CN114625452A - Method for calling host machine function by program and program running system - Google Patents

Method for calling host machine function by program and program running system Download PDF

Info

Publication number
CN114625452A
CN114625452A CN202210513563.5A CN202210513563A CN114625452A CN 114625452 A CN114625452 A CN 114625452A CN 202210513563 A CN202210513563 A CN 202210513563A CN 114625452 A CN114625452 A CN 114625452A
Authority
CN
China
Prior art keywords
program
function
kernel
host
virtual machine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210513563.5A
Other languages
Chinese (zh)
Other versions
CN114625452B (en
Inventor
杨斌
汤伟
秦晓康
许雄
何杰
陈勇
孙宜进
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd filed Critical Alipay Hangzhou Information Technology Co Ltd
Priority to CN202210513563.5A priority Critical patent/CN114625452B/en
Publication of CN114625452A publication Critical patent/CN114625452A/en
Application granted granted Critical
Publication of CN114625452B publication Critical patent/CN114625452B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/448Execution paradigms, e.g. implementations of programming paradigms
    • G06F9/4482Procedural
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45562Creating, deleting, cloning virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The embodiment of the specification provides a method for calling a host machine function by a program and a program running system, wherein the method comprises the following steps: acquiring and executing a first program, wherein the first program comprises a call for a first function interface of a program virtual machine; the program virtual machine is provided with a first interface set, wherein the first interface set comprises a plurality of interfaces, the plurality of interfaces respectively correspond to host machine API functions in a preset host machine API function subset, and the first function interface belongs to the first interface set; after the first function interface is called, the program virtual machine sends the access of the host machine API function corresponding to the first function interface to a first OS kernel running in a host machine user mode, wherein a first function set is preset in the first OS kernel; the first OS kernel determines whether the first function set comprises a second function corresponding to the host API function; and if the determination result is yes, forwarding the access to a second OS kernel running in the host kernel state.

Description

Method for calling host machine function by program and program running system
Technical Field
One or more embodiments of the present specification relate to the field of virtual machines and security containers, and in particular, to a method for a program to call a host function and a program running system.
Background
As previously mentioned, cloud computing is currently utilized in many industries for business and production activities. In a cloud computing scenario, a user is often provided with a service by running an application in a virtual machine or container. However, direct access to host computing resources by third-party applications in a virtual machine or container often poses systematic security risks to the host. Currently, different cloud computing service providers adopt different technical solutions to overcome the above system security risks.
Disclosure of Invention
Embodiments in the present specification are directed to a method for a program to call a host function, and a program running system. By the method, the system call of the application program to the host operating system is greatly reduced, and the system security risk in the application running process is reduced. Moreover, the system call of the application does not need to be intercepted, the performance consumption caused by intercepting the system call does not exist, and the defects in the prior art are overcome.
According to a first aspect, there is provided a method for a program to call a host function, comprising:
acquiring and executing a first program, wherein the first program comprises a call for a first function interface of a program virtual machine; the program virtual machine is provided with a first interface set, wherein the first interface set comprises a plurality of interfaces, the plurality of interfaces respectively correspond to host machine API functions in a preset host machine API function subset, and the first function interface belongs to the first interface set;
after the first function interface is called, the program virtual machine sends the access of the host machine API function corresponding to the first function interface to a first OS kernel running in a host machine user mode, wherein a first function set is preset in the first OS kernel;
the first OS kernel determines whether a first function set comprises a second function corresponding to the host machine API function; and if the determination result is negative, forwarding the access to a second OS kernel running in the host kernel state.
In one possible embodiment, the method further comprises:
and if so, executing a second function by the first OS kernel according to the access.
In a possible implementation manner, the first program is generated based on a virtual instruction set of the program virtual machine through a preset first compiler according to a pre-acquired source code.
In one possible embodiment, the first program is applied with a preset memory access limit through compiling by the first compiler.
In one possible implementation, the memory access restriction includes prohibiting access by a first program to the program virtual machine and to a runtime space of the first OS kernel.
In one possible implementation, the memory access restriction includes prohibiting access to a kernel space of the host.
In one possible embodiment, the program virtual machine is a bytecode virtual machine.
According to a second aspect, there is provided a virtual machine program execution system comprising:
the system comprises a program virtual machine, a host machine API function subset and a host machine API function subset, wherein a first interface set is arranged in the program virtual machine and comprises a plurality of interfaces, the plurality of interfaces respectively correspond to the host machine API functions in the preset host machine API function subset, and the first interface set comprises a first function interface;
the first OS kernel runs in a host user mode and is preset with a first function set;
the program virtual machine is further configured to send, to the first OS kernel, access to a host API function corresponding to a first function interface after the first program calls the first function interface;
the first OS kernel is further configured to determine whether the first function set includes a second function corresponding to the host API function; and if the determination result is negative, forwarding the access to a second OS kernel running in the host kernel state.
In a possible implementation manner, the first OS kernel is further configured to execute a second function according to the access if the determination result is negative.
In a possible implementation manner, the first program is generated based on a virtual instruction set of the first program virtual machine through a preset first compiler according to a pre-acquired source code.
In one possible embodiment, the first program is applied with a preset memory access limit through compiling by the first compiler.
In one possible implementation, the memory access restriction includes prohibiting a first program from accessing the program virtual machine and the runtime space of the first OS kernel.
In one possible implementation, the memory access restriction includes prohibiting access to a kernel space of the host.
In one possible embodiment, the program virtual machine is a bytecode virtual machine.
According to a third aspect, there is provided a computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of the first aspect.
According to a fourth aspect, there is provided a computing device comprising a memory having stored therein executable code and a processor that, when executing the executable code, implements the method of the first aspect.
By using one or more of the methods, apparatuses, computing devices, and storage media in the above aspects, system security risks and performance consumption during application running can be reduced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the description below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic diagram illustrating a method of a program making a system call;
FIG. 2 is a schematic diagram illustrating another method for a program to make a system call;
FIG. 3 is a schematic diagram illustrating a method for a program to call a host function according to an embodiment of the present disclosure;
FIG. 4 is a flow diagram illustrating a method for a program to call a host function according to an embodiment of the present description;
fig. 5 is a block diagram illustrating a program execution system according to an embodiment of the present specification.
Detailed Description
The solution provided by the present specification will be described below with reference to the accompanying drawings.
As previously mentioned, cloud computing services are currently utilized in many industries for business and production activities. In a cloud computing service, a large-scale application is often split into a plurality of service at function level, and through mutual calling among the services, better service flexibility is provided while application functions are realized. Each service instance can run in one container instance, and can be expanded or reduced more quickly, so that a high-performance and on-demand service mode is provided for users. In one technical solution, the split service runs in a container, wherein a function of a third party can directly access a host resource. The problem with this is that direct access to the host resources poses a significant system security risk to the provider of the cloud computing service. Therefore, a cloud computing service provider or an operator needs to avoid that a third-party application directly accesses a host resource of the third-party application, and avoid a security risk brought to the whole system by malicious operation of the application. The kernel function of the operating system is usually called by the user program through system call, and as an interface exposed to the user by the kernel of the operating system, the more the number and the wider the variety of the system calls are used, the higher the chance of the application program attacking the system is, and the higher the possibility of bringing harm to the host system is.
In order to reduce the risk brought by system call, some cloud computing service operators adopt a new technical scheme. Fig. 1 is a schematic diagram illustrating a method for a program to make a system call. The scheme shown in fig. 1 mainly implements isolation of application in the virtual machine from access to hardware resources of the host machine by using the virtual machine implemented based on a hardware virtualization technology. And system calls initiated by Applications (APP) in the virtual machine (or in a plurality of containers supported in one virtual machine) are intercepted in the virtual machine, and then forwarded to a client operating system kernel in the virtual machine for processing, instead of being sent to an operating system kernel of the physical machine for processing. By the method, the system call of the application in the virtual machine to the physical host system can be blocked, and the damage to the host system is prevented.
Fig. 2 is a schematic diagram showing another method for a program to make a system call. Unlike the scheme shown in FIG. 1, this scheme does not perform isolation of host hardware resources by virtual machines. The main idea is that all system calls of an application program are intercepted and sent to a user-mode Operating System (OS) kernel running on a host, the user-mode kernel can execute most of the system calls, and send the rest of the system calls to an operating system kernel of the host (the OS kernel running in the host kernel mode) for processing. By the method, the number and the types of system calls processed by the host kernel can be reduced, the chance of attacking the system by the application program is reduced, and the possibility of harm brought to the system by the application program is further reduced.
However, both of the above solutions have a problem in that they require intercepting all system calls of an application and forwarding them to different target components for processing at different system levels, for example, in a virtual machine or on a host, and the interception and forwarding of a large number of system calls causes large performance consumption.
In order to reduce performance consumption in an application system calling process while ensuring security of a host system, embodiments of the present specification provide a method for calling a host function by a program. Fig. 3 is a schematic diagram illustrating a method for calling a host function by a program according to an embodiment of the present disclosure. As shown in fig. 3, first, the source code of the application program is acquired. In different embodiments, the program source code may be written in different programming languages, which are not limited in this specification. The source code is compiled by a predetermined compiler into an Application (APP) in the form of an intermediate representation ir (intermediate representation), which may run on a predetermined program virtual machine (or, alternatively, the APP may run in dependence on such a program virtual machine). The program virtual machine may provide an Interface corresponding to a part of an Application Programming Interface (API) function, so as to be called by an APP running on the program virtual machine. When the APP calls the interface in the execution process, the program virtual machine may forward the call to an operating system kernel that runs in the host user mode in advance (for convenience of description, the user mode kernel is also referred to as the first OS kernel in this specification). The first OS kernel may have a first set of functions therein, and if the called API function has a corresponding function in the first set of functions, the user-mode kernel directly executes the corresponding function. If the called API function of the APP has no corresponding function in the first function set, the kernel sends the call of the API function to an operating system kernel of the host itself (and an operating system kernel running in a kernel state of the host, which is also referred to as a second OS kernel for convenience of description), and the second OS kernel executes the API function.
The method has the following advantages: on one hand, in the existing cloud computing scheme, the APP is generally composed of binary machine code, and it can directly make a system call by accessing a system API function. Therefore, in order to prevent the danger caused by the application of the direct system call and improve the system security, no matter the scheme for performing the system call based on the virtual machine shown in fig. 1 or the scheme for performing the system call based on the user mode kernel shown in fig. 2, all the direct system calls of the APP are intercepted and forwarded, but a large amount of system calls are intercepted and forwarded, which causes a large amount of performance consumption. In the solution for calling the host function by the program provided in the embodiment of the present specification, because the APP in the intermediate representation IR form is essentially composed of the virtual instruction of the program virtual machine, the APP itself does not have the capability of directly accessing the API function of the system, and can only indirectly access the API function of the system by calling the interface provided by the program virtual machine, and it is not necessary to intercept the direct system call of the APP and forward the call. Therefore, the method has no performance consumption of intercepting the system call and forwarding the system call. In the second aspect, the application needs to perform the system call indirectly through the virtual machine interface, in other words, the application can perform the system call only within the range of the corresponding interface provided by the virtual machine, how many kinds of interfaces for the system call are provided by the virtual machine, and how many kinds of system calls are performed indirectly by the application. Therefore, the range of indirect system calls which can be performed by the APP can be reduced by limiting the type of the system call corresponding to the virtual machine interface, the number of final system calls to the OS kernel is reduced, and the system risk brought by the final system calls is reduced. In the third aspect, the virtual machine firstly sends the calling of the API function to the user mode kernel, the function is directly executed through the user mode kernel when the user mode kernel can execute the function calling, and the calling is forwarded to the real host kernel for execution only when the user mode kernel cannot execute the calling, so that the number of system calls to the real host kernel is reduced, and the system risk caused by the system calls is reduced. On the basis, the types of the API functions which can be executed by the user mode kernel can be adjusted, and the number of system calls to the real host kernel is further reduced.
The details of the process are further set forth below. Fig. 4 is a flowchart illustrating a method for a program to call a host function according to an embodiment of the present disclosure. As shown in fig. 4, the method at least comprises the following steps:
step 21, acquiring and executing a first program, wherein the first program comprises a call for a first function interface of a program virtual machine; the program virtual machine is provided with a first interface set, wherein the first interface set comprises a plurality of interfaces, the plurality of interfaces respectively correspond to host machine API functions in a preset host machine API function subset, and the first function interface belongs to the first interface set;
step 22, after the first function interface is called, the program virtual machine sends the access of the host machine API function corresponding to the first function interface to a first OS kernel running in a host machine user mode, where the first OS kernel is preset with a first function set;
step 23, the first OS kernel determines whether the first function set includes a second function corresponding to the host API function; and if the determination result is negative, forwarding the access to a second OS kernel running in the host kernel state.
First, in step 21, a first program is acquired and executed.
The first program is an intermediate language (IR form) program composed of virtual instructions of the program virtual machine and operating depending on the program virtual machine. In the first program, a call to a function interface (e.g., a first function interface) in the program virtual machine may be included. In one embodiment, the first program may be generated based on a virtual instruction set of a program virtual machine through a preset first compiler according to a pre-acquired source code. In different embodiments, the first program may be a specific program for different specific business purposes, which is not limited in this specification.
A Virtual Machine (Virtual Machine) generally refers to an emulated computer system that is emulated by software. Generally, virtual machines can be divided into system virtual machines and program virtual machines. A system virtual machine generally refers to a complete computer system having complete hardware system functions, which is simulated by software and runs in a completely isolated environment, and in which a complete Operating System (OS) is supported to be executed. Typical system virtual machines include, for example, Visual Box, VMware, which can be an emulation of a physical computer, providing a software platform that can run a complete operating system. In addition, for example, the virtual machine in the scheme shown in fig. 1 is a system virtual machine, and the system virtual machine is usually implemented by a hardware virtualization function. Program virtual machines, otherwise known as programming language layer virtual machines, aim to provide a platform independent programming environment that abstracts details of the underlying hardware or operating system and allows programs to run language virtual machine instructions In the same way on any platform, through Just-In-Time (JIT) techniques, thus achieving cross-platform characteristics of applications. Typical representatives of procedural virtual machines include, for example, the Java virtual machine, which is specifically designed for executing a single computer program and does not provide full Operating System (OS) functional support. In this step, the first program is used as a program virtual machine, and in different embodiments, the first program may be a different specific program virtual machine, which is not limited in this specification. In one embodiment, the program virtual machine may be a bytecode virtual machine. Generally, a program virtual machine or a system virtual machine may be installed on a host machine, which is also referred to as a host machine. In different embodiments, different specific types of hosts may be employed. In one embodiment, the host may be one of a physical machine, a cloud host, or a cloud server.
The program virtual machine may be provided with a first interface set, where the first interface set includes a plurality of interfaces, the plurality of interfaces respectively correspond to host API functions in a preset host API function subset, and the first function interface belongs to the first interface set. As described above, the first program itself does not have the capability of directly accessing the system API, but can only indirectly access the system API by calling the interface provided by the program virtual machine, and therefore, the kind of the system API that the first program can indirectly access can be limited by limiting the interface provided by the program virtual machine. In different embodiments, the first interface set in the program virtual machine may correspond to different host API function subsets, which is not limited in this specification. In one embodiment, the security levels of all API functions of the host may be determined, and then whether to provide a corresponding interface of the API function in the program virtual machine may be determined according to the security levels of the API functions. In different embodiments, the security level of the API function may be determined according to different specific ways, which is not limited in this specification.
In order to further improve the security of the first program, the memory access logic in the source code may be checked during the compilation of the source code into the first program, and based on the result of the check, the generated memory area of the first program that is not secure from access may be prevented. Therefore, in one embodiment, the first program may be applied with a predetermined memory access limit through the compiling by the first compiler. In a particular embodiment, the memory access restriction may include prohibiting a first program from accessing the program virtual machine and the runtime space of the first OS kernel. In another particular embodiment, the memory access restriction may include prohibiting access to a kernel space of the host.
After the first function interface is called, in step 22, the program virtual machine sends the access of the host API function corresponding to the first function interface to the first OS kernel running in the host user mode.
In this step, after calling a first function interface in the process of executing a first program, the program virtual machine sends the access of the host API function corresponding to the first function interface to the first OS kernel in the host user mode.
The OS kernel, which generally refers to the kernel of an operating system, is a hardware-based first-level software extension that provides the most basic functions of the operating system, and generally, is responsible for managing the processes, memory, device drivers, files, network systems, and the like of the system. Typically, the OS Kernel runs in the Kernel Mode (Kernel Mode) of the host CPU, or simply, in the host Kernel Mode. The common application program runs in a User Mode (User Mode) of the host CPU, or in short, in a host User Mode. The difference is that the first OS kernel is not a kernel of the host operating system itself running in the host kernel mode, but is an operating system kernel running in the host user mode and not depending on the hardware virtualization technology, and the kernel does not necessarily implement all the functions of the kernel of the host itself, but can implement only part of the functions of the kernel of the host itself.
As described above, in the existing scheme for performing a system call based on a user mode kernel, all system calls of an application to an operating system are generally intercepted and handed over to the user mode kernel, and the user mode kernel may complete some of the system calls by itself and send the rest of the system calls to an operating system kernel (host kernel mode) of a host. In contrast, in the solution for the program to perform the system call provided in the embodiment of the present disclosure, the application does not directly initiate the system call to the kernel of the operating system, so that the application does not need to intercept the direct call to the operating system and forward the call to the kernel of the first OS, and the program virtual machine may send the system call sent by the application through the virtual machine interface to the kernel of the first OS. This greatly reduces the performance consumption due to intercepting all system calls and forwarding.
Thereafter, in step 43, the first OS kernel determines whether the first function set includes a second function corresponding to the host API function; and if the determination result is negative, forwarding the access to a second OS kernel running in the host kernel state.
As described above, the first OS kernel is an OS kernel operating in a host user mode, and can implement a part of functions of the host kernel, so that the first OS kernel may have a first function set in advance, and the functions in the first function set may have corresponding host API functions (i.e., API functions of a host operating system) respectively. In other words, the first set of functions is essentially a set of corresponding functions of a portion of API functions of the host operating system running in the host kernel state in the first OS kernel.
In this step, the first OS kernel may determine whether there is a second function corresponding to the host API function corresponding to the first function interface in the first function set. Specifically, the second function may be a function in the first OS kernel that implements the same function as the host API function. If the second function is not found in the first set of functions, the first OS kernel forwards access to the host API function to the second OS kernel.
The second OS kernel is an OS kernel operating in a host kernel mode, that is, an OS kernel of the host itself in the true sense. As previously described, the first OS kernel only runs in the host user state and may implement only part of the kernel functionality. Thus, when the first OS kernel determines that it cannot execute the called host API function, the call to the host API function may be forwarded to the second OS kernel for execution.
In an embodiment, the second OS kernel may perform security detection on the system call, forwarded by the first OS kernel, to the host API function through Seccomp (Secure Computing Mode), and execute the API function after the detection is passed, which specific manner is used to configure Seccomp in this specification is not limited.
If the first OS kernel implements the function of the called API function, it may also directly execute the corresponding function of the API function in the first OS kernel. Therefore, in an embodiment, if the determination result is yes, that is, the second function is included in the first function set, the first OS kernel may execute the second function according to the access to the host API function. In a specific embodiment, the second function may be executed according to the specific parameter of the access, and the execution result may be returned to the program virtual machine.
According to an embodiment of a further aspect, a virtual machine program running system is also provided. Fig. 5 is a block diagram illustrating a virtual machine program operating system according to an embodiment of the present disclosure, where, as shown in fig. 5, the apparatus 500 includes:
a program virtual machine 51, in which a first interface set is provided, where the first interface set includes a plurality of interfaces, the plurality of interfaces respectively correspond to host API functions in a preset host API function subset, and the first interface set includes the first function interface;
a first OS kernel 52 running in a host user state and pre-set with a first function set;
the program virtual machine is further configured to send, to the first OS kernel, access to a host API function corresponding to a first function interface after the first program calls the first function interface;
the first OS kernel is further used for determining whether the first function set comprises a second function corresponding to the host API function; and if the determination result is negative, forwarding the access to a second OS kernel running in the host kernel state.
In an embodiment, the first OS kernel may be further configured to execute a second function according to the access if the determination result is negative.
In one embodiment, the first program may be generated based on a virtual instruction set of the first program virtual machine by a preset first compiler according to a pre-acquired source code.
In one embodiment, the first program may be applied with a predetermined memory access limit through compilation by the first compiler.
In one embodiment, the memory access restriction may include prohibiting a first program from accessing the program virtual machine and the runtime space of the first OS kernel.
In one embodiment, the memory access restriction may include prohibiting access to a kernel space of the host.
In one embodiment, the program virtual machine may be a bytecode virtual machine.
A further aspect of the present description provides a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform any of the methods described above.
Yet another aspect of the present specification provides a computing device comprising a memory having stored therein executable code, and a processor that, when executing the executable code, implements any of the methods described above.
It is to be understood that the terms "first," "second," and the like, herein are used for descriptive purposes only and not for purposes of limitation, to distinguish between similar concepts.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The above-mentioned embodiments, objects, technical solutions and advantages of the present invention are further described in detail, it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention should be included in the scope of the present invention.

Claims (16)

1. A method for calling a host function by a program comprises the following steps:
acquiring and executing a first program, wherein the first program comprises a call for a first function interface of a program virtual machine; the program virtual machine is provided with a first interface set, wherein the first interface set comprises a plurality of interfaces, the plurality of interfaces respectively correspond to host machine API functions in a preset host machine API function subset, and the first function interface belongs to the first interface set;
after the first function interface is called, the program virtual machine sends the access of the host machine API function corresponding to the first function interface to a first OS kernel running in a host machine user mode, wherein a first function set is preset in the first OS kernel;
the first OS kernel determines whether a first function set comprises a second function corresponding to the host machine API function; and if the determination result is negative, forwarding the access to a second OS kernel running in the host kernel state.
2. The method of claim 1, further comprising:
and if so, executing a second function by the first OS kernel according to the access.
3. The method according to claim 1, wherein the first program is generated based on a virtual instruction set of a program virtual machine by a preset first compiler according to a pre-acquired source code.
4. The method of claim 3, wherein the first program is applied with a preset memory access limit via compilation by the first compiler.
5. The method of claim 4, wherein the memory access restriction comprises prohibiting access by a first program to a runtime space of the program virtual machine and the first OS kernel.
6. The method of claim 4, wherein the memory access restriction comprises prohibiting access to a kernel space of a host.
7. The method of claim 1, wherein the program virtual machine is a bytecode virtual machine.
8. A program execution system comprising:
the system comprises a program virtual machine, a host machine API function subset and a host machine API function subset, wherein a first interface set is arranged in the program virtual machine and comprises a plurality of interfaces, the plurality of interfaces respectively correspond to the host machine API functions in the preset host machine API function subset, and the first interface set comprises a first function interface;
the first OS kernel runs in a host user mode and is preset with a first function set;
the program virtual machine is further configured to send, to the first OS kernel, access to a host API function corresponding to a first function interface after the first program calls the first function interface;
the first OS kernel is further configured to determine whether the first function set includes a second function corresponding to the host API function; and if the determination result is negative, forwarding the access to a second OS kernel running in the host kernel state.
9. The system of claim 8, wherein,
and the first OS kernel is further used for executing a second function according to the access if the determination result is negative.
10. The system according to claim 8, wherein the first program is generated based on a virtual instruction set of the first program virtual machine by a preset first compiler according to a pre-fetched source code.
11. The system of claim 10, wherein the first program is subject to a predetermined memory access restriction via compilation by the first compiler.
12. The system of claim 11, wherein the memory access restriction comprises prohibiting a first program from accessing a runtime space of the program virtual machine and the first OS kernel.
13. The system of claim 11, wherein the memory access restriction comprises prohibiting access to a kernel space of a host.
14. The system of claim 8, wherein the program virtual machine is a bytecode virtual machine.
15. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-7.
16. A computing device comprising a memory having executable code stored therein and a processor that, when executing the executable code, implements the method of any of claims 1-7.
CN202210513563.5A 2022-05-12 2022-05-12 Method for calling host machine function by program and program running system Active CN114625452B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210513563.5A CN114625452B (en) 2022-05-12 2022-05-12 Method for calling host machine function by program and program running system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210513563.5A CN114625452B (en) 2022-05-12 2022-05-12 Method for calling host machine function by program and program running system

Publications (2)

Publication Number Publication Date
CN114625452A true CN114625452A (en) 2022-06-14
CN114625452B CN114625452B (en) 2022-07-29

Family

ID=81905205

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210513563.5A Active CN114625452B (en) 2022-05-12 2022-05-12 Method for calling host machine function by program and program running system

Country Status (1)

Country Link
CN (1) CN114625452B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070169024A1 (en) * 2005-11-30 2007-07-19 Ulrich Drepper Purpose domain for in-kernel virtual machine for low overhead startup and low resource usage
US20170249263A1 (en) * 2016-02-29 2017-08-31 Red Hat Israel, Ltd. Kernel transitioning in a protected kernel environment
US20180307850A1 (en) * 2017-04-19 2018-10-25 Servicenow, Inc. System for accessing a kernel space of an operating system with access control functionality
CN110362382A (en) * 2019-06-24 2019-10-22 湖南麒麟信安科技有限公司 A kind of vessel safety partition method, system and medium
CN112199165A (en) * 2020-10-28 2021-01-08 支付宝(杭州)信息技术有限公司 Method and device for hot upgrading of virtual machine monitoring program of security container
CN114281431A (en) * 2020-09-28 2022-04-05 阿里巴巴集团控股有限公司 Function calling method, device, medium, embedded equipment and operating system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070169024A1 (en) * 2005-11-30 2007-07-19 Ulrich Drepper Purpose domain for in-kernel virtual machine for low overhead startup and low resource usage
US20170249263A1 (en) * 2016-02-29 2017-08-31 Red Hat Israel, Ltd. Kernel transitioning in a protected kernel environment
US20180307850A1 (en) * 2017-04-19 2018-10-25 Servicenow, Inc. System for accessing a kernel space of an operating system with access control functionality
CN110362382A (en) * 2019-06-24 2019-10-22 湖南麒麟信安科技有限公司 A kind of vessel safety partition method, system and medium
CN114281431A (en) * 2020-09-28 2022-04-05 阿里巴巴集团控股有限公司 Function calling method, device, medium, embedded equipment and operating system
CN112199165A (en) * 2020-10-28 2021-01-08 支付宝(杭州)信息技术有限公司 Method and device for hot upgrading of virtual machine monitoring program of security container

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
殷一鸣等: "基于用户态JVM的安全驱动模型的设计与实现", 《计算机科学》 *
郑豪等: "一种采用驱动隔离的宿主机可靠性方法", 《西安交通大学学报》 *

Also Published As

Publication number Publication date
CN114625452B (en) 2022-07-29

Similar Documents

Publication Publication Date Title
US10698668B1 (en) Custom code transformations during compilation process
KR102206115B1 (en) Behavioral malware detection using interpreter virtual machine
US8938723B1 (en) Use of GPU for support and acceleration of virtual machines and virtual environments
US9117080B2 (en) Process evaluation for malware detection in virtual machines
EP3502944B1 (en) Detecting script-based malware cross reference to related applications
US9804869B1 (en) Evaluating malware in a virtual machine using dynamic patching
CN109074450B (en) Threat defense techniques
US10678918B1 (en) Evaluating malware in a virtual machine using copy-on-write
EP3451221B1 (en) Binary suppression and modification for software upgrades
US20170286644A1 (en) Protection Method and Device for Application Data
US11449615B2 (en) System and method of forming a log when executing a file with vulnerabilities in a virtual machine
KR20210155433A (en) Apparatus and Method for Generating System Call Whitelist of Application Container, Method for Controlling System Call of Application Container
CN111651752B (en) Method for acquiring system call white list required by container
US9122842B2 (en) Apparatus and method for enhancing security in heterogeneous computing environment
US10372472B2 (en) System, method, and computer program product for conditionally preventing use of hardware virtualization
US10628188B2 (en) Disabling just-in-time translation for application functions
CN113176926B (en) API dynamic monitoring method and system based on virtual machine introspection technology
CN114625452B (en) Method for calling host machine function by program and program running system
WO2023133582A1 (en) Intercepted system calls validity check in parallel with their execution
KR20190102678A (en) Apparatus for detecting malicious app and method thereof
CN108459899B (en) Information protection method and device
Rumee et al. MirrorDroid: A framework to detect sensitive information leakage in Android by duplicate program execution
KR101089792B1 (en) Method for providing security for application virtualization
EP4310707A1 (en) System and method for detecting malicious code by an interpreter in a computing device
KR101433644B1 (en) System and method that provides policies for virtualizing arm based operating system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant