset monitoring code is a dynamic link library (DLL).
In this embodiment, the DLL is configured to implement a virtual CPU environment through a virtual machine so that the unknown process runs in that virtual CPU environment. That is, once the DLL has been injected into the unknown process, a virtual CPU environment and other hardware environments can be simulated by the virtual machine and provided to the unknown process, switching it from the real CPU environment to the virtual CPU environment. Specifically, the switch can be implemented by communicating with the unknown process and forwarding messages, which achieves the purpose of monitoring the unknown process through the dynamic link library DLL.
Specifically, since the DLL is equivalent to a virtual machine capable of supporting the running of the process, the unknown process runs in the virtual CPU environment created by that virtual machine through the dynamic link library DLL. Every instruction issued by the unknown process through the operating system is therefore taken over by the DLL, so the DLL can obtain all instructions corresponding to the unknown process.
Finally, whether an instruction of the unknown process is an instruction related to the CPU vulnerability is judged according to the preset vulnerability defense rules. In this embodiment, the preset vulnerability defense rules include at least one of the following two rules:
The first vulnerability defense rule defends according to whether the instruction frequency exceeds a preset frequency threshold. Specifically, the inventors found in the process of implementing the present invention that when a malicious process launches an attack, it achieves its purpose by issuing the instruction many times within a short period; monitoring the instruction frequency therefore helps to screen out malicious instructions. For example, in this embodiment a frequency threshold is preset, and when the number of hits on a preset vulnerability instruction within one second exceeds that threshold, the instruction is judged to conform to the vulnerability defense rule. The preset vulnerability instruction may be a predetermined instruction related to a CPU vulnerability.
The second vulnerability defense rule defends according to whether an instruction sequence and/or a combination of instruction sequences matches a preset vulnerability instruction sequence feature. The preset vulnerability instruction sequence features are generated from predetermined instructions related to CPU vulnerabilities; a feature may be a single-sequence feature of one instruction or a sequence-set feature of an instruction set composed of several instructions. For example, the vulnerability instruction sequence features include an instruction sequence feature corresponding to a cache line flush instruction (e.g., the CLFLUSH instruction), an instruction sequence feature corresponding to a read time-stamp counter opcode instruction (e.g., the RDTSC instruction), and/or an instruction sequence feature corresponding to a read TSC register instruction (e.g., the RDTSC instruction). Instructions related to CPU vulnerabilities may include other instructions in addition to those named above. When an instruction sequence or combination of instruction sequences issued by the unknown process matches a preset vulnerability instruction sequence feature, the instruction is judged to conform to this vulnerability defense rule.
The preset vulnerability defense rules may be derived in advance as follows: first, sample monitoring code is injected into each sample process, and the sample monitoring code takes over the instructions of each sample process so that they are executed in a virtual CPU environment; then the instructions of each sample process and their execution results are trained with a machine learning algorithm, and the preset vulnerability defense rules are determined from the training results. The sample monitoring code is similar to the preset monitoring code and can likewise be implemented as a DLL.
When an instruction of the unknown process is judged to be an instruction related to the CPU vulnerability, the unknown process can be determined to be a malicious process that is attempting to launch an attack through the CPU vulnerability, and the unknown process therefore needs to be intercepted to defend against the attack. Interception can be implemented in various ways: for example, the unknown process can be killed directly, so that it cannot continue the attack; or only the instructions of the unknown process can be intercepted, so that one or more malicious instructions are blocked without killing a process by mistake. The interception may be executed directly by the host device, or by the virtual machine device through the driving module on the host device's behalf; the present invention does not limit this.
In addition, when an instruction of the unknown process is judged not to be an instruction related to the CPU vulnerability, the dynamic link library DLL can take over the instruction so that it is executed in the virtual CPU environment, obtain the execution result of the instruction, and, when the execution result is a result related to a CPU vulnerability, update the preset vulnerability defense rules according to that instruction.
In summary, the dynamic link library DLL file in this embodiment implements a virtual CPU environment through a virtual machine and cooperates with the host device to detect whether an unknown process executes an instruction related to a CPU vulnerability, thereby realizing the defense function at the instruction level. This achieves a more comprehensive defense effect: even if the unknown process bypasses the interface provided by the operating system and enters the operating system directly, it can still be intercepted at the instruction, which improves system security. Because instructions are finer-grained, monitoring a process at the instruction level expands the monitoring range and improves monitoring accuracy compared with the conventional method of monitoring the interface provided by the operating system or the CPU. In this embodiment, the DLL of a process virtual machine (i.e., a virtual machine that provides a running environment for the process) is injected into the process, after which the process is restarted inside the process virtual machine DLL; the DLL can then monitor the process at the instruction level, and if an instruction conforming to a vulnerability defense rule is monitored, the instruction is intercepted. The monitoring is triggered for suspicious processes by the process monitoring mechanism described above, so a suspicious process can be restarted and run under instruction-level monitoring.
Fig. 3 is a schematic flow chart of a CPU vulnerability detection method implemented based on the CPU vulnerability detection apparatus provided in any one of the embodiments of the present invention, and as shown in fig. 3, the method includes:
Step S310: when an unknown process is monitored, sending process information of the unknown process to a cloud server.
Step S320: when the unknown process is determined to be a process of a preset grade according to the query result returned by the cloud server, sending the process information of the unknown process to a preset host device so that the host device can monitor whether the unknown process executes an instruction related to a CPU vulnerability.
Step S330: processing according to the monitoring result returned by the host device.
The details of the foregoing steps may refer to the description of the corresponding parts in the embodiments of the apparatus, and are not described herein again.
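The flow S310 to S330 and the preset vulnerability defense rules recited in claims 7 and 8 (an instruction-frequency threshold, and matching of instruction sequences against vulnerability instruction-sequence features built around cache line flush and time-stamp counter reads) can be modelled in a few dozen lines. The block below is an added illustration written for this page, not the patent's implementation: the cloud reputation table, the instruction traces, the feature sequences and the threshold values are all constructed sample data, and the host device's injected monitoring code is replaced by a plain function that receives an already-collected mnemonic trace.

```python
"""Simplified model of the CPU-vulnerability detection flow S310-S330 plus the
preset defense rules (frequency threshold and instruction-sequence features).
Illustrative code added for this page; all data below is constructed."""

from collections import Counter
from dataclasses import dataclass, field

# Constructed stand-in for the cloud server's query result: process name -> grade.
CLOUD_REPUTATION = {
    "notepad.exe": "trusted",
    "updater.exe": "trusted",
    "unknown_tool.exe": "suspicious",   # the "preset grade" that triggers host monitoring
}
PRESET_GRADE = "suspicious"

# Constructed vulnerability instruction-sequence features (lower-case mnemonics).
# A feature matches when its sequence occurs contiguously in a process's trace.
SEQUENCE_FEATURES = {
    "cache-line-flush-then-timed-access": ("clflush", "mfence", "rdtsc", "mov", "rdtsc"),
    "rdtscp-timing-loop": ("rdtscp", "mov", "rdtscp"),
    "cache-line-flush-burst": ("clflush", "clflush", "clflush"),
}

# Constructed frequency thresholds: a mnemonic seen more often than this in the
# sampled trace window is reported as a frequency hit.
FREQUENCY_THRESHOLD = {"clflush": 50, "rdtsc": 50, "rdtscp": 50}


@dataclass
class MonitoringResult:
    """What the host device returns to the driving module (via shared memory)."""
    process: str
    matched_features: list = field(default_factory=list)
    frequency_hits: dict = field(default_factory=dict)

    @property
    def related_to_cpu_vulnerability(self) -> bool:
        return bool(self.matched_features or self.frequency_hits)


def mnemonics(trace):
    """Strip operand text: 'clflush [rbx]' -> 'clflush'."""
    return [ins.split()[0].lower() for ins in trace]


def query_cloud(process_name: str) -> str:
    """S310: send process information to the cloud server and return its grade."""
    return CLOUD_REPUTATION.get(process_name, "unknown")


def find_sequence_features(trace, features=SEQUENCE_FEATURES):
    """Names of features whose sequence appears contiguously in the trace."""
    ms = mnemonics(trace)
    hits = []
    for name, seq in features.items():
        n = len(seq)
        if any(tuple(ms[i:i + n]) == seq for i in range(len(ms) - n + 1)):
            hits.append(name)
    return hits


def check_frequency(trace, thresholds=FREQUENCY_THRESHOLD):
    """Mnemonics whose count exceeds the preset threshold, with their counts."""
    counts = Counter(mnemonics(trace))
    return {m: counts[m] for m, limit in thresholds.items() if counts[m] > limit}


def host_monitor(process_name, trace) -> MonitoringResult:
    """S320, host side: apply both preset defense rules to the collected trace."""
    return MonitoringResult(process_name,
                            find_sequence_features(trace),
                            check_frequency(trace))


def detect(process_name, trace):
    """S310-S330 end to end; returns the action taken for the process."""
    if query_cloud(process_name) != PRESET_GRADE:
        return "allow"          # not a preset-grade process: no host monitoring
    result = host_monitor(process_name, trace)
    return "intercept" if result.related_to_cpu_vulnerability else "allow"


# Constructed instruction traces (only the mnemonic is inspected).
BENIGN_TRACE = ["mov rax, [rbx]", "add rax, 1", "cmp rax, rcx", "jne 0x401000"] * 10
TIMING_TRACE = ["clflush [rbx]", "mfence", "rdtsc", "mov rdx, [rbx]", "rdtsc", "sub rax, rdx"]
FLUSH_BURST = ["clflush [rbx+%d]" % (64 * i) for i in range(60)]

if __name__ == "__main__":
    for name, trace in [("notepad.exe", TIMING_TRACE),
                        ("unknown_tool.exe", BENIGN_TRACE),
                        ("unknown_tool.exe", TIMING_TRACE),
                        ("unknown_tool.exe", FLUSH_BURST)]:
        print(name, len(trace), "instructions ->", detect(name, trace))
```

Note that a trusted-grade process is never sent to the host device, so the same timing trace is allowed for `notepad.exe` and intercepted for `unknown_tool.exe`; the cloud grade gates the expensive instruction-level monitoring, which is the point of step S320. Both rules fire on the flush burst (sixty `clflush` both exceeds the threshold and contains the three-flush sequence), so a real rule set should tune thresholds per workload to limit false positives on legitimate cache-management code.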
The embodiment of the application provides a non-volatile computer storage medium in which at least one executable instruction is stored; the executable instruction causes a processor to perform the virtual-machine-based CPU vulnerability detection method of any of the method embodiments.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the electronic device.
As shown in fig. 4, the electronic device may include: a processor (processor)402, a Communications Interface 404, a memory 406, and a Communications bus 408.
Wherein:
the processor 402, communication interface 404, and memory 406 communicate with each other via a communication bus 408.
A communication interface 404 for communicating with network elements of other devices, such as clients or other servers.
The processor 402 is configured to execute the program 410, and may specifically execute relevant steps in the above-described CPU vulnerability detection method embodiment implemented based on a virtual machine.
In particular, program 410 may include program code comprising computer operating instructions.
The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the present invention. The electronic device comprises one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs together with one or more ASICs.
A memory 406 for storing the program 410. The memory 406 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 410 may be specifically configured to enable the processor 402 to perform relevant steps in the above-described CPU vulnerability detection method embodiment based on virtual machine implementation.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the virtual machine implementation based CPU vulnerability detection apparatus according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any ordering; these words may be interpreted as names.
The invention also discloses A1. a CPU vulnerability detection device based on the virtual machine, which comprises: the system comprises a process monitoring module and a driving module; wherein,
the process monitoring module is suitable for sending process information of an unknown process to a cloud server when the unknown process is monitored, and providing the process information of the unknown process to the driving module when the unknown process is determined to be a process with a preset grade according to a query result returned by the cloud server;
the driving module is suitable for sending the process information of the unknown process provided by the process monitoring module to a preset host device so that the host device can monitor whether the unknown process executes an instruction related to the CPU bug, and provides a monitoring result returned by the host device to the process monitoring module so that the process monitoring module can process the monitoring result returned by the host device.
A2. The apparatus according to claim A1, wherein the process monitoring module specifically includes: a process management module, a defense module and a cloud query module; the process management module and the cloud query module are each connected with the defense module, and the defense module is further connected with the driving module.
A3. The apparatus of claim A2, wherein the process management module is adapted to register callback information of each process on behalf of the defense module and to send a callback notification to the defense module when a registered process executes;
the defense module is adapted, when the callback notification sent by the process management module is received, to acquire the process information of the unknown process corresponding to the callback notification and to send the acquired process information of the unknown process to the cloud query module;
the cloud query module is adapted to send the process information of the unknown process received from the defense module to a cloud server and to return the query result returned by the cloud server to the defense module.
A4. The apparatus of any of claims A1-A3, wherein the apparatus further comprises:
a shared memory module, connected to both the driving module and the preset host device, adapted to store a monitoring result returned by the preset host device so that it can be read by the driving module.
A5. The apparatus of any one of claims A1-A4, wherein the CPU vulnerability detection apparatus is a virtual machine implemented on a Windows system.
A6. The apparatus of any of claims A1-A5, wherein the preset host device is configured to inject preset monitoring code into the unknown process corresponding to the process information, so as to obtain the instruction corresponding to the unknown process through the preset monitoring code and determine, according to a preset vulnerability defense rule, whether the instruction corresponding to the unknown process is an instruction related to a CPU vulnerability.
A7. The apparatus of claim A6, wherein the preset vulnerability defense rules include at least one of:
a rule that defends according to whether the instruction frequency is greater than a preset frequency threshold, and a rule that defends according to whether the instruction sequence and/or the instruction sequence combination matches preset vulnerability instruction-sequence features.
A8. The apparatus of claim A7, wherein the preset vulnerability instruction-sequence features stored in the preset vulnerability defense rules include at least one of:
an instruction sequence feature corresponding to a cache line flush instruction, an instruction sequence feature corresponding to a read time-stamp counter opcode instruction, and an instruction sequence feature corresponding to a read TSC register instruction.
A9. The apparatus of claim A8, wherein the preset monitoring code includes a dynamic link library (DLL) file, and the DLL file is used to implement a virtual CPU environment through a virtual machine.
B10. A CPU vulnerability detection method implemented based on the CPU vulnerability detection apparatus of any of claims a1-9, comprising:
when an unknown process is monitored, sending process information of the unknown process to a cloud server;
when the unknown process is determined to be a process of a preset grade according to the query result returned by the cloud server, sending the process information of the unknown process to a preset host device so that the host device can monitor whether the unknown process executes an instruction related to a CPU bug;
and processing according to the monitoring result returned by the host device.
C11. An electronic device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the CPU vulnerability detection method based on virtual machine implementation according to claim B10.
D12. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the virtual machine implementation-based CPU vulnerability detection method recited in claim B10.
Claims (10)
1. A CPU vulnerability detection device based on virtual machine implementation comprises: the system comprises a process monitoring module and a driving module; wherein,
the process monitoring module is suitable for sending process information of an unknown process to a cloud server when the unknown process is monitored, and providing the process information of the unknown process to the driving module when the unknown process is determined to be a process with a preset grade according to a query result returned by the cloud server;
the driving module is suitable for sending the process information of the unknown process provided by the process monitoring module to a preset host device so that the host device can monitor whether the unknown process executes an instruction related to the CPU bug, and provides a monitoring result returned by the host device to the process monitoring module so that the process monitoring module can process the monitoring result returned by the host device.
2. The apparatus according to claim 1, wherein the process monitoring module specifically includes: a process management module, a defense module and a cloud query module; the process management module and the cloud query module are each connected with the defense module, and the defense module is further connected with the driving module.
3. The apparatus of claim 2, wherein the process management module is adapted to register callback information of each process on behalf of the defense module and to send a callback notification to the defense module when the registered process executes;
the defense module is adapted, when the callback notification sent by the process management module is received, to acquire the process information of the unknown process corresponding to the callback notification and to send the acquired process information of the unknown process to the cloud query module;
the cloud query module is adapted to send the process information of the unknown process received from the defense module to a cloud server and to return the query result returned by the cloud server to the defense module.
4. The apparatus of any of claims 1-3, wherein the apparatus further comprises:
and the shared memory module is respectively connected with the drive module and the preset host device and is suitable for storing a monitoring result returned by the preset host device so as to be read by the drive module.
5. The device according to any one of claims 1 to 4, wherein the CPU bug detection device is a virtual machine implemented based on a Windows system.
6. The device according to any one of claims 1 to 5, wherein the preset host device is configured to inject a preset monitoring code into an unknown process corresponding to the process information, so as to obtain an instruction corresponding to the unknown process through the preset monitoring code, and determine whether the instruction corresponding to the unknown process is an instruction related to a CPU vulnerability according to a preset vulnerability defense rule.
7. The apparatus of claim 6, wherein the preset vulnerability defense rules include at least one of:
the rule for defending is carried out according to whether the instruction frequency is greater than a preset frequency threshold value, and the rule for defending is carried out according to whether the instruction sequence and/or the instruction sequence combination is matched with the preset characteristics of the vulnerability instruction sequence.
8. A CPU vulnerability detection method implemented based on the CPU vulnerability detection apparatus of any of claims 1-7, comprising:
when an unknown process is monitored, sending process information of the unknown process to a cloud server;
when the unknown process is determined to be a process of a preset grade according to the query result returned by the cloud server, sending the process information of the unknown process to a preset host device so that the host device can monitor whether the unknown process executes an instruction related to a CPU bug;
and processing according to the monitoring result returned by the host device.
9. An electronic device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the CPU vulnerability detection method based on the virtual machine implementation according to claim 8.
10. A computer storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform operations corresponding to the CPU vulnerability detection method based on virtual machine implementation according to claim 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811611543.1A CN111444508B (en) | 2018-12-27 | 2018-12-27 | CPU vulnerability detection device and method based on virtual machine |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811611543.1A CN111444508B (en) | 2018-12-27 | 2018-12-27 | CPU vulnerability detection device and method based on virtual machine |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111444508A true CN111444508A (en) | 2020-07-24 |
CN111444508B CN111444508B (en) | 2024-06-18 |
Family
ID=71626502
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811611543.1A Active CN111444508B (en) | 2018-12-27 | 2018-12-27 | CPU vulnerability detection device and method based on virtual machine |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111444508B (en) |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090254993A1 (en) * | 2006-07-31 | 2009-10-08 | Manuel Leone | System for implementing security on telecommunications terminals |
CN103106368A (en) * | 2013-02-26 | 2013-05-15 | 南京理工大学常熟研究院有限公司 | Vulnerability scanning method for grade protection |
US20130298203A1 (en) * | 2012-05-07 | 2013-11-07 | Samsung Electronics Co., Ltd. | Apparatus and method of providing security to cloud data to prevent unauthorized access |
US8713631B1 (en) * | 2012-12-25 | 2014-04-29 | Kaspersky Lab Zao | System and method for detecting malicious code executed by virtual machine |
US20150007315A1 (en) * | 2013-06-28 | 2015-01-01 | Symantec Corporation | Techniques for Detecting a Security Vulnerability |
WO2015081900A1 (en) * | 2013-12-06 | 2015-06-11 | 北京奇虎科技有限公司 | Method, device, and system for cloud-security-based blocking of advertisement programs |
CN105740046A (en) * | 2016-01-26 | 2016-07-06 | 华中科技大学 | Virtual machine process behavior monitoring method and system based on dynamic library |
CN106850582A (en) * | 2017-01-05 | 2017-06-13 | 中国电子科技网络信息安全有限公司 | A kind of APT Advanced threat detection methods based on instruction monitoring |
CN107864676A (en) * | 2015-08-11 | 2018-03-30 | 赛门铁克公司 | System and method for detecting unknown leak in calculating process |
US20180295154A1 (en) * | 2015-10-28 | 2018-10-11 | Fractal Industries, Inc. | Application of advanced cybersecurity threat mitigation to rogue devices, privilege escalation, and risk-based vulnerability and patch management |
Events
- 2018-12-27: CN application CN201811611543.1A filed (patent CN111444508B), status active
Patent Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090254993A1 (en) * | 2006-07-31 | 2009-10-08 | Manuel Leone | System for implementing security on telecommunications terminals |
US20130298203A1 (en) * | 2012-05-07 | 2013-11-07 | Samsung Electronics Co., Ltd. | Apparatus and method of providing security to cloud data to prevent unauthorized access |
US8713631B1 (en) * | 2012-12-25 | 2014-04-29 | Kaspersky Lab Zao | System and method for detecting malicious code executed by virtual machine |
CN103106368A (en) * | 2013-02-26 | 2013-05-15 | 南京理工大学常熟研究院有限公司 | Vulnerability scanning method for grade protection |
US20150007315A1 (en) * | 2013-06-28 | 2015-01-01 | Symantec Corporation | Techniques for Detecting a Security Vulnerability |
WO2015081900A1 (en) * | 2013-12-06 | 2015-06-11 | 北京奇虎科技有限公司 | Method, device, and system for cloud-security-based blocking of advertisement programs |
CN107864676A (en) * | 2015-08-11 | 2018-03-30 | 赛门铁克公司 | System and method for detecting unknown leak in calculating process |
US20180295154A1 (en) * | 2015-10-28 | 2018-10-11 | Fractal Industries, Inc. | Application of advanced cybersecurity threat mitigation to rogue devices, privilege escalation, and risk-based vulnerability and patch management |
CN105740046A (en) * | 2016-01-26 | 2016-07-06 | 华中科技大学 | Virtual machine process behavior monitoring method and system based on dynamic library |
CN106850582A (en) * | 2017-01-05 | 2017-06-13 | 中国电子科技网络信息安全有限公司 | A kind of APT Advanced threat detection methods based on instruction monitoring |
Non-Patent Citations (2)
Title |
---|
林杰: "面向服务监控的可控云关键技术研究", 信息科技, no. 3, 15 March 2016 (2016-03-15), pages 20 - 40 * |
潘剑锋: "主机恶意代码检测系统的设计与实现", 信息科技, no. 2, 15 February 2011 (2011-02-15), pages 20 - 50 * |
Also Published As
Publication number | Publication date |
---|---|
CN111444508B (en) | 2024-06-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9781144B1 (en) | Determining duplicate objects for malware analysis using environmental/context information | |
CN102932329B (en) | A kind of method, device and client device that the behavior of program is tackled | |
US9842208B2 (en) | Method, apparatus and system for detecting malicious process behavior | |
CN109583202B (en) | System and method for detecting malicious code in address space of process | |
CN103034808B (en) | Scan method, equipment and system and cloud management and equipment | |
CN102982284A (en) | Scanning equipment, cloud management equipment and method and system used for malicious program checking and killing | |
CN107465702B (en) | Early warning method and device based on wireless network intrusion | |
US9910983B2 (en) | Malware detection | |
CN107566401B (en) | Protection method and device for virtualized environment | |
JP5326063B1 (en) | Malicious shellcode detection apparatus and method using debug events | |
CN110674496A (en) | Method and system for program to counter invading terminal and computer equipment | |
CN102984134B (en) | Safety defense system | |
CN110505246B (en) | Client network communication detection method, device and storage medium | |
CN105791250B (en) | Application program detection method and device | |
CN112307469A (en) | Kernel intrusion prevention method and device, computing equipment and computer storage medium | |
CN102984135B (en) | Safety defense method, equipment and system | |
CN111444510A (en) | CPU vulnerability detection method and system based on virtual machine | |
CN111444509B (en) | CPU vulnerability detection method and system based on virtual machine | |
KR102292844B1 (en) | Apparatus and method for detecting malicious code | |
US11316873B2 (en) | Detecting malicious threats via autostart execution point analysis | |
CN108256327B (en) | File detection method and device | |
CN111291368B (en) | Method and system for defending CPU loopholes | |
CN107517226B (en) | Alarm method and device based on wireless network intrusion | |
CN111382440B (en) | CPU vulnerability detection method and system based on virtual machine | |
CN111444508A (en) | CPU bug detection device and method based on virtual machine |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||