CN111737656A - Privileged hardware resource access method for application program and electronic equipment - Google Patents
Privileged hardware resource access method for application program and electronic equipment Download PDFInfo
- Publication number
- CN111737656A CN111737656A CN202010473124.7A CN202010473124A CN111737656A CN 111737656 A CN111737656 A CN 111737656A CN 202010473124 A CN202010473124 A CN 202010473124A CN 111737656 A CN111737656 A CN 111737656A
- Authority
- CN
- China
- Prior art keywords
- root mode
- mode
- privileged
- root
- instruction
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 57
- 238000012545 processing Methods 0.000 claims description 31
- 230000006870 function Effects 0.000 claims description 19
- 230000008569 process Effects 0.000 claims description 15
- 230000004044 response Effects 0.000 claims description 10
- 238000004590 computer program Methods 0.000 claims description 2
- 238000003672 processing method Methods 0.000 description 10
- 238000005516 engineering process Methods 0.000 description 7
- 238000010586 diagram Methods 0.000 description 6
- 230000007246 mechanism Effects 0.000 description 4
- 238000013459 approach Methods 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 230000001360 synchronised effect Effects 0.000 description 2
- 230000007704 transition Effects 0.000 description 2
- 230000001960 triggered effect Effects 0.000 description 2
- 101100452681 Arabidopsis thaliana INVD gene Proteins 0.000 description 1
- 230000005856 abnormality Effects 0.000 description 1
- 239000008186 active pharmaceutical agent Substances 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000008260 defense mechanism Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000007727 signaling mechanism Effects 0.000 description 1
- 238000013519 translation Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
- G06F21/123—Restricting unauthorised execution of programs by using dedicated hardware, e.g. dongles, smart cards, cryptographic processors, global positioning systems [GPS] devices
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Technology Law (AREA)
- Multimedia (AREA)
- Remote Sensing (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Radar, Positioning & Navigation (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides an application program-oriented privileged hardware resource access method and electronic equipment, wherein the method divides a CPU operation mode into a root mode and a non-root mode, and each mode has a corresponding kernel mode and a user mode. The method comprises the following steps: running the application in a kernel mode of a non-root mode; and restricting execution of unauthorized privileged instructions by the application. Wherein the non-privileged instruction refers to an instruction to access a privileged hardware resource to which the application does not have access. The invention improves the performance, the safety and the universality of the privileged hardware resource accessed by the application program.
Description
Technical Field
The invention relates to the technical field of computer system security and system virtualization, in particular to a privileged hardware resource access method for an application program and electronic equipment.
Background
With the widespread use of various computer devices, there are more and more attacks on computer systems. To deal with various security threats in the real world, people put higher demands on the security of computer systems. Currently, some researchers have proposed to improve the security of computer systems by restricting the access of applications to privileged hardware resources because when an application is attacked by an attacker, the less resources the application has and the less resources the attacker can utilize, and thus the ability of the attacker will be limited, protecting the computer system from a greater security threat. Some researchers have also used privileged hardware resources to enhance the capabilities of applications to achieve stronger defense mechanisms, such as using the hardware Intel processor trace Unit (IPT) that records path information in the Intel processor to achieve more accurate control flow integrity check, using Last Branch Recording (LBR) to defend against return address programming-oriented attacks, using Performance Monitoring Unit (PMU) to detect cache-based side channel attacks suffered by the system, etc.
Since the application program in the user mode cannot directly access the privileged hardware resource in the existing operating system design, the utilization of the privileged hardware resource is mainly completed by using a kernel module or using a virtual device. The mode of using the kernel module comprises loading the kernel module into the kernel in the running process of the operating system, and running the kernel module in a kernel state, so that privileged hardware resources can be accessed in the kernel module; the way of using virtual devices requires a developer to create a virtual device in the system, when an application accesses privileged hardware resources, the developer first communicates with the virtual device, then completes the access to the privileged hardware resources in the virtual device, and finally returns the result to the application by the virtual device. The mode using the kernel module generally has better performance (i.e. higher access efficiency), but because the process of writing the kernel module is more complicated, and the kernel modules implementing different functions may conflict and cannot coexist in the same computer system, the mode has lower universality. The approach of using virtual devices is generally high in security, however, the approach needs to be trapped in the kernel to execute a large amount of kernel code, which results in poor performance (i.e., low access efficiency) and is not suitable for scenarios requiring frequent access to privileged hardware resources; in addition, the way of using the virtual device needs to create different virtual devices for different scenes, so the universality is also low.
There is also a way to take advantage of privileged hardware resources by putting applications running in kernel mode, which has better performance and higher versatility (e.g., Dune, which consists of small kernel modules). However, this approach is less secure because all privileged hardware resources in the kernel mode are exposed to the application, and once the application is controlled by an attacker, the attacker will have the right to use all privileged hardware resources, with which the attacker can make more harmful attacks, which can affect the application and even the entire computer system.
Disclosure of Invention
To solve the above problems in the prior art, according to an embodiment of the present invention, an application-oriented privileged hardware resource access method is provided, which divides a CPU operation mode into a root mode and a non-root mode, where each mode has a corresponding kernel mode and a user mode. The method comprises the following steps: running the application in a kernel mode of a non-root mode; and restricting execution of an unauthorized privileged instruction by the application, wherein the unauthorized privileged instruction refers to an instruction for accessing a privileged hardware resource to which the application does not have access.
In the above method, limiting the execution of the unauthorized privileged instruction by the application program may include: in response to intercepting an unauthorized privileged instruction that triggers a virtual machine to sink, execution of the unauthorized privileged instruction is halted. The above method may further comprise: in response to determining that the unauthorized privileged instruction is a conditional dip instruction, configuring the unauthorized privileged instruction to trigger a virtual machine dip when executed.
The above method may further comprise: configuring an unauthorized privileged instruction to raise an exception upon execution to trigger a virtual machine sag, and restricting execution of the unauthorized privileged instruction by the application includes: in response to intercepting an unauthorized privileged instruction that triggers a virtual machine to sink causing an exception, execution of the unauthorized privileged instruction is halted.
In the above method, limiting the execution of the unauthorized privileged instruction by the application program may include: invalidating an execution result of the unauthorized privileged instruction.
The method may further include configuring the memory in the non-root mode by: copying a user space portion of a highest level page table in the root mode to the non-root mode; and the non-root mode multiplexes the page tables of other levels except the page table of the highest level in the root mode.
The above method may further comprise: triggering the virtual machine to sink at the entrance of the system call; after the virtual machine sinks, calling a system call processing function under the root mode to process a system call; and returning the non-root mode from the root mode.
The above method may further comprise: triggering the virtual machine to sink when an interrupt or exception occurs; after the virtual machine sinks, calling an interrupt processing function in the root mode to process an interrupt, or calling an exception handling function in the root mode to process an exception; and returning the non-root mode from the root mode.
In the above method, returning from the root mode to the non-root mode includes: determining whether there is a signal to be processed, wherein the signal is used to notify that an asynchronous event occurs; in response to determining that there is a signal to process, deploying a signal stack to store register state and returning to the non-root mode; executing a signal processing function in the non-root mode and re-triggering a virtual machine sag; restoring a previous register according to a register state stored on the signal stack in the root mode; and returning to the non-root mode to continue running the application.
There is also provided, in accordance with an embodiment of the present invention, electronic equipment including a processor and a memory for storing one or more computer programs that, when executed by the processor, cause the electronic equipment to implement the above-described application-oriented privileged hardware resource access method.
The embodiment of the invention provides the following beneficial effects:
1. the application program is operated in a kernel mode of a non-root mode by utilizing a hardware auxiliary virtualization technology, so that the direct access of the application program to privileged hardware resources is realized, and the access efficiency is higher. Meanwhile, the application program can only access privileged hardware resources which are customized in advance and have access right, so that when the application program runs in the kernel mode, no additional attack surface is brought to an attacker, and the running safety of the application program in the kernel mode is ensured. In addition, the application program runs in a non-root mode and is effectively isolated from the host machine operating system running in the root mode, so that any attack on the application program cannot affect the host machine operating system, and the safety of the host machine operating system is ensured. Developers can realize the customization of privileged hardware resources by using the configuration files of the application programs, so the universality is high.
2. The memory configuration under the virtualization environment is provided, and system call processing, exception and interrupt processing and signal processing in the running process of the application program are optimized, so that the application program can run correctly in a kernel mode of a non-root mode. The application program cannot access the kernel space memory in the non-root mode, so that the safety is ensured, and an EPT mechanism is not required to be used, so that the memory access efficiency of the application program is improved; in addition, the system call, the exception and the interrupt are transferred to the root mode for processing, so that extra security threat to the application program is avoided, and the security is further improved.
Drawings
Example embodiments will be described in detail below with reference to the attached drawings, which are intended to depict example embodiments and should not be construed as limiting the intended scope of the claims. The drawings are not to be considered as drawn to scale unless explicitly indicated.
FIG. 1 illustrates a block diagram of a privileged hardware customization platform, according to one embodiment of the present invention;
FIG. 2 illustrates a flow diagram of an application-oriented privileged hardware resource access method according to one embodiment of the present invention;
FIG. 3 is a diagram illustrating a memory layout in a virtualization environment, according to an embodiment of the invention;
fig. 4 shows a flow diagram of a processing method for a signal according to an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail by embodiments with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As described above, in order to enable an application program in a user mode to access privileged hardware resources, the currently common mode of using a kernel module or virtual equipment has the problems of poor performance, low universality and the like; however, the way of directly running the application program in the kernel state (e.g., dure) to directly access privileged hardware resources adds too many permissions to the application program, so that an attacker obtains a larger attack surface, resulting in lower security. In order to solve the problems, the invention utilizes a hardware auxiliary virtualization technology to operate the application program in a kernel state of a non-root mode, so that the application program can directly access privileged hardware resources and does not bring a larger attack surface to an attacker.
Currently, hardware-assisted virtualization technologies include, but are not limited to, VT-x by Intel and AMD-V by AMD. Taking Intel's VT-x as an example, a Virtual Machine Monitor (VMM) and a Guest operating system (Guest OS) respectively operate in different CPU operating modes, i.e., in a VMX Root mode (or VMX Root mode, host mode, Root mode, hereinafter collectively referred to as Root mode) and a VMX Non-Root mode (or VMX Non-Root mode, Guest mode, Non-Root mode, hereinafter collectively referred to as Non-Root mode), both of which have respective CPU operating levels 0-3(Ring0-Ring 3). In general, the core instructions of the Guest OS can be directly issued to the hardware of the computer system for execution without going through the VMM. When Guest OS executes to a special instruction (e.g., a privileged instruction to access a privileged hardware resource), the system switches to the VMM, letting the VMM handle the special instruction. In hardware-assisted virtualization techniques, a Virtual Machine Control Structure (VMCS) is utilized to save state in two CPU operating modes to enable transitions between the CPU operating modes, e.g., the VMM may configure the VMCS to determine which instruction or exception in non-root mode may cause a Virtual machine trap (VM-Exit, indicating a transition of the CPU operating mode from non-root mode to root mode); in addition, virtual machine sag may also be triggered manually by a VMCALL instruction.
The present invention utilizes the above-described hardware-assisted virtualization technology to provide a privileged hardware customization platform, specifically, the privileged hardware customization platform utilizes Intel's VT-x. Fig. 1 schematically shows a block diagram of the privileged hardware customization platform, and as shown in fig. 1, an application program runs in a non-root mode (more precisely, in a kernel state of a non-root mode), and a host operating system runs in a root mode (more precisely, in a kernel state of a root mode). The host machine operating system is loaded with a kernel module which is written in advance, and the kernel module is used for starting an application program and carrying out system call processing, exception and interrupt processing, signal processing and the like.
Based on the privileged hardware customization platform, according to one embodiment of the invention, a privileged hardware resource access method for an application program is provided. The method utilizes hardware assisted virtualization techniques to divide CPU operating modes into root and non-root modes to provide two types of VMX operation, each having a respective kernel and user state (in other words, each having a respective CPU run level Ring0-Ring 3).
FIG. 2 schematically shows a flow diagram of an application-oriented privileged hardware resource access method according to one embodiment of the present invention, as shown in FIG. 2, the method comprising the steps of:
1. the application program is run in a kernel mode in a non-root mode.
First, a kernel module is loaded in a host operating system, and virtualization is started and a virtual device is created by the kernel module. After virtualization is turned on, two CPU operating modes, non-root and root, are provided, with the current system environment (including the kernel and all processes) running in root mode.
The application is started in a user mode of a root mode, then the application communicates with the virtual device created by the kernel module to transmit running information thereof, the kernel module creates and configures a virtualization environment according to the running information, and then switches the processor to a kernel mode (Ring0) of a non-root mode to run. At this time, the code running in the virtualized environment is the code of the application, and the application runs in the kernel mode in the non-root mode.
2. Restricting execution of an unauthorized privileged instruction by an application, wherein an unauthorized privileged instruction refers to an instruction for accessing a privileged hardware resource to which the application does not have access.
To ensure security, an application can only access privileged hardware resources that the developer has customized for it, and does not have access to other privileged hardware resources. In one embodiment, the developer may implement the customization of the privileged hardware resources through a configuration file, for example, recording in the configuration file of the application which privileged hardware resource/resources the application has/have access to. Thus, when the application program is started, whether the application program can access a certain privileged hardware resource or not can be judged according to the configuration file of the application program.
According to an embodiment of the present invention, the privileged instructions may be classified, as shown in table 1, to execute different privileged instruction protection methods for different classes of privileged instructions, which may be used to restrict the execution of unauthorized privileged instructions by the application.
TABLE 1
| Privileged instruction classification | Privileged instruction names |
| Hardware correlation | HLT/INVD/INVLGNG, etc |
| Descriptor table correlation | LGDT/LIDT/LLDT etc |
| Control register/Debug register correlation | MOV CR0/CR3/DR0 and the like |
| Module specific register correlation | RDMSR/WRMSR/SWAPGS and the like |
| Input output correlation | IN/INS/OUT/OUTS, etc |
| Segment correlation | LAR/LDS/LES/MOV DS, etc |
| Virtualization correlation | VMLAUNCH/VMRESUME, etc |
| Other privileged instructions | CLI/STI etc |
Table 2 shows another classification example for privileged instructions, where privileged instructions are classified into three classes, the EXIT class, the INV class, and the EXP class.
TABLE 2
Based on the classification example shown in table 2, according to an embodiment of the present invention, the following three privileged instruction protection methods are provided for the three classes of privileged instructions, respectively, to limit the execution of the unauthorized privileged instruction in the kernel mode in the non-root mode:
in response to intercepting a privileged instruction that triggers a virtual machine to sink (e.g., the EXIT class privileged instruction shown in table 2), execution of the privileged instruction is halted.
In current hardware-assisted virtualization technologies, the VMM in root mode is able to monitor critical behavior in the virtual machine. The EXIT privileged instruction shown in table 2 may be intercepted by the VMM if the virtual machine trap is triggered when the EXIT privileged instruction is executed in the kernel mode in the non-root mode, and after the trap, the kernel module may stop the execution of the privileged instruction.
The EXIT class privileged instructions shown in table 2 may be further divided into unconditional and conditional dip instructions. Where execution of an unconditional dip instruction (such as the privileged instructions shown in lines 1-2 of Table 2) must trigger a virtual machine dip, and whether execution of a conditional dip instruction (such as the privileged instructions shown in lines 3-9 of Table 2) will trigger a virtual machine dip depends on the corresponding configuration in the VMCS. To limit the application from executing conditional-dip instructions in the kernel state in non-root mode, according to one embodiment of the invention, a conditional-dip instruction of the EXIT class of privileged instructions is configured to trigger a virtual machine dip when executed, thereby enabling the VMM to intercept these privileged instructions to halt execution of these privileged instructions.
② privileged instructions (e.g., EXP-class privileged instructions shown in table 2) are configured to raise an exception upon execution to trigger virtual machine sag, in response to intercepting a privileged instruction that raises an exception to trigger virtual machine sag, execution of that privileged instruction is halted.
In particular, for the EXP-class privileged instructions shown in Table 2, they are configured to raise an exception when executed, thereby triggering virtual machine subsidence by the exception. According to one embodiment of the invention, raising the exception comprises:
■ raising # UD Exception
For example, for privileged instructions shown in line 20 of table 2, the VMM in root mode may be able to intercept the execution of these privileged instructions, which the kernel module may be used to stop from executing, by turning off support for them in the VMCS, thereby causing a # UD exception to be raised when these privileged instructions are executed.
■ elicited # GP abnormalities
For example, for privileged instructions related to segment operations as shown in Table 2, lines 16-18, the segment descriptor cache is populated with the correct segment descriptor information and the segment descriptor table is set to empty, using the segment descriptor cache structure. More specifically, the contents of all segment registers are set in the Guest field of the VMCS, including the selector (selector) and corresponding segment descriptor information, which will be directly loaded into the Guest segment registers upon entering non-root mode, while setting the values of the base and limit fields in the GDTR and LDTR registers in the Guest field to 0. When an application performs a segment switch operation, the processor will raise a # GP exception when accessing the segment descriptor table, which triggers a virtual machine sag. After intercepting the # GP exception, the kernel module may check whether the segment switching operation is legal (the legal segment switching operation refers to taking the privilege level that the application program should execute as the target segment that the CPL can legally access, but not the segment that can be accessed under Ring0), if so, perform simulated execution on the corresponding instruction (to fill the requested segment information into the corresponding segment register in the VMCS, and return to the non-root mode); if not, execution of the privileged instruction is stopped.
■ cause # PF Exception
For example, for privileged instructions causing a segment switch (e.g., SYSEXIT or SYSRET) shown in row 19 of table 2, execution of these privileged instructions would set CPL to 3 and run under Ring 3. According to one embodiment of the invention, a # PF exception is raised by a fetch operation when a next instruction of a privileged instruction (SYSEXIT or SYSRET) is executed by a CPU by mapping code of an application to a supervisor mode page (supervisor-mode page) and configuring the processor to be unable to fetch instructions from the supervisor mode page in a user mode. After intercepting the privileged instruction that caused the # PF exception to trigger the virtual machine trap, the kernel module may stop execution of the privileged instruction.
Invalidating results of execution of privileged instructions
The INV class privileged instructions shown in table 2 are invalidated from their execution, preventing attackers from using these privileged instructions to obtain information or to change any kernel state.
Taking the CR0 and CR4 registers associated with read-write instructions as shown in line 10 of Table 2, for example, where the CR0 and CR4 registers each have a set of guest/host mask and read reads, all bits of the guest/host mask are set to 1, and all bits of the read reads are set to 0, an attacker reading the CR0/CR4 registers are all 0, and writing both registers does not actually modify the values of the CR0 and CR4 registers.
Compared with the existing method for accessing privileged hardware resources, in the privileged hardware resource access method for the application program provided by the embodiment, the application program is operated in a kernel state of a non-root mode by using a hardware auxiliary virtualization technology, so that the direct access of the application program to the privileged hardware resources is realized, and the access efficiency is higher. Meanwhile, the application program can only access privileged hardware resources customized in advance by developers, so that when the application program runs in the kernel mode, no additional attack surface is brought to attackers, and the running safety of the application program in the kernel mode is ensured. Since the application program runs in the non-root mode, the application program is effectively isolated from the host operating system running in the root mode, any attack on the application program cannot affect the host operating system, and the safety of the host operating system is ensured. In addition, developers can customize privileged hardware resources by the application program by configuring the configuration file of the application program, so the method has higher universality.
In the above embodiment, the application program is in the user mode of the root mode at the time of starting, and then switches to the kernel mode of the non-root mode to run. To ensure that the application is able to operate correctly in the non-root mode (e.g., to handle system calls in the root mode, as described below), the virtual memory in the non-root mode typically needs to be kept consistent with that in the root mode. However, if the page table in the root mode is directly multiplexed in the non-root mode, the application program can access the address of the kernel space when running in the non-root mode, resulting in low security.
For security, according to a preferred embodiment of the present invention, when the kernel module creates and configures the virtualization environment according to the running information of the application program, the memory in the virtualization environment is configured. The page table in non-root mode is obtained by copying the user space part of the highest level page table in root mode to non-root mode and multiplexing other level page tables in root mode, as shown in fig. 3. Through configuration, the kernel space part of the highest level page table in the non-root mode is empty, so that the access of an application program running in the non-root mode to the kernel space memory can be limited, and the safety is further ensured. Besides, the security is ensured, an Extended Page Table (EPT) mechanism in a hardware-assisted virtualization technology can be avoided, the address translation process in the EPT is reduced, and therefore the access efficiency of the application program is improved.
Taking X86 with 64 bits as an example, the page table is generally divided into four levels, PML4, PDPT, PD and PT, in order to ensure that the application program can operate correctly in the non-root mode, the 2, 3 and 4 level page tables in the root mode are multiplexed in the non-root mode, and the highest level page table PML4 in the root mode is copied (512 entries in total are used in PML4, the first 256 entries point to the user space, and the last 256 entries point to the kernel space), so as to obtain the highest level page table PML 4' in the non-root mode. There are 512 entries in the PML 4', where the first 256 entries (0-255) point to user space, 256-510 empty, and 511 index into a VSYSCALL page (VSYSCALL is used to speed up system calls requesting data from the kernel). Therefore, the configuration of the four-level page table in the non-root mode is realized.
In addition, during the running of the application program, the page table in the root mode may be updated. After monitoring the update of the highest-level page table in the root mode, the highest-level page table in the non-root mode can be synchronized. Since the highest-level page table in the root mode and the copied highest-level page table in the non-root mode are dispersed in two pages, in order to ensure consistency of the two pages during the operation of the application program, according to an embodiment of the present invention, the two pages may be set to the read-only permission to implement the synchronous operation.
In the above embodiment, when an application running in the kernel mode of the non-root mode needs to request a service with higher authority from the kernel of the host operating system through a system call, codes processed by the system call may be introduced in the non-root mode, but this may cause an attacker to attack with the codes after hijacking the application. To address this problem, in accordance with a preferred embodiment of the present invention, system calls executed while an application is running are handed over to root mode for processing. Considering that the instructions SYSCALL and SYSRET generally used for executing a system call cannot implement switching between a non-root mode and a root mode, in order to enable the system call to be correctly handed over to the root mode for processing, based on the memory configuration in the virtualization environment shown in fig. 3, a processing method for the system call is provided, which includes:
■ executing a VMCALL instruction at the entry of a system call to trigger a virtual machine dip;
■ after the virtual machine sinks, the system call is processed in root mode, that is, the kernel module calls the corresponding system call processing function according to the system call number to complete the processing of the system call. The user space part of the highest page table in the non-root mode is the same as that of the highest page table in the root mode, so that the corresponding system call processing function is called in the root mode to complete the processing of the system call;
■ return from root mode to non-root mode.
Specifically, the processing method for the system call includes: opening up a code page in the memory space of an application program, wherein the code page is in a kernel state of a non-root mode and stores the following two instructions:
SyscallEntry:VMCALL
JMP*%RCX
meanwhile, the value of the IA32_ LSTAR _ MSR register in non-root mode is set to SyscallEntry. When the application program executes the SYSCALL instruction, the address of the next instruction of the instruction is stored in the RCX register, and the entry SyscalEntry of the system call is obtained from the IA32_ LSTAR _ MSR register, so that the VMCALL is executed. Execution of the VMCALL causes the virtual machine to sag, i.e., the CPU switches from non-root mode to root mode and passes control to the kernel module. And the kernel module calls the original system call processing function in the kernel of the host operating system according to the system call number. After the system call processing function is executed, the kernel module executes the VMRESUME instruction, switches from the root mode to the non-root mode, and starts to execute from JMP% RCX. Since RCX stores the address of the next instruction of the SYSCALL instruction, JMP% RCX jumps to the next instruction of the SYSCALL instruction, thereby completing a system call.
The processing method aiming at the system call can ensure that codes processed by the system call cannot be introduced in the non-root mode, and can prevent an attacker from utilizing the codes to realize attack after hijacking the application program, thereby further improving the running safety of the application program.
When the application program runs in the kernel mode in the non-root mode, according to an embodiment of the present invention, a processing method for an interrupt (e.g., an external interrupt) or an exception (e.g., a page exception, a divide-by-0 exception, an illegal instruction exception, etc.) is further provided, and the interrupt or the exception during the running of the application program is handed over to the root mode for processing, similar to the processing method for a system call. The processing method for the interrupt or the exception comprises the following steps:
■ configure the VMCS (specifically, configure the virtual machine execution control Field in the VMCS, i.e., VM-ExecutionControls Field, so that an interrupt or exception occurring in non-root mode triggers a virtual machine sag;
■ trigger a virtual machine sag when an interrupt or exception occurs;
■ after the virtual machine sags, interrupts or exceptions are handled in root mode. For the interrupt, the kernel module calls a corresponding interrupt processing function according to the interrupt number so as to complete the processing of the interrupt; aiming at the exception, the kernel module calls a corresponding exception handling function according to the exception number to finish the handling of the exception;
■ return from root mode to non-root mode.
The processing method aiming at the interrupt or the exception can isolate the processing of the interrupt or the exception from the operation of the application program, and the application program cannot sense the occurrence of the interrupt or the exception, so that an attacker cannot attack the processing of the interrupt or the exception, thereby avoiding bringing extra security threat to the application program and further improving the security.
When the application program runs in the kernel mode of the non-root mode, according to an embodiment of the present invention, a signal processing method is further provided for ensuring that a signal mechanism can work normally. Wherein the signal is used to notify the occurrence of an asynchronous event, and the signaling mechanism indicates an asynchronous interprocess communication mechanism. Referring to fig. 4, the processing method for a signal includes:
■ after system call processing or exception or interrupt processing, it is determined whether there is a signal pending. Specifically, a signal _ pending () function is called by the kernel module to check whether a signal to be processed exists in the signal queue.
■ if there is no signal to process, the processor returns from the root mode to the non-root mode and ends signal processing; if there is a signal to be processed, the next step is performed.
■ the signal stack is deployed by the kernel module. Specifically, calling do _ signal () function completes the save and switch work of the user-state context (i.e., all register states) on the signal stack, and sets the user-state new context into the Guest state domain of the VMCS.
■ execute the resume virtual machine instruction (VMRESUME) to return to non-root mode.
■ perform signal processing functions in non-root mode.
■ after the signal processing function is executed, the SIGROURN system call is called to re-trigger the virtual machine to sag.
■ in root mode, the previous registers are restored by the kernel module according to the register state saved on the signal stack and the virtualization environment is reconfigured.
■ executing the VMRESUME returns to the non-root mode in which the application continues to run.
It should be noted that some exemplary methods are depicted as flowcharts. Although a flowchart may describe the operations as being performed serially, it can be appreciated that many of the operations can be performed in parallel, concurrently, or with synchronization. In addition, the order of the operations may be rearranged. A process may terminate when an operation is completed, but may have additional steps not included in the figure or embodiment.
The above-described methods may be implemented by hardware, software, firmware, middleware, pseudocode, hardware description languages, or any combination thereof. When implemented in software, firmware, middleware, or pseudo code, the program code or code segments to perform the tasks may be stored in a computer readable medium such as a storage medium, and a processor may perform the tasks.
It should be appreciated that the software-implemented exemplary embodiment is typically encoded on some form of program storage medium or implemented over some type of transmission medium. The program storage medium may be any non-transitory storage medium such as a magnetic disk (e.g., a floppy disk or a hard drive) or an optical disk (e.g., a compact disk read only memory or "CD ROM"), and may be read only or random access. Similarly, the transmission medium may be twisted wire pairs, coaxial cable, optical fiber, or some other suitable transmission medium known to the art.
Although the present invention has been described by way of preferred embodiments, the present invention is not limited to the embodiments described herein, and various changes and modifications may be made without departing from the scope of the present invention.
Claims (10)
1. An application-oriented privileged hardware resource access method in which a CPU operating mode is divided into a root mode and a non-root mode, each mode having a corresponding kernel mode and user mode, the method comprising:
running the application in a kernel mode of a non-root mode; and
restricting execution of an unauthorized privileged instruction by the application, wherein the unauthorized privileged instruction is an instruction for accessing a privileged hardware resource to which the application does not have access.
2. The method of claim 1, wherein restricting execution of unauthorized privileged instructions by the application comprises:
in response to intercepting an unauthorized privileged instruction that triggers a virtual machine to sink, execution of the unauthorized privileged instruction is halted.
3. The method of claim 2, further comprising:
in response to determining that the unauthorized privileged instruction is a conditional dip instruction, configuring the unauthorized privileged instruction to trigger a virtual machine dip when executed.
4. The method of claim 1, further comprising:
configuring an unauthorized privileged instruction to raise an exception when executed to trigger a virtual machine sag; and
wherein restricting execution of unauthorized privileged instructions by the application comprises:
in response to intercepting an unauthorized privileged instruction that triggers a virtual machine to sink causing an exception, execution of the unauthorized privileged instruction is halted.
5. The method of claim 1, wherein restricting execution of unauthorized privileged instructions by the application comprises:
invalidating an execution result of the unauthorized privileged instruction.
6. The method according to any of claims 1-5, further comprising configuring the memory in non-root mode by:
copying a user space portion of a highest level page table in the root mode to the non-root mode; and
the non-root mode multiplexes page tables of other levels except a highest level page table in the root mode.
7. The method of claim 6, further comprising:
triggering the virtual machine to sink at the entrance of the system call;
after the virtual machine sinks, calling a system call processing function under the root mode to process a system call; and
returning from the root mode to the non-root mode.
8. The method of claim 6, further comprising:
triggering the virtual machine to sink when an interrupt or exception occurs;
after the virtual machine sinks, calling an interrupt processing function in the root mode to process an interrupt, or calling an exception handling function in the root mode to process an exception; and
returning from the root mode to the non-root mode.
9. The method of claim 7 or 8, wherein returning from the root mode to the non-root mode comprises:
determining whether there is a signal to be processed, wherein the signal is used to notify that an asynchronous event occurs;
in response to determining that there is a signal to process, deploying a signal stack to store register state and returning to the non-root mode;
executing a signal processing function in the non-root mode and re-triggering a virtual machine sag;
restoring a previous register according to a register state stored on the signal stack in the root mode; and
and returning to the non-root mode to continue running the application program.
10. An electronic device, characterized in that the electronic device comprises a processor and a memory for storing one or more computer programs, which when executed by the processor, cause the electronic device to implement the method of any of claims 1 to 9.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2019104621403 | 2019-05-30 | ||
| CN201910462140 | 2019-05-30 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111737656A true CN111737656A (en) | 2020-10-02 |
| CN111737656B CN111737656B (en) | 2023-10-27 |
Family
ID=72646505
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010473124.7A Active CN111737656B (en) | 2019-05-30 | 2020-05-29 | Application program-oriented privileged hardware resource access method and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111737656B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113225344A (en) * | 2021-05-10 | 2021-08-06 | 深信服科技股份有限公司 | Access control method, device, equipment and readable storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20110072428A1 (en) * | 2009-09-22 | 2011-03-24 | International Business Machines Corporation | Nested Virtualization Performance In A Computer System |
| CN102521531A (en) * | 2011-11-24 | 2012-06-27 | 华中科技大学 | Password protection system based on hardware virtualization |
| CN103270491A (en) * | 2011-12-06 | 2013-08-28 | 华为技术有限公司 | Hardware resource protection method and system, and virtual machine manager |
| CN104424034A (en) * | 2013-09-04 | 2015-03-18 | 华为技术有限公司 | Hardware resource access method and hardware resource access device |
-
2020
- 2020-05-29 CN CN202010473124.7A patent/CN111737656B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20110072428A1 (en) * | 2009-09-22 | 2011-03-24 | International Business Machines Corporation | Nested Virtualization Performance In A Computer System |
| CN102521531A (en) * | 2011-11-24 | 2012-06-27 | 华中科技大学 | Password protection system based on hardware virtualization |
| CN103270491A (en) * | 2011-12-06 | 2013-08-28 | 华为技术有限公司 | Hardware resource protection method and system, and virtual machine manager |
| CN104424034A (en) * | 2013-09-04 | 2015-03-18 | 华为技术有限公司 | Hardware resource access method and hardware resource access device |
| US20160224399A1 (en) * | 2013-09-04 | 2016-08-04 | Huawei Technologies Co., Ltd. | Method and Apparatus for Accessing Hardware Resource |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113225344A (en) * | 2021-05-10 | 2021-08-06 | 深信服科技股份有限公司 | Access control method, device, equipment and readable storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111737656B (en) | 2023-10-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11841939B2 (en) | Technologies for object-oriented memory management with extended segmentation | |
| KR102116571B1 (en) | Systems And Methods for Exposing A Result Of A Current Processor Instruction Upon Exiting A Virtual Machine | |
| US9400885B2 (en) | Computer security systems and methods using virtualization exceptions | |
| EP1939754B1 (en) | Providing protected access to critical memory regions | |
| KR102189296B1 (en) | Event filtering for virtual machine security applications | |
| KR101955189B1 (en) | Page fault injection in virtual machines to cause mapping of swapped-out memory pages into vm virtualized memory | |
| US10140448B2 (en) | Systems and methods of asynchronous analysis of event notifications for computer security applications | |
| US20160210069A1 (en) | Systems and Methods For Overriding Memory Access Permissions In A Virtual Machine | |
| Gu et al. | Harmonizing performance and isolation in microkernels with efficient intra-kernel isolation and communication | |
| CN111737656B (en) | Application program-oriented privileged hardware resource access method and electronic equipment | |
| US11216280B2 (en) | Exception interception | |
| CN114090273B (en) | Inter-process communication method, device and computer storage medium | |
| JP7369720B2 (en) | Apparatus and method for triggering actions | |
| CN114090273A (en) | Method and device for interprocess communication and computer storage medium | |
| CN117222990A (en) | Techniques for access to memory using capability constraints | |
| TW202409842A (en) | Exception return state lock parameter |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |