CN111737656B - Application program-oriented privileged hardware resource access method and electronic equipment - Google Patents
Application program-oriented privileged hardware resource access method and electronic equipment Download PDFInfo
- Publication number
- CN111737656B CN111737656B CN202010473124.7A CN202010473124A CN111737656B CN 111737656 B CN111737656 B CN 111737656B CN 202010473124 A CN202010473124 A CN 202010473124A CN 111737656 B CN111737656 B CN 111737656B
- Authority
- CN
- China
- Prior art keywords
- mode
- root mode
- privileged
- root
- application
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 71
- 238000012545 processing Methods 0.000 claims description 33
- 230000006870 function Effects 0.000 claims description 20
- 230000008569 process Effects 0.000 claims description 18
- 230000004044 response Effects 0.000 claims description 11
- 230000005856 abnormality Effects 0.000 claims description 10
- 230000001960 triggered effect Effects 0.000 claims description 5
- 238000004590 computer program Methods 0.000 claims description 2
- 238000003672 processing method Methods 0.000 description 11
- 238000005516 engineering process Methods 0.000 description 6
- 230000007246 mechanism Effects 0.000 description 4
- 230000005540 biological transmission Effects 0.000 description 3
- 230000000977 initiatory effect Effects 0.000 description 3
- 238000010586 diagram Methods 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 230000007704 transition Effects 0.000 description 2
- 101100452681 Arabidopsis thaliana INVD gene Proteins 0.000 description 1
- 239000008186 active pharmaceutical agent Substances 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000008260 defense mechanism Effects 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000011664 signaling Effects 0.000 description 1
- 230000007727 signaling mechanism Effects 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
- 238000013519 translation Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
- G06F21/123—Restricting unauthorised execution of programs by using dedicated hardware, e.g. dongles, smart cards, cryptographic processors, global positioning systems [GPS] devices
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Technology Law (AREA)
- Multimedia (AREA)
- Remote Sensing (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Radar, Positioning & Navigation (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides an application program-oriented privileged hardware resource access method and electronic equipment, wherein the method divides a CPU operation mode into a root mode and a non-root mode, and each mode has a corresponding kernel mode and a corresponding user mode. The method comprises the following steps: running the application in a kernel mode other than the root mode; and restricting execution of unauthorized privileged instructions by the application. Wherein the unauthorized privileged instruction refers to an instruction for accessing a privileged hardware resource to which the application is not entitled. The invention improves the performance, safety and universality of the application program for accessing the privileged hardware resources.
Description
Technical Field
The present invention relates to the field of computer system security and system virtualization technologies, and in particular, to an application program-oriented privileged hardware resource access method and an electronic device.
Background
With the widespread use of various computer devices, attack means against computer systems are increasing. In order to cope with various security threats in the real world, higher demands are being placed on the security of computer systems. Currently, some researchers have proposed increasing the security of computer systems by restricting access to privileged hardware resources by applications because when an application is attacked by an attacker, the fewer resources the application has, the fewer resources the attacker can utilize, and thus the attacker's ability will be restricted, protecting the computer system from greater security threats. Still other researchers use privileged hardware resources to enhance the capabilities of applications to achieve stronger defense mechanisms, such as more accurate control flow integrity checks with hardware Intel processor trace units (Intel Processor Trace, IPT) in Intel processors that record path information, protection against return address-oriented programming attacks with last branch record units (Last Branch Recording, LBR), detection of cache-based side channel attacks in systems with performance monitoring units (Performance Monitoring Unit, PMU), etc.
Because in existing operating system designs, applications in the user state cannot directly access privileged hardware resources, the use of privileged hardware resources is accomplished primarily through the use of kernel modules or the use of virtual devices. The method for using the kernel module comprises the steps of loading the kernel module into a kernel in the running process of an operating system, and running the kernel module in a kernel mode, so that privileged hardware resources can be accessed in the kernel module; the method of using the virtual device requires that a developer create a virtual device in the system, when an application program accesses the privileged hardware resource, the developer first communicates with the virtual device, then completes the access to the privileged hardware resource in the virtual device, and finally returns the result to the application program by the virtual device. The method using the kernel module generally has better performance (i.e. higher access efficiency), but the method has lower universality because the process of writing the kernel module is complex, and the kernel modules realizing different functions can not coexist in the same computer system due to conflicts. The manner in which virtual devices are used is generally highly secure, however, it requires a trapping kernel to execute a large amount of kernel code, which results in poor performance (i.e., low access efficiency) and is not suitable for scenarios requiring frequent access to privileged hardware resources; in addition, the manner of using the virtual device requires that different virtual devices are created for different scenes, and thus the versatility thereof is also low.
There is also a way to use privileged hardware resources that puts applications into kernel mode for operation, which is better performing and more versatile (e.g., dune, which consists of small kernel modules). However, this approach is less secure because all privileged hardware resources in kernel mode are exposed to the application, and once the application is controlled by the attacker, the attacker will have the right to use all privileged hardware resources, with which he can make more damaging attacks, resulting in the application and thus the whole computer system being affected.
Disclosure of Invention
In order to solve the above-mentioned problems in the prior art, according to one embodiment of the present invention, there is provided an application-oriented privileged hardware resource access method, which divides a CPU operation mode into a root mode and a non-root mode, wherein each mode has a corresponding kernel mode and user mode. The method comprises the following steps: running the application in a kernel mode other than the root mode; and restricting execution of unauthorized privileged instructions by the application, wherein the unauthorized privileged instructions refer to instructions for accessing privileged hardware resources that the application does not have access to.
In the above method, restricting the execution of the unauthorized privileged instruction by the application may include: in response to intercepting an unauthorized privileged instruction that triggers a virtual machine dip, execution of the unauthorized privileged instruction is stopped. The method may further include: in response to determining that the unauthorized privileged instruction is a conditional collapse instruction, the unauthorized privileged instruction is configured to trigger virtual machine collapse upon execution.
The method may further include: configuring the unauthorized privileged instruction to raise an exception upon execution to trigger virtual machine subsidence and restricting execution of the unauthorized privileged instruction by the application includes: the execution of the unauthorized privileged instruction is stopped in response to intercepting the unauthorized privileged instruction that triggered the virtual machine dip causing the exception.
In the above method, restricting the execution of the unauthorized privileged instruction by the application may include: invalidating the execution result of the unauthorized privileged instruction.
The method may further include configuring the memory in the non-root mode by: copying a user space part of a highest-level page table in the root mode to the non-root mode; and multiplexing other stages of page tables except the highest stage of page table in the root mode by the non-root mode.
The method may further include: triggering the virtual machine to sink at the entry of the system call; after the virtual machine sags, calling a system call processing function in the root mode to process system call; and returning from the root mode to the non-root mode.
The method may further include: triggering the virtual machine to sink when an interrupt or abnormality occurs; after the virtual machine sags, calling an interrupt processing function in the root mode to process the interrupt, or calling an exception processing function in the root mode to process the exception; and returning from the root mode to the non-root mode.
In the above method, returning from the root mode to the non-root mode includes: determining whether a signal to be processed exists, wherein the signal is used for notifying the occurrence of an asynchronous event; in response to determining that there is a signal to process, deploying a signal stack to store a register state, and returning to the non-root mode; executing a signal processing function in the non-root mode and re-triggering virtual machine subsidence; restoring a previous register according to a register state stored on the signal stack in the root mode; and returning to the non-root mode to continue running the application.
According to one embodiment of the present invention, there is also provided an electronic device including a processor and a memory for storing one or more computer programs, which when executed by the processor, cause the electronic device to implement the above-described application-oriented privileged hardware resource access method.
The embodiment of the invention provides the following beneficial effects:
1. the application program is operated in a kernel mode of a non-root mode by utilizing a hardware-assisted virtualization technology, so that the application program can directly access the privileged hardware resources, and the access efficiency is higher. Meanwhile, the application program can only access the pre-customized privileged hardware resources with access right, so that the application program can not bring extra attack surface to an attacker when running in the kernel mode, thereby ensuring the running safety of the application program in the kernel mode. In addition, the application program runs in a non-root mode and is effectively isolated from the host operating system running in the root mode, so that any attack of the application program cannot influence the host operating system, and the safety of the host operating system is ensured. A developer can customize the privileged hardware resources by using the configuration file of the application program, so that the universality is higher.
2. The memory configuration in the virtualized environment is provided, and the system call processing, the exception and interrupt processing and the signal processing in the running process of the application program are optimized, so that the application program can run correctly in the kernel mode of the non-root mode. The application program can not access the memory of the kernel space in the non-root mode, so that the security is ensured, and an EPT mechanism is not required, so that the memory access efficiency of the application program is improved; in addition, the system call, the exception and the interrupt are transferred to the root mode for processing, so that the additional security threat to the application program is avoided, and the security is further improved.
Drawings
The exemplary embodiments will be described in detail below with reference to the attached drawing figures, which are intended to depict the exemplary embodiments and should not be interpreted as limiting the intended scope of the claims. The drawings are not considered to be drawn to scale unless specifically indicated.
FIG. 1 illustrates a block diagram of a privileged hardware customization platform according to one embodiment of the invention;
FIG. 2 illustrates a flowchart of a method for application-oriented privileged hardware resource access according to one embodiment of the invention;
FIG. 3 illustrates a memory layout in a virtualized environment, in accordance with one embodiment of the invention;
fig. 4 shows a flow chart of a processing method for a signal according to an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail by the following examples with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
As described above, in order to enable an application program in a user mode to access privileged hardware resources, the current commonly used mode of using a kernel module or virtual device has the problems of poor performance, low universality and the like; the method of directly operating the application program in kernel mode (e.g. Dune) to directly access the privileged hardware resource will add excessive rights to the application program, so that the attacker obtains a larger attack surface, resulting in lower security. In order to solve the problems, the invention utilizes a hardware-assisted virtualization technology to run the application program in a kernel mode of a non-root mode, so that the application program can directly access privileged hardware resources and does not bring larger attack surface to an attacker.
Currently, hardware-assisted virtualization techniques include, but are not limited to, intel VT-x and AMD-V. Taking Intel's VT-x as an example, a Virtual Machine Monitor (VMM) and a Guest operating system (Guest OS) respectively run in different CPU operation modes, that is, in VMX Root mode (or VMX Root mode, host mode, root mode, hereinafter collectively referred to as Root mode) and VMX Non-Root mode (or VMX Non-Root mode, guest mode, non-Root mode, hereinafter collectively referred to as Non-Root mode), respectively, both the Root mode and the Non-Root mode have corresponding CPU operation levels 0-3 (Ring 0-Ring 3). In general, the core instruction of the Guest OS may directly reach the computer system hardware for execution without going through the VMM. When the Guest OS executes to a special instruction (e.g., a privileged instruction to access a privileged hardware resource), the system switches to the VMM to have the VMM process the special instruction. In hardware-assisted virtualization techniques, a virtual machine control structure (Virtual Machine Control Structure, VMCS) is utilized to save states in both CPU operation modes in order to enable transitions between CPU operation modes, e.g., a VMM may configure the VMCS to determine which instruction or which exception in a non-root mode may cause a virtual machine to sag (VM-Exit, indicating a transition of a CPU operation mode from a non-root mode to a root mode); in addition, virtual machine sinking may also be triggered manually by a VMCALL instruction.
The invention provides a privileged hardware customizing platform by utilizing the hardware auxiliary virtualization technology, and particularly, the privileged hardware customizing platform utilizes Intel VT-x. FIG. 1 schematically illustrates a block diagram of the privileged hardware customization platform, as shown in FIG. 1, with an application running in a non-root mode (more precisely, in a kernel mode of the non-root mode) and a host operating system running in a root mode (more precisely, in a kernel mode of the root mode). The host operating system is loaded with a previously written kernel module which is used for starting an application program, and performing system call processing, exception and interrupt processing, signal processing and the like.
Based on the privileged hardware customization platform, according to one embodiment of the invention, an application-oriented privileged hardware resource access method is provided. The method utilizes hardware-assisted virtualization techniques to divide the CPU operation modes into a root mode and a non-root mode to provide two types of VMX operations, where each mode has a respective kernel mode and user mode (in other words, each mode has a respective CPU running level Ring0-Ring 3).
FIG. 2 schematically illustrates a flow chart of a method of application-oriented privileged hardware resource access according to one embodiment of the invention, as shown in FIG. 2, the method comprising the steps of:
1. the application is run in a kernel mode that is not root mode.
First, a kernel module is loaded in the host operating system, and the kernel module starts virtualization and creates a virtual device. After the virtualization is turned on, two CPU operation modes, namely a non-root mode and a root mode, are provided, and the current system environment (comprising the kernel and all processes) runs in the root mode.
The application is in a user state in a root mode when started, and then communicates with the virtual device created by the kernel module to transmit its running information, and the kernel module creates and configures a virtualized environment according to the running information, and then switches the processor to run in a kernel state (Ring 0) in a non-root mode. At this time, the code running in the virtualized environment is the code of the application program, and the application program runs in a kernel mode other than the root mode.
2. The execution of unauthorized privileged instructions by the application is restricted, wherein unauthorized privileged instructions refer to instructions for accessing privileged hardware resources that the application is not entitled to access.
To ensure security, an application can only access privileged hardware resources for which a developer has customized, and not have access to other privileged hardware resources. In one embodiment, a developer may implement customization of privileged hardware resources through a configuration file, e.g., recording in the configuration file of an application which privileged hardware resource(s) the application has access to. In this way, it can be determined from its configuration file at the start-up of an application whether the application is able to access a privileged hardware resource(s).
Access to privileged hardware resources is accomplished through corresponding privileged instructions, which may be categorized according to one embodiment of the invention as shown in Table 1, different privilege instruction protection methods are performed for different classes of privileged instructions that may be used to limit execution of unauthorized privileged instructions by an application.
TABLE 1
| Privilege instruction classification | Privileged instruction name |
| Hardware correlation | HLT/INVD/INVPLG et al |
| Descriptor table correlation | LGDT/LIDT/LLDT etc |
| Control register/Debug register correlation | MOV CR0/CR3/DR0, etc |
| Module-specifying register correlation | RDMSR/WRMSR/SWAPGS, etc |
| Input-output correlation | IN/INS/OUT/OUTS, etc |
| Segment correlation | LAR/LDS/LES/MOV DS and the like |
| Virtualization correlation | VMLAUNCH/VMRESUME and the like |
| Other privileged instructions | CLI/STI and the like |
Table 2 shows another classification example of privileged instructions, wherein the privileged instructions are divided into three categories, EXIT, INV and EXP, respectively.
TABLE 2
Based on the classification example shown in table 2, according to one embodiment of the present invention, the following three privilege instruction protection methods are provided for three classes of privilege instructions, respectively, to limit execution of unauthorized privilege instructions in the kernel mode of the non-root mode:
(1) in response to intercepting a privileged instruction that triggers a virtual machine dip (e.g., the EXIT class privileged instruction shown in table 2), execution of the privileged instruction is stopped.
In current hardware-assisted virtualization techniques, the VMM in root mode is able to monitor critical behavior in the virtual machine. When the EXIT type privileged instruction shown in table 2 is executed in the kernel mode of the non-root mode, if the virtual machine is triggered to sink, the VMM may intercept the EXIT type privileged instruction, and after the interception, the kernel module may stop the execution of the privileged instruction.
The EXIT class privilege instructions shown in table 2 may be further divided into unconditional and conditional dip instructions. Wherein execution of an unconditional collapse instruction (such as the privileged instructions shown in rows 1-2 of Table 2) must trigger virtual machine collapse, and execution of a conditional collapse instruction (such as the privileged instructions shown in rows 3-9 of Table 2) will trigger virtual machine collapse depending on the corresponding configuration in the VMCS. To limit the execution of conditional trap instructions by an application in kernel mode other than root mode, according to one embodiment of the present invention, conditional trap instructions in the EXIT class privileged instructions are configured to trigger virtual machine traps when executed, thereby enabling the VMM to intercept these privileged instructions in order to stop their execution.
(2) The privileged instructions (e.g., EXP-type privileged instructions shown in table 2) are configured to raise an exception upon execution to trigger virtual machine sinking, and to stop execution of the privileged instructions in response to intercepting the privileged instructions that raise an exception to trigger virtual machine sinking.
Specifically, for the EXP-type privileged instruction shown in table 2, it is configured to raise an exception upon execution, triggering virtual machine sinking by the exception. According to one embodiment of the invention, initiating an exception includes:
■ Triggering #UD abnormality
For example, for the privileged instructions shown in line 20 of Table 2, the kernel module may be operable to stop execution of the privileged instructions by shutting down their support in the VMCS, thereby enabling the VMM in root mode to intercept execution of the privileged instructions by raising a #UD exception when executing the privileged instructions.
■ Initiation of #GP abnormality
For example, for the privileged instructions associated with the segment operations shown in lines 16-18 of Table 2, the segment descriptor cache of the segment register is filled with the correct segment descriptor information using the segment descriptor cache structure, and the segment descriptor table is set to null. More specifically, the contents of all segment registers, including selector and corresponding segment descriptor information, are set in the Guest field of the VMCS, which will be directly loaded into the Guest segment registers upon entering the non-root mode, while the values of the base and limit fields in the GDTR and LDTR registers in the Guest field are set to 0. When the application program executes the segment switching operation, the processor causes #GP exception when accessing the segment descriptor table, thereby triggering the virtual machine to sink. After capturing the #gp exception, the kernel module may check whether the segment switching operation is legal (legal segment switching operation refers to taking the level of authority that the application should execute as a target segment that the CPL can access legally, instead of a segment that can be accessed under Ring 0), if the rule is legal, perform analog execution on the corresponding instruction (to fill the requested segment information into the corresponding segment register in the VMCS, and return to the non-root mode); if not, execution of the privileged instruction is stopped.
■ Initiating #PF abnormalities
For example, for the privileged instructions (e.g., SYSEXIT or SYSRET) shown in Table 2 at line 19 that cause a segment switch, execution of these privileged instructions would set CPL to 3 and run under Ring 3. According to one embodiment of the invention, the CPU is caused to raise a #PF exception by a fetching operation when executing the next instruction of a privileged instruction (SYSEXIT or SYSRET) by mapping the code of the application into a supervisor-mode page and configuring the processor to be unable to fetch instructions from the supervisor-mode page in user mode. After intercepting a privileged instruction that triggers a virtual machine dip by raising a #pf exception, the kernel module may stop execution of the privileged instruction.
(3) Invalidating execution results of privileged instructions
The INV-like privileged instructions shown in table 2 are used to invalidate their execution results, thereby preventing an attacker from using these privileged instructions to obtain information or alter any kernel state.
Taking the example of the CR0 and CR4 register-related read-write instructions shown in Table 2, line 10, where the CR0 and CR4 registers each have a set of guest/host masks and read shadow, all bits of guest/host masks are set to 1, and all bits of read shadow are set to 0, so that an attacker reads the CR0/CR4 registers with values of 0, and writes to both registers do not actually modify the CR0 and CR4 registers.
Compared with the existing method for accessing the privileged hardware resources, in the method for accessing the privileged hardware resources for the application program, the hardware-assisted virtualization technology is utilized to run the application program in a kernel mode of a non-root mode, so that the application program can directly access the privileged hardware resources, and the access efficiency is higher. Meanwhile, the application program can only access the privileged hardware resources customized by the developer in advance, so that the application program can not bring extra attack surface to an attacker when running in the kernel mode, and the running safety of the application program in the kernel mode is ensured. Since the application program runs in the non-root mode and is effectively isolated from the host operating system running in the root mode, any attack on the application program will not affect the host operating system, which ensures the security of the host operating system. In addition, a developer can customize the privileged hardware resources by configuring the configuration file of the application program, so that the method has higher universality.
In the above embodiment, the application program is run in the user mode of the root mode at the time of startup, and then is switched to the kernel mode of the non-root mode. To ensure that an application can function properly in non-root mode (e.g., system calls can be handled in root mode as described below), virtual memory in non-root mode is typically required to be consistent with maintaining in root mode, in one embodiment, the non-root mode and the root mode may use the same page table by multiplexing the page tables. However, if the page table in the root mode is directly multiplexed in the non-root mode, the application program can access the address of the kernel space when running in the non-root mode, resulting in lower security.
For security reasons, according to a preferred embodiment of the present invention, when the kernel module creates and configures a virtualized environment according to the running information of the application, the memory under the virtualized environment is configured. Wherein the page table in non-root mode is obtained by copying the user space portion of the highest level page table in root mode to non-root mode and multiplexing the other level page tables in root mode, as shown in fig. 3. Through configuration, the kernel space part of the highest-level page table in the non-root mode is empty, so that the access of the application program running in the non-root mode to the kernel space memory can be limited, and the safety is further ensured. Besides ensuring security, an extended page table (Extended Page Table, EPT) mechanism in a hardware-assisted virtualization technology can be avoided, so that the address translation process in the EPT is reduced, and the access efficiency of an application program is improved.
Taking 64-bit X86 as an example, the page table is generally divided into four stages of PML4, PDPT, PD and PT, in order to ensure that an application program can operate correctly in the non-root mode, 2, 3, 4-stage page tables in the root mode are multiplexed in the non-root mode, and the highest-stage page table PML4 in the root mode is copied (512 entries in PML4, the first 256 entries point to the user space and the last 256 entries point to the kernel space), to obtain the highest-stage page table PML4' in the non-root mode. PML4' total 512 entries, with the first 256 entries (0-255) pointing to user space, entries 256-510 being empty, and entry 511 being indexed to VSYSCALL page (VSYSCALL for accelerating system calls requesting data from the kernel). Thus, a configuration of a four-stage page table in a non-root mode is realized.
In addition, the page table in root mode may be updated during the running of the application. After the update of the highest-level page table in the root mode is monitored, the highest-level page table in the non-root mode can be synchronously operated. Since the highest-level page table in the root mode and the highest-level page table in the non-root mode obtained by copying are dispersed in two pages, in order to ensure the consistency of the two pages when the application program runs, according to one embodiment of the invention, the two pages can be set to be read-only permission to realize synchronous operation.
In the above embodiment, when an application running in the kernel mode of the non-root mode needs to request a higher authority service from the host operating system kernel through a system call, the code of the system call process may be introduced in the non-root mode, but this may cause an attacker to attack with these codes after hijacking the application. In response to this problem, according to a preferred embodiment of the present invention, system calls executed by the application program at runtime are forwarded to the root mode for processing. Considering that the instructions SYSCALL and SYSRET which are generally used for executing the system call cannot realize the switching between the non-root mode and the root mode, in order to enable the system call to be correctly forwarded to the root mode for processing, based on the memory configuration in the virtualized environment shown in fig. 3, a processing method for the system call is provided, which comprises the following steps:
■ Executing a VMCALL instruction at the entry of the system call to trigger virtual machine subsidence;
■ After the virtual machine sags, processing the system call in the root mode, namely, calling a corresponding system call processing function by the kernel module according to the system call number to finish the processing of the system call. The user space part of the highest-level page table in the non-root mode is the same as that of the highest-level page table in the root mode, so that the processing of the system call can be completed by calling the corresponding system call processing function in the root mode;
■ Returning to the non-root mode from the root mode.
Specifically, the processing method for the system call comprises the following steps: a code page is opened up in the memory space of the application program, the code page is in a kernel state of a non-root mode and stores the following two instructions:
SyscallEntry:VMCALL
JMP*%RCX
meanwhile, the value of the ia32_lstar_msr register in the non-root mode is set to SyscallEntry. When the application program executes the SYSCALL instruction, the address of the next instruction of the instruction is stored in the RCX register, and the entry SystemEntry of the system call is acquired from the IA32_LSTAR_MSR register, so that the VMCALL is executed. Execution of the VMCALL causes the virtual machine to collapse, i.e., the CPU switches from non-root mode to root mode, and passes control to the kernel module. And the kernel module calls the original system call processing function in the host operating system kernel according to the system call number. After the system call processing function is executed, the kernel module executes a VMRESUME instruction, switches from a root mode to a non-root mode, and starts execution from JMP%RCX. Since RCX stores the next instruction address of the SYSCALL instruction, JMP%rcx jumps to the next instruction of the SYSCALL, thereby completing a system call.
The processing method for the system call can ensure that codes for the system call processing are not introduced in a non-root mode, and can prevent an attacker from realizing attack by utilizing the codes after hijacking the application program, thereby further improving the running safety of the application program.
When an application is running in a kernel mode other than the root mode, according to one embodiment of the present invention, there is also provided a processing method for an interrupt (e.g., an external interrupt) or an exception (e.g., a page exception, a divide-by-0 exception, an illegal instruction exception, etc.), similar to the processing method for a system call, that forwards an interrupt or exception at the time of running the application to the root mode for processing. The processing method for the interrupt or the exception comprises the following steps:
■ Configuring the VMCS (specifically, configuring a virtual machine execution control field in the VMCS, i.e., VM-Execution Controls Field, such that interrupts or exceptions occurring in non-root mode trigger virtual machine sinking;
■ Triggering the virtual machine to sink when an interrupt or abnormality occurs;
■ After the virtual machine sags, interrupts or exceptions are handled in root mode. The kernel module calls a corresponding interrupt processing function according to the interrupt number to complete the processing of the interrupt; aiming at the exception, a kernel module calls a corresponding exception handling function according to the exception number to finish handling the exception;
■ Returning to the non-root mode from the root mode.
The interrupt or abnormality processing method can isolate the interrupt or abnormality processing from the running of the application program, and the application program cannot sense the occurrence of the interrupt or abnormality, so that an attacker cannot attack the interrupt or abnormality processing, and the application program is prevented from bringing additional security threat, thereby further improving the security.
When the application program runs in the kernel mode of the non-root mode, according to one embodiment of the invention, a signal processing method is further provided, and the signal processing method is used for ensuring that a signal mechanism can work normally. Wherein the signaling is used to signal the occurrence of an asynchronous event, and the signaling mechanism is indicative of an asynchronous interprocess communication mechanism. Referring to fig. 4, the processing method for signals includes:
■ After a system call process or an exception or interrupt process, it is determined whether there is a signal to be processed. Specifically, the kernel module invokes a signal_pending () function to check whether a signal to be processed exists in the signal queue.
■ If there is no signal to be processed, the processor returns to the non-root mode from the root mode and ends the signal processing; if there is a signal to be processed, the next step is performed.
■ The signal stack is deployed by the kernel module. Specifically, invoking the do_signal () function completes the save and switch work of the user state context (i.e., all register states) on the signal stack, and sets the user state new context into the Guest state field of the VMCS.
■ Execution resumes virtual machine instruction (VMRESUME) returns to non-root mode.
■ The signal processing function is performed in a non-root mode.
■ After the signal processing function is executed, the SIGRETURN system call is called, and the virtual machine sinking is triggered again.
■ In root mode, the previous registers are restored by the kernel module based on the state of the registers saved on the signal stack, and the virtualization environment is reconfigured.
■ Executing VMRESUME returns to non-root mode where the application continues to run.
It should be noted that some example methods are depicted as flowcharts. Although the flowchart depicts operations as being performed sequentially, it will be appreciated that many of the operations can be performed in parallel, concurrently or synchronously. In addition, the order of operations may be rearranged. The process may terminate when the operation is completed, but may also have additional steps not included in the figures or embodiments.
The above-described methods may be implemented in hardware, software, firmware, middleware, pseudocode, hardware description language, or any combination thereof. When implemented in software, firmware, middleware or pseudocode, the program code or code segments to perform the tasks can be stored in a computer readable medium such as a storage medium and the processor can perform the tasks.
It should be appreciated that the exemplary embodiments implemented in software are typically encoded on some form of program storage medium or implemented over some type of transmission medium. The program storage medium may be any non-transitory storage medium, such as a magnetic disk (e.g., a floppy disk or a hard disk) or an optical disk (e.g., a compact disk read only memory or "CD ROM"), and may be read-only or random access. Similarly, the transmission medium may be twisted wire pairs, coaxial cable, optical fiber, or some other suitable transmission medium known to the art.
While the invention has been described in terms of preferred embodiments, the invention is not limited to the embodiments described herein, but encompasses various changes and modifications that may be made without departing from the scope of the invention.
Claims (10)
1. An application-oriented privileged hardware resource access method, wherein a CPU operating mode is divided into a root mode and a non-root mode, each mode having a corresponding kernel mode and user mode, the method comprising:
running the application in a kernel mode of a non-root mode to enable the application to directly access privileged hardware resources;
acquiring a configuration file of the application program, wherein the configuration file indicates privileged hardware resources which the application program has access to when running in a kernel mode of a non-root mode; and
and limiting the execution of unauthorized privileged instructions of the application program in a kernel mode of a non-root mode according to the configuration file, wherein the unauthorized privileged instructions are instructions for accessing privileged hardware resources which the application program does not have access to.
2. The method of claim 1, wherein restricting execution of unauthorized privileged instructions by the application comprises:
in response to intercepting an unauthorized privileged instruction that triggers a virtual machine dip, execution of the unauthorized privileged instruction is stopped.
3. The method according to claim 2, wherein the method further comprises:
in response to determining that the unauthorized privileged instruction is a conditional collapse instruction, the unauthorized privileged instruction is configured to trigger virtual machine collapse upon execution.
4. The method according to claim 1, wherein the method further comprises:
configuring unauthorized privileged instructions to raise exceptions upon execution to trigger virtual machine subsidence; and
wherein restricting execution of unauthorized privileged instructions by the application comprises:
the execution of the unauthorized privileged instruction is stopped in response to intercepting the unauthorized privileged instruction that triggered the virtual machine dip causing the exception.
5. The method of claim 1, wherein restricting execution of unauthorized privileged instructions by the application comprises:
invalidating the execution result of the unauthorized privileged instruction.
6. The method of any of claims 1-5, further comprising configuring the memory in non-root mode by:
copying a user space part of a highest-level page table in the root mode to the non-root mode; and
the non-root mode multiplexes other stage page tables except the highest stage page table in the root mode.
7. The method of claim 6, wherein the method further comprises:
triggering the virtual machine to sink at the entry of the system call;
after the virtual machine sags, calling a system call processing function in the root mode to process system call; and
returning from the root mode to the non-root mode.
8. The method of claim 6, wherein the method further comprises:
triggering the virtual machine to sink when an interrupt or abnormality occurs;
after the virtual machine sags, calling an interrupt processing function in the root mode to process the interrupt, or calling an exception processing function in the root mode to process the exception; and
returning from the root mode to the non-root mode.
9. The method of claim 7 or 8, wherein returning from the root mode to the non-root mode comprises:
determining whether a signal to be processed exists, wherein the signal is used for notifying the occurrence of an asynchronous event;
in response to determining that there is a signal to process, deploying a signal stack to store a register state, and returning to the non-root mode;
executing a signal processing function in the non-root mode and re-triggering virtual machine subsidence;
restoring a previous register according to a register state stored on the signal stack in the root mode; and
returning to the non-root mode to continue running the application.
10. An electronic device comprising a processor and a memory for storing one or more computer programs, which when executed by the processor, cause the electronic device to implement the method of any of claims 1-9.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910462140 | 2019-05-30 | ||
| CN2019104621403 | 2019-05-30 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111737656A CN111737656A (en) | 2020-10-02 |
| CN111737656B true CN111737656B (en) | 2023-10-27 |
Family
ID=72646505
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010473124.7A Active CN111737656B (en) | 2019-05-30 | 2020-05-29 | Application program-oriented privileged hardware resource access method and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111737656B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113225344B (en) * | 2021-05-10 | 2022-09-30 | 深信服科技股份有限公司 | Access control method, device, equipment and readable storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102521531A (en) * | 2011-11-24 | 2012-06-27 | 华中科技大学 | Password protection system based on hardware virtualization |
| CN103270491A (en) * | 2011-12-06 | 2013-08-28 | 华为技术有限公司 | Hardware resource protection method and system, and virtual machine manager |
| CN104424034A (en) * | 2013-09-04 | 2015-03-18 | 华为技术有限公司 | Hardware resource access method and hardware resource access device |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8479196B2 (en) * | 2009-09-22 | 2013-07-02 | International Business Machines Corporation | Nested virtualization performance in a computer system |
-
2020
- 2020-05-29 CN CN202010473124.7A patent/CN111737656B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102521531A (en) * | 2011-11-24 | 2012-06-27 | 华中科技大学 | Password protection system based on hardware virtualization |
| CN103270491A (en) * | 2011-12-06 | 2013-08-28 | 华为技术有限公司 | Hardware resource protection method and system, and virtual machine manager |
| CN104424034A (en) * | 2013-09-04 | 2015-03-18 | 华为技术有限公司 | Hardware resource access method and hardware resource access device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111737656A (en) | 2020-10-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9400885B2 (en) | Computer security systems and methods using virtualization exceptions | |
| KR102116571B1 (en) | Systems And Methods for Exposing A Result Of A Current Processor Instruction Upon Exiting A Virtual Machine | |
| US10140448B2 (en) | Systems and methods of asynchronous analysis of event notifications for computer security applications | |
| US9507727B2 (en) | Page fault injection in virtual machines | |
| US20160210069A1 (en) | Systems and Methods For Overriding Memory Access Permissions In A Virtual Machine | |
| CN110574009B (en) | Apparatus and method for managing use of capabilities | |
| Gu et al. | Harmonizing performance and isolation in microkernels with efficient intra-kernel isolation and communication | |
| US11727110B2 (en) | Verifying stack pointer | |
| US9596261B1 (en) | Systems and methods for delivering context-specific introspection notifications | |
| US20160048458A1 (en) | Computer Security Systems and Methods Using Hardware-Accelerated Access To Guest Memory From Below The Operating System | |
| US20150379265A1 (en) | Systems And Methods For Preventing Code Injection In Virtualized Environments | |
| CN111737656B (en) | Application program-oriented privileged hardware resource access method and electronic equipment | |
| US20200117458A1 (en) | Apparatus and method for controlling a change in instruction set | |
| US9531735B1 (en) | Systems and methods for delivering introspection notifications from a virtual machine | |
| US11216280B2 (en) | Exception interception | |
| CN114090273B (en) | Inter-process communication method, device and computer storage medium | |
| JP7369720B2 (en) | Apparatus and method for triggering actions | |
| CN117222990A (en) | Techniques for access to memory using capability constraints | |
| CN118069403A (en) | Processing method of abnormal instruction |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |