Virtual machine-based dynamic introspection function-level virtual machine kernel detection system and method

A dynamic detection system and method, applied in the field of cloud security, that addresses the problems that existing detection schemes can be detected or even breached by attackers and cannot be applied to cloud computing. It achieves strong isolation and prevents detection or even breach.

Active Publication Date: 2018-08-31
HARBIN INST OF TECH +1

AI Technical Summary

Problems solved by technology

However, current dynamic-tracking methods usually track at the instruction level or the jump level, which seriously degrades performance, so they cannot be applied to cloud computing.
[0004] Moreover, traditional control flow detection methods often run as a module in the operating system, or as a process in user space, but this scheme may be detected or even broken by attackers.



Examples


Specific Embodiment 1

[0046] A function-level virtual machine kernel dynamic detection system based on virtual machine introspection, as shown in Figure 1, includes a security virtual machine 1, a target virtual machine 2, a virtual machine management layer 3 and hardware 4. The hardware 4 provides the hardware basis for the security virtual machine 1, the target virtual machine 2 and the virtual machine management layer 3. The security virtual machine 1 includes a monitoring framework 11, and the monitoring framework 11 includes an extraction module 111, a learning module 112, and a monitoring module 113. The security virtual machine 1 interacts with the target virtual machine 2 through the virtual machine management layer 3. Using VMI technology, the secure virtual machine 1 controls the part to be processed in the target virtual machine 2 through the virtual machine management layer 3, and the target virtual machine 2 can also receive the target object concerned in the secure virt...

Specific Embodiment 2

[0051] The function-level virtual machine kernel dynamic detection method based on virtual machine introspection includes a dynamic tracking method assisted by static analysis. After monitoring starts, the method first uses static memory analysis to find the addresses of all sub-functions in the system calls to be tracked, and then dynamically monitors these sub-functions. If these functions are executed, the execution information is recorded, and analysis and modeling are then performed on the captured information. Because of indirect addressing such as call eax, we cannot determine statically where such an instruction will jump to, so a single static memory analysis cannot find all the sub-functions of the system calls used. For this reason, we also need to track such instructions in order to learn where execution goes next, and then perform static analysis again to obtain the addresses of the subsequent sub-functions for monitoring. This proce...
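The loop described in [0051], sketched as an added example that is not code from the patent or its prototype. The toy kernel image, its addresses, the register values and the set-of-edges model are all constructed assumptions; the set model stands in for the learning step and is not one of the patent's learning methods.

```python
# Constructed toy kernel image: function address -> instruction list.
# ("icall", reg) models an indirect call such as `call eax`.
KERNEL = {
    0x1000: [("call", 0x2000), ("icall", "eax"), ("ret",)],  # system call entry
    0x2000: [("call", 0x2100), ("ret",)],
    0x2100: [("ret",)],
    0x3000: [("call", 0x3100), ("ret",)],  # expected indirect target
    0x3100: [("ret",)],
    0x6660: [("call", 0x2100), ("ret",)],  # function never seen during learning
}

def static_scan(entry, known):
    """Static pass: follow direct calls from entry, return functions not yet known."""
    found, work = set(), [entry]
    while work:
        func = work.pop()
        if func in known or func in found:
            continue
        found.add(func)
        work.extend(op[1] for op in KERNEL[func] if op[0] == "call")
    return found

def trace_syscall(entry, regs):
    """Track one system call; return (caller, callee) edges and monitored functions."""
    monitored = static_scan(entry, set())  # monitoring points from the first pass
    edges = []

    def run(func):
        for op in KERNEL[func]:
            if op[0] == "icall":
                target = regs[op[1]]  # resolved only by tracking the instruction
                monitored.update(static_scan(target, monitored))  # static pass again
            elif op[0] == "call":
                target = op[1]
            else:
                return  # ret: back to the caller
            edges.append((func, target))
            run(target)
    run(entry)
    return edges, monitored

def unknown_edges(model, edges):
    """Edges absent from the learned model (a plain set, assumed for illustration)."""
    return [e for e in edges if e not in model]

benign_edges, benign_monitored = trace_syscall(0x1000, {"eax": 0x3000})
MODEL = set(benign_edges)  # learning phase on one constructed benign run
suspect_edges, _ = trace_syscall(0x1000, {"eax": 0x6660})
print([tuple(map(hex, e)) for e in unknown_edges(MODEL, suspect_edges)])
```

The first static pass alone reaches only the three directly called functions; the two behind the indirect call are added once that call is tracked, and the run with the altered pointer shows up as two edges outside the model.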

Specific Embodiment 3

[0085] Based on this design, we implemented a prototype system on an x86 server with Intel VT support. Our system is implemented on the Xen platform. The Xen virtualization platform was developed by the University of Cambridge in the United Kingdom. It supports multiple virtualization modes and Intel VT technology, and its performance can reach a level close to that of an operating system running on a physical machine. The main parts of the implementation are the monitoring of the start and end of the target system call, and the analysis, injection and monitoring of instructions. We introduced a whitelist mechanism in the analysis process, and a context-switch handling mechanism in the monitoring process.

[0086] 1. Monitor the start and end of the target system call

[0087] In the fast system call mechanism, entering and exiting the kernel system call from the user mode requires the assistance of the sysenter and sysexit instructions. After the sysenter instruction is exe...


Abstract

The invention discloses a virtual machine-based dynamic introspection function-level virtual machine kernel detection system and method, and belongs to the field of cloud security. The device comprises hardware which is used for providing the hardware basis for a secure virtual machine, a target virtual machine and a virtual machine management layer; the secure virtual machine comprises a monitoring framework; the secure virtual machine interacts with the target virtual machine through the virtual machine management layer; the virtual machine management layer comprises a connection extraction module; and the extraction module is connected with each of the learning module and a monitoring module through page execution information. The method comprises the following steps: starting a monitor; injecting, by the extraction module, a monitoring point into the target virtual machine, so as to ensure that the virtual machine management layer can monitor sub-functions in the call; carrying out static analysis by utilizing a static memory analysis method and dynamic tracking, so as to obtain subsequent sub-functions and monitor them; and executing this in a loop until the system call returns. According to the system and method, execution information is modeled through three learning methods, so that integrity of kernel control flows is detected, and the kernel control flows are prevented from being detected and broken through by attackers.

Description

Technical field

[0001] The invention relates to a virtual machine introspection-based function-level virtual machine kernel dynamic detection system and method, which belong to the field of cloud security.

Background technique

[0002] Nowadays, with the vigorous development of cloud computing, its security issues must be taken seriously. In cloud computing infrastructure and services, the service core provided to users exists in the form of a virtual machine. Whether the user is an individual or an enterprise server user, the final form presented is one or more server virtual machines located in the host cluster of the cloud computing provider. The integrity of the kernel control flow is very important to the security of the virtual machine. If the kernel of the virtual machine is damaged, the security of the entire cloud platform may be threatened. Therefore, detecting the integrity of the kernel control flow of a virtual machine is very important for cloud computing....


Application Information

Patent Type & Authority: Applications (China)
IPC: IPC(8): G06F9/455
CPC: G06F9/45558, G06F2009/45583, G06F2009/45591
Inventor: 邹学强, 叶麟, 余翔湛, 包秀国, 詹东阳, 郭镔, 袁庆升
Owner HARBIN INST OF TECH