CN114816668A - Virtual machine kernel monitoring method, device, equipment and storage medium - Google Patents

Virtual machine kernel monitoring method, device, equipment and storage medium Download PDF

Info

Publication number
CN114816668A
CN114816668A CN202210473199.4A CN202210473199A CN114816668A CN 114816668 A CN114816668 A CN 114816668A CN 202210473199 A CN202210473199 A CN 202210473199A CN 114816668 A CN114816668 A CN 114816668A
Authority
CN
China
Prior art keywords
virtual machine
kernel
system calling
vmm
instruction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210473199.4A
Other languages
Chinese (zh)
Inventor
马希鹏
马乔
刘奖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba China Co Ltd
Original Assignee
Alibaba China Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba China Co Ltd filed Critical Alibaba China Co Ltd
Priority to CN202210473199.4A priority Critical patent/CN114816668A/en
Publication of CN114816668A publication Critical patent/CN114816668A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present specification provides a virtual machine kernel monitoring method, apparatus, device and storage medium, where the method includes: the VMM acquires the eBPF program, analyzes the eBPF program into at least one system calling instruction, packages the system calling instruction into a corresponding system calling message and then sends the system calling message to the kernel of the target virtual machine from the outside of the target virtual machine; and the kernel of the target virtual machine receives the system message, mounts each system calling instruction to the target function, executes the system calling instruction when the target function is called, and returns the execution result to the VMM.

Description

Virtual machine kernel monitoring method, device, equipment and storage medium
Technical Field
The embodiment of the specification relates to the technical field of computers, in particular to a virtual machine kernel monitoring method, device, equipment and storage medium.
Background
When the virtualization technology is widely applied, a virtual machine which is operated on a physical host machine by a cloud manufacturer is generally used for providing actual services for users. Due to the isolation of virtualization technologies, information between the host machine and the virtual machine is opaque. In this case, it is necessary to monitor the security inside the virtual machine to ensure the data security of the company and the user. The safety monitoring can be realized by adding a kernel monitoring module in the virtual machine and running a monitoring program configured in the monitoring module, but the monitoring flexibility and the monitoring universality are low; the method can also be realized by using an eBPF program, but an interface is reserved for the installation of the eBPF program and a corresponding user mode client is additionally arranged.
Disclosure of Invention
In order to overcome the problems in the related art, the present specification provides a virtual machine kernel monitoring method, apparatus, device, and storage medium.
According to a first aspect of embodiments of the present specification, there is provided a virtual machine kernel monitoring method, including:
the method comprises the steps that a VMM acquires an eBPF program, analyzes the eBPF program into at least one system calling instruction, packages the system calling instruction into a corresponding system calling message and then sends the system calling message to a kernel of a target virtual machine from the outside of the target virtual machine;
and the kernel of the target virtual machine receives the system calling message, mounts each system calling instruction to a target function, executes the system calling instruction when the target function is called, and returns an execution result to the VMM.
According to a second aspect of the embodiments of the present specification, there is provided a virtual machine kernel monitoring method, applied to a VMM, the method including:
acquiring an eBPF program;
parsing the eBPF program into at least one system call instruction;
packaging each system calling instruction into a corresponding system calling message and then sending the system calling message to a kernel of a target virtual machine from the outside of the target virtual machine;
and receiving an execution result corresponding to the system calling instruction returned by the kernel of the target virtual machine.
According to a third aspect of the embodiments of the present specification, there is provided a virtual machine kernel monitoring method, applied to a virtual machine kernel, the method including:
receiving a system calling message sent by a VMM (virtual machine monitor), wherein at least one system calling instruction in an eBPF (enhanced binary phase function) program is encapsulated in the system calling message;
and mounting each system calling instruction to a target function so as to execute the system calling instruction when the target function is called, and returning an execution result to the VMM.
According to a fourth aspect of the embodiments of the present specification, there is provided a virtual machine kernel monitoring apparatus, applied to a VMM, including:
the acquisition module is used for acquiring the eBPF program;
the analysis module is used for analyzing the eBPF program into at least one system calling instruction;
the first sending module is used for encapsulating each system calling instruction into a corresponding system calling message and then sending the system calling message to the kernel of the target virtual machine from the outside of the target virtual machine;
and the first receiving module is used for receiving an execution result corresponding to the system calling instruction returned by the kernel of the target virtual machine.
According to a fifth aspect of embodiments of the present specification, there is provided a virtual machine kernel monitoring apparatus, which is applied to a virtual machine kernel, and includes:
the second receiving module is used for receiving a system calling message sent by the VMM, and at least one system calling instruction in the eBPF program is encapsulated in the system calling message;
the mounting module is used for mounting each system calling instruction to a target function;
the execution module is used for executing the system calling instruction when the target function is called;
and the second sending module is used for returning the execution result to the VMM.
According to a sixth aspect of embodiments herein, there is provided a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method provided by any one of the first to third aspects when executing the program.
According to a seventh aspect of embodiments herein, there is provided a computer-readable storage medium storing a computer program for instructing associated hardware to perform the method provided by any one of the first to third aspects.
The technical scheme provided by the embodiment of the specification can have the following beneficial effects:
in this embodiment of the present specification, the VMM converts the eBPF program into an instruction executable by the virtual machine kernel and a system call event, and sends the instruction and the system call event to the virtual machine kernel in a message manner, and the virtual machine kernel directly executes the corresponding system call event and mounts each instruction to the target function, so as to implement loading of the eBPF program on the virtual machine kernel. By adopting a mode of injecting a system calling event and an instruction of the eBPF program which needs to be executed by the kernel from the outside of the virtual machine, the virtual machine operating system does not need to reserve an interface for installing the eBPF program and configure a user mode client for enabling the eBPF program to realize a monitoring function, thereby improving the safety of the running environment of the virtual machine. In addition, the monitoring program is separated from the virtual machine, and various monitoring tasks can be executed only by modifying the monitoring program without modifying the kernel of the virtual machine, so that the monitoring flexibility and the monitoring universality are improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the specification.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present specification and together with the description, serve to explain the principles of the specification.
Fig. 1 is an interaction diagram illustrating a virtual machine kernel monitoring method according to an exemplary embodiment of the present disclosure.
Fig. 2A is a schematic diagram illustrating an eBPF program loaded and mounted to a virtual machine kernel in this specification.
FIG. 2B is a diagram illustrating loading and mounting of a system call instruction in an eBPF program to a virtual machine kernel, according to an illustrative embodiment of the present specification.
Fig. 3 is an interaction diagram of a virtual machine kernel monitoring method according to another exemplary embodiment shown in this specification.
Fig. 4A is a flowchart illustrating a virtual machine kernel monitoring method applied to a VMM according to an example embodiment of the present specification.
Fig. 4B is a flowchart illustrating a virtual machine kernel monitoring method applied to a virtual machine kernel according to an exemplary embodiment.
Fig. 5 is a hardware structure diagram of a computer device in which a virtual machine kernel monitoring apparatus is located according to an embodiment of the present disclosure.
Fig. 6A is a block diagram illustrating a virtual machine kernel monitoring device for a VMM according to an example embodiment of the present specification.
Fig. 6B is a block diagram of a virtual machine core monitoring apparatus for a virtual machine core according to an example embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the specification, as detailed in the appended claims.
The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present specification. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
First, terms of art to which one or more embodiments of the present specification relate will be described.
Virtual Machine (Virtual Machine): the complete computer system which has the complete hardware system function and runs in a completely isolated environment is simulated by software, so that the work which can be finished in a real computer can be realized.
Host machine: the virtual machine must be run on the physical computer, and the physical computer running the virtual machine is the host of the virtual machine.
VMM (virtual Machine monitor): a virtual machine manager, an intermediate software layer running between a physical server and an operating system, may allow multiple operating systems and applications to share hardware for creating and running virtual machines, allocating computer resources for the virtual machines.
ebpf (extended Berkeley Packet filter): a sandbox program is provided that runs in a Linux kernel without modifying the native code or loading kernel modules.
per f: a performance analysis tool provided by a Linux kernel can be used for searching hot spots of a function level and an instruction level and analyzing the CPU occupancy rate of a hot spot function in a program, thereby positioning the performance bottleneck.
per f buffer: the perf is a buffer for temporarily storing event data.
epoll: an I/O event notification mechanism is an implementation of IO multiplexing implemented by a linux kernel.
Vsock: and the virtio-vsock channel is used for communication between the virtual machine and the VMM for managing the virtual machine.
The safety monitoring client side: run on the host machine.
When the virtualization technology is widely applied, a virtual machine which is operated on a physical host machine by a cloud manufacturer is generally used for providing actual services for users. Due to the isolation of virtualization technologies, information between the host machine and the virtual machine is opaque. In this case, it is necessary to monitor the security inside the virtual machine to ensure the data security of the company and the user.
The monitoring of the virtual machine kernel needs to consider two points, one is how to run a given monitoring program inside the virtual machine, and the other is how to transmit the generated monitoring data to the security monitoring client located in the host machine in real time and efficiently. The running of the monitoring program can be realized by adding a kernel monitoring module in the virtual machine and running the monitoring program configured in the monitoring module. However, once the monitoring program configured in the kernel monitoring module is set, only one monitoring task can be executed, dynamic adjustment cannot be performed at any time, and flexibility and universality are not provided. In addition, the eBPF program may be used to monitor the virtual machine kernel, but an interface for installing the eBPF program needs to be reserved by the operating system, and a user-mode client is configured inside the virtual machine, which results in a risk of the virtual machine being attacked on the one hand, and increases a new process inside the virtual machine on the other hand, which increases the complexity of the architecture, and is not favorable for subsequent technical evolution.
In view of this, the embodiments of the present disclosure provide a method for monitoring a virtual kernel, in which an eBPF program is used as a monitoring program to monitor a virtual kernel configured with a Linux operating system. And encapsulating each system calling instruction in the eBPF program into a system calling message by the VMM (virtual machine), and sending the system calling message to the kernel of the virtual machine from the outside of the virtual machine, wherein the kernel of the virtual machine mounts the received system calling instruction on a target function, thereby providing a monitoring environment for the generation of monitoring data. The eBPF program is converted into the system calling instruction executable by the kernel of the virtual machine and is imported from the outside of the virtual machine, so that the safety of the running environment of the virtual machine is improved, and different monitoring tasks can be completed by modifying the system calling instruction in the eBPF program, and the method has flexibility and universality.
The following provides a detailed description of examples of the present specification.
As shown in fig. 1, fig. 1 is an interaction diagram of a virtual machine kernel monitoring method according to an exemplary embodiment, where the interaction diagram includes the following steps:
step 102, the VMM120 acquires an eBPF program;
the safety monitoring client installed on the host machine is also arranged in the virtual machine kernel monitoring process, the monitoring program can be issued by the safety monitoring client, and monitoring data generated in the monitoring process needs to be transmitted to the safety monitoring client to judge the running state of the virtual machine kernel. In one embodiment of the present description, the eBPF program is sent to the VMM by a security monitoring client installed on the host.
Step 104, the VMM120 parses the eBPF program into at least one system call instruction;
step 106, after encapsulating each system call instruction into a corresponding system call message, VMM120 sends the system call message to kernel 130 of the target virtual machine from outside of the target virtual machine;
step 108, receiving the system calling message by the kernel 130 of the target virtual machine, and mounting each system calling instruction to a target function;
in step 110, the kernel 130 of the target virtual machine executes the system call instruction when the target function is called, and returns the execution result to the VMM 120.
The eBPF program runs in the virtual machine kernel, that is, the virtual machine kernel executes each system call instruction included in the eBPF program, so in the embodiment of the present specification, the monitoring task can also be realized in a manner that the virtual machine kernel executes the system call instruction by sending the system call instruction in the eBPF program to the virtual machine kernel. Before each system calling instruction in the eBPF is executed, the loading and the mounting of the system calling instruction of the eBPF in a virtual machine kernel are firstly realized.
The eBPF program can be written by adopting C language and can be flexibly adjusted according to different monitoring tasks. Fig. 2A is a schematic diagram illustrating the implementation of the eBPF program loading and mounting to the virtual machine kernel, which generally includes the following operations: before loading to the virtual machine kernel, the eBPF program 210 needs to be compiled into the eBPF bytecode 220 by LLVM or Clang, and then the eBPF bytecode 220 is loaded to the virtual machine kernel by BPF system call and a data storage area Map240 is created for the virtual machine kernel; and then, the virtual machine kernel performs security verification on the eBPF bytecode 220, after the verification is passed, the eBPF bytecode 220 is compiled into eBPF machine code 230, namely an eBPF system call instruction, and finally, each system call instruction in the eBPF program is mounted on a specified hook function 250.
The Program refers to each system call instruction in the eBPF Program 210, and the Map240 is configured to store an execution result after each system call instruction in the eBPF Program 210 is executed and data required for execution, for example, a count value is incremented by one every time the eBPF Program 210 is executed, a current count value is stored in the Map240 after each execution, and the count value is incremented by one on the basis of the current count value when the eBPF Program is executed next time. User 260 may also access Map240 and read the data therein. The eBPF Program automatically assigns a corresponding file descriptor (fd) to Map240 and Program after loading successfully in the virtual machine kernel. The file descriptor is used as an identifier of the Map and the Program, and is used as a parameter of a function when data in the Map or a code corresponding to the Program needs to be added, deleted and modified, for example, the data stored in the Map240 can be viewed by using the file descriptor of the Map as a parameter of a read () function. The mounted hook function 250 is the object monitored by the eBPF program 210. When the hook function is called, the system call instruction in the eBPF program 210 mounted thereon is executed, and the relevant data generated when the hook function 250 is called is monitored and the monitored data is stored for subsequent feedback to the security monitoring client.
In summary, the eBPF program needs to undergo the processes of loading, verifying, compiling and mounting before running, and can be implemented by writing the relevant program in the virtual machine kernel, but at the same time, the eBPF program has the disadvantages of increasing the virtual machine kernel process and increasing the complexity of the virtual machine architecture.
Fig. 2B is a schematic diagram illustrating a process of loading and mounting a system call instruction in an eBPF program to a virtual machine kernel according to an embodiment of the present specification, in the embodiment of the present specification, a process of loading and mounting the system call instruction in the eBPF program to the virtual machine kernel basically follows the above process, except that before loading, the VMM performs security verification on the eBPF program 210 and compiles the eBPF program into an eBPF machine code 230 to obtain the eBPF system call instruction, then the VMM packages each system call instruction into a system message and sends the system message to the virtual machine kernel, and the virtual machine kernel mounts the eBPF system call instruction to a hook function after receiving the system message. In order to enable the VMM to have the function of compiling the eBPF program, as an embodiment, a libbpf library may be integrated into the VMM, and the libbpf library is modified to adapt to the VMM and output a system call event corresponding to the compiled instruction, which does not exclude that a person skilled in the art realizes this function by other technical means. The loading of the eBPF program in the virtual machine kernel is realized by adopting a mode that the VMM sends a system calling event corresponding to the execution instruction, and the corresponding program does not need to be additionally configured in the virtual machine kernel, so that the loading efficiency of the eBPF program is improved.
The communication mode between the VMM and the virtual machine kernel is various, any network communication mode can be adopted for communication, the system call event is encapsulated according to a corresponding communication protocol, and for example, communication can be realized through a dedicated vsock channel between the VMM and the virtual machine kernel. In an embodiment of the present specification, the VMM establishes a vsock channel with the kernel of the target virtual machine, and the vsock channel is used for communication between the VMM and the kernel of the target virtual machine.
After receiving a system call message sent by the VMM, the kernel of the target virtual machine mounts a system call instruction encapsulated in the system message to a hook function (target function) specified in the kernel of the virtual machine. In an embodiment of the present specification, after the mount is successful, the target virtual machine kernel returns file descriptors of a Map segment and a Program segment of the eBPF Program to the VMM.
When the target function is called, the virtual machine executes the instruction mounted on the virtual machine, and captures data generated when the target function is called, wherein the captured data is monitoring data. The monitoring data can be stored in the Map, however, the monitoring data stored in the Map can be read only by active access of the user and screening, which is not beneficial to feeding back the monitoring data to the security monitoring client timely and efficiently. In view of the above, the embodiments of the present disclosure create a dedicated storage area for the monitoring data and create a notification mechanism for issuing a notification when the monitoring data is generated, so as to improve transmission efficiency of the acquired monitoring data. In an embodiment of the present specification, before executing a system call instruction, after encapsulating a system call event for creating a buffer and creating a notification mechanism into a corresponding system call message, the VMM sends the system call event to a kernel of a target virtual machine from outside the target virtual machine; the buffer area is used for storing monitoring data generated when a system calling instruction is executed, and the notification mechanism is used for sending a notification to the VMM after the monitoring data is detected to be generated.
It should be noted that the operations to be performed to create the buffer for storing the monitoring data are not limited to creating one buffer, but also need to provide a way to write the monitoring data into the buffer and enable the virtual machine to store the monitoring data in the provided way when executing the system call instructions in the eBPF program. That is, the instruction corresponding to the monitoring data stored in the eBPF program needs to be written according to a specific storage method. Furthermore, the creation of notification mechanisms requires the provision of monitored objects in addition to the use of tools with monitoring and notification capabilities. The storage of the monitoring data and the notification of the generation of the monitoring data can be realized by the perf tool and the epoll instance respectively. In another embodiment of the present specification, the step performed after the kernel of the target virtual machine receives the system call event for creating the buffer and creating the notification mechanism and encapsulates the system call event into the corresponding system call message includes: creating a perf event and epoll instance; allocating a corresponding buffer area for the perf event; writing the file descriptor of the perf event into a Map of the eBPF program, so that the generated monitoring data is stored into a buffer area corresponding to the perf event by calling the file descriptor of the perf event when a system calling instruction is executed; and writing the file descriptor of the perf event into the epoll instance so as to inform the VMM of the file descriptor of the called perf event through the epoll instance.
At least one CPU exists on one virtual machine, and any one CPU can call a kernel to load target functions of various instructions in the eBPF program in the running process. In this case, the user needs to distinguish which CPU the monitoring data is generated from, and can implement the method by binding a perf event for each CPU, and creating the perf event according to the number of virtual machine CPUs. In another embodiment of the present specification, the number of CPUs of the target virtual machine is at least one, and each CPU binds one perf event. The virtual machine will automatically allocate file descriptors to the perf event and epoll instance when the perf event and epoll instance are successfully created, and return the file descriptors and the addresses of the buffers allocated by the perf events to the VMM. Note that, here, the Address of the buffer is a Physical Address (GPA) on the virtual machine.
The file descriptor of the perf event is written into the Map field of the eBPF program, so that the virtual machine acquires fd of the perf event from the Map when executing the instruction of storing the monitoring data in the eBPF program so as to write the monitoring data in the corresponding buffer. It should be noted that, storing the monitoring data in the above manner requires writing the instruction corresponding to the output manner in the eBPF program, that is, the instruction for storing the monitoring data in the eBPF program acquired in step 102 is written in such a manner that the monitoring data is stored in the data buffer corresponding to the perf event.
Writing the file descriptor of the perf event into the epoll instance is to use the perf event as a detection object of epoll, and once the file descriptor of the perf event is called epoll, it is known that data is written into the buffer corresponding to the perf event. Therefore, the generation of the monitoring data can be known without frequently accessing the storage area of the monitoring data by a user. However, epoll does not actively notify the VMM upon detecting the generation of the monitoring data, and does so after the user sends a request to it. In an embodiment of the present application, the VMM packages a system call corresponding to the wait instruction into a system call message and sends the system call message to the virtual machine kernel, and the epoll instance returns a file descriptor of a perf event that generates monitoring data within a preset time period to the VMM after receiving the instruction, for example, returns a file descriptor of a perf event that generates monitoring data within 5 minutes from receiving the wait instruction to the VMM.
The VMM, as a device for creating and allocating computer resources to the virtual machine, stores thereon a mapping relationship between a physical Address (GPA) of the virtual machine and a virtual Address (HVA) of the Host machine. That is to say, after acquiring the file descriptor of the perf event storing the monitoring data, the VMM may acquire, through the stored mapping relationship between the GPA and the HVA, the HVA address of the buffer corresponding to the perf event, thereby directly accessing the HVA address to acquire the monitoring data. In one embodiment of the present specification, the monitoring data is obtained by directly accessing the HVA address of the buffer by the VMM, and then sent to the security monitoring client. Therefore, the defect that the complexity of the architecture is increased due to the fact that the agent client is additionally arranged in the virtual machine to send the monitoring data from the inside of the virtual machine to the monitoring client is overcome.
Next, the virtual machine kernel monitoring method proposed by the embodiment of the present disclosure is described by another embodiment (as shown in fig. 3), where all instructions executed by the virtual machine kernel are sent to the virtual machine kernel via the vsock channel by the VMM340 after encapsulating the corresponding system call event into a system call message.
Step 301, VMM340 establishes a vsock channel with virtual machine kernel 350;
step 302, the security monitoring client 330 sends the eBPF program to the VMM 340;
step 303, the VMM340 parses the eBPF program into a plurality of system call instructions;
step 304, VMM340 encapsulates each parsed system call instruction into a system call message and sends the system call message to virtual machine kernel 350;
step 305, virtual machine kernel 350 mounts each received system call instruction to a designated hook function and returns file descriptors of Map segment and Program segment to VMM 340;
step 306, the VMM340 returns the received Map segment and Program segment information to the security monitoring client 330 for standby;
in step 307, VMM340 sends a system call message to virtual machine kernel 350, which includes the instruction: creating a perf event according to the number of CPUs;
step 308, after executing the received instruction, the virtual machine kernel 350 returns the file descriptor of each perf event to the VMM 340;
in step 309, VMM340 sends a system call message to virtual machine kernel 350, where the message includes the instruction: allocating a buffer address for each perf event;
step 310, after executing the received instruction, the virtual machine kernel 350 returns the GPA address of the buffer corresponding to each perf event to the VMM 340;
in step 311, VMM340 sends a system call message to virtual machine kernel 350, which includes the instruction: creating an epoll instance;
step 312, the virtual machine kernel 350 executes the received instruction and returns the file descriptor of the epoll instance to the VMM 340;
in step 313, VMM340 sends a system call message to virtual machine kernel 350, which includes instructions: writing file descriptors of the individual perf events into Map and epoll instances;
in step 314, VMM340 sends a system call message to virtual machine kernel 350, which includes the instruction: epoll instance wait instruction;
step 315, after the designated hook function is called, monitoring data is generated, the virtual machine kernel 350 stores the monitoring data into a buffer corresponding to the perf event and sends a file descriptor of the perf event storing the monitoring data to the VMM340 through the epoll instance;
in step 316, VMM340 obtains the HVA address of the buffer corresponding to the received perf event according to the stored memory mapping relationship, accesses the HVA address to read the monitoring data, and sends the monitoring data to security monitoring client 330.
As shown in fig. 4A, corresponding to the foregoing method embodiment, this specification embodiment further provides a virtual machine kernel monitoring method, applied to a VMM, including:
step 401, acquiring an eBPF program;
step 403, analyzing the eBPF program into at least one system call instruction;
step 405, encapsulating each system call instruction into a corresponding system call message and then sending the system call message to the kernel of the target virtual machine from the outside of the target virtual machine;
step 407, receiving an execution result corresponding to the system call instruction returned by the kernel of the target virtual machine.
In some embodiments of the present specification, the VMM is further configured to encapsulate a system call event for creating the buffer and creating the notification mechanism into a corresponding system call message, and then send the system call message to a kernel of the target virtual machine from outside the target virtual machine; the buffer area is used for storing monitoring data generated when a system calling instruction is executed, and the notification mechanism is used for sending a notification to the VMM after the monitoring data is detected to be generated.
In some embodiments of the present description, the VMM is further configured to establish a vsock channel with the kernel of the target virtual machine, and to communicate with the kernel of the virtual machine through the vsock channel.
In some embodiments of the present description, the VMM is further configured to access the HVA address of the buffer and obtain the monitor data.
In addition, as shown in fig. 4B, an embodiment of the present disclosure further provides a virtual machine kernel monitoring method, which is applied to a virtual machine kernel, and includes:
step 402, receiving a system call message sent by a VMM, wherein the system call message is packaged with at least one system call instruction in an eBPF program;
step 404, mounting each system call instruction to a target function;
at step 406, the system call instruction is executed when the target function is called, and the execution result is returned to the VMM.
In some embodiments of the present specification, the virtual machine kernel is further configured to perform the following steps after receiving a system call event for creating a buffer and creating a notification mechanism and encapsulating the system call event into a corresponding system call message:
creating a perf event and epoll instance; allocating a corresponding buffer area for the perf event;
writing the file descriptor of the perf event into a Map of the eBPF program so as to store the generated monitoring data into a buffer corresponding to the perf event by calling the file descriptor of the perf event when the system calling instruction is executed;
writing the file descriptor of the perf event into the epoll instance to notify the VMM of the file descriptor of the invoked perf event through the epoll instance; the buffer area is used for storing monitoring data generated when the system calling instruction is executed, and the notification mechanism is used for sending notification to the VMM after the monitoring data is detected to be generated.
In some embodiments of the present description, the virtual machine core is also used to establish a vsock channel with the VMM.
Corresponding to the embodiments of the method, the present specification also provides embodiments of the apparatus and the terminal applied thereto.
The embodiment of the virtual machine kernel monitoring device in the specification can be applied to electronic equipment. The device embodiments may be implemented by software, or by hardware, or by a combination of hardware and software. Taking a software implementation as an example, as a device in a logical sense, the device is formed by reading a corresponding computer program instruction in a non-volatile memory into an internal memory through a processor with security protection. From a hardware aspect, as shown in fig. 5, which is a hardware structure diagram of an electronic device where a security protection apparatus is located in an embodiment of this specification, except for the processor 510, the memory 530, the network interface 520, and the nonvolatile memory 540 shown in fig. 5, an electronic device where an apparatus 531 is located in an embodiment may also include other hardware according to an actual function of the electronic device, and details of this are not repeated.
As shown in fig. 6A, fig. 6A is a block diagram of a virtual machine kernel monitoring apparatus for a VMM according to an exemplary embodiment of the present specification, the apparatus comprising:
an obtaining module 610, configured to obtain an eBPF program;
the parsing module 620 is configured to parse the eBPF program into at least one system call instruction;
a first sending module 630, configured to encapsulate each system call instruction into a corresponding system call message, and send the system call message to a kernel of a target virtual machine from outside the target virtual machine;
the first receiving module 640 is configured to receive an execution result corresponding to the system call instruction returned by the kernel of the target virtual machine.
As shown in fig. 6B, fig. 6B is a block diagram of a virtual machine kernel monitoring apparatus for a virtual machine kernel according to an exemplary embodiment, the apparatus includes:
a second receiving module 650, configured to receive a system call message sent by the VMM, where the system call message is encapsulated with at least one system call instruction in the eBPF program;
a mounting module 660, configured to mount each system call instruction to a target function;
an execution module 670, configured to execute the system call instruction when the target function is called;
a second sending module 680, configured to return the execution result to the VMM.
The implementation process of the functions and actions of each of the modules is specifically described in the implementation process of the corresponding steps in the method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution in the specification. One of ordinary skill in the art can understand and implement it without inventive effort.
Accordingly, the present specification also provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method according to any of the method embodiments when executing the program. The present specification also provides a computer-readable storage medium having a computer program stored thereon for instructing associated hardware to perform the method of any of the above method embodiments.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Other embodiments of the present description will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It will be understood that the present description is not limited to the precise arrangements described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The above description is only a preferred embodiment of the present disclosure, and should not be taken as limiting the present disclosure, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.

Claims (12)

1. A virtual machine kernel monitoring method, the method comprising:
the method comprises the steps that a VMM acquires an eBPF program, analyzes the eBPF program into at least one system calling instruction, packages the system calling instruction into a corresponding system calling message and then sends the system calling message to a kernel of a target virtual machine from the outside of the target virtual machine;
and the kernel of the target virtual machine receives the system calling message, mounts each system calling instruction to a target function, executes the system calling instruction when the target function is called, and returns an execution result to the VMM.
2. The method of claim 1, prior to executing the system call instruction, the method further comprising:
the VMM packages a system calling event for creating a buffer zone and a notification mechanism into a corresponding system calling message and then sends the system calling message to a kernel of a target virtual machine from the outside of the target virtual machine; the buffer area is used for storing monitoring data generated when the system calling instruction is executed, and the notification mechanism is used for sending a notification to the VMM after the monitoring data is detected to be generated.
3. The method of claim 2, wherein the step performed after the kernel of the target virtual machine receives the system call event for creating the buffer and creating the notification mechanism and packages the system call event into the corresponding system call message comprises:
creating a perf event and epoll instance;
allocating a corresponding buffer area for the perf event;
writing the file descriptor of the perf event into a Map of the eBPF program so as to store the generated monitoring data into a buffer corresponding to the perf event by calling the file descriptor of the perf event when the system calling instruction is executed;
writing the file descriptor of the perf event into the epoll instance, so as to notify the VMM of the file descriptor of the invoked perf event through the epoll instance.
4. The method of claim 3, wherein the target virtual machine has at least one CPU, and each CPU binds one of the perf events.
5. The method of claim 1, further comprising: and the VMM establishes a vsock channel with the kernel of the target virtual machine, and the vsock channel is used for communication between the VMM and the kernel of the target virtual machine.
6. The method of claim 2, further comprising:
and the VMM accesses the HVA address of the buffer area and then acquires the monitoring data.
7. A virtual machine kernel monitoring method is applied to a VMM and comprises the following steps:
acquiring an eBPF program;
parsing the eBPF program into at least one system call instruction;
packaging each system calling instruction into a corresponding system calling message and then sending the system calling message to a kernel of a target virtual machine from the outside of the target virtual machine;
and receiving an execution result corresponding to the system calling instruction returned by the kernel of the target virtual machine.
8. A virtual machine kernel monitoring method is applied to a virtual machine kernel, and comprises the following steps:
receiving a system calling message sent by a VMM (virtual machine monitor), wherein at least one system calling instruction in an eBPF (enhanced binary phase function) program is encapsulated in the system calling message;
and mounting each system calling instruction to a target function so as to execute the system calling instruction when the target function is called, and returning an execution result to the VMM.
9. A virtual machine kernel monitoring device applied to a VMM (virtual machine monitor), comprising:
the acquisition module is used for acquiring the eBPF program;
the analysis module is used for analyzing the eBPF program into at least one system calling instruction;
the first sending module is used for encapsulating each system calling instruction into a corresponding system calling message and then sending the system calling message to the kernel of the target virtual machine from the outside of the target virtual machine;
and the first receiving module is used for receiving an execution result corresponding to the system calling instruction returned by the kernel of the target virtual machine.
10. A virtual machine kernel monitoring device is applied to a virtual machine kernel, and the device comprises:
the second receiving module is used for receiving a system calling message sent by the VMM, and at least one system calling instruction in the eBPF program is encapsulated in the system calling message;
the mounting module is used for mounting each system calling instruction to a target function;
the execution module is used for executing the system calling instruction when the target function is called;
and the second sending module is used for returning the execution result to the VMM.
11. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1-8 when executing the program.
12. A computer readable storage medium having stored thereon a computer program for instructing associated hardware to perform the method of any one of claims 1 to 8.
CN202210473199.4A 2022-04-29 2022-04-29 Virtual machine kernel monitoring method, device, equipment and storage medium Pending CN114816668A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210473199.4A CN114816668A (en) 2022-04-29 2022-04-29 Virtual machine kernel monitoring method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210473199.4A CN114816668A (en) 2022-04-29 2022-04-29 Virtual machine kernel monitoring method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114816668A true CN114816668A (en) 2022-07-29

Family

ID=82510694

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210473199.4A Pending CN114816668A (en) 2022-04-29 2022-04-29 Virtual machine kernel monitoring method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114816668A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116257841A (en) * 2023-02-16 2023-06-13 北京未来智安科技有限公司 Function processing method and device based on Kubernetes

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116257841A (en) * 2023-02-16 2023-06-13 北京未来智安科技有限公司 Function processing method and device based on Kubernetes
CN116257841B (en) * 2023-02-16 2024-01-26 北京未来智安科技有限公司 Function processing method and device based on Kubernetes

Similar Documents

Publication Publication Date Title
CN109933443B (en) Inter-process communication method and device, computer equipment and readable storage medium
US20180039507A1 (en) System and method for management of a virtual machine environment
US9658941B2 (en) Methods and systems of function-specific tracing
US8032899B2 (en) Providing policy-based operating system services in a hypervisor on a computing system
US8635595B2 (en) Method and system for managing non-compliant objects
US7840967B1 (en) Sharing data among isolated applications
CN114205342B (en) Service debugging routing method, electronic equipment and medium
US10466985B2 (en) Hybrid deoptimization mechanism for class hierarchy analysis
US9417973B2 (en) Apparatus and method for fault recovery
CN107977260B (en) Task submitting method and device
CN114816668A (en) Virtual machine kernel monitoring method, device, equipment and storage medium
CN114510321A (en) Resource scheduling method, related device and medium
CN115086166A (en) Computing system, container network configuration method, and storage medium
WO2019117767A1 (en) Method, function manager and arrangement for handling function calls
CN108496157B (en) System and method for providing runtime trace using an extended interface
CN113986466A (en) Cloud computing-oriented GPU virtualization system and method
CN109558235A (en) A kind of dispatching method of processor, device and computer equipment
CN105550050A (en) Hardware communication method and apparatus
CN116225397A (en) Script processing method and device, electronic equipment and readable storage medium
CN114756435A (en) Log reading method, server, computer device and storage medium
CN115167985A (en) Virtualized computing power providing method and system
Feske et al. Design of the Bastei OS architecture
CN114610381A (en) Method, device, equipment and storage medium for calling method service
CN113741912A (en) Model management system, method, device and equipment
CN110502325B (en) Task running method and device and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination