WO2019062420A1 - Method and apparatus for monitoring a process (监控进程的方法和装置) - Google Patents
- Publication number: WO2019062420A1 (PCT application PCT/CN2018/102476)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- mapping relationship
- access
- processing unit
- memory
- physical address
Classifications (all under G—PHYSICS; G06—COMPUTING, CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING)
- G06F3/0622—Securing storage systems in relation to access
- G06F3/0637—Permissions (configuration or reconfiguration of storage systems)
- G06F3/0659—Command handling arrangements, e.g. command buffers, queues, command scheduling
- G06F3/0673—Single storage device (in-line storage system)
- G06F12/1009—Address translation using page tables, e.g. page table structures
- G06F12/1425—Protection against unauthorised use of memory or access to memory by checking the object accessibility, the protection being physical, e.g. cell, word, block
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
- G06F2221/033—Test or assess software (indexing scheme relating to G06F21/50)
Definitions
- the present application relates to the field of computers and, more particularly, to methods and apparatus for monitoring processes.
- a known technique monitors the behavior of a process calling an external function by writing monitor code into the sample program, running the sample program to generate the process to be monitored, and then adding call-control point code to the external function; when the external function is called, execution jumps into the monitor code, which monitors and records the behavior of the monitored process.
- the present application provides a method and apparatus for monitoring a process, which enables monitoring of a process without modifying the code of a sample program or an external function.
- a method of monitoring a process is provided, performed by a computing device comprising a processing unit, a memory, and a memory control unit. The method comprises: the processing unit determines a first mapping relationship and a second mapping relationship. Both indicate the mapping between a first virtual address and a first physical address together with an access rule for the first physical address; the first mapping relationship indicates that the access rule of the first physical address is access forbidden, and the second mapping relationship indicates that the access rule of the first physical address is access permitted. The first physical address is the physical address of a first memory space in the memory, the first memory space being the memory space other than a second memory space, and the second memory space being the memory space that stores the program code for generating the first process. When the first process starts running, the processing unit sets the target mapping relationship to the first mapping relationship, where the target mapping relationship is the mapping relationship the memory control unit uses when controlling access to the memory; when the first process needs to access
- the processing unit may configure a first mapping relationship and a second mapping relationship that indicate the same mapping between virtual address and physical address but different access rules for that physical address.
- the processing unit sets the first mapping relationship, whose access rule is access forbidden, as the target mapping relationship used by the memory control unit to control access to the memory. When the code of the first process indicates that the first memory space (the first physical address) needs to be accessed, the memory control unit reports page abnormality information to the processing unit, because the target mapping relationship (i.e., the first mapping relationship) indicates that access to the first physical address is forbidden.
- the processing unit can trigger monitoring of the first process according to the page abnormality information, switch the target mapping relationship from the first mapping relationship to the second mapping relationship, and resend the access request. Since the target mapping relationship after the switch (i.e., the second mapping relationship) indicates that the access rule of the first physical address is access permitted, the memory control unit can allow the access.
- the process can thus be monitored at an appropriate timing. The method needs no additional monitoring code in the sample program or the external function, so it improves the efficiency of monitoring the process without affecting the process's access to the memory.
- the first virtual address is a guest physical address (GPA), and the first physical address is a host physical address (HPA).
- the first mapping relationship and the second mapping relationship are extended page tables (EPT).
- the method of monitoring a process of the embodiment of the present application can thereby be compatible with the prior art, and the practicability of the implementation of the present application can be further improved.
- the first mapping relationship and the second mapping relationship further indicate the mapping between a second virtual address and a second physical address and an access rule for the second physical address; the first mapping relationship indicates that the access rule of the second physical address is access permitted, and the second mapping relationship indicates that the access rule of the second physical address is access forbidden, where the second physical address is the physical address of the second memory space.
- the method further includes: when the code stored in the first memory space needs to access the second memory space, the processing unit sends a second access request carrying the second virtual address to the memory control unit; the processing unit receives second abnormal information from the memory control unit, which the memory control unit sends when it determines that the access rule of the second physical address in the target mapping relationship is access forbidden; the processing unit performs second monitoring processing on the first process according to the second abnormal information and performs a second switching process on the target mapping relationship, switching it from the second mapping relationship to the first mapping relationship; and the processing unit resends the second access request to the memory control unit.
- while the external function is being called, the processing unit keeps the second mapping relationship, whose access rule for the second physical address is access forbidden, as the target mapping relationship used by the memory control unit to control access to the memory. Therefore, when the external function needs to return to the process, the memory control unit reports page abnormality information to the processing unit, because the target mapping relationship (i.e., the second mapping relationship) indicates that access to the second physical address is forbidden.
- the processing unit can trigger monitoring of the process according to the page abnormality information, switch the target mapping relationship from the second mapping relationship to the first mapping relationship, and resend the access request. Since the target mapping relationship after the switch (i.e., the first mapping relationship) permits access to the second physical address, the memory control unit can allow the access. This monitors the return from the call without affecting the process's access to the memory, and adds a further monitoring point beyond the call of the external function by the monitored process.
- the second virtual address is a guest physical address (GPA), and the second physical address is a host physical address (HPA).
- the processing unit determining the first mapping relationship and the second mapping relationship includes: when the first process is created, the processing unit determines a second process, which is the parent process of the first process; when the second process needs to be monitored, the processing unit determines the access rule of the second physical address in the first mapping relationship and the second mapping relationship accordingly.
- the access rule in the first and second mapping relationships is thus determined based on whether the parent process needs to be monitored, which makes determining the access rule easy to implement and further improves the practicability of the implementation of the present application.
- the method further includes: at the end of the first process, the processing unit deletes the first mapping relationship and the second mapping relationship. This saves storage space.
- the first memory space stores the code of an external function, where an external function is a function other than a process function, and a process function is a function included in the program code that generates the first process; the code of the external function includes at least one of process-shared code and system kernel code.
- the method and apparatus for monitoring a process can therefore monitor the behavior of the process calling an external function without modifying the code of the process or of the external function.
- a method of monitoring a process is provided, performed by a computing device comprising a processing unit, a memory, and a memory control unit. The method comprises: the memory control unit receives a first access request sent by the processing unit, the first access request carrying a first virtual address and being sent when the first process needs to access a first memory space in the memory, where the first memory space is the memory space other than a second memory space, and the second memory space stores the program code for generating the first process. When the memory control unit determines that, under the currently used target mapping relationship, the access rule of the first physical address is access forbidden, it sends first abnormal information to the processing unit, so that the processing unit performs first monitoring processing on the first process according to the first abnormal information. The target mapping relationship is the first mapping relationship determined by the processing unit when the first process starts running; the first mapping relationship indicates the mapping between the first virtual address and the first physical address and that the access rule of the first physical address is access forbidden.
- the memory control unit receives the first access request resent by the processing unit according to the first abnormal information, and controls access to the first memory space according to the target mapping relationship and the resent first access request. Before the memory control unit receives the resent first access request, the processing unit has switched the target mapping relationship to a second mapping relationship, which indicates the mapping between the first virtual address and the first physical address and that the access rule of the first physical address is access permitted.
- the process can thus be monitored at an appropriate timing. No additional monitoring code needs to be added to the sample program or to external functions, which improves the efficiency of monitoring the process without affecting the process's access to the memory.
- the first virtual address is a guest physical address (GPA), and the first physical address is a host physical address (HPA).
- the first mapping relationship and the second mapping relationship are extended page tables (EPT).
- the method of monitoring a process of the embodiment of the present application can thereby be compatible with the prior art, and the practicability of the implementation of the present application can be further improved.
- the first mapping relationship and the second mapping relationship further indicate the mapping between a second virtual address and a second physical address and an access rule for the second physical address; the first mapping relationship indicates that the access rule of the second physical address is access permitted, and the second mapping relationship indicates that the access rule of the second physical address is access forbidden.
- the method further includes: the memory control unit receives a second access request sent by the processing unit, the second access request carrying the second virtual address; when the memory control unit determines that the access rule of the second physical address in the currently used target mapping relationship is access forbidden, it sends second abnormal information to the processing unit; the memory control unit receives the second access request resent by the processing unit according to the second abnormal information; and the memory control unit controls access to the second memory space according to the target mapping relationship and the resent second access request.
- the processing unit sets the second mapping relationship, whose access rule for the second physical address is access forbidden, as the target mapping relationship used by the memory control unit to control access to the memory.
- the memory control unit reports page abnormality information to the processing unit, because the target mapping relationship (i.e., the second mapping relationship) indicates that access to the second physical address is forbidden.
- the processing unit can trigger monitoring of the process according to the page abnormality information, switch the target mapping relationship from the second mapping relationship to the first mapping relationship, and resend the access request.
- the memory control unit can then allow the access. This monitors the return from the call without affecting the process's access to the memory, and adds a further monitoring point beyond the call of the external function by the monitored process.
- the second virtual address is a guest physical address (GPA), and the second physical address is a host physical address (HPA).
- the access rule of the second physical address in the first mapping relationship and the second mapping relationship is determined when the second process needs to be monitored, where the second process is the parent process of the first process.
- the access rule in the first and second mapping relationships is thus determined based on whether the parent process needs to be monitored, which makes determining the access rule easy to implement and further improves the practicability of the implementation of the present application.
- the first memory space stores the code of an external function, where an external function is a function other than a process function, and a process function is a function included in the program code that generates the first process; the code of the external function includes at least one of process-shared code and system kernel code.
- the method and apparatus for monitoring a process can therefore monitor the behavior of the process calling an external function without modifying the code of the process or of the external function.
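The following C program is an added example, not code from the application or its applicant. It models both sides of the scheme described in the first aspect (processing unit) and the second aspect (memory control unit) above: two mapping relationships with identical GPA-to-HPA translation but opposite access rules, a memory control unit that reports abnormal information instead of completing a forbidden access, and a processing unit that records a monitoring event, switches the target mapping and resends. It also covers the parent-process rule for the second physical address and the deletion of both mappings at process end. All names (mcu_access, pu_access, monitor_create, monitor_destroy, run_trace), the eight-page layout, the host physical addresses and the access trace are assumptions constructed for this illustration.

```c
/* Added example, not the application's own code: a software model of the
 * dual-mapping scheme. Names (mcu_access, pu_access, run_trace) are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 0x1000UL
#define NPAGES 8                   /* constructed 8-page guest-physical space */

enum rule  { RULE_ALLOW, RULE_FORBID };
enum space { SPACE_INTERNAL, SPACE_EXTERNAL }; /* second / first memory space */

/* One mapping relationship: per page, GPA -> HPA plus an access rule. The first
 * and second mapping share the translation and differ only in the rules. */
struct mapping { unsigned long hpa[NPAGES]; enum rule rule[NPAGES]; };
struct mcu { const struct mapping *target; };   /* memory control unit, target mapping */
struct access_result { bool ok; unsigned long hpa; };

/* Memory control unit side: translate under the target mapping, or return
 * ok == false (the "abnormal information") when the page's rule forbids access. */
struct access_result mcu_access(const struct mcu *m, unsigned long gpa)
{
    struct access_result r = { false, 0 };
    unsigned long page = gpa / PAGE_SIZE;
    if (page >= NPAGES || m->target->rule[page] == RULE_FORBID)
        return r;
    r.ok  = true;
    r.hpa = m->target->hpa[page] + gpa % PAGE_SIZE;
    return r;
}

struct monitor {
    struct mapping m1, m2;   /* first and second mapping relationship */
    struct mcu     mcu;
    int calls, returns;      /* monitoring events observed */
};

/* Processing unit side, at process creation: m1 forbids the external space;
 * m2 forbids the internal space only when the parent process is monitored
 * (the text makes the rule for the second physical address depend on that).
 * The process starts running under m1. */
void monitor_create(struct monitor *mon, const enum space *layout, bool parent_monitored)
{
    memset(mon, 0, sizeof *mon);
    for (int p = 0; p < NPAGES; p++) {
        mon->m1.hpa[p] = mon->m2.hpa[p] = 0x100000UL + p * PAGE_SIZE; /* constructed HPAs */
        mon->m1.rule[p] = (layout[p] == SPACE_EXTERNAL) ? RULE_FORBID : RULE_ALLOW;
        mon->m2.rule[p] = (layout[p] == SPACE_INTERNAL && parent_monitored) ? RULE_FORBID : RULE_ALLOW;
    }
    mon->mcu.target = &mon->m1;
}

/* Processing unit side, at process end: delete both mapping relationships. */
void monitor_destroy(struct monitor *mon) { memset(mon, 0, sizeof *mon); }

/* Processing unit side: send an access request; on abnormal information, record
 * the monitoring event, switch the target mapping and resend. Returns the HPA
 * finally accessed, or 0 for an address outside the modelled space. */
unsigned long pu_access(struct monitor *mon, unsigned long gpa)
{
    if (gpa / PAGE_SIZE >= NPAGES) return 0;
    struct access_result r = mcu_access(&mon->mcu, gpa);
    if (!r.ok) {
        if (mon->mcu.target == &mon->m1) {  /* process -> external function */
            mon->calls++;                   /* first monitoring processing */
            mon->mcu.target = &mon->m2;     /* first switching process */
        } else {                            /* external function -> process */
            mon->returns++;                 /* second monitoring processing */
            mon->mcu.target = &mon->m1;     /* second switching process */
        }
        r = mcu_access(&mon->mcu, gpa);     /* resend: permitted under the new target */
    }
    return r.hpa;
}

struct trace_result { int calls, returns; unsigned long last_hpa; };

/* Run one process over a constructed access trace and report what was observed. */
struct trace_result run_trace(bool parent_monitored)
{
    /* constructed layout: pages 0-3 hold the process's code, pages 4-7 external code */
    static const enum space layout[NPAGES] = {
        SPACE_INTERNAL, SPACE_INTERNAL, SPACE_INTERNAL, SPACE_INTERNAL,
        SPACE_EXTERNAL, SPACE_EXTERNAL, SPACE_EXTERNAL, SPACE_EXTERNAL };
    /* constructed trace: own code, call out, run there, return, call out again */
    static const unsigned long trace[] = { 0x0010, 0x4020, 0x4030, 0x0040, 0x5000 };
    struct monitor mon;
    struct trace_result res = { 0, 0, 0 };
    monitor_create(&mon, layout, parent_monitored);
    for (int i = 0; i < 5; i++)
        res.last_hpa = pu_access(&mon, trace[i]);
    res.calls = mon.calls;
    res.returns = mon.returns;
    monitor_destroy(&mon);
    return res;
}

int main(void)
{
    struct trace_result a = run_trace(true), b = run_trace(false);
    printf("parent monitored:   %d calls, %d returns\n", a.calls, a.returns);
    printf("parent unmonitored: %d calls, %d returns\n", b.calls, b.returns);
    return 0;
}
```

With the parent process monitored, the trace yields two observed calls into external code and one observed return, and every access still completes at the same host physical address as it would without monitoring. With the parent unmonitored the second mapping permits everything, so after the first switch no further event is raised: the model makes visible why the rule chosen for the process's own pages decides whether call returns, and later calls, are observed at all.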
- a chip comprising at least one processing unit and at least one memory control unit, where the processing unit performs the method of the first aspect or any of its possible implementations, and the memory control unit performs the method of the second aspect or any of its possible implementations.
- a computer system comprising a processor and a memory, the processor comprising at least one processing unit and a memory control unit, where the processing unit performs the method of the first aspect or any of its possible implementations, and the memory control unit performs the method of the second aspect or any of its possible implementations.
- the computer system further includes a system bus connecting the processor (specifically, the memory control unit) and the memory.
- a computer program product comprising a computer program (also referred to as code, or instructions) that, when executed by a processor or by a processing unit in a chip, causes the processing unit to perform the method of the first aspect or any of its possible implementations.
- a computer program product comprising a computer program (also referred to as code, or instructions) that, when executed by a memory control unit in a processor or chip, causes the memory control unit to perform the method of the second aspect or any of its possible implementations.
- a computer readable medium storing a computer program (also referred to as code, or instructions) that, when run on a processing unit in a processor or chip, causes the processing unit to perform the method of the first aspect or any of its possible implementations.
- a computer readable medium storing a computer program (also referred to as code, or instructions) that, when run on a memory control unit in a processor or chip, causes the memory control unit to perform the method of the second aspect or any of its possible implementations.
- FIG. 1 is a schematic hardware structural diagram of a computer device (or computer system) to which a method and apparatus for monitoring a process of an embodiment of the present application is applied.
- FIG. 2 is a schematic diagram of a virtualized logical architecture of a computer device to which an embodiment of the present application is applied.
- FIG. 3 is a schematic diagram of a memory addressing process based on the logical architecture shown in FIG. 2.
- FIG. 4 is a schematic diagram of classification of codes stored in a memory in an embodiment of the present application.
- FIG. 5 is a schematic interaction diagram of a method for monitoring a process provided by an embodiment of the present application.
- FIG. 6 is a diagram showing an example of an access rule of a physical address of a storage space for an external code recorded in one mapping relationship in the embodiment of the present application.
- FIG. 7 is a schematic diagram showing an example of an access rule of a physical address of a storage space for an internal code recorded in another mapping relationship in the embodiment of the present application.
- FIG. 8 is a schematic diagram of the steps performed by a processing unit in a monitoring process in an embodiment of the present application.
- FIG. 9 is a schematic flowchart of a process of a processing unit creation process in an embodiment of the present application.
- FIG. 10 is a schematic flowchart of a process of a processing unit monitoring process in an embodiment of the present application.
- FIG. 11 is a schematic flowchart of a process in which a processing unit ends a process in an embodiment of the present application.
- a computing device which may also be referred to as a computer system, may include a hardware layer, an operating system layer running on the hardware layer, and an application layer running on the operating system layer.
- the hardware layer includes hardware such as a processing unit, a memory, and a memory control unit; the function and structure of this hardware are described in detail below.
- the operating system may be any one or more computer operating systems that implement business processing through a process, such as a Linux operating system, a Unix operating system, an Android operating system, an iOS operating system, or a Windows operating system.
- the application layer includes applications such as browsers, contacts, word processing software, and instant messaging software.
- the computer system may be a handheld device such as a smart phone, or may be a terminal device such as a personal computer.
- the present application does not particularly limit the computer system, as long as it can run a program that records the code of the method of monitoring a process of the embodiment of the present application and can thereby monitor a process according to that method.
- the execution body of the method for monitoring a process of the embodiment of the present application may be a computer system or a functional module of a computer system capable of calling a program and executing the program.
- a program is a collection of ordered instructions (or code) used to implement a relatively independent function.
- a process is an instance of a program and its data running on a computer device.
- the program usually adopts a modular design, which is to disassemble the function of the program into multiple smaller functional modules.
- the program contains at least one function, which is a code segment that implements a functional module. Therefore, a function is a basic unit of modularity of a program function, and can also be regarded as a subroutine.
- FIG. 1 is a schematic structural diagram of a computing device 100 according to an embodiment of the present application.
- the computing device shown in Figure 1 is used to perform a method of monitoring a process.
- Computing device 100 can include at least one processor 110, and memory 120.
- the computing device 100 may also include a system bus, to which the processor 110 and the memory 120 are each coupled.
- the processor 110 is capable of accessing the memory 120 through the system bus.
- the processor 110 can perform data reading and writing or code execution in the memory 120 through the system bus.
- the function of the processor 110 is mainly to explain the instructions (or code) of the computer program and to process the data in the computer software.
- the instructions of the computer program and the data in the computer software may be stored in the memory 120 or the cache unit 116.
- the processor 110 may be an integrated circuit chip with signal processing capability.
- the processor 110 may be a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
- the general purpose processor may be a microprocessor or the like.
- the processor 110 can be a Central Processing Unit (CPU).
- Each processor 110 includes at least one processing unit 112 and a memory control unit 114.
- Processing unit 112 which may also be referred to as a core or kernel, is the most important component of the processor.
- the processing unit 112 can be manufactured from single-crystal silicon by a given production process, and all of the processor's calculation, command acceptance, command storage, and data processing are executed by the core.
- the processing unit can independently run the program instructions, and utilize the capability of parallel computing to speed up the running of the program.
- the various processing units have a fixed logical structure.
- the processing unit may include logic units such as a level one cache, a level two cache, an execution unit, an instruction level unit, and a bus interface.
- the memory control unit 114 is used to control data interaction between the memory 120 and the processing unit 112.
- memory control unit 114 may receive a memory access request from processing unit 112 and control access to memory based on the memory access request.
- the memory control unit may be a memory management unit (MMU) or the like.
- each memory control unit 114 can perform addressing for the memory 120 through the system bus.
- an arbiter (not shown) can be configured in the system bus, which can be responsible for processing and coordinating the contention access of the plurality of processing units 112.
- the processing unit 112 and the memory control unit 114 can communicate through the connection line inside the chip, such as an address line, thereby implementing communication between the processing unit 112 and the memory control unit 114.
- each processor 110 may further include a cache unit 116, wherein the cache is a buffer of data exchange (referred to as a Cache).
- when the processing unit 112 wants to read data, it first looks for the required data in the cache; if it finds it, it uses it directly, and if not, it fetches it from the memory. Since the cache runs much faster than the memory, the role of the cache is to help the processing unit 112 run faster.
- the memory 120 can provide a running space for processes in the computing device 100.
- a computer program (specifically, program code) that generates a process can be saved in the memory 120, and so can the data generated while the process runs, such as intermediate data or process data.
- the memory may also be referred to as internal memory; it temporarily stores operation data in the processor 110 and data exchanged with an external memory such as a hard disk. As long as the computer is running, the processor 110 transfers the data that needs to be operated on into the memory for calculation, and when the operation is completed the processing unit 112 transmits the result.
- the memory 120 may be a volatile memory or a nonvolatile memory, or may include both volatile and nonvolatile memory.
- the non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM) or a flash memory.
- the volatile memory can be a Random Access Memory (RAM) that acts as an external cache.
- many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced synchronous DRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct Rambus RAM (DR RAM).
- computing device 100 enumerated above is only an exemplary description, and the application is not limited thereto.
- the computing device 100 of the embodiment of the present application may include various hardware found in prior-art computer systems; for example, computing device 100 may also include storage other than memory 120, such as disk storage or the like.
- virtualization techniques may be applied on computing device 100.
- multiple virtual machines can run simultaneously in the computing device 100; each virtual machine can run at least one operating system, and each operating system runs multiple programs.
- a virtual machine is a complete computer system, simulated in software, that has the functionality of a full hardware system and runs in a fully isolated environment. The physical computer on which a virtual machine runs may be referred to as the host, and a physical address of the host's memory is called a host physical address (HPA).
- an operating system running in a virtual machine can be called a guest (or client).
- a process in the guest can be assigned a guest virtual address (GVA).
- the concept of a guest physical address (GPA) is also introduced. This address space is not a real physical address space: for the guest, the guest physical address space is a contiguous address space starting from zero, but for the host it is not necessarily contiguous, and it may be mapped to several discontiguous host physical address ranges. Therefore, to implement access to the host's memory by a process in a guest, the mapping from GVA to GPA to HPA, that is, address translation, needs to be implemented.
- Figure 3 illustrates one implementation of the above address translation.
- a guest page table (GPT) and an extended page table (EPT) are configured.
- the page table is a management method of the address space, which is described in the related documents and will not be described in detail here.
- the GPT can be maintained by the guest, and the EPT can be maintained by virtualization software on the host, such as a virtual machine monitor (VMM, also known as a hypervisor) running on the host.
- the target process generated by the sample program runs in the virtual machine.
- the monitor runs outside the virtual machine (for example, in another virtual machine) and is responsible for monitoring and recording the behavior of the sample program (that is, the target process) during execution.
- when a process in the virtual machine (referred to as process #X) needs to access a host physical address space in the host's memory (recorded as host physical space #X), the virtual address that the virtual machine has assigned to process #X for that space is GVA#X.
- the guest can determine the GPA corresponding to GVA#X (referred to as GPA#X) based on the GPT.
- the memory control unit (MMU) of the host can determine the HPA corresponding to GPA#X (referred to as HPA#X) based on the EPT, thereby completing the access to the memory space corresponding to HPA#X.
- the VMM in the host can record the access behavior of the target process to memory.
- the EPT not only records the mapping relationship between the GPA and the HPA, but also records the access rules (or access rights) of the HPA (specifically, the memory space corresponding to the HPA).
- access rights may include three types: read, write, and execute.
- three fields can be set in the EPT for the memory space indicated by the HPA, which are respectively used to indicate the specific status of the three rights.
- field #0 can be used to carry a bit indicating the read access right (denoted as Bit#0), and Bit#0 indicates whether the data in the memory space corresponding to the HPA (or GPA) is allowed to be read by the guest.
- the Bit #0 may include one bit or a plurality of bits, and the present application is not particularly limited as long as the processing unit 112 can be made to agree with the memory control unit 114 for the interpretation of the different values of Bit#0. For example, when Bit#0 is "0", it can indicate that the memory space is not allowed to be read by the client. For example, when Bit#0 is "1", it can indicate that the memory space is allowed to be read by the client.
- field #1 can be used to carry a bit indicating the write access right (denoted as Bit#1), and Bit#1 indicates whether the memory space corresponding to the HPA (or GPA) is allowed to be written by the guest.
- Bit#1 may consist of one bit or a plurality of bits, and the present application is not particularly limited as long as the processing unit 112 and the memory control unit 114 agree on the interpretation of the different values of Bit#1. For example, when Bit#1 is "0" it can indicate that the memory space is not allowed to be written by the guest, and when Bit#1 is "1" it can indicate that the memory space is allowed to be written by the guest.
- field #2 can be used to carry a bit indicating the execute access right (denoted as Bit#2), and Bit#2 indicates whether the code or instructions stored in the memory space corresponding to the HPA (or GPA) are allowed to be executed by the guest.
- Bit#2 may consist of one bit or a plurality of bits, and the present application is not particularly limited as long as the processing unit 112 and the memory control unit 114 agree on the interpretation of the different values of Bit#2. For example, when Bit#2 is "0" it can indicate that the memory space is not allowed to be executed by the guest, and when Bit#2 is "1" it can indicate that the memory space is allowed to be executed by the guest.
- Client access to specific physical pages can be controlled by setting the appropriate access rights flags in the EPT page table.
- when the guest performs an access that violates the permission controlled by the corresponding flag bit, such as reading the content of a physical page whose permission is set to unreadable, an EPT violation is triggered.
- the monitor can intercept the guest's execution of a specific physical page by setting that page non-executable (NX) in the EPT, that is, by setting the Bit#2 flag bit in the EPT entry corresponding to the physical page.
- for example, when a process in the guest calls an external function, instruction execution jumps to the physical page holding the external function's code. If that physical page has the non-executable flag set, a page exception is triggered immediately.
- the same applies to the mapping of a virtual address to an HPA in traditional page tables: in the embodiments below, setting the access right means setting the value of field #2. Setting an access rule for a certain memory space refers specifically to setting its execute access right; setting the access rule of a memory space to prohibit access means prohibiting execution; and setting it to allow access means allowing execution.
- the computing device 100 shown in FIG. 1 of the embodiment of the present application may be the host on which the sandbox system is located.
- a virtual machine running on the computing device 100 provides the environment in which the sample program runs, and the access behavior of the target process generated by the sample program is monitored by the VMM or by a monitoring program running in a secure virtual machine.
- sandbox technology arose in a particular historical context. With the continuous development of Advanced Persistent Threat (APT) attacks, advanced malicious code changes with each passing day, and traditional malicious code detection based on signature matching has become increasingly difficult to rely on.
- the dynamic behavior feature detection technology based on program running time is gradually recognized and adopted by security vendors.
- the sandbox has proved to be an effective malicious code detection system based on dynamic behavior monitoring. By constructing an isolated but realistic operating environment, it monitors and records all actions performed by the sample program (specifically, the process generated by the sample program) during execution and submits them to a back-end analysis engine, which determines whether the sample program's code is malicious.
- because sandbox systems are now widely deployed, advanced malicious code has also improved its techniques against sandbox monitoring. For example, the malicious code may probe its running environment when it first runs, determine whether it is currently running in a sandbox system and, if so, exit immediately to evade the sandbox's behavior monitoring; on the other hand, the malicious code may also damage the sandbox system's behavior monitoring mechanism so that sandbox monitoring fails. Therefore, an effective sandbox system must have strong anti-detection and anti-tampering capabilities.
- the sample program generates a monitored process once it is run by the processing unit. During execution, the monitored process produces a series of behaviors which, ordered by semantic complexity, range from simple behaviors such as executing specific instructions up to external code calls.
- the code stored in the memory can be divided into two types: an internal code and an external code.
- the internal code and the external code are relative to a process generated by the program.
- the internal code refers to the code of the program itself that generates the process; it belongs to the process and is not shared with other processes, such as the segment of a Windows process's PE file with executable attributes (usually the TEXT segment).
- the process is divided into a target process and a non-target process.
- the target process is a process in which the sandbox system needs to monitor its behavior, including the process generated by the sample program, and the child process further generated by the process generated by the sample program.
- Non-target processes are other normal processes running in the system and are not monitored by the sandbox system.
- s-Tall = {s-T1, s-T2, ..., s-Ti} represents the set of own code of all target processes (or sample programs).
- external code refers to code shared globally by all processes.
- external code can also include code for external functions.
- an external function is a function other than a process function, where a process function is one included in the program code of the program that generates the process.
- the code of an external function may include the code of a user-mode shared library (which may also be referred to as process-shared code), such as kernel32.dll and user32.dll in Windows, the C runtime library libc.so in Linux, and so on.
- the external code can also include all kernel mode code, such as operating system kernel code, device driver code, and the like.
- external code need only exist once in the memory 120; each process maps the shared physical memory into its own virtual address space by means of virtual memory mapping, thereby implementing shared use.
- let Sdll represent user-space shared library code, Skernel the operating system kernel code and Sdriver1 the code of device driver 1; the external code set is then Sall = {Skernel, Sdll1, Sdriver1, Sdll2, Sdriver2, ..., Sdlln, Sdrivern}.
- the target process continuously calls external code to obtain the service provided by the system during the execution process.
- the calling external code reflects the behavior of the target process requesting the service from the system.
- when the target process needs to read the content of a file, for example, it can do so by calling the ReadFile function in the shared library kernel32.dll.
- by monitoring these calls, the sandbox back-end engine can effectively detect suspicious malicious target processes, or the sample programs that generate suspicious malicious target processes (referred to as suspicious malicious programs in this application).
- for this, the calling behavior of the target process towards the external code must be monitored effectively.
- the steps performed by the processing unit in the method for monitoring the process in the embodiment of the present application may be directly implemented by the hardware decoding processing unit, or may be performed by a combination of hardware and software modules in the decoding processing unit.
- the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
- the storage medium is located in the memory; the processing unit reads the information in the memory and, in combination with its hardware, completes the steps performed by the processing unit in the process monitoring method of the embodiment of the present application.
- the method 200 of monitoring the process in the embodiment of the present application is described in detail below with reference to FIG. 5 to FIG.
- the method 200 is described in detail by taking as an example a process (denoted as process #A) that calls an external code (denoted as external code #B).
- the process may include a target process that needs to be monitored (for example, a process generated by a sample program) and a non-target process that does not need to be monitored (for example, a process generated by a non-sample program), where
- the process #A may be a target process or a non-target process, and is not specifically limited in this application.
- the external code #B may include code for one or more external functions.
- the external code #B can include one or more inter-process shared code.
- the external code #B can include one or more system kernel code.
- the memory space in the memory 120 that stores the external code #B is referred to as memory space #B; the physical address of memory space #B is referred to as physical address #B; and the virtual address of memory space #B is written as virtual address #B. That is, in the embodiment of the present application, the physical address #B may be the physical address of a memory space in which one or more codes in Sall are stored.
- the memory space in the memory 120 that stores the code of process #A (or the code of the program that generates process #A) is referred to as memory space #A; the physical address of memory space #A is written as physical address #A; and the virtual address of memory space #A is recorded as virtual address #A.
- the processing unit 112 may determine the mapping relationship #1 and the mapping relationship #2.
- mapping relationship #1 and the mapping relationship #2 are used to indicate a mapping relationship between the physical address #B and the virtual address #B.
- mapping relationship #1 and the mapping relationship #2 may be one EPT, respectively.
- the physical address #B may be the HPA of the host shown in FIG. 3, and the virtual address #A may be the GPA of the client running the process #A. Also, by way of example and not limitation, in this case, the virtual address #A may be determined based on the GPT in FIG.
- the mapping relationship between the physical address #B and the virtual address #B described above is merely exemplary, and the application is not limited thereto.
- the mapping relationship may also be the traditional page table of a host system, mapping a virtual address (GVA) to a physical address (HPA).
- the following describes the method for monitoring the process in the embodiment of the present application by taking the EPT table as the mapping relationship as an example.
- the foregoing mapping relationship determining method and process may be similar to the prior art, and a detailed description thereof is omitted in order to avoid redundancy.
- mapping relationship #1 and the mapping relationship #2 are also used to indicate an access rule of the physical address #B. Further, the access rule of the physical address #B indicated by the mapping relationship #1 and the mapping relationship #2 is different.
- the access rule of the physical address #B indicated by the mapping relationship #1 is prohibited access, where prohibited access may mean that the memory space #B indicated by the physical address #B is prohibited from being read, or that the memory space #B indicated by the physical address #B is prohibited from being written, or that the code stored in the memory space #B indicated by the physical address #B is prohibited from being executed.
- the access rules for storing the memory space (memory space #B) of the external code recorded in the mapping relationship #1 are all set to prohibit access.
- the access rule for storing the memory space (memory space #B) of the external code recorded in the mapping relationship #2 is set to allow access.
- a storage device of the computing device 100 (for example, a part of the memory 120) may include a storage space for storing a target mapping relationship, where the target mapping relationship is the mapping relationship that the memory control unit 114 uses when controlling access to the memory 120; that is, the target mapping relationship is one of the mapping relationship #1 and the mapping relationship #2.
- when the processing unit 112 detects that the process #A starts running (denoted as time #1), the processing unit 112 may set the target mapping relationship to the mapping relationship #1.
- thereafter, the mapping relationship that the memory control unit 114 uses when controlling access to the memory 120 is the mapping relationship #1.
- Time #2 is the time at which the processing unit 112 performs the switching process #1 on the target mapping relationship.
- while executing the code of the process #A, the processing unit 112 needs to access the memory space #B; for example, the code of the process #A indicates that the external code stored in the memory space #B needs to be called (or executed).
- the processing unit 112 determines the virtual address of the memory space #B (ie, virtual address #B), for example, the virtual address #B may be a GPA.
- the processing unit 112 sends an access request #1 to the memory control unit 114, which carries the virtual address #B.
- the memory control unit 114 receives the access request #1, and the memory control unit 114 searches for the physical address corresponding to the virtual address #B (ie, the physical address #B) in the current target mapping relationship (mapping relationship #1).
- the physical address #B may be an HPA.
- the memory control unit 114 can determine that the access rule of the memory space corresponding to the physical address #B (ie, the memory space #B) is the access prohibition based on the current target mapping relationship (the mapping relationship #1).
- the memory control unit 114 triggers a page exception because the access rule of the memory space #B indicated by the current target mapping relationship (mapping relationship #1) is prohibited access. That is, the memory control unit 114 transmits page exception information to the processing unit 112. To ease understanding and distinction, the page exception information transmitted in S530 is recorded as page abnormality information #1.
- based on the page abnormality information #1, the processing unit 112 determines that the memory space storing the external code is being accessed; in other words, the processing unit 112 determines that the currently running process (process #A, for example the process running when the page abnormality information #1 is received) has made an external code call that needs to be monitored. As an example, the processing unit 112 may determine the currently running process from the CPU context.
- the processing unit 112 can monitor the process #A. Monitoring can be achieved through VMM.
- the contents of the monitoring include, but are not limited to, obtaining the context information of the process #A, the function name of the called external code, the parameter value passed when the call occurs, and the return value, and the like.
- the content and process of monitoring the process by the processing unit may be similar to the prior art. Here, in order to avoid redundancy, detailed description thereof is omitted.
- the processing unit 112 may further determine whether the process #A is the target process, and if the determination is yes, monitor the process #A. Thereby, the processing overhead brought by the monitoring process itself can be reduced.
- the processing unit 112 may determine the parent process of process #A and decide whether process #A is a target process, that is, whether process #A needs to be monitored, based on whether the parent process of process #A is a target process.
- if the parent process of process #A is a target process, the processing unit 112 may determine that process #A is a target process that needs to be monitored.
- if the parent process of process #A is not a target process, the processing unit 112 may determine that process #A is not a target process.
- the condition under which the parent process of process #A counts as a target process may be preset by the user or the administrator.
- the condition under which the parent process of process #A counts as a target process may be set by the monitoring program in the computing device 100 after a server makes the determination and delivers it to the computing device 100 running the monitoring program.
- the condition under which the parent process of process #A counts as a target process may be determined by the computing device 100 based on the source of the parent process of process #A.
- the processing unit 112 may also determine whether the program that generates process #A is a sample program, and if so, monitor process #A.
- the condition under which a program counts as a sample program may be preset by the user or the administrator.
- the condition under which a program counts as a sample program may be set by the monitoring program in the computing device 100 after a server makes the determination and delivers it to the computing device 100 running the monitoring program.
- the processing unit 112 performs a switching process on the target mapping relationship based on the page abnormality information #1.
- the switching processing in S250 is referred to as switching processing #1, and the switching processing #1 is used to switch the target mapping relationship from the mapping relationship #1 to the mapping relationship #2.
- in a time period of some duration after time #2, for example the period between time #2 and time #3 (recorded as time period #b), the mapping relationship that the memory control unit 114 uses when controlling access to the memory 120 is the mapping relationship #2.
- time #3 is the time at which the processing unit 112 performs the switching process #2 on the target mapping relationship.
- the processing unit 112 resends the access request #1 to the memory control unit 114.
- the memory control unit 114 can receive the re-transmitted access request #1 at some time in the period #b, and determine the current target mapping relationship (mapping relationship #2).
- the memory control unit 114 searches for the physical address corresponding to the virtual address #B (ie, the physical address #B) in the current target mapping relationship (mapping relationship #2). Since the access rule of the memory space #B indicated by the current target mapping relationship (mapping relationship #2) is to allow access, the memory control unit 114 grants the processing unit 112 the access requested by the access request #1, for example reading and executing the external code stored in the memory space #B.
- the external code stored in the memory space #B may return data to the process #A.
- that is, the external code stored in the memory space #B indicates that access to the memory space #A is required.
- mapping relationship #1 and the mapping relationship #2 may also be used to indicate a mapping relationship between the physical address #A and the virtual address #A.
- the mapping relationship #1 and the mapping relationship #2 are also used to indicate an access rule of the physical address #A. Further, the access rule of the physical address #A indicated by the mapping relationship #1 and the mapping relationship #2 is different.
- the current target mapping relationship when the external code returns is the mapping relationship #2.
- the access rule of the physical address #A indicated by the mapping relationship #2 may be set to prohibit access.
- the prohibited access may mean that the memory space #A indicated by the physical address #A is prohibited from being read, or that the memory space #A indicated by the physical address #A is prohibited from being written, or that the code stored in the memory space #A indicated by the physical address #A is prohibited from being executed.
- the access rule of the physical address #A indicated by the mapping relationship #1 is set to allow access.
- the allowed access may mean that the memory space #A indicated by the physical address #A is allowed to be read, or that the memory space #A indicated by the physical address #A is allowed to be written, or that the code stored in the memory space #A indicated by the physical address #A is allowed to be executed.
- the access rule of the memory space (memory space #A) for storing the program code of the target process recorded in the mapping relationship #2 is set to prohibit access. Also, although not shown in FIG. 7, the access rule of the memory space (memory space #A) for storing the program code of the target process recorded in the mapping relationship #1 is set to allow access.
- the processing unit 112 executes the code (for example, the external function code) stored in the memory space #B to access the memory space #A.
- the code stored in memory space #B indicates that the code execution result needs to be returned to process #A.
- the processing unit 112 determines the virtual address of the memory space #A corresponding to the process #A (ie, the virtual address #A) and sends an access request #2, which carries the virtual address #A, to the memory control unit 114.
- the virtual address #A can be a GPA.
- the memory control unit 114 receives the access request #2, and the memory control unit 114 searches for the physical address corresponding to the virtual address #A (ie, physical address #A) in the current target mapping relationship (mapping relationship #2).
- the physical address #A can be an HPA.
- the memory control unit 114 can determine that the access rule of the memory space (ie, memory space #A) corresponding to the physical address #A is forbidden based on the current target mapping relationship (mapping relationship #2).
- the memory control unit 114 triggers a page exception because the access rule of the memory space #A indicated by the current target mapping relationship (mapping relationship #2) is prohibited access. That is, the memory control unit 114 transmits page exception information to the processing unit 112. To ease understanding and distinction, the page exception information transmitted in S590 is recorded as page abnormality information #2.
- based on the page abnormality information #2, the processing unit 112 determines that the external code needs to return to the monitored process; in other words, the processing unit 112 determines that the external code call made by the currently running process (ie, the process #A) has returned. As an example, the processing unit 112 may determine the currently running process from the CPU context.
- the processing unit 112 can monitor the process #A.
- for the content of the monitoring, refer to the description of S540 above.
- the processing unit 112 may further determine whether the process #A is the target process, and if the determination is yes, monitor the process #A. Thereby, the processing overhead brought by the monitoring process itself can be reduced.
- the processing unit 112 performs a switching process on the target mapping relationship based on the page abnormality information #2.
- the switching process in S594 is referred to herein as the switching process #2.
- the handover process #2 is used to switch the target mapping relationship from the mapping relationship #2 to the mapping relationship #1.
- mapping relationship #1 The time period between the time period of a certain period of time after the time #3, for example, the time from the time #3 to the next time the target mapping relationship is switched (recorded as the period #c), the memory control unit 114 controls the memory 120
- the mapping used when accessing is mapping relationship #1.
- the processing unit 112 resends the access request #2 to the memory control unit 114.
- the memory control unit 114 can receive the retransmitted access request #2 within the period #c and determine the current target mapping relationship (mapping relationship #1).
- the memory control unit 114 searches for the physical address corresponding to the virtual address #A (i.e., physical address #A) in the current target mapping relationship (mapping relationship #1). Since the memory space #A access rule indicated by the current target mapping relationship (mapping relationship #1) is to allow access, the memory control unit 114 performs the access to the memory space #A based on the access request #2, for example, writing the processing result returned by the external code into the memory space #A, or in other words, returning it to the process #A.
- if the process #A is a non-target process, the access rule recorded for the physical address #A in the mapping relationship #2 is to allow access, so the memory control unit 114 can directly allow memory access based on the access request #2 according to the current target mapping relationship (mapping relationship #2) without performing the above-described switching processing #2.
- FIG. 8 shows an action performed by the processing unit 112 of the embodiment of the present application in the method of monitoring the process of the embodiment of the present application.
- the processing unit 112 can create an initial mapping relationship #1 and a mapping relationship #2.
- in the mapping relationship #1, the access rule for the memory space storing the external code is to prohibit access; relatively, in the mapping relationship #2, the access rule for the memory space storing the external code is to allow access.
- the processing unit 112 may also determine access rules for the memory space storing the internal code of the process.
- in the mapping relationship #2, the access rule for the memory space storing the internal code of the target process is to prohibit access; in contrast, in the mapping relationship #1, the access rule for the memory space storing the internal code of the target process is to allow access.
- the monitoring is implemented by triggering an abnormality, so in order to avoid frequently triggering an abnormality and affecting the processing performance of the host, the access rule for the memory space storing the internal code of a non-target process may be set to allow access in both the mapping relationship #1 and the mapping relationship #2.
- the exception is therefore not triggered when the memory space storing the internal code of a non-target process is accessed.
- the processing unit 112 may determine whether the created process is a target process according to whether the parent process of the process is a target process when creating a process.
- the processing unit determines whether a new process (for example, a new child process) is created. If it is determined that a new process is created, the new process creation event is processed. If it is determined that no new process is created, then S830 is performed.
- the processing unit determines whether a running process has ended, and if it is determined that a process has ended, the process end event is processed, and if it is determined that no process has ended, then S840 is executed.
- the processing unit determines whether a page abnormality occurs, and if it is determined that a page abnormality occurs, the page abnormal event may be processed, and if it is determined that the page abnormality does not occur, S850 may be executed.
- the processing unit determines whether the monitoring process is finished. If it is determined that the monitoring is over, the monitoring is exited, and the mapping relationship #1 and the mapping relationship #2 are deleted. If it is determined that the monitoring is not completed, the process returns to S820.
- FIG. 9 shows an action performed by the processing unit 112 of the embodiment of the present application in processing a new process creation event, which is a detailed description of processing a new process creation event in FIG. 8.
- the processing unit 112 determines a parent process of the new process.
- the processing unit 112 determines whether the parent process is a target process, and if the parent process is a target process, executes S930; if the parent process is not the target process, the processing unit 112 exits the processing of the new process creation event.
- the processing unit 112 sets the access rule for the memory space storing the internal code of the new process in the mapping relationship #2 to prohibit access.
- FIG. 10 is a diagram showing an action performed by the processing unit 112 of the embodiment of the present application in processing a page abnormal event, which is a detailed description of processing a page abnormal event in FIG. 8.
- the processing unit 112 receives the page abnormality information sent by the memory control unit 114, and determines a process that is running when the page abnormality information is received. For example, processing unit 112 may determine the running process identification based on information such as the CPU context to determine the process indicated by the identification.
- the processing unit 112 determines whether the target mapping relationship being used when the page abnormality information is received is the mapping relationship #1.
- if the target mapping relationship is not the mapping relationship #1, or in other words, if the target mapping relationship is determined to be the mapping relationship #2, it may be further determined whether the access request that triggers the page abnormality is the first memory access request sent by the process.
- if it is the first memory access request sent by the process, the processing unit 112 may determine the access rule in the mapping relationship #2 for the memory space storing the program code of the process according to whether the parent process of the process is the target process. For example, if the parent process of the process is the target process, the access rule in the mapping relationship #2 for the memory space storing the program code of the process is forbidden; if the parent process of the process is not the target process, the access rule in the mapping relationship #2 for the memory space storing the program code of the process is to allow access.
- if it is not the first memory access request sent by the process, the processing unit 112 may determine whether the physical address carried by the access request that triggered the page exception is the physical address of the memory space storing the program code of the process.
- if the physical address carried by the access request that triggers the page abnormality is the physical address of the memory space storing the program code of the process, monitoring of the process is triggered, and S1050 is executed;
- the processing unit may determine whether the running process is a target process when receiving the page exception information.
- the processing unit 112 can monitor the process.
- the processing unit 112 can record the behavior of the process calling the external code.
- the monitoring can be implemented by the VMM.
- the monitored content includes, but is not limited to, the context information of the obtained process, the function name of the called external code, the parameter value passed when the call occurs, and the return value.
- the content and process of monitoring the process by the processing unit 112 may be similar to the prior art. Here, in order to avoid redundancy, detailed description thereof is omitted.
- the processing unit 112 may switch the target mapping relationship. If the currently used target mapping relationship is the mapping relationship #1, the target mapping relationship is switched to the mapping relationship #2; if the currently used target mapping relationship is the mapping relationship # 2, the target mapping relationship is switched to the mapping relationship #1.
- FIG. 11 shows an action performed by the processing unit 112 in the processing process end event of the embodiment of the present application, which is a detailed description of the processing process end event in FIG. 8.
- the processing unit 112 may determine, in S1110, the process that currently needs to end.
- the processing unit 112 determines whether the process that needs to be ended is the target process.
- the processing unit 112 may move the process out of the target process set, delete the access rule of the physical address corresponding to the process, and exit the processing of the process end event.
- the processing unit may configure a first mapping relationship and a second mapping relationship, where the mapping relationship between the virtual address and the physical address indicated by the first mapping relationship and the second mapping relationship is the same.
- the access rules of the physical address indicated by the first mapping relationship and the second mapping relationship are different.
- the processing unit sets the first mapping relationship, whose access rule is to prohibit access, as the target mapping relationship used by the memory control unit to control access to the memory.
- the memory control unit reports page exception information to the processing unit because the target mapping relationship (i.e., the first mapping relationship) indicates that the access rule of the first physical address is forbidden.
- the processing unit can trigger monitoring of the first process according to the page abnormality information, switch the target mapping relationship from the first mapping relationship to the second mapping relationship, and resend the access request. Since the target mapping relationship after the switching (i.e., the second mapping relationship) indicates that the access rule of the first physical address is access permitted, the memory control unit can allow the access.
- the method can therefore monitor the behavior of a process calling an external function without affecting the process's access to memory and without modifying the code of the process or the external function.
- the disclosed systems, devices, and methods may be implemented in other manners.
- the device embodiments described above are merely illustrative.
- the division of the unit is only a logical function division.
- there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
- the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
- each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
- the functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
- the technical solution of the present application, or the part of it that is essential or contributes to the prior art, may be embodied in the form of a software product stored in a storage medium, including several instructions.
- the instructions are used to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present application.
- the foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like, which can store program code.
Abstract
This application provides a method and apparatus for monitoring a process. The method includes: a processing unit determines a first mapping relationship and a second mapping relationship, where the first mapping relationship indicates that the access rule of a first physical address is access forbidden and the second mapping relationship indicates that the access rule of the first physical address is access allowed; the processing unit determines the target mapping relationship to be the first mapping relationship; the processing unit sends a first access request to a memory control unit; the processing unit receives first exception information sent by the memory control unit, the first exception information being sent by the memory control unit when it determines that the access rule of the first physical address under the target mapping relationship is access forbidden; the processing unit monitors the process according to the first exception information and switches the target mapping relationship; and the processing unit resends the first access request to the memory control unit. Monitoring of the process can thus be implemented easily.
Description
This application claims priority to the Chinese patent application No. 201710897225.5, entitled "Method and apparatus for monitoring a process", filed with the Chinese Patent Office on September 28, 2017, the entire contents of which are incorporated herein by reference.
This application relates to the field of computers and, more specifically, to a method and apparatus for monitoring a process.
With the development of computer technology, computer security has become a focus of attention, and monitoring the behaviour of a process calling external functions is a feasible means of improving computer security.
At present, one known technique monitors the behaviour of a process calling external functions on the following principle: monitoring program code is written into the sample program (the sample program, once run, generates the process to be monitored), and call control point code is then added to the external functions. When an external function is called, execution jumps into the monitoring program code, which monitors and records the behaviour of the monitored process.
However, this technique requires the sample program and the external functions to be modified in advance (that is, code for triggering the monitoring must be added), which increases the cost of monitoring and may affect the normal operation of the process and the external functions.
It is therefore desirable to provide a technique that can monitor the behaviour of a process calling external functions without modifying the code of the sample program or of the external functions.
Summary of the invention
This application provides a method and apparatus for monitoring a process, which can monitor a process without modifying the code of the sample program or of the external functions.
In a first aspect, a method for monitoring a process is provided. The method is performed by a computing device that includes a processing unit, a memory and a memory control unit, and includes: the processing unit determines a first mapping relationship and a second mapping relationship, where both the first mapping relationship and the second mapping relationship indicate the mapping between a first virtual address and a first physical address and the access rule of the first physical address, the first mapping relationship indicates that the access rule of the first physical address is access forbidden, and the second mapping relationship indicates that the access rule of the first physical address is access allowed, the first physical address being the physical address of a first memory space in the memory, the first memory space being the memory space in the memory other than a second memory space, and the second memory space being the memory space used to store the program code that generates the first process; when the first process starts running, the processing unit determines the target mapping relationship to be the first mapping relationship, where the target mapping relationship is the mapping relationship used by the memory control unit when controlling access to the memory; when the first process needs to access the first memory space, the processing unit sends a first access request carrying the first virtual address to the memory control unit; the processing unit receives first exception information sent by the memory control unit, the first exception information being sent by the memory control unit when it determines that the access rule of the first physical address under the target mapping relationship is access forbidden; the processing unit performs first monitoring processing on the first process according to the first exception information and performs first switching processing on the target mapping relationship, the first switching processing switching the target mapping relationship from the first mapping relationship to the second mapping relationship; and the processing unit resends the first access request to the memory control unit.
According to the method for monitoring a process in the embodiments of this application, the processing unit may configure a first mapping relationship and a second mapping relationship that indicate the same mapping between virtual addresses and physical addresses but different access rules for the physical addresses. When a process starts running, the processing unit sets the first mapping relationship, whose access rule is access forbidden, as the target mapping relationship used by the memory control unit to control access to the memory. When the code of the first process then indicates that the memory space corresponding to the first physical address needs to be accessed, the memory control unit reports page exception information to the processing unit because the target mapping relationship (that is, the first mapping relationship) indicates that the access rule of the first physical address is access forbidden. The processing unit can then, according to the page exception information, trigger monitoring of the first process, switch the target mapping relationship from the first mapping relationship to the second mapping relationship, and resend the access request. Because the target mapping relationship after switching (that is, the second mapping relationship) indicates that the access rule of the first physical address is access allowed, the memory control unit can allow the access. By configuring the first and second mapping relationships and switching the target mapping relationship on page exceptions, the process can be monitored at the appropriate moment, and since no additional monitoring code needs to be added to the sample program or the external functions, the efficiency of monitoring the process is improved without affecting the process's access to memory.
Optionally, the first virtual address is a guest physical address (GPA) and the first physical address is a host physical address (HPA).
Optionally, the first mapping relationship and the second mapping relationship are extended page tables (EPTs).
This makes the method for monitoring a process in the embodiments of this application compatible with the prior art and further improves the practicality of implementing this application.
Optionally, the first mapping relationship and the second mapping relationship further indicate the mapping between a second virtual address and a second physical address and the access rule of the second physical address, the first mapping relationship indicates that the access rule of the second physical address is access allowed, and the second mapping relationship indicates that the access rule of the second physical address is access forbidden, where the second physical address is the physical address of the second memory space; and after the first switching processing is performed on the target mapping relationship, the method further includes: when the code stored in the first memory space indicates that the second memory space needs to be accessed, the processing unit sends a second access request carrying the second virtual address to the memory control unit; the processing unit receives second exception information sent by the memory control unit, the second exception information being sent by the memory control unit when it determines that the access rule of the second physical address under the target mapping relationship is access forbidden; the processing unit performs second monitoring processing on the first process according to the second exception information and performs second switching processing on the target mapping relationship, the second switching processing switching the target mapping relationship from the second mapping relationship to the first mapping relationship; and the processing unit resends the second access request to the memory control unit.
According to the method for monitoring a process in the embodiments of this application, while the process is calling an external function the processing unit sets the second mapping relationship, whose access rule is access forbidden, as the target mapping relationship used by the memory control unit to control access to the memory. When the external function needs to return to the process, the memory control unit reports page exception information to the processing unit because the target mapping relationship (that is, the second mapping relationship) indicates that the access rule of the second physical address is access forbidden. The processing unit can then, according to the page exception information, trigger monitoring of the process, switch the target mapping relationship from the second mapping relationship to the first mapping relationship, and resend the access request. Because the target mapping relationship after switching (that is, the first mapping relationship) indicates that the access rule of the second physical address is access allowed, the memory control unit can allow the access. The return of the call can thus be monitored without affecting the process's access to memory, adding a monitoring point on top of monitoring the process's calls to external functions.
Optionally, the second virtual address is a guest physical address (GPA) and the second physical address is a host physical address (HPA).
Optionally, the processing unit determining the first mapping relationship and the second mapping relationship includes: when the first process is created, the processing unit determines a second process, the second process being the parent process of the first process; and, where the second process needs to be monitored, the processing unit determines the access rules of the second physical address in the first mapping relationship and the second mapping relationship.
According to the method for monitoring a process in the embodiments of this application, determining the access rules of the child process recorded in the first and second mapping relationships based on whether the parent process needs to be monitored makes the access rules easy to determine and further improves the practicality of implementing this application.
Optionally, the method further includes: when the first process ends, the processing unit deletes the first mapping relationship and the second mapping relationship. This saves storage space.
Optionally, the first memory space is used to store the code of external functions, the external functions including functions other than process functions, a process function being a function contained in the program code that generates the first process.
Optionally, the code of the external functions includes at least one of process-shared code and system kernel code.
Moreover, by storing the code of the external functions in the memory space corresponding to the first physical address, the method and apparatus for monitoring a process in the embodiments of this application can monitor the behaviour of the process calling the external functions without modifying the code of the process or of the external functions.
In a second aspect, a method for monitoring a process is provided. The method is performed by a computing device that includes a processing unit, a memory and a memory control unit, and includes: the memory control unit receives a first access request sent by the processing unit, the first access request carrying a first virtual address and being sent by the processing unit when a first process needs to access a first memory space in the memory, where the first memory space is the memory space in the memory other than a second memory space, and the second memory space is the memory space used to store the program code that generates the first process; when the memory control unit determines that the access rule of a first physical address under the currently used target mapping relationship is access forbidden, it sends first exception information to the processing unit so that the processing unit performs first monitoring processing on the first process according to the first exception information, where the target mapping relationship was determined by the processing unit to be a first mapping relationship when the first process started running, the first mapping relationship indicates the mapping between the first virtual address and the first physical address and the access rule of the first physical address, the first mapping relationship indicates that the access rule of the first physical address is access forbidden, and the first physical address is the physical address of the first memory space; the memory control unit receives the first access request resent by the processing unit according to the first exception information; and the memory control unit controls access to the first memory space according to the target mapping relationship and the first access request resent by the processing unit, where before the memory control unit receives the resent first access request, the target mapping relationship is switched by the processing unit to a second mapping relationship, the second mapping relationship indicating the mapping between the first virtual address and the first physical address and the access rule of the first physical address, and indicating that the access rule of the first physical address is access allowed.
According to the method for monitoring a process in the embodiments of this application, by configuring the first and second mapping relationships and switching the target mapping relationship on page exceptions, the process can be monitored at the appropriate moment, and since no additional monitoring code needs to be added to the sample program or the external functions, the efficiency of monitoring the process is improved without affecting the process's access to memory.
Optionally, the first virtual address is a guest physical address (GPA) and the first physical address is a host physical address (HPA).
Optionally, the first mapping relationship and the second mapping relationship are extended page tables (EPTs).
This makes the method for monitoring a process in the embodiments of this application compatible with the prior art and further improves the practicality of implementing this application.
Optionally, the first mapping relationship and the second mapping relationship further indicate the mapping between a second virtual address and a second physical address and the access rule of the second physical address, the first mapping relationship indicates that the access rule of the second physical address is access allowed, and the second mapping relationship indicates that the access rule of the second physical address is access forbidden, where the second physical address is the physical address of the second memory space; and after the memory control unit controls access to the first memory space according to the target mapping relationship and the resent first access request, the method further includes: the memory control unit receives a second access request carrying the second virtual address sent by the processing unit; when the memory control unit determines that the access rule of the second physical address under the currently used target mapping relationship is access forbidden, it sends second exception information to the processing unit; the memory control unit receives the second access request resent by the processing unit according to the second exception information; and the memory control unit controls access to the second memory space according to the target mapping relationship and the second access request, where before the memory control unit receives the resent second access request, the target mapping relationship is switched by the processing unit to the first mapping relationship.
According to the method for monitoring a process in the embodiments of this application, while the process is calling an external function the processing unit sets the second mapping relationship, whose access rule is access forbidden, as the target mapping relationship used by the memory control unit to control access to the memory. When the external function needs to return to the process, the memory control unit reports page exception information to the processing unit because the target mapping relationship (that is, the second mapping relationship) indicates that the access rule of the second physical address is access forbidden. The processing unit can then, according to the page exception information, trigger monitoring of the process, switch the target mapping relationship from the second mapping relationship to the first mapping relationship, and resend the access request. Because the target mapping relationship after switching (that is, the first mapping relationship) indicates that the access rule of the second physical address is access allowed, the memory control unit can allow the access. The return of the call can thus be monitored without affecting the process's access to memory, adding a monitoring point on top of monitoring the process's calls to external functions.
Optionally, the second virtual address is a guest physical address (GPA) and the second physical address is a host physical address (HPA).
Optionally, the access rules of the second physical address in the first mapping relationship and the second mapping relationship are determined where a second process needs to be monitored, the second process being the parent process of the first process.
According to the method for monitoring a process in the embodiments of this application, determining the access rules of the child process recorded in the first and second mapping relationships based on whether the parent process needs to be monitored makes the access rules easy to determine and further improves the practicality of implementing this application.
Optionally, the first memory space is used to store the code of external functions, the external functions including functions other than process functions, a process function being a function contained in the program code that generates the first process.
Optionally, the code of the external functions includes at least one of process-shared code and system kernel code.
Moreover, by storing the code of the external functions in the memory space corresponding to the first physical address, the method and apparatus for monitoring a process in the embodiments of this application can monitor the behaviour of the process calling the external functions without modifying the code of the process or of the external functions.
In a third aspect, a chip is provided that includes at least one processing unit and at least one memory control unit, where the processing unit performs the method of the first aspect or any of its possible implementations, and the memory control unit performs the method of the second aspect or any of its possible implementations.
In a fourth aspect, a computer system is provided that includes a processor and a memory, where the processor includes at least one processing unit and a memory control unit, the processing unit performs the method of the first aspect or any of its possible implementations, and the memory control unit performs the method of the second aspect or any of its possible implementations.
Optionally, the computer system further includes a system bus used to connect the processor (specifically, the memory control unit) and the memory.
In a fifth aspect, a computer program product is provided. The computer program product includes a computer program (which may also be called code or instructions) that, when run by a processor or by a processing unit in a chip, causes the processing unit to perform the method of the first aspect or any of its possible implementations.
In a sixth aspect, a computer program product is provided. The computer program product includes a computer program (which may also be called code or instructions) that, when run by a processor or by a memory control unit in a chip, causes the memory control unit to perform the method of the second aspect or any of its possible implementations.
In a seventh aspect, a computer-readable medium is provided that stores a computer program (which may also be called code or instructions) that, when run on a processor or on a processing unit in a chip, causes the processing unit to perform the method of the first aspect or any of its possible implementations.
In an eighth aspect, a computer-readable medium is provided that stores a computer program (which may also be called code or instructions) that, when run on a processor or on a memory control unit in a chip, causes the memory control unit to perform the method of the second aspect or any of its possible implementations.
FIG. 1 is a schematic hardware structure diagram of a computer device (or computer system) to which the method and apparatus for monitoring a process of the embodiments of this application apply.
FIG. 2 is a schematic diagram of the virtualization logical architecture of a computer device to which the embodiments of this application apply.
FIG. 3 is a schematic diagram of the memory addressing process based on the logical architecture shown in FIG. 2.
FIG. 4 is a schematic diagram of the classification of the code stored in memory in the embodiments of this application.
FIG. 5 is a schematic interaction diagram of the method for monitoring a process provided by the embodiments of this application.
FIG. 6 is a schematic diagram of an example of the access rules, recorded in one mapping relationship in the embodiments of this application, for the physical addresses of the storage space of external code.
FIG. 7 is a schematic diagram of an example of the access rules, recorded in another mapping relationship in the embodiments of this application, for the physical addresses of the storage space of internal code.
FIG. 8 is a schematic diagram of the steps performed by the processing unit in the process monitoring of the embodiments of this application.
FIG. 9 is a schematic flowchart of the process by which the processing unit creates a process in the embodiments of this application.
FIG. 10 is a schematic flowchart of the process by which the processing unit monitors a process in the embodiments of this application.
FIG. 11 is a schematic flowchart of the process by which the processing unit ends a process in the embodiments of this application.
The technical solutions in this application are described below with reference to the accompanying drawings.
First, the computing device 100 to which the method for monitoring a process of the embodiments of this application applies is described in detail with reference to FIG. 1.
A computing device, which may also be called a computer system, may include a hardware layer, an operating system layer running on the hardware layer, and an application layer running on the operating system layer. The hardware layer includes hardware such as a processing unit, a memory and a memory control unit, whose functions and structure are described in detail later. The operating system may be any one or more computer operating systems that implement service processing through processes, for example Linux, Unix, Android, iOS or Windows. The application layer contains applications such as a browser, an address book, word-processing software and instant-messaging software. In the embodiments of this application the computer system may be a handheld device such as a smartphone or a terminal device such as a personal computer; this application does not particularly limit it, as long as the device can run a program whose code records the method for monitoring a process of the embodiments of this application and thereby monitor a process according to that method. The entity that performs the method for monitoring a process of the embodiments of this application may be the computer system, or a functional module in the computer system that can invoke and execute programs.
In this application, a program is an ordered set of instructions (or code) that implements some relatively independent function. A process is one run of a program and its data on a computer device. Programs usually adopt a modular design, that is, the functionality of the program is broken down into several smaller functional modules. A program contains at least one function, a function being a code segment that implements one functional module. A function is therefore the basic unit of program modularization and may also be regarded as a subroutine.
FIG. 1 is a schematic architecture diagram of a computing device 100 provided by an embodiment of this application. The computing device shown in FIG. 1 is used to perform the method for monitoring a process. The computing device 100 may include at least one processor 110 and a memory 120.
Optionally, the computing device 100 may further include a system bus, to which the processor 110 and the memory 120 are each connected. The processor 110 can access the memory 120 through the system bus; for example, the processor 110 can read and write data or execute code in the memory 120 through the system bus.
The main function of the processor 110 is to interpret the instructions (or code) of computer programs and to process the data in computer software. The instructions of the computer program and the data in the computer software may be stored in the memory 120 or in the cache unit 116.
In the embodiments of this application, the processor 110 may be an integrated circuit chip with signal processing capability. By way of example and not limitation, the processor 110 may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The general-purpose processor may be a microprocessor or the like; for example, the processor 110 may be a central processing unit (CPU).
Each processor 110 includes at least one processing unit 112 and a memory control unit 114.
The processing unit 112 may also be called a core and is the most important component of the processor. The processing unit 112 may be manufactured from monocrystalline silicon by a given production process; all of the processor's computation, command reception, command storage and data processing are performed by the core. Processing units can each run program instructions independently, using parallel computation to speed up program execution. Every kind of processing unit has a fixed logical structure; for example, a processing unit may include logic units such as a level-1 cache, a level-2 cache, an execution unit, an instruction-level unit and a bus interface.
The memory control unit 114 is used to control the data exchange between the memory 120 and the processing unit 112. Specifically, the memory control unit 114 can receive a memory access request from the processing unit 112 and control access to the memory based on that request. By way of example and not limitation, in the embodiments of this application the memory control unit may be a device such as a memory management unit (MMU).
In the embodiments of this application, each memory control unit 114 can address the memory 120 through the system bus. An arbiter (not shown) may be configured in the system bus to handle and coordinate competing accesses by multiple processing units 112.
In the embodiments of this application, the processing unit 112 and the memory control unit 114 may be communicatively connected through connection lines inside the chip, such as address lines, to implement communication between the processing unit 112 and the memory control unit 114.
Optionally, each processor 110 may further include a cache unit 116, where the cache is a buffer for data exchange (called a Cache). When the processing unit 112 wants to read data, it first looks for the required data in the cache; if the data is found it is used directly, otherwise it is fetched from memory. Because the cache is much faster than memory, its role is to help the processing unit 112 run faster.
The memory 120 can provide running space for the processes in the computing device 100; for example, the memory 120 can store the computer programs (specifically, the program code) used to generate processes, and the data produced while a process is running, such as intermediate data or process data. Memory may also be called main memory; its role is to temporarily hold the operational data of the processor 110 and the data exchanged with external storage such as a hard disk. As long as the computer is running, the processor 110 loads the data to be operated on into memory for computation, and when the computation is complete the processing unit 112 transfers the result out.
By way of example and not limitation, in the embodiments of this application the memory 120 may be volatile memory, non-volatile memory, or both. The non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM) or flash memory. The volatile memory may be random access memory (RAM), used as an external cache. By way of illustrative and not restrictive description, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct Rambus RAM (DR RAM). It should be noted that the memory 120 of the systems and methods described herein is intended to include, without being limited to, these and any other suitable types of memory.
It should be understood that the structure of the computing device 100 listed above is only an illustrative description and this application is not limited to it; the computing device 100 of the embodiments of this application may include the various hardware of prior-art computer systems, for example, the computing device 100 may further include storage other than the memory 120, such as disk storage.
In the embodiments of this application, virtualization technology may be applied on the computing device 100. Through virtualization, multiple virtual machines can run simultaneously on the computer device 100, at least one operating system can run on each virtual machine, and each operating system runs multiple programs.
A virtual machine is a complete computer system, simulated by software, that has the functions of a complete hardware system and runs in a fully isolated environment. The physically existing computer on which the virtual machine runs may be called the host. The physical address of the host's memory may be called the host physical address (HPA).
The operating system running in a virtual machine may be called the guest. During the running of a process on a guest, a guest virtual address (GVA) may be allocated to that process.
As shown in FIG. 2, in the embodiments of this application the concept of a guest physical address (GPA) is introduced so that a guest can use an isolated, zero-based and contiguous memory space. This address space is not the real physical address space. To the guest, the guest physical address space is a contiguous address space starting from zero, but to the host the guest physical address space is not necessarily contiguous and may be mapped onto several non-contiguous host physical address ranges. Therefore, for a process in a guest to access the host's memory, a mapping, or address translation, from GVA to GPA and then to HPA must be implemented.
Optionally, FIG. 3 shows one implementation of the above address translation. In the embodiments of this application, guest page tables (GPT) and an extended page table (EPT) are configured. A page table is a way of managing an address space; refer to the relevant documentation, it is not detailed here. The GPT may be maintained by the guest, and the EPT by virtualization software on the host, for example a virtual machine monitor (VMM), also called a hypervisor, running on the host. The target process generated by the sample program runs in a virtual machine. The monitoring program runs outside that virtual machine (for example, in another virtual machine) and is responsible for monitoring and recording the behaviour of the sample program (or target process) during execution.
For example, when a process in a virtual machine (denoted process #X) needs to access a host physical address space in the host's memory (denoted host physical space #X), and the virtual address allocated to process #X by the virtual machine (corresponding to host physical space #X) is GVA#X, the guest can determine the GPA corresponding to GVA#X (denoted GPA#X) based on the GPT. The host's memory control unit, the MMU, can then determine the HPA corresponding to GPA#X (denoted HPA#X) based on the EPT and complete the access to the memory space corresponding to HPA#X. The VMM in the host can record the target process's memory access behaviour.
In the embodiments of this application, the EPT records not only the mapping between GPA and HPA but also the access rules (or access permissions) of the HPA (specifically, of the memory space corresponding to the HPA).
By way of example and not limitation, in the embodiments of this application the access permissions may be of three kinds: read, write and execute. Correspondingly, three fields may be set in the EPT for the memory space indicated by an HPA, each indicating the specific state of one of the three permissions.
For example, field #0 may carry a bit indicating the read permission (denoted Bit#0), which marks whether the memory space corresponding to the HPA (or GPA) (specifically, the data in that memory space) may be read by the guest. Bit#0 may consist of one bit or of several bits; this application does not particularly limit it, as long as the processing unit 112 and the memory control unit 114 agree on the interpretation of the different values of Bit#0. For example, a Bit#0 of "0" may indicate that the memory space may not be read by the guest, and a Bit#0 of "1" may indicate that the memory space may be read by the guest.
As another example, field #1 may carry a bit indicating the write permission (denoted Bit#1), which marks whether the memory space corresponding to the HPA (or GPA) may be written by the guest. Bit#1 may consist of one bit or of several bits; this application does not particularly limit it, as long as the processing unit 112 and the memory control unit 114 agree on the interpretation of the different values of Bit#1. For example, a Bit#1 of "0" may indicate that the memory space may not be written by the guest, and a Bit#1 of "1" may indicate that the memory space may be written by the guest.
As another example, field #2 may carry a bit indicating the execute permission (denoted Bit#2), which marks whether the memory space corresponding to the HPA (or GPA) (specifically, the code or instructions stored in that memory space) may be executed by the guest. Bit#2 may consist of one bit or of several bits; this application does not particularly limit it, as long as the processing unit 112 and the memory control unit 114 agree on the interpretation of the different values of Bit#2. For example, a Bit#2 of "0" may indicate that the memory space may not be executed by the guest, and a Bit#2 of "1" may indicate that the memory space may be executed by the guest.
By setting the corresponding access permission flags in the EPT page table, the guest's access to specific physical pages can be controlled. When the guest violates the permission control of the corresponding flag bit during execution, for example by reading the contents of a physical page that has been set non-readable, a page exception (EPT violation) is triggered.
By setting the non-execute (NX) flag of a specific physical page in the EPT page table, that is, setting the Bit#2 flag in the EPT entry corresponding to that physical page, the behaviour of the guest executing the code in that physical page can be monitored. For example, when a process in the guest calls an external function, instruction execution jumps to the code in the physical page where the external function resides; if that physical page has the non-execute flag set, a page exception is triggered immediately. It should be understood that the logical architectures shown in FIG. 2 and FIG. 3 are only an illustrative description of one scenario in which the process monitoring method provided by this application is used, and this application is not limited to it. The process monitoring method provided by the embodiments of this application also applies to other scenarios; for example, only one operating system (or guest) may run on a virtual machine, in which case there is no need to introduce GPAs, and it suffices to keep the GVA-to-HPA mapping (that is, a traditional page table) for a process running in the guest to access the host's memory.
This application focuses on setting the execute permission, that is, on setting the value of field #2. Where no distinction is made, setting the access rule of a memory space specifically means setting its execute permission: setting the access rule of a memory space to access forbidden means execution forbidden, and setting the access rule of a memory space to access allowed means execution allowed.
The computer device 100 shown in FIG. 1 of the embodiments of this application may be the host on which a sandbox system resides. A virtual machine running on the computer device 100 provides the environment in which the sample program runs, and the access behaviour of the target process generated by the sample program is monitored through the VMM or through a monitoring program running on a secure virtual machine.
Sandbox technology arose in a particular historical context. With the continuing development of advanced persistent threat (APT) attacks, advanced malicious code changes daily, and traditional static malware detection based on signature matching has become increasingly unable to cope. Detection based on the dynamic behavioural characteristics of a program at runtime has gradually been recognized and adopted by security vendors, and the sandbox has proved in practice to be an effective malware detection system based on dynamic behaviour monitoring: it builds an isolated but real execution environment, monitors and records all behaviour of the sample program (specifically, of the processes generated by the sample program) during execution, and submits it to a back-end analysis engine, which analyses it to judge whether the code of the sample program is malicious.
Because sandbox systems are widely used, advanced malicious code has correspondingly added techniques for countering sandbox monitoring. For example, malicious code may examine its execution environment when it first runs to determine whether it is running in a sandbox system, and if so exit immediately to evade the sandbox system's behaviour monitoring; alternatively, malicious code may disable sandbox monitoring by damaging the sandbox system's behaviour-monitoring mechanism. An efficient sandbox system must therefore have strong anti-detection and anti-tampering capabilities. Finally, with the sharp increase in the number of sample programs, a sandbox system must also offer high-performance monitoring to cope with the analysis of users' massive numbers of sample programs; the overhead of behaviour monitoring must be very small so that large-scale concurrent monitoring can be supported.
After the sample program is run by the processing unit, it generates the monitored process. During execution the monitored process produces a series of behaviours which differ in semantic complexity: there are simple behaviours such as executing a particular instruction, and there are also external code calls and the like.
As shown in FIG. 4, in the embodiments of this application the code stored in memory can be divided into two kinds, internal code and external code.
Internal code and external code are defined relative to a process generated by a program. For a given process, internal code is the code of the program that generates the process itself; it belongs to that process and is not shared with other processes, for example the sections with the executable attribute (usually the TEXT section) in the PE file of a Windows process. Let T1 denote the code section of process 1 itself; the set of internal code of all running processes in the system is Tall={T1,T2,…,Tn}, where n is the number of processes running in the system. Processes are divided into target processes and non-target processes: a target process is a process whose behaviour the sandbox system needs to monitor, including the processes generated by the sample program and the child processes further generated by those processes. Non-target processes are the other normal processes running in the system, which are not monitored by the sandbox system. Define s-Tall={s-T1,s-T2,…,s-Ti} as the set of the own code of all target processes (or sample programs), and ns-Tall={ns-T1,ns-T2,…,ns-Tj} as the set of the own code of all non-target processes (or non-sample programs); thus Tall={s-Tall,ns-Tall}.
External code is code shared globally by all processes.
For example, external code may further include the code of external functions. An external function may be a function other than a process function, a process function being a function contained in the program code that generates the process.
For example, the code of external functions may include the code of user-mode shared libraries (which may also be called process-shared code), such as kernel32.dll and user32.dll on Windows and the C runtime library libc.so on Linux.
As another example, external code may further include all kernel-mode code, such as operating system kernel code and device driver code. By way of example and not limitation, in the embodiments of this application only one copy of the external code may exist in the memory 120, and each process maps this shared physical memory into its own virtual address space through virtual memory mapping, thereby sharing it.
Let Sdll denote the code of a user-mode shared library, Skernel the operating system kernel code, and Sdriver1 the code of device driver 1; then the set of external code is Sall={Skernel,Sdll1,Sdriver1,Sdll2,Sdriver2,…,Sdlln,Sdrivern}.
In the embodiments of this application, a target process continually calls external code during execution to obtain the services provided by the system. Calling external code reflects the target process requesting a service from the system; for example, on Windows, when a target process needs to read the contents of a file it can do so by calling the ReadFile function in the shared library kernel32.dll. Monitoring and recording the target process's calls to external code can effectively help the sandbox back-end engine detect suspicious malicious target processes, or rather the sample programs that generate suspicious malicious target processes (referred to in this application simply as suspicious malicious programs).
The method for monitoring a process provided by the embodiments of this application can effectively detect the target process's calls to external code.
The steps performed by the processing unit in the method for monitoring a process of the embodiments of this application may be embodied directly as being performed by a hardware decoding processing unit, or by a combination of hardware and software modules in the decoding processing unit. The software modules may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, or registers. The storage medium resides in the memory; the processing unit reads the information in the memory and, together with its hardware, completes the steps performed by the processing unit in the method for monitoring a process of the embodiments of this application. The method 200 for monitoring a process of the embodiments of this application is described in detail below with reference to FIG. 5 to FIG. 11.
The method 200 is described in detail taking as an example the process by which one process (denoted process #A) calls one piece of external code (denoted external code #B).
In the embodiments of this application, processes may include target processes that need to be monitored (for example, processes generated by the sample program) and non-target processes that do not need to be monitored (for example, processes generated by non-sample programs); process #A may be a target process or a non-target process, and this application does not particularly limit it.
By way of example and not limitation, external code #B may include the code of one or more external functions. For example, external code #B may include one or more pieces of inter-process shared code. As another example, external code #B may include one or more pieces of system kernel code.
For ease of understanding, in the following the memory space in the memory 120 used to store external code #B is denoted memory space #B, the physical address of memory space #B is denoted physical address #B, and the virtual address of memory space #B is denoted virtual address #B. That is, in the embodiments of this application, physical address #B may be the physical address of the memory space in which one or more pieces of code in Sall are stored. Further, the memory space in the memory 120 used to store the code of process #A (or the code of the program used to generate process #A) is denoted memory space #A, the physical address of memory space #A is denoted physical address #A, and the virtual address of memory space #A is denoted virtual address #A.
As shown in FIG. 5, in S510, the processing unit 112 may determine mapping relationship #1 and mapping relationship #2.
Mapping relationship #1 and mapping relationship #2 are used to indicate the mapping between physical address #B and virtual address #B.
For example, in the embodiments of this application, mapping relationship #1 and mapping relationship #2 may each be an EPT.
In this case, physical address #B may be the HPA of the host shown in FIG. 3, and virtual address #B may be the GPA of the guest on which process #A runs. By way of example and not limitation, in this case virtual address #B may be determined based on the GPT in FIG. 3.
It should be understood that the form of the "mapping between physical address #B and virtual address #B" listed above is only an illustrative description and this application is not limited to it; for example, the mapping may also be the mapping from a virtual address (for example, a GVA) to a physical address (for example, an HPA) used in the memory management of a traditional host system (that is, a traditional page table). The method for monitoring a process of the embodiments of this application is described in detail below taking an EPT as the above mapping relationship. The method and process for determining the above mapping relationship may be similar to the prior art and, to avoid redundancy, are not described in detail.
In the embodiments of this application, mapping relationship #1 and mapping relationship #2 are further used to indicate the access rule of physical address #B, and the access rules of physical address #B indicated by mapping relationship #1 and mapping relationship #2 differ.
Optionally, let the access rule of physical address #B indicated by mapping relationship #1 be access forbidden, where access forbidden may include that memory space #B indicated by physical address #B may not be read, that memory space #B indicated by physical address #B may not be written, or that the code stored in memory space #B indicated by physical address #B may not be executed.
Optionally, as shown in FIG. 6, in the embodiments of this application the access rules recorded in mapping relationship #1 for the memory space used to store external code (memory space #B) are all set to access forbidden. Further, in the embodiments of this application, although not shown in FIG. 6, the access rules recorded in mapping relationship #2 for the memory space used to store external code (memory space #B) are all set to access allowed.
In the embodiments of this application, a storage device of the computing device 100 (for example, part of the memory 120) may include a storage space for storing the target mapping relationship, the target mapping relationship being the mapping relationship used by the memory control unit 114 when controlling access to the memory 120, that is, one of mapping relationship #1 and mapping relationship #2.
In the embodiments of this application, when the processing unit 112 detects that process #A starts running (denoted time #1), the processing unit 112 may set the target mapping relationship to mapping relationship #1.
In the time period between time #1 and time #2 (denoted period #a), the mapping relationship used by the memory control unit 114 when controlling access to the memory 120 is mapping relationship #1. Time #2 is the time at which the processing unit 112 performs switching processing #1 on the target mapping relationship, described later.
In S520, at some time in period #a (that is, at some time after time #1), the processing unit 112 needs to access memory space #B while executing the code of process #A; for example, the code of process #A indicates that the external code stored in memory space #B needs to be called (or executed). The processing unit 112 determines the virtual address of memory space #B (that is, virtual address #B); for example, virtual address #B may be a GPA. The processing unit 112 sends access request #1, carrying virtual address #B, to the memory control unit 114.
Correspondingly, the memory control unit 114 receives access request #1 and looks up the physical address corresponding to virtual address #B (that is, physical address #B) in the current target mapping relationship (mapping relationship #1). For example, as described above, physical address #B may be an HPA. Further, the memory control unit 114 can determine, based on the current target mapping relationship (mapping relationship #1), that the access rule of the memory space corresponding to physical address #B (that is, memory space #B) is access forbidden.
In S530, because the access rule of memory space #B indicated by the current target mapping relationship (mapping relationship #1) is access forbidden, the memory control unit 114 triggers a page exception; that is, the memory control unit 114 sends page exception information to the processing unit 112. For ease of understanding and distinction, the page exception information sent in S530 is denoted page exception information #1.
In S540, the processing unit 112 determines from page exception information #1 that the memory space storing external code has been accessed; in other words, the processing unit 112 can determine that the process running at that moment (for example, when the processing unit 112 receives page exception information #1), process #A, has made an external code call that needs to be monitored. By way of example and not limitation, the processing unit 112 may determine the currently running process from the CPU context.
At this point, the processing unit 112 may monitor process #A. The monitoring may specifically be implemented by the VMM. The monitored content includes, but is not limited to, the context information of process #A, the function name of the called external code, the parameter values passed when the call occurs, and the return value. The content and procedure of the processing unit's monitoring of the process may be similar to the prior art and, to avoid redundancy, are not described in detail here.
Optionally, the processing unit 112 may first determine whether process #A is a target process and monitor process #A only if it is. This reduces the processing overhead introduced by the monitoring itself.
By way of example and not limitation, the processing unit 112 may determine the parent process of process #A and determine, based on whether that parent process is a target process, whether process #A is a target process, that is, whether process #A needs to be monitored.
For example, if the parent process of process #A is a target process, the processing unit 112 may determine that process #A is a target process that needs to be monitored.
For example, if the parent process of process #A is not a target process, the processing unit 112 may determine that process #A is not a target process.
By way of example and not limitation, whether the parent process of process #A is a target process may be preset by a user or administrator. Alternatively, it may be determined by a server and delivered to the computing device 100 on which the monitoring program runs, and then set by the monitoring program in the computing device 100. Alternatively, it may be determined by the computing device 100 from the origin of the parent process of process #A. For example, the processing unit 112 may further determine whether the program that generated process #A is a sample program and monitor process #A if it is.
By way of example and not limitation, whether a program is a sample program may be preset by a user or administrator. Alternatively, it may be determined by a server and delivered to the computing device 100 on which the monitoring program runs, and then set by the monitoring program in the computing device 100.
In S550, at time #2, the processing unit 112 performs switching processing on the target mapping relationship based on page exception information #1. To distinguish it from the switching processing in other steps, the switching processing in S550 is denoted switching processing #1; switching processing #1 switches the target mapping relationship from mapping relationship #1 to mapping relationship #2.
In a time period of a certain length after time #2, for example the time period between time #2 and time #3 (denoted period #b), the mapping relationship used by the memory control unit 114 when controlling access to the memory 120 is mapping relationship #2. Time #3 is the time at which the processing unit 112 performs switching processing #2 on the target mapping relationship.
In S560, at some time in period #b (that is, at some time after time #2), the processing unit 112 resends access request #1 to the memory control unit 114.
Correspondingly, the memory control unit 114 can receive the resent access request #1 at some time in period #b and determine the current target mapping relationship (mapping relationship #2).
In S570, the memory control unit 114 looks up the physical address corresponding to virtual address #B (that is, physical address #B) in the current target mapping relationship (mapping relationship #2). Because the access rule of memory space #B indicated by the current target mapping relationship (mapping relationship #2) is access allowed, the memory control unit 114 controls the processing unit 112's access to memory space #B based on access request #1, for example, reading and executing the external code stored in memory space #B.
Process #A's access to memory space #B is thus completed.
While the external code stored in memory space #B is being executed, that external code may return data to process #A. In that case, the external code stored in memory space #B indicates that memory space #A needs to be accessed.
Optionally, mapping relationship #1 and mapping relationship #2 may further be used to indicate the mapping between physical address #A and virtual address #A. In the embodiments of this application, mapping relationship #1 and mapping relationship #2 are further used to indicate the access rule of physical address #A, and the access rules of physical address #A indicated by mapping relationship #1 and mapping relationship #2 differ.
In the embodiments of this application, because the return from the external code occurs after the process has called the external code (that is, at some time in period #b above), the current target mapping relationship when the external code returns is mapping relationship #2.
To monitor the return from the external code, the access rule of physical address #A indicated by mapping relationship #2 may be set to access forbidden. By way of example and not limitation, access forbidden may include that memory space #A indicated by physical address #A may not be read, that memory space #A indicated by physical address #A may not be written, or that the code stored in memory space #A indicated by physical address #A may not be executed.
At the same time, the access rule of physical address #A indicated by mapping relationship #1 is set to access allowed. By way of example and not limitation, access allowed may include that memory space #A indicated by physical address #A may be read, that memory space #A indicated by physical address #A may be written, or that the code stored in memory space #A indicated by physical address #A may be executed.
As shown in FIG. 7, in the embodiments of this application the access rule recorded in mapping relationship #2 for the memory space used to store the program code of the target process (memory space #A) is set to access forbidden. Further, although not shown in FIG. 7, the access rule recorded in mapping relationship #1 for the memory space used to store the program code of the target process (memory space #A) is set to access allowed.
The description below takes the processing when process #A is a target process as an example.
In S580, at some time in period #b after S570, the code stored in memory space #B (for example, external function code) being executed by the processing unit 112 needs to access memory space #A; for example, the code stored in memory space #B indicates that the result of its execution needs to be returned to process #A. The processing unit 112 determines the virtual address of memory space #A corresponding to process #A (that is, virtual address #A) and sends access request #2, carrying virtual address #A, to the memory control unit 114. For example, virtual address #A may be a GPA.
Correspondingly, the memory control unit 114 receives access request #2 and looks up the physical address corresponding to virtual address #A (that is, physical address #A) in the current target mapping relationship (mapping relationship #2). For example, physical address #A may be an HPA. Further, the memory control unit 114 can determine, based on the current target mapping relationship (mapping relationship #2), that the access rule of the memory space corresponding to physical address #A (that is, memory space #A) is access forbidden.
In S590, because the access rule of memory space #A indicated by the current target mapping relationship (mapping relationship #2) is access forbidden, the memory control unit 114 triggers a page exception; that is, the memory control unit 114 sends page exception information to the processing unit 112. For ease of understanding and distinction, the page exception information sent in S590 is denoted page exception information #2.
In S592, the processing unit 112 determines from page exception information #2 that the external code needs to return to the monitored process; in other words, the processing unit 112 determines that the external code call made by the currently running process (that is, process #A) has returned. By way of example and not limitation, the processing unit 112 may determine the currently running process from the CPU context.
At this point, the processing unit 112 may monitor process #A. For the meaning of monitoring, refer to the description in S540 above.
Optionally, the processing unit 112 may first determine whether process #A is a target process and monitor process #A only if it is. This reduces the processing overhead introduced by the monitoring itself.
In S594, at time #3, the processing unit 112 performs switching processing on the target mapping relationship based on page exception information #2. To distinguish it from the switching processing in other steps, the switching processing in S594 is denoted switching processing #2; switching processing #2 switches the target mapping relationship from mapping relationship #2 to mapping relationship #1.
In a time period of a certain length after time #3, for example the time period between time #3 and the next time the target mapping relationship is switched (denoted period #c), the mapping relationship used by the memory control unit 114 when controlling access to the memory 120 is mapping relationship #1.
In S596, at some time in period #c, the processing unit 112 resends access request #2 to the memory control unit 114.
Correspondingly, the memory control unit 114 can receive the resent access request #2 in period #c and determine the current target mapping relationship (mapping relationship #1).
In S598, the memory control unit 114 looks up the physical address corresponding to virtual address #A (that is, physical address #A) in the current target mapping relationship (mapping relationship #1). Because the access rule of memory space #A indicated by the current target mapping relationship (mapping relationship #1) is access allowed, the memory control unit 114 performs the access to memory space #A based on access request #2, for example, writing the processing result returned by the external code into memory space #A, that is, returning it to process #A.
The return from the external code call is thus completed.
It should also be noted that if process #A is a non-target process, the access rule recorded in mapping relationship #2 for physical address #A is access allowed. Then, in period #b, the memory control unit 114 can directly allow the memory access based on access request #2 according to the current target mapping relationship (mapping relationship #2), without performing switching processing #2 described above.
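The call-and-return sequence of S510 to S598, including the non-target case just noted, as an added simulation in C that is not code from the patent: the memory control unit translates a GPA through the current target mapping relationship and checks the execute bit (Bit#2), the processing unit's exception handler records a monitoring event only for a target process and switches the target mapping relationship, and the access request is then resent. The four-page layout, the GPA-to-HPA values and the Vmm/Outcome names are constructed for this example.

```c
/* Added example (not the patent's code): a simulation of the two-EPT call and
 * return monitoring of FIG. 5. Names, the page layout and the GPA->HPA values
 * are constructed for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NPAGES 4
#define PERM_R 0x1u   /* Bit#0: read  */
#define PERM_W 0x2u   /* Bit#1: write */
#define PERM_X 0x4u   /* Bit#2: execute; the bit the scheme actually toggles */

/* One EPT ("mapping relationship"): per GPA page, the HPA page and its access rule. */
typedef struct { uint64_t hpa[NPAGES]; unsigned perm[NPAGES]; } Ept;

enum { ACCESS_OK = 0, PAGE_EXCEPTION = 1 };

typedef struct {
    Ept  map1, map2;     /* mapping relationship #1 and mapping relationship #2 */
    Ept *target;         /* target mapping relationship currently used by the MCU */
    bool target_process; /* whether the running process (#A) is a target process */
    int  monitored;      /* monitoring events recorded (S540, S592) */
    int  switches;       /* switching processes performed (S550, S594) */
} Vmm;

/* Memory control unit: translate gpa through the target mapping and apply its rule. */
static int mcu_access(const Vmm *vmm, unsigned gpa, unsigned want, uint64_t *hpa)
{
    if (gpa >= NPAGES) return PAGE_EXCEPTION;
    *hpa = vmm->target->hpa[gpa];
    return (vmm->target->perm[gpa] & want) == want ? ACCESS_OK : PAGE_EXCEPTION;
}

/* Processing unit on a page exception: monitor only a target process (S1030/S1040),
 * then switch the target mapping relationship the other way (S1050). */
static void pu_handle_exception(Vmm *vmm, unsigned gpa, const char *event)
{
    if (vmm->target_process) {
        printf("monitor: %s via GPA page %u\n", event, gpa);
        vmm->monitored++;
    }
    vmm->target = (vmm->target == &vmm->map1) ? &vmm->map2 : &vmm->map1;
    vmm->switches++;
}

/* One access as seen by the processing unit: send, handle the exception, resend. */
static int pu_access(Vmm *vmm, unsigned gpa, unsigned want, const char *event)
{
    uint64_t hpa;
    if (mcu_access(vmm, gpa, want, &hpa) == PAGE_EXCEPTION) {
        pu_handle_exception(vmm, gpa, event);
        if (mcu_access(vmm, gpa, want, &hpa) == PAGE_EXCEPTION)
            return -1;  /* forbidden in both mappings: a genuine fault, not monitoring */
    }
    return 0;
}

typedef struct { int monitored; int switches; bool back_on_map1; } Outcome;

/* Run the FIG. 5 sequence for process #A: call external code #B, then return. */
static Outcome run_scenario(bool a_is_target)
{
    Vmm vmm = {0};
    Outcome out = {-1, -1, false};
    /* constructed layout: GPA page 0 = memory space #A (process code),
     * GPA page 1 = memory space #B (external code); same GPA->HPA in both EPTs */
    for (unsigned p = 0; p < NPAGES; p++) {
        vmm.map1.hpa[p] = vmm.map2.hpa[p] = 0x10000ull * (p + 1);
        vmm.map1.perm[p] = vmm.map2.perm[p] = PERM_R | PERM_W | PERM_X;
    }
    vmm.map1.perm[1] &= ~PERM_X;                  /* FIG. 6: external code NX in #1 */
    if (a_is_target) vmm.map2.perm[0] &= ~PERM_X; /* FIG. 7: target's own code NX in #2 */
    vmm.target_process = a_is_target;
    vmm.target = &vmm.map1;                       /* time #1: process #A starts (S510) */

    if (pu_access(&vmm, 1, PERM_X, "call of external code #B") != 0) return out;    /* S520-S570 */
    if (pu_access(&vmm, 0, PERM_X, "return from external code #B") != 0) return out; /* S580-S598 */
    out.monitored = vmm.monitored;
    out.switches = vmm.switches;
    out.back_on_map1 = (vmm.target == &vmm.map1);
    return out;
}

int main(void)
{
    Outcome t = run_scenario(true), n = run_scenario(false);
    printf("target process: %d monitored, %d switches\n", t.monitored, t.switches);
    printf("non-target process: %d monitored, %d switches\n", n.monitored, n.switches);
    return 0;
}
```

For a target process both the call and the return raise an exception, so two monitoring events and two switches occur and the target mapping relationship ends back on mapping relationship #1; for a non-target process only the call raises an exception (mapping relationship #1 marks external code NX for everyone), nothing is recorded, and the return is allowed directly under mapping relationship #2, exactly the period #b case described above.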
FIG. 8 shows the actions performed by processing unit 112 in the process monitoring method of the embodiment of this application.
S810: Processing unit 112 may create the initial mapping relationship #1 and mapping relationship #2. In mapping relationship #1, the access rule of the memory space used to store external code is deny access; conversely, in mapping relationship #2, the access rule of the memory space used to store external code is allow access.
Optionally, processing unit 112 may also determine the access rule of the memory space used to store the internal code of a process.
In mapping relationship #2, the access rule of the memory space used to store the internal code of a target process is deny access; conversely, in mapping relationship #1, the access rule of the memory space used to store the internal code of a target process is allow access.
Optionally, since monitoring in the embodiment of this application is implemented by triggering faults, and frequent faults would degrade the host's processing performance, the access rule of the memory space used to store the internal code of non-target processes may be set to allow access in both mapping relationship #2 and mapping relationship #1. In this way, no fault is triggered when the memory space storing the internal code of a non-target process is accessed.
Optionally, when a process is created, processing unit 112 may determine whether the created process is a target process according to whether its parent process is a target process.
S820: The processing unit determines whether a new process (for example, a new child process) has been created. If so, it handles the new-process-creation event; if not, S830 is performed.
S830: The processing unit determines whether a running process has ended. If so, it handles the process-end event; if not, S840 is performed.
S840: The processing unit determines whether a page fault has occurred. If so, it may handle the page fault event; if not, S850 may be performed.
S850: The processing unit determines whether the monitoring has ended. If so, it exits the monitoring and deletes mapping relationship #1 and mapping relationship #2; if not, it returns to S820.
FIG. 9 shows the actions performed by processing unit 112 when handling the new-process-creation event, and details the handling of that event in FIG. 8.
S910: Processing unit 112 determines the parent process of the new process.
S920: Processing unit 112 determines whether the parent process is a target process. If the parent process is a target process, S930 is performed; if the parent process is not a target process, processing unit 112 exits the handling of the new-process-creation event.
S930: Processing unit 112 sets the access rule, in mapping relationship #2, of the memory space used to store the internal code of the new process to deny access.
FIG. 10 shows the actions performed by processing unit 112 when handling the page fault event, and details the handling of that event in FIG. 8.
S1010: Processing unit 112 receives the page fault information sent by memory control unit 114 and determines the process that was running when the page fault information was received. For example, processing unit 112 may determine the identifier of the running process from information such as the CPU context, and thereby the process indicated by that identifier.
S1020: Processing unit 112 determines whether the target mapping relationship in use when the page fault information was received is mapping relationship #1.
If the target mapping relationship is mapping relationship #1, S1030 is performed.
If the target mapping relationship is not mapping relationship #1, that is, if it is mapping relationship #2, processing unit 112 may further determine whether the access request that triggered the page fault is the first memory access request sent by that process.
If the access request that triggered the page fault is the first memory access request sent by the process, processing unit 112 may determine the access rule, in mapping relationship #2, of the memory space used to store the program code of the process according to whether the process's parent is a target process. For example, if the parent is a target process, the access rule in mapping relationship #2 for the memory space storing the process's program code is deny access; if the parent is not a target process, that access rule is allow access.
If the access request that triggered the page fault is not the first memory access request sent by the process, processing unit 112 may determine whether the physical address carried in the access request that triggered the page fault is the physical address of the memory space used to store the program code of the process.
If the physical address carried in the access request that triggered the page fault is the physical address of the memory space storing the process's program code, monitoring of the process is triggered and S1050 is performed;
If the physical address carried in the access request that triggered the page fault is not the physical address of the memory space storing the process's program code, S1050 is performed directly.
In S1030, the processing unit may determine whether the process that was running when the page fault information was received is a target process;
If the process is a target process, S1040 is performed;
If the process is not a target process, S1050 is performed.
In S1040, processing unit 112 may monitor the process. For example, processing unit 112 may record the process's behavior of calling external code; as another example, the monitoring may be implemented through the VMM. The monitored content includes, but is not limited to, the process's context information, the function name of the called external code, the parameter values passed when the call occurred, and the return value. The content and procedure of monitoring a process by processing unit 112 may be similar to the prior art and, to avoid repetition, are not described in detail here.
In S1050, processing unit 112 may switch the target mapping relationship: if the target mapping relationship currently in use is mapping relationship #1, it is switched to mapping relationship #2; if the target mapping relationship currently in use is mapping relationship #2, it is switched to mapping relationship #1.
FIG. 11 shows the actions performed by processing unit 112 when handling the process-end event, and details the handling of that event in FIG. 8. As shown in FIG. 11, in S1110, processing unit 112 may determine the process that currently needs to end.
In S1120, processing unit 112 determines whether the process that needs to end is a target process;
If the process that needs to end is a target process, S1130 may be performed;
If the process that needs to end is not a target process, the handling of the process-end event may be exited.
In S1130, processing unit 112 may remove the process from the target process set, delete the access rules of the physical addresses corresponding to the process, and exit the handling of the process-end event.
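The call-and-return sequence of S580 to S598 and the event handling of FIGs. 8 to 11 can be followed end to end in the simulation below. It is an added example, not code from the patent or its applicant: a `ProcessingUnit` owns two `Mapping` objects with identical VA-to-PA translation but opposite access rules, a `MemoryControlUnit` checks the rule under whichever mapping is the current target and raises a `PageFault` on deny, and the fault handler records a call or return for target processes and flips the mapping before the request is re-sent. Page addresses, process ids, the `EXT_VA`/`EXT_PA` external-code page and the class and method names are constructed for the example; the real hardware mechanism (for instance a hypervisor switching between second-level page tables) is not modelled.

```python
# Added example (not the patent's code): simulate the two-mapping process monitor.
# Addresses, pids and the memory layout used here are constructed for illustration.
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"
EXT_VA, EXT_PA = 0x7000, 0x1000   # page holding external (shared-library/kernel) code

@dataclass
class Mapping:
    """One mapping relationship: VA->PA translation plus a per-PA access rule."""
    name: str
    va_to_pa: dict
    rules: dict = field(default_factory=dict)   # PA -> ALLOW/DENY; missing means ALLOW

class PageFault(Exception):
    def __init__(self, pa, mapping_name):
        super().__init__(f"access to {pa:#x} denied under {mapping_name}")
        self.pa, self.mapping_name = pa, mapping_name

class MemoryControlUnit:
    """Translates a VA under the current target mapping; a DENY rule raises a fault."""
    def __init__(self, mappings, target):
        self.mappings, self.target = mappings, target

    def access(self, va):
        m = self.mappings[self.target]
        pa = m.va_to_pa[va]
        if m.rules.get(pa, ALLOW) == DENY:
            raise PageFault(pa, m.name)
        return pa

class ProcessingUnit:
    def __init__(self, va_to_pa):
        # S810: external code is denied under mapping #1 and allowed under mapping #2.
        self.m1 = Mapping("mapping#1", va_to_pa, {EXT_PA: DENY})
        self.m2 = Mapping("mapping#2", va_to_pa, {EXT_PA: ALLOW})
        self.mcu = MemoryControlUnit({m.name: m for m in (self.m1, self.m2)}, self.m1.name)
        self.code_pa = {}      # pid -> PA of the page holding that process's own code
        self.targets = set()   # the target process set
        self.log = []          # monitoring records: (event, pid)
        self.running = None

    def create_process(self, pid, code_va, parent=None, target=False):
        """FIG. 9: a child of a target process is itself a target (S910-S930)."""
        self.code_pa[pid] = self.m1.va_to_pa[code_va]
        if target or parent in self.targets:
            self.targets.add(pid)
            self.m2.rules[self.code_pa[pid]] = DENY   # own code faults under #2 (S930)

    def run(self, pid):
        """Schedule pid; the target mapping is #1 whenever a process starts running."""
        self.running, self.mcu.target = pid, self.m1.name

    def exit_process(self, pid):
        """FIG. 11: remove the process from the target set and delete its rules."""
        if pid in self.targets:
            self.targets.discard(pid)
            for m in (self.m1, self.m2):
                m.rules.pop(self.code_pa[pid], None)
        self.code_pa.pop(pid, None)

    def handle_fault(self, fault):
        """FIG. 10: record call/return for target processes, then flip the mapping."""
        pid = self.running
        if fault.mapping_name == self.m1.name:          # S1020 -> S1030
            if pid in self.targets:                      # S1040
                self.log.append(("call_external", pid))
            self.mcu.target = self.m2.name               # S1050
        else:
            if fault.pa == self.code_pa.get(pid):        # external code returning
                self.log.append(("return_from_external", pid))
            self.mcu.target = self.m1.name               # S1050

    def access(self, va):
        """Issue an access request; on a fault, handle it and re-send the request."""
        try:
            return self.mcu.access(va)
        except PageFault as fault:
            self.handle_fault(fault)
            return self.mcu.access(va)

def demo():
    """Constructed scenario: #1 (target) calls and returns from external code, #2 (non-target) leaves no record, #3 inherits from #1."""
    pu = ProcessingUnit({EXT_VA: EXT_PA, 0x8000: 0x2000, 0x9000: 0x3000, 0xA000: 0x4000})
    pu.create_process(1, 0x8000, target=True)
    pu.create_process(2, 0x9000)
    pu.create_process(3, 0xA000, parent=1)
    pu.run(1)
    pu.access(EXT_VA)                 # call: fault under #1, logged, switch to #2
    after_call = pu.mcu.target
    pu.access(0x8000)                 # return: fault under #2, logged, switch to #1
    after_return = pu.mcu.target
    pu.run(2)
    pu.access(EXT_VA)                 # non-target call: switch only, nothing logged
    pu.access(0x9000)                 # return: #2 allows non-target code, no fault
    pu.exit_process(1)
    return {"log": pu.log, "after_call": after_call, "after_return": after_return,
            "non_target_final": pu.mcu.target, "child_is_target": 3 in pu.targets,
            "m2_rules": dict(pu.m2.rules)}
```

Running `demo()` shows the two properties the description relies on: a target process produces exactly one record on the way into external code and one on the way back, while a non-target process only costs one mapping switch on the call and none on the return, because its own code page carries no deny rule under mapping #2. The "first access request" branch of S1020 is not modelled; this example determines a child's rule eagerly at creation instead.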
According to the process monitoring method of the embodiment of this application, the processing unit can configure a first mapping relationship and a second mapping relationship that indicate the same mapping between virtual addresses and physical addresses but different access rules for the physical addresses. When a process starts running, the processing unit sets the first mapping relationship, whose access rule is deny access, as the target mapping relationship used by the memory control unit to control access to the memory. When the code of a first process indicates that the memory space corresponding to a first physical address needs to be accessed, the memory control unit reports page fault information to the processing unit, because the target mapping relationship (that is, the first mapping relationship) indicates that the access rule of the first physical address is deny access. Based on the page fault information, the processing unit can trigger monitoring of the first process, switch the target mapping relationship from the first mapping relationship to the second mapping relationship, and re-send the access request. Since the switched target mapping relationship (that is, the second mapping relationship) indicates that the access rule of the first physical address is allow access, the memory control unit can perform the access. The process can thus be monitored without affecting its memory access, and, based on the process monitoring method and apparatus of the embodiment of this application, the behavior of a process calling external functions can be monitored without modifying the code of the process or of the external functions.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, and such implementation should not be considered beyond the scope of this application.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computing device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods described in the embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing is merely specific embodiments of this application, but the scope of protection of this application is not limited thereto. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed in this application shall fall within the scope of protection of this application. Therefore, the scope of protection of this application shall be subject to the scope of protection of the claims.
Claims (14)
1. A process monitoring method, characterized in that the method is performed by a computing device comprising a processing unit, a memory and a memory control unit, the method comprising: the processing unit determines a first mapping relationship and a second mapping relationship, where both the first mapping relationship and the second mapping relationship indicate a mapping relationship between a first virtual address and a first physical address and an access rule of the first physical address, the first mapping relationship indicates that the access rule of the first physical address is deny access, and the second mapping relationship indicates that the access rule of the first physical address is allow access, where the first physical address is the physical address of a first memory space in the memory, the first memory space is memory space in the memory other than a second memory space, and the second memory space is a memory space used to store the program code that generates the first process; when a first process starts running, the processing unit determines that a target mapping relationship is the first mapping relationship, where the target mapping relationship is the mapping relationship used by the memory control unit when controlling access to the memory; when the first process needs to access the first memory space, the processing unit sends a first access request to the memory control unit, the first access request carrying the first virtual address; the processing unit receives first fault information sent by the memory control unit, the first fault information being sent by the memory control unit upon determining that the access rule of the first physical address under the target mapping relationship is deny access; according to the first fault information, the processing unit performs first monitoring processing on the first process and performs first switching processing on the target mapping relationship, the first switching processing switching the target mapping relationship from the first mapping relationship to the second mapping relationship; and the processing unit re-sends the first access request to the memory control unit.
2. The method according to claim 1, characterized in that the first mapping relationship and the second mapping relationship further indicate a mapping relationship between a second virtual address and a second physical address and an access rule of the second physical address, the first mapping relationship indicates that the access rule of the second physical address is allow access, and the second mapping relationship indicates that the access rule of the second physical address is deny access, where the second physical address is the physical address of the second memory space; and after the first switching processing is performed on the target mapping relationship, the method further comprises: when the code stored in the first memory space indicates that the second memory space needs to be accessed, the processing unit sends a second access request to the memory control unit, the second access request carrying the second virtual address; the processing unit receives second fault information sent by the memory control unit, the second fault information being sent by the memory control unit upon determining that the access rule of the second physical address under the target mapping relationship is deny access; according to the second fault information, the processing unit performs second monitoring processing on the first process and performs second switching processing on the target mapping relationship, the second switching processing switching the target mapping relationship from the second mapping relationship to the first mapping relationship; and the processing unit re-sends the second access request to the memory control unit.
3. The method according to claim 2, characterized in that the processing unit determining the first mapping relationship and the second mapping relationship comprises: when the first process is created, the processing unit determines a second process, the second process being the parent process of the first process; and when the second process needs to be monitored, the processing unit determines the access rule of the second physical address in the first mapping relationship and the second mapping relationship.
4. The method according to any one of claims 1 to 3, further comprising: when the first process ends, the processing unit deletes the first mapping relationship and the second mapping relationship.
5. The method according to any one of claims 1 to 4, characterized in that the first memory space is used to store the code of external functions, the external functions comprising functions other than process functions, where the process functions are the functions contained in the program code that generates the first process.
6. The method according to claim 5, characterized in that the code of the external functions comprises at least one of process-shared code and system kernel code.
7. A process monitoring method, characterized in that the method is performed by a computing device comprising a processing unit, a memory and a memory control unit, the method comprising: the memory control unit receives a first access request sent by the processing unit, the first access request carrying a first virtual address and being sent by the processing unit when a first process needs to access a first memory space in the memory, where the first memory space is memory space in the memory other than a second memory space and the second memory space is a memory space used to store the program code that generates the first process; upon determining that the access rule of a first physical address under the target mapping relationship currently in use is deny access, the memory control unit sends first fault information to the processing unit, so that the processing unit performs first monitoring processing on the first process according to the first fault information, where the target mapping relationship was determined by the processing unit to be a first mapping relationship when the first process started running, the first mapping relationship indicates the mapping relationship between the first virtual address and the first physical address and the access rule of the first physical address, the first mapping relationship indicates that the access rule of the first physical address is deny access, and the first physical address is the physical address of the first memory space; the memory control unit receives the first access request re-sent by the processing unit according to the first fault information; and the memory control unit controls access to the first memory space according to the target mapping relationship and the first access request re-sent by the processing unit, where the target mapping relationship was switched by the processing unit to a second mapping relationship before the memory control unit received the re-sent first access request, the second mapping relationship indicates the mapping relationship between the first virtual address and the first physical address and the access rule of the first physical address, and the second mapping relationship indicates that the access rule of the first physical address is allow access.
8. The method according to claim 7, characterized in that the first mapping relationship and the second mapping relationship further indicate a mapping relationship between a second virtual address and a second physical address and an access rule of the second physical address, the first mapping relationship indicates that the access rule of the second physical address is allow access, and the second mapping relationship indicates that the access rule of the second physical address is deny access, where the second physical address is the physical address of the second memory space; and after the memory control unit controls access to the first memory space according to the target mapping relationship and the first access request re-sent by the processing unit, the method further comprises: the memory control unit receives a second access request sent by the processing unit, the second access request carrying the second virtual address; upon determining that the access rule of the second physical address under the target mapping relationship currently in use is deny access, the memory control unit sends second fault information to the processing unit; the memory control unit receives the second access request re-sent by the processing unit according to the second fault information; and the memory control unit controls access to the second memory space according to the target mapping relationship and the second access request, where the target mapping relationship was switched by the processing unit to the first mapping relationship before the memory control unit received the re-sent second access request.
9. The method according to claim 8, characterized in that the access rule of the second physical address in the first mapping relationship and the second mapping relationship is determined when a second process needs to be monitored, the second process being the parent process of the first process.
10. The method according to any one of claims 7 to 9, characterized in that the first memory space is used to store external function code, the external functions comprising functions other than process functions, where the process functions are the functions contained in the program code that generates the first process.
11. The method according to claim 10, characterized in that the external function code comprises at least one of process-shared code and system kernel code.
12. A computer chip, characterized by comprising: at least one processing unit configured to perform the method according to any one of claims 1 to 6; and a memory control unit configured to perform the method according to any one of claims 7 to 11.
13. A computer-readable storage medium, characterized by comprising a computer program which, when run on a computing device, causes the processing unit in the computing device to perform the method according to any one of claims 1 to 6.
14. A computer-readable storage medium, characterized by comprising a computer program which, when run on a computing device, causes the memory control unit in the computing device to perform the method according to any one of claims 7 to 11.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP18862757.4A EP3680798B1 (en) | 2017-09-28 | 2018-08-27 | Method and device for monitoring process |
US16/831,123 US11972116B2 (en) | 2017-09-28 | 2020-03-26 | Process monitoring method and apparatus |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710897225.5 | 2017-09-28 | ||
CN201710897225.5A CN109583190B (zh) | 2017-09-28 | 2017-09-28 | 监控进程的方法和装置 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/831,123 Continuation US11972116B2 (en) | 2017-09-28 | 2020-03-26 | Process monitoring method and apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019062420A1 true WO2019062420A1 (zh) | 2019-04-04 |
Family
ID=65900719
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2018/102476 WO2019062420A1 (zh) | 2017-09-28 | 2018-08-27 | 监控进程的方法和装置 |
Country Status (4)
Country | Link |
---|---|
US (1) | US11972116B2 (zh) |
EP (1) | EP3680798B1 (zh) |
CN (1) | CN109583190B (zh) |
WO (1) | WO2019062420A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2022057002A1 (zh) * | 2020-09-16 | 2022-03-24 | 厦门网宿有限公司 | 一种异常请求处理方法和装置 |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111177716B (zh) * | 2019-06-14 | 2024-04-02 | 腾讯科技(深圳)有限公司 | 一种内存中可执行文件获取方法、装置、设备及存储介质 |
CN112464221A (zh) * | 2019-09-09 | 2021-03-09 | 北京奇虎科技有限公司 | 内存访问行为的监控方法及系统 |
CN111181978B (zh) * | 2019-12-31 | 2022-09-30 | 深信服科技股份有限公司 | 异常网络流量的检测方法、装置、电子设备及存储介质 |
CN111259379A (zh) * | 2020-01-13 | 2020-06-09 | 中孚安全技术有限公司 | 一种沙盒分析恶意程序的方法 |
CN113268726B (zh) * | 2020-02-17 | 2023-10-20 | 华为技术有限公司 | 程序代码执行行为的监控方法、计算机设备 |
CN111338988B (zh) * | 2020-02-20 | 2022-06-14 | 西安芯瞳半导体技术有限公司 | 内存访问方法、装置、计算机设备和存储介质 |
CN112187919B (zh) * | 2020-09-28 | 2024-01-23 | 腾讯科技(深圳)有限公司 | 一种存储节点管理方法及相关装置 |
CN114691532A (zh) * | 2020-12-30 | 2022-07-01 | 华为技术有限公司 | 内存访问方法、内存地址分配方法及装置 |
CN115220993B (zh) * | 2022-04-20 | 2024-03-12 | 广州汽车集团股份有限公司 | 进程监控方法、装置、车辆及存储介质 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102609254A (zh) * | 2012-01-19 | 2012-07-25 | 中国科学院计算技术研究所 | 获取对象级访存行为的方法及装置 |
CN102736969A (zh) * | 2012-05-22 | 2012-10-17 | 中国科学院计算技术研究所 | 一种针对硬件虚拟化的内存监控方法和系统 |
CN103744851A (zh) * | 2013-10-25 | 2014-04-23 | 中国科学院计算技术研究所 | 一种虚拟化环境中的进程信息监控系统及其方法 |
CN103914363A (zh) * | 2012-12-31 | 2014-07-09 | 华为技术有限公司 | 一种内存监控方法及相关装置 |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8271450B2 (en) * | 2009-10-01 | 2012-09-18 | Vmware, Inc. | Monitoring a data structure in a virtual machine and determining if memory pages containing the data structure are swapped into or out of guest physical memory |
CN102567217B (zh) * | 2012-01-04 | 2014-12-24 | 北京航空航天大学 | 一种面向mips平台的内存虚拟化方法 |
CN103365702B (zh) * | 2013-07-11 | 2017-02-08 | 中国科学院合肥物质科学研究院 | IaaS云环境下轻量级虚拟机进程追踪系统和方法 |
CN105701020B (zh) * | 2014-11-28 | 2018-11-30 | 华为技术有限公司 | 一种内存访问的方法、相关装置和系统 |
US10621340B2 (en) * | 2016-09-01 | 2020-04-14 | Intel Corporation | Hybrid hypervisor-assisted security model |
US20180165133A1 (en) * | 2016-12-13 | 2018-06-14 | Microsoft Technology Licensing, Llc | Shared Memory Using Memory Mapped Files Between Host And Guest On A Computing Device |
2017
- 2017-09-28 CN CN201710897225.5A patent/CN109583190B/zh active Active
2018
- 2018-08-27 EP EP18862757.4A patent/EP3680798B1/en active Active
- 2018-08-27 WO PCT/CN2018/102476 patent/WO2019062420A1/zh unknown
2020
- 2020-03-26 US US16/831,123 patent/US11972116B2/en active Active
Non-Patent Citations (1)
Title |
---|
See also references of EP3680798A4 |
Also Published As
Publication number | Publication date |
---|---|
US11972116B2 (en) | 2024-04-30 |
EP3680798B1 (en) | 2024-01-24 |
CN109583190B (zh) | 2020-11-27 |
CN109583190A (zh) | 2019-04-05 |
EP3680798A4 (en) | 2020-11-04 |
EP3680798A1 (en) | 2020-07-15 |
US20200225855A1 (en) | 2020-07-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2019062420A1 (zh) | 监控进程的方法和装置 | |
US10073986B2 (en) | Regulating access to and protecting portions of applications of virtual machines | |
CN107977573B (zh) | 用于安全的盘访问控制的方法和系统 | |
JP6117068B2 (ja) | 情報処理装置、およびプログラム | |
US11061710B2 (en) | Virtual machine exit support by a virtual machine function | |
JP5611598B2 (ja) | Usbトークン上の暗号化キーコンテナ | |
US7827326B2 (en) | Method and apparatus for delegation of secure operating mode access privilege from processor to peripheral | |
US10810138B2 (en) | Enhanced storage encryption with total memory encryption (TME) and multi-key total memory encryption (MKTME) | |
US10255088B2 (en) | Modification of write-protected memory using code patching | |
US11755753B2 (en) | Mechanism to enable secure memory sharing between enclaves and I/O adapters | |
US11392405B2 (en) | Method and apparatus for securely entering trusted execution environment in hyper- threading scenario | |
US20210089684A1 (en) | Controlled access to data stored in a secure partition | |
US11403180B2 (en) | Auxiliary storage device having independent recovery area, and device applied with same | |
US11782744B2 (en) | Data processing system and method for accessing data in the data processing system | |
CN113302613A (zh) | 旁路保护 | |
CN116157795A (zh) | 分层保护域中的安全性增强 | |
US20170185791A1 (en) | Application program interface (API) monitoring bypass | |
US11783055B2 (en) | Secure application execution in a data processing system | |
KR102584506B1 (ko) | 가상 기계들을 위한 상태 정보 보호 | |
US20150356307A1 (en) | Safe input method and system | |
WO2013074071A1 (en) | Regulating access to and protecting portions of applications of virtual machines | |
Wei et al. | File protection system based on driver |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18862757 Country of ref document: EP Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 2018862757 Country of ref document: EP Effective date: 20200408 |