WO2017036376A1 - Data access method, code calling method, and virtual machine monitor - Google Patents


Info

Publication number: WO2017036376A1
Authority: WO, WIPO (PCT)
Prior art keywords: space, kernel, page table, vmm, target
Application number: PCT/CN2016/097246
Other languages: French (fr), Chinese (zh)
Inventors: 李辉, 陈兴蜀, 张相锋
Original assignee: 华为技术有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

Definitions

  • The invention relates to the technical field of computer memory management, and in particular to a data access method, a code calling method and a virtual machine monitor (VMM).
  • Almost all modern operating systems support dynamic insertion and unloading of modules, which allows the operating system kernel to extend its functionality as needed.
  • Once a target kernel module has been inserted into the operating system kernel, its behavior is no longer monitored or restricted.
  • The loaded target kernel module runs at the same privilege level as the operating system kernel.
  • The target kernel module can therefore call any code provided by the operating system kernel and modify operating system kernel data, so that the integrity of the operating system kernel faces security threats.
  • In the prior art, a driver isolation layer is placed between the operating system kernel and the driver module in order to isolate the operating system kernel from the driver module. However, the driver isolation layer is located in operating system kernel space and is at the same privilege level as the driver module, so the driver module can modify the permission mapping relationship in its own page table, and the modified mapping relationship can disable the isolation function of the driver isolation layer, leaving the operating system in an unsafe state.
  • In addition, the driver isolation layer isolates the driver modules of every core device, which seriously affects system performance.
  • The embodiments of the invention provide a data access method, a code calling method and a VMM, so as to improve the security of system kernel data access and code calling.
  • A first aspect of the embodiments of the present invention discloses a data access method, including:
  • the virtual machine monitor VMM captures a page table interrupt event, where the page table interrupt event is generated by the central processing unit CPU after it detects an access request for kernel data in the kernel space K-SPACE sent by the target kernel module and determines that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolation space page table MPGT, wherein the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support operation of the target kernel module;
  • the VMM determines, by using a pre-stored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE;
  • when the VMM determines, by the pre-stored page table interrupt processing function, that the target kernel module has permission to access the kernel data in the K-SPACE, the VMM creates in the MPGT the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
  • In a possible implementation, the VMM determining, by using the pre-stored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE includes:
  • the VMM obtains, by using the pre-stored page table interrupt processing function, a preset permission judgment policy corresponding to the page table interrupt event, and acquires virtual address distribution information of the kernel data in the K-SPACE;
  • the VMM determines the event type of the page table interrupt event;
  • the VMM determines, according to the preset permission judgment policy, the virtual address distribution information and the event type, whether the target kernel module has permission to access the kernel data in the K-SPACE.
  • In a possible implementation, before the VMM captures the page table interrupt event, the method further includes:
  • the VMM maps virtual address distribution information of the target kernel module to physical address distribution information according to a pre-stored space page table of the virtual machine kernel space, wherein the target kernel module is a kernel module that needs to be isolated, selected from N kernel modules inserted in the virtual machine kernel space, and N is a positive integer;
  • the VMM separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
  • the VMM marks the space page table of the virtual machine kernel space as a kernel space page table KPGT and creates the MPGT based on the physical address distribution information, wherein the KPGT is used to support operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE include the base kernel module of the virtual machine kernel space and the kernel modules other than the target kernel module among the N kernel modules;
  • the VMM creates in the MPGT the access permission mapping of the target kernel module to the kernel data in the M-SPACE, so that the target kernel module has permission to access the kernel data in the M-SPACE.
  • A second aspect of the embodiments of the present invention discloses a VMM, including:
  • an event capture unit configured to capture a page table interrupt event, where the page table interrupt event is generated by the CPU after it detects an access request for kernel data in the kernel space K-SPACE sent by the target kernel module and determines that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolation space page table MPGT, wherein the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support operation of the target kernel module;
  • a permission determining unit configured to determine, by using a pre-stored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE;
  • a permission creation unit configured to create in the MPGT the access permission mapping of the target kernel module to the kernel data in the K-SPACE when the permission determining unit determines, by using the pre-stored page table interrupt processing function, that the target kernel module has permission to access the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
  • The permission determining unit is specifically configured to:
  • The VMM further includes:
  • an address mapping unit configured to map virtual address distribution information of the target kernel module to physical address distribution information according to a pre-stored space page table of the virtual machine kernel space before the event capture unit captures the page table interrupt event, where the target kernel module is a kernel module selected from N kernel modules inserted in the virtual machine kernel space, and N is a positive integer;
  • a space separating unit configured to separate the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
  • a page table creation unit configured to mark the space page table of the virtual machine kernel space as a kernel space page table KPGT and to create the MPGT based on the physical address distribution information, wherein the KPGT is used to support operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE include the base kernel module of the virtual machine kernel space and the kernel modules other than the target kernel module among the N kernel modules.
  • The access permission mapping of the target kernel module to the kernel data in the M-SPACE is created in the MPGT, so that the target kernel module has permission to access the kernel data in the M-SPACE.
  • In the embodiments, the VMM first captures the page table interrupt event; secondly, the VMM determines, through the pre-stored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE; finally, when the VMM determines through the pre-stored page table interrupt processing function that the target kernel module has that permission, the VMM creates in the MPGT the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
  • Because the page table interrupt event is generated after the CPU detects the access request for kernel data in the kernel space K-SPACE sent by the target kernel module and determines that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolation space page table MPGT, the target kernel module has no permission to access the kernel data in the K-SPACE directly. This prevents the target kernel module from accessing kernel data in the K-SPACE when its security is unknown, which helps improve the security of system kernel data access.
  • The VMM, which has a higher privilege level, is isolated from the virtual machine in execution permission and is not directly attacked by the virtual machine.
  • The VMM is independent of the guest platform, so it can isolate kernel modules of several different types of guest operating systems at the same time.
  • A third aspect of the embodiments of the present invention discloses a code calling method, including:
  • the virtual machine monitor VMM captures a page table interrupt event, where the page table interrupt event is generated by the central processing unit CPU after it detects a call request of the target kernel module for kernel code in the kernel space K-SPACE and determines that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolation space page table MPGT, wherein the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support operation of the target kernel module;
  • the VMM determines, by using a pre-stored page table interrupt processing function, whether the target kernel module has permission to invoke the kernel code in the K-SPACE;
  • when the VMM determines, by the pre-stored page table interrupt processing function, that the target kernel module has permission to invoke the kernel code in the K-SPACE, the VMM performs, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to a kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the switched K-STACK.
  • In a possible implementation, the VMM determining, by using the pre-stored page table interrupt processing function, whether the target kernel module has permission to invoke the kernel code in the K-SPACE includes:
  • the VMM obtains, by using the pre-stored page table interrupt processing function, a preset permission judgment policy corresponding to the page table interrupt event, and acquires virtual address distribution information of the kernel code in the K-SPACE;
  • the VMM determines, according to the obtained preset permission judgment policy and the virtual address distribution information, whether the target kernel module has permission to invoke the kernel code in the K-SPACE.
  • In a possible implementation, the VMM performing the page table switching operation includes:
  • the VMM switches the page table currently loaded by the VMM from the MPGT to a kernel space page table KPGT, wherein the KPGT is used to support operation of the kernel modules in the K-SPACE, and the K-SPACE includes the base kernel module of the virtual machine kernel space, the kernel modules other than the target kernel module among the N kernel modules inserted in the virtual machine kernel space, and the KPGT, where N is a positive integer greater than 1.
  • In a possible implementation, the VMM performing the stack switching operation includes:
  • the VMM copies, from the M-STACK to the K-STACK, the stored code parameters to be passed to the kernel code in the K-SPACE and the return address RIP for the call of the kernel code in the K-SPACE;
  • the VMM switches the stack currently used by the virtual machine kernel space from an esp-old location to an esp-new location, where the esp-old location is the storage location of the RIP in the M-STACK and the esp-new location is the storage location of the RIP in the K-STACK.
  • In a possible implementation, before the VMM captures the page table interrupt event, the method further includes:
  • the VMM maps virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, wherein the target kernel module is a kernel module that needs to be isolated, selected from N kernel modules inserted in the virtual machine kernel space, and N is a positive integer greater than 1;
  • the VMM separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
  • the VMM marks the space page table of the virtual machine kernel space as a kernel space page table KPGT and creates the MPGT based on the physical address distribution information;
  • the call permission mapping of the target kernel module to the kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to invoke the kernel code in the M-SPACE.
  • A fourth aspect of the embodiments of the present invention discloses a VMM, including:
  • an event capture unit configured to capture a page table interrupt event, where the page table interrupt event is generated by the central processing unit CPU after it detects a call request of the target kernel module for kernel code in the kernel space K-SPACE and determines that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolation space page table MPGT, wherein the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support operation of the target kernel module;
  • a permission determining unit configured to determine, by using a pre-stored page table interrupt processing function, whether the target kernel module has permission to invoke the kernel code in the K-SPACE;
  • a switching unit configured to, when the permission determining unit determines, by using the pre-stored page table interrupt processing function, that the target kernel module has permission to invoke the kernel code in the K-SPACE, perform, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to a kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the switched K-STACK.
  • The permission determining unit is specifically configured to:
  • The switching unit is specifically configured to:
  • switch the page table currently loaded by the VMM from the MPGT to a kernel space page table KPGT, wherein the KPGT is configured to support operation of the kernel modules in the K-SPACE, and the K-SPACE includes the base kernel module of the virtual machine kernel space, the kernel modules other than the target kernel module among the N kernel modules inserted in the virtual machine kernel space, and the KPGT, where N is a positive integer greater than 1.
  • The switching unit is specifically configured to:
  • The VMM further includes:
  • an address mapping unit configured to map, before the event capture unit captures the page table interrupt event, the virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module selected from N kernel modules inserted in the virtual machine kernel space, and N is a positive integer greater than 1;
  • a space separating unit configured to separate the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
  • a page table creation unit configured to mark the space page table of the virtual machine kernel space as a kernel space page table KPGT and to create the MPGT based on the physical address distribution information.
  • In a fifth possible implementation of the fourth aspect of the embodiments of the present invention, the call permission mapping of the target kernel module to the kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to invoke the kernel code in the M-SPACE.
  • In the embodiments, the VMM first captures the page table interrupt event; secondly, when the VMM determines, through the pre-stored page table interrupt processing function, that the target kernel module has permission to invoke the kernel code in the K-SPACE, the VMM performs, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the switched K-STACK.
  • Because the page table interrupt event is generated after the CPU detects the call request of the target kernel module for the kernel code in the kernel space K-SPACE and determines that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolation space page table MPGT, the target kernel module has no permission to call the kernel code directly. This prevents the target kernel module from calling kernel code in the K-SPACE when its security is unknown, which is beneficial to the security of system kernel code calls.
  • The VMM, which has a higher privilege level, is isolated from the virtual machine in execution permission and is not directly attacked by the virtual machine.
  • The VMM is independent of the guest platform, so it can isolate kernel modules of several different types of guest operating systems at the same time.
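As an added illustration (not code from the patent or its assignee), the following C models the mechanism of the first and third aspects: the target kernel module runs under an MPGT that initially maps only its own M-SPACE pages, so its first access to K-SPACE data or code raises a page table interrupt event; the VMM's handler judges the faulting address and event type against a preset policy, creates the mapping in the MPGT only on permit, and for a permitted call switches the page table to the KPGT and copies the return address RIP plus the call parameters from the M-STACK to the K-STACK (esp-old to esp-new). Page tables as one permission byte per 4 KiB page, the policy rules, the stacks and every address are constructed toy values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SHIFT  12
#define NPAGES      ((size_t)64)   /* toy virtual machine kernel space: 64 pages of 4 KiB */
#define STACK_WORDS ((size_t)16)   /* toy stack size, in 8-byte words */
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
enum event_type { EV_READ, EV_WRITE, EV_CALL };   /* event type of the page table interrupt */
typedef struct { uint8_t perm[NPAGES]; } pgt_t;            /* one permission byte per page */
struct policy_rule { uint64_t lo, hi; uint8_t allowed; };  /* half-open byte range [lo, hi) */
struct stack { uint64_t w[STACK_WORDS]; };
struct vmm {
    pgt_t mpgt, kpgt;                  /* MPGT supports the target module, KPGT the K-SPACE */
    const pgt_t *loaded;               /* page table currently loaded by the VMM */
    const struct policy_rule *rules;   /* preset permission judgment policy */
    size_t nrules;
    int faults_denied;                 /* denied events: what a defender would want logged */
};
static uint8_t ev_to_perm(enum event_type ev) { return ev == EV_READ ? PERM_R : ev == EV_WRITE ? PERM_W : PERM_X; }
/* State after space separation: the MPGT maps only the module's own M-SPACE pages
   (mspace_first..mspace_last), so its first access to any K-SPACE page raises an event. */
static void vmm_init(struct vmm *v, size_t mspace_first, size_t mspace_last,
                     const struct policy_rule *rules, size_t nrules)
{
    memset(v, 0, sizeof *v);
    for (size_t pg = 0; pg < NPAGES; pg++) {
        v->kpgt.perm[pg] = PERM_R | PERM_W | PERM_X;
        if (pg >= mspace_first && pg <= mspace_last)
            v->mpgt.perm[pg] = PERM_R | PERM_W | PERM_X;
    }
    v->loaded = &v->mpgt;
    v->rules = rules; v->nrules = nrules;
}

/* CPU side: the target module runs under the MPGT, so an access raises a page table
   interrupt event whenever the MPGT lacks the permission that access needs. */
static bool cpu_raises_event(const struct vmm *v, uint64_t va, enum event_type ev)
{
    size_t pg = va >> PAGE_SHIFT;
    return pg >= NPAGES || !(v->mpgt.perm[pg] & ev_to_perm(ev));
}

/* Pre-stored page table interrupt processing function: judge (address, event type)
   against the policy; on permit create the mapping in the MPGT, on deny leave it. */
static bool vmm_handle_event(struct vmm *v, uint64_t va, enum event_type ev)
{
    size_t pg = va >> PAGE_SHIFT;
    uint8_t need = ev_to_perm(ev);
    if (pg < NPAGES)
        for (size_t i = 0; i < v->nrules; i++)
            if (va >= v->rules[i].lo && va < v->rules[i].hi && (v->rules[i].allowed & need)) {
                v->mpgt.perm[pg] |= need;       /* later accesses to this page no longer trap */
                return true;
            }
    v->faults_denied++;
    return false;
}

/* Data access path of the isolated module: no event means direct access. */
static bool module_access(struct vmm *v, uint64_t va, enum event_type ev)
{
    return !cpu_raises_event(v, va, ev) || vmm_handle_event(v, va, ev);
}

/* Code call path: once the call is permitted, switch page table MPGT -> KPGT and stack
   M-STACK -> K-STACK. From esp_old upward the M-STACK holds the return address RIP and nargs
   parameters; they are copied to the K-STACK and esp_new becomes RIP's slot there (-1 on deny). */
static long module_call_kernel(struct vmm *v, uint64_t target, const struct stack *mstack,
                               size_t esp_old, size_t nargs, struct stack *kstack)
{
    if (!module_access(v, target, EV_CALL) ||          /* denied by the policy */
        nargs + 1 > STACK_WORDS || esp_old + nargs + 1 > STACK_WORDS)
        return -1;
    v->loaded = &v->kpgt;                              /* page table switch */
    size_t esp_new = STACK_WORDS - (nargs + 1);        /* RIP slot in K-STACK */
    memcpy(&kstack->w[esp_new], &mstack->w[esp_old], (nargs + 1) * sizeof(uint64_t));
    return (long)esp_new;
}

/* Constructed sample policy: K-SPACE pages 0..3 readable, page 4 also writable, one
   kernel entry page (10) callable, nothing else; the module itself sits in pages 40..47. */
static const struct policy_rule sample_rules[] = {
    { 0x0000, 0x4000, PERM_R }, { 0x4000, 0x5000, PERM_R | PERM_W }, { 0xA000, 0xB000, PERM_X },
};

/* Walks the scenario; returns 1 when every step behaved as the text describes. */
static int demo(void)
{
    struct vmm v; struct stack mstack = {{0}}, kstack = {{0}};
    vmm_init(&v, 40, 47, sample_rules, 3);
    int ok = module_access(&v, 0x1234, EV_READ);       /* traps, permitted, mapping created */
    ok &= !cpu_raises_event(&v, 0x1234, EV_READ);      /* second read: no trap */
    ok &= !module_access(&v, 0x1234, EV_WRITE);        /* write to read-only data: denied */
    mstack.w[2] = 0xAAAA0000; mstack.w[3] = 7; mstack.w[4] = 9;   /* RIP, arg0, arg1 at esp_old = 2 */
    long esp_new = module_call_kernel(&v, 0xA010, &mstack, 2, 2, &kstack);
    ok &= esp_new == 13 && kstack.w[esp_new] == 0xAAAA0000 && v.loaded == &v.kpgt;
    return ok;
}
```

Restoring the MPGT and M-STACK when the kernel code returns is not described on this page and is left out of the model.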
  • FIG. 1.1 is a schematic structural diagram of a typical bare metal mode virtualization platform deployment according to an embodiment of the present invention.
  • FIG. 1.2 is a schematic structural diagram of a typical host mode virtualization platform deployed according to an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of a data access method according to an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of another data access method according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of a data access method according to an embodiment of the present invention.
  • FIG. 5 is a schematic flowchart of a code calling method according to an embodiment of the present invention.
  • FIG. 6 is a schematic flowchart of another code calling method disclosed in an embodiment of the present invention.
  • FIG. 7 is a schematic flowchart of still another code calling method according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of a VMM for controlling access to kernel data in a K-SPACE by a target kernel module in an M-SPACE according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a VMM for controlling a kernel code in a K-SPACE by a target kernel module in an M-SPACE according to an embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of a physical device of a VMM according to an embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of a physical device of a VMM according to an embodiment of the present invention.
  • The embodiments of the invention provide a data access method, a code calling method and a virtual machine monitor (VMM), so as to improve the security of system kernel data access and code calling.
  • VMM: virtual machine monitor.
  • FIG. 1.1 is a schematic diagram of a typical bare-metal mode virtualization platform deployment architecture disclosed in the embodiments of the present invention, and FIG. 1.2 is a schematic diagram of a typical host mode virtualization platform deployment architecture disclosed in the embodiments of the present invention. As shown in FIG. 1.1 and FIG. 1.2, the virtual machine operating systems in both modes run on the VMM; the VMM has higher execution privileges than the virtual machine operating system, and the two are isolated from each other.
  • The virtual machine operating system kernel can be further divided into a code part, a data part, the stacks required for kernel operation, and dynamically loadable kernel modules.
  • In the bare-metal mode, the VMM runs directly on the physical machine, operates the physical hardware, and provides services to the virtual machines above it.
  • In the host mode, the VMM runs on a host operating system, and its virtualization functions need to be implemented by means of the host, which directly controls the underlying hardware resources.
  • FIG. 2 is a schematic flowchart of a data access method according to an embodiment of the present invention. As shown in FIG. 2, the data access method is described from the VMM side and specifically includes the following steps:
  • the VMM captures a page table interrupt event, where the page table interrupt event is generated by the CPU after it detects an access request for kernel data in the kernel space K-SPACE sent by the target kernel module and determines that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolation space page table MPGT, wherein the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is configured to support operation of the target kernel module;
  • the access permission mapping of the target kernel module to the kernel data in the M-SPACE is created in the MPGT, so that the target kernel module has permission to access the kernel data in the M-SPACE.
  • the VMM determines, by using a pre-stored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE.
  • The specific manner in which the VMM determines, through the pre-stored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE is as follows: the VMM first obtains, by using the pre-stored page table interrupt processing function, a preset permission judgment policy corresponding to the page table interrupt event, and acquires virtual address distribution information of the kernel data in the K-SPACE; secondly, the VMM determines the event type of the page table interrupt event; finally, the VMM determines, according to the preset permission judgment policy, the virtual address distribution information and the event type, whether the target kernel module has permission to access the kernel data in the K-SPACE.
  • when the VMM determines, by using the pre-stored page table interrupt processing function, that the target kernel module has permission to access the kernel data in the K-SPACE, the VMM creates in the MPGT the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
  • In this embodiment, the VMM first captures the page table interrupt event; secondly, the VMM determines, through the pre-stored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE; finally, when the VMM determines through the pre-stored page table interrupt processing function that the target kernel module has that permission, the VMM creates in the MPGT the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
  • Before the VMM captures the page table interrupt event, the following operations may also be performed to create a kernel space isolation mechanism for the target kernel module:
  • the VMM maps virtual address distribution information of the target kernel module to physical address distribution information according to a pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module selected to be isolated among the N kernel modules inserted in the virtual machine kernel space, and N is a positive integer;
  • the VMM separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
  • the VMM marks the space page table of the virtual machine kernel space as a kernel space page table KPGT and creates the MPGT based on the physical address distribution information, wherein the KPGT is used to support operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE include the base kernel module of the virtual machine kernel space and the kernel modules other than the target kernel module among the N kernel modules.
  • FIG. 3 is a schematic flowchart of another data access method according to an embodiment of the present invention. As shown in FIG. 3, the data access method is described from the VMM side and specifically includes the following steps:
  • the virtual machine monitor VMM captures a page table interrupt event, where the page table interrupt event is generated by the central processing unit CPU after it detects an access request for kernel data in the kernel space K-SPACE sent by the target kernel module and determines that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolation space page table MPGT, wherein the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support operation of the target kernel module;
  • the access permission mapping of the target kernel module to the kernel data in the M-SPACE is created in the MPGT, so that the target kernel module has permission to access the kernel data in the M-SPACE.
  • the VMM obtains, by using a pre-stored page table interrupt processing function, a preset permission judgment policy corresponding to the page table interrupt event, and acquires virtual address distribution information of the kernel data in the K-SPACE;
  • the VMM determines the event type of the page table interrupt event;
  • the VMM determines, according to the preset permission judgment policy, the virtual address distribution information and the event type, whether the target kernel module has permission to access the kernel data in the K-SPACE;
  • when the VMM determines, by using the pre-stored page table interrupt processing function, that the target kernel module has permission to access the kernel data in the K-SPACE, the VMM creates in the MPGT the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
  • In this embodiment, the VMM first captures the page table interrupt event; secondly, the VMM determines, through the pre-stored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE; finally, when the VMM determines through the pre-stored page table interrupt processing function that the target kernel module has that permission, the VMM creates in the MPGT the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
  • the CPU detects the access request for the kernel data in the kernel space K-SPACE sent by the target kernel module, and determines that the target kernel module is not created in the isolated space page table MPGT, the K- In the case of the access rights mapping of kernel data in SPACE, it can be seen that the target kernel module has no permission to directly access the kernel data in the K-SPACE space, thereby avoiding the target kernel module from accessing K-SPACE without security.
  • the kernel data in the kernel helps to improve the security of system kernel data access.
  • the VMM with higher privilege level is isolated from the virtual machine in execution permission, and is not directly attacked by the virtual machine. .
  • VMM has client platform independence, it can isolate kernel modules of several different types of guest operating systems at the same time.
  • the following operations may also be performed to create a kernel space isolation mechanism for the target kernel module:
  • the VMM maps virtual address distribution information of the target kernel module to physical address distribution information according to a pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module selected to be isolated from among the N kernel modules inserted into the virtual machine kernel space, and N is a positive integer;
  • the VMM separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
  • the VMM marks a space page table of the virtual machine kernel space as a kernel space page table KPGT, and creates the MPGT based on the physical address distribution information, where the KPGT is used to support the operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE include the base kernel module in the virtual machine kernel space and the kernel modules other than the target kernel module among the N kernel modules.
  • FIG. 4 is a schematic flowchart of a data access method according to an embodiment of the present invention. As shown in FIG. 4, the data access method is described from one side of the VMM, and specifically includes the following steps:
  • the VMM maps virtual address distribution information of the target kernel module to physical address distribution information according to a pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module selected to be isolated from among the N kernel modules inserted into the virtual machine kernel space, and N is a positive integer;
  • the VMM separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
  • the VMM marks a space page table of the virtual machine kernel space as a kernel space page table KPGT, and creates the MPGT based on the physical address distribution information, where the KPGT is used to support the operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE include the base kernel module in the virtual machine kernel space and the kernel modules other than the target kernel module among the N kernel modules;
  • an access authority mapping of the target kernel module to the kernel data in the M-SPACE is created in the MPGT, so that the target kernel module has the right to access the kernel data in the M-SPACE;
  • the VMM captures a page table interrupt event, where the page table interrupt event is generated by the CPU after detecting the access request of the target kernel module for the kernel data in the kernel space K-SPACE and determining that no access authority mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolation space page table MPGT, where the virtual machine kernel space corresponding to the VMM includes the K-SPACE and the isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is configured to support operation of the target kernel module;
  • the VMM acquires a preset permission judgment policy corresponding to the page table interrupt event by using a pre-stored page table interrupt function, and acquires virtual address distribution information of the kernel data in the K-SPACE;
  • the VMM determines an event type of the page table interrupt event.
  • the VMM determines, according to the preset permission determination policy, the virtual address distribution information, and the event type, whether the target kernel module has permission to access kernel data in the K-SPACE.
  • the foregoing authority judgment policy may be preset and stored in the memory space by the user, and the event type corresponding to the page table interrupt event includes a data read type and a data write type.
  • for the data read type, the authority judgment policy may contain the following sub-policy for the kernel data in the K-SPACE: if the kernel data that the target kernel module requests to read through the memory management unit of the CPU is the interrupt vector table in the K-SPACE, the memory management unit rejects the current data read request of the target kernel module.
  • when the VMM determines, by using the pre-stored page table interrupt processing function, that the target kernel module has permission to access the kernel data in the K-SPACE, the VMM creates in the MPGT an access rights mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has access to the kernel data in the K-SPACE.
  • the VMM first captures the page table interrupt event; secondly, the VMM determines, through the pre-stored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE; finally, when the VMM determines through that function that the permission exists, the VMM creates in the MPGT an access authority mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has access to the kernel data in the K-SPACE.
  • since the page table interrupt event is generated when the CPU detects the access request of the target kernel module for the kernel data in the kernel space K-SPACE and determines that no access rights mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolated space page table MPGT, it can be seen that the target kernel module has no permission to directly access the kernel data in the K-SPACE. This prevents the target kernel module from accessing kernel data in the K-SPACE while its security is unknown, which helps to improve the security of system kernel data access.
  • the VMM, which has a higher privilege level, is isolated from the virtual machine in execution permission, and is not directly attacked by the virtual machine.
  • because the VMM is independent of the guest platform, it can isolate kernel modules of several different types of guest operating systems at the same time.
  • the VMM may also perform the following operations:
  • the VMM obtains the virtual address distribution information of the target kernel module in the virtual machine kernel space, sent by the client proxy module in the virtual machine kernel space.
  • the client agent module is located in the K-SPACE and is configured to obtain the virtual address distribution information of the target kernel module in the virtual machine kernel space and to send the obtained virtual address distribution information to the VMM, so that the VMM establishes an isolated address space for the target kernel module based on that virtual address distribution information.
  • the specific implementation manners for obtaining the virtual address distribution information by the foregoing client agent include the following two types:
  • the client agent module intercepts the related system call invoked when the target kernel module is inserted; when that system call is detected, the client agent module obtains the virtual address distribution information {virt1, virt2} of the target kernel module after it has been loaded into the virtual machine kernel space.
  • the Windows virtual machine can obtain a memory image insertion event in the virtual machine by registering a callback function, and determine whether the target kernel module is loaded into the virtual machine kernel space according to the image name.
  • when the client proxy module detects that the target kernel module has started running in the virtual machine, the proxy module needs to traverse the kernel module linked list in the virtual machine kernel space to obtain the virtual address distribution information {virt1, virt2} of the target kernel module in the virtual machine kernel space.
  • the client agent module is located in the K-SPACE, while the target kernel module runs in the M-SPACE, a different kernel space; the client agent module therefore cannot be attacked by the target kernel module, which is beneficial to further improving the security of the system kernel.
  • the VMM may further perform the following operations:
  • the VMM deletes the access authority mapping of the kernel modules in the K-SPACE to the kernel data in the M-SPACE stored in the KPGT, so that the kernel modules in the K-SPACE cannot directly access the kernel data in the M-SPACE, which further enhances the security of system kernel data access.
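As an added illustration (not code from the patent or its applicant), the following Python model shows the data-access behaviour described for FIG. 4: the target kernel module runs under the MPGT, a missing mapping raises a page table interrupt, the VMM's handler applies a permission judgment policy keyed on the address and the event type before creating the mapping, and the K-SPACE modules' access to M-SPACE data is deleted from the KPGT. The address layout and the concrete policy (reads of the interrupt vector table refused, writes to the K-SPACE refused) are constructed assumptions.

```python
"""Model of MPGT/KPGT data-access isolation. Added example; the address layout
and the permission judgment policy are constructed, not taken from the patent."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

READ, WRITE = "read", "write"
PAGE = 0x1000

# Constructed guest-physical layout of the virtual machine kernel space.
M_SPACE = range(0x10000, 0x14000)   # target kernel module and the MPGT
K_SPACE = range(0x20000, 0x30000)   # base kernel, other modules and the KPGT
IVT = range(0x20000, 0x21000)       # interrupt vector table inside the K-SPACE


def page_of(addr: int) -> int:
    return addr & ~(PAGE - 1)


class PageTableInterrupt(Exception):
    """Raised by the modelled MMU when the loaded page table has no mapping."""


@dataclass
class PageTable:
    name: str
    entries: Dict[int, Set[str]] = field(default_factory=dict)  # page -> access types

    def map_range(self, r: range, perms: Set[str]) -> None:
        for page in range(r.start, r.stop, PAGE):
            self.entries.setdefault(page, set()).update(perms)

    def unmap_range(self, r: range) -> None:
        for page in range(r.start, r.stop, PAGE):
            self.entries.pop(page, None)

    def permits(self, addr: int, kind: str) -> bool:
        return kind in self.entries.get(page_of(addr), set())


def mmu_access(pt: PageTable, addr: int, kind: str) -> bool:
    """The CPU's check: no mapping for this access means a page table interrupt."""
    if not pt.permits(addr, kind):
        raise PageTableInterrupt(pt.name, hex(addr), kind)
    return True


@dataclass
class VMM:
    mpgt: PageTable
    kpgt: PageTable
    log: List[Tuple[str, str, str]] = field(default_factory=list)

    def policy_allows(self, addr: int, kind: str) -> bool:
        """Constructed permission judgment policy, keyed on address and event type:
        the target module may read K-SPACE data except the interrupt vector table,
        and may not write K-SPACE data at all."""
        if kind == WRITE:
            return False
        return addr not in IVT

    def page_table_interrupt_handler(self, addr: int, kind: str) -> bool:
        """Pre-stored handler: decide, then create the MPGT mapping if permitted."""
        allowed = self.policy_allows(addr, kind)
        self.log.append((hex(addr), kind, "allow" if allowed else "deny"))
        if allowed:
            self.mpgt.map_range(range(page_of(addr), page_of(addr) + PAGE), {kind})
        return allowed


def build_vmm() -> VMM:
    mpgt = PageTable("MPGT")
    mpgt.map_range(M_SPACE, {READ, WRITE})     # the target module's own space
    kpgt = PageTable("KPGT")
    kpgt.map_range(K_SPACE, {READ, WRITE})
    kpgt.map_range(M_SPACE, {READ, WRITE})     # whole kernel space, as before separation
    kpgt.unmap_range(M_SPACE)                  # VMM deletes K-SPACE access to M-SPACE data
    return VMM(mpgt, kpgt)


def target_module_access(vmm: VMM, addr: int, kind: str) -> bool:
    """Access by the target module under the MPGT; True if it finally succeeds."""
    try:
        return mmu_access(vmm.mpgt, addr, kind)
    except PageTableInterrupt:
        if vmm.page_table_interrupt_handler(addr, kind):
            return mmu_access(vmm.mpgt, addr, kind)   # retry with the new mapping
        return False


def kspace_module_access(vmm: VMM, addr: int, kind: str) -> bool:
    """Access by a kernel module in the K-SPACE under the KPGT (no VMM fix-up here)."""
    try:
        return mmu_access(vmm.kpgt, addr, kind)
    except PageTableInterrupt:
        return False
```

Once the handler has mapped a K-SPACE page into the MPGT, later accesses of the same type to that page no longer trap, which is the point of creating the mapping rather than emulating each access.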
  • FIG. 5 is a schematic flowchart of a code invoking method according to an embodiment of the present invention. As shown in FIG. 5, the code calling method is described from one side of the VMM, and specifically includes the following steps:
  • the virtual machine monitor VMM captures a page table interrupt event, where the page table interrupt event is generated by the central processing unit CPU after detecting the call request of the target kernel module for the kernel code in the kernel space K-SPACE and determining that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolation space page table MPGT, where the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support operation of the target kernel module;
  • a call permission mapping of the target kernel module to the kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to invoke the kernel code in the M-SPACE.
  • the VMM determines, by using a pre-stored page table interrupt processing function, whether the target kernel module has permission to invoke the kernel code in the K-SPACE.
  • the VMM determines, by using the pre-stored page table interrupt processing function, whether the target kernel module has permission to invoke the kernel code in the K-SPACE as follows:
  • the VMM acquires a preset permission judgment policy corresponding to the page table interrupt event by using the pre-stored page table interrupt function, and obtains virtual address distribution information of the kernel code in the K-SPACE;
  • the VMM determines, according to the obtained preset permission judgment policy and the virtual address distribution information, whether the target kernel module has permission to access the kernel code in the K-SPACE.
  • when the VMM determines, by using the pre-stored page table interrupt processing function, that the target kernel module has permission to invoke the kernel code in the K-SPACE, the VMM, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, performs a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolated space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the K-STACK after switching.
  • the specific implementation manner of the VMM performing the page table switching operation is:
  • the VMM switches the page table currently loaded by the VMM from the MPGT to a kernel space page table KPGT, where the KPGT is used to support operation of the kernel modules in the K-SPACE, and the K-SPACE includes the basic kernel module in the virtual machine kernel space, the kernel modules other than the target kernel module among the N kernel modules inserted in the virtual machine kernel space, and the KPGT, where N is greater than 1.
  • the VMM copies, from the M-STACK to the K-STACK, the code parameters to be passed to the kernel code in the K-SPACE and the return address RIP of the call to the kernel code in the K-SPACE;
  • the VMM switches the stack currently used by the virtual machine kernel space from the esp-old location to the esp-new location, where the esp-old location is the storage location of the RIP in the M-STACK, and the esp-new location is the storage location of the RIP in the K-STACK.
  • the VMM first captures the page table interrupt event; secondly, when the VMM determines, through the pre-stored page table interrupt processing function, that the target kernel module has permission to invoke the kernel code in the K-SPACE, the VMM, based on the call permission mapping of the target kernel module to the kernel code in the K-SPACE, performs a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolated space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module invokes the kernel code in the K-SPACE based on the K-STACK after the switch.
  • since the page table interrupt event is generated when the CPU detects the call request of the target kernel module for the kernel code in the kernel space K-SPACE and determines that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolated space page table MPGT, it can be seen that the target kernel module has no permission to directly call the kernel code in the K-SPACE. This prevents the target kernel module from inadvertently calling kernel code in the K-SPACE while its security is unknown, which is beneficial to the security of system kernel code calls.
  • the VMM, which has a higher privilege level, is isolated from the virtual machine in execution permission, and is not directly attacked by the virtual machine.
  • because the VMM is independent of the guest platform, it can isolate kernel modules of several different types of guest operating systems at the same time.
  • the following operations may also be performed to create an isolation mechanism for the target kernel module:
  • the VMM maps virtual address distribution information of the target kernel module to physical address distribution information according to a pre-stored space page table of the virtual machine kernel space, where the target kernel module is inserted from the virtual machine kernel space a kernel module selected from the N kernel modules to be isolated, wherein N is a positive integer greater than one;
  • the VMM separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
  • the VMM marks the space page table of the virtual machine kernel space as a kernel space page table KPGT, and creates the MPGT based on the physical address distribution information.
  • FIG. 6 is a schematic flowchart of a code invoking method according to an embodiment of the present invention. As shown in FIG. 6 , the code calling method is described from one side of the VMM, and specifically includes the following steps:
  • the virtual machine monitor VMM captures a page table interrupt event, where the page table interrupt event is generated by the central processing unit CPU after detecting the call request of the target kernel module for the kernel code in the kernel space K-SPACE and determining that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolation space page table MPGT, where the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolated space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is configured to support operation of the target kernel module;
  • a call permission mapping of the target kernel module to the kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to invoke the kernel code in the M-SPACE.
  • the VMM acquires a preset permission judgment policy corresponding to the page table interrupt event by using a pre-stored page table interrupt function, and acquires virtual address distribution information of the kernel code in the K-SPACE;
  • the VMM determines, according to the obtained preset permission judgment policy and the virtual address distribution information, whether the target kernel module has permission to access the kernel code in the K-SPACE;
  • when the VMM determines, by using the pre-stored page table interrupt processing function, that the target kernel module has permission to invoke the kernel code in the K-SPACE, the VMM, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, performs a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolated space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the K-STACK after switching.
  • the specific implementation manner of the VMM performing the page table switching operation is:
  • the VMM switches the page table currently loaded by the VMM from the MPGT to a kernel space page table KPGT, where the KPGT is used to support operation of the kernel modules in the K-SPACE, and the K-SPACE includes the basic kernel module in the virtual machine kernel space, the kernel modules other than the target kernel module among the N kernel modules inserted in the virtual machine kernel space, and the KPGT, where N is greater than 1.
  • the VMM copies, from the M-STACK to the K-STACK, the code parameters to be passed to the kernel code in the K-SPACE and the return address RIP of the call to the kernel code in the K-SPACE;
  • the VMM switches the stack currently used by the virtual machine kernel space from the esp-old location to the esp-new location, where the esp-old location is the storage location of the RIP in the M-STACK, and the esp-new location is the storage location of the RIP in the K-STACK.
  • the VMM first captures the page table interrupt event; secondly, when the VMM determines, through the pre-stored page table interrupt processing function, that the target kernel module has permission to invoke the kernel code in the K-SPACE, the VMM, based on the call permission mapping of the target kernel module to the kernel code in the K-SPACE, performs a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolated space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module invokes the kernel code in the K-SPACE based on the K-STACK after the switch.
  • since the page table interrupt event is generated after the CPU detects the call request of the target kernel module for the kernel code in the kernel space K-SPACE and determines that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolated space page table MPGT, it can be seen that the target kernel module has no permission to directly call the kernel code in the K-SPACE. This prevents the target kernel module from inadvertently calling kernel code in the K-SPACE while its security is unknown, which is beneficial to improving the security of system kernel code calls.
  • the VMM, which has a higher privilege level, is isolated from the virtual machine in execution permission, and is not directly attacked by the virtual machine.
  • because the VMM is independent of the guest platform, it can isolate kernel modules of several different types of guest operating systems at the same time.
  • the following operations may also be performed to create an isolation mechanism for the target kernel module:
  • the VMM maps virtual address distribution information of the target kernel module to physical address distribution information according to a pre-stored space page table of the virtual machine kernel space, where the target kernel module is inserted from the virtual machine kernel space a kernel module selected from the N kernel modules to be isolated, wherein N is a positive integer greater than one;
  • the VMM separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
  • the VMM marks the space page table of the virtual machine kernel space as a kernel space page table KPGT, and creates the MPGT based on the physical address distribution information.
  • FIG. 7 is a schematic flowchart of a code invoking method according to an embodiment of the present invention. As shown in FIG. 7, the code calling method is described from one side of a VMM, and specifically includes the following steps:
  • the VMM maps virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module selected to be isolated from among the N kernel modules inserted into the virtual machine kernel space, and N is a positive integer greater than one;
  • the VMM separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
  • the VMM marks the space page table of the virtual machine kernel space as a kernel space page table KPGT, and creates the MPGT based on the physical address distribution information;
  • a call permission mapping of the target kernel module to the kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to invoke the kernel code in the M-SPACE.
  • the virtual machine monitor VMM captures a page table interrupt event, where the page table interrupt event is generated by the central processing unit CPU after detecting the call request of the target kernel module for the kernel code in the kernel space K-SPACE and determining that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolation space page table MPGT, where the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolated space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is configured to support operation of the target kernel module;
  • the VMM determines, by using a pre-stored page table interrupt processing function, whether the target kernel module has permission to invoke the kernel code in the K-SPACE.
  • when the VMM determines, by using the pre-stored page table interrupt processing function, that the target kernel module has permission to invoke the kernel code in the K-SPACE, the VMM, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, performs a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolated space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the K-STACK after switching.
  • the specific implementation manner of the VMM performing the page table switching operation is:
  • the VMM switches the page table currently loaded by the VMM from the MPGT to a kernel space page table KPGT, where the KPGT is used to support operation of the kernel modules in the K-SPACE, and the K-SPACE includes the basic kernel module in the virtual machine kernel space, the kernel modules other than the target kernel module among the N kernel modules inserted in the virtual machine kernel space, and the KPGT, where N is greater than 1.
  • the VMM copies, from the M-STACK to the K-STACK, the code parameters to be passed to the kernel code in the K-SPACE and the return address RIP of the call to the kernel code in the K-SPACE;
  • the VMM switches the stack currently used by the virtual machine kernel space from the esp-old location to the esp-new location, where the esp-old location is the storage location of the RIP in the M-STACK, and the esp-new location is the storage location of the RIP in the K-STACK.
  • the VMM first captures the page table interrupt event; secondly, when the VMM determines, through the pre-stored page table interrupt processing function, that the target kernel module has permission to invoke the kernel code in the K-SPACE, the VMM, based on the call permission mapping of the target kernel module to the kernel code in the K-SPACE, performs a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolated space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the switched K-STACK.
  • since the page table interrupt event is generated after the CPU detects the call request of the target kernel module for the kernel code in the kernel space K-SPACE and determines that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolated space page table MPGT, it can be seen that the target kernel module has no permission to directly call the kernel code in the K-SPACE. This prevents the target kernel module from inadvertently calling kernel code in the K-SPACE while its security is unknown, which is beneficial to improving the security of system kernel code calls.
  • the VMM, which has a higher privilege level, is isolated from the virtual machine in execution permission, and is not directly attacked by the virtual machine.
  • because the VMM is independent of the guest platform, it can isolate kernel modules of several different types of guest operating systems at the same time.
  • after the target kernel module in step S706 calls the kernel code in the K-SPACE based on the stack switched to the K-STACK, the code execution flow needs to return from the K-SPACE to the target kernel module, which includes the following process:
  • the CPU executing the kernel module to which the kernel code in the K-SPACE belongs executes the ret instruction, requesting a return to the target kernel module;
  • the memory management module in the CPU detects the ret instruction and determines whether a call permission mapping of the kernel module in the K-SPACE to the kernel code in the target kernel module has been created in the KPGT;
  • the memory management module in the CPU determines that no call permission mapping of the kernel module in the K-SPACE to the kernel code in the target kernel module has been created in the KPGT, and generates a page table interrupt event M3.
  • the VMM captures the page table interrupt event M3, responds to it, and determines, through the pre-stored page table interrupt processing function, whether the kernel module in the K-SPACE has permission to call the kernel code of the target kernel module; if it determines that the permission exists, the VMM creates in the KPGT a call permission mapping of the kernel module in the K-SPACE to the kernel code of the target kernel module, switches the currently loaded page table from the KPGT to the MPGT, and performs a stack switching operation to switch the stack loaded by the virtual machine kernel space back from the kernel space stack K-STACK to the isolated space stack M-STACK.
  • the execution flow thus returns to the M-SPACE, and the kernel code of the target kernel module can continue to be executed.
  • the VMM may further perform the following operations: the VMM deletes the kernel in the K-SPACE stored in the KPGT and the kernel in the M-SPACE The call permission mapping for the code.
  • the VMM deletes the call permission mapping of the kernel code in the M-SPACE of the kernel module in the K-SPACE stored in the KPGT
  • the kernel module in the K-SPACE requests to call the kernel code in the target kernel module.
  • the specific execution process is as follows:
  • the CPU detects the code call instruction issued by the kernel module in the K-SPACE for the kernel code in the target kernel module, and determines whether a call permission mapping of the kernel module in the K-SPACE to the kernel code of the target kernel module has been created in the KPGT;
  • the CPU determines that the KPGT does not contain a call permission mapping of the kernel module in the K-SPACE to the kernel code of the target kernel module, and generates a page table interrupt event M1;
  • the VMM captures the above page table interrupt event M1, and determines, through the pre-stored page table interrupt processing function, whether the kernel module in the K-SPACE has permission to call the kernel code of the target kernel module. If it is determined that there is permission, the VMM, according to the call permission mapping of the kernel module in the K-SPACE to the kernel code of the target kernel module, switches the page table currently loaded by the VMM from the KPGT to the MPGT, and performs a stack switch operation to switch the stack loaded by the virtual machine kernel space from the kernel space stack K-STACK to the isolated space stack M-STACK.
  • the system code execution flow is now in M-SPACE, and the kernel code of the target kernel module is executed.
  • the virtual machine code calling execution process needs to return from the target kernel module to the K-SPACE, which includes the following steps:
  • the CPU detects the return (ret) instruction issued by the target kernel module, and determines whether a call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the MPGT;
  • the CPU determines that the call permission mapping of the target kernel module to the kernel code in the K-SPACE is not created in the MPGT, and generates a page table interrupt event M2;
  • the VMM captures the above page table interrupt event M2, and determines, through the pre-stored page table interrupt processing function, whether the target kernel module has permission to call the kernel code of the kernel module in the K-SPACE. If it is determined that there is permission, the VMM switches the page table currently loaded by the VMM from the MPGT to the KPGT and, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, performs a stack switch operation to switch the stack loaded by the virtual machine kernel space from the isolated space stack M-STACK to the kernel space stack K-STACK. At this time, the virtual machine code calling execution flow returns to the K-SPACE.
  • FIG. 8 is a schematic structural diagram of a VMM according to an embodiment of the present invention, which is used to control access of a target kernel module in an M-SPACE to kernel data in a K-SPACE. As shown in FIG. 8, the VMM includes an event capture unit 801, an authority determining unit 802, and a permission creation unit 803, where
  • the event capture unit 801 is configured to capture a page table interrupt event, the page table interrupt event being generated by the CPU after detecting an access request, sent by the target kernel module, for kernel data in the kernel space K-SPACE, and determining that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolated space page table MPGT, wherein the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolated space M-SPACE, the M-SPACE including the target kernel module and the MPGT, the MPGT being used to support operation of the target kernel module;
  • an access permission mapping of the target kernel module to the kernel data in the M-SPACE is created in the MPGT, so that the target kernel module has permission to access the kernel data in the M-SPACE.
  • the authority determining unit 802 is configured to determine, by using a pre-stored page table interrupt processing function, whether the target kernel module has permission to access kernel data in the K-SPACE;
  • the permission creation unit 803 is configured to, when the authority determining unit determines through the pre-stored page table interrupt processing function that the target kernel module has permission to access kernel data in the K-SPACE, create in the MPGT an access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
  • the VMM first captures the page table interrupt event; secondly, the VMM determines, through the pre-stored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE; finally, when the VMM determines through the pre-stored page table interrupt processing function that the target kernel module has permission to access the kernel data in the K-SPACE, the VMM creates in the MPGT an access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
  • since the CPU generates the page table interrupt event after detecting the access request for the kernel data in the kernel space K-SPACE sent by the target kernel module and determining that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolated space page table MPGT, it can be seen that the target kernel module has no permission to directly access the kernel data in the K-SPACE; this prevents the target kernel module from accessing kernel data in the K-SPACE whose security is unknown, and helps to improve the security of system kernel data access.
  • the VMM, which has a higher privilege level, is isolated from the virtual machine in execution permission and is not directly attacked by the virtual machine.
  • the VMM has guest platform independence, so it can isolate kernel modules of several different types of guest operating systems at the same time.
  • the foregoing authority determining unit 802 is specifically configured to:
  • the foregoing VMM further includes:
  • an address mapping unit, configured to map virtual address distribution information of the target kernel module to physical address distribution information according to a pre-stored space page table of the virtual machine kernel space before the event capture unit captures a page table interrupt event, where the target kernel module is a kernel module selected from N kernel modules inserted in the virtual machine kernel space, and N is a positive integer;
  • a space separating unit, configured to separate the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
  • a page table creation unit, configured to mark a space page table of the virtual machine kernel space as a kernel space page table KPGT, and create the MPGT based on the physical address distribution information, wherein the KPGT is used to support operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE include a base kernel module in the virtual machine kernel space and the kernel modules other than the target kernel module among the N kernel modules.
  • FIG. 9 is a schematic structural diagram of a VMM according to an embodiment of the present invention, for controlling a call by a target kernel module in an M-SPACE to kernel code in a K-SPACE. As shown in FIG. 9, the VMM includes:
  • an event capture unit 901, an authority determining unit 902, and a switching unit 903, where
  • the event capture unit 901 is configured to capture a page table interrupt event, the page table interrupt event being generated by the central processing unit CPU after detecting a call request of the target kernel module for kernel code in the kernel space K-SPACE, and determining that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolated space page table MPGT, wherein the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolated space M-SPACE, the M-SPACE including the target kernel module and the MPGT, the MPGT being used to support operation of the target kernel module;
  • a call permission mapping of the target kernel module to the kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to invoke the kernel code in the M-SPACE.
  • the authority determining unit 902 is configured to determine, by using a pre-stored page table interrupt processing function, whether the target kernel module has permission to invoke the kernel code in the K-SPACE;
  • the switching unit 903 is configured to: when the authority determining unit determines, by using the pre-stored page table interrupt processing function, that the target kernel module has permission to invoke the kernel code in the K-SPACE, perform, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolated space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the K-STACK after the switch.
  • the VMM first captures the page table interrupt event; secondly, when the VMM determines through the pre-stored page table interrupt processing function that the target kernel module has permission to call the kernel code in the K-SPACE, the VMM performs, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolated space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module invokes the kernel code in the K-SPACE based on the K-STACK after the switch.
  • since the page table interrupt event is generated after the CPU detects the call request of the target kernel module for the kernel code in the kernel space K-SPACE and determines that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolated space page table MPGT, it can be seen that the target kernel module has no permission to directly call the kernel code in the K-SPACE; this prevents the target kernel module from inadvertently calling kernel code in the K-SPACE whose security is unknown, and is beneficial to improving the security of system kernel code calls.
  • the VMM, which has a higher privilege level, is isolated from the virtual machine in execution permission and is not directly attacked by the virtual machine.
  • the VMM has guest platform independence, so it can isolate kernel modules of several different types of guest operating systems at the same time.
  • the foregoing authority determining unit 902 is specifically configured to:
  • the foregoing switching unit 903 is specifically configured to:
  • switching the page table currently loaded by the VMM from the MPGT to the kernel space page table KPGT, wherein the KPGT is configured to support operation of the kernel modules in the K-SPACE, and the K-SPACE includes the base kernel module in the virtual machine kernel space, the kernel modules other than the target kernel module among the N kernel modules inserted in the virtual machine kernel space, and the KPGT, where N is a positive integer greater than 1.
  • the foregoing switching unit 903 is specifically configured to:
  • the foregoing VMM further includes:
  • an address mapping unit, configured to: before the event capture unit captures the page table interrupt event, map the virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module selected from N kernel modules inserted in the virtual machine kernel space, and N is a positive integer greater than 1;
  • a space separating unit, configured to separate the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
  • a page table creation unit, configured to mark a space page table of the virtual machine kernel space as a kernel space page table KPGT, and create the MPGT based on the physical address distribution information.
  • FIG. 10 is a schematic structural diagram of a VMM according to an embodiment of the present invention.
  • the VMM may include: at least one processor 1001, such as a CPU, at least one memory 1002, and at least one communication bus 1003.
  • the communication bus 1003 is used to implement connection and communication between the processor 1001 and the memory 1002, wherein the memory 1002 may include a high-speed RAM memory, and may also include a non-volatile memory, such as at least one disk memory.
  • the memory 1002 stores the following elements (executable modules or data structures, or a subset of them, or their extended set):
  • An operating system 10021 including various system programs for implementing various basic services and processing hardware-based tasks;
  • the application 10022 includes various applications such as a device control service program and a device identification service program for implementing various application services.
  • the processor 1001 is configured to invoke a program stored in the memory 1002 to perform the following operations:
  • the processor 1001 captures a page table interrupt event, the page table interrupt event being generated by the CPU after detecting the access request, sent by the target kernel module, for the kernel data in the kernel space K-SPACE, and determining that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolated space page table MPGT, wherein the virtual machine kernel space corresponding to the VMM includes the K-SPACE and the isolated space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is configured to support operation of the target kernel module;
  • an access permission mapping of the target kernel module to the kernel data in the M-SPACE is created in the MPGT, so that the target kernel module has permission to access the kernel data in the M-SPACE.
  • the processor 1001 determines, by using a pre-stored page table interrupt processing function, whether the target kernel module has permission to access kernel data in the K-SPACE;
  • when the pre-stored page table interrupt processing function determines that the target kernel module has permission to access the kernel data in the K-SPACE, the processor 1001 creates in the MPGT an access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
  • the VMM first captures the page table interrupt event; secondly, the VMM determines, through the pre-stored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE; finally, when the VMM determines through the pre-stored page table interrupt processing function that the target kernel module has permission to access the kernel data in the K-SPACE, the VMM creates in the MPGT an access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
  • since the CPU generates the page table interrupt event after detecting the access request for the kernel data in the kernel space K-SPACE sent by the target kernel module and determining that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolated space page table MPGT, it can be seen that the target kernel module has no permission to directly access the kernel data in the K-SPACE; this prevents the target kernel module from accessing kernel data in the K-SPACE whose security is unknown, and helps to improve the security of system kernel data access.
  • the VMM, which has a higher privilege level, is isolated from the virtual machine in execution permission and is not directly attacked by the virtual machine.
  • the VMM has guest platform independence, so it can isolate kernel modules of several different types of guest operating systems at the same time.
  • the processor 1001 determines, by using a pre-stored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE as follows: the processor 1001 first acquires, by using the pre-stored page table interrupt function, the preset permission judgment policy corresponding to the page table interrupt event, and acquires the virtual address distribution information of the kernel data in the K-SPACE; secondly, the processor 1001 determines the event type of the page table interrupt event; finally, the processor 1001 determines, according to the preset permission judgment policy, the virtual address distribution information, and the event type, whether the target kernel module has permission to access the kernel data in the K-SPACE.
  • the following operations may also be performed to create a kernel space isolation mechanism for the target kernel module:
  • the processor 1001 maps virtual address distribution information of the target kernel module to physical address distribution information according to a pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module that needs to be isolated, selected from the N kernel modules inserted in the virtual machine kernel space, and N is a positive integer;
  • the processor 1001 separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
  • the processor 1001 marks a space page table of the virtual machine kernel space as a kernel space page table KPGT, and creates the MPGT based on the physical address distribution information, wherein the KPGT is used to support operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE include a base kernel module in the virtual machine kernel space and the kernel modules other than the target kernel module among the N kernel modules.
  • FIG. 11 is a schematic structural diagram of a code invoking device according to an embodiment of the present invention.
  • the code invoking device may include: at least one processor 1001, such as a CPU, at least one memory 1002, and at least one communication bus 1003.
  • the communication bus 1003 is used to implement connection and communication between the processor 1001 and the memory 1002, wherein the memory 1002 may include a high-speed RAM memory, and may also include a non-volatile memory, such as at least one magnetic disk storage.
  • the memory 1002 stores the following elements (executable modules or data structures, or a subset of them, or their extended set):
  • An operating system 10021 including various system programs for implementing various basic services and processing hardware-based tasks;
  • the application 10022 includes various applications such as a device control service program and a device identification service program for implementing various application services.
  • the processor 1001 is configured to invoke a program stored in the memory 1002 to perform the following operations:
  • the processor 1001 captures a page table interrupt event, the page table interrupt event being generated by the central processing unit CPU after detecting the call request of the target kernel module for the kernel code in the kernel space K-SPACE, and determining that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolated space page table MPGT, wherein the virtual machine kernel space corresponding to the VMM includes the K-SPACE and the isolated space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support operation of the target kernel module;
  • a call permission mapping of the target kernel module to the kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to invoke the kernel code in the M-SPACE.
  • the processor 1001 determines, by using a pre-stored page table interrupt processing function, whether the target kernel module has permission to invoke the kernel code in the K-SPACE;
  • when the VMM determines, by the pre-stored page table interrupt processing function, that the target kernel module has permission to invoke the kernel code in the K-SPACE, the processor 1001 performs, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolated space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the K-STACK after the switch.
  • the VMM first captures the page table interrupt event; secondly, when the VMM determines through the pre-stored page table interrupt processing function that the target kernel module has permission to invoke the kernel code in the K-SPACE, the VMM performs, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolated space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module invokes the kernel code in the K-SPACE based on the K-STACK after the switch.
  • since the page table interrupt event is generated after the CPU detects the call request of the target kernel module for the kernel code in the kernel space K-SPACE and determines that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolated space page table MPGT, it can be seen that the target kernel module has no permission to directly call the kernel code in the K-SPACE; this prevents the target kernel module from inadvertently calling kernel code in the K-SPACE whose security is unknown, and is beneficial to improving the security of system kernel code calls.
  • the VMM, which has a higher privilege level, is isolated from the virtual machine in execution permission and is not directly attacked by the virtual machine.
  • the VMM has guest platform independence, so it can isolate kernel modules of several different types of guest operating systems at the same time.
  • the following operations may also be performed to create an isolation mechanism for the target kernel module:
  • the processor 1001 maps virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module that needs to be isolated, selected from the N kernel modules inserted in the virtual machine kernel space, and N is a positive integer greater than one;
  • the processor 1001 separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
  • the processor 1001 marks the space page table of the virtual machine kernel space as a kernel space page table KPGT, and creates the MPGT based on the physical address distribution information.
  • the processor 1001 determines, by using a pre-stored page table interrupt processing function, whether the target kernel module has permission to invoke the kernel code in the K-SPACE as follows: the processor 1001 obtains, by using the pre-stored page table interrupt function, the preset permission judgment policy corresponding to the page table interrupt event, and obtains the virtual address distribution information of the kernel code in the K-SPACE; it then determines, according to the obtained preset permission judgment policy and the virtual address distribution information, whether the target kernel module has permission to call the kernel code in the K-SPACE.
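As an added example that is not code from the patent, the following C model reproduces the decision rule described here and in the data access case above (preset permission judgment policy, virtual address distribution information and event type), together with a minimal MPGT so that an access without a mapping raises the page table interrupt and a granted access leaves a mapping behind. The region names, addresses, policy entries and function names are constructed assumptions for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Event type of a page table interrupt: what the target kernel module attempted
 * on the faulting K-SPACE address (a bitmask, so a policy can allow several). */
typedef enum { EV_READ = 1u, EV_WRITE = 2u, EV_EXEC = 4u } pt_event_t;

/* One K-SPACE region from the virtual address distribution information, with
 * the preset permission judgement policy for it (allowed event types). */
typedef struct {
    const char *name;
    uint64_t start, end;   /* [start, end), virtual addresses */
    unsigned allowed;      /* bitmask of pt_event_t */
} k_region_t;

/* Constructed layout and policy: hypothetical addresses, not from the patent. */
static const k_region_t k_space[] = {
    { "kernel_text",   0xffffffff81000000ULL, 0xffffffff81800000ULL, EV_EXEC },
    { "kernel_rodata", 0xffffffff81800000ULL, 0xffffffff81a00000ULL, EV_READ },
    { "kernel_data",   0xffffffff81a00000ULL, 0xffffffff82000000ULL, EV_READ | EV_WRITE },
};

typedef enum { DENY = 0, GRANT_DATA_MAPPING = 1, GRANT_CODE_CALL = 2 } decision_t;

static const k_region_t *find_region(uint64_t vaddr) {
    for (size_t i = 0; i < sizeof k_space / sizeof k_space[0]; i++)
        if (vaddr >= k_space[i].start && vaddr < k_space[i].end)
            return &k_space[i];
    return NULL;
}

/* Pre-stored page table interrupt processing function: policy, address
 * distribution information and event type give the decision. An allowed data
 * event leads to an access permission mapping in the MPGT; an allowed code
 * call leads to the page table switch (MPGT -> KPGT) and stack switch instead. */
decision_t vmm_pt_interrupt_handler(uint64_t fault_vaddr, pt_event_t ev) {
    const k_region_t *r = find_region(fault_vaddr);
    if (r == NULL || (r->allowed & ev) == 0)
        return DENY;                      /* unknown address or event not allowed */
    return ev == EV_EXEC ? GRANT_CODE_CALL : GRANT_DATA_MAPPING;
}

/* Minimal MPGT model: only mappings the VMM created exist, so any access to a
 * K-SPACE page without a matching mapping raises a page table interrupt. */
#define PAGE_SIZE 4096ULL
#define MPGT_MAX  32
typedef struct { uint64_t page; unsigned perms; } mpgt_entry_t;
static mpgt_entry_t mpgt[MPGT_MAX];
static size_t mpgt_len;

void mpgt_reset(void) { mpgt_len = 0; }

unsigned mpgt_perms(uint64_t vaddr) {
    uint64_t page = vaddr & ~(PAGE_SIZE - 1);
    for (size_t i = 0; i < mpgt_len; i++)
        if (mpgt[i].page == page) return mpgt[i].perms;
    return 0;
}

static bool mpgt_create_mapping(uint64_t vaddr, unsigned perms) {
    uint64_t page = vaddr & ~(PAGE_SIZE - 1);
    for (size_t i = 0; i < mpgt_len; i++)
        if (mpgt[i].page == page) { mpgt[i].perms |= perms; return true; }
    if (mpgt_len == MPGT_MAX) return false;
    mpgt[mpgt_len].page = page;
    mpgt[mpgt_len].perms = perms;
    mpgt_len++;
    return true;
}

typedef enum { ACCESS_DENIED = 0, ACCESS_MAPPED = 1, ACCESS_GRANTED_ON_FAULT = 2 } access_result_t;

/* One data access (read or write) by the target kernel module running under the
 * MPGT: no interrupt if a mapping exists, otherwise the VMM's decision rules. */
access_result_t target_module_data_access(uint64_t vaddr, pt_event_t ev) {
    if (mpgt_perms(vaddr) & ev)
        return ACCESS_MAPPED;             /* CPU finds the mapping: no interrupt */
    if (vmm_pt_interrupt_handler(vaddr, ev) != GRANT_DATA_MAPPING)
        return ACCESS_DENIED;             /* interrupt raised, VMM refuses */
    if (!mpgt_create_mapping(vaddr, ev))
        return ACCESS_DENIED;             /* MPGT model full */
    return ACCESS_GRANTED_ON_FAULT;       /* mapping created, access proceeds */
}

/* Scenario on one rodata page; returns how many of the 4 expected outcomes occur. */
int run_data_access_scenario(void) {
    const uint64_t ro = 0xffffffff81800100ULL;   /* inside kernel_rodata */
    int ok = 0;
    mpgt_reset();
    ok += target_module_data_access(ro, EV_READ) == ACCESS_GRANTED_ON_FAULT;
    ok += target_module_data_access(ro + 0x80, EV_READ) == ACCESS_MAPPED; /* same page */
    ok += target_module_data_access(ro, EV_WRITE) == ACCESS_DENIED;       /* read-only policy */
    ok += mpgt_perms(ro) == EV_READ;                                       /* denial left no trace */
    return ok;
}
```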
  • the processor 1001 performs the page table switching operation as follows: the processor 1001 switches the page table currently loaded by the VMM from the MPGT to the kernel space page table KPGT, wherein the KPGT is used to support operation of the kernel modules in the K-SPACE, and the K-SPACE includes a base kernel module in the virtual machine kernel space, the kernel modules other than the target kernel module among the N kernel modules inserted in the virtual machine kernel space, and the KPGT, where N is a positive integer greater than one.
  • the processor 1001 performs the stack switching operation as follows: the processor 1001 copies the code parameters stored in the M-STACK that are to be passed to the kernel code in the K-SPACE, together with the return address RIP for the call to the kernel code in the K-SPACE; writes the code parameters and the RIP into the K-STACK; and changes the stack pointer currently used by the virtual machine kernel space from the esp-old position to the esp-new position, wherein the esp-old position is the storage location of the RIP in the M-STACK, and the esp-new position is the storage location of the RIP in the K-STACK.
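The stack switching operation just described, as an added C model that is not part of the patent: M-STACK and K-STACK are arrays of 8-byte words, esp-old is the index of the RIP in M-STACK, and the VMM copies the RIP and the call parameters into K-STACK and returns esp-new. The stack-based parameter convention, stack sizes, sample values and function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STACK_WORDS 64

/* A guest stack modelled as an array of 8-byte words. Index STACK_WORDS-1 is
 * the highest address; esp is the index of the current top word and the stack
 * grows towards index 0, as on x86. */
typedef struct {
    uint64_t words[STACK_WORDS];
    size_t esp;
} vm_stack_t;

void stack_init(vm_stack_t *s) {
    memset(s->words, 0, sizeof s->words);
    s->esp = STACK_WORDS;              /* empty: no word below the top yet */
}

static bool stack_push(vm_stack_t *s, uint64_t v) {
    if (s->esp == 0) return false;
    s->words[--s->esp] = v;
    return true;
}

/* The target kernel module (in M-SPACE, running on M-STACK) issues a call into
 * K-SPACE. Assumed stack-based convention: parameters are pushed right-to-left,
 * then the CALL pushes the return address RIP. Returns esp-old, the index of the
 * RIP word in M-STACK, or SIZE_MAX if M-STACK overflows. */
size_t simulate_call_into_kspace(vm_stack_t *m_stack, const uint64_t *params,
                                 size_t nparams, uint64_t rip) {
    for (size_t i = nparams; i > 0; i--)
        if (!stack_push(m_stack, params[i - 1])) return SIZE_MAX;
    if (!stack_push(m_stack, rip)) return SIZE_MAX;
    return m_stack->esp;               /* esp-old: where RIP sits in M-STACK */
}

/* The VMM's stack switching operation: copy the RIP at esp-old and the nparams
 * parameters above it from M-STACK into K-STACK in the same layout, and return
 * esp-new, the index of the RIP in K-STACK, which becomes the new stack pointer.
 * Returns SIZE_MAX when the frame lies outside M-STACK or K-STACK has no room. */
size_t vmm_stack_switch(const vm_stack_t *m_stack, size_t esp_old,
                        size_t nparams, vm_stack_t *k_stack) {
    if (esp_old >= STACK_WORDS || nparams > STACK_WORDS - 1 - esp_old)
        return SIZE_MAX;               /* frame not fully inside M-STACK */
    if (k_stack->esp < nparams + 1)
        return SIZE_MAX;               /* K-STACK cannot hold the copied frame */
    for (size_t i = nparams; i > 0; i--)          /* parameters, highest first */
        stack_push(k_stack, m_stack->words[esp_old + i]);
    stack_push(k_stack, m_stack->words[esp_old]); /* the RIP last, on top */
    return k_stack->esp;               /* esp-new */
}

/* Worked scenario: returns 0 when every step behaves as described above, else
 * the number of the first step that did not. */
int run_stack_switch_scenario(void) {
    vm_stack_t m_stack, k_stack;
    const uint64_t params[2] = { 0x11, 0x22 };               /* constructed */
    const uint64_t rip = 0xffffffffa0001234ULL;              /* constructed */
    stack_init(&m_stack);
    stack_init(&k_stack);

    size_t esp_old = simulate_call_into_kspace(&m_stack, params, 2, rip);
    if (esp_old == SIZE_MAX || m_stack.words[esp_old] != rip) return 1;

    size_t esp_new = vmm_stack_switch(&m_stack, esp_old, 2, &k_stack);
    if (esp_new == SIZE_MAX || esp_new != k_stack.esp) return 2;
    if (k_stack.words[esp_new] != rip) return 3;             /* RIP copied */
    if (k_stack.words[esp_new + 1] != 0x11 ||
        k_stack.words[esp_new + 2] != 0x22) return 4;        /* params in order */
    if (m_stack.words[esp_old] != rip || m_stack.esp != esp_old) return 5; /* M-STACK untouched */

    /* Failure handling: a K-STACK with no room must be rejected, not corrupted. */
    vm_stack_t full;
    stack_init(&full);
    full.esp = 2;                                            /* only two words left */
    if (vmm_stack_switch(&m_stack, esp_old, 2, &full) != SIZE_MAX) return 6;
    if (full.esp != 2) return 7;
    return 0;
}
```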
  • the program may be stored in a computer-readable storage medium, and the storage medium may include: a flash disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Memory System Of A Hierarchy Structure (AREA)
  • Storage Device Security (AREA)

Abstract

A data access method, a code calling method, and a virtual machine monitor (VMM). The data access method comprises: a VMM captures a page table interrupt event (S201); the VMM determines via a prestored page table interrupt processing function whether or not a target kernel module has the permission to access kernel data in a K-SPACE (S202); when the VMM determines via the prestored page table interrupt processing function that the target kernel module has the permission to access the kernel data in the K-SPACE, the VMM creates in an MPGT a mapping of the permission of the target kernel module to access the kernel data in the K-SPACE, thus allowing the target kernel module to have the permission to access the kernel data in the K-SPACE (S203). The method facilitates increased security of system kernel data access and code calling.

Description

Data access method, code calling method and virtual machine monitor
The present invention claims priority of the prior application, Application No. 201510559382.6, filed on September 6, 2015 and entitled "A Data Access Method, Code Calling Method, and Virtual Machine Monitor", the contents of which are incorporated herein by reference.
Technical field
The invention relates to the technical field of computer memory management, and in particular to a data access method, a code calling method and a virtual machine monitor (VMM).
Background
Almost all modern operating systems support dynamic insertion and unloading of modules, which allows the operating system kernel to extend its functionality on demand. Once a target kernel module has been inserted into the operating system kernel, its behaviour is no longer monitored or restricted. The loaded target kernel module runs at the same privilege level as the operating system kernel, so it can arbitrarily call the code provided by the operating system kernel and modify operating system kernel data, which exposes the integrity of the operating system kernel to security threats.
Taking the addition of a driver module to the operating system kernel as an example: at present, developers generally add a driver isolation layer between the operating system kernel and the driver module in order to isolate the operating system kernel from the driver module. However, because this driver isolation layer is located in the operating system kernel space, at the same privilege level as the driver module, the driver module can modify the permission mapping in its own page table, and the modified permission mapping can disable the isolation function of the driver isolation layer, leaving the operating system in an unsafe state. In addition, because the driver isolation layer isolates the driver module of every kernel device, system performance is seriously affected.
发明内容Summary of the invention
本发明实施例提供一种数据访问方法、代码调用方法及VMM,以期提升系统内核数据访问和代码调用的安全性。The embodiment of the invention provides a data access method, a code calling method and a VMM, so as to improve the security of the system kernel data access and code calling.
本发明实施例第一方面公开了一种数据访问方法,包括:A first aspect of the embodiments of the present invention discloses a data access method, including:
虚拟机监视器VMM捕获页表中断事件,所述页表中断事件是由中央处理单元CPU在检测到目标内核模块发送的针对内核空间K-SPACE中的内核数据的访问请求之后、且判断出隔离空间页表MPGT中未创建所述目标内核模块对所述K-SPACE中的内核数据的访问权限映射的情况下产生的,其中,所述VMM对应的虚拟机内核空间包括所述K-SPACE和隔离空间M-SPACE,所述M-SPACE包括所述目标内核模块和所述MPGT,所述MPGT用于支持所述目标内核模块的运行;The virtual machine monitor VMM captures a page table interrupt event, which is determined by the central processing unit CPU after detecting the access request for the kernel data in the kernel space K-SPACE sent by the target kernel module. The virtual page kernel space corresponding to the kernel data in the K-SPACE is not created in the space page table MPGT, wherein the virtual machine kernel space corresponding to the VMM includes the K-SPACE and An isolation space M-SPACE, the M-SPACE including the target kernel module and the MPGT, the MPGT being used to support operation of the target kernel module;
所述VMM通过预存的页表中断处理函数判断所述目标内核模块是否有权限访问所述K-SPACE中的内核数据;The VMM determines, by using a pre-stored page table interrupt processing function, whether the target kernel module has permission to access kernel data in the K-SPACE;
When the VMM determines, by means of the pre-stored page table interrupt processing function, that the target kernel module has permission to access the kernel data in the K-SPACE, the VMM creates, in the MPGT, an access-right mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
In a first possible implementation of the first aspect of the embodiments of the present invention, the VMM judging, by means of the pre-stored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE includes:
the VMM obtaining, by means of the pre-stored page table interrupt function, a preset permission judgement policy corresponding to the page table interrupt event, and obtaining virtual address distribution information of the kernel data in the K-SPACE;
the VMM determining an event type of the page table interrupt event;
the VMM judging, according to the preset permission judgement policy, the virtual address distribution information and the event type, whether the target kernel module has permission to access the kernel data in the K-SPACE.
With reference to the first aspect of the embodiments of the present invention or the first possible implementation of the first aspect, in a second possible implementation of the first aspect of the embodiments of the present invention, before the VMM captures the page table interrupt event, the method further includes:
the VMM mapping, according to the pre-stored space page table of the virtual machine kernel space, the virtual address distribution information of the target kernel module to physical address distribution information, where the target kernel module is a kernel module that needs to be isolated, selected from N kernel modules inserted into the virtual machine kernel space, and N is a positive integer;
the VMM separating, based on the physical address distribution information, the virtual machine kernel space into the M-SPACE and the K-SPACE;
the VMM marking the space page table of the virtual machine kernel space as a kernel space page table KPGT, and creating the MPGT based on the physical address distribution information, where the KPGT is used to support the running of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE include the basic kernel modules of the virtual machine kernel space and the kernel modules, other than the target kernel module, among the N kernel modules.
With reference to the first aspect of the embodiments of the present invention or the first or second possible implementation of the first aspect, in a third possible implementation of the first aspect of the embodiments of the present invention, an access-right mapping of the target kernel module to the kernel data in the M-SPACE is created in the MPGT, so that the target kernel module has permission to access the kernel data in the M-SPACE.
A second aspect of the embodiments of the present invention discloses a VMM, including:
an event capture unit, configured to capture a page table interrupt event, where the page table interrupt event is generated by the CPU after it detects an access request, sent by a target kernel module, for kernel data in the kernel space K-SPACE and judges that no access-right mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolation space page table MPGT, where the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the running of the target kernel module;
a permission judgement unit, configured to judge, by means of a pre-stored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE;
a permission creation unit, configured to, when the permission judgement unit determines by means of the pre-stored page table interrupt processing function that the target kernel module has permission to access the kernel data in the K-SPACE, create in the MPGT an access-right mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
In a first possible implementation of the second aspect of the embodiments of the present invention, the permission judgement unit is specifically configured to:
obtain, by means of the pre-stored page table interrupt function, a preset permission judgement policy corresponding to the page table interrupt event, and obtain virtual address distribution information of the kernel data in the K-SPACE;
determine an event type of the page table interrupt event;
judge, according to the preset permission judgement policy, the virtual address distribution information and the event type, whether the target kernel module has permission to access the kernel data in the K-SPACE.
With reference to the second aspect of the embodiments of the present invention or the first possible implementation of the second aspect, in a second possible implementation of the second aspect of the embodiments of the present invention, the VMM further includes:
an address mapping unit, configured to, before the event capture unit captures the page table interrupt event, map, according to the pre-stored space page table of the virtual machine kernel space, the virtual address distribution information of the target kernel module to physical address distribution information, where the target kernel module is a kernel module that needs to be isolated, selected from N kernel modules inserted into the virtual machine kernel space, and N is a positive integer;
a space separation unit, configured to separate, based on the physical address distribution information, the virtual machine kernel space into the M-SPACE and the K-SPACE;
a page table creation unit, configured to mark the space page table of the virtual machine kernel space as a kernel space page table KPGT, and create the MPGT based on the physical address distribution information, where the KPGT is used to support the running of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE include the basic kernel modules of the virtual machine kernel space and the kernel modules, other than the target kernel module, among the N kernel modules.
With reference to the second aspect of the embodiments of the present invention or the first or second possible implementation of the second aspect, in a third possible implementation of the second aspect of the embodiments of the present invention, an access-right mapping of the target kernel module to the kernel data in the M-SPACE is created in the MPGT, so that the target kernel module has permission to access the kernel data in the M-SPACE.
In the embodiments of the present invention, the VMM first captures the page table interrupt event; next, the VMM judges, by means of the pre-stored page table interrupt processing function, whether the target kernel module has permission to access the kernel data in the K-SPACE; finally, when the VMM determines by means of the pre-stored page table interrupt processing function that the target kernel module has that permission, the VMM creates in the MPGT an access-right mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE. Because the page table interrupt event is generated by the CPU after it detects an access request sent by the target kernel module for kernel data in the kernel space K-SPACE and judges that no access-right mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolation space page table MPGT, the target kernel module evidently has no permission to access the kernel data in the K-SPACE directly. This prevents a target kernel module whose security is unknown from accessing kernel data in the K-SPACE at will, and helps improve the security of system kernel data access.
At the same time, because the VMM has higher running privilege than the virtual machine operating system, in a virtualized environment the higher-privileged VMM is isolated from the virtual machine in terms of execution privilege and cannot be attacked directly by the virtual machine.
At the same time, because the VMM is independent of the guest platform, it can isolate kernel modules of multiple guest operating systems of different types simultaneously.
A third aspect of the embodiments of the present invention discloses a code calling method, including:
a virtual machine monitor VMM capturing a page table interrupt event, where the page table interrupt event is generated by a central processing unit CPU after it detects a call request by a target kernel module for kernel code in the kernel space K-SPACE and judges that no call-right mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolation space page table MPGT, where the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the running of the target kernel module;
the VMM judging, by means of a pre-stored page table interrupt processing function, whether the target kernel module has permission to call the kernel code in the K-SPACE;
when the VMM determines, by means of the pre-stored page table interrupt processing function, that the target kernel module has permission to call the kernel code in the K-SPACE, the VMM performing, according to the call-right mapping of the target kernel module to the kernel code in the K-SPACE, a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the K-STACK after the switch.
In a first possible implementation of the third aspect of the embodiments of the present invention, the VMM judging, by means of the pre-stored page table interrupt processing function, whether the target kernel module has permission to call the kernel code in the K-SPACE includes:
the VMM obtaining, by means of the pre-stored page table interrupt function, a preset permission judgement policy corresponding to the page table interrupt event, and obtaining virtual address distribution information of the kernel code in the K-SPACE;
the VMM judging, according to the obtained preset permission judgement policy and the virtual address distribution information, whether the target kernel module has permission to access the kernel code in the K-SPACE.
With reference to the third aspect of the embodiments of the present invention or the first possible implementation of the third aspect, in a second possible implementation of the third aspect of the embodiments of the present invention, the VMM performing the page table switching operation includes:
the VMM switching the page table currently loaded by the VMM from the MPGT to the kernel space page table KPGT, where the KPGT is used to support the running of the kernel modules in the K-SPACE, and the K-SPACE includes the basic kernel modules of the virtual machine kernel space, the kernel modules, other than the target kernel module, among the N kernel modules inserted into the virtual machine kernel space, and the KPGT, where N is a positive integer greater than 1.
With reference to the third aspect of the embodiments of the present invention or the first or second possible implementation of the third aspect, in a third possible implementation of the third aspect of the embodiments of the present invention, the VMM performing the stack switching operation includes:
the VMM copying the code parameters stored in the M-STACK, which are used to pass arguments to the kernel code in the K-SPACE, and the return address RIP used for calling the kernel code in the K-SPACE;
the VMM writing the code parameters and the RIP into the K-STACK;
the VMM changing the stack currently used by the virtual machine kernel space from the esp-old position to the esp-new position, where the esp-old position is the storage position of the RIP in the M-STACK, and the esp-new position is the storage position of the RIP in the K-STACK.
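The page table switch and the three stack switch steps above, modelled in C as an added example; this is constructed illustration code, not the patent's or any hypervisor's implementation. The M-STACK and K-STACK are plain 64-bit word arrays that grow downward, the vCPU state is reduced to the loaded page table and a stack pointer into one of the two arrays, and all names (module_prepare_call, vmm_switch_to_kspace, STACK_WORDS, the sample parameters and return address) are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of the MPGT->KPGT page table switch and the
 * M-STACK->K-STACK stack switch. Stacks grow downward: the highest index is
 * the first slot pushed, and the stack pointer is a pointer into the array. */
#define STACK_WORDS 32

enum pgt { PGT_MPGT = 0, PGT_KPGT = 1 };

struct stack { uint64_t w[STACK_WORDS]; };

/* Guest vCPU state the VMM manipulates: loaded page table and esp. */
struct vcpu {
    enum pgt  loaded_pgt;
    uint64_t *esp;
};

/* M-SPACE side: the target kernel module pushes the code parameters and then
 * the return address RIP, as a call instruction would leave them on M-STACK.
 * Returns esp-old, the slot holding RIP (params[0] sits directly above it),
 * or NULL if the frame does not fit. */
uint64_t *module_prepare_call(struct stack *mstack, const uint64_t *params,
                              size_t nparams, uint64_t rip)
{
    if (nparams + 1 > STACK_WORDS)
        return NULL;
    uint64_t *sp = &mstack->w[STACK_WORDS];      /* empty stack: top of region */
    for (size_t i = nparams; i-- > 0; )
        *--sp = params[i];
    *--sp = rip;
    return sp;
}

/* VMM side, run from the page table interrupt handler once the call has been
 * judged permitted:
 *   1. switch the loaded page table from MPGT to KPGT;
 *   2. copy RIP and the nparams parameters from M-STACK (at esp-old) into
 *      K-STACK and move esp to esp-new, the K-STACK slot now holding RIP.
 * Returns 0 on success, -1 if there is no frame or it would not fit. */
int vmm_switch_to_kspace(struct vcpu *v, struct stack *kstack, size_t nparams)
{
    size_t frame = nparams + 1;                  /* parameters + RIP */
    if (v->esp == NULL || frame > STACK_WORDS)
        return -1;

    v->loaded_pgt = PGT_KPGT;                    /* page table switch */

    uint64_t *esp_old = v->esp;
    uint64_t *esp_new = &kstack->w[STACK_WORDS - frame];
    memcpy(esp_new, esp_old, frame * sizeof(uint64_t));   /* copy params + RIP */
    v->esp = esp_new;                            /* stack switch */
    return 0;
}

/* What the K-SPACE callee sees: RIP at esp, parameters above it. */
uint64_t callee_rip(const struct vcpu *v)             { return v->esp[0]; }
uint64_t callee_param(const struct vcpu *v, size_t i) { return v->esp[1 + i]; }

int main(void)
{
    struct stack mstack, kstack;
    memset(&mstack, 0, sizeof mstack);
    memset(&kstack, 0, sizeof kstack);
    const uint64_t params[] = { 0x11, 0x22, 0x33 };   /* constructed sample arguments */
    struct vcpu v = { PGT_MPGT, NULL };

    v.esp = module_prepare_call(&mstack, params, 3, 0xffffffff81000000ull);
    if (vmm_switch_to_kspace(&v, &kstack, 3) != 0)
        return 1;
    printf("pgt=%s rip=%#llx param0=%#llx\n",
           v.loaded_pgt == PGT_KPGT ? "KPGT" : "MPGT",
           (unsigned long long)callee_rip(&v),
           (unsigned long long)callee_param(&v, 0));
    return 0;
}
```

The point the model makes visible is that after the switch the callee's view (RIP at esp, parameters above it) is identical to what a direct call would have produced, while the original frame stays in M-STACK and the isolated module never gets a mapping to K-STACK itself.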
With reference to the third aspect of the embodiments of the present invention or the first, second or third possible implementation of the third aspect, in a fourth possible implementation of the third aspect of the embodiments of the present invention, before the VMM captures the page table interrupt event, the method further includes:
the VMM mapping, according to the pre-stored space page table of the virtual machine kernel space, the virtual address distribution information of the target kernel module to physical address distribution information, where the target kernel module is a kernel module that needs to be isolated, selected from N kernel modules inserted into the virtual machine kernel space, and N is a positive integer greater than 1;
the VMM separating, based on the physical address distribution information, the virtual machine kernel space into the M-SPACE and the K-SPACE;
the VMM marking the space page table of the virtual machine kernel space as a kernel space page table KPGT, and creating the MPGT based on the physical address distribution information.
With reference to the third aspect of the embodiments of the present invention or the first, second, third or fourth possible implementation of the third aspect, in a fifth possible implementation of the third aspect of the embodiments of the present invention, a call-right mapping of the target kernel module to the kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to call the kernel code in the M-SPACE.
A fourth aspect of the embodiments of the present invention discloses a VMM, including:
an event capture unit, configured to capture a page table interrupt event, where the page table interrupt event is generated by a central processing unit CPU after it detects a call request by a target kernel module for kernel code in the kernel space K-SPACE and judges that no call-right mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolation space page table MPGT, where the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the running of the target kernel module;
a permission judgement unit, configured to judge, by means of a pre-stored page table interrupt processing function, whether the target kernel module has permission to call the kernel code in the K-SPACE;
a switching unit, configured to, when the permission judgement unit determines by means of the pre-stored page table interrupt processing function that the target kernel module has permission to call the kernel code in the K-SPACE, perform, according to the call-right mapping of the target kernel module to the kernel code in the K-SPACE, a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the K-STACK after the switch.
In a first possible implementation of the fourth aspect of the embodiments of the present invention, the permission judgement unit is specifically configured to:
obtain, by means of the pre-stored page table interrupt function, a preset permission judgement policy corresponding to the page table interrupt event, and obtain virtual address distribution information of the kernel code in the K-SPACE;
judge, according to the obtained preset permission judgement policy and the virtual address distribution information, whether the target kernel module has permission to access the kernel code in the K-SPACE.
With reference to the fourth aspect of the embodiments of the present invention or the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect of the embodiments of the present invention, the switching unit is specifically configured to:
switch the page table currently loaded by the VMM from the MPGT to the kernel space page table KPGT, where the KPGT is used to support the running of the kernel modules in the K-SPACE, and the K-SPACE includes the basic kernel modules of the virtual machine kernel space, the kernel modules, other than the target kernel module, among the N kernel modules inserted into the virtual machine kernel space, and the KPGT, where N is a positive integer greater than 1.
With reference to the fourth aspect of the embodiments of the present invention or the first or second possible implementation of the fourth aspect, in a third possible implementation of the fourth aspect of the embodiments of the present invention, the switching unit is specifically configured to:
copy the code parameters stored in the M-STACK, which are used to pass arguments to the kernel code in the K-SPACE, and the return address RIP used for calling the kernel code in the K-SPACE;
write the code parameters and the RIP into the K-STACK;
change the stack currently used by the virtual machine kernel space from the esp-old position to the esp-new position, where the esp-old position is the storage position of the RIP in the M-STACK, and the esp-new position is the storage position of the RIP in the K-STACK.
With reference to the fourth aspect of the embodiments of the present invention or the first, second or third possible implementation of the fourth aspect, in a fourth possible implementation of the fourth aspect of the embodiments of the present invention, the VMM further includes:
an address mapping unit, configured to, before the event capture unit captures the page table interrupt event, map, according to the pre-stored space page table of the virtual machine kernel space, the virtual address distribution information of the target kernel module to physical address distribution information, where the target kernel module is a kernel module that needs to be isolated, selected from N kernel modules inserted into the virtual machine kernel space, and N is a positive integer greater than 1;
a space separation unit, configured to separate, based on the physical address distribution information, the virtual machine kernel space into the M-SPACE and the K-SPACE;
a page table creation unit, configured to mark the space page table of the virtual machine kernel space as a kernel space page table KPGT, and create the MPGT based on the physical address distribution information.
With reference to the fourth aspect of the embodiments of the present invention or the first, second, third or fourth possible implementation of the fourth aspect, in a fifth possible implementation of the fourth aspect of the embodiments of the present invention, a call-right mapping of the target kernel module to the kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to call the kernel code in the M-SPACE.
In the embodiments of the present invention, the VMM first captures the page table interrupt event; then, when the VMM determines by means of the pre-stored page table interrupt processing function that the target kernel module has permission to call the kernel code in the K-SPACE, the VMM performs, according to the call-right mapping of the target kernel module to the kernel code in the K-SPACE, a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the K-STACK after the switch. Because the page table interrupt event is generated by the CPU after it detects a call request by the target kernel module for kernel code in the kernel space K-SPACE and judges that no call-right mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolation space page table MPGT, the target kernel module evidently has no permission to call the kernel code directly. This prevents a target kernel module whose security is unknown from calling kernel code in the K-SPACE at will, and helps improve the security of system kernel code calls.
At the same time, because the VMM has higher running privilege than the virtual machine operating system, in a virtualized environment the higher-privileged VMM is isolated from the virtual machine in terms of execution privilege and cannot be attacked directly by the virtual machine.
At the same time, because the VMM is independent of the guest platform, it can isolate kernel modules of multiple guest operating systems of different types simultaneously.
Brief Description of the Drawings
In order to describe the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings in the following description are merely some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from these drawings without creative effort.
FIG. 1.1 is a deployment architecture diagram of a typical bare-metal mode virtualization platform disclosed in an embodiment of the present invention;
FIG. 1.2 is a deployment architecture diagram of a typical hosted mode virtualization platform disclosed in an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a data access method disclosed in an embodiment of the present invention;
FIG. 3 is a schematic flowchart of another data access method disclosed in an embodiment of the present invention;
FIG. 4 is a schematic flowchart of yet another data access method disclosed in an embodiment of the present invention;
FIG. 5 is a schematic flowchart of a code calling method disclosed in an embodiment of the present invention;
FIG. 6 is a schematic flowchart of another code calling method disclosed in an embodiment of the present invention;
FIG. 7 is a schematic flowchart of yet another code calling method disclosed in an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a VMM for controlling access by a target kernel module in the M-SPACE to kernel data in the K-SPACE, disclosed in an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a VMM for controlling calls by a target kernel module in the M-SPACE to kernel code in the K-SPACE, disclosed in an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a physical VMM apparatus disclosed in an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a physical VMM apparatus disclosed in an embodiment of the present invention.
具体实施方式detailed description
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分的实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都应当属于本发明保护的范围。The technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative efforts shall fall within the scope of the present invention.
本发明实施例提供一种数据访问方法、代码调用方法及虚拟机监视器(Virtual Machine Monitor,VMM),以期提升系统内核数据访问和代码调用的安全性。The embodiment of the invention provides a data access method, a code calling method and a virtual machine monitor (VMM), so as to improve the security of the system kernel data access and code call.
为了便于理解本发明实施例,下面先对本发明实施例的网络架构进行描述。请参阅图1.1和图1.2,图1.1是本发明实施例公开的一种典型裸机模式虚拟化平台部署架构图,图1.2是本发明实施例公开的一种典型宿主模式虚拟化平 台部署架构图。如图1.1和图1.2所示,两种模式中的虚拟机操作系统都运行在VMM之上,VMM拥有比虚拟机操作系统更高的执行权限,且两者之间相互隔离。虚拟机操作系统内核可以进一步划分为代码部分、数据部分、内核运行所需堆栈以及动态可加载的内核模块。附图1.1所示的典型的裸机虚拟化模式(比如Xen)中,VMM直接运行在物理机之上,操作物理硬件,向上对虚拟机提供服务。附图1.2所示的典型宿主模式(比如KVM)中,VMM运行在宿主机操作系统之上,其虚拟化功能需要借助于宿主机实现,宿主机直接控制下层硬件资源。In order to facilitate the understanding of the embodiments of the present invention, the network architecture of the embodiment of the present invention is described below. Referring to FIG. 1.1 and FIG. 1.2, FIG. 1.1 is a schematic diagram of a typical bare-machine mode virtualization platform deployment architecture disclosed in the embodiment of the present invention, and FIG. 1.2 is a typical host mode virtualization flat disclosed in the embodiment of the present invention. Platform deployment architecture diagram. As shown in Figure 1.1 and Figure 1.2, the virtual machine operating systems in both modes run on the VMM. The VMM has higher execution privileges than the virtual machine operating system, and the two are isolated from each other. The virtual machine operating system kernel can be further divided into code parts, data parts, stacks required for kernel operations, and dynamically loadable kernel modules. In the typical bare metal virtualization mode (such as Xen) shown in Figure 1.1, the VMM runs directly on the physical machine, operates on physical hardware, and provides services to the virtual machine upwards. In the typical host mode (such as KVM) shown in Figure 1.2, the VMM runs on the host operating system, and its virtualization function needs to be implemented by means of the host. The host directly controls the underlying hardware resources.
Referring to FIG. 2, FIG. 2 is a schematic flowchart of a data access method disclosed in an embodiment of the present invention. As shown in FIG. 2, the data access method is described from the VMM side alone and specifically includes the following steps:
S201: The VMM captures a page table interrupt event, where the page table interrupt event is generated by the CPU after the CPU detects an access request, sent by a target kernel module, for kernel data in the kernel space K-SPACE and determines that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolation space page table MPGT, where the virtual machine kernel space corresponding to the VMM includes the K-SPACE and the isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the running of the target kernel module.
In this embodiment of the present invention, an access permission mapping of the target kernel module to the kernel data in the M-SPACE has already been created in the MPGT, so that the target kernel module has permission to access the kernel data in the M-SPACE.
S202: The VMM determines, by using a pre-stored page table interrupt handling function, whether the target kernel module has permission to access the kernel data in the K-SPACE.
In this embodiment of the present invention, the specific manner in which the VMM determines, by using the pre-stored page table interrupt handling function, whether the target kernel module has permission to access the kernel data in the K-SPACE is as follows:
The VMM first obtains, by using the pre-stored page table interrupt function, a preset permission judgment policy corresponding to the page table interrupt event, and obtains the virtual address distribution information of the kernel data in the K-SPACE; next, the VMM determines the event type of the page table interrupt event; finally, the VMM determines, according to the preset permission judgment policy, the virtual address distribution information, and the event type, whether the target kernel module has permission to access the kernel data in the K-SPACE.
S203: When the VMM determines, by using the pre-stored page table interrupt handling function, that the target kernel module has permission to access the kernel data in the K-SPACE, the VMM creates, in the MPGT, the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
It can be seen that, in this embodiment of the present invention, the VMM first captures the page table interrupt event; next, the VMM determines, by using the pre-stored page table interrupt handling function, whether the target kernel module has permission to access the kernel data in the K-SPACE; finally, when the VMM determines by that function that the target kernel module has permission to access the kernel data in the K-SPACE, the VMM creates in the MPGT the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access that data. Because the page table interrupt event is generated by the CPU after it detects the access request sent by the target kernel module for kernel data in the K-SPACE and determines that no access permission mapping of the target kernel module to that data has been created in the MPGT, the target kernel module has no permission to access the kernel data in the K-SPACE directly. This prevents a target kernel module whose security is unknown from accessing the kernel data in the K-SPACE at will, and helps improve the security of system kernel data access.
At the same time, because the VMM has a higher running privilege than the virtual machine operating system, in a virtualized environment the higher-privileged VMM is isolated from the virtual machine in terms of execution privilege and cannot be attacked directly by the virtual machine.
At the same time, because the VMM is independent of the guest platform, it can isolate kernel modules of multiple different types of guest operating systems simultaneously.
Optionally, in this embodiment of the present invention, before the VMM captures the page table interrupt event, the following operations may also be performed to create a kernel space isolation mechanism for the target kernel module:
The VMM maps the virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module selected, from the N kernel modules inserted into the virtual machine kernel space, as needing to be isolated, and N is a positive integer;
The VMM divides the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
The VMM marks the space page table of the virtual machine kernel space as the kernel space page table KPGT and creates the MPGT based on the physical address distribution information, where the KPGT is used to support the running of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE include the basic kernel modules of the virtual machine kernel space and the kernel modules among the N kernel modules other than the target kernel module.
Referring to FIG. 3, FIG. 3 is a schematic flowchart of a data access method disclosed in an embodiment of the present invention. As shown in FIG. 3, the data access method is described from the VMM side alone and specifically includes the following steps:
S301: The virtual machine monitor VMM captures a page table interrupt event, where the page table interrupt event is generated by the central processing unit CPU after the CPU detects an access request, sent by a target kernel module, for kernel data in the kernel space K-SPACE and determines that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolation space page table MPGT, where the virtual machine kernel space corresponding to the VMM includes the K-SPACE and the isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the running of the target kernel module.
In this embodiment of the present invention, an access permission mapping of the target kernel module to the kernel data in the M-SPACE has already been created in the MPGT, so that the target kernel module has permission to access the kernel data in the M-SPACE.
S302: The VMM obtains, by using a pre-stored page table interrupt function, a preset permission judgment policy corresponding to the page table interrupt event, and obtains the virtual address distribution information of the kernel data in the K-SPACE.
S303: The VMM determines the event type of the page table interrupt event.
S304: The VMM determines, according to the preset permission judgment policy, the virtual address distribution information, and the event type, whether the target kernel module has permission to access the kernel data in the K-SPACE.
S305: When the VMM determines, by using the pre-stored page table interrupt handling function, that the target kernel module has permission to access the kernel data in the K-SPACE, the VMM creates, in the MPGT, the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
It can be seen that, in this embodiment of the present invention, the VMM first captures the page table interrupt event; next, the VMM determines, by using the pre-stored page table interrupt handling function, whether the target kernel module has permission to access the kernel data in the K-SPACE; finally, when the VMM determines by that function that the target kernel module has permission to access the kernel data in the K-SPACE, the VMM creates in the MPGT the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access that data. Because the page table interrupt event is generated by the CPU after it detects the access request sent by the target kernel module for kernel data in the K-SPACE and determines that no access permission mapping of the target kernel module to that data has been created in the MPGT, the target kernel module has no permission to access the kernel data in the K-SPACE directly. This prevents a target kernel module whose security is unknown from accessing the kernel data in the K-SPACE at will, and helps improve the security of system kernel data access.
At the same time, because the VMM has a higher running privilege than the virtual machine operating system, in a virtualized environment the higher-privileged VMM is isolated from the virtual machine in terms of execution privilege and cannot be attacked directly by the virtual machine.
At the same time, because the VMM is independent of the guest platform, it can isolate kernel modules of multiple different types of guest operating systems simultaneously.
Optionally, in this embodiment of the present invention, before the VMM captures the page table interrupt event, the following operations may also be performed to create a kernel space isolation mechanism for the target kernel module:
The VMM maps the virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module selected, from the N kernel modules inserted into the virtual machine kernel space, as needing to be isolated, and N is a positive integer;
The VMM divides the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
The VMM marks the space page table of the virtual machine kernel space as the kernel space page table KPGT and creates the MPGT based on the physical address distribution information, where the KPGT is used to support the running of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE include the basic kernel modules of the virtual machine kernel space and the kernel modules among the N kernel modules other than the target kernel module.
Referring to FIG. 4, FIG. 4 is a schematic flowchart of a data access method disclosed in an embodiment of the present invention. As shown in FIG. 4, the data access method is described from the VMM side alone and specifically includes the following steps:
S401: The VMM maps the virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module selected, from the N kernel modules inserted into the virtual machine kernel space, as needing to be isolated, and N is a positive integer.
S402: The VMM divides the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information.
S403: The VMM marks the space page table of the virtual machine kernel space as the kernel space page table KPGT and creates the MPGT based on the physical address distribution information, where the KPGT is used to support the running of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE include the basic kernel modules of the virtual machine kernel space and the kernel modules among the N kernel modules other than the target kernel module.
In this embodiment of the present invention, an access permission mapping of the target kernel module to the kernel data in the M-SPACE is created in the MPGT, so that the target kernel module has permission to access the kernel data in the M-SPACE.
S404: The VMM captures a page table interrupt event, where the page table interrupt event is generated by the CPU after the CPU detects an access request, sent by the target kernel module, for kernel data in the kernel space K-SPACE and determines that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolation space page table MPGT, where the virtual machine kernel space corresponding to the VMM includes the K-SPACE and the isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the running of the target kernel module.
S405: The VMM obtains, by using a pre-stored page table interrupt function, a preset permission judgment policy corresponding to the page table interrupt event, and obtains the virtual address distribution information of the kernel data in the K-SPACE.
S406: The VMM determines the event type of the page table interrupt event.
S407: The VMM determines, according to the preset permission judgment policy, the virtual address distribution information, and the event type, whether the target kernel module has permission to access the kernel data in the K-SPACE.
In this embodiment of the present invention, the permission judgment policy may be preset by the user and stored in memory space, and the event type corresponding to the page table interrupt event includes a data read type and a data write type.
For example, suppose the permission judgment policy corresponding to the data read type for the target kernel module's access to kernel data in the K-SPACE includes the following sub-policy: if the kernel data that the target kernel module requests to read from the memory management unit of the CPU is the interrupt vector table in the K-SPACE, the memory management unit rejects this data read request of the target kernel module.
S408: When the VMM determines, by using the pre-stored page table interrupt handling function, that the target kernel module has permission to access the kernel data in the K-SPACE, the VMM creates, in the MPGT, the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
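The fault-driven permission check of S404 to S408, modelled as an added example in C (this is not the patent's own code). The K-SPACE layout, the addresses, the MPGT capacity and the read/write sub-policies are constructed for the example; the interrupt vector table entry mirrors the read-denied sub-policy given in the text, and the simulated CPU only raises a fault when the MPGT has no mapping granting the requested right.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of S404-S408 (added example, not the patent's own code).
 * Region names, addresses and the policy table below are made up. */

#define KPAGE_SIZE 0x1000ull
#define MPGT_MAX   16

typedef enum { EV_READ, EV_WRITE } event_type_t;        /* S406: event types */
typedef enum { ACCESS_DENIED, ACCESS_ALLOWED } decision_t;

/* Virtual address distribution of one block of kernel data in K-SPACE, together
 * with the preset permission-judgement sub-policy that applies to it (S405). */
typedef struct {
    const char *name;
    uint64_t start, end;              /* [start, end) */
    bool read_ok, write_ok;
} kregion_t;

/* One MPGT entry: a K-SPACE page the target module has been granted. */
typedef struct { uint64_t page; bool r, w; } mpgt_entry_t;
typedef struct { mpgt_entry_t e[MPGT_MAX]; int n; } mpgt_t;

/* Constructed K-SPACE layout. The interrupt vector table is read-denied,
 * mirroring the sub-policy used as an example in the text. */
static const kregion_t k_space[] = {
    { "interrupt_vector_table", 0xffff800000001000ull, 0xffff800000002000ull, false, false },
    { "module_list",            0xffff800000010000ull, 0xffff800000020000ull, true,  false },
    { "shared_buffer",          0xffff800000030000ull, 0xffff800000031000ull, true,  true  },
};

static const kregion_t *lookup_region(uint64_t va) {
    for (size_t i = 0; i < sizeof k_space / sizeof k_space[0]; i++)
        if (va >= k_space[i].start && va < k_space[i].end) return &k_space[i];
    return NULL;                      /* not kernel data in K-SPACE */
}

static mpgt_entry_t *mpgt_find(mpgt_t *t, uint64_t page) {
    for (int i = 0; i < t->n; i++)
        if (t->e[i].page == page) return &t->e[i];
    return NULL;
}

/* CPU side (modelled): the access proceeds without a fault only if the MPGT
 * already holds a mapping that grants this right for the page. */
static bool mpgt_permits(mpgt_t *t, uint64_t va, event_type_t ev) {
    mpgt_entry_t *m = mpgt_find(t, va & ~(KPAGE_SIZE - 1));
    return m != NULL && (ev == EV_READ ? m->r : m->w);
}

/* VMM page table interrupt handler: S405 (policy and address distribution),
 * S406/S407 (event type selects the sub-policy), S408 (create the mapping in
 * the MPGT only when the access is permitted; a denial leaves it untouched). */
decision_t vmm_handle_page_fault(mpgt_t *t, uint64_t va, event_type_t ev) {
    const kregion_t *r = lookup_region(va);
    if (r == NULL) return ACCESS_DENIED;
    bool ok = (ev == EV_READ) ? r->read_ok : r->write_ok;
    if (!ok) return ACCESS_DENIED;

    uint64_t page = va & ~(KPAGE_SIZE - 1);
    mpgt_entry_t *m = mpgt_find(t, page);
    if (m == NULL) {
        if (t->n >= MPGT_MAX) return ACCESS_DENIED;   /* table full: fail closed */
        m = &t->e[t->n++];
        m->page = page; m->r = m->w = false;
    }
    if (ev == EV_READ) m->r = true; else m->w = true;
    return ACCESS_ALLOWED;
}

/* One access by the target module: hardware check first, VMM only on a fault.
 * *faults counts the page table interrupt events delivered to the VMM. */
decision_t module_access(mpgt_t *t, uint64_t va, event_type_t ev, int *faults) {
    if (mpgt_permits(t, va, ev)) return ACCESS_ALLOWED;
    (*faults)++;
    return vmm_handle_page_fault(t, va, ev);
}

/* Constructed scenario; returns the number of faults taken, or -1 if any
 * decision differs from what the policy requires. */
int run_scenario(void) {
    mpgt_t t; memset(&t, 0, sizeof t);
    int faults = 0;
    /* first read of module_list: faults, is permitted, page gets mapped */
    if (module_access(&t, 0xffff800000010040ull, EV_READ, &faults) != ACCESS_ALLOWED) return -1;
    /* second read of the same page: mapping exists, no fault */
    if (module_access(&t, 0xffff800000010080ull, EV_READ, &faults) != ACCESS_ALLOWED) return -1;
    /* write to module_list: faults again (no write right) and is denied */
    if (module_access(&t, 0xffff800000010040ull, EV_WRITE, &faults) != ACCESS_DENIED) return -1;
    /* read of the interrupt vector table: denied by the sub-policy */
    if (module_access(&t, 0xffff800000001010ull, EV_READ, &faults) != ACCESS_DENIED) return -1;
    /* address that is not K-SPACE kernel data at all: denied */
    if (module_access(&t, 0x1000ull, EV_READ, &faults) != ACCESS_DENIED) return -1;
    return faults;                    /* 4 */
}
```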
It can be seen that, in this embodiment of the present invention, the VMM first captures the page table interrupt event; next, the VMM determines, by using the pre-stored page table interrupt handling function, whether the target kernel module has permission to access the kernel data in the K-SPACE; finally, when the VMM determines by that function that the target kernel module has permission to access the kernel data in the K-SPACE, the VMM creates in the MPGT the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access that data. Because the page table interrupt event is generated by the CPU after it detects the access request sent by the target kernel module for kernel data in the K-SPACE and determines that no access permission mapping of the target kernel module to that data has been created in the MPGT, the target kernel module has no permission to access the kernel data in the K-SPACE directly. This prevents a target kernel module whose security is unknown from accessing the kernel data in the K-SPACE at will, and helps improve the security of system kernel data access.
At the same time, because the VMM has a higher running privilege than the virtual machine operating system, in a virtualized environment the higher-privileged VMM is isolated from the virtual machine in terms of execution privilege and cannot be attacked directly by the virtual machine.
At the same time, because the VMM is independent of the guest platform, it can isolate kernel modules of multiple different types of guest operating systems simultaneously.
Further optionally, in this embodiment of the present invention, before the VMM maps the virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, the VMM may also perform the following operation:
The VMM obtains the virtual address distribution information of the target kernel module in the virtual machine kernel space, as sent by a guest agent module located in the virtual machine kernel space.
The guest agent module is located in the K-SPACE and is used to obtain the virtual address distribution information of the target kernel module in the virtual machine kernel space and to send that information to the VMM, so that the VMM can establish the isolated address space of the target kernel module based on it. The guest agent module obtains the virtual address distribution information in either of the following two ways:
When it is detected that the target kernel module has not yet started running in the virtual machine, the guest agent module intercepts the relevant system calls invoked when the target kernel module is inserted; when those system calls are detected, the guest agent module obtains the virtual address distribution information {virt1, virt2} of the target kernel module after it has been loaded into the virtual machine kernel space. For example, a Windows virtual machine can obtain memory image insertion events in the virtual machine by registering a callback function and determine, from the image name, whether it is the target kernel module that is being loaded into the virtual machine kernel space.
When it is detected that the target kernel module has already started running in the virtual machine, the guest agent module needs to traverse the kernel module linked list in the virtual machine kernel space to obtain the virtual address distribution information {virt1, virt2} of the target kernel module in the virtual machine kernel space.
It can be seen that, in this embodiment of the present invention, the guest agent module is located in the K-SPACE and runs in a different kernel space from the target kernel module in the M-SPACE, so it cannot be attacked by the target kernel module, which helps further improve the security of the system kernel.
Further optionally, in this embodiment of the present invention, after the VMM creates the isolation space page table MPGT based on the physical address distribution information, the VMM may also perform the following operation:
The VMM deletes the access permission mapping, stored in the KPGT, of the kernel modules in the K-SPACE to the kernel data in the M-SPACE, so that the kernel modules in the K-SPACE cannot directly access the kernel data in the M-SPACE, which further enhances the security of system kernel data access.
Referring to FIG. 5, FIG. 5 is a schematic flowchart of a code calling method disclosed in an embodiment of the present invention. As shown in FIG. 5, the code calling method is described from the VMM side alone and specifically includes the following steps:
S501: The virtual machine monitor VMM captures a page table interrupt event, where the page table interrupt event is generated by the central processing unit CPU after the CPU detects a call request by the target kernel module for kernel code in the kernel space K-SPACE and determines that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolation space page table MPGT, where the virtual machine kernel space corresponding to the VMM includes the K-SPACE and the isolation space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the running of the target kernel module.
In this embodiment of the present invention, a call permission mapping of the target kernel module to the kernel code in the M-SPACE has already been created in the MPGT, so that the target kernel module has permission to call the kernel code in the M-SPACE.
S502: The VMM determines, by using a pre-stored page table interrupt handling function, whether the target kernel module has permission to call the kernel code in the K-SPACE.
In this embodiment of the present invention, the specific implementation by which the VMM determines, by using the pre-stored page table interrupt handling function, whether the target kernel module has permission to call the kernel code in the K-SPACE is as follows:
The VMM obtains, by using the pre-stored page table interrupt function, a preset permission judgment policy corresponding to the page table interrupt event, and obtains the virtual address distribution information of the kernel code in the K-SPACE;
The VMM determines, according to the obtained preset permission judgment policy and the virtual address distribution information, whether the target kernel module has permission to access the kernel code in the K-SPACE.
S503: When the VMM determines, by using the pre-stored page table interrupt handling function, that the target kernel module has permission to call the kernel code in the K-SPACE, the VMM performs, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the switched K-STACK.
In this embodiment of the present invention, the specific implementation of the page table switching operation performed by the VMM is as follows:
The VMM switches the page table currently loaded by the VMM from the MPGT to the kernel space page table KPGT, where the KPGT is used to support the running of the kernel modules in the K-SPACE, and the K-SPACE includes the basic kernel modules of the virtual machine kernel space, the kernel modules among the N kernel modules inserted into the virtual machine kernel space other than the target kernel module, and the KPGT, where N is a positive integer greater than 1.
The specific implementation of the stack switching operation performed by the VMM is as follows:
The VMM copies, from the M-STACK, the code parameters to be passed to the kernel code in the K-SPACE and the return address RIP used for calling the kernel code in the K-SPACE;
The VMM writes the code parameters and the RIP into the K-STACK;
The VMM changes the stack currently used by the virtual machine kernel space from the esp-old position to the esp-new position, where the esp-old position is the storage location of the RIP in the M-STACK, and the esp-new position is the storage location of the RIP in the K-STACK.
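The page table switch and the three-step stack switch of S503, modelled as an added example in C (this is not the patent's own code). The stacks are word arrays that grow downward with esp as an index, the parameter values and return address are made up, and the M-STACK frame layout (parameters above the RIP, esp-old pointing at the RIP) is an assumption of the model; the VMM side refuses the switch rather than corrupting state when the frame does not fit or the KPGT is already loaded.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the page table switch and stack switch in S503
 * (added example, not the patent's own code). Stacks are word arrays that
 * grow downward; esp is the index of the top-of-stack word. */

#define STACK_WORDS 64

typedef enum { PT_MPGT, PT_KPGT } pagetable_t;

typedef struct {
    uint64_t word[STACK_WORDS];
    int esp;
} stack_t;

typedef struct {
    pagetable_t loaded;           /* page table currently loaded by the VMM */
    stack_t m_stack, k_stack;     /* M-STACK and K-STACK */
    stack_t *cur;                 /* stack the virtual machine kernel space uses */
} vcpu_t;

static bool push(stack_t *s, uint64_t v) {
    if (s->esp == 0) return false;            /* stack full */
    s->word[--s->esp] = v;
    return true;
}

void vcpu_init(vcpu_t *v) {
    memset(v, 0, sizeof *v);
    v->m_stack.esp = STACK_WORDS;
    v->k_stack.esp = STACK_WORDS;
    v->loaded = PT_MPGT;                      /* target module is running */
    v->cur = &v->m_stack;
}

/* Module side (assumed frame layout): before the call into K-SPACE the target
 * module pushes the code parameters (last parameter first) and then the
 * return address RIP onto M-STACK, so esp-old ends up pointing at the RIP. */
bool module_prepare_call(vcpu_t *v, const uint64_t *args, int nargs, uint64_t rip) {
    if (v->cur != &v->m_stack) return false;
    for (int i = nargs - 1; i >= 0; i--)
        if (!push(&v->m_stack, args[i])) return false;
    return push(&v->m_stack, rip);
}

/* VMM side, after the page table interrupt handler has granted the call:
 * switch MPGT -> KPGT, copy the parameters and the RIP from M-STACK to
 * K-STACK, and move the stack in use from esp-old (RIP in M-STACK) to
 * esp-new (RIP in K-STACK). Returns false and leaves the vcpu unchanged on
 * any inconsistency. */
bool vmm_switch_to_kspace(vcpu_t *v, int nargs) {
    if (v->loaded != PT_MPGT || v->cur != &v->m_stack) return false;
    int esp_old = v->m_stack.esp;
    if (nargs < 0 || esp_old + 1 + nargs > STACK_WORDS) return false;  /* frame not on M-STACK */
    if (v->k_stack.esp < nargs + 1) return false;                       /* no room on K-STACK */

    uint64_t rip = v->m_stack.word[esp_old];
    for (int i = nargs - 1; i >= 0; i--)                  /* same order as the caller */
        push(&v->k_stack, v->m_stack.word[esp_old + 1 + i]);
    push(&v->k_stack, rip);

    v->loaded = PT_KPGT;                                  /* page table switch */
    v->cur = &v->k_stack;                                 /* esp-new: RIP in K-STACK */
    return true;
}

/* What the K-SPACE kernel code sees after the switch. */
uint64_t current_rip(const vcpu_t *v) { return v->cur->word[v->cur->esp]; }
uint64_t current_arg(const vcpu_t *v, int i) { return v->cur->word[v->cur->esp + 1 + i]; }

/* Constructed scenario: a call with two parameters. Returns 1 if everything
 * observed after the switch matches what the module pushed, else 0. */
int run_call_scenario(void) {
    vcpu_t v; vcpu_init(&v);
    uint64_t args[2] = { 0x1234, 0x5678 };          /* made-up code parameters */
    uint64_t rip = 0xffffc00000400010ull;           /* made-up return address */
    if (!module_prepare_call(&v, args, 2, rip)) return 0;
    if (!vmm_switch_to_kspace(&v, 2)) return 0;
    return v.loaded == PT_KPGT && v.cur == &v.k_stack
        && current_rip(&v) == rip
        && current_arg(&v, 0) == 0x1234 && current_arg(&v, 1) == 0x5678
        && v.k_stack.esp == STACK_WORDS - 3;
}

/* Constructed failure case: a second switch while the KPGT is already loaded
 * must be refused. Returns 1 if it is. */
int run_double_switch_scenario(void) {
    vcpu_t v; vcpu_init(&v);
    if (!module_prepare_call(&v, NULL, 0, 0xffffc00000400020ull)) return 0;
    if (!vmm_switch_to_kspace(&v, 0)) return 0;
    return vmm_switch_to_kspace(&v, 0) == false;
}
```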
It can be seen that, in this embodiment of the present invention, the VMM first captures the page table interrupt event; next, when the VMM determines, by using the pre-stored page table interrupt handling function, that the target kernel module has permission to call the kernel code in the K-SPACE, the VMM performs, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolation space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the switched K-STACK. Because the page table interrupt event is generated by the CPU after it detects the call request by the target kernel module for kernel code in the K-SPACE and determines that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the MPGT, the target kernel module has no permission to call the kernel code in the K-SPACE directly. This prevents a target kernel module whose security is unknown from calling the kernel code in the K-SPACE at will, and helps improve the security of system kernel code calls.
At the same time, because the VMM has a higher running privilege than the virtual machine operating system, in a virtualized environment the higher-privileged VMM is isolated from the virtual machine in terms of execution privilege and cannot be attacked directly by the virtual machine.
At the same time, because the VMM is independent of the guest platform, it can isolate kernel modules of multiple different types of guest operating systems simultaneously.
Optionally, in this embodiment of the present invention, before the VMM captures the page table interrupt event, the following operations may also be performed to create an isolation mechanism for the target kernel module:
The VMM maps the virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module selected, from the N kernel modules inserted into the virtual machine kernel space, as needing to be isolated, and N is a positive integer greater than 1;
The VMM divides the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
The VMM marks the space page table of the virtual machine kernel space as the kernel space page table KPGT and creates the MPGT based on the physical address distribution information.
请参阅图6,图6是本发明实施例公开的一种代码调用方法的流程示意图,如图6所示,该代码调用方法是从VMM单侧进行描述的,具体包括以下步骤:Referring to FIG. 6 , FIG. 6 is a schematic flowchart of a code invoking method according to an embodiment of the present invention. As shown in FIG. 6 , the code calling method is described from one side of the VMM, and specifically includes the following steps:
S601,虚拟机监视器VMM捕获页表中断事件,所述页表中断事件是由中央处理单元CPU在检测到目标内核模块针对内核空间K-SPACE中的内核代码的调用请求之后、且判断出隔离空间页表MPGT中未创建所述目标内核模块对所述K-SPACE中的内核代码的调用权限映射的情况下生成的,其中,所述VMM对应的虚拟机内核空间包括所述K-SPACE和隔离空间M-SPACE,所述 M-SPACE包括所述目标内核模块和所述MPGT,所述MPGT用于支持所述目标内核模块的运行;S601, the virtual machine monitor VMM captures a page table interrupt event, and the page table interrupt event is determined by the central processing unit CPU after detecting the target kernel module calling request for the kernel code in the kernel space K-SPACE The virtual page kernel space corresponding to the kernel code in the K-SPACE is not created in the space page table MPGT, wherein the virtual machine kernel space corresponding to the VMM includes the K-SPACE and Isolated space M-SPACE, said The M-SPACE includes the target kernel module and the MPGT, and the MPGT is configured to support operation of the target kernel module;
本发明实施例中,所述MPGT中创建有所述目标内核模块对所述M-SPACE中的内核代码的调用权限映射,以使得所述目标内核模块有权限调用所述M-SPACE中的内核代码。In the embodiment of the present invention, a call permission mapping of the target kernel module to the kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to invoke the kernel in the M-SPACE. Code.
S602,所述VMM通过预存的页表中断函数获取所述页表中断事件对应的预设权限判断策略,并获取所述K-SPACE中的内核代码的虚拟地址分布信息;S602, the VMM acquires a preset permission judgment policy corresponding to the page table interrupt event by using a pre-stored page table interrupt function, and acquires virtual address distribution information of the kernel code in the K-SPACE;
S603,所述VMM根据获取的所述预设权限判断策略和所述虚拟地址分布信息判断所述目标内核模块是否有权限访问所述K-SPACE中的内核代码;S603, the VMM determines, according to the obtained preset permission judgment policy and the virtual address distribution information, whether the target kernel module has permission to access the kernel code in the K-SPACE;
S604,当所述VMM通过预存的页表中断处理函数判断出所述目标内核模块有权限调用所述K-SPACE中的内核代码时,所述VMM根据所述目标内核模块对所述K-SPACE中的内核代码的调用权限映射,执行页表切换操作和堆栈切换操作以将所述虚拟机内核空间的堆栈由隔离空间堆栈M-STACK切换为内核空间堆栈K-STACK,以使得所述目标内核模块基于切换后的所述K-STACK调用所述K-SPACE中的内核代码。S604, when the VMM determines, by using a pre-stored page table interrupt processing function, that the target kernel module has permission to invoke the kernel code in the K-SPACE, the VMM is configured according to the target kernel module to the K-SPACE. a call permission mapping of the kernel code in the table, performing a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolated space stack M-STACK to the kernel space stack K-STACK, such that the target core The module calls the kernel code in the K-SPACE based on the K-STACK after switching.
本发明实施例中,上述VMM执行页表页表切换操作的具体实施方式为:In the embodiment of the present invention, the specific implementation manner of the VMM performing the page table page table switching operation is:
所述VMM将所述VMM当前加载的页表由所述MPGT切换为内核空间页表KPGT,其中,所述KPGT用于支持所述K-SPACE中的内核模块的运行,所述K-SPACE中包括所述虚拟机内核空间中的基础内核模块、所述虚拟机内核空间中插入的N个内核模块中除所述目标内核模块之外的内核模块以及所述KPGT,所述N为大于1的正整数。The VMM switches the page table currently loaded by the VMM from the MPGT to a kernel space page table KPGT, wherein the KPGT is used to support operation of a kernel module in the K-SPACE, in the K-SPACE And including the basic kernel module in the virtual machine kernel space, a kernel module other than the target kernel module among the N kernel modules inserted in the virtual machine kernel space, and the KPGT, where the N is greater than 1. A positive integer.
上述VMM执行堆栈切换操作的具体实施方式为:The specific implementation manner of the above VMM performing a stack switching operation is:
所述VMM拷贝M-STACK中存储的用于传递所述K-SPACE中的内核代码的代码参数和用于调用所述K-SPACE中的内核代码的返回地址RIP;The VMM copies the code parameters stored in the M-STACK for transferring the kernel code in the K-SPACE and the return address RIP for calling the kernel code in the K-SPACE;
所述VMM在所述K-STACK中写入所述代码参数和所述RIP;Writing, by the VMM, the code parameter and the RIP in the K-STACK;
所述VMM将所述虚拟机内核空间当前使用的堆栈由esp-old位置转变为esp-new位置,其中,所述esp-old位置为所述RIP在所述M-STACK中的存储位置,所述esp-new位置为所述RIP在所述K-STACK中的存储位置。 The VMM converts a stack currently used by the virtual machine kernel space from an esp-old location to an esp-new location, where the esp-old location is a storage location of the RIP in the M-STACK, The esp-new location is the storage location of the RIP in the K-STACK.
可以看出,本发明实施例中,VMM首先捕获页表中断事件,其次,当VMM通过预存的页表中断处理函数判断出目标内核模块有权限调用K-SPACE中的内核代码时,VMM根据目标内核模块对K-SPACE中的内核代码的调用权限映射,执行页表切换操作和堆栈切换操作以将虚拟机内核空间的堆栈由隔离空间堆栈M-STACK切换为内核空间堆栈K-STACK,以使得所述目标内核模块基于切换后的所述K-STACK调用所述K-SPACE中的内核代码。其中,上述页表中断事件是CPU在检测到目标内核模块针对内核空间K-SPACE中的内核代码的调用请求之后、且判断出隔离空间页表MPGT中未创建目标内核模块对K-SPACE中的内核代码的调用权限映射的情况下生成的,可见,目标内核模块无权限直接调用K-SPACE中的内核代码,能够避免目标内核模块在安全性未知的情况下肆意调用K-SPACE中的内核代码,有利于提升系统内核代码调用的安全性。It can be seen that, in the embodiment of the present invention, the VMM first captures the page table interrupt event, and secondly, when the VMM determines that the target kernel module has permission to invoke the kernel code in the K-SPACE through the pre-stored page table interrupt processing function, the VMM is based on the target. The kernel module calls the permission mapping of the kernel code in the K-SPACE, performs a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolated space stack M-STACK to the kernel space stack K-STACK, so that The target kernel module invokes the kernel code in the K-SPACE based on the K-STACK after the handover. The page table interrupt event is that after the CPU detects the call request of the target kernel module for the kernel code in the kernel space K-SPACE, and determines that the target kernel module is not created in the isolated space page table MPGT in the K-SPACE The kernel code's call permission mapping is generated. It can be seen that the target kernel module has no permission to directly call the kernel code in K-SPACE, which can avoid the target kernel module inadvertently calling the kernel code in K-SPACE if the security is unknown. It is beneficial to improve the security of system kernel code calls.
Moreover, because the VMM has a higher execution privilege than the virtual machine operating system, in a virtualized environment the VMM, with its higher privilege level, is isolated from the virtual machine in terms of execution privilege and cannot be attacked directly by the virtual machine.
Moreover, because the VMM is independent of the guest platform, it can isolate kernel modules of several guest operating systems of different types at the same time.
Optionally, in the embodiment of the present invention, before the VMM captures the page table interrupt event, the following operations may also be performed to create the isolation mechanism for the target kernel module:
the VMM maps the virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module that needs to be isolated, selected from the N kernel modules inserted into the virtual machine kernel space, and N is a positive integer greater than 1;
the VMM divides the virtual machine kernel space into the M-SPACE and the K-SPACE on the basis of the physical address distribution information;
the VMM marks the space page table of the virtual machine kernel space as the kernel-space page table KPGT, and creates the MPGT on the basis of the physical address distribution information.
Referring to FIG. 7, FIG. 7 is a schematic flowchart of a code calling method disclosed in an embodiment of the present invention. As shown in FIG. 7, the code calling method is described from the VMM side only and specifically includes the following steps:
S701: the VMM maps the virtual address distribution information of a target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module that needs to be isolated, selected from the N kernel modules inserted into the virtual machine kernel space, and N is a positive integer greater than 1;
S702: the VMM divides the virtual machine kernel space into the M-SPACE and the K-SPACE on the basis of the physical address distribution information;
S703: the VMM marks the space page table of the virtual machine kernel space as the kernel-space page table KPGT, and creates the MPGT on the basis of the physical address distribution information;
In the embodiment of the present invention, a call-permission mapping of the target kernel module to the kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to call the kernel code in the M-SPACE.
S704: the virtual machine monitor VMM captures a page table interrupt event, where the page table interrupt event is generated by the central processing unit CPU after it detects a call request by the target kernel module for kernel code in the kernel space K-SPACE and determines that no call-permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolated-space page table MPGT; the virtual machine kernel space corresponding to the VMM includes the K-SPACE and the isolated space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the running of the target kernel module;
S705: the VMM determines, by means of a pre-stored page table interrupt handler, whether the target kernel module has permission to call the kernel code in the K-SPACE;
S706: when the VMM determines by means of the pre-stored page table interrupt handler that the target kernel module has permission to call the kernel code in the K-SPACE, the VMM performs, according to the call-permission mapping of the target kernel module to the kernel code in the K-SPACE, a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolated-space stack M-STACK to the kernel-space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE on the basis of the switched K-STACK.
In the embodiment of the present invention, the VMM performs the page table switching operation specifically as follows:
the VMM switches the page table currently loaded by the VMM from the MPGT to the kernel-space page table KPGT, where the KPGT is used to support the running of the kernel modules in the K-SPACE, and the K-SPACE includes the basic kernel modules of the virtual machine kernel space, the kernel modules other than the target kernel module among the N kernel modules inserted into the virtual machine kernel space, and the KPGT, N being a positive integer greater than 1.
The VMM performs the stack switching operation specifically as follows:
the VMM copies the code parameters stored in the M-STACK that are to be passed to the kernel code in the K-SPACE, and the return address RIP used for calling the kernel code in the K-SPACE;
the VMM writes the code parameters and the RIP into the K-STACK;
the VMM moves the stack currently used by the virtual machine kernel space from the esp-old position to the esp-new position, where the esp-old position is the storage location of the RIP in the M-STACK and the esp-new position is the storage location of the RIP in the K-STACK.
It can be seen that, in the embodiment of the present invention, the VMM first captures the page table interrupt event; then, when the VMM determines by means of the pre-stored page table interrupt handler that the target kernel module has permission to call the kernel code in the K-SPACE, the VMM performs, according to the call-permission mapping of the target kernel module to the kernel code in the K-SPACE, a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolated-space stack M-STACK to the kernel-space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE on the basis of the switched K-STACK. The page table interrupt event is generated by the CPU after it detects a call request by the target kernel module for kernel code in the kernel space K-SPACE and determines that no call-permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolated-space page table MPGT. It can thus be seen that the target kernel module has no permission to call the kernel code in the K-SPACE directly, which prevents a target kernel module of unknown trustworthiness from calling the kernel code in the K-SPACE at will and improves the security of kernel code calls in the system.
Moreover, because the VMM has a higher execution privilege than the virtual machine operating system, in a virtualized environment the VMM, with its higher privilege level, is isolated from the virtual machine in terms of execution privilege and cannot be attacked directly by the virtual machine.
Moreover, because the VMM is independent of the guest platform, it can isolate kernel modules of several guest operating systems of different types at the same time.
Further optionally, in the embodiment of the present invention, after the target kernel module in step S706 has called the kernel code in the K-SPACE on the basis of the stack switched to the K-STACK, the code call execution flow needs to return from the K-SPACE to the target kernel module, which specifically includes the following process:
the kernel module to which the kernel code in the K-SPACE belongs executes the ret instruction on the CPU, requesting a return to the target kernel module;
the memory management module in the CPU detects the ret instruction and determines whether a call-permission mapping of the kernel module in the K-SPACE to the kernel code in the target kernel module has been created in the KPGT;
the memory management module in the CPU determines that no call-permission mapping of the kernel module in the K-SPACE to the kernel code in the target kernel module has been created in the KPGT, and generates a page table interrupt event M3;
the VMM captures the page table interrupt event M3 and, in response to it, determines by means of the pre-stored page table interrupt handler whether the kernel module in the K-SPACE has permission to call the kernel code of the target kernel module; if it determines that the permission exists, the VMM creates in the KPGT a call-permission mapping of the kernel module in the K-SPACE to the kernel code of the target kernel module, switches the currently loaded page table from the KPGT to the MPGT, and performs a stack switching operation to switch the stack loaded by the virtual machine kernel space from the kernel-space stack K-STACK back to the isolated-space stack M-STACK; at this point the execution flow has returned to the M-SPACE, and kernel code can continue to be called in the target kernel module.
Further optionally, in the embodiment of the present invention, after the VMM performs the stack switching operation, the following operation may also be performed: the VMM deletes the call-permission mapping, stored in the KPGT, of the kernel module in the K-SPACE to the kernel code in the M-SPACE.
Further optionally, in the embodiment of the present invention, after the VMM has deleted the call-permission mapping, stored in the KPGT, of the kernel module in the K-SPACE to the kernel code in the M-SPACE, a kernel module in the K-SPACE may request to call kernel code in the target kernel module; the specific execution process is as follows:
the CPU detects a code call instruction issued by the kernel module in the K-SPACE for the kernel code in the target kernel module, and determines whether a call-permission mapping of the kernel module in the K-SPACE to the kernel code of the target kernel module has been created in the KPGT;
the CPU determines that no call-permission mapping of the kernel module in the K-SPACE to the kernel code of the target kernel module has been created in the KPGT, and generates a page table interrupt event M1;
the VMM captures the page table interrupt event M1 and determines, by means of the pre-stored page table interrupt handler, whether the kernel module in the K-SPACE has permission to call the kernel code of the target kernel module; if it determines that the permission exists, the VMM switches, according to the call-permission mapping of the kernel module in the K-SPACE to the kernel code of the target kernel module, the page table currently loaded by the VMM from the KPGT to the MPGT, and performs a stack switching operation to switch the stack loaded by the virtual machine kernel space from the kernel-space stack K-STACK to the isolated-space stack M-STACK; at this point the code call execution flow of the system is in the M-SPACE and executes the kernel code of the target kernel module.
Further optionally, after the target kernel module in the M-SPACE has finished executing the kernel code called by the kernel module in the K-SPACE, the code call execution flow of the virtual machine needs to return from the target kernel module to the K-SPACE, which specifically includes the following steps:
the CPU detects the return instruction ret issued by the target kernel module and determines whether a call-permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the MPGT;
the CPU determines that no call-permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the MPGT, and generates a page table interrupt event M2;
the VMM captures the page table interrupt event M2 and determines, by means of the pre-stored page table interrupt handler, whether the target kernel module has permission to call the kernel code in the kernel module in the K-SPACE; if it determines that the permission exists, the VMM switches, according to the call-permission mapping of the target kernel module to the kernel code in the K-SPACE, the page table currently loaded by the VMM from the MPGT to the KPGT, and performs a stack switching operation to switch the stack loaded by the virtual machine kernel space from the isolated-space stack M-STACK to the kernel-space stack K-STACK; at this point the code call execution flow of the virtual machine has returned to the K-SPACE.
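The call-out path (steps S601 to S604 and S704 to S706) and the return path (event M3) described above, as an added software model written for this page; it is not the patent's implementation. The page table is reduced to a per-page execute permission, the CPU check to a lookup in the currently loaded table, and the VMM handler to the policy check followed by the MPGT to KPGT switch and the copy of the return address RIP and the code parameters from the esp-old slot on the M-STACK to the esp-new slot on the K-STACK. The page count, stack size, page numbers and the single-edge policy are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model, not the patent's code. NPAGES, STACK_WORDS, the page numbers
 * and the policy below are constructed assumptions. */
#define NPAGES       8
#define STACK_WORDS 16
#define PERM_NONE    0
#define PERM_EXEC    1

#define TARGET_MODULE_PAGE 1   /* target kernel module code, lives in M-SPACE */
#define KERNEL_API_PAGE    5   /* kernel code in K-SPACE the policy lets it call */

/* A page table here is only "which pages may execute while it is loaded". */
typedef struct { uint8_t exec[NPAGES]; } page_table;

typedef struct {
    page_table mpgt, kpgt;         /* isolated-space and kernel-space page tables */
    page_table *cur;               /* page table currently loaded */
    uint64_t m_stack[STACK_WORDS]; /* M-STACK */
    uint64_t k_stack[STACK_WORDS]; /* K-STACK */
    uint64_t *esp;                 /* current stack pointer */
    uint64_t *esp_old;             /* RIP slot on M-STACK, kept for the return path */
    int faults;                    /* page table interrupt events seen by the VMM */
} guest;

/* Preset permission judgement policy (constructed): one allowed call edge
 * and one allowed return edge. */
static bool policy_allows_call(int from_page, int to_page) {
    return from_page == TARGET_MODULE_PAGE && to_page == KERNEL_API_PAGE;
}
static bool policy_allows_return(int to_page) { return to_page == TARGET_MODULE_PAGE; }

void guest_init(guest *g) {
    memset(g, 0, sizeof *g);
    g->mpgt.exec[TARGET_MODULE_PAGE] = PERM_EXEC;                 /* MPGT maps M-SPACE code only */
    for (int p = 2; p < NPAGES; p++) g->kpgt.exec[p] = PERM_EXEC; /* KPGT maps K-SPACE code */
    g->cur = &g->mpgt;
    g->esp = g->m_stack + STACK_WORDS;                             /* empty stack, grows down */
}

/* VMM stack switch: copy RIP and nargs code parameters from the esp-old slot
 * on M-STACK to the esp-new slot on K-STACK, then move esp there. */
static void switch_stack_to_kstack(guest *g, int nargs) {
    uint64_t *esp_new = g->k_stack + STACK_WORDS - 1 - nargs;
    g->esp_old = g->esp;                                  /* RIP position in M-STACK */
    memcpy(esp_new, g->esp_old, (size_t)(nargs + 1) * sizeof(uint64_t));
    g->esp = esp_new;                                     /* RIP position in K-STACK */
}

/* CPU side of a call from from_page into to_page with one parameter. Returns
 * true if the call went through, directly or after VMM mediation. */
bool cpu_call(guest *g, int from_page, int to_page, uint64_t rip, uint64_t arg) {
    *--g->esp = arg;                    /* caller pushes the code parameter ... */
    *--g->esp = rip;                    /* ... and the call pushes the return address RIP */
    if (g->cur->exec[to_page] == PERM_EXEC) return true;  /* mapping exists: no event */
    g->faults++;                        /* page table interrupt event reaches the VMM */
    if (!policy_allows_call(from_page, to_page)) { g->esp += 2; return false; }
    g->cur = &g->kpgt;                  /* page table switch: MPGT -> KPGT */
    switch_stack_to_kstack(g, 1);       /* stack switch: M-STACK -> K-STACK */
    return true;
}

/* CPU side of a ret whose RIP lands on ret_page (event M3 when it is unmapped). */
bool cpu_ret(guest *g, int ret_page) {
    if (g->cur->exec[ret_page] == PERM_EXEC) { g->esp++; return true; } /* plain ret */
    g->faults++;
    if (!policy_allows_return(ret_page)) return false;
    g->kpgt.exec[ret_page] = PERM_EXEC; /* VMM creates the mapping in the KPGT */
    g->cur = &g->mpgt;                  /* page table switch: KPGT -> MPGT */
    g->esp = g->esp_old + 1;            /* back on M-STACK, RIP slot consumed by ret */
    g->kpgt.exec[ret_page] = PERM_NONE; /* optional step from the text: delete it again */
    return true;
}

int main(void) {
    guest g;
    guest_init(&g);
    bool ok = cpu_call(&g, TARGET_MODULE_PAGE, KERNEL_API_PAGE, 0x1000, 42);
    printf("call mediated: %d, table=%s, faults=%d\n", (int)ok,
           g.cur == &g.kpgt ? "KPGT" : "MPGT", g.faults);
    ok = cpu_ret(&g, TARGET_MODULE_PAGE);
    printf("return mediated: %d, table=%s, faults=%d\n", (int)ok,
           g.cur == &g.kpgt ? "KPGT" : "MPGT", g.faults);
    return 0;
}
```

The model leaves open which hardware event the VMM actually traps; the page only calls it a page table interrupt event, so the code simply counts it. The point it makes concrete is that a call from the isolated module never reaches K-SPACE code on the module's own stack: either the policy allows it and the VMM re-homes RIP and the parameters onto K-STACK under KPGT, or the pushed frame is discarded and the call fails.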
Referring to FIG. 8, FIG. 8 is a schematic structural diagram of a VMM disclosed in an embodiment of the present invention, used to control access by a target kernel module in the M-SPACE to kernel data in the K-SPACE. As shown in FIG. 8, the VMM includes an event capture unit 801, a permission judgement unit 802 and a permission creation unit 803, where
the event capture unit 801 is configured to capture a page table interrupt event, where the page table interrupt event is generated by the CPU after it detects an access request sent by the target kernel module for kernel data in the kernel space K-SPACE and determines that no access-permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolated-space page table MPGT; the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolated space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the running of the target kernel module;
In the embodiment of the present invention, an access-permission mapping of the target kernel module to the kernel data in the M-SPACE is created in the MPGT, so that the target kernel module has permission to access the kernel data in the M-SPACE.
the permission judgement unit 802 is configured to determine, by means of a pre-stored page table interrupt handler, whether the target kernel module has permission to access the kernel data in the K-SPACE;
the permission creation unit 803 is configured to create, in the MPGT, an access-permission mapping of the target kernel module to the kernel data in the K-SPACE when the permission judgement unit determines by means of the pre-stored page table interrupt handler that the target kernel module has permission to access the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
It can be understood that the functions of the functional modules of the VMM in the embodiment of the present invention may be implemented specifically according to the methods in the method embodiments above; for the specific implementation process, refer to the related description of the method embodiments above, which is not repeated here.
It can be seen that, in the embodiment of the present invention, the VMM first captures the page table interrupt event; next, the VMM determines by means of the pre-stored page table interrupt handler whether the target kernel module has permission to access the kernel data in the K-SPACE; finally, when the VMM determines by means of the pre-stored page table interrupt handler that the target kernel module has permission to access the kernel data in the K-SPACE, the VMM creates in the MPGT an access-permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE. Because the page table interrupt event is generated by the CPU after it detects the access request sent by the target kernel module for the kernel data in the kernel space K-SPACE and determines that no access-permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolated-space page table MPGT, it can be seen that the target kernel module has no permission to access the kernel data in the K-SPACE directly, which prevents a target kernel module of unknown trustworthiness from accessing the kernel data in the K-SPACE at will and improves the security of kernel data access in the system.
Moreover, because the VMM has a higher execution privilege than the virtual machine operating system, in a virtualized environment the VMM, with its higher privilege level, is isolated from the virtual machine in terms of execution privilege and cannot be attacked directly by the virtual machine.
Moreover, because the VMM is independent of the guest platform, it can isolate kernel modules of several guest operating systems of different types at the same time.
Optionally, in the embodiment of the present invention, the permission judgement unit 802 is specifically configured to:
obtain, by means of a pre-stored page table interrupt function, the preset permission judgement policy corresponding to the page table interrupt event, and obtain the virtual address distribution information of the kernel data in the K-SPACE;
determine the event type of the page table interrupt event;
determine, according to the preset permission judgement policy, the virtual address distribution information and the event type, whether the target kernel module has permission to access the kernel data in the K-SPACE.
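The permission judgement just described for unit 802 (policy, virtual address distribution information of the K-SPACE data, and event type), followed by the mapping creation of unit 803, as an added example in C written for this page; it is not code from the patent. The policy table, the K-SPACE data address ranges, the page size, the MPGT size and the read/write event types are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not the patent's code: the VMM's data-access permission
 * judgement and the subsequent access-permission mapping in the MPGT. All
 * addresses, sizes and policy entries below are constructed assumptions. */
#define PAGE_SHIFT 12
#define MPGT_PAGES 64
#define K_DATA_BASE 0xffff000000000000ULL   /* constructed K-SPACE data base */

/* Event type of the page table interrupt event, usable as permission bits. */
enum access_type { ACC_READ = 1, ACC_WRITE = 2 };

/* One entry of the preset permission judgement policy: a K-SPACE data range
 * (from the virtual address distribution information) and what the target
 * kernel module may do with it. */
typedef struct { uint64_t start, end; unsigned allowed; } policy_entry;

static const policy_entry policy[] = {
    { 0xffff000000010000ULL, 0xffff000000012000ULL, ACC_READ },            /* read-only table */
    { 0xffff000000020000ULL, 0xffff000000021000ULL, ACC_READ | ACC_WRITE }, /* shared buffer */
};

/* Isolated-space page table, modelled as per-page access bits indexed by the
 * page offset from K_DATA_BASE. */
typedef struct { uint8_t access[MPGT_PAGES]; } mpgt_t;

static size_t page_index(uint64_t va) {
    return (size_t)((va - K_DATA_BASE) >> PAGE_SHIFT);
}

/* Unit 802: judge the faulting address against policy and event type.
 * Returns the permission bits to grant, or 0 when the access is denied. */
unsigned judge_access(uint64_t fault_va, unsigned event_type) {
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (fault_va >= policy[i].start && fault_va < policy[i].end)
            return (policy[i].allowed & event_type) == event_type ? event_type : 0;
    }
    return 0;   /* address is in no known K-SPACE data range */
}

/* Unit 803: on a granted access, create the access-permission mapping in the
 * MPGT for the page that faulted. Returns false when the access is denied. */
bool handle_data_fault(mpgt_t *mpgt, uint64_t fault_va, unsigned event_type) {
    unsigned granted = judge_access(fault_va, event_type);
    if (!granted) return false;
    size_t idx = page_index(fault_va);
    if (idx >= MPGT_PAGES) return false;       /* outside the modelled table */
    mpgt->access[idx] |= (uint8_t)granted;     /* mapping now exists: no further event */
    return true;
}
```

Denied accesses leave the MPGT untouched, so the target kernel module keeps faulting on that data and every attempt stays visible to the VMM; only the exact (range, event type) pairs the policy names are ever mapped into the isolated-space page table.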
可选的,本发明实施例中,上述VMM还包括:Optionally, in the embodiment of the present invention, the foregoing VMM further includes:
地址映射单元,用于在所述事件捕获单元捕获页表中断事件之前之前,根据预存的所述虚拟机内核空间的空间页表将所述目标内核模块的虚拟地址分布信息映射为物理地址分布信息,其中,所述目标内核模块为从所述虚拟机内核空间中插入的N个内核模块中选取的需要被隔离的内核模块,所述N为正整数;An address mapping unit, configured to map virtual address distribution information of the target kernel module to physical address distribution information according to a pre-stored space page table of the virtual machine kernel space before the event capture unit captures a page table interrupt event The target kernel module is a kernel module selected from N kernel modules inserted in the virtual machine kernel space, and the N is a positive integer;
空间分隔单元,用于基于所述物理地址分布信息分隔所述虚拟机内核空间 为所述M-SPACE和所述K-SPACE;a space separating unit, configured to separate the virtual machine kernel space based on the physical address distribution information For the M-SPACE and the K-SPACE;
页表创建单元,用于标记所述虚拟机内核空间的空间页表为内核空间页表KPGT,并基于所述物理地址分布信息创建所述MPGT,其中,所述KPGT用于支持所述K-SPACE中的内核模块的运行,所述K-SPACE中的内核模块包括所述虚拟机内核空间中的基础内核模块和所述N个内核模块中除所述目标内核模块之外的内核模块。a page table creation unit, configured to mark a space page table of the virtual machine kernel space as a kernel space page table KPGT, and create the MPGT based on the physical address distribution information, wherein the KPGT is used to support the K- The kernel module in the SPACE includes a base kernel module in the virtual machine kernel space and a kernel module other than the target kernel module among the N kernel modules.
Referring to FIG. 9, FIG. 9 is a schematic structural diagram of a VMM disclosed in an embodiment of the present invention, used to control calls by a target kernel module in the M-SPACE to kernel code in the K-SPACE. As shown in FIG. 9, the VMM includes an event capture unit 901, a permission determination unit 902 and a switching unit 903, where:
the event capture unit 901 is configured to capture a page table interrupt event, where the page table interrupt event is generated by the central processing unit CPU after it detects a call request by the target kernel module for kernel code in the kernel space K-SPACE and determines that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolated space page table MPGT, where the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolated space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the running of the target kernel module;
In an embodiment of the present invention, a call permission mapping of the target kernel module to the kernel code in the M-SPACE is created in the above MPGT, so that the target kernel module has permission to call the kernel code in the M-SPACE.
the permission determination unit 902 is configured to determine, through a pre-stored page table interrupt handling function, whether the target kernel module has permission to call the kernel code in the K-SPACE;
the switching unit 903 is configured to, when the permission determination unit determines through the pre-stored page table interrupt handling function that the target kernel module has permission to call the kernel code in the K-SPACE, perform a page table switching operation and a stack switching operation according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, so as to switch the stack of the virtual machine kernel space from the isolated space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the switched K-STACK.
It can be seen that in the embodiment of the present invention the VMM first captures the page table interrupt event; then, when the VMM determines through the pre-stored page table interrupt handling function that the target kernel module has permission to call the kernel code in the K-SPACE, the VMM, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, performs a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolated space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the switched K-STACK. The above page table interrupt event is generated by the CPU after it detects a call request by the target kernel module for kernel code in the kernel space K-SPACE and determines that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolated space page table MPGT. It can therefore be seen that the target kernel module has no permission to call the kernel code in the K-SPACE directly, which prevents the target kernel module from arbitrarily calling kernel code in the K-SPACE while its security is unknown and helps improve the security of kernel code calls in the system.
At the same time, because the VMM runs with higher privilege than the virtual machine operating system, in a virtualized environment the VMM, with its higher privilege level, is isolated from the virtual machine in terms of execution privilege and cannot be attacked directly by the virtual machine.
At the same time, because the VMM is independent of the guest platform, it can simultaneously isolate kernel modules of multiple different types of guest operating systems.
Optionally, in an embodiment of the present invention, the above permission determination unit 902 is specifically configured to:
obtain, through a pre-stored page table interrupt function, the preset permission determination policy corresponding to the page table interrupt event, and obtain the virtual address distribution information of the kernel code in the K-SPACE;
determine, according to the obtained preset permission determination policy and the virtual address distribution information, whether the target kernel module has permission to access the kernel code in the K-SPACE.
Optionally, in an embodiment of the present invention, the above switching unit 903 is specifically configured to:
switch the page table currently loaded by the VMM from the MPGT to the kernel space page table KPGT, where the KPGT is used to support the running of the kernel modules in the K-SPACE, and the K-SPACE includes the base kernel modules of the virtual machine kernel space, those of the N kernel modules inserted into the virtual machine kernel space other than the target kernel module, and the KPGT, where N is a positive integer greater than 1.
Optionally, in an embodiment of the present invention, the above switching unit 903 is specifically configured to:
copy the code parameters stored in the M-STACK for passing to the kernel code in the K-SPACE and the return address RIP used for calling the kernel code in the K-SPACE;
write the code parameters and the RIP into the K-STACK;
change the stack currently used by the virtual machine kernel space from the esp-old position to the esp-new position, where the esp-old position is the storage position of the RIP in the M-STACK and the esp-new position is the storage position of the RIP in the K-STACK.
Optionally, in an embodiment of the present invention, the above VMM further includes:
an address mapping unit, configured to, before the event capture unit captures the page table interrupt event, map the virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module selected, from the N kernel modules inserted into the virtual machine kernel space, as needing to be isolated, and N is a positive integer greater than 1;
a space separation unit, configured to separate the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
a page table creation unit, configured to mark the space page table of the virtual machine kernel space as the kernel space page table KPGT and to create the MPGT based on the physical address distribution information.
Referring to FIG. 10, FIG. 10 is a schematic structural diagram of a VMM disclosed in an embodiment of the present invention. As shown in FIG. 10, the VMM may include at least one processor 1001, for example a CPU, at least one memory 1002 and at least one communication bus 1003. The communication bus 1003 is used to implement connection and communication between the processor 1001 and the memory 1002, where the memory 1002 may include high-speed RAM and may also include non-volatile memory, for example at least one disk memory.
In some implementations, the memory 1002 stores the following elements (executable modules or data structures, or a subset or extended set of them):
an operating system 10021, containing various system programs for implementing various basic services and handling hardware-based tasks;
application programs 10022, containing various application programs such as a device control service program and a device identification service program, for implementing various application services.
Specifically, the processor 1001 is configured to call the programs stored in the memory 1002 to perform the following operations:
the above processor 1001 captures a page table interrupt event, where the page table interrupt event is generated by the CPU after it detects an access request sent by the target kernel module for kernel data in the kernel space K-SPACE and determines that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolated space page table MPGT, where the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolated space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the running of the target kernel module;
In an embodiment of the present invention, an access permission mapping of the target kernel module to the kernel data in the M-SPACE is created in the above MPGT, so that the target kernel module has permission to access the kernel data in the M-SPACE.
the above processor 1001 determines, through a pre-stored page table interrupt handling function, whether the target kernel module has permission to access the kernel data in the K-SPACE;
when the above processor 1001 determines through the pre-stored page table interrupt handling function that the target kernel module has permission to access the kernel data in the K-SPACE, it creates in the MPGT the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
It can be seen that in the embodiment of the present invention the VMM first captures the page table interrupt event; next, the VMM determines through the pre-stored page table interrupt handling function whether the target kernel module has permission to access the kernel data in the K-SPACE; finally, when the VMM determines through the pre-stored page table interrupt handling function that the target kernel module has permission to access the kernel data in the K-SPACE, the VMM creates in the MPGT the access permission mapping of the target kernel module to the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE. Because the above page table interrupt event is generated by the CPU after it detects an access request sent by the target kernel module for kernel data in the kernel space K-SPACE and determines that no access permission mapping of the target kernel module to the kernel data in the K-SPACE has been created in the isolated space page table MPGT, it can be seen that the target kernel module has no permission to access the kernel data in the K-SPACE directly, which prevents the target kernel module from arbitrarily accessing kernel data in the K-SPACE while its security is unknown and helps improve the security of kernel data access in the system.
At the same time, because the VMM runs with higher privilege than the virtual machine operating system, in a virtualized environment the VMM, with its higher privilege level, is isolated from the virtual machine in terms of execution privilege and cannot be attacked directly by the virtual machine.
At the same time, because the VMM is independent of the guest platform, it can simultaneously isolate kernel modules of multiple different types of guest operating systems.
Optionally, in an embodiment of the present invention, the specific way in which the above processor 1001 determines through the pre-stored page table interrupt handling function whether the target kernel module has permission to access the kernel data in the K-SPACE is as follows: the processor 1001 first obtains, through a pre-stored page table interrupt function, the preset permission determination policy corresponding to the page table interrupt event, and obtains the virtual address distribution information of the kernel data in the K-SPACE; next, the processor 1001 determines the event type of the page table interrupt event; finally, the processor 1001 determines, according to the preset permission determination policy, the virtual address distribution information and the event type, whether the target kernel module has permission to access the kernel data in the K-SPACE.
Optionally, in an embodiment of the present invention, before the above processor 1001 captures the page table interrupt event, it may also perform the following operations to create a kernel space isolation mechanism for the target kernel module:
the above processor 1001 maps the virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module selected, from the N kernel modules inserted into the virtual machine kernel space, as needing to be isolated, and N is a positive integer;
the above processor 1001 separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
the above processor 1001 marks the space page table of the virtual machine kernel space as the kernel space page table KPGT and creates the MPGT based on the physical address distribution information, where the KPGT is used to support the running of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE include the base kernel modules of the virtual machine kernel space and those of the N kernel modules other than the target kernel module.
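The data access path described above (page table interrupt on an unmapped K-SPACE access, permission judgment from policy, virtual address distribution and event type, then creation of the mapping in MPGT), as an added C model that is not the patent's implementation. The page tables are flat entry lists, the K-SPACE data regions, their addresses and the policy that tags each region with permitted event types are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not the patent's implementation: a page table is a
 * flat list of (virtual page number, permission bits) entries. */
#define PAGE_SHIFT  12
#define MAX_ENTRIES 64

enum perm       { PERM_READ = 1, PERM_WRITE = 2 };
enum event_type { EV_READ = 1, EV_WRITE = 2 };   /* event type of the page table interrupt */

struct pte        { uint64_t vpn; unsigned perms; };
struct page_table { struct pte e[MAX_ENTRIES]; size_t n; };

static struct pte *pt_lookup(struct page_table *pt, uint64_t va)
{
    uint64_t vpn = va >> PAGE_SHIFT;
    for (size_t i = 0; i < pt->n; i++)
        if (pt->e[i].vpn == vpn)
            return &pt->e[i];
    return NULL;
}

/* Virtual address distribution of the K-SPACE kernel data: constructed
 * regions, each tagged with the event types the preset policy permits the
 * isolated module to perform on it. Addresses and names are made up. */
struct kdata_region { uint64_t start, end; unsigned allowed; const char *name; };

static const struct kdata_region KDATA[] = {
    { 0xffff880000100000ULL, 0xffff880000110000ULL, EV_READ,            "read-only kernel tables" },
    { 0xffff880000200000ULL, 0xffff880000210000ULL, EV_READ | EV_WRITE, "shared buffers"          },
    { 0xffff880000300000ULL, 0xffff880000310000ULL, 0,                  "credential structures"   },
};

/* Preset permission judgment policy (constructed): an event type is allowed
 * on a region only if the region's tag lists it; an address outside the
 * known distribution is always denied. */
static bool policy_allows(uint64_t fault_va, enum event_type ev)
{
    for (size_t i = 0; i < sizeof KDATA / sizeof KDATA[0]; i++)
        if (fault_va >= KDATA[i].start && fault_va < KDATA[i].end)
            return (KDATA[i].allowed & ev) != 0;
    return false;
}

/* CPU side: the module runs on MPGT; an access to a page with no mapping, or
 * without the needed permission bit, raises the page table interrupt. */
static bool access_faults(struct page_table *mpgt, uint64_t va, enum event_type ev)
{
    const struct pte *p = pt_lookup(mpgt, va);
    unsigned need = (ev == EV_WRITE) ? PERM_WRITE : PERM_READ;
    return p == NULL || (p->perms & need) == 0;
}

/* VMM side: the page table interrupt handler. Applies the policy to the
 * faulting address and event type; on success creates (or widens) the
 * module's access permission mapping in MPGT. Returns whether access was
 * granted; on denial MPGT is left untouched. */
static bool handle_data_fault(struct page_table *mpgt, uint64_t va, enum event_type ev)
{
    if (!policy_allows(va, ev))
        return false;
    unsigned perms = (ev == EV_WRITE) ? (PERM_READ | PERM_WRITE) : PERM_READ;
    struct pte *p = pt_lookup(mpgt, va);
    if (p != NULL) {
        p->perms |= perms;
        return true;
    }
    if (mpgt->n >= MAX_ENTRIES)
        return false;
    mpgt->e[mpgt->n].vpn = va >> PAGE_SHIFT;
    mpgt->e[mpgt->n].perms = perms;
    mpgt->n++;
    return true;
}

/* One access by the isolated module, end to end: no trap if MPGT already
 * maps the page with the needed permission, otherwise trap into the VMM. */
static bool module_access(struct page_table *mpgt, uint64_t va, enum event_type ev)
{
    if (!access_faults(mpgt, va, ev))
        return true;
    return handle_data_fault(mpgt, va, ev);
}

int main(void)
{
    struct page_table mpgt = { .n = 0 };
    printf("read tables : %s\n", module_access(&mpgt, 0xffff880000100008ULL, EV_READ)  ? "granted" : "denied");
    printf("write tables: %s\n", module_access(&mpgt, 0xffff880000100008ULL, EV_WRITE) ? "granted" : "denied");
    printf("read creds  : %s\n", module_access(&mpgt, 0xffff880000300010ULL, EV_READ)  ? "granted" : "denied");
    printf("MPGT entries: %zu\n", mpgt.n);
    return 0;
}
```

A second access to an already granted page does not fault again, so the VMM only pays the interrupt cost once per page and permission.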
Referring to FIG. 11, FIG. 11 is a schematic structural diagram of a code calling apparatus disclosed in an embodiment of the present invention. As shown in FIG. 11, the code calling apparatus may include at least one processor 1001, for example a CPU, at least one memory 1002 and at least one communication bus 1003. The communication bus 1003 is used to implement connection and communication between the processor 1001 and the memory 1002, where the memory 1002 may include high-speed RAM and may also include non-volatile memory, for example at least one disk memory.
In some implementations, the memory 1002 stores the following elements (executable modules or data structures, or a subset or extended set of them):
an operating system 10021, containing various system programs for implementing various basic services and handling hardware-based tasks;
application programs 10022, containing various application programs such as a device control service program and a device identification service program, for implementing various application services.
Specifically, the processor 1001 is configured to call the programs stored in the memory 1002 to perform the following operations:
the above processor 1001 captures a page table interrupt event, where the page table interrupt event is generated by the central processing unit CPU after it detects a call request by the target kernel module for kernel code in the kernel space K-SPACE and determines that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolated space page table MPGT, where the virtual machine kernel space corresponding to the VMM includes the K-SPACE and an isolated space M-SPACE, the M-SPACE includes the target kernel module and the MPGT, and the MPGT is used to support the running of the target kernel module;
In an embodiment of the present invention, a call permission mapping of the target kernel module to the kernel code in the M-SPACE is created in the above MPGT, so that the target kernel module has permission to call the kernel code in the M-SPACE.
the above processor 1001 determines, through a pre-stored page table interrupt handling function, whether the target kernel module has permission to call the kernel code in the K-SPACE;
when the VMM determines through the pre-stored page table interrupt handling function that the target kernel module has permission to call the kernel code in the K-SPACE, the above processor 1001 performs, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolated space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the switched K-STACK.
Optionally, in an embodiment of the present invention, the VMM first captures the page table interrupt event; then, when the VMM determines through the pre-stored page table interrupt handling function that the target kernel module has permission to call the kernel code in the K-SPACE, the VMM, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, performs a page table switching operation and a stack switching operation to switch the stack of the virtual machine kernel space from the isolated space stack M-STACK to the kernel space stack K-STACK, so that the target kernel module calls the kernel code in the K-SPACE based on the switched K-STACK. The above page table interrupt event is generated by the CPU after it detects a call request by the target kernel module for kernel code in the kernel space K-SPACE and determines that no call permission mapping of the target kernel module to the kernel code in the K-SPACE has been created in the isolated space page table MPGT. It can therefore be seen that the target kernel module has no permission to call the kernel code in the K-SPACE directly, which prevents the target kernel module from arbitrarily calling kernel code in the K-SPACE while its security is unknown and helps improve the security of kernel code calls in the system.
At the same time, because the VMM runs with higher privilege than the virtual machine operating system, in a virtualized environment the VMM, with its higher privilege level, is isolated from the virtual machine in terms of execution privilege and cannot be attacked directly by the virtual machine.
At the same time, because the VMM is independent of the guest platform, it can simultaneously isolate kernel modules of multiple different types of guest operating systems.
Optionally, in an embodiment of the present invention, before the above processor 1001 captures the page table interrupt event, it may also perform the following operations to create an isolation mechanism for the target kernel module:
the above processor 1001 maps the virtual address distribution information of the target kernel module to physical address distribution information according to the pre-stored space page table of the virtual machine kernel space, where the target kernel module is a kernel module selected, from the N kernel modules inserted into the virtual machine kernel space, as needing to be isolated, and N is a positive integer greater than 1;
the above processor 1001 separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
the above processor 1001 marks the space page table of the virtual machine kernel space as the kernel space page table KPGT and creates the MPGT based on the physical address distribution information.
Optionally, in an embodiment of the present invention, the specific way in which the above processor 1001 determines through the pre-stored page table interrupt handling function whether the target kernel module has permission to call the kernel code in the K-SPACE is as follows: the above processor 1001 obtains, through a pre-stored page table interrupt function, the preset permission determination policy corresponding to the page table interrupt event, and obtains the virtual address distribution information of the kernel code in the K-SPACE; it then determines, according to the obtained preset permission determination policy and the virtual address distribution information, whether the target kernel module has permission to access the kernel code in the K-SPACE.
Optionally, in an embodiment of the present invention, the specific way in which the above processor 1001 performs the page table switching operation is as follows: the above processor 1001 switches the page table currently loaded by the VMM from the MPGT to the kernel space page table KPGT, where the KPGT is used to support the running of the kernel modules in the K-SPACE, and the K-SPACE includes the base kernel modules of the virtual machine kernel space, those of the N kernel modules inserted into the virtual machine kernel space other than the target kernel module, and the KPGT, where N is a positive integer greater than 1.
Optionally, in an embodiment of the present invention, the specific way in which the above processor 1001 performs the stack switching operation is as follows: the above processor 1001 copies the code parameters stored in the M-STACK for passing to the kernel code in the K-SPACE and the return address RIP used for calling the kernel code in the K-SPACE; writes the code parameters and the RIP into the K-STACK; and changes the stack currently used by the virtual machine kernel space from the esp-old position to the esp-new position, where the esp-old position is the storage position of the RIP in the M-STACK and the esp-new position is the storage position of the RIP in the K-STACK.
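The code call path described above (page table switch from MPGT to KPGT, then stack switch from esp-old in M-STACK to esp-new in K-STACK), as an added C model that is not the patent's implementation. It assumes the permission check has already passed; the loaded page table is reduced to a tag, each stack is a downward-growing array of 64-bit words, and the code parameters and return address are constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not the patent's implementation. */
enum loaded_pt { PT_MPGT, PT_KPGT };

#define STACK_WORDS 32

/* Downward-growing stack of 64-bit words; sp indexes the top word. */
struct stack { uint64_t w[STACK_WORDS]; size_t sp; };

struct vcpu {
    enum loaded_pt pt;      /* page table currently loaded (MPGT or KPGT) */
    struct stack m_stack;   /* M-STACK: used while the isolated module runs */
    struct stack k_stack;   /* K-STACK: used by kernel code in the K-SPACE */
    struct stack *cur;      /* stack currently in use */
    size_t rip_pos;         /* esp-old / esp-new: index of the RIP word */
};

static void push(struct stack *s, uint64_t v) { s->w[--s->sp] = v; }

static void vcpu_init(struct vcpu *v)
{
    memset(v, 0, sizeof *v);
    v->m_stack.sp = v->k_stack.sp = STACK_WORDS;
    v->pt = PT_MPGT;
    v->cur = &v->m_stack;
}

/* The module, running on MPGT, sets up a call into the K-SPACE: the nargs
 * code parameters are pushed right to left, then the return address RIP,
 * as a CALL instruction would leave them on M-STACK. The attempt to run
 * K-SPACE code then raises the page table interrupt (not modeled here). */
static void module_prepare_call(struct vcpu *v, const uint64_t *args, size_t nargs, uint64_t rip)
{
    for (size_t i = nargs; i-- > 0;)
        push(&v->m_stack, args[i]);
    push(&v->m_stack, rip);
    v->cur = &v->m_stack;
    v->rip_pos = v->m_stack.sp;     /* esp-old */
}

/* Switching unit, run after the permission check has passed: page table
 * switch MPGT -> KPGT, then stack switch M-STACK -> K-STACK. Returns false
 * if the vCPU is not in the expected state or K-STACK has no room. */
static bool switch_to_kspace(struct vcpu *v, size_t nargs)
{
    if (v->pt != PT_MPGT || v->cur != &v->m_stack)
        return false;
    if (v->rip_pos + 1 + nargs > STACK_WORDS || v->k_stack.sp < nargs + 1)
        return false;

    /* copy the RIP and the code parameters sitting above it out of M-STACK */
    uint64_t rip = v->m_stack.w[v->rip_pos];
    const uint64_t *params = &v->m_stack.w[v->rip_pos + 1];

    /* write them into K-STACK in the same layout (parameters, then RIP) */
    for (size_t i = nargs; i-- > 0;)
        push(&v->k_stack, params[i]);
    push(&v->k_stack, rip);

    v->pt = PT_KPGT;                /* page table switch */
    v->cur = &v->k_stack;           /* stack switch: esp-old -> esp-new */
    v->rip_pos = v->k_stack.sp;     /* esp-new */
    return true;
}

/* What the K-SPACE callee sees at [esp + 8*k]; k == 0 is the RIP. */
static uint64_t stack_word(const struct vcpu *v, size_t k)
{
    return v->cur->w[v->rip_pos + k];
}

int main(void)
{
    struct vcpu v;
    uint64_t args[] = { 0x11, 0x22, 0x33 };   /* constructed code parameters */
    vcpu_init(&v);
    module_prepare_call(&v, args, 3, 0xffffffffa0001234ULL);   /* constructed RIP */
    printf("before: pt=%s rip_pos=%zu\n", v.pt == PT_MPGT ? "MPGT" : "KPGT", v.rip_pos);
    if (switch_to_kspace(&v, 3))
        printf("after : pt=%s rip_pos=%zu rip=%#llx arg0=%#llx\n",
               v.pt == PT_MPGT ? "MPGT" : "KPGT", v.rip_pos,
               (unsigned long long)stack_word(&v, 0), (unsigned long long)stack_word(&v, 1));
    return 0;
}
```

Because M-STACK is left untouched, the callee never reads or writes the module's own stack pages while running on KPGT, which is what keeps the two spaces separated across the call.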
A person of ordinary skill in the art can understand that all or some of the steps of the methods in the above embodiments may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, and the storage medium may include a flash disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk or an optical disc.
The module isolation, data access and code calling methods, related apparatus and system disclosed in the embodiments of the present invention have been described in detail above. Specific examples have been used herein to explain the principles and implementations of the present invention; the description of the above embodiments is only intended to help understand the method of the present invention and its core idea. At the same time, a person of ordinary skill in the art may, based on the idea of the present invention, make changes to the specific implementations and scope of application. In summary, the content of this specification should not be understood as limiting the present invention.

Claims (20)

  1. 一种数据访问方法,其特征在于,包括:A data access method, comprising:
    虚拟机监视器VMM捕获页表中断事件,所述页表中断事件是由中央处理单元CPU在检测到目标内核模块发送的针对内核空间K-SPACE中的内核数据的访问请求之后、且判断出隔离空间页表MPGT中未创建所述目标内核模块对所述K-SPACE中的内核数据的访问权限映射的情况下产生的,其中,所述VMM对应的虚拟机内核空间包括所述K-SPACE和隔离空间M-SPACE,所述M-SPACE包括所述目标内核模块和所述MPGT,所述MPGT用于支持所述目标内核模块的运行;The virtual machine monitor VMM captures a page table interrupt event, which is determined by the central processing unit CPU after detecting the access request for the kernel data in the kernel space K-SPACE sent by the target kernel module. The virtual page kernel space corresponding to the kernel data in the K-SPACE is not created in the space page table MPGT, wherein the virtual machine kernel space corresponding to the VMM includes the K-SPACE and An isolation space M-SPACE, the M-SPACE including the target kernel module and the MPGT, the MPGT being used to support operation of the target kernel module;
    所述VMM通过预存的页表中断处理函数判断所述目标内核模块是否有权限访问所述K-SPACE中的内核数据;The VMM determines, by using a pre-stored page table interrupt processing function, whether the target kernel module has permission to access kernel data in the K-SPACE;
    当所述VMM通过预存的页表中断处理函数判断出所述目标内核模块有权限访问所述K-SPACE中的内核数据时,所述VMM在所述MPGT中创建所述目标内核模块对所述K-SPACE中的内核数据的访问权限映射,以使得所述目标内核模块有权限访问所述K-SPACE中的内核数据。When the VMM determines, by the pre-stored page table interrupt processing function, that the target kernel module has permission to access kernel data in the K-SPACE, the VMM creates the target kernel module in the MPGT to The access rights mapping of kernel data in K-SPACE is such that the target kernel module has access to the kernel data in the K-SPACE.
  2. 根据权利要求1所述的数据访问方法,其特征在于,所述VMM通过预存的页表中断处理函数判断所述目标内核模块是否有权限访问所述K-SPACE中的内核数据,包括:The data access method according to claim 1, wherein the VMM determines, by the pre-stored page table interrupt processing function, whether the target kernel module has permission to access kernel data in the K-SPACE, including:
    所述VMM通过预存的页表中断函数获取所述页表中断事件对应的预设权限判断策略,并获取所述K-SPACE中的内核数据的虚拟地址分布信息;The VMM obtains a preset permission judgment policy corresponding to the page table interrupt event by using a pre-stored page table interrupt function, and acquires virtual address distribution information of the kernel data in the K-SPACE;
    所述VMM确定所述页表中断事件的事件类型;Determining, by the VMM, an event type of the page table interrupt event;
    所述VMM根据所述预设权限判断策略、所述虚拟地址分布信息以及所述事件类型判断所述目标内核模块是否有权限访问所述K-SPACE中的内核数据。The VMM determines, according to the preset authority determination policy, the virtual address distribution information, and the event type, whether the target kernel module has permission to access kernel data in the K-SPACE.
  3. The data access method according to claim 1 or 2, wherein before the VMM captures the page table interrupt event, the method further comprises:
    the VMM maps virtual address distribution information of the target kernel module to physical address distribution information according to a pre-stored space page table of the virtual machine kernel space, wherein the target kernel module is a kernel module that needs to be isolated, selected from N kernel modules inserted into the virtual machine kernel space, N being a positive integer;
    the VMM separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
    the VMM marks the space page table of the virtual machine kernel space as a kernel space page table (KPGT) and creates the MPGT based on the physical address distribution information, wherein the KPGT is used to support operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE comprise the basic kernel modules of the virtual machine kernel space and those of the N kernel modules other than the target kernel module.
  4. The data access method according to any one of claims 1 to 3, wherein an access permission mapping of the target kernel module to kernel data in the M-SPACE is created in the MPGT, so that the target kernel module has permission to access the kernel data in the M-SPACE.
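The data-access path of claims 1 to 4 (the target module's access is checked against the MPGT, an unmapped K-SPACE page raises a page table interrupt, the VMM's handler combines the preset policy, the virtual address distribution of the kernel data and the event type, and on success the access permission mapping is created in the MPGT) is modelled below as a user-space C program. This is an added example written for this page, not code from the patent or from Huawei; the toy page tables, the permission policy, the address layout and the names (vmm_t, module_access, demo_vmm) are assumptions constructed for the demonstration.

```c
/* Added example (not from the patent): a user-space C model of the claimed
   data-access path.  The page tables, the permission policy, the address
   layout and all numbers are assumptions constructed for the demonstration. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define NPAGES     64            /* toy guest kernel space: 64 pages */

enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };                    /* page permission bits */
enum { EV_READ = PERM_R, EV_WRITE = PERM_W, EV_EXEC = PERM_X }; /* page table interrupt event types */

/* toy page table: one permission byte per page, 0 = no mapping */
typedef struct { uint8_t perm[NPAGES]; } pgt_t;

/* preset permission policy: K-SPACE kernel-data ranges and the access kinds allowed */
typedef struct { uint64_t start, end; uint8_t allowed; } policy_rule_t;

typedef struct {
    pgt_t kpgt;                      /* KPGT: the full kernel view */
    pgt_t mpgt;                      /* MPGT: the target module's view */
    uint64_t kdata_start, kdata_end; /* virtual address distribution of K-SPACE kernel data */
    const policy_rule_t *rules;
    size_t nrules;
    unsigned faults_denied, mappings_created;
} vmm_t;

/* CPU side: the module's access is checked against the MPGT; a missing
   permission raises the page table interrupt that the VMM captures */
static bool cpu_mpgt_permits(const vmm_t *v, uint64_t va, int ev) {
    uint64_t pfn = va >> PAGE_SHIFT;
    return pfn < NPAGES && (v->mpgt.perm[pfn] & ev) == ev;
}

/* VMM side: the pre-stored page table interrupt handler.  It combines the
   policy, the address distribution of the kernel data and the event type. */
static bool vmm_check_permission(const vmm_t *v, uint64_t va, int ev) {
    if (va < v->kdata_start || va >= v->kdata_end) return false; /* not K-SPACE kernel data */
    for (size_t i = 0; i < v->nrules; i++)
        if (va >= v->rules[i].start && va < v->rules[i].end)
            return (v->rules[i].allowed & ev) == ev;
    return false;                                                /* no rule: default deny */
}

/* Full path for one access.  On an allowed fault the VMM creates the access
   permission mapping in the MPGT, so the next access to that page does not fault. */
static bool module_access(vmm_t *v, uint64_t va, int ev) {
    if (cpu_mpgt_permits(v, va, ev)) return true;                /* already mapped: no exit to the VMM */
    if (!vmm_check_permission(v, va, ev)) { v->faults_denied++; return false; }
    uint64_t pfn = va >> PAGE_SHIFT;
    if (pfn >= NPAGES || !(v->kpgt.perm[pfn] & ev)) { v->faults_denied++; return false; } /* KPGT must back it */
    v->mpgt.perm[pfn] |= (uint8_t)ev;                            /* grant only the access kind requested */
    v->mappings_created++;
    return true;
}

/* constructed layout: kernel data at pages 16..31, target module at pages 48..55 */
static const policy_rule_t demo_rules[] = {
    { 0x10000, 0x14000, PERM_R },          /* four pages: read only */
    { 0x14000, 0x15000, PERM_R | PERM_W }, /* one page: read and write */
};

static vmm_t demo_vmm(void) {
    vmm_t v;
    memset(&v, 0, sizeof v);
    for (size_t p = 0; p < 48; p++)  v.kpgt.perm[p] = PERM_R | PERM_W | PERM_X; /* K-SPACE in the KPGT */
    for (size_t p = 48; p < 56; p++) v.mpgt.perm[p] = PERM_R | PERM_W | PERM_X; /* M-SPACE in the MPGT (claim 4) */
    v.kdata_start = 0x10000; v.kdata_end = 0x20000;
    v.rules = demo_rules; v.nrules = sizeof demo_rules / sizeof demo_rules[0];
    return v;
}

int main(void) {
    vmm_t v = demo_vmm();
    printf("read  0x10100: %d\n", module_access(&v, 0x10100, EV_READ));  /* fault, allowed, mapping created */
    printf("read  0x10200: %d\n", module_access(&v, 0x10200, EV_READ));  /* same page: no fault */
    printf("write 0x10100: %d\n", module_access(&v, 0x10100, EV_WRITE)); /* policy says read only: denied */
    printf("write 0x14010: %d\n", module_access(&v, 0x14010, EV_WRITE)); /* allowed */
    printf("read  0x18000: %d\n", module_access(&v, 0x18000, EV_READ));  /* no rule: denied */
    printf("mappings=%u denied=%u\n", v.mappings_created, v.faults_denied);
    return 0;
}
```

Two details matter for the isolation guarantee and are visible in the model: the mapping created in the MPGT carries only the access kind the policy permitted, so a granted read does not silently turn a later write on the same page into a non-faulting access; and an address outside the kernel-data distribution, or inside it but without a policy rule, is denied by default, so a gap in the policy fails closed rather than open.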
  5. A virtual machine monitor (VMM), comprising:
    an event capture unit, configured to capture a page table interrupt event, the page table interrupt event being generated by a CPU after the CPU detects an access request, sent by a target kernel module, for kernel data in a kernel space (K-SPACE) and determines that an access permission mapping of the target kernel module to the kernel data in the K-SPACE has not been created in an isolation space page table (MPGT), wherein the virtual machine kernel space corresponding to the VMM comprises the K-SPACE and an isolation space (M-SPACE), the M-SPACE comprises the target kernel module and the MPGT, and the MPGT is used to support operation of the target kernel module;
    a permission determination unit, configured to determine, by means of a pre-stored page table interrupt handling function, whether the target kernel module has permission to access the kernel data in the K-SPACE;
    a permission creation unit, configured to create, in the MPGT, the access permission mapping of the target kernel module to the kernel data in the K-SPACE when the permission determination unit determines, by means of the pre-stored page table interrupt handling function, that the target kernel module has permission to access the kernel data in the K-SPACE, so that the target kernel module has permission to access the kernel data in the K-SPACE.
  6. The VMM according to claim 5, wherein the permission determination unit is specifically configured to:
    obtain, by means of the pre-stored page table interrupt function, a preset permission determination policy corresponding to the page table interrupt event, and obtain virtual address distribution information of the kernel data in the K-SPACE;
    determine an event type of the page table interrupt event;
    determine, according to the preset permission determination policy, the virtual address distribution information and the event type, whether the target kernel module has permission to access the kernel data in the K-SPACE.
  7. The VMM according to claim 5 or 6, wherein the VMM further comprises:
    an address mapping unit, configured to, before the event capture unit captures the page table interrupt event, map virtual address distribution information of the target kernel module to physical address distribution information according to a pre-stored space page table of the virtual machine kernel space, wherein the target kernel module is a kernel module that needs to be isolated, selected from N kernel modules inserted into the virtual machine kernel space, N being a positive integer;
    a space separation unit, configured to separate the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
    a page table creation unit, configured to mark the space page table of the virtual machine kernel space as a kernel space page table (KPGT) and to create the MPGT based on the physical address distribution information, wherein the KPGT is used to support operation of the kernel modules in the K-SPACE, and the kernel modules in the K-SPACE comprise the basic kernel modules of the virtual machine kernel space and those of the N kernel modules other than the target kernel module.
  8. The VMM according to any one of claims 5 to 7, wherein an access permission mapping of the target kernel module to kernel data in the M-SPACE is created in the MPGT, so that the target kernel module has permission to access the kernel data in the M-SPACE.
  9. A code calling method, comprising:
    a virtual machine monitor (VMM) captures a page table interrupt event, the page table interrupt event being generated by a central processing unit (CPU) after the CPU detects a call request, from a target kernel module, for kernel code in a kernel space (K-SPACE) and determines that a call permission mapping of the target kernel module to the kernel code in the K-SPACE has not been created in an isolation space page table (MPGT), wherein the virtual machine kernel space corresponding to the VMM comprises the K-SPACE and an isolation space (M-SPACE), the M-SPACE comprises the target kernel module and the MPGT, and the MPGT is used to support operation of the target kernel module;
    the VMM determines, by means of a pre-stored page table interrupt handling function, whether the target kernel module has permission to call the kernel code in the K-SPACE;
    when the VMM determines, by means of the pre-stored page table interrupt handling function, that the target kernel module has permission to call the kernel code in the K-SPACE, the VMM performs, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, a page table switching operation and a stack switching operation so as to switch the stack of the virtual machine kernel space from an isolation space stack (M-STACK) to a kernel space stack (K-STACK), so that the target kernel module calls the kernel code in the K-SPACE based on the K-STACK after the switch.
  10. The code calling method according to claim 9, wherein the VMM determining, by means of the pre-stored page table interrupt handling function, whether the target kernel module has permission to call the kernel code in the K-SPACE comprises:
    the VMM obtains, by means of the pre-stored page table interrupt function, a preset permission determination policy corresponding to the page table interrupt event, and obtains virtual address distribution information of the kernel code in the K-SPACE;
    the VMM determines, according to the obtained preset permission determination policy and the virtual address distribution information, whether the target kernel module has permission to access the kernel code in the K-SPACE.
  11. The code calling method according to claim 9 or 10, wherein the VMM performing the page table switching operation comprises:
    the VMM switches the page table currently loaded by the VMM from the MPGT to a kernel space page table (KPGT), wherein the KPGT is used to support operation of the kernel modules in the K-SPACE, and the K-SPACE comprises the basic kernel modules of the virtual machine kernel space, those of the N kernel modules inserted into the virtual machine kernel space other than the target kernel module, and the KPGT, N being a positive integer greater than 1.
  12. The code calling method according to any one of claims 9 to 11, wherein the VMM performing the stack switching operation comprises:
    the VMM copies the code parameters stored in the M-STACK that are to be passed to the kernel code in the K-SPACE, and the return address (RIP) for the call to the kernel code in the K-SPACE;
    the VMM writes the code parameters and the RIP into the K-STACK;
    the VMM changes the stack currently used by the virtual machine kernel space from an esp-old position to an esp-new position, wherein the esp-old position is the storage position of the RIP in the M-STACK and the esp-new position is the storage position of the RIP in the K-STACK.
  13. The code calling method according to any one of claims 9 to 12, wherein before the VMM captures the page table interrupt event, the method further comprises:
    the VMM maps virtual address distribution information of the target kernel module to physical address distribution information according to a pre-stored space page table of the virtual machine kernel space, wherein the target kernel module is a kernel module that needs to be isolated, selected from N kernel modules inserted into the virtual machine kernel space, N being a positive integer greater than 1;
    the VMM separates the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
    the VMM marks the space page table of the virtual machine kernel space as a kernel space page table (KPGT) and creates the MPGT based on the physical address distribution information.
  14. The code calling method according to any one of claims 9 to 13, wherein a call permission mapping of the target kernel module to kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to call the kernel code in the M-SPACE.
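The code-call path of claims 9 to 14, in which the VMM checks a call-permission policy for the faulting K-SPACE entry point and then switches the loaded page table from the MPGT to the KPGT and the stack from the M-STACK to the K-STACK, copying the call parameters and the return address RIP so that esp moves from the RIP's slot in the M-STACK (esp-old) to the RIP's slot in the K-STACK (esp-new), is modelled below as a user-space C program. This is an added example written for this page, not code from the patent or from Huawei; the stack-based parameter passing, the allow-list of callable entry points, all addresses and the names (cpu_state_t, module_prepare_call, vmm_handle_call) are assumptions constructed for the demonstration.

```c
/* Added example (not from the patent): a user-space C model of the claimed
   code-call path.  The VMM traps the module's call into K-SPACE, checks the
   call-permission policy, then switches page table MPGT -> KPGT and stack
   M-STACK -> K-STACK, copying the call parameters and the return address RIP.
   The stack-passed calling convention, the allow-list and all addresses are
   assumptions made for the demonstration. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STACK_WORDS 32
enum { PGT_MPGT, PGT_KPGT };   /* which page table is loaded */
enum { STACK_M, STACK_K };     /* which stack the guest kernel is using */

/* constructed addresses: a kernel entry point the policy permits, one it does
   not, and the module-side return address */
#define KFUNC_ALLOWED 0xffffffff81020000ULL
#define KFUNC_DENIED  0xffffffff81030000ULL
#define RIP_MODULE    0xffffffffa0001234ULL

typedef struct {
    uint64_t words[STACK_WORDS];
    size_t sp;                 /* index of the top word; the stack grows downward */
} stack_t;

typedef struct {
    stack_t mstack, kstack;    /* M-STACK and K-STACK */
    int cur_pgt;
    int cur_stack;
    size_t esp;                /* esp-old before the switch, esp-new after it */
} cpu_state_t;

static void stack_push(stack_t *s, uint64_t v) { s->words[--s->sp] = v; }

/* call permission mapping: the K-SPACE code the target module may call (assumed list) */
static const uint64_t call_allow[] = { KFUNC_ALLOWED };

static bool vmm_call_permitted(uint64_t target) {
    for (size_t i = 0; i < sizeof call_allow / sizeof call_allow[0]; i++)
        if (call_allow[i] == target) return true;
    return false;
}

/* Module side: push nargs parameters and then the return address on the
   M-STACK, as a stack-based call would.  The call into K-SPACE then faults
   because the target is not mapped in the MPGT. */
static cpu_state_t module_prepare_call(const uint64_t *args, size_t nargs) {
    cpu_state_t c;
    memset(&c, 0, sizeof c);
    c.mstack.sp = c.kstack.sp = STACK_WORDS;
    c.cur_pgt = PGT_MPGT;
    c.cur_stack = STACK_M;
    for (size_t i = nargs; i-- > 0; ) stack_push(&c.mstack, args[i]); /* last parameter deepest */
    stack_push(&c.mstack, RIP_MODULE);  /* RIP on top */
    c.esp = c.mstack.sp;                /* esp-old: the RIP's slot in the M-STACK */
    return c;
}

/* VMM side: the page table interrupt handler for a call into K-SPACE code */
static bool vmm_handle_call(cpu_state_t *c, uint64_t target, size_t nargs) {
    if (!vmm_call_permitted(target)) return false;   /* denied: nothing is switched */
    const stack_t *m = &c->mstack;
    stack_t *k = &c->kstack;
    if (k->sp < nargs + 1) return false;             /* the K-STACK would overflow */
    /* copy RIP and the parameters, preserving their layout, into the K-STACK */
    for (size_t i = nargs + 1; i-- > 0; )
        stack_push(k, m->words[c->esp + i]);
    c->esp = k->sp;                                  /* esp-new: the RIP's slot in the K-STACK */
    c->cur_stack = STACK_K;                          /* stack switch M-STACK -> K-STACK */
    c->cur_pgt = PGT_KPGT;                           /* page table switch MPGT -> KPGT */
    return true;
}

/* Callee view: the return address and parameter i as seen from the active stack */
static const stack_t *active_stack(const cpu_state_t *c) {
    return c->cur_stack == STACK_K ? &c->kstack : &c->mstack;
}
static uint64_t callee_return_addr(const cpu_state_t *c) { return active_stack(c)->words[c->esp]; }
static uint64_t callee_arg(const cpu_state_t *c, size_t i) { return active_stack(c)->words[c->esp + 1 + i]; }

int main(void) {
    uint64_t args[3] = { 0x11, 0x22, 0x33 };
    cpu_state_t c = module_prepare_call(args, 3);
    bool ok = vmm_handle_call(&c, KFUNC_ALLOWED, 3);
    printf("allowed=%d pgt=%s stack=%s rip=%#llx arg0=%#llx\n", ok,
           c.cur_pgt == PGT_KPGT ? "KPGT" : "MPGT",
           c.cur_stack == STACK_K ? "K-STACK" : "M-STACK",
           (unsigned long long)callee_return_addr(&c),
           (unsigned long long)callee_arg(&c, 0));
    return 0;
}
```

The order of operations in vmm_handle_call is the point worth checking in any real implementation of this scheme: the policy decision comes first and a denied call leaves both the page table and the stack untouched, the copy into the K-STACK is bounds-checked so that a module cannot overflow the kernel stack by faking a large parameter count, and the M-STACK is left as it was so that the kernel code runs on a stack the isolated module never wrote to.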
  15. A virtual machine monitor (VMM), comprising:
    an event capture unit, configured to capture a page table interrupt event, the page table interrupt event being generated by a central processing unit (CPU) after the CPU detects a call request, from a target kernel module, for kernel code in a kernel space (K-SPACE) and determines that a call permission mapping of the target kernel module to the kernel code in the K-SPACE has not been created in an isolation space page table (MPGT), wherein the virtual machine kernel space corresponding to the VMM comprises the K-SPACE and an isolation space (M-SPACE), the M-SPACE comprises the target kernel module and the MPGT, and the MPGT is used to support operation of the target kernel module;
    a permission determination unit, configured to determine, by means of a pre-stored page table interrupt handling function, whether the target kernel module has permission to call the kernel code in the K-SPACE;
    a switching unit, configured to, when the permission determination unit determines, by means of the pre-stored page table interrupt handling function, that the target kernel module has permission to call the kernel code in the K-SPACE, perform, according to the call permission mapping of the target kernel module to the kernel code in the K-SPACE, a page table switching operation and a stack switching operation so as to switch the stack of the virtual machine kernel space from an isolation space stack (M-STACK) to a kernel space stack (K-STACK), so that the target kernel module calls the kernel code in the K-SPACE based on the K-STACK after the switch.
  16. The VMM according to claim 15, wherein the permission determination unit is specifically configured to:
    obtain, by means of the pre-stored page table interrupt function, a preset permission determination policy corresponding to the page table interrupt event, and obtain virtual address distribution information of the kernel code in the K-SPACE;
    determine, according to the obtained preset permission determination policy and the virtual address distribution information, whether the target kernel module has permission to access the kernel code in the K-SPACE.
  17. The VMM according to claim 15 or 16, wherein the switching unit is specifically configured to:
    switch the page table currently loaded by the VMM from the MPGT to a kernel space page table (KPGT), wherein the KPGT is used to support operation of the kernel modules in the K-SPACE, and the K-SPACE comprises the basic kernel modules of the virtual machine kernel space, those of the N kernel modules inserted into the virtual machine kernel space other than the target kernel module, and the KPGT, N being a positive integer greater than 1.
  18. The VMM according to claim 15 or 17, wherein the switching unit is specifically configured to:
    copy the code parameters stored in the M-STACK that are to be passed to the kernel code in the K-SPACE, and the return address (RIP) for the call to the kernel code in the K-SPACE;
    write the code parameters and the RIP into the K-STACK;
    change the stack currently used by the virtual machine kernel space from an esp-old position to an esp-new position, wherein the esp-old position is the storage position of the RIP in the M-STACK and the esp-new position is the storage position of the RIP in the K-STACK.
  19. The VMM according to claim 15 or 18, wherein the VMM further comprises:
    an address mapping unit, configured to, before the event capture unit captures the page table interrupt event, map virtual address distribution information of the target kernel module to physical address distribution information according to a pre-stored space page table of the virtual machine kernel space, wherein the target kernel module is a kernel module that needs to be isolated, selected from N kernel modules inserted into the virtual machine kernel space, N being a positive integer greater than 1;
    a space separation unit, configured to separate the virtual machine kernel space into the M-SPACE and the K-SPACE based on the physical address distribution information;
    a page table creation unit, configured to mark the space page table of the virtual machine kernel space as a kernel space page table (KPGT) and to create the MPGT based on the physical address distribution information.
  20. The VMM according to any one of claims 15 to 19, wherein a call permission mapping of the target kernel module to kernel code in the M-SPACE is created in the MPGT, so that the target kernel module has permission to call the kernel code in the M-SPACE.
PCT/CN2016/097246 2015-09-06 2016-08-29 Data access method, code calling method, and virtual machine monitor WO2017036376A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510559382.6A CN106502759B (en) 2015-09-06 2015-09-06 A kind of data access method, code call method and virtual machine monitor
CN201510559382.6 2015-09-06

Publications (1)

Publication Number Publication Date
WO2017036376A1 true WO2017036376A1 (en) 2017-03-09

Family

ID=58186729

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/097246 WO2017036376A1 (en) 2015-09-06 2016-08-29 Data access method, code calling method, and virtual machine monitor

Country Status (2)

Country Link
CN (1) CN106502759B (en)
WO (1) WO2017036376A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022166553A1 (en) * 2021-02-05 2022-08-11 华为技术有限公司 Method and apparatus for implementing batch system calls
WO2023160398A1 (en) * 2022-02-25 2023-08-31 阿里巴巴(中国)有限公司 Data processing method and system

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112084490A (en) * 2020-09-09 2020-12-15 南京烽火星空通信发展有限公司 Method and system for realizing protection of software source code based on Linux kernel calling
CN113448690B (en) * 2021-08-27 2022-02-01 阿里云计算有限公司 Monitoring method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080244206A1 (en) * 2007-03-30 2008-10-02 Samsung Electronics Co., Ltd. Method of controlling memory access
CN102938035A (en) * 2012-11-08 2013-02-20 西安交通大学 Driving separation system inside virtual machine and method
CN103778368A (en) * 2014-01-23 2014-05-07 重庆邮电大学 Safe progress isolating method based on system virtualization technology
CN104036185A (en) * 2014-06-23 2014-09-10 常熟理工学院 Virtualization based power and function isolating method for loading module of monolithic kernel operation system
US20150046924A1 (en) * 2007-10-30 2015-02-12 Vmware, Inc. Transparent memory-mapped emulation of i/o calls
CN104573553A (en) * 2014-12-30 2015-04-29 中国航天科工集团第二研究院七O六所 Xen-oriented memory sharing security isolation method for virtual machines


Also Published As

Publication number Publication date
CN106502759A (en) 2017-03-15
CN106502759B (en) 2019-11-15

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16840805

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16840805

Country of ref document: EP

Kind code of ref document: A1