CN114265775A - Hardware-assisted virtualization environment core detection method and system - Google Patents

Publication number: CN114265775A
Authority: CN (China)
Legal status: Granted (Active)
Application number: CN202111576319.5A
Other languages: Chinese (zh)
Other versions: CN114265775B (en)
Inventors: 王鹤, 郑超, 任军帅, 杨倩, 王建凯, 陶小结
Current Assignee: Institute of Information Engineering of CAS
Original Assignee: Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN202111576319.5A
Publication of CN114265775A
Application granted
Publication of CN114265775B

Abstract

The invention relates to a hardware-assisted virtualization environment core detection method and system, wherein the method comprises the following steps: S1: when the detection program has ordinary privileges to operate VMCALL, it actively triggers a VM Exit with the VMCALL virtualization extension instruction, sends a call to a Hypercall processing function in the Hypervisor, and judges whether a virtualization environment exists according to the default return value; S2: when the detection program has privileged access to operate VMCALL, it calls VMCALL and passes parameters through the general registers to obtain different return values, and judges whether a virtualization environment exists according to the return values; S3: when the detection program has privileged access to operate on CR0, it changes the CD bit of the CR0 register and checks the influence on system performance, and thereby judges whether a virtualization environment exists; S4: when the detection program has privileged access to operate on the L2C, it evicts a specific Cache set of the L2C and judges whether a virtualization environment exists according to the eviction behaviour of that Cache set.

Description

Hardware-assisted virtualization environment core detection method and system
Technical Field
The invention relates to the technical field of information security, in particular to a hardware-assisted virtualization environment core detection method and system.
Background
Software analysis techniques include static analysis and dynamic analysis. Static analysis obtains the disassembled code of the software under analysis by decompiling or disassembling the executable program, and then works out the software's logic and specific behavior from that code. Static analysis does not need to actually run the program, so it is a convenient and fast method, but it struggles with hardened software, and some runtime flows cannot be analyzed statically. Dynamic analysis actually runs the program in an isolated environment, usually by means of virtualization technology, obtains different execution paths through different inputs, and analyzes the execution branches and results to reconstruct the execution logic of the software. By constantly adjusting the inputs, the internal execution logic of the software under analysis can be understood more completely, but advanced software may intentionally hide its behavior when it discovers that it is being dynamically analyzed, thereby misleading the analysis result. Much software is obfuscated or hardened to varying degrees to prevent cracking or analysis, and to avoid dynamic analysis it usually needs to detect its running environment so that it can hide its behavior or terminate in time. Therefore, how to determine whether a program runs in a user virtual machine or in a local bare metal OS environment has become a problem to be solved urgently.
Disclosure of Invention
In order to solve the above technical problems, the present invention provides a method and a system for detecting a hardware-assisted virtualization environment core.
The technical solution of the invention is as follows: a hardware assisted virtualization environment core detection method comprises the following steps:
step S1: when the detection program has ordinary privileges to operate VMCALL, it actively triggers a VM Exit with the VMCALL virtualization extension instruction, sends a call to a Hypercall processing function in the Hypervisor, and judges whether a virtualization environment exists according to the default return value;
step S2: when the detection program has privileged access to operate VMCALL, it calls VMCALL and passes parameters through the general registers, so that the return values of the specific Hypercall processing functions corresponding to different VMCALL parameters can be obtained, and judges whether a virtualization environment exists according to the return values;
step S3: when the detection program has privileged access to operate on CR0, it changes the CD bit of the CR0 register and checks the influence on system performance, and thereby judges whether a virtualization environment exists;
step S4: when the detection program has privileged access to operate on the L2C, it evicts a specific Cache set of the L2C and judges whether a virtualization environment exists according to the eviction behaviour of that Cache set.
Compared with the prior art, the invention has the following advantages:
1. Traditional virtualization detection relies mainly on fingerprint traces that the Hypervisor implementation leaves in the virtual machine, and these fingerprints are easily removed by Hypervisor updates; moreover, almost all mainstream Hypervisor implementations are now built on hardware-assisted virtualization acceleration, so isolation is stronger and virtualization fingerprints are fewer. To solve this problem, the invention discloses a hardware-assisted virtualization environment core detection method that is built on hardware-assisted virtualization extensions and micro-architecture characteristics and does not depend on traces of the Hypervisor, so it is not easy to evade or remove.
2. The invention can select different modules according to the privileges held by the user program, and therefore has wider applicability and higher extensibility.
3. The invention uses virtualization detection based on the PP technique, which depends only on the SLAT property of the virtual environment, and is therefore suitable not only for a hardware-assisted full virtualization environment but also for a paravirtualization or sandbox environment.
Drawings
FIG. 1 is a flowchart illustrating a method for detecting a hardware-assisted virtualization environment core according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating memory access before and after setting the CD bit according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating L2C eviction detection in an embodiment of the invention;
FIG. 4 is a block diagram illustrating a core detection system of a hardware-assisted virtualization environment according to an embodiment of the present invention.
Detailed Description
The invention provides a hardware-assisted virtualization environment core detection method that has wider applicability and extensibility and, because it is based on the underlying hardware-assisted virtualization extensions and micro-architecture characteristics, has better detection stability.
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings.
For a better understanding of the following examples, the techniques used and some of the abbreviations are explained as follows:
System virtualization technology is widely used in cloud and local environments; it not only greatly improves resource utilization but also provides a virtualized operating environment isolated from the host system. Typical virtual machine managers, also called Hypervisors, include open-source ones such as KVM and Xen and commercial closed-source ones such as Hyper-V and VMware work. Because the hardware-assisted virtualization mechanism provides hardware support for virtualization, full virtualization based on hardware assistance provides better security isolation and higher performance. Intel VT-x, AMD-V, and ARM Virtualization all provide support for hardware-assisted virtualization.
The side channel timing attack based on the CPU Cache is a form of attack widely used in the side channel field: by timing accesses to a specific region of the shared Cache that the victim program's memory maps to, and using the differences in access duration, the attacker indirectly infers the victim's memory access pattern and thereby obtains the victim's confidential code or data. Prime+Probe (PP) is a typical Cache side channel attack technique and consists of three main steps: the attacker constructs an eviction set and accesses the corresponding memory in the eviction set to fill one or more specific Cache sets; the attacker then waits for a preset time so that the victim can access memory mapped to the same Cache sets; finally, the attacker reads the memory corresponding to the Cache sets it filled again, and measures and analyzes the access time of those reads.
Example one
As shown in fig. 1, a method for detecting a hardware-assisted virtualization environment core according to an embodiment of the present invention includes the following steps:
step S1: when the detection program has ordinary privileges to operate VMCALL, it actively triggers a VM Exit with the VMCALL virtualization extension instruction, sends a call to a Hypercall processing function in the Hypervisor, and judges whether a virtualization environment exists according to the default return value;
step S2: when the detection program has privileged access to operate VMCALL, it calls VMCALL and passes parameters through the general registers, so that the return values of the specific Hypercall processing functions corresponding to different VMCALL parameters can be obtained, and judges whether a virtualization environment exists according to the return values;
step S3: when the detection program has privileged access to operate on CR0, it changes the CD bit of the CR0 register and checks the influence on system performance, and thereby judges whether a virtualization environment exists;
step S4: when the detection program has privileged access to operate on the L2C, it evicts a specific Cache set of the L2C and judges whether a virtualization environment exists according to the eviction behaviour of that Cache set.
This embodiment makes comprehensive use of the hardware-assisted virtualization mechanism and the micro-architecture characteristics of the processor, takes into account the privileges the detection program may hold, and provides a different detection mode for each privilege level, so the modes can be integrated conveniently. When the detection program has only ordinary privileges, it actively triggers a VM Exit with the VMCALL virtualization extension instruction and sends a call to the Hypercall processing function in the Hypervisor, thereby obtaining a call result. When the detection program can obtain privileged access, the VMCALL privileged detection, the CR0 privileged detection and the L2C privileged detection can be invoked as the situation requires, thereby obtaining a call result. The call result is then analyzed to determine whether the detection program runs in a user virtual machine or in the local bare metal OS environment.
In one embodiment, the step S1 (when the detection program has ordinary privileges to operate VMCALL, it actively triggers a VM Exit with the VMCALL virtualization extension instruction, sends a call to a Hypercall processing function in the Hypervisor, and judges whether a virtualization environment exists according to the default return value) specifically comprises the following:
when the detection program has ordinary privileges to operate VMCALL, actively calling VMCALL in a local environment raises a hardware exception and causes a program error, whereas VMCALL executes smoothly when called in a virtual machine and, after trapping into the Hypervisor through a VM Exit, yields a default return value, so whether a virtualization environment exists is judged according to the default return value;
When the detection program has ordinary privileges, it mainly uses the hardware virtualization extension instruction VMCALL and the corresponding Hypercall mechanism. The virtualization platform provided by Intel VT-x has two operating modes, VMX root mode (VRM) and VMX non-root mode (VNRM). Just as an OS provides a system call interface to user space, a Hypervisor running in VRM under hardware-assisted virtualization needs to provide specific interfaces to the virtual machines running in VNRM, and these interfaces take the form of Hypercalls. The detection program actively executes the VMCALL instruction, which is compiled into it; the CPU generates a VM Exit as soon as it detects the VMCALL and switches to VRM mode, at which point execution enters the Hypervisor. When the Hypercall processing function in the Hypervisor detects that the vCPU's previous privilege level was not the highest privilege level, it writes the default return result to the virtual register, and the detection program in the virtual machine reads the return value from the virtual register after the CPU performs the VM Entry. When the detection program runs in the local environment, the VNRM-mode instruction is not supported, so the instruction raises a hardware exception that interrupts execution and no value is returned. Thus, whether the program runs in a virtualized environment can be distinguished from the different execution outcomes and return values.
In one embodiment, the step S2 (when the detection program has privileged access to operate VMCALL, it calls VMCALL and passes parameters through the general registers, obtains the return values of the specific Hypercall processing functions corresponding to different VMCALL parameters, and judges whether a virtualization environment exists according to the return values) specifically comprises the following:
when the detection program has privileged access to operate VMCALL, it attaches a specific parameter value to a virtual register when calling the VMCALL instruction; different Hypercall processing functions are called according to the different parameter values, and different return values are obtained; when the detection program runs in a local environment, the incompatible instruction causes an error and no return value can be obtained; whether a virtualized environment exists is judged according to the return value.
When the detection program runs in the kernel mode of the OS and has privileged access to operate VMCALL, virtualization is detected by using the difference in the instruction sets that support VMCALL in the different CPU modes, which allows finer-grained detection. The detection program actively executes the VMCALL instruction, which is compiled into it; the register parameters corresponding to the different Hypercall processing functions are worked out from the open source code and documentation of mainstream Hypervisors, and the specific parameter values are attached to the virtual registers when the VMCALL instruction is called. After the CPU generates the VM Exit, the Hypervisor detects that the vCPU's previous privilege level was the highest privilege level, reads the parameter values of the virtual registers from the VMCS, calls different Hypercall processing functions according to the different parameter values and returns different values; the detection program in the virtual machine reads the return value from the virtual register after the CPU performs the VM Entry. As long as the detection program inside the virtual machine passes different parameters, it obtains different expected return values. When the detection program runs in the local environment, however, no return value can be obtained because the incompatible instruction causes an error.
In one embodiment, the step S3 (when the detection program has privileged access to operate on CR0, it changes the CD bit of the CR0 register and checks the influence on system performance, and thereby judges whether a virtualization environment exists) specifically comprises the following:
when the detection program has privileged access to operate on CR0, setting the CD bit of the CR0 register in a virtualization environment does not actually affect the physical CPU; when the detection program runs in a local environment, setting the CD bit does affect the physical CPU, so the state of the physical Cache changes and memory access time becomes longer; whether a virtualized environment exists is judged by comparing the memory access time before and after setting the CD bit.
The CD bit of the CR0 register controls whether the system's code and data can be cached and accelerated by the Cache in the CPU, and changing the CD bit makes a significant difference to system performance. As shown in fig. 2, when the detection program has privileged access to operate on CR0, it first accesses memory data intensively many times and records the total memory access time; the detection program then sets the CD bit so that the Cache no longer caches memory contents, accesses the memory data intensively again, and records the total time of this second round of accesses; the two times are then compared. If the detection program runs in a virtualization environment, modifying the CD bit of CR0 modifies the virtual vCR0 that the Hypervisor provides to the virtual machine; the virtual machine can complete the setting, but the modification has no influence on the physical CPU. When the detection program runs in the local environment, however, a kernel-mode program setting the CD bit really does affect the CPU, which makes memory access time significantly longer. By comparing the two memory access times before and after the setting, it is possible to distinguish whether the system runs in a virtual environment or a local environment.
In one embodiment, the step S4 (when the detection program has privileged access to operate on the L2C, it evicts a specific Cache set of the L2C and judges whether a virtualization environment exists according to the eviction behaviour of that Cache set) specifically comprises the following:
when the detection program has privileged access to operate on the L2C and runs in a local environment, it obtains the real physical memory address through the pagemap interface, so the Cache set is correctly located and indexed and an obvious peak appears in the average access time of the target Cache set; when the detection program runs in a virtualization environment, the physical address it obtains is not the address of the real physical memory, and the Cache set it locates is not the expected target Cache set; by comparing the average access time of the target Cache set with the average access time of all the Cache sets, the detection program can judge which operating environment it is in.
This step exploits the fact that a physical address means different things in a virtualized and in a local environment: the L2C is evicted using the PP technique, and the difference between the access time of memory mapped to the target Cache set and the access time of the other Cache sets is observed. As shown in fig. 3, the detection program first allocates virtual memory on the function stack and then obtains the physical address of that virtual memory through the pagemap interface. The Cache sets of the L2C are indexed by physical memory address; since the typical Cache Line size is 64 bytes, the lowest bits 0-5 index the byte within the line, and the Cache set index starts at bit 6 of the physical address. By continually searching for and storing the eviction set of each Cache set, that is, a group of memory addresses mapped to the same Cache set, the eviction sets corresponding to all Cache sets are obtained. The detection program selects one Cache set as the target observation set: it randomly picks one Cache set and finds another eviction set for it by the same method. The detection program first accesses all the eviction sets; these accesses cache the memory blocks into the corresponding Cache sets in the CPU and replace the previous contents of the L2C. It then accesses one or more addresses of the eviction set corresponding to the target Cache set, so that new memory contents are cached in the target Cache set and the original contents are replaced. It then accesses all the eviction sets in sequence and times each access. This procedure is repeated and the average times are computed. When the detection program runs in a local environment, the program obtains the real physical memory address through the pagemap interface, and the Cache set can be correctly indexed through the specified bits of the physical memory address.
However, when the detection program runs in a virtualization environment, the physical address obtained by the program inside the virtual machine is not the address of the real physical memory; in addition, because the virtual machine is a process on the host and is scheduled across cores, the virtualization environment is also subject to more noise, which pollutes the Cache. Under the influence of these factors, the average access times of all Cache sets observed in a virtualization environment are disordered and irregular; in a local environment, by contrast, the Cache sets can be located correctly, so the average access time of the target Cache set shows an obvious peak while the average access times of the other Cache sets are lower. By comparing the average access time of the target Cache set with the average access time of all the Cache sets, the detection program can judge which operating environment it is in.
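The address arithmetic and the peak comparison described for step S4, as an added example that is not part of the patent text: it decodes a Linux pagemap entry (bit 63 present, bits 0-54 PFN), derives the L2C set index starting at bit 6, and compares the target set's average time with the average over all sets. The page size, the set count, the threshold, the SLAT mapping and the timing arrays are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this sketch (not values from the patent). */
#define PAGE_SHIFT   12u                 /* 4 KiB pages */
#define LINE_SHIFT   6u                  /* 64-byte line: bits 0-5 = byte in line */
#define L2_SETS      1024u               /* power-of-two number of L2C sets */
#define PEAK_RATIO   1.5                 /* decision threshold for the peak */

/* Linux pagemap entry layout: bit 63 = page present, bits 0-54 = PFN. */
#define PM_PRESENT   (1ULL << 63)
#define PM_PFN_MASK  ((1ULL << 55) - 1)

/* Convert one 64-bit pagemap entry into a physical address.
 * Returns -1 when the page is not present or the PFN reads as zero,
 * which is what a reader without CAP_SYS_ADMIN gets on current kernels. */
int pagemap_to_phys(uint64_t entry, uint64_t vaddr, uint64_t *phys)
{
    uint64_t pfn = entry & PM_PFN_MASK;

    if (!(entry & PM_PRESENT) || pfn == 0)
        return -1;
    *phys = (pfn << PAGE_SHIFT) | (vaddr & ((1ULL << PAGE_SHIFT) - 1));
    return 0;
}

/* Set index = physical address bits 6 .. 6+log2(L2_SETS)-1. */
unsigned l2_set_index(uint64_t phys)
{
    return (unsigned)((phys >> LINE_SHIFT) & (L2_SETS - 1));
}

/* Average access time of the target set divided by the average over all sets. */
double target_peak_ratio(const double *avg, size_t n, size_t target)
{
    double sum = 0.0;

    if (n == 0 || target >= n)
        return 0.0;
    for (size_t i = 0; i < n; i++)
        sum += avg[i];
    return sum > 0.0 ? avg[target] / (sum / (double)n) : 0.0;
}

/* 1 when the target set stands out as a peak (local-environment pattern). */
int has_target_peak(const double *avg, size_t n, size_t target, double thr)
{
    return target_peak_ratio(avg, n, target) >= thr;
}

/* Constructed per-set average probe times in cycles; set 4 is the target. */
static const double NATIVE_AVG[8] = {41, 40, 42, 39, 118, 41, 40, 39};
static const double GUEST_AVG[8]  = {63, 47, 71, 52, 58, 66, 49, 74};

int main(void)
{
    uint64_t va = 0x7ffd1234a6c0ULL;     /* constructed stack address */
    uint64_t gpa = 0, hpa = 0;

    /* What pagemap reports inside a guest (guest-physical, constructed PFN). */
    pagemap_to_phys(PM_PRESENT | 0x12345ULL, va, &gpa);
    /* Where SLAT actually places the page (host-physical, constructed PFN). */
    pagemap_to_phys(PM_PRESENT | 0x9abc7ULL, va, &hpa);

    /* Bits 6-11 come from the page offset and agree; bits 12-15 come from
     * the PFN and differ, so the guest computes the wrong set. */
    printf("set from guest-physical: %u\n", l2_set_index(gpa));
    printf("set from host-physical:  %u\n", l2_set_index(hpa));

    printf("native ratio %.2f peak=%d\n", target_peak_ratio(NATIVE_AVG, 8, 4),
           has_target_peak(NATIVE_AVG, 8, 4, PEAK_RATIO));
    printf("guest  ratio %.2f peak=%d\n", target_peak_ratio(GUEST_AVG, 8, 4),
           has_target_peak(GUEST_AVG, 8, 4, PEAK_RATIO));
    return 0;
}
```

With 1024 sets the index spans bits 6-15, so four of its bits lie above the 4 KiB page offset and depend on the frame number, which is the part that SLAT remaps underneath a guest.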
Traditional virtualization detection relies mainly on fingerprint traces that the Hypervisor implementation leaves in the virtual machine, and these fingerprints are easily removed by Hypervisor updates; moreover, almost all mainstream Hypervisor implementations are now built on hardware-assisted virtualization acceleration, so isolation is stronger and virtualization fingerprints are fewer. To solve this problem, the invention discloses a hardware-assisted virtualization environment core detection method that is built on hardware-assisted virtualization extensions and micro-architecture characteristics and does not depend on traces of the Hypervisor, so it is not easy to evade or remove. The invention can select different modules according to the privileges held by the user program, and therefore has wider applicability and higher extensibility. The invention uses virtualization detection based on the PP technique, which depends only on the SLAT property of the virtual environment, and is therefore suitable not only for a hardware-assisted full virtualization environment but also for a paravirtualization or sandbox environment.
Example two
As shown in fig. 4, an embodiment of the present invention provides a hardware-assisted virtualization environment core detection system, including the following modules:
the VMCALL ordinary-privilege detection module 51 is configured to, when the detection program has ordinary privileges to operate VMCALL, actively trigger a VM Exit with the VMCALL virtualization extension instruction, send a call to a Hypercall processing function in the Hypervisor, and judge whether a virtualization environment exists according to the default return value;
the VMCALL privileged detection module 52 is configured to, when the detection program has privileged access to operate VMCALL, call VMCALL and pass parameters through the general registers, obtain the return values of the specific Hypercall processing functions corresponding to different VMCALL parameters, and judge whether a virtualized environment exists according to the return values;
the CR0 privileged detection module 53 is configured to, when the detection program has privileged access to operate on CR0, change the CD bit of the CR0 register and check the influence on system performance, and thereby judge whether a virtualized environment exists;
and the L2C privileged detection module 54 is configured to, when the detection program has privileged access to operate on the L2C, evict a specific Cache set of the L2C and judge whether a virtualized environment exists according to the eviction behaviour of that Cache set.
The above examples are provided only for the purpose of describing the present invention, and are not intended to limit the scope of the present invention. The scope of the invention is defined by the appended claims. Various equivalent substitutions and modifications can be made without departing from the spirit and principles of the invention, and are intended to be within the scope of the invention.

Claims (6)

1. A hardware assisted virtualization environment core detection method is characterized by comprising the following steps:
step S1: when the detection program has ordinary privileges to operate VMCALL, it actively triggers a VM Exit with the VMCALL virtualization extension instruction, sends a call to a Hypercall processing function in the Hypervisor, and judges whether a virtualization environment exists according to the default return value;
step S2: when the detection program has privileged access to operate VMCALL, it calls VMCALL and passes parameters through the general registers, so that the return values of the specific Hypercall processing functions corresponding to different VMCALL parameters can be obtained, and judges whether a virtualization environment exists according to the return values;
step S3: when the detection program has privileged access to operate on CR0, it changes the CD bit of the CR0 register and checks the influence on system performance, and thereby judges whether a virtualization environment exists;
step S4: when the detection program has privileged access to operate on the L2C, it evicts a specific Cache set of the L2C and judges whether a virtualization environment exists according to the eviction behaviour of that Cache set.
2. The hardware assisted virtualization environment core detection method according to claim 1, wherein the step S1 (when the detection program has ordinary privileges to operate VMCALL, it actively triggers a VM Exit with the VMCALL virtualization extension instruction, sends a call to a Hypercall processing function in the Hypervisor, and judges whether a virtualization environment exists according to the default return value) specifically comprises the following:
when the detection program has ordinary privileges to operate VMCALL, actively calling VMCALL in a local environment raises a hardware exception and thereby causes a program error; VMCALL executes smoothly when called in a virtualization environment, and a default return value is obtained after trapping into the Hypervisor through a VM Exit, so whether a virtualization environment exists is judged according to the default return value.
3. The hardware assisted virtualization environment core detection method according to claim 1, wherein the step S2 (when the detection program has privileged access to operate VMCALL, it calls VMCALL and passes different parameters through the general registers, obtains the return values of the specific Hypercall processing functions corresponding to the different VMCALL parameters, and judges whether a virtualization environment exists according to the return values) specifically comprises the following:
when the detection program has privileged access to operate VMCALL, it attaches a specific parameter value to a virtual register when calling the VMCALL instruction; different Hypercall processing functions are called according to the different parameter values, and different return values are obtained; when the detection program runs in a local environment, the incompatible instruction causes an error and no return value can be obtained; whether a virtualized environment exists is judged according to the return value.
4. The hardware assisted virtualization environment core detection method according to claim 1, wherein the step S3 (when the detection program has privileged access to operate on CR0, it changes the CD bit of the CR0 register and checks the influence on system performance, and thereby judges whether a virtualized environment exists) specifically comprises the following:
when the detection program has privileged access to operate on CR0, setting the CD bit of the CR0 register in a virtualization environment does not actually affect the physical CPU; when the detection program runs in a local environment, setting the CD bit does affect the physical CPU, so the state of the physical Cache changes and memory access time becomes longer; whether a virtualized environment exists is judged by comparing the memory access time before and after setting the CD bit.
5. The hardware-assisted virtualization environment core detection method according to claim 1, wherein the step S4: when the detection program has privilege authority to operate on the L2C, evicting a specific Cache group of the L2C and judging whether the virtualization environment exists according to the eviction condition of the Cache group, specifically includes:
when the detection program runs in a local environment, the real physical memory address is obtained through the pagemap interface, so that the Cache group is correctly located and indexed and the average memory access time of the target Cache group shows an obvious peak; when the detection program runs in a virtualization environment, the obtained physical address is not the address of the real physical memory, so the located Cache group is not the expected target Cache group; the detection program can therefore judge its running environment by comparing the average access time of the target Cache group with the average access time of all the Cache groups.
6. A hardware-assisted virtualization environment core detection system, characterized by comprising the following modules:
the VMCALL common authority detection module, used for actively performing VMExit based on the VMCALL virtualization extension instruction when the detection program has common authority to operate the VMCALL, sending a call to a Hypercall processing function in the Hypervisor, and judging whether the virtualization environment exists according to a default return value;
the VMCALL privilege authority detection module, used for calling the VMCALL and transferring parameters through a general register when the detection program has privilege authority to operate the VMCALL, so as to obtain the return values of the specific Hypercall processing functions corresponding to different VMCALL parameters, and judging whether the virtualization environment exists according to the return values;
the CR0 privilege authority detection module, used for checking the impact on system performance by changing the CD bit of the CR0 register when the detection program has privilege authority to operate on the CR0, thereby judging whether the virtualization environment exists;
and the L2C privilege authority detection module, used for evicting a specific Cache group of the L2C and judging whether the virtualization environment exists according to the eviction condition of the Cache group.
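The address-to-Cache-group mapping and the average-time comparison described in claim 5, as an added C example that is not part of the patent text: it decodes a /proc/self/pagemap entry (layout per the Linux kernel documentation), derives the Cache group (cache set) index, and applies the comparison to constructed timings. The cache geometry, the 1.5 ratio, the sample values and all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* pagemap entry layout (Linux kernel docs): bit 63 = present, bits 0-54 = PFN. */
#define PM_PRESENT  (1ULL << 63)
#define PM_PFN_MASK ((1ULL << 55) - 1)
/* Assumed geometry for this example: 4 KiB pages, 64-byte lines, 1024 sets. */
#define PAGE_BITS 12
#define LINE_BITS 6
#define NUM_SETS  1024u

/* Combine a pagemap entry with the page offset of vaddr.
   Returns -1 if the page is not present or the kernel zeroed the PFN
   (done for callers without CAP_SYS_ADMIN), so no set can be located. */
int pagemap_to_paddr(uint64_t entry, uint64_t vaddr, uint64_t *paddr) {
    uint64_t pfn = entry & PM_PFN_MASK;
    if (!(entry & PM_PRESENT) || pfn == 0)
        return -1;
    *paddr = (pfn << PAGE_BITS) | (vaddr & ((1ULL << PAGE_BITS) - 1));
    return 0;
}

/* Set index = address bits just above the line offset (hypothetical helper). */
unsigned cache_set_index(uint64_t paddr) {
    return (unsigned)((paddr >> LINE_BITS) & (NUM_SETS - 1));
}

/* Claim 5 comparison: 1 if the target set's average access time is a clear
   peak over the mean of all sets, 0 if not, -1 on bad input. */
int target_set_is_peak(const double *avg, size_t nsets, size_t target, double ratio) {
    double sum = 0.0;
    if (nsets == 0 || target >= nsets)
        return -1;
    for (size_t i = 0; i < nsets; i++)
        sum += avg[i];
    return avg[target] > ratio * (sum / (double)nsets);
}

int main(void) {
    /* Constructed sample data: one pagemap entry and per-set averages in cycles. */
    const double peak[8] = {40, 41, 39, 40, 120, 41, 40, 39};
    const double flat[8] = {40, 41, 39, 40, 42, 41, 40, 39};
    uint64_t pa = 0;
    if (pagemap_to_paddr(PM_PRESENT | 0x12345ULL, 0x7f0000000abcULL, &pa) == 0)
        printf("paddr=0x%llx set=%u\n", (unsigned long long)pa, cache_set_index(pa));
    printf("peak=%d flat=%d\n", target_set_is_peak(peak, 8, 4, 1.5),
           target_set_is_peak(flat, 8, 4, 1.5));
    return 0;
}
```

Following claim 5, a result of 1 corresponds to the local environment, where the pagemap address locates the real Cache group, and 0 to the case where the located group is not the expected target.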
CN202111576319.5A 2021-12-21 2021-12-21 Hardware-assisted virtualized environment core detection method and system Active CN114265775B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111576319.5A CN114265775B (en) 2021-12-21 2021-12-21 Hardware-assisted virtualized environment core detection method and system

Publications (2)

Publication Number Publication Date
CN114265775A (en) 2022-04-01
CN114265775B (en) 2024-05-24

Family

ID=80828541

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant