[go: up one dir, main page]

CN106203082A - The system and method efficiently isolating kernel module based on virtualization hardware characteristic - Google Patents

The system and method efficiently isolating kernel module based on virtualization hardware characteristic Download PDF

Info

Publication number
CN106203082A
CN106203082A CN201610497325.4A CN201610497325A CN106203082A CN 106203082 A CN106203082 A CN 106203082A CN 201610497325 A CN201610497325 A CN 201610497325A CN 106203082 A CN106203082 A CN 106203082A
Authority
CN
China
Prior art keywords
kernel
module
incredible
core
context
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610497325.4A
Other languages
Chinese (zh)
Inventor
刘宇涛
陈海波
夏虞斌
臧斌宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Jiao Tong University
Original Assignee
Shanghai Jiao Tong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Jiao Tong University filed Critical Shanghai Jiao Tong University
Priority to CN201610497325.4A priority Critical patent/CN106203082A/en
Publication of CN106203082A publication Critical patent/CN106203082A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

本发明提供了一种基于虚拟化硬件特性的高效隔离内核模块的系统及方法,其设计了一种安全的高效的针对不可信的内核模块的强隔离机制,并且能够满足当下对于安全性和功能性方面的需求。本发明相对现有的解决方法,具有更好的性能、更强的隔离性、更高的向后兼容性。本发明提出的机制易于在当下主流的云计算平台中部署,进而可以带来可观的社会效益及经济效益。在本发明提出的机制中,当不可信的内核模块需要调用内核核心的函数,或者内核核心需要调用不可信的内核模块中的函数时,建立一套基于虚拟化硬件特性安全且高效的控制流转换机制,使得在该切换中不会暴露更多的攻击面。

The present invention provides a system and method for efficiently isolating kernel modules based on the characteristics of virtualized hardware, which designs a safe and efficient strong isolation mechanism for untrusted kernel modules, and can meet the current requirements for security and functions sexual needs. Compared with the existing solutions, the present invention has better performance, stronger isolation and higher backward compatibility. The mechanism proposed by the present invention is easy to be deployed in the current mainstream cloud computing platform, and then can bring considerable social and economic benefits. In the mechanism proposed by the present invention, when the untrusted kernel module needs to call the function of the kernel core, or the kernel core needs to call the function in the untrusted kernel module, a set of safe and efficient control flow based on virtualization hardware characteristics is established Transition mechanisms such that no further attack surface is exposed during this transition.

Description

基于虚拟化硬件特性的高效隔离内核模块的系统及方法System and method for efficiently isolating kernel modules based on virtualization hardware characteristics

技术领域technical field

本发明属于云计算平台系统安全技术领域,具体地说,是一种能够在安全性和性能之间寻求到一个平衡点的安全高效的恶意内核模块预防机制。The invention belongs to the technical field of cloud computing platform system security, and specifically relates to a safe and efficient malicious kernel module prevention mechanism capable of finding a balance between security and performance.

背景技术Background technique

首先对本发明涉及到的技术术语进行解释说明:At first the technical terms involved in the present invention are explained:

内核——所有运行在内核态的代码和数据Kernel - all code and data running in kernel mode

内核核心——被包含在内核文件中,在系统启动的时候就被加载到内核态的代码和数据Kernel core - included in the kernel file, the code and data loaded into the kernel state when the system starts

内核模块——独立于内核文件,在系统运行过程中动态插入到内核态的代码和数据Kernel module - independent of the kernel file, code and data dynamically inserted into the kernel state during system operation

系统运行过程中,内核态运行的代码和数据是由内核核心和内核模块组成的。During the running of the system, the code and data running in the kernel mode are composed of the kernel core and the kernel module.

在云计算平台中,虚拟化技术通常被用来高效整合服务器,提高包括处理器、内存在内的硬件的利用率。同时,虚拟化技术也通常被用于做虚拟机之间的隔离,防止恶意虚拟机访问其他虚拟机中的内存和磁盘存储的隐私数据。但是,在虚拟机内部,随着操作系统功能性日益繁多,操作系统的内核的代码量也日益扩大,内核中代码的漏洞数目也越来越多。在针对内核的漏洞曝光和攻击中,内核模块首当其冲,内核模块包括了那些未被编入内核核心的但是运行在内核中的代码,比如驱动等。同时,近些年,内核恶意软件rootkit也大行其道,学术界和工业界对rootkit的研究也一直没有停歇。总的来说,rootkit也是一种特殊的内核模块,它们通过欺骗用户将其安装在内核空间中,并且通过一系列手段来修改内核中的一些特殊的数据结构来达到特定的目的,比如通过修改系统调用表或者中断处理表,来对某些敏感的系统调用和中断处理进行拦截;或者通过修改进程列表,来对一些特定的进程进行隐藏等。In cloud computing platforms, virtualization technology is usually used to efficiently integrate servers and improve the utilization of hardware including processors and memory. At the same time, virtualization technology is usually used to isolate virtual machines to prevent malicious virtual machines from accessing private data stored in memory and disks in other virtual machines. However, within the virtual machine, as the operating system has more and more functions, the amount of code in the kernel of the operating system is also increasing, and the number of loopholes in the code in the kernel is also increasing. In the exposure of vulnerabilities and attacks against the kernel, the kernel module bears the brunt. The kernel module includes codes that are not programmed into the kernel core but run in the kernel, such as drivers. At the same time, in recent years, kernel malware rootkits have also become popular, and the research on rootkits in academia and industry has never stopped. In general, rootkits are also a special kind of kernel module. They install it in the kernel space by deceiving users, and modify some special data structures in the kernel through a series of means to achieve specific purposes, such as by modifying System call table or interrupt processing table to intercept some sensitive system calls and interrupt processing; or to hide some specific processes by modifying the process list.

由于内核模块处于整个系统最高权限层,所以包括杀毒软件在内的上层防护软件并不能解决恶意模块造成的问题。一种比较常用的方法是利用虚拟化技术对虚拟机内核中不可信的内核模块进行隔离,因为虚拟机监控器处于比虚拟机操作系统更高权限级别的层次,所以它可以控制虚拟机内核中内存的访问权限,从而通过对内存访问权限的控制来区分不可信的内核模块和内核核心对不同内存的访问。但是,通过虚拟化技术隔离内核模块容易造成较大的性能损失,因为对虚拟机中的内存访问控制需要虚拟机监控器的介入,特别是当不可信的内核模块和内核核心之间存在某种交互,比如相互之间的函数调用和数据访问时,需要在不同的内存上下文之间进行切换和跳转,而这些切换和跳转都需要虚拟机监控器进行拦截,比如可以通过产生一个异常,陷入虚拟机监控器等,这些频繁的虚拟机陷入容易造成很大的性能开销。另一方面,由于在虚拟机中的运行时的语义是对虚拟机不可知的,所以对于虚拟机监控器来说,检测和监控虚拟机内存的访问存在语义鸿沟的问题,需要进一步的工作来解决相关问题。Since the kernel module is at the highest authority level of the entire system, upper layer protection software including antivirus software cannot solve the problems caused by malicious modules. A common method is to use virtualization technology to isolate untrusted kernel modules in the virtual machine kernel, because the virtual machine monitor is at a higher level of authority than the virtual machine operating system, so it can control the virtual machine kernel Memory access rights, so as to distinguish between untrusted kernel modules and kernel core access to different memory through the control of memory access rights. However, isolating the kernel module through virtualization technology is likely to cause a large performance loss, because the memory access control in the virtual machine requires the intervention of the virtual machine monitor, especially when there is some kind of untrusted kernel module and the kernel core. Interaction, such as mutual function calls and data access, needs to switch and jump between different memory contexts, and these switches and jumps need to be intercepted by the virtual machine monitor, for example, by generating an exception, Trapped into the virtual machine monitor, etc., these frequent virtual machine traps can easily cause a large performance overhead. On the other hand, since the runtime semantics in a virtual machine are agnostic to the virtual machine, there is a semantic gap in detecting and monitoring virtual machine memory access for a virtual machine monitor, and further work is needed to Solve related problems.

除此之外,如何有效切合理地将不可信的内核模块从内核核心中解耦合出来也是一个比较大的挑战。之前的一些程序分析系统通过数据流分析可以得到和某些数据相关的控制流,从而将程序中相关的代码分离出来,另外一些系统通过虚拟化的技术隔离一整个用户态的应用程序,防止不可信内核对其的数据窃取。然而这些系统并没有考虑到不可信的内核模块和内核核心之间比较大的耦合度,在一般的内核模块中,它会调用内核核心向其提供的接口,以及访问某些内核数据结构,同时内核核心也会调用内核模块提供的接口,比如调用一个驱动模块的函数等。因此,如何有效地将不可信的内核模块合理地隔离出来,并且不会影响其本身的功能性,也是一个亟需解决的问题。In addition, how to effectively and reasonably decouple untrusted kernel modules from the kernel core is also a relatively big challenge. Some previous program analysis systems can obtain the control flow related to certain data through data flow analysis, so as to separate the relevant code in the program. Data theft from the trusted kernel. However, these systems do not take into account the relatively large degree of coupling between the untrusted kernel module and the kernel core. In a general kernel module, it will call the interface provided by the kernel core and access some kernel data structures. At the same time The kernel core also calls the interface provided by the kernel module, such as calling a function of a driver module. Therefore, how to effectively isolate the untrusted kernel module reasonably without affecting its own functionality is also a problem that needs to be solved urgently.

Intel处理器在很早之前就提出了硬件虚拟化的支持,其中包括CPU虚拟化,内存虚拟化和I/O虚拟化,在本发明中主要利用的是内存虚拟化的硬件支持。在虚拟化环境中,内存虚拟化是通过两级页表映射实现的,如图1所示。内存虚拟化的两级页表机制客户虚拟机中每个客户机虚拟地址(GVA,Guest Virtual Address)首先会被映射到一个客户机物理地址(GPA,Guest Physical Address),之后在虚拟机监控器(VMM,Virtual MachineMonitor)中,每个客户机物理地址又会被映射为一个宿主机物理地址(HPA,host physicaladdress)。也就是说在虚拟机监控器VMM中会维护一个页表(Intel中被称为EPT),该页表会对所有客户虚拟机中的物理地址进行映射,只有存在于该页表中的映射的客户机地址才会被反映在真实的物理内存中。该页表通过一个硬件页表指针寄存器进行访问,该页表指针寄存器被称为EPT Pointer(EPTP)。理论上我们完全可以通过操作EPT(即改变GPA到HPA之间的映射)来操作客户机中的内存分配,但是在正常模式下,修改EPT中地址的映射关系都是由虚拟机监控器VMM进行操作的,在虚拟机中切换不同的EPTP会引起虚拟机下陷,造成比较大的性能开销。Intel processors proposed hardware virtualization support a long time ago, including CPU virtualization, memory virtualization and I/O virtualization, and the hardware support of memory virtualization is mainly utilized in the present invention. In a virtualization environment, memory virtualization is implemented through two-level page table mapping, as shown in Figure 1. The two-level page table mechanism of memory virtualization Each guest virtual address (GVA, Guest Virtual Address) in the guest virtual machine will first be mapped to a guest physical address (GPA, Guest Physical Address), and then in the virtual machine monitor (VMM, Virtual MachineMonitor), each client physical address will be mapped to a host physical address (HPA, host physical address). That is to say, a page table (called EPT in Intel) will be maintained in the virtual machine monitor VMM. This page table will map the physical addresses in all guest virtual machines. Only the mappings that exist in the page table The client address will be reflected in the real physical memory. The page table is accessed through a hardware page table pointer register called EPT Pointer (EPTP). In theory, we can operate the memory allocation in the client by operating EPT (that is, changing the mapping between GPA and HPA), but in normal mode, modifying the mapping relationship of addresses in EPT is performed by the virtual machine monitor VMM Operationally, switching between different EPTPs in the virtual machine will cause the virtual machine to sink, resulting in relatively large performance overhead.

因此如何同时满足安全性、功能性和性能三个方面的需求,实已成为本领域技术人员亟待解决的技术难题。Therefore, how to simultaneously meet the three requirements of safety, functionality and performance has become a technical problem to be solved urgently by those skilled in the art.

发明内容Contents of the invention

针对现有技术中的缺陷,本发明的目的在于,设计一种基于虚拟化硬件特性的高效隔离内核模块的系统作为安全机制,其能够方便地部署在现有的云计算平台的机器中,并且能够满足用户在安全性、功能性和性能方面与日俱增的需求。Aiming at the defects in the prior art, the object of the present invention is to design a system based on virtualized hardware features to efficiently isolate kernel modules as a security mechanism, which can be easily deployed in the machines of the existing cloud computing platform, and It can meet the increasing needs of users in terms of security, functionality and performance.

根据本发明提供的一种基于虚拟化硬件特性的高效隔离内核模块的系统,包括内核分割模块、内存隔离模块、安全通信模块;A system for efficiently isolating kernel modules based on virtualization hardware features provided by the present invention includes a kernel segmentation module, a memory isolation module, and a secure communication module;

内核分割模块,用于将内核核心源码和不可信的内核模块源码分割成两段独立的上下文,分别为不可信的内核模块上下文、内核核心上下文;The kernel segmentation module is used to divide the kernel core source code and the untrusted kernel module source code into two independent contexts, which are respectively the untrusted kernel module context and the kernel core context;

内存隔离模块,用于将所述两段独立的上下文部署在两个隔离开来的物理内存中;A memory isolation module, configured to deploy the two independent contexts in two isolated physical memories;

安全通信模块,用于在不可信的内核模块需要调用内核核心提供的函数时,将控制流由不可信的内核模块上下文切换到内核核心上下文,由内核核心调用不可信的内核模块需要调用的函数后,将控制流切换返回到不可信的内核模块上下文;并且,在内核核心需要调用不可信的内核模块提供的函数时,将控制流由内核核心上下文切换到不可信的内核模块上下文,由不可信的内核模块调用内核核心需要调用的函数后,将控制流切换返回到内核核心上下文。The secure communication module is used to switch the control flow from the untrusted kernel module context to the kernel core context when the untrusted kernel module needs to call the function provided by the kernel core, and the kernel core calls the function that the untrusted kernel module needs to call After that, switch the control flow back to the untrusted kernel module context; and, when the kernel core needs to call the function provided by the untrusted kernel module, switch the control flow from the kernel core context to the untrusted kernel module context, by the untrusted After the kernel module of the letter calls the function that the kernel core needs to call, the control flow is switched back to the kernel core context.

优选地,内存隔离模块,用于为不可信的内核模块上下文、内核核心上下文建立两套互相独立的页表,并且在运行时对所述两个隔离开来的物理内存的访问进行访问权限控制。Preferably, the memory isolation module is used to establish two sets of mutually independent page tables for the untrusted kernel module context and the kernel core context, and perform access control on the access of the two isolated physical memory during operation .

优选地,内核分割模块,用于通过对内核核心源码和不可信的内核模块源码进行数据依赖分析和控制流分析;Preferably, the kernel segmentation module is used for performing data dependency analysis and control flow analysis on kernel core source code and untrusted kernel module source code;

通过安全通信模块,将如下函数调用和数据访问编译到内核核心上下文中:Through the secure communication module, the following function calls and data access are compiled into the kernel core context:

-不可信的内核模块需要调用的内核核心提供的函数;- Functions provided by the kernel core that untrusted kernel modules need to call;

-不可信的内核模块需要访问的内核核心中的数据;- Data in the kernel core that untrusted kernel modules need to access;

通过安全通信模块,将如下函数调用和数据访问编译到不可信的内核模块上下文中:Compile the following function calls and data accesses into an untrusted kernel module context through the secure communication module:

-内核核心需要调用的不可信的内核模块提供的函数;- Functions provided by untrusted kernel modules that the kernel core needs to call;

-内核核心需要访问的不可信的内核模块中的数据。- Data in untrusted kernel modules that the kernel core needs to access.

优选地,在安全通信模块中,通过在所述两套互相独立的页表中进行切换来实现不可信的内核模块上下文与内核核心上下文之间的切换。Preferably, in the secure communication module, switching between the untrusted kernel module context and the kernel core context is realized by switching between the two sets of mutually independent page tables.

优选地,还包括扩展页表指针替换模块;Preferably, it also includes an extended page table pointer replacement module;

扩展页表指针替换模块,用于在虚拟机监控器中创建多个页表以及所述多个页表各自对应的页表指针寄存器EPTP,将页表指针寄存器EPTP组成EPTP数组,将EPTP数组的首地址填到虚拟机控制结构VMCS中的域,该域记为EPTP_LIST_ADDR域;在客户虚拟机的非根模式中,将当前的页表切换到已配置好的存储在EPTP_LIST_ADDR域中地址所对应的页表。The extended page table pointer replacement module is used to create a plurality of page tables and the page table pointer registers EPTP corresponding to the plurality of page tables in the virtual machine monitor, form the page table pointer register EPTP into an EPTP array, and combine the EPTP array The first address is filled in the field in the virtual machine control structure VMCS, which is recorded as the EPTP_LIST_ADDR field; in the non-root mode of the guest virtual machine, switch the current page table to the configured address corresponding to the address stored in the EPTP_LIST_ADDR field page table.

根据本发明提供的一种基于虚拟化硬件特性的高效隔离内核模块的方法,包括内核分割步骤、内存隔离步骤、安全通信步骤;A method for efficiently isolating a kernel module based on virtualization hardware characteristics provided by the present invention includes a kernel segmentation step, a memory isolation step, and a secure communication step;

内核分割步骤:将内核核心源码和不可信的内核模块源码分割成两段独立的上下文,分别为不可信的内核模块上下文、内核核心上下文;Kernel segmentation step: split the kernel core source code and the untrusted kernel module source code into two independent contexts, namely the untrusted kernel module context and the kernel core context;

内存隔离步骤:将所述两段独立的上下文部署在两个隔离开来的物理内存中;Memory isolation step: deploying the two independent contexts in two isolated physical memories;

安全通信步骤:在不可信的内核模块需要调用内核核心提供的函数时,将控制流由不可信的内核模块上下文切换到内核核心上下文,由内核核心调用不可信的内核模块需要调用的函数后,将控制流切换返回到不可信的内核模块上下文;并且,在内核核心需要调用不可信的内核模块提供的函数时,将控制流由内核核心上下文切换到不可信的内核模块上下文,由不可信的内核模块调用内核核心需要调用的函数后,将控制流切换返回到内核核心上下文。Secure communication steps: When the untrusted kernel module needs to call the function provided by the kernel core, switch the control flow from the untrusted kernel module context to the kernel core context, and after the kernel core calls the function that the untrusted kernel module needs to call, Switch the control flow back to the untrusted kernel module context; and, when the kernel core needs to call the function provided by the untrusted kernel module, switch the control flow from the kernel core context to the untrusted kernel module context, and the untrusted After the kernel module calls the functions that the kernel core needs to call, it switches the control flow back to the kernel core context.

优选地,内存隔离步骤:为不可信的内核模块上下文、内核核心上下文建立两套互相独立的页表,并且在运行时对所述两个隔离开来的物理内存的访问进行访问权限控制。Preferably, the memory isolation step: establish two sets of mutually independent page tables for the untrusted kernel module context and the kernel core context, and perform access control on the access of the two isolated physical memory during operation.

优选地,内核分割步骤:通过对内核核心源码和不可信的内核模块源码进行数据依赖分析和控制流分析;Preferably, the kernel segmentation step: by performing data dependency analysis and control flow analysis to the kernel core source code and untrusted kernel module source code;

通过安全通信步骤,将如下函数调用和数据访问编译到内核核心上下文中:With a secure communication step, the following function calls and data accesses are compiled into the kernel core context:

-不可信的内核模块需要调用的内核核心提供的函数;- Functions provided by the kernel core that untrusted kernel modules need to call;

-不可信的内核模块需要访问的内核核心中的数据;- Data in the kernel core that untrusted kernel modules need to access;

通过安全通信步骤,将如下函数调用和数据访问编译到不可信的内核模块上下文中:With a secure communication step, the following function calls and data accesses are compiled into the untrusted kernel module context:

-内核核心需要调用的不可信的内核模块提供的函数;- Functions provided by untrusted kernel modules that the kernel core needs to call;

-内核核心需要访问的不可信的内核模块中的数据。- Data in untrusted kernel modules that the kernel core needs to access.

优选地,在安全通信步骤中,通过在所述两套互相独立的页表中进行切换来实现不可信的内核模块上下文与内核核心上下文之间的切换。Preferably, in the secure communication step, switching between the untrusted kernel module context and the kernel core context is realized by switching between the two sets of mutually independent page tables.

优选地,还包括扩展页表指针替换步骤;Preferably, the step of replacing the extended page table pointer is also included;

扩展页表指针替换步骤:在虚拟机监控器中创建多个页表以及所述多个页表各自对应的页表指针寄存器EPTP,将页表指针寄存器EPTP组成EPTP数组,将EPTP数组的首地址填到虚拟机控制结构VMCS中的域,该域记为EPTP_LIST_ADDR域;在客户虚拟机的非根模式中,将当前的页表切换到已配置好的存储在EPTP_LIST_ADDR域中地址所对应的页表。Extended page table pointer replacement steps: create multiple page tables and page table pointer registers EPTP corresponding to the multiple page tables in the virtual machine monitor, form the page table pointer register EPTP into an EPTP array, and set the first address of the EPTP array Fill in the domain in the virtual machine control structure VMCS, which is recorded as the EPTP_LIST_ADDR domain; in the non-root mode of the guest virtual machine, switch the current page table to the configured page table corresponding to the address stored in the EPTP_LIST_ADDR domain .

与现有技术相比,本发明具有如下的有益效果:Compared with the prior art, the present invention has the following beneficial effects:

1、本发明能够对不可信的内核模块进行有效的分割和隔离,防止不可信的内核模块对内核核心中关键数据的访问和纂改。1. The present invention can effectively divide and isolate untrustworthy kernel modules, and prevent untrustworthy kernel modules from accessing and tampering with key data in the kernel core.

2、本发明利用Intel处理器中内存硬件虚拟化特性和EPTP Switching的硬件扩展,提出了一种不可信内核和内核核心之间基于硬件特性的安全和高效的切换机制,安全和高效地在不可信的内核模块和内核核心之间进行控制流的转换,极大程度地减小性能损失。2. The present invention utilizes the memory hardware virtualization feature in the Intel processor and the hardware extension of EPTP Switching to propose a safe and efficient switching mechanism based on hardware characteristics between the untrusted kernel and the kernel core, which can be safely and efficiently used in untrusted kernels and kernel cores. The conversion of the control flow between the kernel module of the letter and the kernel core greatly reduces the performance loss.

3、本发明对应的架构能够被部署到现有的云计算平台中。3. The architecture corresponding to the present invention can be deployed in an existing cloud computing platform.

附图说明Description of drawings

通过阅读参照以下附图对非限制性实施例所作的详细描述,本发明的其它特征、目的和优点将会变得更明显:Other characteristics, objects and advantages of the present invention will become more apparent by reading the detailed description of non-limiting embodiments made with reference to the following drawings:

图1是本发明中利用的内存硬件虚拟化的示意图。FIG. 1 is a schematic diagram of memory hardware virtualization utilized in the present invention.

图2是本发明中的系统架构图。Fig. 2 is a system architecture diagram in the present invention.

图3是本发明中不可信的内核模块分割系统示意图。Fig. 3 is a schematic diagram of an untrusted kernel module partitioning system in the present invention.

图4是本发明中不可信的内核模块和内核核心的通信示意图。Fig. 4 is a schematic diagram of communication between an untrusted kernel module and a kernel core in the present invention.

具体实施方式detailed description

下面结合具体实施例对本发明进行详细说明。以下实施例将有助于本领域的技术人员进一步理解本发明,但不以任何形式限制本发明。应当指出的是,对本领域的普通技术人员来说,在不脱离本发明构思的前提下,还可以做出若干变化和改进。这些都属于本发明的保护范围。The present invention will be described in detail below in conjunction with specific embodiments. The following examples will help those skilled in the art to further understand the present invention, but do not limit the present invention in any form. It should be noted that those skilled in the art can make several changes and improvements without departing from the concept of the present invention. These all belong to the protection scope of the present invention.

本发明尤其提供了一种属于云计算平台系统安全技术领域的基于虚拟化硬件特性的高效隔离内核模块的系统,实现了不可信的内核模块上下文的隔离,内核模块与内核核心之间基于虚拟化硬件特性的安全高效切换。本发明利用Intel服务器硬件虚拟化扩展中提供的硬件特性,设计了一种安全的高效的针对不可信的内核模块的强隔离机制,并且能够满足当下对于安全性和功能性方面的需求。本发明相对现有的解决方法,具有更好的性能、更强的隔离性、更高的向后兼容性。本发明提出的机制易于在当下主流的云计算平台中部署,进而可以带来可观的社会效益及经济效益。在本发明提出的机制中,当不可信的内核模块需要调用内核核心的函数,或者内核核心需要调用不可信的内核模块中的函数时,建立一套基于虚拟化硬件特性安全且高效的控制流转换机制,使得在该切换中不会暴露更多的攻击面。In particular, the present invention provides a system for efficiently isolating kernel modules based on virtualization hardware characteristics, which belongs to the field of cloud computing platform system security technology, and realizes the isolation of untrustworthy kernel module contexts. Safe and efficient switching of hardware features. The present invention utilizes the hardware features provided in the Intel server hardware virtualization extension to design a safe and efficient strong isolation mechanism for untrustworthy kernel modules, and can meet the current requirements for security and functionality. Compared with the existing solutions, the present invention has better performance, stronger isolation and higher backward compatibility. The mechanism proposed by the present invention is easy to be deployed in the current mainstream cloud computing platform, and then can bring considerable social and economic benefits. In the mechanism proposed by the present invention, when the untrusted kernel module needs to call the function of the kernel core, or the kernel core needs to call the function in the untrusted kernel module, a set of safe and efficient control flow based on virtualization hardware characteristics is established Transition mechanisms such that no further attack surface is exposed during this transition.

具体地,所述基于虚拟化硬件特性的高效隔离内核模块的系统,包括内核分割模块、基于虚拟化的内存隔离模块、不可信的内核模块与内核核心之间的安全通信模块。Specifically, the system for efficiently isolating kernel modules based on virtualization hardware features includes a kernel segmentation module, a virtualization-based memory isolation module, and a secure communication module between untrusted kernel modules and kernel cores.

图2展示了整体的本发明的架构图。首先,内核分割模块接收内核核心源码和不可信的内核模块源码,将内核核心源码和不可信的内核模块源码分割成两段独立的上下文,分别为不可信的内核模块上下文、内核核心上下文;上下文包括代码和数据。FIG. 2 shows an overall architecture diagram of the present invention. First, the kernel segmentation module receives the kernel core source code and the untrusted kernel module source code, and divides the kernel core source code and the untrusted kernel module source code into two independent contexts, namely the untrusted kernel module context and the kernel core context; the context Includes code and data.

之后通过基于虚拟化的内存隔离模块,将这两段独立的上下文部署在两个隔离开来的物理内存中,该物理内存的隔离过程采用的是Intel提供的内存硬件虚拟化支持,通过EPT的划分,为不可信的内核模块上下文和内核核心上下文建立两套互相独立的EPT,并且在运行时对这两个隔离开来的物理内存的访问进行访问权限控制,防止不可信的内核模块直接读取或者修改内核核心中的敏感数据。Afterwards, through the memory isolation module based on virtualization, the two independent contexts are deployed in two isolated physical memories. The isolation process of the physical memory adopts the memory hardware virtualization support provided by Intel, and through the EPT Divide, establish two sets of independent EPTs for the untrusted kernel module context and the kernel core context, and control access to these two isolated physical memory accesses at runtime, preventing untrusted kernel modules from directly reading Access or modify sensitive data in the kernel core.

除此之外,为了维持包含不可信的内核模块在内的所有内核模块和内核核心中原有的功能性,我们通过安全通信模块,将原有的不可信的内核模块中对内核核心的调用包装成一个跳板函数,通过跳板函数中的上下文切换功能将控制流切换到内核核心上下文,由内核核心直接调用不可信的内核模块中调用的函数,并且使得控制流返回到不可信的内核模块上下文,并且,当内核核心需要调用不可信的内核模块提供的接口函数时,同样先通过安全通信模块提供上下文切换功能使得控制流切换到不可信的内核模块上下文,由不可信的内核模块调用接口函数,最后让控制流回到内核核心上下文。In addition, in order to maintain the original functionality of all kernel modules and kernel cores including untrusted kernel modules, we use the secure communication module to wrap the calls to the kernel core in the original untrusted kernel modules Form a springboard function, switch the control flow to the kernel core context through the context switching function in the springboard function, the kernel core directly calls the function called in the untrusted kernel module, and makes the control flow return to the untrusted kernel module context, Moreover, when the kernel core needs to call the interface function provided by the untrusted kernel module, it also provides the context switching function through the security communication module to switch the control flow to the untrusted kernel module context, and the untrusted kernel module calls the interface function. Finally let control flow back to the kernel core context.

图3展示了内核分割模块的流程,我们首先将内核核心源码和不可信的内核模块源码作为参数传入内核分割模块,在内核分割模块中对相应的源码进行数据依赖分析和控制流分析,找到不可信的内核模块中调用了哪些内核核心中的函数接口,以及访问了哪些相关数据,或者内核核心中调用了哪些不可信的内核模块的接口函数,访问了哪些相关数据等。然后通过自动化的函数调用替换脚本,将这些函数调用和数据访问替换成通信模块中提供的跳板函数,最后通过编译器(如GCC)将相应的代码段和数据段编译到相互独立的程序片段中。Figure 3 shows the process of the kernel split module. We first pass the kernel core source code and untrusted kernel module source code into the kernel split module as parameters, and perform data dependency analysis and control flow analysis on the corresponding source code in the kernel split module, and find What function interfaces in the kernel core are called in the untrusted kernel module, and what related data are accessed, or what interface functions of the untrusted kernel module are called in the kernel core, what related data is accessed, etc. Then replace scripts with automated function calls, replace these function calls and data access with springboard functions provided in the communication module, and finally compile the corresponding code segments and data segments into mutually independent program segments through a compiler (such as GCC) .

当内核分割模块完成,就会进入基于虚拟化的内存隔离模块,它会将内核核心和不可信的内核模块所在的程序段部署在两个相互隔离的物理内存区域中,通过Intel内存硬件虚拟化提供的EPT支持,为两段不同的内存区域创建两个EPT,在安全通信模块中通过在这两个EPT中进行切换来实现不可信的内核模块和内核核心的上下文的切换。When the kernel segmentation module is completed, it will enter the memory isolation module based on virtualization, which will deploy the program segments where the kernel core and untrusted kernel modules are located in two mutually isolated physical memory areas, through Intel memory hardware virtualization The provided EPT support creates two EPTs for two different memory areas, and switches between the two EPTs in the secure communication module to realize context switching between the untrusted kernel module and the kernel core.

图4展示了不可信的内核模块和内核核心之间的通信机制,通过内核分割模块中函数替换的过程,我们将不可信的内核模块和内核核心间可能存在的依赖关系,包括函数调用和数据访问操作替换成了由安全通信模块提供的跳板函数,该跳板函数的作用在于首先通过切换之前由虚拟机监控器配置好的EPT,来达到切换上下文的目的,比如,当不可信的内核模块需要调用内核核心中的函数或者访问内核核心中的数据的时候,通过跳板函数,切换成内核核心对应的EPT,然后调用内核核心中相应的函数和数据访问操作,最后再切换成不可信的内核模块对应的EPT,将结果返回。反之亦然。Figure 4 shows the communication mechanism between the untrusted kernel module and the kernel core. Through the process of function replacement in the kernel split module, we will remove the possible dependencies between the untrusted kernel module and the kernel core, including function calls and data The access operation is replaced by the springboard function provided by the secure communication module. The function of this springboard function is to switch the EPT configured by the virtual machine monitor first to achieve the purpose of switching the context. For example, when the untrusted kernel module needs to When calling a function in the kernel core or accessing data in the kernel core, switch to the EPT corresponding to the kernel core through the springboard function, then call the corresponding function and data access operation in the kernel core, and finally switch to an untrusted kernel module The corresponding EPT returns the result. vice versa.

为了在运行过程中尽可能减少由内存隔离和上下文切换带来的虚拟机下陷造成的性能损失,我们的系统利用了Intel处理器的一个虚拟化硬件扩展机制:EPTP Switching(扩展页表指针替换)。这是硬件提供的一个可以在虚拟机中运行的函数,该函数的功能是在不下陷到虚拟机监控器的情况下改变EPT Pointer的值。我们可以在虚拟机监控器中创建一系列EPT,以及它们各自对应的EPTP,组成EPTP数组,然后将该数组的首地址填到虚拟机控制结构VMCS(Virtual Machine ControlStructure)中的一个特定的域EPTP_LIST_ADDR中。在客户虚拟机的非根模式(non-root模式)下,调用相关指令,并将寄存器设为相应的值,来实现EPTP switching的操作,在不下陷的情况下高效地将当前的EPTP切换到之前配置好存储在EPTP_LIST_ADDR中的某个EPTP。因此,当虚拟机监控器配置好了相应的EPT之后,在安全通信模块的跳板函数中,只需要调用一个VMFUNC指令,传入对应的EPT的索引,既可以达到切换EPT所对应的上下文的效果,而不需要引起虚拟机下陷。这就是我们提出的内核模块与内核核心之间基于虚拟化硬件特性的安全高效切换。In order to minimize the performance loss caused by virtual machine sinking caused by memory isolation and context switching during operation, our system uses a virtualization hardware extension mechanism of Intel processors: EPTP Switching (Extended Page Table Pointer Replacement) . This is a function provided by the hardware that can run in the virtual machine. The function of this function is to change the value of the EPT Pointer without sinking into the virtual machine monitor. We can create a series of EPTs and their corresponding EPTPs in the virtual machine monitor to form an EPTP array, and then fill the first address of the array into a specific field EPTP_LIST_ADDR in the virtual machine control structure VMCS (Virtual Machine ControlStructure) middle. In the non-root mode (non-root mode) of the guest virtual machine, call the relevant instructions and set the register to the corresponding value to realize the operation of EPTP switching, and efficiently switch the current EPTP to Configure an EPTP stored in EPTP_LIST_ADDR before. Therefore, after the virtual machine monitor has configured the corresponding EPT, in the springboard function of the secure communication module, only one VMFUNC instruction needs to be called, and the index of the corresponding EPT is passed in, which can achieve the effect of switching the context corresponding to the EPT. , without causing the virtual machine to sink. This is the safe and efficient switching between the kernel module and the kernel core based on the characteristics of virtualized hardware.

在一个优选的具体实施方式中,本发明提供的基于虚拟化硬件特性的高效隔离内核模块的系统的具体部署流程包括内核分割、基于虚拟化的内存隔离初始化、运行时内存访问监控、不可信的内核模块和内核核心之间基于硬件特性的高效切换这四个阶段。以下将通过具体实施示例来详细描述本发明。In a preferred embodiment, the specific deployment process of the system for efficiently isolating kernel modules based on virtualization hardware features provided by the present invention includes kernel segmentation, virtualization-based memory isolation initialization, runtime memory access monitoring, untrusted These four phases are hardware-based efficient switching between kernel modules and kernel cores. The present invention will be described in detail below through specific implementation examples.

本发明的示例具体步骤如下:The example concrete steps of the present invention are as follows:

步骤1,在部署整个系统之前,需要对内核核心和不可信的内核模块的源码进行源代码级别的程序分析,通过数据依赖和控制流分析得到不可信的内核模块和内核核心之间的依赖关系,并且通过自动脚本将所有函数调用依赖和数据访问依赖替换成通信模块提供的跳板函数封装,最后通过编译器(GCC)编译选项,将处理好的数据和代码分割到不同的程序段中。Step 1. Before deploying the entire system, it is necessary to perform source code-level program analysis on the source code of the kernel core and untrusted kernel modules, and obtain the dependencies between the untrusted kernel modules and the kernel core through data dependency and control flow analysis , and replace all function call dependencies and data access dependencies with springboard function packages provided by the communication module through automatic scripts, and finally divide the processed data and code into different program segments through compiler (GCC) compilation options.

步骤2,虚拟机内核核心调用一个系统提供的系统调用,传入准备好的程序段信息,虚拟机监控器根据提供的程序段信息将两段程序段部署在不同的相互隔离的内存区域,并且为两个内存区域分别创建一套EPT。Step 2, the virtual machine kernel core invokes a system call provided by the system, and passes in the prepared program segment information, and the virtual machine monitor deploys the two program segments in different mutually isolated memory areas according to the provided program segment information, and Create a set of EPTs for the two memory regions respectively.

步骤3,在运行时,虚拟机监控器会对这两个EPT对应的内存区域进行权限访问控制,当不可信的内核模块中的代码直接访问内核核心对应的EPT中的数据的时候,会产生一个异常,下陷进入虚拟机监控器,由虚拟机监控器中的内存隔离模块对该访问进行检查,如果确定是非法访问,则终止不可信的内核模块的运行。Step 3. During operation, the virtual machine monitor will perform permission access control on the memory areas corresponding to the two EPTs. When the code in the untrusted kernel module directly accesses the data in the EPT corresponding to the kernel core, it will generate An abnormality sinks into the virtual machine monitor, and the memory isolation module in the virtual machine monitor checks the access, and if it is determined to be an illegal access, the operation of the untrusted kernel module is terminated.

步骤4,在不可信的内核模块和内核核心的运行过程中,如果发生不可信的内核模块需要调用内核核心的函数,或者访问相关数据,则进入通信模块提供的跳板函数。跳板函数通过VMFUNC指令,传入内核核心对于的EPT指针索引,快速切换到内核核心的EPT内存空间,由内核核心调用和访问相应的函数和数据,最后再通过VMFUNC指令,传入不可信的内核模块对于的EPT指针索引,将结果返回给不可信的内核模块。反之亦然。Step 4: During the operation of the untrusted kernel module and the kernel core, if the untrusted kernel module needs to call the function of the kernel kernel or access related data, enter the springboard function provided by the communication module. The springboard function passes the VMFUNC instruction to the EPT pointer index of the kernel core, quickly switches to the EPT memory space of the kernel core, and the kernel core calls and accesses the corresponding functions and data, and finally passes the VMFUNC instruction to the untrusted kernel The EPT pointer index for the module to return the result to the untrusted kernel module. vice versa.

本领域技术人员知道,除了以纯计算机可读程序代码方式实现本发明提供的系统及其各个装置以外,完全可以通过将方法步骤进行逻辑编程来使得本发明提供的系统及其各个装置以逻辑门、开关、专用集成电路、可编程逻辑控制器以及嵌入式微控制器等的形式来实现相同功能。所以,本发明提供的系统及其各项装置可以被认为是一种硬件部件,而对其内包括的用于实现各种功能的装置也可以视为硬件部件内的结构;也可以将用于实现各种功能的装置视为既可以是实现方法的软件模块又可以是硬件部件内的结构。Those skilled in the art know that, in addition to realizing the system provided by the present invention and its various devices in a purely computer-readable program code mode, the system provided by the present invention and its various devices can be completely programmed with logic gates, logic gates, The same functions can be realized in the form of switches, application-specific integrated circuits, programmable logic controllers, and embedded microcontrollers. Therefore, the system provided by the present invention and its various devices can be considered as a hardware component, and the devices included in it for realizing various functions can also be regarded as the structure in the hardware component; Means for implementing various functions can be regarded as either a software module implementing a method or a structure within a hardware component.

以上对本发明的具体实施例进行了描述。需要理解的是,本发明并不局限于上述特定实施方式,本领域技术人员可以在权利要求的范围内做出各种变化或修改,这并不影响本发明的实质内容。在不冲突的情况下,本申请的实施例和实施例中的特征可以任意相互组合。Specific embodiments of the present invention have been described above. It should be understood that the present invention is not limited to the specific embodiments described above, and those skilled in the art may make various changes or modifications within the scope of the claims, which do not affect the essence of the present invention. In the case of no conflict, the embodiments of the present application and the features in the embodiments can be combined with each other arbitrarily.

Claims (10)

1. the system efficiently isolating kernel module based on virtualization hardware characteristic, it is characterised in that include that kernel is split Module, internal memory isolation module, secure communication module;
Kernel segmentation module, for kernel core source code and incredible kernel module source code be divided into two sections independent upper and lower Literary composition, the most incredible kernel module context, kernel core context;
Internal memory isolation module, for being deployed in described two sections of independent contexts in two physical memories kept apart;
Secure communication module, for when incredible kernel module needs the function calling the offer of kernel core, flowing control Be switched to kernel core context by incredible kernel module context, kernel core calling incredible kernel module needs After function to be called, control stream is switched back to incredible kernel module context;Further, need to adjust in kernel core During the function provided with incredible kernel module, control stream is switched to incredible kernel module by kernel core context Context, incredible kernel module, after calling the function that kernel core needs call, switch back to kernel by control stream Core context.
The system efficiently isolating kernel module based on virtualization hardware characteristic the most according to claim 1, its feature exists In, internal memory isolation module, for for incredible kernel module context, that kernel core context sets up two sets is the most independent Page table, and the access of the physical memory operationally kept apart said two conducts interviews control of authority.
The system efficiently isolating kernel module based on virtualization hardware characteristic the most according to claim 1, its feature exists In, kernel segmentation module, for by carrying out data dependence analysis to kernel core source code and incredible kernel module source code And control flow analysis;
By secure communication module, following function call and data access are compiled in kernel core context:
-incredible kernel module needs the function that the kernel core called provides;
-incredible kernel module needs the data in the kernel core accessed;
By secure communication module, following function call and data access are compiled in incredible kernel module context:
-kernel core needs the function that the incredible kernel module called provides;
-kernel core needs the data in the incredible kernel module accessed.
The system efficiently isolating kernel module based on virtualization hardware characteristic the most according to claim 2, its feature exists In, in secure communication module, realize incredible kernel by the page table the most independent at described two sets switches over Switching between module context and kernel core context.
The system efficiently isolating kernel module based on virtualization hardware characteristic the most according to claim 1, its feature exists In, also include extending page table pointers replacement module;
Extension page table pointers replacement module, for creating multiple page table and the plurality of page table each in monitor of virtual machine Corresponding page table pointers depositor EPTP, forms EPTP array by page table pointers depositor EPTP, by the first address of EPTP array Filling out the territory in virtual machine control structure VMCS, this territory is designated as EPTP_LIST_ADDR territory;Non-root mode at guest virtual machine In, current page table is switched to the configured good page table being stored in EPTP_LIST_ADDR territory corresponding to address.
6. the method efficiently isolating kernel module based on virtualization hardware characteristic, it is characterised in that include that kernel is split Step, internal memory isolation step, secure communication step;
Kernel segmentation step: kernel core source code and incredible kernel module source code are divided into two sections of independent contexts, It is respectively incredible kernel module context, kernel core context;
Internal memory isolation step: described two sections of independent contexts are deployed in two physical memories kept apart;
Secure communication step: when incredible kernel module needs the function calling the offer of kernel core, control is flowed by not Believable kernel module context is switched to kernel core context, kernel core calling incredible kernel module needs to adjust Function after, control stream is switched back to incredible kernel module context;Further, need to call not in kernel core During the function that believable kernel module provides, control stream is switched to incredible kernel module by kernel core context upper and lower Literary composition, incredible kernel module, after calling the function that kernel core needs call, switch back to kernel core by control stream Context.
The method efficiently isolating kernel module based on virtualization hardware characteristic the most according to claim 6, its feature exists In, internal memory isolation step: set up the page that two sets are the most independent for incredible kernel module context, kernel core context Table, and the access of the physical memory operationally kept apart said two conducts interviews control of authority.
The method efficiently isolating kernel module based on virtualization hardware characteristic the most according to claim 6, its feature exists In, kernel segmentation step: by kernel core source code and incredible kernel module source code are carried out data dependence analysis and control Flow point processed is analysed;
By secure communication step, following function call and data access are compiled in kernel core context:
-incredible kernel module needs the function that the kernel core called provides;
-incredible kernel module needs the data in the kernel core accessed;
By secure communication step, following function call and data access are compiled in incredible kernel module context:
-kernel core needs the function that the incredible kernel module called provides;
-kernel core needs the data in the incredible kernel module accessed.
The method efficiently isolating kernel module based on virtualization hardware characteristic the most according to claim 7, its feature exists In, in secure communication step, realize incredible kernel by the page table the most independent at described two sets switches over Switching between module context and kernel core context.
The method efficiently isolating kernel module based on virtualization hardware characteristic the most according to claim 6, its feature exists In, also include extending page table pointers replacement step;
Extension page table pointers replacement step: create multiple page table in monitor of virtual machine and the plurality of page table is the most corresponding Page table pointers depositor EPTP, by page table pointers depositor EPTP form EPTP array, the first address of EPTP array is filled out Territory in virtual machine control structure VMCS, this territory is designated as EPTP_LIST_ADDR territory;In the non-root mode of guest virtual machine, will Current page table is switched to the configured good page table being stored in EPTP_LIST_ADDR territory corresponding to address.
CN201610497325.4A 2016-06-29 2016-06-29 The system and method efficiently isolating kernel module based on virtualization hardware characteristic Pending CN106203082A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610497325.4A CN106203082A (en) 2016-06-29 2016-06-29 The system and method efficiently isolating kernel module based on virtualization hardware characteristic

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610497325.4A CN106203082A (en) 2016-06-29 2016-06-29 The system and method efficiently isolating kernel module based on virtualization hardware characteristic

Publications (1)

Publication Number Publication Date
CN106203082A true CN106203082A (en) 2016-12-07

Family

ID=57463590

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610497325.4A Pending CN106203082A (en) 2016-06-29 2016-06-29 The system and method efficiently isolating kernel module based on virtualization hardware characteristic

Country Status (1)

Country Link
CN (1) CN106203082A (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106970823A (en) * 2017-02-24 2017-07-21 上海交通大学 Efficient secure virtual machine guard method and system based on nested virtualization
CN107102888A (en) * 2017-04-25 2017-08-29 华中科技大学 A kind of shared library insulation blocking method and system based on hardware virtualization technology
CN107103257A (en) * 2017-05-16 2017-08-29 成都鼎智汇科技有限公司 computer intrusion prevention method
CN107194287A (en) * 2017-05-12 2017-09-22 中国科学院信息工程研究所 A kind of module safety partition method on ARM platforms
CN107450962A (en) * 2017-07-03 2017-12-08 北京东土科技股份有限公司 Abnormality eliminating method, apparatus and system under a kind of virtualization running environment
CN107563224A (en) * 2017-09-04 2018-01-09 济南浪潮高新科技投资发展有限公司 A kind of multi-user's physical isolation method and device
CN107797895A (en) * 2017-05-08 2018-03-13 中国人民解放军国防科学技术大学 A kind of secure virtual machine monitoring method and system
CN108491716A (en) * 2018-01-29 2018-09-04 中国电子科技网络信息安全有限公司 A kind of virutal machine memory isolation detection method based on physical page address analysis
CN109460373A (en) * 2017-09-06 2019-03-12 阿里巴巴集团控股有限公司 A kind of data sharing method, terminal device and storage medium
CN110059453A (en) * 2019-03-13 2019-07-26 中国科学院计算技术研究所 A kind of container virtualization safety reinforced device and method
CN110058921A (en) * 2019-03-13 2019-07-26 上海交通大学 Guest virtual machine memory dynamic isolation and monitoring method and system
CN110119637A (en) * 2018-02-07 2019-08-13 晨星半导体股份有限公司 Hardware controlling method and hardware system
US10698720B2 (en) 2018-01-08 2020-06-30 Mediatek Inc. Hardware control method and hardware control system
CN112035272A (en) * 2019-06-03 2020-12-04 华为技术有限公司 Method, apparatus and computer equipment for interprocess communication
CN113064697A (en) * 2021-04-01 2021-07-02 上海交通大学 Method for accelerating communication between microkernel processes by using multiple hardware characteristics
CN113704007A (en) * 2021-09-14 2021-11-26 上海交通大学 Serverless computing platform acceleration system using hardware features
WO2021238294A1 (en) * 2020-05-27 2021-12-02 华为技术有限公司 Data processing method and data processing apparatus
CN120263424A (en) * 2025-06-04 2025-07-04 广州钛动科技股份有限公司 A dynamic key protection method and system based on AI context perception

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101226577A (en) * 2008-01-28 2008-07-23 南京大学 Integrity Protection Method of Microkernel Operating System Based on Trusted Hardware and Virtual Machine
WO2009039375A3 (en) * 2007-09-20 2009-07-02 C & S Operations Inc Computer system
US20120030669A1 (en) * 2010-07-28 2012-02-02 Michael Tsirkin Mechanism for Delayed Hardware Upgrades in Virtualization Systems
CN104809401A (en) * 2015-05-08 2015-07-29 南京大学 Method for protecting integrity of kernel of operating system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009039375A3 (en) * 2007-09-20 2009-07-02 C & S Operations Inc Computer system
CN101226577A (en) * 2008-01-28 2008-07-23 南京大学 Integrity Protection Method of Microkernel Operating System Based on Trusted Hardware and Virtual Machine
US20120030669A1 (en) * 2010-07-28 2012-02-02 Michael Tsirkin Mechanism for Delayed Hardware Upgrades in Virtualization Systems
CN104809401A (en) * 2015-05-08 2015-07-29 南京大学 Method for protecting integrity of kernel of operating system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
刘宇涛 等: "Thwarting Memory Disclosure with Efficient Hypervisor-enforced Intra-domain Isolation", 《THE 22ND ACM SIGSAC CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY》 *
刘宇涛 等: "基于体系结果扩展的云计算安全增强研究", 《集成技术》 *

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106970823B (en) * 2017-02-24 2021-02-12 上海交通大学 Efficient nested virtualization-based virtual machine security protection method and system
CN106970823A (en) * 2017-02-24 2017-07-21 上海交通大学 Efficient secure virtual machine guard method and system based on nested virtualization
CN107102888A (en) * 2017-04-25 2017-08-29 华中科技大学 A kind of shared library insulation blocking method and system based on hardware virtualization technology
CN107102888B (en) * 2017-04-25 2019-11-22 华中科技大学 A shared library isolation protection method and system based on hardware virtualization technology
CN107797895A (en) * 2017-05-08 2018-03-13 中国人民解放军国防科学技术大学 A kind of secure virtual machine monitoring method and system
CN107194287A (en) * 2017-05-12 2017-09-22 中国科学院信息工程研究所 A kind of module safety partition method on ARM platforms
CN107103257B (en) * 2017-05-16 2020-06-16 陕西国博政通信息科技有限公司 Computer intrusion prevention method
CN107103257A (en) * 2017-05-16 2017-08-29 成都鼎智汇科技有限公司 computer intrusion prevention method
CN107450962A (en) * 2017-07-03 2017-12-08 北京东土科技股份有限公司 Abnormality eliminating method, apparatus and system under a kind of virtualization running environment
CN107450962B (en) * 2017-07-03 2020-04-24 北京东土科技股份有限公司 Exception handling method, device and system in virtualized operation environment
CN107563224A (en) * 2017-09-04 2018-01-09 济南浪潮高新科技投资发展有限公司 A kind of multi-user's physical isolation method and device
CN109460373A (en) * 2017-09-06 2019-03-12 阿里巴巴集团控股有限公司 A kind of data sharing method, terminal device and storage medium
WO2019047745A1 (en) * 2017-09-06 2019-03-14 阿里巴巴集团控股有限公司 Data sharing method, terminal apparatus and storage medium
CN109460373B (en) * 2017-09-06 2022-08-26 阿里巴巴集团控股有限公司 Data sharing method, terminal equipment and storage medium
US10698720B2 (en) 2018-01-08 2020-06-30 Mediatek Inc. Hardware control method and hardware control system
CN108491716A (en) * 2018-01-29 2018-09-04 中国电子科技网络信息安全有限公司 A kind of virutal machine memory isolation detection method based on physical page address analysis
CN110119637A (en) * 2018-02-07 2019-08-13 晨星半导体股份有限公司 Hardware controlling method and hardware system
CN110119637B (en) * 2018-02-07 2023-04-14 联发科技股份有限公司 Hardware control method and hardware control system
CN110059453A (en) * 2019-03-13 2019-07-26 中国科学院计算技术研究所 A kind of container virtualization safety reinforced device and method
CN110059453B (en) * 2019-03-13 2021-02-05 中国科学院计算技术研究所 Container virtualization security reinforcing device and method
CN110058921A (en) * 2019-03-13 2019-07-26 上海交通大学 Guest virtual machine memory dynamic isolation and monitoring method and system
CN110058921B (en) * 2019-03-13 2021-06-22 上海交通大学 Client virtual machine memory dynamic isolation and monitoring method and system
WO2020244369A1 (en) * 2019-06-03 2020-12-10 华为技术有限公司 Inter-process communication method and apparatus, and computer device
CN112035272A (en) * 2019-06-03 2020-12-04 华为技术有限公司 Method, apparatus and computer equipment for interprocess communication
WO2021238294A1 (en) * 2020-05-27 2021-12-02 华为技术有限公司 Data processing method and data processing apparatus
CN113064697A (en) * 2021-04-01 2021-07-02 上海交通大学 Method for accelerating communication between microkernel processes by using multiple hardware characteristics
CN113704007A (en) * 2021-09-14 2021-11-26 上海交通大学 Serverless computing platform acceleration system using hardware features
CN113704007B (en) * 2021-09-14 2023-11-07 上海交通大学 Serverless computing platform that leverages hardware features to accelerate systems
CN120263424A (en) * 2025-06-04 2025-07-04 广州钛动科技股份有限公司 A dynamic key protection method and system based on AI context perception

Similar Documents

Publication Publication Date Title
CN106203082A (en) The system and method efficiently isolating kernel module based on virtualization hardware characteristic
AU2019252434B2 (en) Method and system for improving software container performance and isolation
US11768931B2 (en) Technologies for object-oriented memory management with extended segmentation
US11200080B1 (en) Late load technique for deploying a virtualization layer underneath a running operating system
EP3311322B1 (en) Protected memory regions
KR102189296B1 (en) Event filtering for virtual machine security applications
JP6142027B2 (en) System and method for performing protection against kernel rootkits in a hypervisor environment
US9648045B2 (en) Systems and methods involving aspects of hardware virtualization such as hypervisor, detection and interception of code or instruction execution including API calls, and/or other features
US9946562B2 (en) System and method for kernel rootkit protection in a hypervisor environment
US9390267B2 (en) Systems and methods involving features of hardware virtualization, hypervisor, pages of interest, and/or other features
Wang et al. {SecPod}: a Framework for Virtualization-based Security Systems
US10360386B2 (en) Hardware enforcement of providing separate operating system environments for mobile devices
Wang et al. Design and implementation of SecPod, a framework for virtualization-based security systems
CN106970823A (en) Efficient secure virtual machine guard method and system based on nested virtualization
US10489185B2 (en) Hypervisor-assisted approach for locating operating system data structures based on attribute matching
US20180267818A1 (en) Hypervisor-assisted approach for locating operating system data structures based on notification data
CN119105802A (en) Optimization method, optimization device and computing equipment
Hua et al. Barrier: a lightweight hypervisor for protecting kernel integrity via memory isolation
Bratus et al. The cake is a lie: privilege rings as a policy resource
CN104794407A (en) Virtual machine file mandatory access control method and system based on KVM
Liu et al. HyperPS: a hypervisor monitoring approach based on privilege separation

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20161207