WO2017185202A1 - Virtualisation system monitoring method and apparatus - Google Patents


Publication number
WO2017185202A1
Authority
WO
WIPO (PCT)
Prior art keywords
host
domain
client
running state
state
Prior art date
Application number
PCT/CN2016/080124
Inventor
王永辉
Original Assignee
深圳前海达闼云端智能科技有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 深圳前海达闼云端智能科技有限公司 filed Critical 深圳前海达闼云端智能科技有限公司
Priority to CN201680002935.0A priority Critical patent/CN107454961A/en
Priority to PCT/CN2016/080124 priority patent/WO2017185202A1/en
Publication of WO2017185202A1 publication Critical patent/WO2017185202A1/en


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances

Definitions

  • the present invention relates to the field of virtualization technologies, and in particular, to a virtualization system monitoring method and apparatus.
  • FIG. 1 is a schematic diagram of a virtualized system architecture in the prior art.
  • the bottom layer of the virtualized system architecture is a hardware system, which mainly includes a processor, a memory, an input and output device, and the like.
  • the virtualization layer is a security-independent software runtime environment in which a virtual machine monitor (abbreviated as VMM or Hypervisor) runs.
  • the main functions of the Hypervisor are: managing the real physical hardware platform and providing a corresponding virtual hardware platform for each virtual client.
  • the Hypervisor implements the aforementioned functions through a virtualization layer host (Host) that runs the host operating system (Host OS) and runs various hypervisors.
  • One or more clients are also running on the virtualization layer.
  • Each client, that is, a virtual machine in the virtualization system, can have its own operating system (Guest OS) and run various program applications separately.
  • the existing virtualization system monitoring method mainly uses a monitoring program running in a virtualization layer host, or a monitoring program running in a client on the virtualization layer, to monitor the virtualization system and prevent it from being tampered with.
  • because the existing virtualization system monitoring method is usually implemented by the host or by a certain client, and the host and the virtual machine can themselves be tampered with, the existing monitoring of the virtualized system has a security hole.
  • the embodiment of the present application proposes a technical solution for solving the above problem, and the monitoring of the virtualization system is implemented by the trusted zone TrustZone.
  • an embodiment of the present application provides a virtualization system monitoring method, where the method includes:
  • the trusted zone TrustZone obtains the running status information of the domain (Domain) in the virtualization system
  • the Domain is a host and/or a client.
  • the determining, according to the running state information of the domain and the legal state information of the domain, the operating state of the domain including:
  • the method further includes:
  • the TrustZone sends a first control instruction to the host, and the host controls the client in an illegal running state according to the first control instruction.
  • the determining, according to the running state information of the domain and the legal state information of the domain, the operating state of the domain including:
  • the determining, according to the running state information of the domain and the legal state information of the domain, the operating state of the domain including:
  • the method further includes:
  • the TrustZone sends a second control instruction to the host, and the host controls the host in an illegal running state according to the second control instruction.
  • the determining, according to the running state information of the domain and the legal state information of the domain, the operating state of the domain including:
  • the running state information of the domain is information that is calculated from the kernel layer code segment of the domain and that represents the running state of the domain.
  • the embodiment of the present application provides a virtualization system monitoring apparatus, where the apparatus includes:
  • an information acquisition module, located in the trusted zone TrustZone and used to obtain running state information of the domain (Domain) in the virtualization system;
  • a state determining module located in the TrustZone, and is configured to determine an operating state of the domain according to the operating state information of the domain and the legal state information of the domain.
  • the Domain is a host and/or a client.
  • the state determining module is configured to determine, according to the running state information of the client and the legal state information of the client, that the running state of the client is an illegal running state when the two do not match;
  • the device also includes:
  • an instruction sending module, located at the TrustZone and configured to send the first control instruction to the host after the state determining module determines that the operating state of the client is an illegal running state;
  • a control module, located at the host and configured to control a client in an illegal running state according to the first control instruction sent by the instruction sending module.
  • the state determining module is configured to determine, according to the running state information of the client and the legal state information of the client, that the running state of the client is a legal running state when the two are matched.
  • the state determining module is configured to determine, according to the running state information of the host machine and the legal state information of the host, that the running state of the host is an illegal running state when the two do not match;
  • the device also includes:
  • an instruction sending module, located at the TrustZone and configured to send a second control instruction to the host after the state determining module determines that the running state of the host is an illegal running state;
  • a control module, located at the host and configured to control, according to the second control instruction sent by the instruction sending module, a host that is in an illegal running state.
  • the state determining module is configured to determine, according to the running state information of the host machine and the legal state information of the host, that the running state of the host machine is a legal running state when the two are matched.
  • the running state information of the domain is information that is calculated from the kernel layer code segment of the domain and that represents the running state of the domain.
  • the trusted zone TrustZone obtains the running state information of the domain (Domain) in the virtualized system, and determines the running state of the domain according to the operating state information of the domain and the legal state information of the domain.
  • This application is based on the security architecture TrustZone to monitor the domain in the virtualized system, which makes up for the security vulnerabilities in the virtualization system monitoring process.
  • FIG. 1 is a schematic diagram showing the architecture of a virtualization system in the prior art
  • FIG. 2 is a schematic diagram showing a system architecture in some embodiments of the present application.
  • FIG. 3 is a schematic flowchart diagram of a method for monitoring a virtualization system according to Embodiment 1 of the present application;
  • FIG. 4 is a schematic flowchart diagram of a method for monitoring a virtualization system according to Embodiment 2 of the present application;
  • FIG. 5 is a schematic flowchart diagram of a method for monitoring a virtualization system according to Embodiment 3 of the present application.
  • FIG. 6 is a schematic flowchart of a method for monitoring a virtualization system in Embodiment 4 of the present application.
  • FIG. 7 is a schematic flowchart diagram of another virtualization system monitoring method in Embodiment 4 of the present application.
  • FIG. 8 is a schematic structural diagram of a fifth virtualization system monitoring apparatus according to Embodiment 5 of the present application.
  • the present application proposes that the trusted zone TrustZone obtains the running state information of the domain (Domain) in the virtualized system, and determines the running state of the domain according to the operating state information of the domain and the legal state information of the domain.
  • This application implements the monitoring of the domain in the virtualized system based on the security architecture TrustZone, and makes up for the security vulnerabilities in the monitoring process of the virtualized system.
  • two parallel execution environments can be isolated on the SoC (System on Chip) by a combination of hardware and software: a common non-secure execution environment and a secure privacy environment.
  • the non-secure execution environment is called the Rich Execution Environment (REE), which implements the mobile terminal operating system;
  • the secure, confidential environment is called the Trusted Execution Environment (TEE).
  • TrustZone is ARM's security architecture for implementing TEE on SoCs for consumer electronics security. It can run a TrustZone operating system (TrustZone OS) and run various security applications in that operating system. In this proposal, the virtualization technology and the trusted environment technology are merged to produce the architecture shown in Figure 2.
  • the virtualization layer Host and each virtual machine in the virtualization system are located in the REE, while the TrustZone architecture itself, and the TrustZone OS and monitoring program running on the TrustZone architecture, are located in the TEE.
  • This proposal is based on the security architecture TrustZone to implement monitoring of virtual machines and/or virtualization layer hosts in a virtualized system in TEE.
  • Embodiment 1:
  • FIG. 3 is a schematic flowchart of a method for monitoring a virtualization system according to Embodiment 1 of the present invention. As shown in FIG. 3, the method for monitoring a virtualization system includes:
  • Step 301 The trusted zone TrustZone obtains running state information of the domain (Domain) in the virtualization system.
  • Step 302 Determine an operating state of the domain according to the running state information of the domain and the legal state information of the domain.
  • the domain is a domain in the virtualization system, that is, a domain that can be independently operated in the virtualization system, and usually runs on the virtualization layer, and can be used to implement a host or a client.
  • domains in virtualization systems implemented by virtualization software or components such as Xen, KVM, VMware, or Hyper-V are similar. This embodiment does not limit the implementation manner of the virtualization system.
  • After the terminal is powered on or while it is running, each domain can obtain its own running state information. TrustZone can obtain the running state information of these domains periodically or passively. The state information should be relatively low-level information that does not change during the legal operation of a domain and does not change with the various applications running on the domain; it should normally be read-only. If the state information is tampered with, the domain is in an illegal state.
  • a monitoring program is run on the TrustZone architecture, and the monitoring program determines whether the running state of the domain is a legal state or an illegal state according to the obtained running state information of the domain and the legal state information of the domain.
  • the legal status information of the domain is the initial state information that is obtained when the device is shipped from the factory or when the virtualization system is initialized and that is stored in the secure storage area of the TrustZone.
  • the initial state information is generally considered to be legal and has not been tampered with. According to the obtained running status information of the domain and the initial legal status information, it can be known whether the running status information of the current domain has been tampered with, that is, whether the current running status of the domain is an illegal state.
  • the security architecture TrustZone is used to implement the monitoring of the domain in the virtualized system, thereby avoiding the tampering of the monitoring entity and making up for the security vulnerability in the monitoring process of the virtualized system.
  • the Domain is a host and/or a client.
  • the host and client are important implementations of the Domain and are the focus of security monitoring in the virtualization system.
  • the client and the host machine can be separately monitored based on the security architecture TrustZone, and the client and the host machine can be monitored at the same time, and the monitoring can be performed in a certain period.
  • the client is monitored based on the security architecture TrustZone, which can more reliably determine whether the client's running status is legal or illegal, so as to control the client in an illegal state.
  • monitoring the host based on the security architecture TrustZone makes it possible to determine more reliably whether the running state of the host is a legal state or an illegal state. Only when the running state of the host is a legal state can the clients it manages be assured of not being tampered with by the host; and when a client it manages has been tampered with for some reason, the tampered client needs to be controlled reliably through a host running in the legal state. Monitoring both the client and the host based on the security architecture TrustZone makes it possible to further determine whether the operating state of the virtualized system is a legal state or an illegal state.
  • the running state information of the domain is information that is calculated from the kernel layer code segment of the domain and that represents the running state of the domain.
  • for a domain with a kernel layer in a virtualization system, for example a virtualization layer host or each client in a KVM-based virtualization system, the running state information can be calculated from a code segment in its kernel layer, for example by calculating the hash value of the code segment.
  • correspondingly, the legal state information of the domain pre-stored in the TrustZone is in this case the hash value calculated from the initial code segment in the domain's kernel layer in the initial situation.
  • a code segment usually refers to a memory area used to store program execution code. This area is determined before the program is run and is usually read-only. It is generally considered that if the code segment in the kernel layer of the domain has not changed, the domain has not been tampered with.
  • Embodiment 2:
  • FIG. 4 is a schematic diagram showing the monitoring process of the virtualization system in the second embodiment of the present invention, showing the process of monitoring the clients in the virtualization system.
  • for parts of the second embodiment that are similar to or overlap with Embodiment 1 above, reference may be made to the description of the first embodiment.
  • the process includes:
  • Step 401 The trusted zone TrustZone obtains running state information of the client in the virtualization system.
  • Step 402 determining whether the running state information of the client and the legal state information of the client match, if not, then go to step 403, if yes, go to step 405;
  • Step 403 Determine that an operating state of the client is an illegal running state.
  • Step 404 The TrustZone sends a first control instruction to the host, and the host controls the client in an illegal running state according to the first control instruction.
  • Step 405 Determine that the running state of the client is a legal running state.
  • for the implementation of step 401, reference may be made to the description of step 301 and its preferred solution in the first embodiment.
  • each running client can obtain its own running status information through its own status module, and the status module can send the running status information to the TrustZone actively or passively.
  • the running status information can be sent directly to the TrustZone by the client, or each client can send its own running status information to the virtualization layer host, which summarizes the running status information of each client and sends it to TrustZone.
  • for the implementation of step 402, reference may be made to the description of step 302 and its preferred solution in Embodiment 1 above.
  • in step 403, it is determined that the running state of the client is an illegal running state; that is, the result of monitoring the client based on the security architecture TrustZone is that it is illegal. After determining that a client is in an illegal running state, TrustZone can also perform alarm prompts or corresponding control operations for the illegal running status.
  • the first control instruction sent by the TrustZone to the host is for the client in the illegal running state, and is intended to control the client to prevent the hacked client from running an illegal application, affecting the host machine, or even affecting the safe operation of the entire virtualized system.
  • the control instructions may be to shut down the client, limit the client's invocation of certain hardware, restrict the operation of certain applications of the client, or prompt the user to indicate subsequent operations by the user, and the like.
  • the control instructions are executed by the host.
  • in step 405, it is determined that the running state of the client is a legal running state; that is, the result of monitoring the client based on the security architecture TrustZone is that it is legal and stable. After determining that a client is in a legal running state, TrustZone can also repeat the above steps at a certain period to keep monitoring the operation of the client.
  • Embodiment 3:
  • FIG. 5 is a schematic diagram showing the monitoring process of the virtualization system in the third embodiment of the present invention, showing the process of monitoring the host in the virtualization system.
  • for parts of the third embodiment that are similar to or overlap with Embodiment 1 or 2 above, reference may be made to the description of the first embodiment or the second embodiment.
  • the process includes:
  • Step 501 The trusted zone TrustZone obtains running state information of the host in the virtualization system.
  • Step 502 it is determined whether the operating state information of the host and the legal state information of the host match, if not, then go to step 503, if yes, go to step 505;
  • Step 503 Determine that an operating state of the host is an illegal running state.
  • Step 504 The TrustZone sends a second control instruction to the host, and the host controls the host in an illegal running state according to the second control instruction.
  • Step 505 Determine that the running state of the host is a legal running state.
  • for the implementation of step 501, reference may be made to the description of step 301 and its preferred solution in the first embodiment.
  • the host in the virtualization system can obtain the running status information of the host through its own status module, and the status module can send the running status information to the TrustZone actively or passively.
  • for the implementation of step 502, reference may be made to the description of step 302 and its preferred solution in the first embodiment.
  • in step 503, it is determined that the running state of the host is an illegal running state; that is, the result of monitoring the host based on the security architecture TrustZone is that it is illegal. After determining that the host in the virtualized system is in an illegal running state, TrustZone can also perform alarm prompts or corresponding control operations for the illegal running status.
  • the second control instruction sent by the TrustZone to the host is for the host in the illegal running state, and is intended to control the host to prevent the tampered host from running an illegal application, affecting each client it manages, or even affecting the safe operation of the entire virtualized system.
  • the control instruction may be to shut down the host, limit the host's call to certain hardware, limit the operation of certain applications of the host, or prompt the user to indicate subsequent operations by the user, and the like.
  • the control instructions are executed by the host.
  • in step 505, it is determined that the running state of the host is a legal running state; that is, the result of monitoring the host based on the security architecture TrustZone is that it is legal and stable. After determining that a host is in a legal running state, TrustZone can also repeat the above steps at a certain period to monitor the operation of the host at all times.
  • the foregoing Embodiments 2 and 3 can be implemented in parallel in the same scenario; that is, for the same virtualization system, the TrustZone can separately monitor the client and the host, for example by performing the above steps 401-405 and 501-505 in parallel in the same or different cycles.
  • the running status information of each client may be sent to the TrustZone after being aggregated by the host; and from step 404 above, when a client is found to be in an illegal running state, the host is required to execute the first control instruction from the TrustZone to control the client. It can be seen that in the process of monitoring the client, the host is required to be in a normal running state in order to summarize client state information or execute the first control instruction. Combining Embodiments 2 and 3 in the same scenario can therefore ensure the reliability of the client monitoring process. In addition, because the monitoring of the client and the host is parallel, the user can customize the monitoring cycle to achieve more flexible monitoring of the virtualized system.
  • the period of the monitoring process of the host may be shorter than the period of the client monitoring process (steps 401-405);
  • the monitoring process of each client may have different execution cycles.
  • Embodiment 4:
  • FIG. 6 is a schematic diagram showing the monitoring process of the virtualization system in the fourth embodiment of the present invention, showing the process of simultaneously monitoring the client and the host in the virtualization system.
  • for parts of FIG. 6 that are similar to or overlap with Embodiments 1 to 3 above, reference may be made to the descriptions of the first to third embodiments.
  • the process includes:
  • Step 601 The trusted zone TrustZone obtains running state information of the client and the host in the virtualization system.
  • Step 602a it is determined whether the operating state information of the client and the legal state information of the client match, if not, then go to step 603a, if yes, go to step 605a;
  • Step 603a Determine that an operating state of the client is an illegal running state.
  • Step 604a The TrustZone sends a first control instruction to the host, and the host controls the client in an illegal running state according to the first control instruction.
  • Step 605a Determine that the running state of the client is a legal running state.
  • Step 602b determining whether the operating state information of the host machine and the legal state information of the host match, if not, then to step 603b, if yes, then to step 605b;
  • Step 603b determining that the running state of the host machine is an illegal running state
  • Step 604b The TrustZone sends a second control instruction to the host, and the host controls the host in an illegal running state according to the second control instruction.
  • Step 605b Determine that the running state of the host is a legal running state.
  • for the implementation of step 601, reference may be made to the description of step 301 and its preferred embodiment in the first embodiment, the description of step 401 in the second embodiment, and the description of step 501 in the third embodiment.
  • both the client and the host in the virtualization system can obtain their own running status information through their own status module.
  • the host machine can send the running status information of each client and of itself together to TrustZone, actively or passively.
  • steps 602a-605a are the same as steps 402-405 described above, and steps 602b-605b are identical to steps 502-505 described above. Both the group a steps and the group b steps need to be performed, but the order is not limited.
  • the group b steps are performed first, and after determining that the running state of the host machine is a legal running state, the group a steps are performed, so that the monitoring of the client is reliable (as shown in FIG. 7).
  • the running state information of the client and the host are acquired at the same time to determine the running state, and the running states of the two can be determined more reliably.
  • with the method in the second embodiment, since the running state information of the client is summarized and forwarded by the host, it may happen that the client is in a legal running state but the host is in an illegal running state and illegally tampers with the client's running status information.
  • the running state information of the client and the host is obtained at the same time. If the client is in an illegal running state and the host is in a legal running state, it can be confirmed more reliably that the security risk of the virtualized system is the client in the illegal running state.
  • the running state information of the client and the host is acquired at the same time to determine the running state, and the illegal client can be controlled more reliably. For example, when it is determined by the method in the second embodiment that a certain client is in an illegal running state and is to be controlled by the host, whether the current host is in a legal running state is uncertain. In this embodiment, the running status information of the client and the host is acquired simultaneously; if it is determined that the client is in an illegal running state and the host is in a legal running state, the client in the illegal running state can be reliably controlled through the host machine.
  • Embodiment 5:
  • FIG. 8 is a schematic structural diagram of a virtualization system monitoring apparatus according to Embodiment 5 of the present invention. As shown in the figure, the virtualization system monitoring apparatus 800 may include:
  • the information obtaining module 821 is located in the trusted zone TrustZone 820, and is configured to obtain running state information of the domain (Domain) in the virtualization system.
  • the state determining module 822 is located at the TrustZone 820, and is configured to determine an operating state of the domain according to the operating state information of the domain and the legal state information of the domain.
  • the Domain is a host and/or a client.
  • the status determining module 822 is configured to determine, according to the running status information of the client and the legal status information of the client, that the running status of the client is an illegal running status;
  • the device 800 further includes:
  • the instruction sending module 823 is located at the TrustZone 820, and is configured to send a first control instruction to the host machine 810 after the state determining module 822 determines that the running state of the client is an illegal running state;
  • the control module 811 is located at the host 810, and is configured to control a client in an illegal running state according to the first control instruction sent by the instruction sending module 823.
  • the state determining module 822 is configured to determine, according to the running state information of the client and the legal state information of the client, that the running state of the client is a legal running state when the two are matched.
  • the state determining module 822 is specifically configured to determine that the running state of the host is an illegal running state when it judges, according to the running state information of the host and the legal state information of the host, that the two do not match;
  • the device 800 further includes:
  • the instruction sending module 823 is located at the TrustZone 820, and is configured to send a second control instruction to the host 810 after the state determining module 822 determines that the running state of the host is an illegal running state;
  • the control module 811 is located at the host 810, and is configured to control a host in an illegal running state according to the second control instruction sent by the instruction sending module 823.
  • the state determining module 822 is configured to determine, according to the running state information of the host machine and the legal state information of the host, that the running state of the host is a legal running state when the two are matched.
  • the running state information of the Domain is information that is calculated from the kernel-layer code segment of the Domain and that characterizes the running state of the Domain.
  • embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
  • the computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising an instruction apparatus that implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Debugging And Monitoring (AREA)
  • Computer And Data Communications (AREA)

Abstract

Provided in the present invention are a virtualisation system monitoring method and apparatus, the method comprising: TrustZone acquiring operating state information of a domain in a virtualisation system; and determining the operating state of the domain on the basis of the operating state information and legitimacy state information of the domain. Based on the security architecture TrustZone, the present application implements monitoring of domains in a virtualisation system, compensating for the security vulnerabilities in virtualisation system monitoring processes.

Description

Virtualization system monitoring method and apparatus
Technical field
The present invention relates to the field of virtualization technologies, and in particular to a virtualization system monitoring method and apparatus.
Background
To improve mobile terminal security, the prior art includes solutions that use virtualization technology to run multiple operating systems or virtual machines on a mobile terminal at the same time. The isolation provided by virtualization separates the operating systems on a single terminal and prevents processes on one operating system from adversely affecting the others. A typical application scenario is using virtualization to separate the enterprise system from the personal system on a mobile device such as a mobile phone, which guards against the potential harm that processes on the personal system could cause to the enterprise and meets the "Bring Your Own Device" (BYOD) needs of enterprises with security requirements.
FIG. 1 is a schematic diagram of a virtualization system architecture in the prior art. At the bottom of the architecture is the hardware system, which mainly includes the processor, memory, and input/output devices. Above the hardware system is the virtualization layer, a secure and independent software runtime environment, in which the virtual machine monitor (abbreviated VMM, also called the Hypervisor) runs. The main functions of the Hypervisor are to manage the real physical hardware platform and to provide a corresponding virtual hardware platform for each virtual client. The Hypervisor performs these functions through the virtualization layer host (Host), which can run the host operating system (Host OS) and various virtual machine management programs. One or more clients (Guests) also run on the virtualization layer. Each client is a virtual machine in the virtualization system and can have its own operating system (Guest OS) and run its own applications.
With the development of terminal virtualization technology, virtualization systems also face serious security problems. More and more malicious attacks now target virtual machines, so that a virtual machine or the programs in it are maliciously tampered with, creating security vulnerabilities. Strengthening virtual machine security and building a trusted virtualization environment has become an urgent need in the industry. Existing virtualization system monitoring methods mainly monitor the virtualization system through a monitoring program running in the virtualization layer host, or through a monitoring program running in one of the clients on the virtualization layer, to prevent the virtualization system from being tampered with.
The main shortcoming of the prior art is:
In existing virtualization system monitoring methods, monitoring is usually performed by the host or by one of the clients, and the host and the virtual machines can themselves be tampered with, so existing monitoring of virtualization systems has a security vulnerability.
Summary of the invention
The embodiments of the present application propose a technical solution to the above problem, in which the trusted zone TrustZone monitors the virtualization system.
In one aspect, an embodiment of the present application provides a virtualization system monitoring method, characterized in that the method includes:
the trusted zone TrustZone obtains running state information of a domain (Domain) in the virtualization system;
determining the running state of the Domain according to the running state information of the Domain and the legal state information of the Domain.
Preferably, the Domain is a host and/or a client.
Preferably, determining the running state of the Domain according to the running state information of the Domain and the legal state information of the Domain includes:
when it is judged, according to the running state information of the client and the legal state information of the client, that the two do not match, determining that the running state of the client is an illegal running state;
after determining that the running state of the client is an illegal running state, the method further includes:
TrustZone sends a first control instruction to the host, and the host controls the client in the illegal running state according to the first control instruction.
Preferably, determining the running state of the Domain according to the running state information of the Domain and the legal state information of the Domain includes:
when it is judged, according to the running state information of the client and the legal state information of the client, that the two match, determining that the running state of the client is a legal running state.
Preferably, determining the running state of the Domain according to the running state information of the Domain and the legal state information of the Domain includes:
when it is judged, according to the running state information of the host and the legal state information of the host, that the two do not match, determining that the running state of the host is an illegal running state;
after determining that the running state of the host is an illegal running state, the method further includes:
TrustZone sends a second control instruction to the host, and the host controls the host in the illegal running state according to the second control instruction.
Preferably, determining the running state of the Domain according to the running state information of the Domain and the legal state information of the Domain includes:
when it is judged, according to the running state information of the host and the legal state information of the host, that the two match, determining that the running state of the host is a legal running state.
Preferably, the running state information of the Domain is information that is calculated from the kernel-layer code segment of the Domain and that characterizes the running state of the Domain.
In another aspect, an embodiment of the present application provides a virtualization system monitoring apparatus, characterized in that the apparatus includes:
an information obtaining module, located in the trusted zone TrustZone and configured to obtain running state information of a domain (Domain) in the virtualization system;
a state determining module, located in TrustZone and configured to determine the running state of the Domain according to the running state information of the Domain and the legal state information of the Domain.
Preferably, the Domain is a host and/or a client.
Preferably, the state determining module is specifically configured to determine that the running state of the client is an illegal running state when it judges, according to the running state information of the client and the legal state information of the client, that the two do not match;
the apparatus further includes:
an instruction sending module, located in TrustZone and configured to send a first control instruction to the host after the state determining module determines that the running state of the client is an illegal running state;
a control module, located in the host and configured to control the client in the illegal running state according to the first control instruction sent by the instruction sending module.
Preferably, the state determining module is configured to determine that the running state of the client is a legal running state when it judges, according to the running state information of the client and the legal state information of the client, that the two match.
Preferably, the state determining module is specifically configured to determine that the running state of the host is an illegal running state when it judges, according to the running state information of the host and the legal state information of the host, that the two do not match;
the apparatus further includes:
an instruction sending module, located in TrustZone and configured to send a second control instruction to the host after the state determining module determines that the running state of the host is an illegal running state;
a control module, located in the host and configured to control the host in the illegal running state according to the second control instruction sent by the instruction sending module.
Preferably, the state determining module is configured to determine that the running state of the host is a legal running state when it judges, according to the running state information of the host and the legal state information of the host, that the two match.
Preferably, the running state information of the Domain is information that is calculated from the kernel-layer code segment of the Domain and that characterizes the running state of the Domain.
The beneficial effects of the present application are as follows:
In the present application, the trusted zone TrustZone obtains running state information of a domain (Domain) in the virtualization system, and the running state of the Domain is determined according to the running state information of the Domain and the legal state information of the Domain. The present application monitors the domains of a virtualization system on the basis of the TrustZone security architecture, which closes the security vulnerability in the virtualization system monitoring process.
Brief description of the drawings
Specific embodiments of the present invention are described below with reference to the accompanying drawings, in which:
FIG. 1 is a schematic diagram of a virtualization system architecture in the prior art;
FIG. 2 is a schematic diagram of the system architecture in some embodiments of the present application;
FIG. 3 is a schematic flowchart of the virtualization system monitoring method in Embodiment 1 of the present application;
FIG. 4 is a schematic flowchart of the virtualization system monitoring method in Embodiment 2 of the present application;
FIG. 5 is a schematic flowchart of the virtualization system monitoring method in Embodiment 3 of the present application;
FIG. 6 is a schematic flowchart of the virtualization system monitoring method in Embodiment 4 of the present application;
FIG. 7 is a schematic flowchart of another virtualization system monitoring method in Embodiment 4 of the present application;
FIG. 8 is a schematic structural diagram of the virtualization system monitoring apparatus in Embodiment 5 of the present application.
Detailed description
To make the technical solutions and advantages of the present invention clearer, exemplary embodiments of the present invention are described in further detail below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not an exhaustive list of all embodiments. Where there is no conflict, the embodiments in this description and the features in the embodiments may be combined with each other.
The inventor noticed during the course of the invention that, in existing virtualization system monitoring methods, monitoring is usually performed by the host or by one of the clients, and the host and the virtual machines can themselves be tampered with, so existing monitoring of virtualization systems has a security vulnerability.
To address this shortcoming, the present application proposes that the trusted zone TrustZone obtains running state information of a domain (Domain) in the virtualization system, and that the running state of the Domain is determined according to the running state information of the Domain and the legal state information of the Domain. The present application monitors the domains of a virtualization system on the basis of the TrustZone security architecture, which closes the security vulnerability in the virtualization system monitoring process, as described below.
On a mobile terminal, a combination of hardware and software can be used to isolate two parallel execution environments on the SoC (System on Chip): an ordinary non-secure execution environment and a secure, confidential environment. The non-secure execution environment is called the Rich Execution Environment (REE) and runs the mobile terminal operating system; the secure environment is called the Trusted Execution Environment (TEE), which provides an isolated execution environment with a higher security level.
TrustZone is a security architecture proposed by ARM for consumer electronics security that implements a TEE on the SoC. It can run a TrustZone operating system (TrustZone OS) and run various security applications in that operating system. This proposal combines virtualization technology with trusted environment technology to produce the architecture shown in FIG. 2, in which the virtualization layer Host and the virtual machines of the virtualization system are located in the REE, while the TrustZone architecture itself, and the TrustZone OS and monitoring program that run on it, are located in the TEE.
Based on the TrustZone security architecture, this proposal monitors the virtual machines and/or the virtualization layer host of the virtualization system from within the TEE.
To facilitate implementation of the present invention, examples are described below.
Embodiment 1:
FIG. 3 is a schematic flowchart of the virtualization system monitoring method in Embodiment 1 of the present invention. As shown in FIG. 3, the virtualization system monitoring method includes:
Step 301: the trusted zone TrustZone obtains running state information of a domain (Domain) in the virtualization system;
Step 302: determine the running state of the Domain according to the running state information of the Domain and the legal state information of the Domain.
In step 301, a Domain is a domain in the virtualization system, that is, a domain that can run independently in the virtualization system. It usually runs on top of the virtualization layer and can be used to implement a host, a client, and so on. Note that the concept of a domain is similar across virtualization systems implemented with virtualization software or components such as Xen, KVM, VMware, or Hyper-V; this embodiment does not limit how the virtualization system is implemented.
After the terminal is powered on, or while it is running, each Domain can obtain its own running state information, and TrustZone can periodically obtain this running state information, either actively or passively. The state information should be relatively low-level information that does not change as a result of legal operations on the Domain and does not change with the applications the Domain runs; it should normally be read-only. If the state information is tampered with, the Domain is in an illegal running state.
In step 302, a monitoring program runs on the TrustZone architecture. The monitoring program determines whether the running state of the Domain is a legal state or an illegal state according to the obtained running state information of the Domain and the legal state information of the Domain.
The legal state information of the Domain is the initial state information obtained when the device leaves the factory or when the virtualization system is initialized, and stored in the secure storage area of TrustZone. The initial state information is generally considered legal and untampered. From the obtained running state information of the Domain and the initial legal state information, it can be learned whether the current running state information of the Domain has been tampered with, that is, whether the current running state of the Domain is an illegal state.
This embodiment monitors the domains of the virtualization system on the basis of the TrustZone security architecture, which prevents the monitoring entity itself from being tampered with and closes the security vulnerability in the virtualization system monitoring process.
Preferably, in the above steps the Domain is a host and/or a client.
In a virtualization system, the host and the clients are important forms of Domain and are the focus of security monitoring. In this embodiment, the client and the host can be monitored separately on the basis of the TrustZone security architecture, or they can be monitored at the same time, and the monitoring can be performed at a certain period.
Monitoring the client based on the TrustZone security architecture makes it possible to determine more reliably whether the running state of the client is legal or illegal, so that a client in an illegal running state can be controlled. Monitoring the host based on the TrustZone security architecture makes it possible to determine more reliably whether the running state of the host is legal or illegal: only when the host is in a legal running state can the clients it manages be sure of not being tampered with by the host, and when a client it manages has been tampered with for some reason, the tampered client needs to be reliably controlled through a host whose running state is legal. Monitoring the client and the host at the same time based on the TrustZone security architecture makes it possible to further determine whether the running state of the virtualization system is legal or illegal.
Preferably, the running state information of the Domain is information that is calculated from the kernel-layer code segment of the Domain and that characterizes the running state of the Domain.
For a Domain in the virtualization system that has a kernel layer (for example, the virtualization layer host or each client in a KVM-based virtualization system), its running state information can be calculated from the code segment in its kernel layer, for example by calculating the hash value of the code segment. In that case, the legal state information of the Domain pre-stored in TrustZone is the hash value calculated from the initial code segment in the kernel layer of the domain in its initial condition. A code segment usually refers to a memory area that holds the program's executable code; this area is determined before the program runs and is usually read-only. It is generally considered that if the code segment in the kernel layer of a domain has not changed, the domain has not been tampered with.
Embodiment 2:
FIG. 4 is a schematic flowchart of virtualization system monitoring in Embodiment 2 of the present invention, showing the process of monitoring a client in the virtualization system. For parts of Embodiment 2 that are similar to or repeat Embodiment 1, refer to the description of Embodiment 1.
As shown in FIG. 4, the process includes:
Step 401: the trusted zone TrustZone obtains running state information of a client in the virtualization system;
Step 402: judge whether the running state information of the client and the legal state information of the client match; if they do not match, go to step 403; if they match, go to step 405;
Step 403: determine that the running state of the client is an illegal running state;
Step 404: TrustZone sends a first control instruction to the host, and the host controls the client in the illegal running state according to the first control instruction;
Step 405: determine that the running state of the client is a legal running state.
In step 401, for the implementation, refer to the description of step 301 and its preferred solutions in Embodiment 1. After the terminal is powered on, each running client can obtain its own running state information through its own status module, and the status module can send the running state information to TrustZone actively or passively. The client can send it directly to TrustZone, or each client can send its running state information to the virtualization layer, and the host aggregates the running state information of the clients and then sends it to TrustZone.
In step 402, for the implementation, refer to the description of step 302 and its preferred solutions in Embodiment 1. When it is judged, according to the running state information of the client and the legal state information of the client, that the two do not match, go to step 403; when it is judged that the two match, go to step 405.
In step 403, the running state of the client is determined to be an illegal running state. A monitoring result of illegal running state obtained on the basis of the TrustZone security architecture is more reliable. After determining that a client is in an illegal running state, TrustZone can also raise an alarm or perform corresponding control operations for that illegal running state.
In step 404, the first control instruction that TrustZone sends to the host is directed at the client in the illegal running state. Its purpose is to control that client, to prevent the tampered client from running illegal applications, affecting the host, or even affecting the secure operation of the whole virtualization system. The control instruction may be to shut down the client, to restrict the client's calls to certain hardware, to restrict the running of certain applications on the client, or to prompt the user so that the user decides the subsequent operation, and so on. The control instruction is executed by the host.
In step 405, the running state of the client is determined to be a legal running state. A monitoring result of legal running state obtained on the basis of the TrustZone security architecture is more reliable. After determining that a client is in a legal running state, TrustZone can also repeat the above steps at a certain period to monitor the client's operation at all times.
Embodiment 3:
FIG. 5 is a schematic flowchart of virtualization system monitoring in Embodiment 3 of the present invention, showing the process of monitoring the host in the virtualization system. Where Embodiment 3 is similar to or repeats Embodiment 1 or 2 above, refer to the description of Embodiment 1 or 2.
As shown in FIG. 5, the process includes:
Step 501: TrustZone (the trusted zone) obtains the running state information of the host in the virtualization system;
Step 502: Determine whether the host's running state information matches the host's legitimate state information; if they do not match, proceed to step 503; if they match, proceed to step 505;
Step 503: Determine that the running state of the host is an illegitimate running state;
Step 504: TrustZone sends a second control instruction to the host, and the host controls the host in the illegitimate running state according to the second control instruction;
Step 505: Determine that the running state of the host is a legitimate running state.
In step 501, the implementation may follow the description of step 301 and its preferred schemes in Embodiment 1 above. After the terminal powers on, the host in the virtualization system can obtain its running state information through its own status module, and the status module can send that information to TrustZone either actively or passively.
In step 502, the implementation may follow the description of step 302 and its preferred schemes in Embodiment 1 above. If the host's running state information and the host's legitimate state information are judged not to match, proceed to step 503; if they are judged to match, proceed to step 505.
In step 503, the running state of the host is determined to be an illegitimate running state. Because it is obtained on the TrustZone security architecture, the monitoring result that the host is in an illegitimate running state is more reliable. After determining that the host in the virtualization system is in an illegitimate running state, TrustZone can also raise an alarm or perform corresponding control operations in response to that state.
In step 504, the second control instruction that TrustZone sends to the host targets the host that is in the illegitimate running state. Its purpose is to control that host so that a tampered host cannot run illegitimate applications, affect the guests it manages, or even affect the secure operation of the whole virtualization system. The control instruction may be to shut down the host, to restrict the host's calls to certain hardware, to restrict the running of certain applications on the host, or to prompt the user so that the user directs the subsequent operation, and so on. The control instruction is executed by the host.
In step 505, the running state of the host is determined to be a legitimate running state. Because it is obtained on the TrustZone security architecture, the monitoring result that the host is in a legitimate running state is more reliable. After determining that a host is in a legitimate running state, TrustZone can also repeat the above steps at a certain period to monitor the host's operation continuously.
Embodiments 2 and 3 above can be implemented in parallel in the same scenario. That is, for the same virtualization system, TrustZone can monitor the guests separately, for example by executing steps 401-405 and steps 501-505 above in parallel with the same or different periods.
As step 401 shows, the running state information of each guest may need to be aggregated by the host before it is sent to TrustZone; and as step 404 shows, when a guest in an illegitimate running state is found, the host has to execute the first control instruction sent by TrustZone to control that guest. The guest monitoring process therefore requires the host to be in a normal running state so that it can aggregate the guest state information or execute the first control instruction. Implementing Embodiments 2 and 3 together in the same scenario thus ensures the reliability of the guest monitoring process. In addition, because the guests and the host are monitored in parallel, the user can customize the monitoring periods and so monitor the virtualization system more flexibly. For example, when the security requirements on the virtualization system as a whole are high, the period of the host monitoring process (steps 501-505 above) can be shorter than the period of the guest monitoring process (steps 401-405 above); when the security requirements of the individual guests differ, the monitoring process for each guest can have a different execution period.
Embodiment 4:
FIG. 6 is a schematic flowchart of virtualization system monitoring in Embodiment 4 of the present invention, showing the process of monitoring the guests and the host in the virtualization system at the same time. Where Embodiment 4 is similar to or repeats Embodiments 1 to 3 above, refer to the descriptions of Embodiments 1 to 3.
As shown in FIG. 6, the process includes:
Step 601: TrustZone (the trusted zone) obtains the running state information of the guest and the host in the virtualization system;
Step 602a: Determine whether the guest's running state information matches the guest's legitimate state information; if they do not match, proceed to step 603a; if they match, proceed to step 605a;
Step 603a: Determine that the running state of the guest is an illegitimate running state;
Step 604a: TrustZone sends a first control instruction to the host, and the host controls the guest in the illegitimate running state according to the first control instruction;
Step 605a: Determine that the running state of the guest is a legitimate running state.
Step 602b: Determine whether the host's running state information matches the host's legitimate state information; if they do not match, proceed to step 603b; if they match, proceed to step 605b;
Step 603b: Determine that the running state of the host is an illegitimate running state;
Step 604b: TrustZone sends a second control instruction to the host, and the host controls the host in the illegitimate running state according to the second control instruction;
Step 605b: Determine that the running state of the host is a legitimate running state.
In step 601, the implementation may follow the description of step 301 and its preferred schemes in Embodiment 1, the description of step 401 in Embodiment 2, and the description of step 501 in Embodiment 3. After the terminal powers on, both the guests and the host in the virtualization system can obtain their respective running state information through their own status modules, and the host can send the running state information of each guest together with its own to TrustZone, either actively or passively.
The subsequent steps 602a-605a are the same as steps 402-405 above, and steps 602b-605b are the same as steps 502-505 above. Both group a and group b must be executed, but their order is not restricted.
Preferably, the group b steps are executed first, and the group a steps are executed only after the running state of the host has been determined to be a legitimate running state, so as to establish that the monitoring and control of the guests are reliable (as shown in FIG. 7).
In this embodiment, the running state information of the guests and the host is obtained together for the running-state judgment, so the running states of both can be determined more reliably. For example, when the method of Embodiment 2 judges a guest to be in an illegitimate running state, the guest's running state information has been aggregated and forwarded by the host, so it is possible that the guest is in a legitimate running state while the host is in an illegitimate running state and has illegitimately tampered with the guest running state information it forwards. In this embodiment, the running state information of the guests and the host is obtained together; if the guest is judged to be in an illegitimate running state and the host in a legitimate running state, it can be confirmed more reliably that the security risk to the virtualization system is that guest.
Obtaining the running state information of the guests and the host together for the running-state judgment also allows illegitimate guests to be controlled more reliably. For example, when the method of Embodiment 2 judges a guest to be in an illegitimate running state and the host controls it, it is uncertain whether the host itself is currently in a legitimate running state. In this embodiment, the running state information of the guests and the host is obtained together; if the guest is judged to be in an illegitimate running state and the host in a legitimate running state, the host can be relied on to inspect, repair and control that guest.
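The preferred ordering of Embodiment 4 (judge the host first, then the guests), modelled as an added Python example that is not part of the patent. It assumes the running state information is a SHA-256 digest of the kernel code segment; the class, function and instruction names and the sample kernel bytes are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    LEGITIMATE = "legitimate"
    ILLEGITIMATE = "illegitimate"
    NOT_EVALUATED = "not evaluated"  # group a skipped because the host failed group b


def measure(kernel_code_segment: bytes) -> bytes:
    """Running state information. Assumption: SHA-256 over the kernel code segment."""
    return hashlib.sha256(kernel_code_segment).digest()


@dataclass
class MonitorResult:
    host: Verdict
    guests: dict                # guest name -> Verdict
    control_instructions: list  # (instruction, target) pairs sent to the host


class TrustZoneMonitor:
    """Models the comparison made inside TrustZone; all names are hypothetical."""

    def __init__(self, legitimate_state: dict):
        # Legitimate state information per Domain, held inside the trusted zone.
        self._legitimate_state = dict(legitimate_state)

    def _matches(self, domain: str, reported: bytes) -> bool:
        expected = self._legitimate_state.get(domain)
        # A Domain with no enrolled legitimate state can never match.
        return expected is not None and hmac.compare_digest(expected, reported)

    def check(self, host_report: bytes, guest_reports: dict) -> MonitorResult:
        # Group b (steps 602b-605b): judge the host first, because the host
        # forwards the guest reports and executes the control instructions.
        if not self._matches("host", host_report):
            skipped = {name: Verdict.NOT_EVALUATED for name in guest_reports}
            return MonitorResult(Verdict.ILLEGITIMATE, skipped,
                                 [("second_control_instruction", "host")])

        # Group a (steps 602a-605a): the host is legitimate, so the forwarded
        # guest reports and the host's enforcement can be relied on.
        guests, instructions = {}, []
        for name, report in guest_reports.items():
            if self._matches(name, report):
                guests[name] = Verdict.LEGITIMATE
            else:
                guests[name] = Verdict.ILLEGITIMATE
                instructions.append(("first_control_instruction", name))
        return MonitorResult(Verdict.LEGITIMATE, guests, instructions)


# Constructed sample data standing in for kernel code segments.
HOST_KERNEL = b"constructed host kernel code segment"
GUEST_KERNELS = {
    "guest-1": b"constructed guest-1 kernel code segment",
    "guest-2": b"constructed guest-2 kernel code segment",
}


def build_monitor() -> TrustZoneMonitor:
    reference = {"host": measure(HOST_KERNEL)}
    reference.update({n: measure(k) for n, k in GUEST_KERNELS.items()})
    return TrustZoneMonitor(reference)


def run_scenarios() -> dict:
    monitor = build_monitor()
    clean = {n: measure(k) for n, k in GUEST_KERNELS.items()}
    modified = {**clean, "guest-2": measure(GUEST_KERNELS["guest-2"] + b"\x00patch")}
    return {
        "all clean": monitor.check(measure(HOST_KERNEL), clean),
        "guest-2 modified": monitor.check(measure(HOST_KERNEL), modified),
        # A modified host could forward any guest report, so guests are not judged.
        "host modified": monitor.check(measure(HOST_KERNEL + b"\x00patch"), clean),
    }


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(label, result.host.value,
              {n: v.value for n, v in result.guests.items()},
              result.control_instructions)
```

In the third scenario the guest reports are identical to the clean ones, yet no guest verdict is issued: with the host failing its own check, neither the forwarded reports nor the host's execution of a first control instruction can be relied on.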
Embodiment 5:
Based on the same inventive concept, an embodiment of the present invention also provides a virtualization system monitoring apparatus. Because the principle by which this apparatus solves the problem is similar to that of the virtualization system monitoring method, its implementation can refer to the implementation of the method, and repeated details are omitted. FIG. 8 is a schematic structural diagram of the virtualization system monitoring apparatus in Embodiment 5 of the present invention. As shown in the figure, the virtualization system monitoring apparatus 800 may include:
an information obtaining module 821, located in TrustZone 820 (the trusted zone), configured to obtain running state information of a Domain in the virtualization system;
a state determining module 822, located in TrustZone 820, configured to determine the running state of the Domain according to the Domain's running state information and the Domain's legitimate state information.
Preferably, the Domain is a host and/or a guest.
Preferably, the state determining module 822 is specifically configured to determine that the running state of the guest is an illegitimate running state when it judges, according to the guest's running state information and the guest's legitimate state information, that the two do not match;
the apparatus 800 further includes:
an instruction sending module 823, located in TrustZone 820, configured to send a first control instruction to the host 810 after the state determining module 822 determines that the running state of the guest is an illegitimate running state;
a control module 811, located in the host 810, configured to control the guest in the illegitimate running state according to the first control instruction sent by the instruction sending module 823.
Preferably, the state determining module 822 is configured to determine that the running state of the guest is a legitimate running state when it judges, according to the guest's running state information and the guest's legitimate state information, that the two match.
Preferably, the state determining module 822 is specifically configured to determine that the running state of the host is an illegitimate running state when it judges, according to the host's running state information and the host's legitimate state information, that the two do not match;
the apparatus 800 further includes:
an instruction sending module 823, located in TrustZone 820, configured to send a second control instruction to the host 810 after the state determining module 822 determines that the running state of the host is an illegitimate running state;
a control module 811, located in the host 810, configured to control the host in the illegitimate running state according to the second control instruction sent by the instruction sending module 823.
Preferably, the state determining module 822 is configured to determine that the running state of the host is a legitimate running state when it judges, according to the host's running state information and the host's legitimate state information, that the two match.
Preferably, the running state information of the Domain is information that characterizes the running state of the Domain and is calculated from the code segment of the Domain's kernel layer.
For convenience of description, the parts of the apparatus above are described separately as modules divided by function. When the present invention is implemented, the functions of the modules or units can of course be implemented in one or more pieces of software or hardware.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system, or a computer program product. The present invention may therefore take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, and the like) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions can also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.

Claims (14)

  1. A virtualization system monitoring method, characterized in that the method comprises:
    TrustZone (the trusted zone) obtaining running state information of a Domain in the virtualization system;
    determining the running state of the Domain according to the Domain's running state information and the Domain's legitimate state information.
  2. The method according to claim 1, characterized in that the Domain is a host and/or a guest.
  3. The method according to claim 2, characterized in that the determining the running state of the Domain according to the Domain's running state information and the Domain's legitimate state information comprises:
    determining that the running state of the guest is an illegitimate running state when it is judged, according to the guest's running state information and the guest's legitimate state information, that the two do not match;
    and, after determining that the running state of the guest is an illegitimate running state, the method further comprises:
    TrustZone sending a first control instruction to the host, and the host controlling the guest in the illegitimate running state according to the first control instruction.
  4. The method according to claim 3, characterized in that the determining the running state of the Domain according to the Domain's running state information and the Domain's legitimate state information comprises:
    determining that the running state of the guest is a legitimate running state when it is judged, according to the guest's running state information and the guest's legitimate state information, that the two match.
  5. The method according to claim 2, characterized in that the determining the running state of the Domain according to the Domain's running state information and the Domain's legitimate state information comprises:
    determining that the running state of the host is an illegitimate running state when it is judged, according to the host's running state information and the host's legitimate state information, that the two do not match;
    and, after determining that the running state of the host is an illegitimate running state, the method further comprises:
    TrustZone sending a second control instruction to the host, and the host controlling the host in the illegitimate running state according to the second control instruction.
  6. The method according to claim 5, characterized in that the determining the running state of the Domain according to the Domain's running state information and the Domain's legitimate state information comprises:
    determining that the running state of the host is a legitimate running state when it is judged, according to the host's running state information and the host's legitimate state information, that the two match.
  7. The method according to any one of claims 1 to 6, characterized in that the running state information of the Domain is information that characterizes the running state of the Domain and is calculated from the code segment of the Domain's kernel layer.
  8. A virtualization system monitoring apparatus, characterized in that the apparatus comprises:
    an information obtaining module, located in TrustZone (the trusted zone), configured to obtain running state information of a Domain in the virtualization system;
    a state determining module, located in TrustZone, configured to determine the running state of the Domain according to the Domain's running state information and the Domain's legitimate state information.
  9. The apparatus according to claim 8, characterized in that the Domain is a host and/or a guest.
  10. The apparatus according to claim 9, characterized in that
    the state determining module is specifically configured to determine that the running state of the guest is an illegitimate running state when it judges, according to the guest's running state information and the guest's legitimate state information, that the two do not match;
    the apparatus further comprises:
    an instruction sending module, located in TrustZone, configured to send a first control instruction to the host after the state determining module determines that the running state of the guest is an illegitimate running state;
    a control module, located in the host, configured to control the guest in the illegitimate running state according to the first control instruction sent by the instruction sending module.
  11. The apparatus according to claim 10, characterized in that the state determining module is configured to determine that the running state of the guest is a legitimate running state when it judges, according to the guest's running state information and the guest's legitimate state information, that the two match.
  12. The apparatus according to claim 9, characterized in that
    the state determining module is specifically configured to determine that the running state of the host is an illegitimate running state when it judges, according to the host's running state information and the host's legitimate state information, that the two do not match;
    the apparatus further comprises:
    an instruction sending module, located in TrustZone, configured to send a second control instruction to the host after the state determining module determines that the running state of the host is an illegitimate running state;
    a control module, located in the host, configured to control the host in the illegitimate running state according to the second control instruction sent by the instruction sending module.
  13. The apparatus according to claim 12, characterized in that the state determining module is configured to determine that the running state of the host is a legitimate running state when it judges, according to the host's running state information and the host's legitimate state information, that the two match.
  14. The apparatus according to any one of claims 8 to 13, characterized in that the running state information of the Domain is information that characterizes the running state of the Domain and is calculated from the code segment of the Domain's kernel layer.
PCT/CN2016/080124 2016-04-25 2016-04-25 Virtualisation system monitoring method and apparatus WO2017185202A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201680002935.0A CN107454961A (en) 2016-04-25 2016-04-25 A kind of virtualization system monitoring method and device
PCT/CN2016/080124 WO2017185202A1 (en) 2016-04-25 2016-04-25 Virtualisation system monitoring method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/080124 WO2017185202A1 (en) 2016-04-25 2016-04-25 Virtualisation system monitoring method and apparatus

Publications (1)

Publication Number Publication Date
WO2017185202A1 true WO2017185202A1 (en) 2017-11-02

Family

ID=60160607

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/080124 WO2017185202A1 (en) 2016-04-25 2016-04-25 Virtualisation system monitoring method and apparatus

Country Status (2)

Country Link
CN (1) CN107454961A (en)
WO (1) WO2017185202A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103793651A (en) * 2014-02-22 2014-05-14 西安电子科技大学 Kernel integrity detection method based on Xen virtualization
CN104063788A (en) * 2014-07-16 2014-09-24 武汉大学 Mobile platform credibility payment system and method
CN105468980A (en) * 2015-11-16 2016-04-06 华为技术有限公司 Security control method, device and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101350044B (en) * 2008-09-02 2010-07-14 中国科学院软件研究所 Method for constructing virtual environment trust
CN103902884B (en) * 2012-12-28 2017-03-15 中国电信股份有限公司 Virtual-machine data protection system and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MENG, JIANGTAO ET AL.: "Novel Approach for Protecting Integrity of Kernel Based on Reference Monitor", vol. 26, no. 5, 31 May 2006 (2006-05-31), pages chapter 1 - chapter 3 *

Also Published As

Publication number Publication date
CN107454961A (en) 2017-12-08

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16899717

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 16899717

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 30/04/2019)