JP2012093917A - Virtual control program, information processing apparatus, and virtual control method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To allow a VMM to use a network device without depending upon the type of the network device.SOLUTION: On an information processing apparatus having a physical network device which is physically present, a virtual control program which controls the operation of a virtual machine makes a guest OS, including a physical device driver controlling the physical network device, operate on a virtual machine. Further, the virtual control program provides a virtual network device, obtained by virtualizing a network device controlled by the device driver that the guest OS has, for the guest OS. Furthermore, the virtual control program makes guest OS connect the virtual network device and physical network device so that data communication between the virtual network device and physical network device is carried out through a virtual device driver corresponding to the virtual network device, and the physical device driver.

Description

  The present invention relates to a virtual control program, an information processing apparatus, and a virtual control method.

  Conventionally, a virtualization technique for operating a virtual machine (hereinafter sometimes referred to as “VM”) on a physical machine is known. Specifically, in the virtualization technology, one or more VMs are generated and controlled on a physical machine by a virtual control program called a virtual machine monitor (hereinafter sometimes referred to as “VMM”). An OS called a guest OS (Operating System) is operated on the VM. Note that the VMM may be referred to as a “hypervisor” or a “virtualized OS”.

  In such a virtualization technology, a guest OS operating on a VM may have a device driver that controls a device provided in a physical machine. For example, when the physical machine is provided with a network device such as a NIC (Network Interface Card), the guest OS has a device driver that controls the network device. Thereby, the guest OS can recognize the network device provided in the physical machine, and can use the network device.

Takahiro Shinagawa et al., "BitVisor: A Thin Hypervisor for Enforcing I / O Device Security", Proceedings of the 2009 ACM SIGPLAN / SIGOPS international conference on Virtual execution environments, March 11-13, 2009, Washington, DC, USA

  By the way, in recent years, a technology that requires recognition of a network device provided in a physical machine is known not only for a guest OS but also for a VMM. For example, a technique has been proposed in which the VMM recognizes a network device so that the VMM monitors data input / output between the guest OS and the network device. In such a technique, it is considered that a VPN (Virtual Private Network) function, a disk encryption function, and the like are realized by the VMM.

  However, in the above-described conventional technology, the VMM cannot recognize all network devices provided in the physical machine. This is because the VMM does not necessarily have device drivers corresponding to all network devices provided in the physical machine. If the VMM cannot recognize the network device, it cannot realize various functions such as the VPN function and the disk encryption function as in the above example. As described above, the conventional technology has a problem that the VMM cannot use the network device depending on the type of the network device provided in the physical machine.

  Note that a device driver corresponding to a network device provided in the physical machine may be mounted on the VMM. However, since there are many types of network devices, preparing a VMM device driver corresponding to each network device causes a problem that the number of work steps increases.

  The present invention has been made in view of the above, and provides a virtual control program, an information processing apparatus, and a virtual control method that allow a VMM to use a network device without depending on the type of the network device. Objective.

  In order to solve the above-described problems and achieve the object, a virtual control program according to the present invention controls the operation of a virtual machine on an information processing apparatus having a physical network device that is a physically existing network device. A network device that is a virtual control program, operates a guest OS including a physical device driver that controls the physical network device on the virtual machine, and is controlled by the device driver of the guest OS with respect to the guest OS Provides a virtualized virtual network device, and data distribution between the virtual network device and the physical network device is performed via a virtual device driver corresponding to the virtual network device and the physical device driver. like The guest OS and the virtual network device a process for connecting the physical network device to execute the information processing apparatus.

  The virtual control program, the information processing apparatus, and the virtual control method according to the present invention have an effect that the VMM can use the network device without depending on the type of the network device.

FIG. 1 is a schematic diagram illustrating functions realized by the information processing apparatus according to the first embodiment. FIG. 2 is a schematic diagram illustrating functions realized by the information processing apparatus according to the second embodiment. FIG. 3 is a flowchart illustrating a packet transmission processing procedure performed by the information processing apparatus according to the second embodiment. FIG. 4 is a flowchart illustrating a packet reception processing procedure performed by the information processing apparatus according to the second embodiment. FIG. 5 is a schematic diagram illustrating functions realized by the information processing apparatus according to the third embodiment. FIG. 6 is a flowchart illustrating the access request transmission processing procedure performed by the information processing apparatus according to the third embodiment. FIG. 7 is a flowchart illustrating the access result packet reception processing procedure performed by the information processing apparatus according to the third embodiment. FIG. 8 is a diagram illustrating a computer that executes a virtual control program.

  Hereinafter, embodiments of a virtual control program, an information processing apparatus, and a virtual control method according to the present invention will be described in detail with reference to the drawings. In addition, this invention is not limited by this Example.

  First, the information processing apparatus according to the first embodiment will be described with reference to FIG. FIG. 1 is a schematic diagram illustrating functions realized by the information processing apparatus according to the first embodiment. The information processing apparatus 100 illustrated in FIG. 1 is, for example, a PC (Personal Computer) or a server, and transmits and receives packets to and from the outside via the network 10. Note that the information processing apparatus 100 according to the first embodiment employs a virtualization technology.

  As illustrated in FIG. 1, the information processing apparatus 100 includes hardware 110, a VMM 120 that implements a VM, and a guest OS 130 that operates on the VM. The hardware 110 is a physically existing device.

  In the example illustrated in FIG. 1, the hardware 110 includes a physical NIC 111 as an example of a physical device. The physical NIC 111 transmits and receives packets to and from the network 10. In the following, a physically existing network device such as the physical NIC 111 may be referred to as a “physical network device”.

  The VMM 120 operates the guest OS 130 on the VM. Further, the VMM 120 provides the guest OS 130 with a virtual network device in which a network device controlled by a device driver included in the guest OS 130 is virtualized. Specifically, the VMM 120 provides a virtual network device in which a physical network device controlled by a device driver that many OSs have as standard is virtualized. In other words, the VMM 120 provides a virtual network device that can be recognized by the guest OS 130 to the guest OS 130.

  In the example illustrated in FIG. 1, the VMM 120 provides a virtual NIC 121 as a virtual network device to the guest OS 130. The virtual NIC 121 is a network device in which a NIC that is normally supported by the guest OS 130 is virtualized. That is, for example, the guest OS 130 can recognize the virtual NIC 121 provided by the VMM 120 without installing a new device driver.

  Here, an example of an opportunity when a virtual network device is provided by the VMM 120 will be described. For example, the guest OS 130 performs a process of searching for hardware by referring to a PCI (Peripheral Component Interconnect) configuration register at startup. At this time, the VMM 120 in the first embodiment intercepts the access to the PCI configuration register by the guest OS 130 and behaves as if the network device exists, thereby providing the guest OS 130 with a virtual network device. In other words, the VMM 120 provides a virtual network device when, for example, a process for searching for hardware is performed by the guest OS 130.

  The guest OS 130 is an OS operated on the VM by the VMM 120, and includes a virtual NIC device driver 131 and a physical NIC device driver 132. The virtual NIC device driver 131 is a device driver that controls the virtual NIC 121. The physical NIC device driver 132 is a device driver that controls the physical NIC 111. As described above, the VMM 120 provides the virtual NIC 121 that is controlled by the device driver that the guest OS 130 has as a standard. Therefore, the virtual NIC device driver 131 is a device driver that the guest OS 130 has as a standard.

  Here, the VMM 120 in the first embodiment allows the guest OS 130 to communicate with the virtual NIC 121 so that data distribution between the virtual NIC 121 and the physical NIC 111 is performed via the virtual NIC device driver 131 and the physical NIC device driver 132. The physical NIC 111 is connected. Specifically, the VMM 120 bridge-connects the virtual NIC 121 and the physical NIC 111 to the guest OS 130.

  Thus, the packet input to the virtual NIC 121 is transferred to the physical NIC 111 by the virtual NIC device driver 131 and the physical NIC device driver 132. The packet input to the physical NIC 111 is transferred to the virtual NIC 121 by the virtual NIC device driver 131 and the physical NIC device driver 132. The bridge connection function is generally installed in many OSs having a network function.

  As described above, in the information processing apparatus 100 according to the first embodiment, the VMM 120 provides the guest OS 130 with the virtual NIC 121 and bridge-connects the physical NIC 111 and the virtual NIC 121. Thereby, the VMM 120 in the first embodiment can use the physical NIC 111 without requiring a device driver corresponding to the physical NIC 111. In other words, the VMM 120 in the first embodiment can use the physical NIC 111 without depending on the type of the physical NIC 111. As a result, the VMM 120 can monitor the packets input / output to / from the physical NIC 111, so that various functions such as a VPN function and a disk encryption function can be realized.

  Here, in the example illustrated in FIG. 1, the information processing apparatus 100 does not include the virtual NIC 121 and the virtual NIC device driver 131. Further, it is assumed that the VMM 120 cannot recognize the physical NIC 111. In this case, in order for the VMM 120 to recognize the physical NIC 111, it is necessary to install a device driver corresponding to the physical NIC 111 in the VMM 120. However, in the information processing apparatus 100 according to the first embodiment, the virtual NIC 121 that can be recognized by the guest OS 130 is provided by the VMM 120 and the virtual NIC 121 and the physical NIC 111 are bridge-connected, so that a device driver corresponding to the physical NIC 111 is attached to the VMM 120. It becomes possible for the VMM 120 to use the physical NIC 111 without being mounted on the physical NIC.

  An application example of the information processing apparatus 100 according to the first embodiment will be described. For example, it is assumed that the VMM 120 is not installed in the information processing apparatus 100 and a predetermined OS is operating in the information processing apparatus 100. At this time, the OS operating in the information processing apparatus 100 includes the physical NIC device driver 132 corresponding to the physical NIC 111 and recognizes the physical NIC 111. In such a state, the VMM 120 may be introduced into the information processing apparatus 100.

  In such a case, in the information processing apparatus 100 according to the first embodiment, the VMM 120 provides the virtual NIC 121 to the guest OS 130 and bridges the virtual NIC 121 and the physical NIC 111. Therefore, even if the VMM 120 cannot recognize the physical NIC 111, the VMM 120 can use the physical NIC 111 without requiring a device driver for the physical NIC 111. That is, when the VMM 120 is newly introduced into an existing information processing apparatus, even if the VMM 120 does not support the physical NIC 111, the VMM 120 in the first embodiment does not require a device driver for the physical NIC 111. The physical NIC 111 can be used.

  In the first embodiment, the VMM provides the virtual NIC, and the virtual NIC and the physical NIC are bridge-connected to the guest OS, so that the VMM uses the physical network device without depending on the type of the physical network device. An example that can be done. In the second embodiment, an example in which the security function is provided by the VMM in addition to the technique in the first embodiment will be described.

[Configuration Example of Information Processing Apparatus According to Second Embodiment]
First, the information processing apparatus according to the second embodiment will be described with reference to FIG. FIG. 2 is a schematic diagram illustrating functions realized by the information processing apparatus according to the second embodiment. In addition, below, the detailed description is abbreviate | omitted as attaching | subjecting the same code | symbol to the site | part which has the function similar to the already shown component part.

  The information processing apparatus 200 illustrated in FIG. 2 is applied with a virtualization technology that operates a VM, as with the information processing apparatus 100 illustrated in FIG. The information processing apparatus 200 is connected to the tunnel construction unit 11 as shown in FIG. The tunnel construction unit 11 is realized by, for example, a network device such as a router, and performs encapsulation that adds a packet header for transfer to a packet and decapsulation that deletes the packet header for transfer. The processing by the tunnel construction unit 11 will be described later together with the tunnel construction unit 224 of the information processing apparatus 200.

  Such an information processing apparatus 200 includes hardware 110, a VMM 220, and a guest OS 230, as shown in FIG. The VMM 220 operates the guest OS 230 on the VM. Further, the VMM 220 provides the first virtual NIC 221 and the second virtual NIC 222 to the guest OS 230.

  The first virtual NIC 221 and the second virtual NIC 222 are virtual network devices in which network devices controlled by device drivers included in the guest OS 230 are virtualized. That is, the VMM 220 provides the guest OS 230 with the first virtual NIC 221 and the second virtual NIC 222 in which network devices that the guest OS 230 supports as standard are virtualized. In other words, the guest OS 230 can recognize the first virtual NIC 221 and the second virtual NIC 222 without mounting a new device driver, for example.

  In addition, the VMM 220 bridge-connects the first virtual NIC 221 and the physical NIC 111 to the guest OS 230. Thereby, a packet input to the first virtual NIC 221 is transferred to the physical NIC 111, and a packet input to the physical NIC 111 is transferred to the first virtual NIC 221. As described above, the first virtual NIC 221 is bridge-connected to the physical NIC 111 in the same manner as the virtual NIC 121 illustrated in FIG. The second virtual NIC 222 is provided to the guest OS 230 as a packet input port.

  Further, the VMM 220 includes an intrusion detection unit 223 and a tunnel construction unit 224. The intrusion detection unit 223 detects whether an illegal packet has entered by monitoring packets transmitted and received between the information processing apparatus 200 and the outside via the network 10. The tunnel construction unit 224 performs encapsulation that adds a packet header for transfer to a packet and decapsulation that deletes the packet header for transfer. The intrusion detection unit 223 and the tunnel construction unit 224 will be described in detail after the description of the guest OS 230.

  The guest OS 230 is an OS operated on the VM by the VMM 220, and includes a virtual NIC device driver 231, a physical NIC device driver 232, a virtual NIC device driver 233, and an application unit 234.

  The virtual NIC device driver 231 is a device driver that controls the first virtual NIC 221. The physical NIC device driver 232 is a device driver that controls the physical NIC 111. The virtual NIC device driver 233 is a device driver that controls the second virtual NIC 222.

  The virtual NIC device driver 231 corresponds to the virtual NIC device driver 131 shown in FIG. 1, and the physical NIC device driver 232 corresponds to the physical NIC device driver 132 shown in FIG. Further, since the VMM 220 provides the first virtual NIC 221 and the second virtual NIC 222 that are controlled by the device driver that the guest OS 230 has as a standard, the virtual NIC device driver 231 and the virtual NIC device driver 233 are provided by the guest OS 130. This is a standard device driver.

  The application unit 234 is various applications that operate on the guest OS 230. The application unit 234 illustrated in FIG. 2 may send and receive packets to and from the network 10. Here, when transmitting a packet to the network 10, the application unit 234 according to the second embodiment outputs a transmission target packet to the virtual NIC device driver 233.

  Here, as described above, since the first virtual NIC 221 and the physical NIC 111 are bridge-connected, the packet output to the second virtual NIC 222 by the application unit 234 is the intrusion detection unit 223, the tunnel construction unit 224, And output to the physical NIC 111 via the first virtual NIC 221. The packet input from the first virtual NIC 221 to the physical NIC 111 is transmitted to the network 10 via the tunnel construction unit 11.

  Data transmitted from the network 10 to the information processing apparatus 200 is input to the physical NIC 111 via the tunnel construction unit 11. Data input from the tunnel construction unit 11 to the physical NIC 111 is input to the application unit 234 via the first virtual NIC 221, the tunnel construction unit 224, the intrusion detection unit 223, and the second virtual NIC 222. .

  Here, processing performed by the intrusion detection unit 223 included in the VMM 220 will be described in detail. First, the application unit 234 inputs a transmission target packet to the virtual NIC device driver 233 as described above. When the transmission target packet is input from the application unit 234, the virtual NIC device driver 233 inputs the transmission target packet to the second virtual NIC 222 via an I / O (Input / Output) port or the like. The VMM 220 monitors access to the I / O port. When a transmission target packet is input to the second virtual NIC 222, the VMM 220 inputs packet information related to the transmission target packet to the intrusion detection unit 223.

  In such a case, the intrusion detection unit 223 analyzes the transmission target packet input to the second virtual NIC 222 and determines whether the data is unauthorized data. For example, the intrusion detection unit 223 holds a transmission message pattern that can be transmitted to the information processing apparatus 200 by a malicious attacker in the storage unit. The intrusion detection unit 223 determines whether the transmission target packet input to the second virtual NIC 222 matches the transmission message pattern stored in the storage unit. The intrusion detection unit 223 discards the transmission target packet when the transmission target packet matches the transmission message pattern. On the other hand, the intrusion detection unit 223 outputs the transmission target packet to the tunnel construction unit 224 when the transmission target packet does not match the transmission message pattern.

  The intrusion detection unit 223 may hold, for example, a message pattern permitted to be transmitted / received by the information processing apparatus 200 in the storage unit. In such a case, the intrusion detection unit 223 determines whether or not the transmission target packet input to the second virtual NIC 222 matches the message pattern stored in the storage unit. The intrusion detection unit 223 discards the transmission target packet when the transmission target packet does not match the message pattern. On the other hand, the intrusion detection unit 223 outputs the transmission target packet to the tunnel construction unit 224 when the transmission target packet matches the message pattern.

  The intrusion detection unit 223 receives a received packet received by the physical NIC 111 from the tunnel construction unit 224 when a packet is transmitted from the network 10 to the information processing apparatus 200. In such a case, the intrusion detection unit 223 analyzes the received packet and determines whether it is illegal data. For example, as in the above example, the intrusion detection unit 223 determines whether or not the data is illegal by matching the received packet with a malicious transmission message pattern. For example, the intrusion detection unit 223 determines whether or not the data is illegal data by matching the received packet with a message pattern that is permitted to be transmitted and received by the information processing apparatus 200.

  Subsequently, processing by the tunnel construction unit 224 and the tunnel construction unit 11 will be described in detail. The tunnel construction unit 224 determines that the packet to be transmitted is encapsulated by the tunnel construction unit 224 in order to determine whether or not the packet transmitted to and received from the tunnel construction unit 11 is an illegal packet. Packet identification processing is performed by giving the identification information shown. Similarly, the tunnel construction unit 11 performs packet encapsulation processing by giving identification information indicating that the tunnel construction unit 11 has encapsulated the packet received from the outside. Then, tunnel construction unit 11 transmits the encapsulated packet to information processing apparatus 200. For example, the tunnel construction unit 224 and the tunnel construction unit 11 perform the encapsulation process by adding a time stamp, an electronic signature, or the like indicating the year, month, day, hour, minute, and second when the encapsulation process is executed to the packet.

  When the tunnel construction unit 224 receives the packet, the tunnel construction unit 224 checks the time stamp and verifies the signature based on the time stamp and the electronic signature added to the packet. Thereby, the tunnel construction unit 224 determines whether or not the packet has been subjected to the encapsulation processing by the tunnel construction unit 11. Similarly, when the tunnel construction unit 11 receives a packet, the tunnel construction unit 11 determines whether or not the packet has been encapsulated by the tunnel construction unit 224 by performing time stamp check and signature verification. The tunnel construction unit 224 according to the second embodiment discards a packet that has not passed through the tunnel construction unit 11 as an illegal packet, and receives a packet that has passed through the tunnel construction unit 11 as a valid packet. The tunnel construction unit 11 discards a packet that has not passed through the tunnel construction unit 224 as an illegal packet, receives a packet that has passed through the tunnel construction unit 224 as a valid packet, and transmits the packet to the outside. Thereby, the tunnel construction unit 224 and the tunnel construction unit 11 can prevent a packet that has not passed through both from circulating outside.

  In the second embodiment, the tunnel construction unit 224 and the tunnel construction unit perform a tunneling process in order to prevent the packets that have not passed through the tunnel construction unit 224 and the tunnel construction unit 11 from being distributed outside. An example of constructing a secure line called a tunnel between the tunnel construction unit 224 and the tunnel construction unit 11 will be described.

  Specifically, the tunnel construction unit 224 according to the second embodiment performs first exchange by exchanging encryption keys with the tunnel construction unit 11 when the information processing apparatus 200 is activated or connected to the network. A tunnel is constructed between the virtual NIC 221 and the tunnel construction unit 11. When the transmission target packet is input from the intrusion detection unit 223, the tunnel construction unit 224 encapsulates the transmission target packet. For example, the tunnel construction unit 224 encapsulates the transmission target packet based on IPsec (Security Architecture for Internet Protocol), SSL (Secure Sockets Layer), or the like. Then, tunnel construction unit 224 outputs the encapsulated transmission target packet to first virtual NIC 221.

  The virtual NIC device driver 231 uses the network bridge function of the guest OS 230 to transfer the transmission target packet input to the first virtual NIC 221 by the tunnel construction unit 224 to the physical NIC device driver 232. As a result, the transmission target packet is input to the physical NIC 111. Then, the transmission target packet input to the physical NIC 111 is transmitted to the tunnel construction unit 11 located outside the information processing apparatus 200.

  The tunnel construction unit 11 determines whether the transmission target packet received from the physical NIC 111 is a packet encapsulated in the VMM 220. When the tunnel construction unit 11 determines that the transmission target packet is a packet encapsulated in the VMM 220, the tunnel construction unit 11 decapsulates the transmission target packet. That is, the tunnel construction unit 11 returns the transmission target packet to the transmission target packet before being encapsulated by the tunnel construction unit 224. The tunnel construction unit 11 transmits the decapsulated transmission target packet to the network 10. On the other hand, when the tunnel construction unit 11 determines that the transmission target packet is not a packet encapsulated in the VMM 220, the tunnel construction unit 11 discards the transmission target packet.

  Further, when a packet addressed to the information processing apparatus 200 is transmitted from the network 10, the tunnel construction unit 11 encapsulates the packet and transmits the packet to the physical NIC 111. When a packet is transmitted from the tunnel construction unit 11 to the physical NIC 111, an interrupt process occurs in the physical NIC device driver 232, and a received packet received by the physical NIC 111 is transmitted to the physical NIC device driver 232. Then, the physical NIC device driver 232 transfers the received packet received from the physical NIC 111 to the virtual NIC device driver 231 by the network bridge function of the guest OS 230. As a result, the received packet is input to the first virtual NIC 221.

  The tunnel construction unit 224 determines whether the received packet input to the first virtual NIC 221 is a packet encapsulated in the tunnel construction unit 11. When the tunnel construction unit 224 determines that the received packet is a packet encapsulated in the tunnel construction unit 11, the tunnel construction unit 224 decapsulates the received packet. That is, the tunnel construction unit 224 returns the received packet to the packet before being encapsulated by the tunnel construction unit 11. Then, tunnel construction unit 224 inputs the received packet after decapsulation to intrusion detection unit 223. On the other hand, when the tunnel construction unit 224 determines that the received packet is not a packet encapsulated in the tunnel construction unit 11, the tunnel construction unit 224 discards the received packet.

  The tunneling process by the tunnel construction unit 224 and the tunnel construction unit 11 described above is an example of a process for realizing that packets that have not passed through the tunnel construction unit 224 and the tunnel construction unit 11 are not distributed to the outside. The construction unit 224 and the tunnel construction unit 11 do not necessarily need to perform a tunneling process. That is, the tunnel construction unit 224 and the tunnel construction unit 11 add identification information indicating whether or not both are encapsulated to the packet without performing a tunneling process, and based on the identification information when the packet is received. Thus, it may be determined whether or not the received packet is an illegal packet.

[Packet Transmission Processing by Information Processing Apparatus According to Second Embodiment]
Next, a procedure of packet transmission processing by the information processing apparatus 200 according to the second embodiment will be described with reference to FIG. FIG. 3 is a flowchart illustrating a packet transmission processing procedure performed by the information processing apparatus 200 according to the second embodiment.

  As illustrated in FIG. 3, the VMM 220 of the information processing device 200 determines whether communication with the second virtual NIC 222 has occurred by monitoring access to the I / O port (step S <b> 101). Then, the intrusion detection unit 223 of the VMM 220 performs intrusion detection processing when a transmission target packet is input from the application unit 234 to the second virtual NIC 222 (Yes in step S101), for example (step S102). For example, the intrusion detection unit 223 determines whether or not the transmission target packet is an illegal packet by matching the transmission target packet with a malicious transmission message pattern (step S103). When the transmission target packet is an illegal packet (Yes at Step S103), the intrusion detection unit 223 discards the transmission target packet (Step S104).

  On the other hand, if the transmission target packet is not an illegal packet (No at Step S103), the intrusion detection unit 223 outputs the transmission target packet to the tunnel construction unit 224. The tunnel construction unit 224 encapsulates the transmission target packet input from the intrusion detection unit 223 (step S105). Then, the tunnel construction unit 224 outputs the encapsulated transmission target packet to the first virtual NIC 221 (step S106).

  Then, the virtual NIC device driver 231 transfers the transmission target packet to the physical NIC 111 by transferring the transmission target packet input to the first virtual NIC 221 by the tunnel construction unit 224 to the physical NIC device driver 232 (step S110). S107). The transmission target packet transmitted from the information processing device 200 to the network 10 is decapsulated by the tunnel construction unit 11 and then transmitted to the network 10. As a result, the information processing apparatus 200 transmits the transmission target packet from the physical NIC 111 to the network 10 (step S108).

[Packet Reception Processing by Information Processing Device According to Second Embodiment]
Next, a procedure of packet reception processing by the information processing apparatus 200 according to the second embodiment will be described with reference to FIG. FIG. 4 is a flowchart illustrating a packet reception processing procedure performed by the information processing apparatus 200 according to the second embodiment.

  As shown in FIG. 4, in the information processing apparatus 200, when the physical NIC 111 receives a packet from the network 10 (Yes in step S201), the physical NIC device driver 232 sends the received packet to the virtual NIC device driver 231. By transferring, the received packet is transferred to the first virtual NIC 221 (step S202).

  Subsequently, the tunnel construction unit 224 determines whether the received packet input to the first virtual NIC 221 is a packet encapsulated in the tunnel construction unit 11 (step S203). When the received packet is not a packet encapsulated in the tunnel building unit 11, the tunnel building unit 224 determines that the received packet is an illegal packet (Yes in step S203). Then, tunnel construction unit 224 discards the received packet that is an illegal packet (step S204).

  On the other hand, if the received packet is a packet encapsulated in the tunnel building unit 11, the tunnel building unit 224 determines that the received packet is not an illegal packet (No in step S203), and decapsulates the received packet ( Step S205). Then, tunnel construction unit 224 outputs the received packet after decapsulation to intrusion detection unit 223.

  Then, the intrusion detection unit 223 performs an intrusion detection process on the received packet input from the tunnel construction unit 224 (step S206). Then, when the received packet is an illegal packet (Yes at Step S207), the intrusion detection unit 223 discards the received packet (Step S208).

  On the other hand, if the received packet is not an illegal packet (No at Step S207), the intrusion detection unit 223 outputs the received packet to the second virtual NIC 222 (Step S209). Accordingly, the received packet is input to the application unit 234, for example, via the virtual NIC device driver 233.

[Effect of Example 2]
As described above, in the information processing apparatus 200 according to the second embodiment, the VMM 220 provides the first virtual NIC 221 and causes the guest OS 230 to bridge-connect the first virtual NIC 221 and the physical NIC 111. Further, the VMM 220 provides the second virtual NIC 222 as a port that receives a packet from the application unit 234 or the like. Then, when the guest OS 230 transmits a packet to the network 10, the VMM 220 receives the packet by the second virtual NIC 222. Then, the VMM 220 transfers the packet received in the second virtual NIC 222 to the physical NIC 111 by inputting the packet received in the first virtual NIC 221.

  Accordingly, the VMM 220 of the information processing apparatus 200 according to the second embodiment can input a packet to the physical NIC 111 without receiving a device driver that controls the physical NIC 111, and can receive a packet transmitted to the physical NIC 111. Can do. In other words, the VMM 220 can use the physical NIC 111 without depending on the type of the physical NIC 111.

  In addition, the tunnel construction unit 224 of the information processing apparatus 200 according to the second embodiment performs a tunneling process with the tunnel construction unit 11 provided in an external device such as a router. Accordingly, the information processing apparatus 200 according to the second embodiment distributes packets between the first virtual NIC 221 and the external apparatus without depending on the type of the physical NIC 111 and without requiring a device driver that controls the physical NIC 111. A tunnel can be established for the route. That is, the VMM 220 according to the second embodiment can realize the VPN function and the data encryption function without requiring a device driver for controlling the physical NIC 111.

  For example, with respect to the information processing apparatus 200 according to the second embodiment, it is assumed that it is determined as a system condition that only packets that have passed through a tunnel constructed by the tunnel construction unit 224 and the tunnel construction unit 11 are transmitted and received. . In this case, for example, even if the packet is directly input to the physical NIC device driver 232 by the guest OS 230, the information processing apparatus 200 discards the packet. That is, for example, when the guest OS 230 is infected with malware such as a computer virus or a worm, the information processing apparatus 200 may receive a packet directly input to the physical NIC device driver 232 by the guest OS 230 infected with malware. Such a packet can be discarded.

  In addition, the intrusion detection unit 223 of the information processing apparatus 200 according to the second embodiment detects whether there is an illegal packet in a packet transmitted to or received from the network 10. Thereby, the information processing apparatus 200 according to the second embodiment can prevent malware from entering from the outside, and can prevent malware from being distributed from the information processing apparatus 200 to the outside.

  In general, in an information processing apparatus such as a PC, most of intrusion detection systems and anti-virus software that detect whether an illegal packet has intruded from the outside are executed as an OS kernel driver or application. For this reason, in such an information processing apparatus, there is a possibility that the intrusion detection system or the anti-virus software may be stopped when the execution authority similar to the kernel mode is acquired by malware. As a result, such an information processing apparatus may not be able to detect whether an illegal packet has entered from the outside.

  On the other hand, in the information processing apparatus 200 according to the second embodiment, since the VMM 220 implements the VPN function and the encryption function, even if the kernel mode authority of the guest OS 230 is acquired by malware, the VMM 220 is externally provided. Whether or not an illegal packet has entered can be detected. That is, the information processing apparatus 200 according to the second embodiment can implement security functions such as a VPN function and an encryption function by the VMM 220 regardless of the type of the physical NIC 111.

  In the second embodiment, an example in which security functions such as a VPN function and an encryption function are realized by the VMM is shown. In the third embodiment, an example in which a storage device to which a guest OS is network-connected can be used as a locally connected storage device by providing a virtualized storage device of the VMM will be described.

[Configuration Example of Information Processing Apparatus According to Embodiment 3]
First, the information processing apparatus according to the third embodiment will be described with reference to FIG. FIG. 5 is a schematic diagram illustrating functions realized by the information processing apparatus according to the third embodiment. In addition, below, the detailed description is abbreviate | omitted as attaching | subjecting the same code | symbol to the site | part which has the function similar to the already shown component part.

  The information processing apparatus 300 illustrated in FIG. 5 is applied with a virtualization technology for operating a VM, similar to the information processing apparatus 100 illustrated in FIG. The information processing apparatus 300 is connected to the online storage 20 as shown in FIG. The online storage 20 is a storage device connected to the information processing device 300 via a network.

  Such an information processing apparatus 300 includes hardware 110, a VMM 320, and a guest OS 330, as shown in FIG. The VMM 320 operates the guest OS 330 on the VM. Further, the VMM 320 provides a virtual NIC 321 to the guest OS 330. Similar to the virtual NIC 121 illustrated in FIG. 1, the virtual NIC 321 is a virtual network device in which a network device controlled by a device driver included in the guest OS 330 is virtualized. That is, the guest OS 330 can recognize the virtual NIC 321 without mounting a new device driver, for example.

  Further, the VMM 320 bridges the virtual NIC 321 and the physical NIC 111 to the guest OS 330. Thereby, a packet input to the virtual NIC 321 is transferred to the physical NIC 111, and a packet input to the physical NIC 111 is transferred to the virtual NIC 321.

  In addition, the VMM 320 provides virtual hardware obtained by virtualizing physically existing physical hardware to the guest OS 330. In the example illustrated in FIG. 5, the VMM 320 provides a virtual HDD (Hard Disk Drive) 322 as an example of virtual hardware. The virtual HDD 322 is a device in which the HDD is virtualized. That is, the VMM 320 provides the virtual HDD 322 so that the guest OS 330 recognizes that the HDD is installed in the information processing apparatus 300.

  The virtual HDD 322 is preferably controlled by a device driver that the guest OS 330 has as a standard. Thereby, the guest OS 330 can recognize the virtual HDD 322 without installing a new device driver.

  The online storage providing unit 323 provides a function that enables the online storage 20 connected to the information processing apparatus 300 via a network. Specifically, the online storage providing unit 323 accesses the online storage 20 by communicating with the online storage 20 when receiving an access request to the online storage 20 from the guest OS 330. The online storage providing unit 323 will be described in detail after the guest OS 330 is described.

  The guest OS 330 is an OS operated on the VM by the VMM 320, and includes a virtual NIC device driver 331, a physical NIC device driver 332, a virtual HDD device driver 333, and an application unit 334.

  The virtual NIC device driver 331 corresponds to the virtual NIC device driver 131 illustrated in FIG. 1 and is a device driver that controls the virtual NIC 321. The physical NIC device driver 332 corresponds to the physical NIC device driver 132 illustrated in FIG. 1 and is a device driver that controls the physical NIC 111. The virtual HDD device driver 333 is a device driver that controls the virtual HDD 322.

  The application unit 334 is various applications that operate on the guest OS 330. The application unit 334 illustrated in FIG. 5 may read / write data from / to the online storage 20. Here, the application unit 334 in the third embodiment outputs an access request to the virtual HDD device driver 333 when accessing the online storage 20.

  Here, the processing by the online storage providing unit 323 included in the VMM 320 will be described in detail. First, the application unit 334 inputs an access request to the virtual HDD device driver 333 when accessing the online storage 20 as described above. The virtual HDD device driver 333 inputs the access request input from the application unit 334 to the virtual HDD 322. The VMM 320 monitors access to the I / O port. When an access request is input to the virtual HDD 322, the VMM 320 transfers the access request to the online storage providing unit 323.

  When an access request is input from the virtual HDD 322, the online storage providing unit 323 communicates with the online storage 20 and outputs a packet including the access request to the virtual NIC 321. Hereinafter, a packet including an access request may be referred to as an “access request packet”.

  Then, the virtual NIC device driver 331 transfers the access request packet input to the virtual NIC 321 by the online storage providing unit 323 to the physical NIC device driver 332 by the network bridge function of the guest OS 330. As a result, the access request packet is input to the physical NIC 111. Then, the access request packet input to the physical NIC 111 is transmitted to the online storage 20. Thereby, the online storage 20 performs data read processing and write processing in accordance with the access request packet.

  Further, when the online storage 20 performs a data read process or a data write process, the online storage 20 transmits a result of the process to the physical NIC 111. In the following, the result of the data read process or data write process by the online storage 20 may be referred to as an “access result packet”.

  When the access result packet is transmitted from the online storage 20 to the physical NIC 111, the physical NIC device driver 332 transfers the access result packet to the virtual NIC device driver 331 by the network bridge function of the guest OS 330. As a result, the access result packet is input to the virtual NIC 321. Then, the online storage providing unit 323 transmits the access result packet input to the virtual NIC 321 to the application unit 334 via the virtual HDD 322.

[Access Request Transmission Processing by Information Processing Device According to Embodiment 3]
Next, an access request transmission process performed by the information processing apparatus 300 according to the third embodiment will be described with reference to FIG. FIG. 6 is a flowchart illustrating the access request transmission processing procedure performed by the information processing apparatus 300 according to the third embodiment.

  As illustrated in FIG. 6, the VMM 320 of the information processing apparatus 300 determines whether communication to the virtual HDD 322 has occurred by monitoring access to the I / O port (step S301). For example, when an access request packet is input from the application unit 334 to the virtual HDD 322 (Yes in step S301), the online storage providing unit 323 of the VMM 320 outputs the access request packet to the virtual NIC 321 (step S302).

  Then, the virtual NIC device driver 331 transfers the access request packet input to the virtual NIC 321 to the physical NIC device driver 332 by the network bridge function of the guest OS 330, thereby transferring it to the physical NIC 111 (step S303). As a result, the information processing apparatus 300 transmits an access request packet from the physical NIC 111 to the online storage 20 (step S304). Note that the online storage 20 performs data read processing and data write processing in accordance with the access request packet received from the information processing apparatus 300.

[Access Result Packet Reception Processing by Information Processing Device According to Embodiment 3]
Next, a procedure of access result packet reception processing by the information processing apparatus 300 according to the third embodiment will be described with reference to FIG. FIG. 7 is a flowchart illustrating the access result packet reception processing procedure performed by the information processing apparatus 300 according to the third embodiment.

  As illustrated in FIG. 7, in the information processing apparatus 300, when the physical NIC 111 receives an access result packet from the online storage 20 (Yes in step S401), the physical NIC device driver 332 uses the network bridge function of the guest OS 330. By transferring the access result packet to the virtual NIC device driver 331, the access result packet is transferred to the virtual NIC 321 (step S402).

  Then, the online storage providing unit 323 outputs the access result packet input to the virtual NIC 321 to the virtual HDD 322 (Step S403). As a result, the access result packet transmitted from the online storage 20 to the information processing apparatus 300 is transmitted to the application unit 334.

[Effect of Example 3]
As described above, in the information processing apparatus 300 according to the third embodiment, the VMM 320 provides the virtual NIC 321 and causes the guest OS 330 to bridge-connect the virtual NIC 321 and the physical NIC 111. Further, the VMM 320 provides the virtual HDD 322 as a port for receiving an access request packet from the application unit 334 to the online storage 20. Then, the VMM 320 transfers the access request packet to the physical NIC 111 by inputting the access request packet received from the application unit 334 to the virtual NIC 321. Further, the VMM 320 receives the access result packet received from the online storage 20 to the physical NIC 111 by the virtual NIC 321.

  Accordingly, the VMM 320 of the information processing apparatus 300 according to the third embodiment can input an access request packet to the physical NIC 111 without requiring a device driver that controls the physical NIC 111. In other words, the VMM 320 can use the physical NIC 111 without depending on the type of the physical NIC 111. In the example illustrated in FIG. 5, the VMM 320 of the information processing apparatus 300 can cause the guest OS 330 to use the online storage 20 as a locally connected storage apparatus.

  Further, the information processing apparatus 300 according to the third embodiment can use the online storage 20 as a locally connected storage apparatus by the same VMM 320 even when the type of the guest OS 330 is changed.

  By the way, the virtual control program, the information processing apparatus, and the virtual control method according to the present invention may be implemented in various different forms other than the above-described embodiments. Therefore, in the fourth embodiment, another embodiment of the virtual control program, the information processing apparatus, and the virtual control method according to the present invention will be described.

Virtual hardware
In the third embodiment, the VMM 320 provides the virtual HDD 322 as an example of virtual hardware. However, the VMM 320 may provide virtual hardware in which hardware other than the HDD is virtualized. For example, when a printer is connected to the information processing apparatus 300 over a network, the VMM 320 may provide a virtual printer in which the printer is virtualized as virtual hardware. In such a case, the VMM 320 can cause the guest OS 330 to use the network printer as a locally connected printer.

[System configuration, etc.]
Each component of each illustrated device is functionally conceptual, and does not necessarily need to be the same as the physically illustrated component. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. For example, the intrusion detection unit 223 and the tunnel construction unit 224 illustrated in FIG. 2 may be integrated as one processing unit.

  In addition, all or some of the processes described as being automatically performed among the processes described in the present embodiment can be manually performed. Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

[Virtual control program]
The processing executed by the information processing apparatuses 100, 200, and 300 according to the first to third embodiments is realized by a virtual control program described in a language that can be executed by a computer. In such a case, the effects described in the first to third embodiments can be obtained by the computer executing the virtual control program. The virtual control program is recorded on a computer-readable recording medium, and the virtual control program recorded on the recording medium is read by the computer and executed, thereby realizing the same processing as in the first to third embodiments. May be. Hereinafter, an example of a computer that executes a virtual control program that realizes the same function as the information processing apparatuses 100, 200, and 300 will be described.

  FIG. 8 is a diagram illustrating a computer 1000 that executes a virtual control program. As shown in FIG. 8, the computer 1000 includes, for example, a memory 1010, a CPU (Central Processing Unit) 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network. Interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1031. The disk drive interface 1040 is connected to the disk drive 1041. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041. For example, a mouse 1051 and a keyboard 1052 are connected to the serial port interface 1050. For example, a display 1061 is connected to the video adapter 1060.

  Here, as illustrated in FIG. 8, the hard disk drive 1031 stores, for example, a program for realizing an OS (Operating System) 1091, an application program 1092, a program module 1093, and program data 1094. The VMMs 120, 220, and 320 and the guest OSs 130, 230, and 330 described in the first to third embodiments are realized by a virtual control program stored in the hard disk drive 1031, for example. Specifically, the CPU 1020 reads a virtual control program and program data 1094 stored in the hard disk drive 1031 to the RAM 1012 as necessary, and executes various procedures.

  Note that the virtual control program is not limited to being stored in the hard disk drive 1031, but may be stored in a removable storage medium and read by the CPU 1020 via the disk drive 1041 or the like. Alternatively, the virtual control program may be stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network) and read by the CPU 1020 via the network interface 1070. .

DESCRIPTION OF SYMBOLS 10 Network 11 Tunnel construction part 20 Online storage 100 Information processing apparatus 110 Hardware 111 Physical NIC
120 VMM
121 Virtual NIC
130 Guest OS
131 Device driver for virtual NIC 132 Device driver for physical NIC 200 Information processing device 220 VMM
221 First virtual NIC
222 Second virtual NIC
223 Intrusion detection unit 224 Tunnel construction unit 230 Guest OS
231 Device driver for virtual NIC 232 Device driver for physical NIC 233 Device driver for virtual NIC 234 Application unit 300 Information processing device 320 VMM
321 Virtual NIC
322 Virtual HDD
323 Online storage provider 330 Guest OS
331 Device driver for virtual NIC 332 Device driver for physical NIC 333 Device driver for virtual HDD 334 Application unit 1000 Computer 1010 Memory 1011 ROM
1012 RAM
1020 CPU
1030 Hard disk drive interface 1031 Hard disk drive 1040 Disk drive interface 1041 Disk drive 1050 Serial port interface 1051 Mouse 1052 Keyboard 1060 Video adapter 1061 Display 1070 Network interface 1080 Bus 1092 Application program 1093 Program module 1094 Program data

Claims (7)

A virtual control program for controlling the operation of a virtual machine on an information processing apparatus having a physical network device that is a physically existing network device,
Operating a guest OS including a physical device driver for controlling the physical network device on the virtual machine;
Providing the guest OS with a virtual network device in which a network device controlled by a device driver of the guest OS is virtualized;
The guest OS is provided with the virtual network device such that data distribution between the virtual network device and the physical network device is performed via the virtual device driver corresponding to the virtual network device and the physical device driver. A virtual control program that causes the information processing apparatus to execute a process of connecting the physical network device. The virtual control program is
A first virtual network device connected to the physical network device as the virtual network device is provided, and a second virtual network device that is a virtualized network device different from the first virtual network device is provided ,
When the virtual machine transmits a packet to the outside, the second virtual network device accepts a transmission target packet to be transmitted to the outside from the virtual machine, and inputs the transmission target packet to the first virtual network device. Thus, the transmission target packet is transmitted to the outside through the physical network device connected to the first virtual network device,
When a packet is received from the outside by the physical network device, a received packet transferred to the first virtual network device connected to the physical network device is transmitted via the second virtual network device. The virtual control program according to claim 1, which causes the information processing apparatus to execute processing to be transmitted to a virtual machine. The virtual control program is
It is determined whether the packet received by the physical network device is a packet encapsulated by a predetermined external device, and when the received packet is a packet encapsulated by the external device, A received packet output from the first virtual network device is decapsulated and output to the second virtual network device. If the received packet is not a packet encapsulated by the external device, the received packet is discarded. ,
When the packet is input from the virtual machine to the second virtual network device, the information processing apparatus further executes processing to encapsulate the packet and output the packet to the first virtual network device. The virtual control program according to claim 2. The virtual control program is
Monitoring the packet input / output to / from the first virtual network device or the second virtual network device to detect whether an illegal packet has entered, further causing the information processing apparatus to further execute processing The virtual control program according to claim 2 or 3. The virtual control program is
Providing the virtual network device and providing virtual hardware in which physical hardware connected to the physical network device is virtualized;
When the virtual machine transmits / receives data to / from the physical hardware, the virtual hardware receives data to be transmitted to the physical hardware from the virtual machine and inputs the data to the virtual network device. The data is transmitted to the physical hardware via the physical network device connected to the virtual network device,
When data is received from the physical hardware by the physical network device, received data transferred to the virtual network device connected to the physical network device is transferred to the virtual machine via the virtual hardware. The virtual control program according to claim 1, which causes the information processing apparatus to execute a process of transmitting. An information processing apparatus on which a virtual machine operates,
A physical network device that is a physically existing network device;
A virtual control unit for operating a guest OS including a physical device driver for controlling the physical network device on the virtual machine,
The virtual control unit
Providing the guest OS with a virtual network device in which a network device controlled by a device driver of the guest OS is virtualized;
The guest OS is provided with the virtual network device such that data distribution between the virtual network device and the physical network device is performed via the virtual device driver corresponding to the virtual network device and the physical device driver. An information processing apparatus for connecting the physical network device. A virtual control method for controlling the operation of a virtual machine on an information processing apparatus having a physical network device that is a physically existing network device,
The information processing apparatus is
An operation step of operating a guest OS including a physical device driver for controlling the physical network device on the virtual machine;
Providing a guest network with a virtual network device in which a network device controlled by a device driver of the guest OS is virtualized;
The guest OS is provided with the virtual network device such that data distribution between the virtual network device and the physical network device is performed via the virtual device driver corresponding to the virtual network device and the physical device driver. A virtual control method comprising: performing a connection step of connecting the physical network device.

Images