Technical Field
The present invention relates to the field of virtual machine technology, and in particular to a method for performing operations on registers, a computer device, a storage medium and a program product.
Background Art
With the rise of cloud computing, many users now choose cloud-based computing, storage, network and other resources to build their computing environments. As the supporting technology of cloud computing, virtualization technology has realized the functions of most physical devices.
In the field of virtual machine technology, the security measures of a virtual machine operating system are the same as the security defenses of a physical machine operating system, for example kernel hardening technology. Kernel hardening refers to improving the security of the system and its ability to resist external attacks by modifying, optimizing and encrypting the operating system kernel. For example, kernel hardening can restrict key kernel functions to prevent certain software from obtaining operating system privileges by calling those functions and performing destructive operations on the virtual machine operating system.
However, kernel hardening technology is implemented at the kernel level, and in a virtual machine scenario the virtual machine kernel does not run at the highest privilege level of the processor. Therefore, there is a risk that some software will bypass kernel hardening technology and attack the virtual machine operating system.
Summary of the Invention
In view of this, the present invention provides a method, apparatus, computer device, storage medium and program product for performing operations on registers, to solve the problem that some software bypasses kernel hardening technology and attacks the virtual machine operating system.
In a first aspect, the present invention provides a method for performing an operation on a register, the method including: capturing a target operation instruction, wherein the target operation instruction is an operation instruction that causes a virtual machine to switch from a working state to an exit state;
determining the type of the target operation instruction according to the target operation instruction;
when it is determined, according to the type of the target operation instruction, that the target operation instruction is an instruction for operating on a target register, obtaining an original value corresponding to the target register;
obtaining a first new value corresponding to the target operation instruction;
determining, in a pre-built policy table, whether target policy data corresponding to the target register exists;
when it is determined that the target policy data exists in the policy table, selecting one or more elements from the target policy data, the original value and the first new value, and performing an operation on the target register.
The method for performing operations on a register provided by the present invention has the following advantages:
Since modifying a value in a register is the lowest-level form of modification, even though some software can bypass kernel hardening technology, this solution intercepts the target operation instruction directly at the register level and performs an operation on the target register only after the target operation instruction has been analyzed against the policy data in the pre-built policy table together with the original value and the first new value of the target register. In this way, virtual machine security problems caused by software directly modifying the value in a register can be avoided.
In an optional implementation, the target register is a control register;
and when it is determined that the target policy data exists in the policy table, selecting one or more elements from the target policy data, the original value and the first new value, and performing an operation on the target register, includes:
performing an XOR operation on the original value and the first new value to determine whether at least one modified bit exists;
when it is determined that at least one modified bit exists, updating the value corresponding to each modified bit in the first new value according to each modified bit and the target policy data, to obtain a second new value;
performing an update operation on the target register according to the second new value.
Specifically, since each bit of a control register indicates one function, performing a policy verification operation on every bit covers all functions completely. In addition, updating each modified bit only after policy verification ensures that the value finally written is a safe value, which improves the security of the virtual machine.
In an optional implementation, when it is determined that at least one modified bit exists, updating the value corresponding to each modified bit in the first new value according to each modified bit and the target policy data to obtain a second new value includes:
determining, for a target modified bit, whether policy sub-data corresponding to the target modified bit exists in the target policy data, wherein the target modified bit is any one of the at least one modified bits;
when it is determined that the policy sub-data exists in the target policy data, updating the value corresponding to the target modified bit in the first new value according to the policy sub-data;
after it is determined that all modified bits for which policy sub-data exists have been updated, obtaining the second new value.
Specifically, by updating the first new value at each modified bit for which policy sub-data exists, a safe value, namely the second new value, is obtained. This ensures that the value finally written is a safe value and improves the security of the virtual machine.
In an optional implementation, when it is determined that the policy sub-data exists in the target policy data, updating the value corresponding to the target modified bit in the first new value according to the policy sub-data includes:
when it is determined that the policy sub-data includes a first fixed value corresponding to the target modified bit, changing the value corresponding to the target modified bit in the first new value to the first fixed value;
or,
when it is determined that the policy sub-data includes indication information prohibiting modification, restoring the value corresponding to the target modified bit in the first new value to the value corresponding to the target modified bit in the original value.
Specifically, different modified bits may correspond to different modification methods, and the modification method is related to the function of the corresponding bit. Through the corresponding modification method, the first new value is updated to a safe value, which improves the security of the virtual machine.
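As an added illustration of the control-register path described above (example code written for this page, not code from the patent), the following C function applies per-bit policy sub-data to a CR0 write: the original value and the first new value are XORed to find the modified bits, each modified bit with a first-fixed-value rule is forced to that value, each with a prohibit-modification rule is restored from the original value, and the result is the second new value. The policy layout, the CR0 bit rules and the sample values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Kind of policy sub-data attached to one bit of a control register
 * (this layout is an assumption for the example, not the patent's format). */
enum cr_bit_rule {
    CR_RULE_NONE = 0,   /* no policy sub-data: the guest's new bit value is accepted */
    CR_RULE_FIXED,      /* first fixed value: the bit is forced to 'fixed' */
    CR_RULE_NO_MODIFY   /* prohibit-modification indication: bit restored from original */
};

struct cr_bit_policy {
    enum cr_bit_rule rule;
    unsigned fixed;     /* 0 or 1, used only when rule == CR_RULE_FIXED */
};

/* Target policy data for one 64-bit control register: one entry per bit. */
struct cr_policy {
    struct cr_bit_policy bits[64];
};

/* Policy verification for a captured "mov crN, reg" VM exit.
 * orig: the register's original value read from the VMCS control-register area.
 * new1: the first new value the guest tried to write.
 * Returns the second new value that the VMM actually loads into the register. */
uint64_t cr_apply_policy(const struct cr_policy *p, uint64_t orig, uint64_t new1)
{
    uint64_t modified = orig ^ new1;   /* set bits mark every position the guest changes */
    uint64_t new2 = new1;

    for (unsigned b = 0; b < 64; b++) {
        uint64_t mask = (uint64_t)1 << b;
        if (!(modified & mask))
            continue;                  /* unchanged bit: no verification needed */
        switch (p->bits[b].rule) {
        case CR_RULE_FIXED:            /* overwrite the bit with the first fixed value */
            new2 = p->bits[b].fixed ? (new2 | mask) : (new2 & ~mask);
            break;
        case CR_RULE_NO_MODIFY:        /* revert the bit to its original value */
            new2 = (new2 & ~mask) | (orig & mask);
            break;
        default:                       /* no sub-data for this bit: keep the guest's value */
            break;
        }
    }
    return new2;
}

/* Constructed CR0 policy used for the demonstration (assumed rules):
 * bit 0 (PE, protected mode) is fixed to 1, and bit 16 (WP, supervisor write
 * protection) may never be changed once the guest kernel has set it. */
void cr0_example_policy(struct cr_policy *p)
{
    for (unsigned b = 0; b < 64; b++) {
        p->bits[b].rule = CR_RULE_NONE;
        p->bits[b].fixed = 0;
    }
    p->bits[0].rule = CR_RULE_FIXED;
    p->bits[0].fixed = 1;
    p->bits[16].rule = CR_RULE_NO_MODIFY;
}

/* Convenience wrapper: run one guest write attempt through the example policy. */
uint64_t cr0_demo(uint64_t orig, uint64_t attempt)
{
    struct cr_policy p;
    cr0_example_policy(&p);
    return cr_apply_policy(&p, orig, attempt);
}

int main(void)
{
    uint64_t orig = 0x80050033ULL;               /* constructed sample CR0 value */
    uint64_t attempt = orig & ~(1ULL << 16);     /* guest tries to clear CR0.WP */
    uint64_t new2 = cr0_demo(orig, attempt);
    printf("guest wrote %#llx, VMM loads %#llx\n",
           (unsigned long long)attempt, (unsigned long long)new2);
    return new2 == orig ? 0 : 1;
}
```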
In an optional implementation, the target register is a model-specific register (MSR);
and when it is determined that the target policy data exists in the policy table, selecting one or more elements from the target policy data, the original value and the first new value, and performing an operation on the target register, includes:
when it is determined that the target policy data includes a second fixed value corresponding to the target register, setting an execution flag for the target operation instruction according to the first new value and the second fixed value;
or,
when it is determined that the target policy data does not include a second fixed value corresponding to the target register, setting the execution flag for the target operation instruction according to whether the target policy data includes indication information prohibiting modification;
performing, on the target register, the operation corresponding to the execution flag.
Specifically, when a second fixed value exists, comparing the first new value with the second fixed value prevents unauthorized modification and keeps the register value within a safe range. When no second fixed value exists but indication information prohibiting modification is present, the modification is blocked outright, further strengthening the protection of the target register.
In an optional implementation, the execution flag is a first flag or a second flag, wherein the first flag indicates that the target operation instruction is to be executed, and the second flag indicates that execution of the target operation instruction is prohibited;
and when it is determined that the target policy data includes a second fixed value corresponding to the target register, setting an execution flag for the target operation instruction according to the first new value and the second fixed value includes:
comparing the first new value with the second fixed value;
when the comparison result is that the first new value and the second fixed value are identical, setting the execution flag of the target operation instruction to the first flag;
or,
when the comparison result is that the first new value and the second fixed value differ, setting the execution flag of the target operation instruction to the second flag.
Specifically, this solution ensures that the modification is allowed only when the new value is exactly equal to the preset fixed value, which effectively prevents unauthorized changes and improves the security of the virtual machine.
In an optional implementation, when it is determined that the target policy data does not include a second fixed value corresponding to the target register, setting the execution flag for the target operation instruction according to whether the target policy data includes indication information prohibiting modification includes:
when it is determined that the target policy data includes the indication information prohibiting modification, setting the execution flag of the target operation instruction to the second flag;
or,
when it is determined that the target policy data does not include the indication information prohibiting modification, setting the execution flag of the target operation instruction to the first flag.
Specifically, by prohibiting modification of specific registers, unauthorized changes are effectively prevented and the virtual machine is protected from dangerous operations, which enhances security.
In an optional implementation, performing on the target register the operation corresponding to the execution flag includes:
when it is determined that the execution flag is the first flag, performing an update operation on the value in the target register according to the first new value;
or,
when it is determined that the execution flag is the second flag, performing no update operation on the target register.
Specifically, setting the execution flag ensures that only verified and authorized operations can update the target register, which effectively prevents unauthorized access or modification and enhances the security of the virtual machine.
In an optional embodiment, the method further includes:
determining whether the target policy data includes indication information for enabling logging;
when it is determined that the target policy data includes the indication information for enabling logging, setting a log record flag for the target operation instruction, wherein the log record flag indicates that policy verification information is to be recorded;
or,
when it is determined that the target policy data does not include the indication information for enabling logging, not setting a log record flag for the target operation instruction.
Specifically, for important and valuable events, the indication information for enabling logging helps track the history of register operations, making it easier for technicians to analyze them later and improve the policies. For low-value events, only policy verification is performed to prevent security problems, and no log is recorded, which saves storage space.
In an optional implementation, obtaining the first new value corresponding to the target operation instruction includes:
obtaining a first operand stored in a first general-purpose register and a second operand stored in a second general-purpose register;
obtaining the first new value according to the first operand and the second operand.
Specifically, the complete first new value is obtained by combining the operands stored in the two general-purpose registers.
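As an added example for the MSR path (the execution flag, the log record flag and the combination of the two general-purpose register operands described above; example code written for this page, not the patent's own), the following C code looks up a captured WRMSR in a constructed policy table, builds the first new value from the EAX and EDX operands, sets the execution and log record flags, and returns the value the register ends up holding. The policy table layout, its contents and the sample values are assumptions; the two MSR numbers used are the architectural IA32_EFER and IA32_LSTAR indices.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Execution flag: the first flag allows the WRMSR, the second flag prohibits it. */
enum exec_flag { EXEC_FIRST_ALLOW = 1, EXEC_SECOND_DENY = 2 };

/* Target policy data for one MSR (this layout is an assumption for the example). */
struct msr_policy {
    uint32_t index;      /* MSR number, as passed in ECX by wrmsr */
    bool has_fixed;      /* true when a second fixed value is present */
    uint64_t fixed;      /* the second fixed value */
    bool no_modify;      /* indication information prohibiting modification */
    bool log_enabled;    /* indication information enabling logging */
};

/* Constructed policy table (assumed contents, rules chosen for the demonstration). */
static const struct msr_policy POLICY_TABLE[] = {
    { 0xC0000080u, true,  0xD01ULL, false, true  },  /* IA32_EFER: must equal LME|LMA|NXE|SCE */
    { 0xC0000082u, false, 0,        true,  true  },  /* IA32_LSTAR (syscall entry): never modified */
    { 0xC0000081u, false, 0,        false, false },  /* IA32_STAR: allowed, not logged */
};

/* Find the target policy data for an MSR, or NULL when the table has none. */
const struct msr_policy *msr_lookup(uint32_t index)
{
    for (size_t i = 0; i < sizeof POLICY_TABLE / sizeof POLICY_TABLE[0]; i++)
        if (POLICY_TABLE[i].index == index)
            return &POLICY_TABLE[i];
    return NULL;
}

/* First new value of a WRMSR: EDX supplies the high 32 bits, EAX the low 32 bits. */
uint64_t msr_first_new_value(uint64_t rax, uint64_t rdx)
{
    return ((rdx & 0xFFFFFFFFULL) << 32) | (rax & 0xFFFFFFFFULL);
}

/* Set the execution flag from the policy data and the first new value. */
enum exec_flag msr_exec_flag(const struct msr_policy *pol, uint64_t new1)
{
    if (pol->has_fixed)          /* second fixed value present: exact match required */
        return new1 == pol->fixed ? EXEC_FIRST_ALLOW : EXEC_SECOND_DENY;
    return pol->no_modify ? EXEC_SECOND_DENY : EXEC_FIRST_ALLOW;
}

struct msr_decision {
    enum exec_flag flag;
    bool log;          /* log record flag */
    uint64_t value;    /* value the MSR holds after the VM exit is handled */
};

/* Handle one captured WRMSR: look up the policy data, compute the flags and the
 * resulting register value. orig is the MSR's original value from the VMCS. */
struct msr_decision msr_handle_write(uint32_t index, uint64_t orig,
                                     uint64_t rax, uint64_t rdx)
{
    struct msr_decision d = { EXEC_FIRST_ALLOW, false, orig };
    uint64_t new1 = msr_first_new_value(rax, rdx);
    const struct msr_policy *pol = msr_lookup(index);

    if (pol == NULL) {            /* no target policy data: the write proceeds unchanged */
        d.value = new1;
        return d;
    }
    d.flag = msr_exec_flag(pol, new1);
    d.log = pol->log_enabled;
    if (d.flag == EXEC_FIRST_ALLOW)
        d.value = new1;           /* update the register with the first new value */
    if (d.log)                    /* record the policy verification information */
        printf("MSR %#x: orig=%#llx new=%#llx %s\n", (unsigned)index,
               (unsigned long long)orig, (unsigned long long)new1,
               d.flag == EXEC_FIRST_ALLOW ? "allowed" : "denied");
    return d;
}

int main(void)
{
    /* A write that would move the syscall entry point is denied and logged. */
    struct msr_decision d = msr_handle_write(0xC0000082u, 0xFFFFFFFF81000000ULL,
                                             0x12345000ULL, 0xFFFFFFFFULL);
    return d.flag == EXEC_SECOND_DENY ? 0 : 1;
}
```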
In an optional embodiment, the method further includes:
when it is determined, according to the type of the target operation instruction, that the target operation instruction is an instruction for creating a storage area, creating a first storage area and a second storage area according to the target operation instruction, wherein the first storage area is used to store the policy table and the second storage area is used to store the log.
Specifically, storing the policy table and the log in separate areas keeps the data clearly classified and organized, which makes management and retrieval easier. Moreover, since the policy table may need to be accessed frequently while the log is oriented toward long-term preservation and archiving, this separation allows the access and storage strategy of each to be optimized. In addition, since the policy table and the log may have different access patterns and performance requirements, dividing the storage areas makes it easier to set the access pattern of each flexibly.
In an optional embodiment, the method further includes:
when it is determined, according to the type of the target operation instruction, that the target operation instruction is an instruction for obtaining negotiation information, obtaining target negotiation information;
storing the target negotiation information in the virtual machine control structure and notifying the virtual machine to read it, wherein the target negotiation information is used by the virtual machine to perform a matching operation with the virtual machine monitor.
Specifically, the negotiation information usually includes security parameters for the communication between the virtual machine and the virtual machine monitor. Performing a matching operation on the negotiation information ensures that the interaction between the virtual machine and the virtual machine monitor is secure, preventing unauthorized access or data leakage.
In a second aspect, the present invention provides an apparatus for performing an operation on a register, the apparatus comprising:
a capture module, configured to capture a target operation instruction, wherein the target operation instruction is an operation instruction that causes the virtual machine to switch from a working state to an exit state;
a determination module, configured to determine the type of the target operation instruction according to the target operation instruction;
an acquisition module, configured to obtain an original value corresponding to the target register when it is determined, according to the type of the target operation instruction, that the target operation instruction is an instruction for operating on a target register, and to obtain a first new value corresponding to the target operation instruction;
the determination module being further configured to determine, in a pre-built policy table, whether target policy data corresponding to the target register exists;
an execution module, configured to select one or more elements from the target policy data, the original value and the first new value and perform an operation on the target register when it is determined that the target policy data exists in the policy table.
In a third aspect, the present invention provides a computer device, comprising a memory and a processor communicatively connected to each other, the memory storing computer instructions, and the processor executing the computer instructions so as to perform the method for performing operations on a register according to the first aspect or any corresponding embodiment thereof.
In a fourth aspect, the present invention provides a computer-readable storage medium having computer instructions stored thereon, the computer instructions being used to cause a computer to execute the method for performing operations on a register according to the first aspect or any corresponding embodiment thereof.
In a fifth aspect, the present invention provides a computer program product comprising computer instructions, the computer instructions being used to cause a computer to execute the method for performing operations on a register according to the first aspect or any corresponding embodiment thereof.
BRIEF DESCRIPTION OF THE DRAWINGS
In order to illustrate the specific embodiments of the present invention or the technical solutions in the related art more clearly, the drawings required for the description of the specific embodiments or the related art are briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a system architecture diagram according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a method for performing operations on a register according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the policy execution flow for a control register according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the policy execution flow for an MSR register according to an embodiment of the present invention;
FIG. 5 is a schematic flow chart of a method for setting a log record flag according to an embodiment of the present invention;
FIG. 6 is a schematic flow chart of a negotiation method according to an embodiment of the present invention;
FIG. 7 is a schematic flow chart of a method for creating a storage area according to an embodiment of the present invention;
FIG. 8 is a schematic flow chart of a method for writing policy data according to an embodiment of the present invention;
FIG. 9 is a schematic flow chart of a method for deleting policy data according to an embodiment of the present invention;
FIG. 10 is a structural block diagram of an apparatus for performing operations on a register according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of the hardware structure of a computer device according to an embodiment of the present invention.
DETAILED DESCRIPTION
In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person skilled in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The technical terms involved in the embodiments of the present invention are explained below.
Virtual Machine Exit (VM Exit): a "trap" operation triggered when certain sensitive instructions are executed in the non-root mode of the virtual machine, causing the processor to switch from non-root mode back to root mode, that is, to return to the virtual machine monitor (VMM).
Virtual Machine Entry (VM Entry): the process corresponding to VM Exit. After the virtual machine monitor has handled the sensitive instruction executed by the virtual machine, it hands control of the processor back to that virtual machine through a VM Entry operation. This operation switches the processor from root mode to non-root mode, allowing the virtual machine to continue running.
Virtual Machine Control Structure (VMCS): a memory area used to store and manage the state and control information of a virtual machine. The virtual machine has read-only access to the data stored in the VMCS; the virtual machine monitor has read-write access to it.
The embodiments of the present invention apply to a computer device on which a virtual machine monitor and at least one virtual machine may be installed. For example, the computer device may be a server, a terminal, and so on. As shown in FIG. 1, the virtual machine monitor may include an event filtering module and a policy verification module, and manages at least one storage area, each storage area being associated with one virtual machine, that is, each virtual machine may write data to and read data from its corresponding storage area. The event filtering module may be used to identify sensitive operations of the virtual machine, that is, to capture target operation instructions. The policy verification module may be used to perform policy verification on target operation instructions using the policy data in the policy table. The virtual machine may include a negotiation module, a policy management module, a log management module and a virtual machine (VM) communication module. The negotiation module may be used to authenticate negotiation information. The policy management module may be used to write and delete policy data. The log management module may be used to read the logs stored in the storage area. The communication module may be used to carry out the interaction between the virtual machine and the virtual machine monitor. The detailed operation of each of these modules is described in the following sections and is not repeated here.
The embodiments of the present invention provide a method for performing operations on registers that improves the security of the virtual machine operating system by monitoring instructions that operate on registers and performing policy verification before they are processed.
According to an embodiment of the present invention, an embodiment of a method for performing operations on a register is provided. It should be noted that the steps shown in the flow charts of the drawings may be executed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flow charts, in some cases the steps shown or described may be executed in an order different from the one given here.
This embodiment provides a method for performing an operation on a register, which may be executed by the computer device described above. FIG. 2 is a flow chart of the method for performing an operation on a register according to an embodiment of the present invention. As shown in FIG. 2, the flow includes the following steps:
Step S201: capturing a target operation instruction.
The target operation instruction may be an operation instruction that causes the virtual machine to switch from a working state to an exit state. The target operation instruction may be an instruction for operating on a target register, an instruction for obtaining negotiation information, an instruction for creating a storage area, an instruction for writing policy data, an instruction for deleting policy data, and the like. Taking the x86 instruction set as an example, the instruction for obtaining negotiation information may be the cpuid instruction. The instruction for creating a storage area, the instruction for writing policy data and the instruction for deleting policy data may all be vmcall instructions; a vmcall instruction may carry a custom parameter, and different parameter values indicate different instructions. For example, when the custom parameter is A the vmcall instruction is the instruction for creating a storage area, and when the custom parameter is B it is the instruction for writing policy data. The instruction for operating on the target register may be a mov cr0 instruction, an rdmsr instruction, a wrmsr instruction, and the like.
Specifically, when the virtual machine receives the target operation instruction, it executes it, and information about the target operation instruction is recorded in a designated area of the virtual machine control structure (VMCS). When the computer device detects that the target operation instruction is a sensitive instruction (that is, an instruction that may cause a security problem for the virtual machine), it triggers a VM Exit, transferring control to the processing logic of the virtual machine monitor (VMM). The event filtering module of the virtual machine monitor then reads the information about the target operation instruction from the designated area of the VMCS, which is how the target operation instruction is captured.
Step S202: determining the type of the target operation instruction according to the target operation instruction.
The type of the target operation instruction may be used to indicate the operation object, which may be one of a register, the virtual machine, or the virtual machine monitor.
Specifically, the event filtering module analyzes the relevant information of the target operation instruction to determine its type.
Step S203: when it is determined according to the type of the target operation instruction that the target operation instruction is an instruction for operating on a target register, obtaining the original value corresponding to the target register.
The target register may be a control register (CR), a model-specific register (MSR), and the like.
Specifically, when the operation object is determined according to the type of the target operation instruction to be a control register, the original value is stored in the control register area of the virtual machine control structure and can be read from that area. Alternatively, when the target register is an MSR, the original value is stored in the MSR area of the virtual machine control structure and can be read from there.
Step S204: obtaining a first new value corresponding to the target operation instruction.
Specifically, when the target register is a control register, the first new value can be read from the source register area of the virtual machine control structure. Alternatively, when the target register is an MSR, the following steps can be performed: obtain the first operand stored in a first general-purpose register and the second operand stored in a second general-purpose register, and obtain the first new value from the first operand (rax) and the second operand (rdx) by combining the two operands after a bitwise operation. The first general-purpose register may be the eax register and the second general-purpose register may be the edx register.
Step S205: determining whether target policy data corresponding to the target register exists in a pre-built policy table.
The policy table may store multiple policy data entries, together with policy identification information corresponding to each entry. A policy data entry may include a policy verification object and policy indication information, where the policy indication information may be either an indication that modification is prohibited or a fixed value. The policy object may be a register. Since each bit of a control register corresponds to one function, when the policy object is a control register the policy indication information may include policy indication information for at least one bit (that is, at least one policy sub-data entry). For example, for the write protect (WP) bit of the CR0 register, when WP=0 a program can read and write any physical page, while when WP=1 writes to read-only physical pages are prohibited. An MSR, by contrast, handles one function, such as performance monitoring, power management or virtualization support. The policy data may also include an indication that logging is enabled; when the register is a control register, the logging indication may likewise be set at bit granularity.
Specifically, the policy verification module can match the identification information of the target register against the policy object included in each policy data entry in the policy table. When a policy data entry corresponding to the identification information of the target register is matched, it can be determined that target policy data corresponding to the target register exists in the policy table. When no such entry is matched, the target operation instruction is a safe operation instruction and can be executed directly.
Step S206: when it is determined that the target policy data exists in the policy table, selecting one or more elements from the target policy data, the original value and the first new value, and performing an operation on the target register.
Specifically, since the workflows of different registers differ, the policy verification process must be carried out according to the working characteristics of each register. The control register and the MSR are taken as examples below.
First, the target register is a control register.
Step one: perform an XOR operation on the original value and the first new value to determine whether at least one modified bit exists.
Specifically, the policy verification module can traverse every bit of the original value (or of the first new value). For each bit traversed, it obtains the first value of that bit from the original value and the second value of that bit from the first new value, and compares the two: if they are the same, the bit is not a modified bit; if they differ, the bit is a modified bit. In this way it can be determined whether any modified bit exists. If none exists, the target operation instruction is a safe operation instruction and can be executed directly. If a modified bit exists, step two can be carried out.
Step two: when it is determined that at least one modified bit exists, update the value corresponding to each modified bit in the first new value according to that modified bit and the target policy data, obtaining a second new value.
Step 1: according to the target modified bit, determine whether policy sub-data corresponding to the target modified bit exists in the target policy data.
The target modified bit is any one of the at least one modified bit.
Specifically, the policy verification module can traverse the policy sub-data included in the target policy data according to the target modified bit to determine whether policy sub-data matching the target modified bit exists. If so, the target operation instruction is a safe operation instruction and can be executed directly. If not, step 2 can be carried out.
Step 2: when it is determined that policy sub-data exists in the target policy data, update the value corresponding to the target modified bit in the first new value according to the policy sub-data.
Specifically, when the policy sub-data is determined to include a first fixed value corresponding to the target modified bit, the value corresponding to the target modified bit in the first new value is changed to the first fixed value. Alternatively, when the policy sub-data is determined to include an indication that modification is prohibited, the value corresponding to the target modified bit in the first new value is restored to the value of that bit in the original value.
Step 3: after every modified bit for which policy sub-data exists has been updated, the second new value is obtained.
Step three: perform an update operation on the target register according to the second new value.
Specifically, the virtual machine monitor can update the original value in the target register to the second new value.
FIG. 3 shows the policy execution flow for a control register.
Second, the target register is an MSR.
Step one: when it is determined that the target policy data includes a second fixed value corresponding to the target register, set an execution flag for the target operation instruction according to the first new value and the second fixed value.
The execution flag is either a first flag or a second flag. The first flag indicates that the target operation instruction is to be executed; the second flag indicates that execution of the target operation instruction is prohibited. For example, the first flag may be "allow" and the second flag may be "redirect".
Specifically, setting the execution flag for the target operation instruction according to the first new value and the second fixed value may include the following steps:
Step 1: compare the first new value with the second fixed value.
Step 2: when the comparison shows that the first new value and the second fixed value are the same, set the execution flag of the target operation instruction to the first flag.
Step 3: when the comparison shows that the first new value and the second fixed value differ, set the execution flag of the target operation instruction to the second flag.
Step two: when it is determined that the target policy data does not include a second fixed value corresponding to the target register, set the execution flag for the target operation instruction according to whether the target policy data includes an indication that modification is prohibited.
Specifically, when the target policy data is determined to include an indication that modification is prohibited, the execution flag of the target operation instruction can be set to the second flag. Alternatively, when it does not include such an indication, the execution flag can be set to the first flag.
Step three: according to the execution flag, perform the operation corresponding to the execution flag on the target register.
Specifically, when the execution flag is determined to be the first flag, the value in the target register is updated according to the first new value, that is, the original value in the target register is replaced by the first new value. Alternatively, when the execution flag is determined to be the second flag, the target register is not updated.
FIG. 4 shows the policy execution flow for an MSR.
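A condensed model of steps S203 to S206 as added example code (not the patent's own implementation): the control-register flow with the XOR step and per-bit sub-policies, and the MSR flow that derives the allow/redirect execution flag. The policy structures, the MSR identifiers 0x1234 and 0x5678, and the CR0 values are constructed for the example; reading the original value from the VMCS and the first new value from the exit information is outside this snippet.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Policy indication for one governed bit of a control register:
 * hold the bit at a fixed value, or forbid any change to it. */
enum bit_rule { RULE_FIXED, RULE_NO_MODIFY };

struct cr_bit_policy {
    unsigned bit;            /* bit position in the control register */
    enum bit_rule rule;
    unsigned fixed_value;    /* 0 or 1, used only with RULE_FIXED */
    bool enable_log;         /* logging indication at bit granularity */
};

/* Policy data for one MSR: a fixed value for the whole register and/or a
 * no-modify indication, plus the logging indication. (Constructed layout.) */
struct msr_policy {
    uint32_t msr;
    bool has_fixed;
    uint64_t fixed_value;
    bool no_modify;
    bool enable_log;
};

enum exec_flag { EXEC_ALLOW, EXEC_REDIRECT };

/* Control-register flow. orig comes from the VMCS control register area,
 * first_new from the source register area. Returns the second new value the
 * VMM should load; *log_out is set when an applied sub-policy has logging on. */
uint64_t cr_apply_policy(uint64_t orig, uint64_t first_new,
                         const struct cr_bit_policy *pol, size_t n,
                         bool *log_out)
{
    uint64_t modified = orig ^ first_new;   /* step one: XOR marks modified bits */
    uint64_t second_new = first_new;
    *log_out = false;
    if (modified == 0)                      /* no modified bit: safe, execute as-is */
        return first_new;

    for (unsigned bit = 0; bit < 64; bit++) {   /* step two: each modified bit */
        uint64_t mask = (uint64_t)1 << bit;
        if (!(modified & mask))
            continue;
        for (size_t i = 0; i < n; i++) {
            if (pol[i].bit != bit)
                continue;                       /* no sub-policy for this bit */
            uint64_t v = (pol[i].rule == RULE_FIXED)
                       ? ((uint64_t)(pol[i].fixed_value & 1u) << bit) /* first fixed value */
                       : (orig & mask);                               /* restore original bit */
            second_new = (second_new & ~mask) | v;
            if (pol[i].enable_log)
                *log_out = true;
        }
    }
    return second_new;                          /* step three: value to load */
}

/* MSR flow: wrmsr supplies the first new value as edx:eax. */
uint64_t msr_first_new(uint32_t eax, uint32_t edx)
{
    return ((uint64_t)edx << 32) | eax;
}

/* Step S205 for an MSR: match the target register against the policy table. */
const struct msr_policy *find_msr_policy(const struct msr_policy *tbl, size_t n,
                                         uint32_t msr)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].msr == msr)
            return &tbl[i];
    return NULL;                                /* no policy: safe, execute directly */
}

/* Steps one and two of the MSR flow: derive the execution flag. */
enum exec_flag msr_exec_flag(uint64_t first_new, const struct msr_policy *p)
{
    if (p->has_fixed)
        return first_new == p->fixed_value ? EXEC_ALLOW : EXEC_REDIRECT;
    return p->no_modify ? EXEC_REDIRECT : EXEC_ALLOW;
}

/* Step three of the MSR flow: the value the register holds afterwards. */
uint64_t msr_apply(uint64_t orig, uint64_t first_new, enum exec_flag f)
{
    return f == EXEC_ALLOW ? first_new : orig;
}

/* Constructed policy table: MSR 0x1234 must equal 1; MSR 0x5678 is no-modify. */
static const struct msr_policy msr_table[] = {
    { 0x1234u, true,  0x1ull, false, false },
    { 0x5678u, false, 0,      true,  true  },
};

/* Constructed scenario: CR0.WP (bit 16) governed by a no-modify sub-policy.
 * 0x80050033 is a typical CR0 value with WP set; 0x80040033 has WP cleared. */
#define CR0_WP_BIT 16u
static const struct cr_bit_policy cr0_policy[] = {
    { CR0_WP_BIT, RULE_NO_MODIFY, 0, true },
};

uint64_t demo_cr0_wp_clear(bool *logged)
{
    return cr_apply_policy(0x80050033ull, 0x80040033ull, cr0_policy, 1, logged);
}
```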
In the method for performing operations on registers provided by this embodiment, modifying the value in a register is the lowest-level form of modification, so even though some software may bypass kernel hardening technology, this solution intercepts the target operation instruction directly at the register level and performs an operation on the target register only after analysing the target operation instruction in detail against the policy data in the pre-built policy table together with the obtained original value and first new value of the target register. In this way, virtual machine security problems caused by software directly modifying register values can be avoided.
This embodiment also provides a method for setting a logging flag, which can be executed by the computer device described above. FIG. 5 is a flow chart of the method for setting a logging flag according to an embodiment of the present invention. As shown in FIG. 5, the process includes the following steps:
Step S501: determining whether the target policy data includes an indication that logging is enabled.
Step S502: when it is determined that the target policy data includes an indication that logging is enabled, setting a logging flag for the target operation instruction.
The logging flag indicates that policy verification information is to be recorded. The policy verification information may include the modification result described above, for example the second new value.
Step S503: when it is determined that the target policy data does not include an indication that logging is enabled, not setting a logging flag for the target operation instruction.
Thus, for a control register, after the update operation on the control register has been performed it can be determined whether a logging flag has been set for the target operation instruction, and if so, the policy verification information of the flow shown in FIG. 2 can be recorded (as shown in FIG. 4). For an MSR, after the logging flag has been set it can be determined whether the target operation instruction carries a logging flag, and if so, the policy verification information of the flow shown in FIG. 2 can be recorded (as shown in FIG. 5).
The method for setting a logging flag provided by this embodiment uses the logging-enabled indication to track the history of register operations for important and valuable events, which helps technical personnel analyse them later and improve the policies. For low-value events only policy verification is performed to prevent security problems, without logging, which saves storage space.
Since the target operation instruction can take several forms, such as an instruction that operates on a target register, an instruction that obtains negotiation information, an instruction that creates a storage area, an instruction that writes policy data and an instruction that deletes policy data, steps S203 to S206 above mainly describe the policy verification process for instructions that operate on a target register. The execution of the other forms of target operation instruction is described in detail below.
First, the negotiation method. When the target operation instruction is determined, according to its type, to be an instruction for obtaining negotiation information, target negotiation information is obtained and stored in the virtual machine control structure, and the virtual machine is notified to read it.
The target negotiation information is used by the virtual machine to perform a matching operation with the virtual machine monitor. It is a message agreed in advance between the virtual machine's negotiation module and the virtual machine monitor; its specific content is not limited, as long as the negotiation module recognizes it.
Specifically, as shown in FIG. 6, the negotiation module executes the cpuid instruction (the relevant information of the instruction is recorded in the virtual machine control structure), which triggers a negotiation information request and in turn a VM Exit, jumping to the processing logic of the virtual machine monitor. The virtual machine monitor obtains the cpuid instruction from the virtual machine control structure and determines that the cause of the VM exit event is the execution of cpuid; that is, the virtual machine monitor captures the target operation instruction and determines that it is an instruction for obtaining negotiation information. The virtual machine monitor then stores the designated negotiation information (the target negotiation information) in the virtual machine control structure and triggers VM Entry (also called VM Resume), jumping to the processing logic of the virtual machine. The virtual machine obtains the target negotiation information from the virtual machine control structure and, according to whether it carries flag information matching the virtual machine itself, determines whether it is running on a matching virtual machine monitor; only if so can the subsequent operation of creating storage areas proceed.
Second, the method for creating storage areas. When the target operation instruction is determined, according to its type, to be an instruction for creating a storage area, a first storage area and a second storage area are created according to the target operation instruction.
The first storage area stores the policy table and the second storage area stores the log. The first storage area is write-only for the virtual machine and read-only for the virtual machine monitor; the second storage area is read-only for the virtual machine and write-only for the virtual machine monitor.
Specifically, as shown in FIG. 7, the virtual machine executes the vmcall instruction (the relevant information of the instruction is recorded in the virtual machine control structure), which triggers an initialization request and in turn a VM Exit, jumping to the processing logic of the virtual machine monitor. The virtual machine monitor obtains the vmcall instruction from the virtual machine control structure and determines that the cause of the VM exit event is the execution of vmcall; that is, it captures the target operation instruction and, according to the first custom parameter in the vmcall instruction, determines that the target operation instruction is an instruction for creating a storage area. The virtual machine monitor initializes the shared memory area, divides it into a policy area (the first storage area) and a log area (the second storage area), stores the location information of both areas in the virtual machine control structure as the return value, and triggers VM Entry, jumping to the processing logic of the virtual machine. The virtual machine obtains the location information of the first and second storage areas from the virtual machine control structure and maps them, so that policy data can subsequently be written and log data read.
Third, the method for writing policy data. When the target operation instruction is determined, according to its type, to be an instruction for writing policy data, multiple policy data entries written by the virtual machine are obtained from the first storage area, and the policy table is built from them.
Specifically, as shown in FIG. 8, after obtaining multiple policy data entries the virtual machine can encapsulate a policy enable command and, according to it, write the obtained policy data into the first storage area. The virtual machine then executes the vmcall instruction (the relevant information of the instruction is recorded in the virtual machine control structure), which triggers an initialize policy request and in turn a VM Exit, jumping to the processing logic of the virtual machine monitor. The virtual machine monitor obtains the vmcall instruction from the virtual machine control structure and determines that the cause of the VM exit event is the execution of vmcall; that is, it captures the target operation instruction, and when it determines according to the second custom parameter in the vmcall instruction that the target operation instruction is an instruction for creating a storage area, it converts the policy data written into the first storage area to generate the policy table.
Fourth, the method for deleting policy data. When the target operation instruction is determined, according to its type, to be an instruction for deleting policy data, first policy identification information is obtained, and the policy data corresponding to the first policy identification information is deleted from the policy table.
Specifically, as shown in FIG. 9, after obtaining the first policy identification information the virtual machine can encapsulate it in a policy shutdown command and, according to that command, write the first policy identification information into the first storage area. The virtual machine then executes the vmcall instruction (the relevant information of the instruction is recorded in the virtual machine control structure), which triggers a delete policy request and in turn a VM Exit, jumping to the processing logic of the virtual machine monitor. The virtual machine monitor obtains the vmcall instruction from the virtual machine control structure, that is, captures the target operation instruction, and when it determines according to the third custom parameter in the vmcall instruction that the target operation instruction is an instruction for deleting policy data, it obtains the first policy identification information from the first storage area, locates the policy data corresponding to it in the policy table, and deletes that entry.
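The negotiation and vmcall flows of FIG. 6 to FIG. 9 as an added simulation in plain C (not the patent's code and not real VMX; each exit is modelled as a function call). The custom parameter numbers, the negotiation token, and the layout of the shared memory, including the delete_id field through which the guest passes the first policy identification information, are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Custom vmcall parameters. The description names them A, B, ... without
 * numbers; these values are constructed for the example. */
enum vmcall_param {
    VMCALL_CREATE_AREAS = 1,   /* first custom parameter */
    VMCALL_WRITE_POLICY = 2,   /* second custom parameter */
    VMCALL_DELETE_POLICY = 3   /* third custom parameter */
};

/* Negotiation token the VMM returns on the cpuid exit (constructed value). */
#define NEGOTIATION_TOKEN 0x4D4D5650u

/* One policy data entry as the guest writes it into the policy area. */
struct policy_record {
    uint32_t policy_id;        /* policy identification information */
    uint32_t reg;              /* policy object: register identifier */
    bool     no_modify;
    bool     has_fixed;
    uint64_t fixed_value;
};

#define POLICY_AREA_MAX 16
#define LOG_AREA_MAX    64

/* Shared memory: the policy area is guest-write / VMM-read, the log area is
 * VMM-write / guest-read. delete_id carries the id of a delete request. */
struct shared_mem {
    struct policy_record policy_area[POLICY_AREA_MAX];
    size_t   policy_count;
    uint32_t delete_id;
    uint64_t log_area[LOG_AREA_MAX];
    size_t   log_count;
};

struct vmm_state {
    struct shared_mem mem;
    bool areas_created;
    struct policy_record table[POLICY_AREA_MAX];  /* VMM-private policy table */
    size_t table_count;
};

/* VM exit on cpuid: the VMM answers with the agreed negotiation token. */
uint32_t vmm_handle_cpuid_exit(void) { return NEGOTIATION_TOKEN; }

/* Guest side: create storage areas only when running under a matching VMM. */
bool guest_negotiate(uint32_t token) { return token == NEGOTIATION_TOKEN; }

/* Guest side: the "policy enable command" appends a record to the policy area. */
bool guest_write_policy(struct shared_mem *m, struct policy_record rec)
{
    if (m->policy_count >= POLICY_AREA_MAX)
        return false;
    m->policy_area[m->policy_count++] = rec;
    return true;
}

/* VM exit on vmcall: dispatch on the custom parameter. Returns 0 on success. */
int vmm_handle_vmcall_exit(struct vmm_state *s, enum vmcall_param p)
{
    switch (p) {
    case VMCALL_CREATE_AREAS:
        memset(&s->mem, 0, sizeof s->mem);
        s->areas_created = true;
        return 0;
    case VMCALL_WRITE_POLICY:
        if (!s->areas_created)
            return -1;                         /* areas must exist first */
        memcpy(s->table, s->mem.policy_area,
               s->mem.policy_count * sizeof s->table[0]);
        s->table_count = s->mem.policy_count;
        return 0;
    case VMCALL_DELETE_POLICY: {
        if (!s->areas_created)
            return -1;
        uint32_t id = s->mem.delete_id;        /* first policy identification information */
        for (size_t i = 0; i < s->table_count; i++) {
            if (s->table[i].policy_id != id)
                continue;
            memmove(&s->table[i], &s->table[i + 1],
                    (s->table_count - i - 1) * sizeof s->table[0]);
            s->table_count--;
            return 0;
        }
        return -2;                             /* unknown policy id */
    }
    }
    return -3;                                 /* unknown custom parameter */
}

/* Constructed walk through the four flows; returns the final table size. */
size_t demo_policy_lifecycle(struct vmm_state *s)
{
    memset(s, 0, sizeof *s);
    if (!guest_negotiate(vmm_handle_cpuid_exit()))
        return 0;
    if (vmm_handle_vmcall_exit(s, VMCALL_WRITE_POLICY) != -1)
        return 0;                              /* must be rejected before areas exist */
    vmm_handle_vmcall_exit(s, VMCALL_CREATE_AREAS);
    guest_write_policy(&s->mem, (struct policy_record){ 7, 0, true, false, 0 });       /* CR0: no-modify */
    guest_write_policy(&s->mem, (struct policy_record){ 8, 0x1234u, false, true, 1 }); /* MSR: fixed value */
    vmm_handle_vmcall_exit(s, VMCALL_WRITE_POLICY);
    s->mem.delete_id = 7;                      /* guest requests removal of policy 7 */
    vmm_handle_vmcall_exit(s, VMCALL_DELETE_POLICY);
    return s->table_count;
}
```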
In some optional implementations, because the software that causes security problems for virtual machines is updated quickly, the policy data needs to be updated accordingly. After obtaining a policy data update instruction, the virtual machine can extract second policy identification information and the modified policy data from the instruction and write the second policy identification information into the first storage area. When the virtual machine monitor is not in the middle of a policy verification, it can extract the second policy identification information and the modified policy data from the first storage area, locate the policy data corresponding to the second policy identification information in the policy table, delete it, and add the modified policy data in its place. In this way the policy data is kept up to date, the latest software that would damage the virtual machine can be defended against, and the security of the virtual machine is improved.
In some optional implementations, when the virtual machine monitor recognizes that the number of logs in the second storage area exceeds a preset threshold, it can notify the virtual machine, which reads all the logs from the second storage area; after the virtual machine has completed the read, the virtual machine monitor can promptly delete those logs. This avoids the second storage area filling up so that important logs can no longer be stored and technical personnel cannot carry out subsequent analysis.
In some optional implementations, a third storage area can also be created and the policy table backed up into it. When it is detected that the policy data stored in the first storage area has been lost or that the first storage area has been damaged by the relevant software, the backed-up policy table is read from the third storage area and handled in time, preventing virtual machine security problems caused by an inability to perform policy verification. The backup operation further improves security.
在本实施例中还提供了一种对寄存器执行操作的装置,该装置用于实现上述实施例及优选实施方式,已经进行过说明的不再赘述。如以下所使用的,术语“模块”可以实现预定功能的软件和/或硬件的组合。尽管以下实施例所描述的装置较佳地以软件来实现,但是硬件,或者软件和硬件的组合的实现也是可能并被构想的。In this embodiment, a device for performing operations on a register is also provided, and the device is used to implement the above-mentioned embodiments and preferred implementation modes, and the descriptions that have been made are not repeated. As used below, the term "module" can implement a combination of software and/or hardware of a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, the implementation of hardware, or a combination of software and hardware, is also possible and conceivable.
本实施例提供一种对寄存器执行操作的装置,如图10所示,包括:This embodiment provides a device for performing an operation on a register, as shown in FIG10 , including:
The capture module 1001 is configured to capture a target operation instruction, where the target operation instruction is an instruction that causes the virtual machine to switch from the working state to the exited state;
the determination module 1002 is configured to determine the type of the target operation instruction from the instruction itself;
the acquisition module 1003 is configured to, when the type of the target operation instruction indicates an instruction that operates on a target register, acquire the original value of the target register and acquire the first new value corresponding to the target operation instruction;
the determination module 1002 is further configured to determine whether the pre-built policy table contains target policy data for the target register;
the execution module 1004 is configured to, when the policy table contains target policy data, select one or more elements from the target policy data, the original value and the first new value, and perform the operation on the target register with them.
In an optional implementation, the target register is a control register;
the execution module 1004 is specifically configured to:
XOR the original value with the first new value to determine whether at least one bit is modified;
when at least one modified bit exists, update the value of each modified bit in the first new value according to that modified bit and the target policy data, obtaining a second new value;
update the target register with the second new value.
In an optional implementation, the execution module 1004 is specifically configured to:
determine, for a target modified bit, whether the target policy data contains policy sub-data for that bit, where the target modified bit is any one of the at least one modified bit;
when the target policy data contains such policy sub-data, update the value of the target modified bit in the first new value according to the policy sub-data;
after every modified bit that has policy sub-data has been updated, the second new value is obtained.
In an optional implementation, the execution module 1004 is specifically configured to:
when the policy sub-data includes a first fixed value for the target modified bit, set the value of the target modified bit in the first new value to the first fixed value;
or,
when the policy sub-data includes an indication that modification is prohibited, restore the value of the target modified bit in the first new value to the value of that bit in the original value.
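The control-register path described above (XOR the original and requested values to find the modified bits, then force or restore each modified bit that has policy sub-data) as an added C example; this is not code from the patent or from any product implementing it. The policy layout (`struct cr_bit_rule`, `struct cr_policy`), the rule kinds and the sample rules are assumptions made for the example; only the CR0 bit positions PE (bit 0) and WP (bit 16) are real.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Kind of policy sub-data attached to one bit of a control register
 * (the layout is an assumption made for this example). */
enum cr_bit_policy { CR_BIT_FIXED = 1, CR_BIT_NO_MODIFY = 2 };

struct cr_bit_rule {
    unsigned bit;             /* bit position the sub-data applies to */
    enum cr_bit_policy kind;  /* force a fixed value, or forbid modification */
    unsigned fixed_value;     /* the "first fixed value" (0 or 1), CR_BIT_FIXED only */
};

struct cr_policy {            /* target policy data for one control register */
    const struct cr_bit_rule *rules;
    size_t count;
};

/* Constructed sample policy for CR0: PE (bit 0) is pinned to 1 and WP
 * (bit 16) may never be changed. Every other bit is left to the guest. */
static const struct cr_bit_rule cr0_rules[] = {
    { 0,  CR_BIT_FIXED,     1 },
    { 16, CR_BIT_NO_MODIFY, 0 },
};
const struct cr_policy demo_cr0_policy = { cr0_rules, 2 };

static const struct cr_bit_rule *cr_find_rule(const struct cr_policy *p, unsigned bit)
{
    for (size_t i = 0; i < p->count; i++)
        if (p->rules[i].bit == bit)
            return &p->rules[i];
    return NULL;              /* no policy sub-data for this bit */
}

/* Compute the second new value: XOR the original and requested values to
 * find the modified bits; for each modified bit that has policy sub-data,
 * either force the fixed value or restore the original bit. Bits without
 * sub-data pass through exactly as the guest requested. */
uint64_t cr_apply_policy(const struct cr_policy *p, uint64_t orig, uint64_t new1)
{
    uint64_t modified = orig ^ new1;
    uint64_t new2 = new1;

    if (modified == 0)
        return new1;          /* nothing changed: write the value as-is */

    for (unsigned bit = 0; bit < 64; bit++) {
        uint64_t mask = (uint64_t)1 << bit;
        const struct cr_bit_rule *r;

        if (!(modified & mask))
            continue;
        r = cr_find_rule(p, bit);
        if (r == NULL)
            continue;
        if (r->kind == CR_BIT_FIXED)
            new2 = r->fixed_value ? (new2 | mask) : (new2 & ~mask);
        else /* CR_BIT_NO_MODIFY */
            new2 = (new2 & ~mask) | (orig & mask);
    }
    return new2;
}

int main(void)
{
    /* Constructed guest write: clears PE and WP and sets TS (bit 3). */
    uint64_t orig = 0x80050033ULL, new1 = 0x8004003AULL;
    uint64_t new2 = cr_apply_policy(&demo_cr0_policy, orig, new1);
    printf("orig=%#llx requested=%#llx written=%#llx\n",
           (unsigned long long)orig, (unsigned long long)new1,
           (unsigned long long)new2);
    return 0;
}
```

In the sample run the guest's attempt to clear PE and WP is undone while its change to TS is kept, which is the property the embodiment is after: the hypervisor decides bit by bit, so hardening-relevant bits stay pinned without blocking unrelated writes to the same register.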
In an optional implementation, the target register is a model-specific register (MSR);
the execution module 1004 is specifically configured to:
when the target policy data includes a second fixed value for the target register, set the execution flag of the target operation instruction according to the first new value and the second fixed value;
or,
when the target policy data does not include a second fixed value for the target register, set the execution flag of the target operation instruction according to whether the target policy data includes an indication that modification is prohibited;
perform on the target register the operation that corresponds to the execution flag.
In an optional implementation, the execution flag is a first flag or a second flag, where the first flag indicates that the target operation instruction is to be executed and the second flag indicates that execution of the target operation instruction is prohibited;
the execution module 1004 is specifically configured to:
compare the first new value with the second fixed value;
when the comparison finds the first new value and the second fixed value identical, set the execution flag of the target operation instruction to the first flag;
or,
when the comparison finds the first new value and the second fixed value different, set the execution flag of the target operation instruction to the second flag.
In an optional implementation, the execution module 1004 is specifically configured to:
when the target policy data includes an indication that modification is prohibited, set the execution flag of the target operation instruction to the second flag;
or,
when the target policy data does not include an indication that modification is prohibited, set the execution flag of the target operation instruction to the first flag.
In an optional implementation, the execution module 1004 is specifically configured to:
when the execution flag is the first flag, update the value in the target register with the first new value;
or,
when the execution flag is the second flag, perform no update on the target register.
In an optional implementation, the apparatus further includes a setting module 1005, configured to:
determine whether the target policy data includes an indication that logging is enabled;
when the target policy data includes an indication that logging is enabled, set a logging flag on the target operation instruction, where the logging flag indicates that policy verification information is to be recorded;
or,
when the target policy data does not include an indication that logging is enabled, set no logging flag on the target operation instruction.
In an optional implementation, the acquisition module 1003 is specifically configured to:
acquire a first operand stored in a first general-purpose register and a second operand stored in a second general-purpose register;
derive the first new value from the first operand and the second operand.
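The MSR path described above (first new value assembled from two general-purpose registers, execution flag derived from the second fixed value or from the prohibit-modification indication, logging flag from the policy) as an added C example; this is not code from the patent or from any product implementing it. The policy table layout and its rules are constructed for the example; the MSR indices are the real IA32_EFER, IA32_LSTAR and IA32_DEBUGCTL numbers, and EDX:EAX is the operand convention of WRMSR. Passing a write through when no policy entry exists is an assumption, since this section only specifies behaviour when target policy data is present.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum exec_flag { FLAG_EXECUTE = 1, FLAG_DENY = 2 };   /* first flag / second flag */

struct msr_policy {        /* target policy data for one MSR (assumed layout) */
    uint32_t msr;          /* MSR index the rule applies to */
    bool has_fixed;        /* policy carries a "second fixed value" */
    uint64_t fixed_value;
    bool no_modify;        /* "modification prohibited" indication */
    bool log;              /* "logging enabled" indication */
};

/* Constructed sample policy table. The indices are the real IA32_EFER,
 * IA32_LSTAR and IA32_DEBUGCTL numbers; the rules themselves are invented. */
static const struct msr_policy sample_policy[] = {
    { 0xC0000080u, true,  0x0000000000000D01ull, false, true  }, /* EFER: only this exact value */
    { 0xC0000082u, false, 0,                      true,  true  }, /* LSTAR: never modified, logged */
    { 0x000001D9u, false, 0,                      false, false }, /* DEBUGCTL: unrestricted */
};

static const struct msr_policy *msr_lookup(uint32_t msr)
{
    for (size_t i = 0; i < sizeof sample_policy / sizeof sample_policy[0]; i++)
        if (sample_policy[i].msr == msr)
            return &sample_policy[i];
    return NULL;
}

/* First new value: WRMSR passes the 64-bit value as EDX:EAX. */
uint64_t msr_new_value(uint32_t eax, uint32_t edx)
{
    return ((uint64_t)edx << 32) | eax;
}

/* Execution flag per the policy: with a second fixed value the write may
 * proceed only if the new value equals it; without one it is denied exactly
 * when modification is prohibited. */
enum exec_flag msr_execution_flag(const struct msr_policy *p, uint64_t new1)
{
    if (p->has_fixed)
        return new1 == p->fixed_value ? FLAG_EXECUTE : FLAG_DENY;
    return p->no_modify ? FLAG_DENY : FLAG_EXECUTE;
}

enum exec_flag msr_check(uint32_t msr, uint32_t eax, uint32_t edx)
{
    const struct msr_policy *p = msr_lookup(msr);
    /* No policy entry: pass the write through (assumption, see lead-in). */
    if (p == NULL)
        return FLAG_EXECUTE;
    return msr_execution_flag(p, msr_new_value(eax, edx));
}

bool msr_should_log(uint32_t msr)
{
    const struct msr_policy *p = msr_lookup(msr);
    return p != NULL && p->log;
}

/* Returns the value the MSR holds after the guest's write attempt and
 * records the policy verification result when the logging flag is set. */
uint64_t msr_apply(uint32_t msr, uint64_t orig, uint32_t eax, uint32_t edx)
{
    uint64_t new1 = msr_new_value(eax, edx);
    enum exec_flag flag = msr_check(msr, eax, edx);

    if (msr_should_log(msr))
        printf("policy check: msr=0x%" PRIx32 " orig=0x%" PRIx64 " new=0x%" PRIx64 " %s\n",
               msr, orig, new1, flag == FLAG_EXECUTE ? "allowed" : "denied");
    return flag == FLAG_EXECUTE ? new1 : orig;
}

int main(void)
{
    /* Constructed guest attempts: clear SCE in EFER, then overwrite LSTAR. */
    uint64_t efer  = msr_apply(0xC0000080u, 0xD01ULL, 0x00000D00u, 0u);
    uint64_t lstar = msr_apply(0xC0000082u, 0xFFFFFFFF81000000ULL, 0x00001000u, 0u);
    printf("EFER now 0x%" PRIx64 ", LSTAR now 0x%" PRIx64 "\n", efer, lstar);
    return 0;
}
```

Unlike the control-register path, an MSR is judged as a whole value: either the requested value matches the fixed value (or the MSR is unrestricted) and the write lands unchanged, or the register keeps its original value. The logging flag is decided independently of the execution flag, so a denied write to a logged MSR leaves a record the monitoring side can alert on.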
In an optional implementation, the apparatus further includes a creation module 1006, configured to:
when the type of the target operation instruction indicates an instruction for creating storage areas, create a first storage area and a second storage area according to the target operation instruction, where the first storage area stores the policy table and the second storage area stores the log.
In an optional implementation, the acquisition module 1003 is further configured to:
when the type of the target operation instruction indicates an instruction for acquiring negotiation information, acquire the target negotiation information;
store the target negotiation information in the virtual machine control structure and notify the virtual machine to read it, where the virtual machine uses the target negotiation information to perform a matching operation with the virtual machine monitor.
Further functional descriptions of the above modules and units are the same as in the corresponding embodiments above and are not repeated here.
The apparatus for performing operations on a register in this embodiment is presented in the form of functional units, where a unit refers to an ASIC (Application Specific Integrated Circuit), a processor and memory executing one or more pieces of software or firmware, and/or other devices able to provide the above functions.
An embodiment of the present invention further provides a computer device having the apparatus for performing operations on a register shown in FIG. 10.
Refer to FIG. 11, a schematic structural diagram of a computer device provided by an optional embodiment of the present invention. As shown in FIG. 11, the computer device includes one or more processors 10, a memory 20, and interfaces for connecting the components, including high-speed and low-speed interfaces. The components are communicatively connected to each other over different buses and may be mounted on a common motherboard or in other ways as needed. The processor can process instructions executed within the computer device, including instructions stored in or on the memory for displaying graphical information of a GUI on an external input/output device (such as a display device coupled to an interface). In some optional implementations, multiple processors and/or multiple buses may be used together with multiple memories if required. Likewise, multiple computer devices may be connected, each providing part of the necessary operations (for example, as a server array, a group of blade servers, or a multi-processor system). FIG. 11 takes one processor 10 as an example.
The processor 10 may be a central processing unit, a network processor, or a combination thereof. The processor 10 may further include a hardware chip, which may be an application-specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field-programmable gate array, generic array logic, or any combination thereof.
The memory 20 stores instructions executable by the at least one processor 10, so that the at least one processor 10 performs the method shown in the above embodiments.
The memory 20 may include a program storage area and a data storage area, where the program storage area may store an operating system and the application programs required by at least one function, and the data storage area may store data created through use of the computer device. In addition, the memory 20 may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some optional implementations, the memory 20 may include memory located remotely from the processor 10 and connected to the computer device over a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
The memory 20 may include volatile memory, such as random access memory; it may also include non-volatile memory, such as flash memory, a hard disk or a solid-state drive; and it may include a combination of the above types of memory.
The computer device further includes an input device 30 and an output device 40. The processor 10, the memory 20, the input device 30 and the output device 40 may be connected by a bus or by other means; FIG. 11 takes a bus connection as an example.
The input device 30 can receive input numeric or character information and generate key signal input related to user settings and function control of the computer device; examples include a touch screen, a keypad, a mouse, a track pad, a touch pad, a pointing stick, one or more mouse buttons, a trackball and a joystick. The output device 40 may include a display device, an auxiliary lighting device (for example, an LED) and a tactile feedback device (for example, a vibration motor). The display device includes, but is not limited to, a liquid crystal display, a light-emitting diode display and a plasma display. In some optional implementations, the display device may be a touch screen.
The computer device further includes a communication interface 30 for communicating with other devices or a communication network.
An embodiment of the present invention further provides a computer-readable storage medium. The method according to the embodiments of the present invention may be implemented in hardware or firmware, or as computer code recorded on a storage medium, or as computer code originally stored on a remote storage medium or a non-transitory machine-readable storage medium and downloaded over a network to be stored on a local storage medium, so that the method described herein can be carried out by such software stored on a storage medium using a general-purpose computer, a dedicated processor, or programmable or dedicated hardware. The storage medium may be a magnetic disk, an optical disc, a read-only memory, a random access memory, a flash memory, a hard disk or a solid-state drive, or a combination of the above types of memory. It will be understood that a computer, processor, microprocessor controller or programmable hardware includes a storage component that can store or receive software or computer code which, when accessed and executed by the computer, processor or hardware, implements the method shown in the above embodiments.
Part of the present invention may be applied as a computer program product, such as computer program instructions which, when executed by a computer, invoke or provide the method and/or technical solution according to the present invention through the operation of that computer. Those skilled in the art will understand that computer program instructions may exist on a computer-readable medium as, among other forms, source files, executable files and installation package files, and accordingly may be executed by a computer in ways that include, but are not limited to: the computer executing the instructions directly; the computer compiling the instructions and then executing the compiled program; the computer reading and executing the instructions; or the computer reading and installing the instructions and then executing the installed program. Here, the computer-readable medium may be any available computer-readable storage medium or communication medium accessible to the computer.
Although the embodiments of the present invention have been described with reference to the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the present invention, and all such modifications and variations fall within the scope defined by the appended claims.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410987349.2A (CN118520464B) | 2024-07-23 | 2024-07-23 | Method for performing operations on registers, computer device, storage medium and program product |
| Publication Number | Publication Date |
|---|---|
| CN118520464A | 2024-08-20 |
| CN118520464B | 2024-12-03 |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |