Disclosure of Invention
In view of the foregoing, the present invention provides a method, apparatus, computer device, storage medium and program product for performing operations on registers to solve the problem that some software bypasses kernel reinforcement technology and attacks the virtual machine operating system.
In a first aspect, the present invention provides a method for performing an operation on a register, the method comprising: capturing a target operation instruction, where the target operation instruction is an operation instruction that causes a virtual machine to switch from a working state to an exit state;
determining the type of the target operation instruction according to the target operation instruction;
When the target operation instruction is determined to be an instruction for operating a target register according to the type of the target operation instruction, acquiring an original value corresponding to the target register;
Acquiring a first new value corresponding to the target operation instruction;
determining whether target policy data corresponding to the target register exists in a pre-constructed policy table;
When it is determined that the target policy data is present in the policy table, one or more elements are selected from the target policy data, the original value, and the first new value, and an operation is performed on the target register.
The method for executing the operation on the register has the following advantages:
because modifying the value in a register is the lowest-level form of modification, even if some software bypasses the kernel reinforcement technology, the scheme can directly intercept the target operation instruction at the register level, and can specifically analyze the target operation instruction according to the policy data in the pre-constructed policy table and the obtained original value and first new value of the target register before executing the operation on the target register. In this way, virtual machine security problems caused by some software directly modifying the values in the registers can be avoided.
In an alternative embodiment, the target register is a control register;
when it is determined that the target policy data exists in the policy table, selecting one or more elements from the target policy data, the original value, and the first new value and performing an operation on the target register includes:
Performing an exclusive-or operation on the original value and the first new value to determine whether at least one modified bit exists;
When it is determined that at least one modification bit exists, updating a value corresponding to each modification bit in the first new value according to each modification bit and the target policy data to obtain a second new value;
and according to the second new value, executing updating operation on the target register.
Specifically, since each bit of the control register indicates one function, policy verification is performed for each bit, so that all functions can be covered. Moreover, the update is carried out only after policy verification has been performed on each modification bit, so that the finally updated value is ensured to be a safe value and the security of the virtual machine is improved.
In an alternative embodiment, when it is determined that at least one modified bit exists, updating a value corresponding to each modified bit in the first new value according to each modified bit and the target policy data to obtain a second new value, where the updating includes:
Determining whether policy sub-data corresponding to target modification bits exists in the target policy data according to the target modification bits, wherein the target modification bits are any modification bit in at least one modification bit;
When the strategy sub-data exists in the target strategy data, updating a value corresponding to the target modification bit in the first new value according to the strategy sub-data;
And after it is determined that every modification bit for which policy sub-data exists has been updated, obtaining the second new value.
Specifically, by updating the first new value at each modification bit for which policy sub-data exists, a secure value, that is, the second new value, can be obtained, so that the finally updated value is ensured to be a secure value and the security of the virtual machine is improved.
In an alternative embodiment, when determining that the policy sub-data exists in the target policy data, updating a value corresponding to the target modification bit in the first new value according to the policy sub-data includes:
When the strategy sub-data is determined to comprise a first fixed value corresponding to the target modification bit, modifying a value corresponding to the target modification bit in the first new value into the first fixed value;
Or alternatively
And when determining that the strategy sub-data comprises the instruction information for prohibiting modification, restoring the value corresponding to the target modification bit in the first new value into the value corresponding to the target modification bit in the original value.
Specifically, different modification bits may correspond to different modification manners, where the modification manners are related to functions of the corresponding modification bits, and by using the corresponding modification manners, the first new value may be updated to a security value, so that security of the virtual machine may be improved.
In an alternative embodiment, the target register is a Model-Specific Register (MSR);
when it is determined that the target policy data exists in the policy table, selecting one or more elements from the target policy data, the original value, and the first new value and performing an operation on the target register includes:
when the target strategy data comprises a second fixed value corresponding to the target register, setting an execution mark for the target operation instruction according to the first new value and the second fixed value;
Or alternatively
When the target strategy data does not comprise a second fixed value corresponding to the target register, setting the execution mark for the target operation instruction according to whether the target strategy data comprises the instruction information for prohibiting modification;
And executing the operation corresponding to the execution mark on the target register according to the execution mark.
In particular, when the second fixed value is present, whether the instruction is executed depends on the first new value and the second fixed value, so that unauthorized modification can be prevented and the register value remains within a secure range. When the second fixed value is not present but the instruction information for prohibiting modification is present, the modification operation is prevented directly, further strengthening the protection of the target register.
In an optional embodiment, the execution flag is a first flag or a second flag, where the first flag is used to indicate that the target operation instruction is executed, and the second flag is used to indicate that the target operation instruction is prohibited from being executed;
when the target policy data includes a second fixed value corresponding to the target register, setting an execution flag for the target operation instruction according to the first new value and the second fixed value, including:
comparing the first new value with the second fixed value;
when the comparison result is that the first new value is consistent with the second fixed value, setting an execution flag of the target operation instruction as the first flag;
Or alternatively
And when the comparison result is that the first new value is inconsistent with the second fixed value, setting an execution flag of the target operation instruction as the second flag.
Specifically, the scheme can ensure that the modification operation is allowed to be executed only when the new value is completely consistent with the preset fixed value, so that unauthorized modification is effectively prevented, and the safety of the virtual machine is improved.
In an optional implementation manner, when it is determined that the target policy data does not include the second fixed value corresponding to the target register, the setting the execution flag for the target operation instruction according to whether the target policy data includes the instruction information for prohibiting modification includes:
When the target policy data is determined to comprise the modification prohibition instruction information, setting an execution flag of the target operation instruction to the second flag;
Or alternatively
And when the target strategy data does not comprise the instruction information for prohibiting modification, setting an execution flag of the target operation instruction as the first flag.
Specifically, by prohibiting modification to a particular register, unauthorized modification can be effectively prevented, protecting the virtual machine from dangerous operations, and security is enhanced.
In an alternative embodiment, the performing, according to the execution flag, an operation corresponding to the execution flag on the target register includes:
when the execution flag is determined to be a first flag, updating the value in the target register according to the first new value;
Or alternatively
And when the execution flag is determined to be a second flag, not performing updating operation on the target register.
Specifically, by setting the execution flag, it is ensured that only authenticated and authorized operations can update the target register, unauthorized access or modification is effectively prevented, and security of the virtual machine is enhanced.
In an alternative embodiment, the method further comprises:
Determining whether the target policy data comprises indication information for enabling a log;
When determining that the target policy data comprises the indication information of enabling the log, setting a log record mark for the target operation instruction, wherein the log record mark is used for indicating recording policy verification information;
Or alternatively
And when determining that the indication information of enabling the log is not included in the target strategy data, not setting a log record mark for the target operation instruction.
In particular, for important and valuable events, by enabling the indication information of the log, the history record of the register operation is tracked, so that the analysis by subsequent technicians is facilitated, and the strategy is improved. For events with low value, only policy verification is performed to avoid security problems, log recording is not needed, and storage space can be saved.
In an alternative embodiment, the obtaining a first new value corresponding to the target operation instruction includes:
Acquiring a first operand stored in a first general register and a second operand stored in a second general register;
And obtaining the first new value according to the first operand and the second operand.
Specifically, a complete first new value may be obtained by combining operands stored in two general purpose registers separately.
In an alternative embodiment, the method further comprises:
When the target operation instruction is determined to be an instruction for creating a storage area according to the type of the target operation instruction, a first storage area and a second storage area are created according to the target operation instruction, wherein the first storage area is used for storing the strategy table, and the second storage area is used for storing a log.
In particular, by storing the policy table and log in separate areas, a clear classification and organization of data may be maintained, facilitating management and retrieval. Also, since policy tables may require frequent access, while journals are more focused on long-term storage and archiving, such separation may optimize the respective access and storage policies. In addition, since the policy table and the log may have different access modes and performance requirements, dividing the storage area is more conducive to flexibly setting the access modes of the policy table and the log.
In an alternative embodiment, the method further comprises:
when the target operation instruction is determined to be an instruction for acquiring negotiation information according to the type of the target operation instruction, acquiring target negotiation information;
Storing the target negotiation information in a virtual machine control structure body, and informing the virtual machine to read, wherein the target negotiation information is used for the virtual machine to perform matching operation with a virtual machine monitor according to the target negotiation information.
In particular, the negotiation information typically includes security parameters and the like regarding communication between the virtual machine and the virtual machine monitor. Through the matching operation of the negotiation information, the interaction safety between the virtual machine and the virtual machine monitor can be ensured, and unauthorized access or data leakage can be prevented.
In a second aspect, the present invention provides an apparatus for performing an operation on a register, the apparatus comprising:
The capturing module is used for capturing a target operation instruction, wherein the target operation instruction is an operation instruction for causing the virtual machine to be switched from a working state to an exit state;
the determining module is used for determining the type of the target operation instruction according to the target operation instruction;
The acquisition module is used for acquiring an original value corresponding to the target register when the target operation instruction is determined to be an instruction for operating the target register according to the type of the target operation instruction;
The determining module is further configured to determine, in a pre-constructed policy table, whether target policy data corresponding to the target register exists;
And the execution module is used for selecting one or more elements from the target policy data, the original value and the first new value when the target policy data exists in the policy table, and executing operation on the target register.
In a third aspect, the present invention provides a computer device comprising a memory and a processor, the memory and the processor being communicatively coupled to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the method of performing an operation on a register of the first aspect or any of its corresponding embodiments.
In a fourth aspect, the present invention provides a computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method of performing an operation on a register of the first aspect or any of its corresponding embodiments.
In a fifth aspect, the present invention provides a computer program product comprising computer instructions for causing a computer to perform the method of performing an operation on a register of the first aspect or any of its corresponding embodiments.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The following explains the technical terms related to the embodiments of the present invention.
Virtual Machine Exit (VM Exit) refers to a "trap" operation triggered when certain sensitive instructions are executed in the non-root mode of the virtual machine, which causes the processor to switch from non-root mode back to root mode, i.e., back to the Virtual Machine Monitor (VMM).
Virtual Machine Entry (VM Entry) is the process corresponding to VM Exit: after the virtual machine monitor has processed the sensitive instruction executed by the virtual machine, control of the processor is handed back to the virtual machine through a VM Entry operation. This operation causes the processor to switch from root mode to non-root mode, allowing the virtual machine to continue running.
The virtual machine control structure (Virtual Machine Control Structure, VMCS) is a memory area for storing and managing state and control information of the virtual machine, etc. The right of the virtual machine to the data stored in the virtual machine control structure is read-only. The authority of the virtual machine monitor to the data stored in the virtual machine control structure is read/write.
The embodiment of the invention is applied to computer equipment, and a virtual machine monitor and at least one virtual machine can be installed on the computer equipment. For example, the computer device may be a server, a terminal, or the like. As shown in fig. 1, the virtual machine monitor may include an event filtering module and a policy verification module, and at least one storage area is managed, where each storage area has an association relationship with one virtual machine, that is, each virtual machine may perform operations of writing data and reading data in a corresponding storage area. The event filtering module may be configured to identify sensitive operations of the virtual machine, that is, capture target operation instructions. The policy validation module may be configured to perform a policy validation operation on the target operation instruction using the policy data in the policy table. The Virtual Machine may include a negotiation module, a policy management module, a log management module, and a Virtual Machine (VM) communication module. The negotiation module may be configured to perform authentication of negotiation information. The policy management module may be used for writing and deleting policy data, etc. The log management module may be used to read the log stored in the storage area. The communication module may be used to accomplish interactions of the virtual machine and the virtual machine monitor. The detailed operation of each module mentioned above may be referred to in the following, and will not be described herein.
The embodiment of the invention provides a method for executing operation on a register, which can improve the security of a virtual machine operating system by monitoring an instruction for executing operation on the register, and then performing policy verification and processing.
In accordance with an embodiment of the present invention, there is provided a method embodiment for performing operations on registers, it being noted that the steps shown in the flowchart of the figures may be performed in a computer system, such as a set of computer executable instructions, and, although a logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in an order other than that shown or described herein.
In this embodiment, a method for performing an operation on a register is provided, which may be performed by the computer device described above, and fig. 2 is a flowchart of a method for performing an operation on a register according to an embodiment of the present invention, as shown in fig. 2, where the flowchart includes the following steps:
Step S201, capturing a target operation instruction.
The target operation instruction may be an operation instruction that causes the virtual machine to switch from the working state to the exit state. The target operation instruction may be an instruction to operate a target register, an instruction to acquire negotiation information, an instruction to create a storage area, an instruction to write policy data, an instruction to delete policy data, and the like. Taking the x86 instruction set as an example, the instruction to obtain negotiation information may be the cpuid instruction. The instruction for creating the storage area, the instruction for writing the policy data, and the instruction for deleting the policy data may be vmcall instructions, and the vmcall instructions may include custom parameters, where different custom parameters indicate different instructions; for example, when the custom parameter is A, the vmcall instruction is an instruction for creating the storage area, and when the custom parameter is B, the vmcall instruction is an instruction for writing the policy data. The instructions operating on the target register may be mov-to-CR0 instructions, rdmsr instructions, wrmsr instructions, and the like.
Specifically, after the virtual machine acquires the target operation instruction, the target operation instruction is executed, and information related to the target operation instruction is recorded in a designated area in the virtual machine control structure (Virtual Machine Control Structure, VMCS). And when the computer equipment monitors that the target operation instruction is a sensitive instruction (namely an instruction which can cause a security problem to the virtual machine), triggering the virtual machine to enter a VM Exit mode, namely entering processing logic of a virtual machine monitor (Virtual Machine Monitor, VMM). The event filtering module of the virtual machine monitor may read information about the target operation instruction from the specified area of the virtual machine control structure, that is, the target operation instruction is captured.
Step S202, determining the type of the target operation instruction according to the target operation instruction.
Wherein the type of the target operation instruction may be used to indicate the operation object. The operation object may be one of a register, a virtual machine, or a virtual machine monitor.
Specifically, the event filtering module analyzes the related information of the target operation instruction, and determines the type of the target operation instruction.
In step S203, when the target operation instruction is determined to be an instruction for operating the target register according to the type of the target operation instruction, the original value corresponding to the target register is obtained.
The target register may be a Control Register (CR), a Model-Specific Register (MSR), or the like.
Specifically, when it is determined that the operation target is a control register according to the type of the target operation instruction, the original value is stored in a control register area in the virtual machine control structure body, and at this time, the original value can be read from the control register area. Or when the target register is an MSR register, the original value is stored in an MSR register area in the virtual machine control structure body, and the original value can be read from the MSR register area.
In step S204, a first new value corresponding to the target operation instruction is obtained.
Specifically, when the target register is a control register, the first new value may be read from a source register region in the virtual machine control structure. Or, when the target register is an MSR register, obtaining the first new value includes the steps of obtaining a first operand stored in a first general-purpose register and a second operand stored in a second general-purpose register, and obtaining the first new value according to the first operand and the second operand (the two operands are combined by bitwise operations). The first general-purpose register may be the eax register, and the second general-purpose register may be the edx register.
In step S205, in the pre-constructed policy table, it is determined whether or not there is target policy data corresponding to the target register.
The policy table may store a plurality of pieces of policy data, and policy identification information corresponding to each piece of policy data. The policy data may include a policy verification object and policy indication information, wherein the policy indication information may be one of indication information for prohibiting modification and a fixed value. The policy object may be a register. Since each bit of the control register corresponds to a function, when the policy object is the control register, the policy indication information may include policy indication information for at least one bit (i.e., at least one piece of policy sub-data). For example, for the Write Protect bit (WP) of the CR0 register, the program may read and write any physical page when WP=0, and write operations to read-only physical pages are disabled when WP=1. And one MSR register is used to handle one function, such as performance monitoring, power management, virtualization support, etc. Or the policy data may also include log-enabled indication information. Or, when the register is a control register, the log-enabled indication information may also be set at the granularity of bits.
Specifically, the policy verification module may match the policy object included in each piece of policy data in the policy table according to the identification information of the target register. When the policy data corresponding to the identification information of the target register is matched, it may be determined that the policy table has the target policy data corresponding to the target register. When the policy data corresponding to the identification information of the target register is not matched, the target operation instruction is indicated to be a safe operation instruction, and the target operation instruction can be directly executed.
In step S206, when it is determined that the target policy data exists in the policy table, one or more elements are selected from the target policy data, the original value, and the first new value, and an operation is performed on the target register.
Specifically, since there is a difference in the workflow of different registers, it is necessary to perform a policy verification process according to its own operating characteristics for different registers. The control register and the MSR register are respectively described as examples.
First, the target register is a control register.
Step one, exclusive-or operation is performed on the original value and the first new value to determine whether at least one modification bit exists.
Specifically, the policy validation module may traverse each bit of the original value (or the first new value); for each traversed bit, it obtains a first value corresponding to the bit from the original value and a second value corresponding to the bit from the first new value, compares the first value with the second value, determines that the bit is not a modification bit if the two are the same, and determines that the bit is a modification bit if the two are different. In this way, it may be determined whether any modification bit is present. If not, the target operation instruction is indicated to be a safe operation instruction and can be directly executed. If there is a modification bit, a subsequent step two may be performed.
And step two, when at least one modification bit exists, updating the value corresponding to each modification bit in the first new value according to each modification bit and the target strategy data to obtain a second new value.
Step 1, determining whether policy sub-data corresponding to the target modification bit exists in the target policy data according to the target modification bit.
Wherein the target modification bit is any one of the at least one modification bit.
Specifically, the policy validation module may traverse the policy sub-data included in the target policy data according to the target modification bit to determine whether there is policy sub-data matching the target modification bit. If there is none, no policy constrains the target modification bit, and it is indicated to be a safe modification. If there is, a subsequent step 2 may be performed.
And 2, when determining that the target strategy data has strategy sub-data, updating a value corresponding to the target modification bit in the first new value according to the strategy sub-data.
Specifically, when it is determined that the policy sub-data includes a first fixed value corresponding to the target modification bit, a value corresponding to the target modification bit in the first new value is modified to the first fixed value. Or when the strategy sub-data is determined to comprise the instruction information for prohibiting modification, restoring the value corresponding to the target modification bit in the first new value into the value corresponding to the target modification bit in the original value.
And step 3, after it is determined that every modification bit for which policy sub-data exists has been updated, the second new value is obtained.
And step three, according to the second new value, updating the target register.
Specifically, the virtual machine monitor may update the original value in the target register to the second new value.
The policy enforcement flow for the control registers is shown in fig. 3.
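The control-register flow above (step one to step three, also summarized in the "alternative embodiment" paragraphs of the disclosure) can be written out as a small function. The following C code is an added example and is not code from the patent or from any product; the `struct cr_bit_policy` and `struct cr_policy` layouts, the `CR_BIT_*` action names and the sample CR0 policy are assumptions made here, since the page gives no binary format for the policy table. The example implements the XOR step to find modification bits, then, per modification bit with policy sub-data, either forces the first fixed value or restores the bit from the original value, and returns the second new value that the virtual machine monitor would write to the register.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Policy sub-data for one control-register bit (hypothetical layout). */
enum cr_bit_action {
    CR_BIT_NO_POLICY = 0,   /* no sub-data for this bit: guest change passes */
    CR_BIT_FIXED     = 1,   /* force the bit to a first fixed value */
    CR_BIT_PROHIBIT  = 2    /* prohibit modification: restore the original bit */
};

struct cr_bit_policy {
    uint8_t bit;              /* bit index in the control register */
    enum cr_bit_action action;
    uint8_t fixed_value;      /* 0 or 1, used when action == CR_BIT_FIXED */
};

/* Target policy data for one control register: its identification
 * (CR number) and the list of policy sub-data entries. */
struct cr_policy {
    unsigned cr_number;
    const struct cr_bit_policy *bits;
    size_t nbits;
};

/* Look up the policy sub-data for one modification bit, or NULL if none. */
static const struct cr_bit_policy *find_bit_policy(const struct cr_policy *p, unsigned bit)
{
    for (size_t i = 0; i < p->nbits; i++)
        if (p->bits[i].bit == bit)
            return &p->bits[i];
    return NULL;
}

/* Step one: XOR original and first new value to find modification bits.
 * Step two: for each modification bit with policy sub-data, force the
 *           first fixed value or restore the original bit.
 * Step three: return the second new value to be written to the register.
 * A NULL policy means no target policy data exists: the first new value
 * is returned unchanged. The number of corrected bits is reported
 * through corrected_bits when that pointer is non-NULL. */
uint64_t cr_apply_policy(const struct cr_policy *p, uint64_t original,
                         uint64_t first_new, unsigned *corrected_bits)
{
    uint64_t modified = original ^ first_new;      /* 1 = modification bit */
    uint64_t second_new = first_new;
    unsigned corrected = 0;

    for (unsigned bit = 0; bit < 64; bit++) {
        if (!((modified >> bit) & 1))
            continue;                              /* not a modification bit */
        const struct cr_bit_policy *sub = p ? find_bit_policy(p, bit) : NULL;
        if (sub == NULL || sub->action == CR_BIT_NO_POLICY)
            continue;                              /* no sub-data: keep guest value */

        uint64_t mask = (uint64_t)1 << bit;
        if (sub->action == CR_BIT_FIXED)
            second_new = sub->fixed_value ? (second_new | mask) : (second_new & ~mask);
        else /* CR_BIT_PROHIBIT: restore the bit from the original value */
            second_new = (second_new & ~mask) | (original & mask);
        corrected++;
    }
    if (corrected_bits)
        *corrected_bits = corrected;
    return second_new;
}

/* Convenience wrapper: how many modification bits the policy corrected. */
unsigned cr_corrected_count(const struct cr_policy *p, uint64_t original, uint64_t first_new)
{
    unsigned n = 0;
    cr_apply_policy(p, original, first_new, &n);
    return n;
}

/* Constructed sample policy for CR0: bit 16 (WP) must stay 1, bit 0 (PE)
 * must not be modified. Bit indices follow the x86 CR0 layout. */
static const struct cr_bit_policy cr0_bits[] = {
    { 16, CR_BIT_FIXED,    1 },
    { 0,  CR_BIT_PROHIBIT, 0 },
};
const struct cr_policy cr0_policy = { 0, cr0_bits, 2 };

int main(void)
{
    uint64_t original = 0x80050033ULL;             /* constructed: PE=1, WP=1 */
    uint64_t attempt  = original & ~(1ULL << 16);  /* guest tries to clear WP */
    unsigned fixed = 0;
    uint64_t result = cr_apply_policy(&cr0_policy, original, attempt, &fixed);
    printf("original=%#llx attempt=%#llx written=%#llx corrected=%u\n",
           (unsigned long long)original, (unsigned long long)attempt,
           (unsigned long long)result, fixed);
    return 0;
}
```

With the sample policy, an attempt to clear WP is written back with WP still set, an attempt to clear PE is restored to the original bit, and a change to a bit with no sub-data (for example bit 2, EM) passes through unchanged, which is the per-bit behaviour the three steps describe.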
Second, the target register is an MSR register.
Step one, when the target policy data comprises a second fixed value corresponding to the target register, setting an execution flag for the target operation instruction according to the first new value and the second fixed value.
Wherein the execution flag is a first flag or a second flag. The first flag is used for indicating execution of the target operation instruction, and the second flag is used for indicating prohibition of execution of the target operation instruction. For example, the first flag may be "allow" and the second flag may be "redirect".
Specifically, the specific step of setting the execution flag for the target operation instruction according to the first new value and the second fixed value may include:
and step 1, comparing the first new value with the second fixed value.
And step 2, setting the execution flag of the target operation instruction as a first flag when the comparison result is that the first new value is consistent with the second fixed value.
And step 3, setting the execution flag of the target operation instruction as a second flag when the comparison result is that the first new value is inconsistent with the second fixed value.
And step two, when the fact that the target strategy data does not comprise the second fixed value corresponding to the target register is determined, setting an execution mark for the target operation instruction according to whether the target strategy data comprises the instruction information for prohibiting modification.
Specifically, when it is determined that the instruction information for prohibiting modification is included in the target policy data, the execution flag of the target operation instruction may be set to the second flag. Or when it is determined that the instruction information for prohibiting modification is not included in the target policy data, the execution flag of the target operating instruction may be set to the first flag.
And step three, executing the operation corresponding to the execution mark on the target register according to the execution mark.
Specifically, when the execution flag is determined to be the first flag, the value in the target register is updated according to the first new value, i.e., the original value in the target register is updated to the first new value. Or when the execution flag is determined to be the second flag, the update operation is not performed on the target register.
The policy enforcement flow for the MSR register is shown in FIG. 4.
In the method for performing an operation on a register provided in this embodiment, the modification of a value in a register is the lowest-level modification mode. Even if some software bypasses the kernel reinforcement technology, the method directly intercepts the target operation instruction at the register level, and executes the operation on the target register only after analyzing the target operation instruction against the policy data in the pre-constructed policy table together with the obtained original value and first new value of the target register. In this way, virtual machine security problems caused by some software directly modifying the values in the registers can be avoided.
In this embodiment, a method for setting a log record flag is provided, which may be executed by the above-mentioned computer device. Fig. 5 is a flowchart of a method for setting a log record flag according to an embodiment of the present invention; as shown in fig. 5, the flowchart includes the following steps:
In step S501, it is determined whether indication information for enabling the log is included in the target policy data.
In step S502, when it is determined that the indication information for enabling the log is included in the target policy data, a log record flag is set for the target operation instruction.
The log record flag is used for indicating that policy verification information is to be recorded. The policy verification information may include the modification result, for example the second new value.
In step S503, when it is determined that the indication information for enabling the log is not included in the target policy data, the log record flag is not set for the target operation instruction.
Thus, for a control register, after the update operation is performed on the control register, it may be determined whether the log record flag is set for the target operation instruction, and if so, the policy verification information of the flow shown in fig. 2 may be recorded (as shown in fig. 4). For an MSR register, after the log record flag is set, it may be determined whether the log record flag is set for the target operation instruction, and if so, the policy verification information of the flow shown in fig. 2 may be recorded (as shown in fig. 5).
The method for setting the log record flag provided by this embodiment facilitates tracking the history of register operations by enabling the log indication information for important and valuable events, so that subsequent analysis by technicians is easier and the policy can be improved. For events of low value, only policy verification is performed to avoid security problems; no log record is needed, and storage space is saved.
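As an added example that is not part of the patent, the following C code models the control register flow (fig. 3), the MSR flow (fig. 4) and the log record flag (fig. 5) described above as user-space functions: every type, function and bit-mask name is an assumption, and the sample policies and register values are constructed for the demonstration.

```c
/* Added example (not the patent's code): hypervisor-side policy check for a
 * trapped control-register or MSR write, modelled on the flows above.
 * All type and function names are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Execution flag used by the MSR flow ("allow" / "redirect" in the text) */
typedef enum { FLAG_ALLOW = 1, FLAG_REDIRECT = 2 } exec_flag_t;

/* Control-register policy data as a set of per-bit policy sub-data:
 * a bit in has_policy has sub-data; if it is also in has_fixed the sub-data is
 * a first fixed value (taken from fixed_value), otherwise it is "prohibit
 * modification". Bits outside has_policy are unconstrained. */
typedef struct {
    uint64_t has_policy;
    uint64_t has_fixed;
    uint64_t fixed_value;
    bool log_enabled;      /* indication information for enabling the log */
} cr_policy_t;

/* MSR policy data: optional second fixed value, or prohibit modification */
typedef struct {
    bool has_fixed;
    uint64_t fixed_value;
    bool prohibit_modification;
    bool log_enabled;
} msr_policy_t;

/* Result of policy verification for one trapped write */
typedef struct {
    uint64_t value;    /* value the register ends up holding */
    bool updated;      /* false = write suppressed, register unchanged */
    bool log;          /* log record flag */
} decision_t;

/* Control-register flow: XOR original and first new value to find the
 * modification bits, then rewrite each constrained bit to get the second new
 * value. Unconstrained bits keep whatever the guest wrote. */
decision_t enforce_cr_write(const cr_policy_t *p, uint64_t original, uint64_t first_new)
{
    decision_t d = { first_new, true, p->log_enabled };
    uint64_t modified = original ^ first_new;       /* step 1: modification bits */
    if (modified == 0)
        return d;                                   /* nothing changed */
    uint64_t fixed_bits  = modified & p->has_policy & p->has_fixed;
    uint64_t locked_bits = modified & p->has_policy & ~p->has_fixed;
    /* bits with a first fixed value are forced to that value */
    d.value = (d.value & ~fixed_bits)  | (p->fixed_value & fixed_bits);
    /* bits marked "prohibit modification" are restored from the original */
    d.value = (d.value & ~locked_bits) | (original & locked_bits);
    return d;
}

/* MSR flow, steps one and two: derive the execution flag */
exec_flag_t msr_exec_flag(const msr_policy_t *p, uint64_t first_new)
{
    if (p->has_fixed)
        return (first_new == p->fixed_value) ? FLAG_ALLOW : FLAG_REDIRECT;
    return p->prohibit_modification ? FLAG_REDIRECT : FLAG_ALLOW;
}

/* MSR flow, step three: apply the flag (whole-register, no per-bit merge) */
decision_t enforce_msr_write(const msr_policy_t *p, uint64_t original, uint64_t first_new)
{
    decision_t d;
    d.updated = (msr_exec_flag(p, first_new) == FLAG_ALLOW);
    d.value   = d.updated ? first_new : original;
    d.log     = p->log_enabled;
    return d;
}

/* Constructed sample policies for the demonstration below (not real policy
 * data from the patent): pin CR0.WP (bit 16) to 1, forbid changing CR0.PG
 * (bit 31), and pin a hypothetical MSR to the value 0xd01. */
static const cr_policy_t sample_cr0_policy = {
    .has_policy  = (1ULL << 16) | (1ULL << 31),
    .has_fixed   = (1ULL << 16),
    .fixed_value = (1ULL << 16),
    .log_enabled = true,
};
static const msr_policy_t sample_msr_policy = { true, 0xd01, false, false };

int main(void)
{
    /* guest tries to clear WP and PG and set EM (bit 2) in one MOV to CR0 */
    decision_t d = enforce_cr_write(&sample_cr0_policy, 0x80050033ULL, 0x00040037ULL);
    printf("CR0: second new value 0x%llx, log=%d\n", (unsigned long long)d.value, d.log);
    decision_t m = enforce_msr_write(&sample_msr_policy, 0xd01, 0x501);
    printf("MSR: updated=%d value 0x%llx\n", m.updated, (unsigned long long)m.value);
    return 0;
}
```

With the sample CR0 policy the guest's attempt to clear WP and PG is undone while its unconstrained change to EM survives, which is exactly the per-bit merge that distinguishes the control register flow from the all-or-nothing MSR flow.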
Since the target operation instruction has various cases, such as an instruction for operating the target register, an instruction for acquiring negotiation information, an instruction for creating a storage area, an instruction for writing policy data, an instruction for deleting policy data, and the like, steps S203 to S206 mainly describe the policy verification process for the instruction for operating the target register. The execution of the target operation instruction in the other cases is described specifically below.
First, a negotiation method. When the target operation instruction is determined to be an instruction for acquiring negotiation information according to the type of the target operation instruction, the target negotiation information is acquired, stored in the virtual machine control structure, and the virtual machine is notified to read it.
The target negotiation information is used by the virtual machine to perform a matching operation with the virtual machine monitor. It is a message agreed in advance between the negotiation module of the virtual machine and the virtual machine monitor; its content is not limited and only needs to be recognized by the negotiation module.
Specifically, as shown in fig. 6, the negotiation module executes a cpuid instruction (the relevant information of the instruction is recorded in the virtual machine control structure), which triggers a negotiation information request, further triggers a VM Exit, and jumps to the processing logic of the virtual machine monitor. The virtual machine monitor may read the cpuid instruction from the virtual machine control structure and determine that the reason for the virtual machine exit event is execution of the cpuid instruction; that is, the virtual machine monitor captures a target operation instruction and determines that it is an instruction for acquiring negotiation information. At this time, the virtual machine monitor stores the designated negotiation information (the target negotiation information) in the virtual machine control structure, triggers VM Entry (also referred to as VM Resume), and jumps to the processing logic of the virtual machine. The virtual machine can then read the target negotiation information from the virtual machine control structure and determine, according to whether the target negotiation information carries the mark information matching it, whether it is running in a matched virtual machine monitor; if so, it can proceed to the subsequent operation of creating the storage area.
Second, a method of creating a storage area. When the target operation instruction is determined to be an instruction for creating a storage area according to the type of the target operation instruction, a first storage area and a second storage area are created according to the target operation instruction.
The first storage area is used for storing the policy table, and the second storage area is used for storing the log. The first storage area is read-only for the virtual machine and read-only for the virtual machine monitor; the second storage area is read-only for the virtual machine and read-only for the virtual machine monitor.
Specifically, as shown in fig. 7, the virtual machine executes a vmcall instruction (the relevant information of the instruction is recorded in the virtual machine control structure), which triggers an initialization request, further triggers a VM Exit, and jumps to the processing logic of the virtual machine monitor. The virtual machine monitor may read the vmcall instruction from the virtual machine control structure and determine that the reason for the virtual machine exit event is execution of the vmcall instruction; that is, the virtual machine monitor captures a target operation instruction and determines, according to a first custom parameter in the vmcall instruction, that the target operation instruction is an instruction for creating a storage area. The virtual machine monitor initializes the shared memory area, divides it into a policy area (the first storage area) and a log area (the second storage area), stores the position information of the first storage area and the position information of the second storage area as return values in the virtual machine control structure, triggers VM Entry, and jumps to the processing logic of the virtual machine. The virtual machine may read the position information of the first storage area and the position information of the second storage area from the virtual machine control structure and map both areas in order to perform the subsequent operations of writing policy data and reading log data.
Third, a method of writing policy data. When the target operation instruction is determined to be an instruction for writing policy data according to the type of the target operation instruction, a plurality of pieces of policy data written by the virtual machine are acquired from the first storage area, and a policy table is constructed from the plurality of pieces of policy data.
Specifically, as shown in fig. 8, after the virtual machine acquires a plurality of pieces of policy data, the virtual machine may encapsulate a policy enabling command and write the acquired policy data into the first storage area according to the encapsulated policy enabling command. The virtual machine may then execute a vmcall instruction (the relevant information of which is recorded in the virtual machine control structure), which triggers an initialize-policy request, further triggers a VM Exit, and jumps to the processing logic of the virtual machine monitor. The virtual machine monitor can read the vmcall instruction from the virtual machine control structure and determine that the reason for the virtual machine exit event is execution of the vmcall instruction; that is, the virtual machine monitor captures a target operation instruction, and when it determines, according to a second custom parameter in the vmcall instruction, that the target operation instruction is an instruction for creating a storage area, it converts the policy data written into the first storage area to generate the policy table.
Fourth, a method of deleting policy data. When the target operation instruction is determined to be an instruction for deleting policy data according to the type of the target operation instruction, first policy identification information is acquired, and the policy data corresponding to the first policy identification information is deleted from the policy table according to the first policy identification information.
Specifically, as shown in fig. 9, after the virtual machine obtains the first policy identification information, the virtual machine may encapsulate the first policy identification information into a policy shutdown instruction and write the first policy identification information into the first storage area according to the policy shutdown instruction. The virtual machine may then execute a vmcall instruction (the relevant information of which is recorded in the virtual machine control structure), which triggers a delete-policy request, further triggers a VM Exit, and jumps to the processing logic of the virtual machine monitor. When the virtual machine monitor reads the vmcall instruction from the virtual machine control structure, that is, captures a target operation instruction, and determines according to a third custom parameter in the vmcall instruction that the target operation instruction is an instruction for deleting policy data, it acquires the first policy identification information from the first storage area, locates the policy data corresponding to the first policy identification information in the policy table, and deletes it.
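As an added example that is not part of the patent, the following C code simulates the vmcall-driven management flows of figs. 7 to 9 in user space: the custom parameter values, the record layout of the policy area, the direction of access to the two areas (policy area written by the virtual machine, log area written by the virtual machine monitor) and all names are assumptions.

```c
/* Added example (not the patent's code): user-space simulation of the vmcall
 * management interface (create areas / write policy / delete policy). Custom
 * parameter values, record layout, access directions and names are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#define POLICY_SLOTS 16
#define LOG_SLOTS    8
#define LOG_LEN      48
/* first, second and third custom parameter carried by the vmcall (constructed values) */
enum { VMCALL_CREATE_AREAS = 1, VMCALL_WRITE_POLICY = 2, VMCALL_DELETE_POLICY = 3 };

/* one piece of policy data as the guest writes it into the policy area */
typedef struct {
    uint32_t policy_id;             /* policy identification information */
    uint32_t reg;                   /* register the policy applies to (constructed encoding) */
    uint64_t fixed_value;
    bool     prohibit_modification, log_enabled;
} policy_rec_t;

/* Shared memory the VMM initialises: policy area written by the guest and read
 * by the VMM, log area written by the VMM and read by the guest (assumed). */
typedef struct {
    policy_rec_t policy_area[POLICY_SLOTS];
    uint32_t     policy_count;      /* number of records the guest wrote */
    uint32_t     delete_id;         /* first policy identification information */
    char         log_area[LOG_SLOTS][LOG_LEN];
    uint32_t     log_count;
} shared_area_t;

/* VMM-private state: the policy table converted from the policy area */
typedef struct {
    policy_rec_t table[POLICY_SLOTS];
    size_t       count;
    bool         areas_ready;
} vmm_state_t;

/* stand-in for the VMCS fields the flows use: vmcall parameter and return values */
typedef struct { uint32_t param; uint64_t ret_policy_pos, ret_log_pos; } vmcs_t;

/* VMM writes policy verification records into the log area for the guest */
static void vmm_log(shared_area_t *sh, const char *msg)
{
    if (sh->log_count < LOG_SLOTS)
        snprintf(sh->log_area[sh->log_count++], LOG_LEN, "%s", msg);
}

/* Handle one VM Exit caused by vmcall; returns 0 on success, -1 if refused. */
int vmm_handle_vmcall(vmm_state_t *s, shared_area_t *sh, vmcs_t *vmcs)
{
    switch (vmcs->param) {
    case VMCALL_CREATE_AREAS:
        /* initialise the shared area and return the position of both parts */
        memset(sh, 0, sizeof *sh);
        vmcs->ret_policy_pos = offsetof(shared_area_t, policy_area);
        vmcs->ret_log_pos    = offsetof(shared_area_t, log_area);
        s->count = 0; s->areas_ready = true;
        return 0;
    case VMCALL_WRITE_POLICY:
        /* convert what the guest wrote into the VMM's own policy table;
         * refuse if the areas do not exist yet or the count is out of range */
        if (!s->areas_ready || sh->policy_count > POLICY_SLOTS)
            return -1;
        memcpy(s->table, sh->policy_area, sh->policy_count * sizeof(policy_rec_t));
        s->count = sh->policy_count;
        vmm_log(sh, "policy table built");
        return 0;
    case VMCALL_DELETE_POLICY:
        if (!s->areas_ready)
            return -1;
        for (size_t i = 0; i < s->count; i++) {
            if (s->table[i].policy_id == sh->delete_id) {
                s->table[i] = s->table[s->count - 1];   /* drop by swapping with the last */
                s->count--;
                vmm_log(sh, "policy deleted");
                return 0;
            }
        }
        return -1;                                      /* unknown identification */
    default:
        return -1;                                      /* not a management parameter */
    }
}

/* Lookup used by the policy verification path: the policy data for one register */
const policy_rec_t *vmm_lookup_policy(const vmm_state_t *s, uint32_t reg)
{
    for (size_t i = 0; i < s->count; i++)
        if (s->table[i].reg == reg)
            return &s->table[i];
    return NULL;
}
```

A guest-side driver would fill policy_area, set policy_count and issue the vmcall with the second custom parameter; in this simulation that is a direct call to vmm_handle_vmcall, and a write or delete request arriving before the areas exist is refused rather than acted on.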
In some alternative embodiments, since the software that poses security problems to the virtual machine is updated quickly, the policy data needs to be updated accordingly. After acquiring a policy data update instruction, the virtual machine may extract second policy identification information and the modified policy data from the instruction and write the second policy identification information and the modified policy data into the first storage area. When the virtual machine monitor is not performing policy verification, it can extract the second policy identification information and the modified policy data from the first storage area, locate the policy data corresponding to the second policy identification information in the policy table, delete it, and add the modified policy data. In this way the policy data is kept up to date, damage to the virtual machine by the latest software can be defended against, and the security of the virtual machine is improved.
In some optional embodiments, after the virtual machine monitor detects that the number of logs in the second storage area exceeds a preset threshold, it may notify the virtual machine, which then reads all the logs from the second storage area. After the virtual machine completes the read operation, the virtual machine monitor may delete the logs promptly, so as to avoid the problem that once the second storage area is full, important logs cannot be stored and the subsequent technical analysis by a technician fails.
In some alternative embodiments, a third storage area may also be created, in which the policy table is backed up. When it is detected that the policy data stored in the first storage area has been lost or that the first storage area has been damaged by related software, the backup policy table is read from the third storage area and processed promptly, preventing virtual machine security problems caused by the inability to perform policy verification. The backup operation further raises the security level.
In this embodiment, a device for performing an operation on a register is further provided, and the device is used to implement the foregoing embodiments and preferred embodiments, and will not be described again. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
The present embodiment provides an apparatus for performing an operation on a register, as shown in fig. 10, including:
The capturing module 1001 is configured to capture a target operation instruction, where the target operation instruction is an operation instruction that causes the virtual machine to switch from a working state to an exit state;
a determining module 1002, configured to determine a type of the target operation instruction according to the target operation instruction;
An obtaining module 1003, configured to obtain an original value corresponding to the target register when the target operation instruction is determined to be an instruction for operating the target register according to the type of the target operation instruction;
The determining module 1002 is further configured to determine, in a pre-constructed policy table, whether target policy data corresponding to the target register exists;
The executing module 1004 is configured to, when it is determined that the target policy data exists in the policy table, select one or more elements from the target policy data, the original value, and the first new value, and execute an operation on the target register.
In an alternative embodiment, the target register is a control register;
The execution module 1004 is specifically configured to:
performing an exclusive-or operation on the original value and the first new value to determine whether at least one modification bit exists;
when at least one modification bit exists, updating the value corresponding to each modification bit in the first new value according to each modification bit and the target policy data to obtain a second new value;
And according to the second new value, performing an updating operation on the target register.
In an alternative embodiment, execution module 1004 is specifically configured to:
determining, for a target modification bit, whether policy sub-data corresponding to the target modification bit exists in the target policy data, wherein the target modification bit is any one of the at least one modification bit;
when it is determined that the policy sub-data exists in the target policy data, updating the value corresponding to the target modification bit in the first new value according to the policy sub-data;
after it is determined that all modification bits having policy sub-data have been updated, obtaining the second new value.
In an alternative embodiment, execution module 1004 is specifically configured to:
when the policy sub-data comprises a first fixed value corresponding to the target modification bit, modifying the value corresponding to the target modification bit in the first new value to the first fixed value;
Or alternatively
and when it is determined that the policy sub-data comprises the instruction information for prohibiting modification, restoring the value corresponding to the target modification bit in the first new value to the value corresponding to the target modification bit in the original value.
In an alternative embodiment, the target register is a model-specific register (MSR);
The execution module 1004 is specifically configured to:
when the target policy data comprises a second fixed value corresponding to the target register, setting an execution flag for the target operation instruction according to the first new value and the second fixed value;
Or alternatively
when the target policy data does not comprise a second fixed value corresponding to the target register, setting an execution flag for the target operation instruction according to whether the target policy data comprises the instruction information for prohibiting modification;
and executing the operation corresponding to the execution flag on the target register according to the execution flag.
In an alternative embodiment, the execution flag is a first flag or a second flag, where the first flag is used to indicate that the target operation instruction is executed, and the second flag is used to indicate that the target operation instruction is prohibited from being executed;
The execution module 1004 is specifically configured to:
comparing the first new value with the second fixed value;
when the comparison result is that the first new value is consistent with the second fixed value, setting the execution flag of the target operation instruction to the first flag;
Or alternatively
And when the comparison result is that the first new value is inconsistent with the second fixed value, setting the execution flag of the target operation instruction as a second flag.
In an alternative embodiment, execution module 1004 is specifically configured to:
When the target policy data comprises the instruction information for prohibiting modification, setting an execution flag of the target operation instruction as a second flag;
Or alternatively
when it is determined that the instruction information for prohibiting modification is not included in the target policy data, setting the execution flag of the target operation instruction to the first flag.
In an alternative embodiment, execution module 1004 is specifically configured to:
when the execution flag is determined to be the first flag, updating the value in the target register according to the first new value;
Or alternatively
When the execution flag is determined to be the second flag, the update operation is not performed on the target register.
In an alternative embodiment, the apparatus further comprises a setting module 1005, the setting module 1005 being configured to:
determining whether the target policy data comprises indication information for enabling the log;
when it is determined that the target policy data comprises indication information for enabling the log, setting a log record flag for the target operation instruction, wherein the log record flag is used for indicating that policy verification information is to be recorded;
Or alternatively
When it is determined that the indication information for enabling the log is not included in the target policy data, a log record flag is not set for the target operation instruction.
In an alternative embodiment, the obtaining module 1003 is specifically configured to:
Acquiring a first operand stored in a first general register and a second operand stored in a second general register;
a first new value is obtained based on the first operand and the second operand.
In an alternative embodiment, the apparatus further comprises a creation module 1006, the creation module 1006 for:
when the target operation instruction is determined to be an instruction for creating a storage area according to the type of the target operation instruction, a first storage area and a second storage area are created according to the target operation instruction, wherein the first storage area is used for storing a policy table, and the second storage area is used for storing a log.
In an alternative embodiment, the obtaining module 1003 is further configured to:
When the target operation instruction is determined to be an instruction for acquiring negotiation information according to the type of the target operation instruction, acquiring the target negotiation information;
storing target negotiation information in a virtual machine control structure body, and informing a virtual machine to read, wherein the target negotiation information is used for the virtual machine to perform matching operation with a virtual machine monitor according to the target negotiation information.
Further functional descriptions of the above respective modules and units are the same as those of the above corresponding embodiments, and are not repeated here.
The apparatus for performing operations on registers in this embodiment is presented in the form of functional units, where the units are ASIC (Application Specific Integrated Circuit) circuits, processors and memory that execute one or more software or firmware programs, and/or other devices that can provide the functionality described above.
The embodiment of the invention also provides a computer device which is provided with the device for executing the operation on the register shown in the figure 10.
Referring to fig. 11, fig. 11 is a schematic structural diagram of a computer device according to an alternative embodiment of the present invention. As shown in fig. 11, the computer device includes one or more processors 10, a memory 20, and interfaces for connecting the components, including a high-speed interface and a low-speed interface. The components are communicatively coupled to each other using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the computer device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output device, such as a display device coupled to the interface. In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. Also, multiple computer devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 10 is illustrated in fig. 11.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further include a hardware chip, among others. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
The memory 20 stores instructions executable by the at least one processor 10, so as to cause the at least one processor 10 to perform the methods of the above embodiments.
The memory 20 may include a storage program area that may store an operating system, application programs required for at least one function, and a storage data area that may store data created according to the use of the computer device, etc. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, memory 20 may optionally include memory located remotely from processor 10, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The memory 20 may comprise volatile memory, such as random access memory, or nonvolatile memory, such as flash memory, hard disk or solid state disk, or the memory 20 may comprise a combination of the above types of memory.
The computer device further comprises input means 30 and output means 40. The processor 10, memory 20, input device 30, and output device 40 may be connected by a bus or other means, for example in fig. 11.
The input device 30 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the computer device, and may be, for example, a touch screen, a keypad, a mouse, a trackpad, a touchpad, a pointer stick, one or more mouse buttons, a trackball, a joystick, and the like. The output device 40 may include a display device, auxiliary lighting means (e.g., LEDs), tactile feedback means (e.g., vibration motors), and the like. Such display devices include, but are not limited to, liquid crystal displays, light emitting diode displays, and plasma displays. In some alternative implementations, the display device may be a touch screen.
The computer device also includes a communication interface 30 for the computer device to communicate with other devices or communication networks.
The embodiments of the present invention also provide a computer-readable storage medium. The method according to the embodiments of the present invention described above may be implemented in hardware, in firmware, or as computer code that may be recorded on a storage medium, or that is originally stored in a remote storage medium or a non-transitory machine-readable storage medium and is downloaded through a network to be stored in a local storage medium, so that the method described herein may be processed by such software stored on a storage medium using a general-purpose computer, a special-purpose processor, or programmable or special-purpose hardware. The storage medium may be a magnetic disk, an optical disk, a read-only memory, a random-access memory, a flash memory, a hard disk, a solid state disk, or the like, and may further include a combination of the above types of memory. It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes a storage element that can store or receive software or computer code that, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
Portions of the present invention may be implemented as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or aspects in accordance with the present invention by way of operation of the computer. Those skilled in the art will appreciate that the existence of computer program instructions in a computer-readable medium includes, but is not limited to, source files, executable files, installation package files, and the like, and accordingly, the manner in which computer program instructions are executed by a computer includes, but is not limited to, the computer directly executing the instructions, or the computer compiling the instructions and then executing the corresponding compiled programs, or the computer reading and executing the instructions, or the computer reading and installing the instructions and then executing the corresponding installed programs. Herein, a computer-readable medium may be any available computer-readable storage medium or communication medium that can be accessed by a computer.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope of the invention as defined by the appended claims.