Technical field
The invention relates to the technical field of virtual machine security monitoring, and in particular to an agentless paged measurement system and method for virtual machine process code.
Background art
Virtualization is one of the core technologies of cloud computing platforms, and as cloud services are adopted on a large scale, the security of those platforms has become a focus of attention. Typically, critical services deployed in the cloud must run for long periods to serve users, and their security, stability and availability are the key requirements for guaranteeing service quality. On the one hand, the virtual machine operating system that hosts a critical service has security defects of varying severity, such as misconfigurations and code vulnerabilities; on the other hand, the code of the critical service itself also contains vulnerabilities. Malware can exploit vulnerabilities in the operating system and in the service to modify critical service code, for example to hide its own presence or to steal sensitive data, which seriously threatens the stable operation of the service. Therefore, in order to detect tampering with critical services as early as possible, it is necessary to measure the integrity of virtual machine process code.
Modern operating systems generally manage memory with a paging mechanism: a user-mode process is allocated a contiguous logical address space, but physical memory is allocated dynamically and on demand in units of physical pages, and only the code or data that must be accessed immediately is loaded. An integrity verification flow generally consists of two parts, measurement and verification: the measurement part collects information from inside the system and sends it to the verification part; the verification part stores the original base values and compares them with the received measurement information to verify integrity. Methods for measuring a virtual machine system in a cloud environment fall into two categories according to where the measurement part is deployed: in the first, the measurement part is deployed inside the virtual machine; in the second, it is deployed in the Hypervisor.
The first category can obtain rich information about the virtual machine system, but has defects: 1) it depends on the version of the target virtual machine and is therefore not very general; 2) it is exposed to attack by malware inside the virtual machine, so the Hypervisor must provide additional protection, which increases the complexity of the system. The second category uses the high privilege level and isolation of the Hypervisor to keep the measurement part out of reach of malicious attacks from the virtual machine, but it faces its own challenge: because the virtual machine allocates physical memory to its internal processes and loads code or data dynamically, a measurement part located in the Hypervisor has difficulty obtaining the complete code or data of a virtual machine process and verifying its integrity.
Summary of the invention
In view of the above problems, the object of the present invention is to provide an agentless paged measurement system and method for virtual machine process code that can measure the integrity of virtual machine processes, so as to solve the problem that the Hypervisor cannot measure the complete code segment of a virtual machine process because the virtual machine allocates memory dynamically. The technical solution is as follows:
An agentless paged measurement system for virtual machine process code, comprising a capture module, a measurement module, a base value library, a comparison module and a log;
the capture module sets measurement points at the Hypervisor layer to capture system events occurring in the virtual machine; after a system event is captured, it performs semantic reconstruction using VMI (Virtual Machine Introspection) to obtain the process information of the process currently executing in the virtual machine, and passes the process information to the measurement module;
the measurement module receives the virtual machine process information passed by the capture module, divides the code segment of the virtual machine process into multiple code pages in units of the virtual machine's physical page size, and generates page information for each code page; based on the page information, it determines whether the code page has been loaded into the physical memory of the virtual machine: if it has been loaded, the code page is measured and code page measurement information is generated; if it has not been loaded, measurement of that code page is skipped; the generated code page measurement information is passed to the comparison module;
the base value library is a list storing the measurement base value information of all virtual machine process code pages;
the comparison module receives the measurement information passed by the measurement module and reads the base value information from the base value library; it compares the measurement information with the base value information and writes the comparison information to the log;
the log receives and records the comparison information sent by the comparison module.
Further, the measurement point is a virtual machine system event that triggers the measurement process at the Hypervisor layer.
Further still, the system event is a system behavior in the virtual machine that causes a virtual machine exit event, including but not limited to a process system call, a process switch or a page fault exception.
Further still, the process information is the basic information the Hypervisor needs to measure the virtual machine process code, including but not limited to the virtual machine process name, the start address of the virtual machine process code and the length of the virtual machine process code; the start address of the virtual machine process code is the virtual address of the process code being measured.
Further still, the page information is the basic information the Hypervisor needs to measure a virtual machine process code page, including but not limited to the virtual machine process name, the page number, the page start address and the page length; the page start address is the virtual address of the virtual machine process code page.
Further still, the measurement information is the basic information the comparison module needs to perform the comparison, including but not limited to the virtual machine process name, the code page number, the code page measurement value and the code page length.
Further still, the base value information is the trusted measurement information of a code page in its normal state, including but not limited to the process name, the code page number and the code page measurement value.
Further still, the comparison information is the result of comparing the virtual machine process code page measurement value with the virtual machine process code page base value information, including but not limited to the process name, the code page number, the measurement value, the base value, the comparison result and the comparison time.
An agentless paged measurement method for virtual machine process code, comprising the following steps:
A: while the virtual machine is running, a process enters the kernel system call handler by executing the system call trap instruction;
B: when the virtual machine executes the system call trap instruction to enter the kernel system call handler, a virtual machine exit event is generated;
C: the capture module captures the virtual machine exit event generated in the virtual machine, reconstructs the semantic information of the virtual machine process using VMI, and passes it to the measurement module;
D: after receiving the virtual machine process information, the measurement module divides the code into multiple code pages by the virtual machine's physical page size according to the start address and length of the virtual machine process code, and generates page information; then, according to the code page number and code page start address in the page information, it accesses the virtual machine's physical memory to determine whether each code page has been loaded; if loaded, the code page is measured and the resulting measurement information is passed to the comparison module; if not loaded, the measurement process for that code page is skipped;
E: the comparison module compares the received measurement information with the base value information read from the base value library, passes the comparison information to the log, and resumes execution of the virtual machine's system call handler;
F: the system call handler continues executing in the virtual machine kernel along its normal path and, upon completion, executes the system call return instruction to resume normal execution of the process.
The beneficial effects of the invention are:
(1) The invention divides the virtual machine process code into multiple pages and measures those code pages that have been loaded into virtual machine memory, solving the problem that the Hypervisor cannot measure the complete virtual machine process code because the virtual machine allocates memory dynamically;
(2) The invention deploys the measurement flow at the Hypervisor layer and measures virtual machine process code transparently and dynamically in an agentless way, without modifying the virtual machine kernel; at the same time, because the measurement flow is located outside the virtual machine, it is protected from attack by malware inside the virtual machine, which improves security;
(3) The measurement approach used by the invention can also be used to measure other virtual machine information, including but not limited to static data of the virtual machine kernel and static data of virtual machine processes.
Brief description of the drawings
FIG. 1 is a block diagram of the agentless method of the invention for monitoring the system call behavior of virtual machine processes.
FIG. 2 is a flow chart of the transparent capture of virtual machine system calls in the invention.
Detailed description
To make the objects, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments. The system works on the following principle:
Measurement points are set at the Hypervisor layer to intercept system events triggered by virtual machine processes, and VMI is used to read the virtual machine process information. Based on the process information read, the virtual machine process code is divided into multiple code pages in units of the virtual machine's physical page, and the number and start address of each code page are determined. At the Hypervisor layer, the start address of each code page is used to determine whether that page has been loaded into the virtual machine's physical memory; if it has, the page is measured at the Hypervisor layer; if not, measurement of that page is skipped. Using the process information, code page number and measurement value, the corresponding base value is read from the base value library and compared, the integrity of each code page is verified, and the result is recorded in the log.
As shown in FIG. 1, the agentless paged measurement system for virtual machine process code of this embodiment comprises a capture module, a measurement module, a base value library, a comparison module and a log.
1) The capture module sets measurement points at the Hypervisor layer to capture system events occurring in the virtual machine; after a system event is captured, it performs semantic reconstruction using VMI to obtain the process information of the process currently executing in the virtual machine, and passes the process information to the measurement module.
In this embodiment, the measurement point is a virtual machine system event that triggers the measurement process at the Hypervisor layer. System events are process behaviors in the virtual machine that cause virtual machine exit events, including but not limited to process system calls, process switches and page fault exceptions.
The process information is the basic information the Hypervisor needs to measure the virtual machine process code, including but not limited to the virtual machine process name, the start address of the virtual machine process code and the length of the virtual machine process code. The start address of the virtual machine process code is the virtual address of the process code being measured.
Process information can be defined as follows:
name address size
This record indicates that the virtual machine process name is name, the start address of the virtual machine process code segment is address, and the length of the code segment is size.
2) The measurement module receives the virtual machine process information passed by the capture module, divides the virtual machine process code into multiple code pages in units of the virtual machine's physical page size, and generates page information for each code page; based on the page information, it determines whether the code page has been loaded into the physical memory of the virtual machine: if it has been loaded, the code page is measured and code page measurement information is generated; if it has not been loaded, measurement of that code page is skipped; the generated code page measurement information is passed to the comparison module.
The page information is the set of basic information the Hypervisor needs to measure a virtual machine process code page, including but not limited to the virtual machine process name, the page number, the page start address and the page length. The page start address is the virtual address of the virtual machine process code page.
Page information can be defined as follows:
name number page_address page_size
This record indicates that the virtual machine process name is name, the number of the code page is number, the start address of the code page is page_address, and the length of the code page is page_size.
The measurement information is the set of basic information the comparison module needs to perform the comparison, including but not limited to the virtual machine process name, the code page number, the code page measurement value and the measured code page length.
Measurement information can be defined as follows:
name number hash(value) page_size
This record indicates that the virtual machine process name is name, the code page number is number, the measurement value of the code page is hash(value), and the length of the code page is page_size.
3) The base value library is a list storing the measurement base value information of all virtual machine process code pages. It may exist in the form of a file, a database or another format; one way to obtain the base value information is to perform paged measurement of the process code segment in its normal state in a clean operating system.
The base value information is the trusted measurement information of a code page in its normal state, including but not limited to the process name, the code page number and the code page measurement value.
4) The comparison module receives the measurement information passed by the measurement module and reads the base value information from the base value library; it compares the measurement information with the base value information and writes the comparison information to the log.
5) The log receives and records the comparison information sent by the comparison module.
The comparison information is the result of comparing the virtual machine process code page measurement value with the virtual machine process code page base value information, including but not limited to the process name, the code page number, the measurement value, the base value, the comparison result and the comparison time.
Comparison information can be defined as follows:
name number hash(value) baseline result time
This record indicates that the virtual machine process name is name, the code page number is number, the measurement value of the code page is hash(value), the base value of the code page is baseline, the comparison result is result, and the comparison time is time.
The data flow between the modules is as follows:
1) Before the virtual machine starts, the capture module sets measurement points in the Hypervisor; while the virtual machine is running, the capture module captures system events occurring in the virtual machine, uses VMI to read the process information of the currently executing process, and passes it to the measurement module.
2) The measurement module receives the process information passed by the capture module; according to the virtual machine process name, the start address of the code segment and the length of the code segment in the process information, it divides the code into pages by the virtual machine's physical page size and generates page information; according to the code page number and code page start address in the page information, it determines for each code page whether it has been loaded into the virtual machine's physical memory: if loaded, it reads the code page and measures it, generating code page measurement information; if not loaded, the measurement process for that page is skipped; the generated code page measurement information is passed to the comparison module.
3) The base value library provides the comparison module with the base value information of the virtual machine process code pages.
4) The comparison module receives the measurement information passed by the measurement module; using the virtual machine process name and code page number in the measurement information, it looks up the corresponding base value information in the base value library; it compares the code page measurement value in the measurement information with the base value; and it writes the comparison result to the log.
5) The log receives the comparison information passed by the comparison module.
Based on the above measurement system, the paged measurement method for virtual machine process code disclosed in this embodiment is shown in the flow chart of FIG. 2, with the following steps:
A: while the virtual machine is running, a process enters the kernel system call handler by executing the system call trap instruction;
B: when the virtual machine executes the system call trap instruction to enter the kernel system call handler, a virtual machine exit event is generated;
C: the capture module captures the virtual machine exit event generated in the virtual machine, reconstructs the semantic information of the virtual machine process using VMI, and passes it to the measurement module;
D: after receiving the virtual machine process information, the measurement module divides the code into multiple code pages by the virtual machine's physical page size according to the start address and length of the virtual machine process code, and generates page information; then, according to the code page number and code page start address in the page information, it accesses the virtual machine's physical memory to determine whether each code page has been loaded; if loaded, the code page is measured and the resulting measurement information is passed to the comparison module; if not loaded, the measurement process for that code page is skipped;
E: the comparison module compares the received measurement information with the base value information read from the base value library, passes the comparison information to the log, and resumes execution of the virtual machine's system call handler;
F: the system call handler continues executing in the virtual machine kernel along its normal path and, upon completion, executes the system call return instruction to resume normal execution of the process.
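To make steps D and E and the base value library concrete, the following Python example (added here; it is not code from the patent) simulates the whole paged measurement flow: the code segment is split into page-sized chunks, each chunk is measured only if the guest has actually loaded it, and each measurement is compared with a base value recorded once from a clean system, producing records in the patent's "name number hash(value) baseline result time" format. The in-memory guest model, the 4 KiB page size, SHA-256 as hash(), the process svc_demo and its code bytes are all constructed assumptions; a real implementation would read guest pages from the Hypervisor through VMI. The example goes slightly beyond the text by handling a code segment whose start address is not page-aligned, so that no chunk straddles two pages with different loaded states.

```python
# Added example, not code from the patent: simulation of the paged measurement flow.
# Guest memory, page size, hash algorithm and the sample process are constructed.
import hashlib
from dataclasses import dataclass
from typing import Optional

PAGE_SIZE = 4096  # assumed guest physical page size


@dataclass
class ProcessInfo:          # the patent's "name address size" record
    name: str
    address: int            # virtual start address of the code segment
    size: int               # code segment length in bytes

@dataclass
class PageInfo:             # "name number page_address page_size"
    name: str
    number: int
    page_address: int
    page_size: int

@dataclass
class Measurement:          # "name number hash(value) page_size"
    name: str
    number: int
    hash: str
    page_size: int

@dataclass
class ComparisonRecord:     # "name number hash(value) baseline result time"
    name: str
    number: int
    hash: str
    baseline: Optional[str]
    result: str
    time: str


class GuestMemory:
    """Constructed stand-in for guest memory as seen through VMI: maps a virtual
    page number to its contents; a missing key means the guest's on-demand
    paging has not loaded that page yet."""

    def __init__(self, page_size: int = PAGE_SIZE):
        self.page_size = page_size
        self.pages: dict = {}

    def load(self, vaddr: int, data: bytes) -> None:
        pos = 0
        while pos < len(data):                      # may span several pages
            vpn, off = divmod(vaddr + pos, self.page_size)
            n = min(self.page_size - off, len(data) - pos)
            page = self.pages.setdefault(vpn, bytearray(self.page_size))
            page[off:off + n] = data[pos:pos + n]
            pos += n

    def read(self, vaddr: int, length: int) -> Optional[bytes]:
        vpn, off = divmod(vaddr, self.page_size)
        if off + length > self.page_size:
            raise ValueError("read must not cross a page boundary")
        page = self.pages.get(vpn)
        return None if page is None else bytes(page[off:off + length])


def split_into_pages(proc: ProcessInfo, page_size: int = PAGE_SIZE) -> list:
    """Cut the code segment at page boundaries so each chunk lies in exactly one
    page; an unaligned start gives a short first chunk, the tail may be short too."""
    pages, addr, end = [], proc.address, proc.address + proc.size
    while addr < end:
        boundary = (addr // page_size + 1) * page_size
        length = min(boundary, end) - addr
        pages.append(PageInfo(proc.name, len(pages), addr, length))
        addr += length
    return pages


def measure_pages(pages: list, guest: GuestMemory) -> list:
    """Measurement module: hash every code page present in guest memory, skip absent ones."""
    out = []
    for p in pages:
        data = guest.read(p.page_address, p.page_size)
        if data is None:
            continue                                # not loaded: no measurement, per the method
        out.append(Measurement(p.name, p.number, hashlib.sha256(data).hexdigest(), p.page_size))
    return out


def build_baseline(proc: ProcessInfo, clean_guest: GuestMemory) -> dict:
    """Base value library: measure the fully loaded code once in a clean system."""
    return {(m.name, m.number): m.hash for m in measure_pages(split_into_pages(proc), clean_guest)}


def compare(measurements: list, baseline: dict, now: str) -> list:
    """Comparison module: index the base value by (name, number) and compare hashes."""
    records = []
    for m in measurements:
        base = baseline.get((m.name, m.number))
        result = "unknown" if base is None else ("match" if base == m.hash else "mismatch")
        records.append(ComparisonRecord(m.name, m.number, m.hash, base, result, now))
    return records


def demo() -> list:
    """Constructed scenario: a 12388-byte segment at an unaligned address; at
    measurement time page 2 is not loaded yet and one byte of page 1 differs."""
    proc = ProcessInfo("svc_demo", 0x401800, 12388)
    code = bytes((i * 7 + 3) & 0xFF for i in range(proc.size))   # constructed code bytes
    clean = GuestMemory()
    clean.load(proc.address, code)
    baseline = build_baseline(proc, clean)
    runtime = GuestMemory()
    for p in split_into_pages(proc):
        if p.number != 2:                                          # page 2 stays unloaded
            start = p.page_address - proc.address
            runtime.load(p.page_address, code[start:start + p.page_size])
    runtime.load(0x402010, bytes([0xCC]))                          # modified byte in page 1
    return compare(measure_pages(split_into_pages(proc), runtime), baseline, "2017-03-01T00:00:00Z")


if __name__ == "__main__":
    for r in demo():
        print(r.name, r.number, r.hash[:16], (r.baseline or "-")[:16], r.result, r.time)
```

Running demo() yields three records (pages 0, 1 and 3); page 2 produces no record because it was never loaded, page 1 is reported as a mismatch, and the other two match. A page that is skipped now is measured the next time a measurement point fires after the guest has faulted it in, which is what lets the Hypervisor cover the whole segment over time without an in-guest agent.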
| Application Number | Priority Date | Filing Date | Status | Title |
|---|---|---|---|---|
| CN201710116432.2A (granted as CN106909509B) | 2017-03-01 | 2017-03-01 | Active | Agentless paged measurement system and method for virtual machine process code |
| Publication Number | Publication Date |
|---|---|
| CN106909509A | 2017-06-30 |
| CN106909509B | 2019-06-25 |
| Country | Link |
|---|---|
| CN (1) | CN106909509B (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108121593A | 2017-12-22 | 2018-06-05 | Sichuan University | Method and system for detecting abnormal behavior of virtual machine processes |
| CN110764995A | 2019-09-05 | 2020-02-07 | Beijing ByteDance Network Technology Co., Ltd. | Method, device, medium and electronic equipment for detecting abnormal file access |
| CN111831609A | 2020-06-18 | 2020-10-27 | Data Assurance and Communication Security Research Center, Chinese Academy of Sciences | Method and system for unified management and distribution of binary file measurement values in a virtualized environment |
| CN112463288A | 2019-09-09 | 2021-03-09 | Beijing Qihoo Technology Co., Ltd. | Instrumentation-based behavior monitoring method and system |
| CN114048485A | 2021-11-12 | 2022-02-15 | Sichuan University | Dynamic monitoring method for the integrity of process code segments in Docker containers |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101344904A | 2008-09-02 | 2009-01-14 | Institute of Software, Chinese Academy of Sciences | A dynamic measurement method |
| CN104134038A | 2014-07-31 | 2014-11-05 | Inspur Electronic Information Industry Co., Ltd. | Safe and trusted operation protection method based on a virtual platform |
| CN106055385A | 2016-06-06 | 2016-10-26 | Sichuan University | System and method for monitoring virtual machine processes, and method for filtering page fault exceptions |
| Publication number | Publication date |
|---|---|
| CN106909509B (en) | 2019-06-25 |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |