
A virtual machine kernel dynamic detection system and method based on virtual machine introspection function level

A dynamic detection system and method, applied in the field of cloud security, that addresses two problems of existing approaches: they may be detected or even broken by attackers, and they cannot be applied to cloud computing.

Active Publication Date: 2021-07-30
HARBIN INST OF TECH +1

AI Technical Summary

Problems solved by technology

However, current dynamic tracking methods usually work at instruction level or jump level, which seriously degrades performance and makes them inapplicable to cloud computing.
[0004] Moreover, traditional control flow detection methods often run as a module in the operating system or as a process in user space, and such a scheme may be detected or even broken by attackers.



Examples


Specific Embodiment 1

[0047] A function-level virtual machine kernel dynamic detection system based on virtual machine introspection, as shown in Figure 1, includes a security virtual machine 1, a target virtual machine 2, a virtual machine management layer 3 and hardware 4. The hardware 4 provides the hardware basis for the security virtual machine 1, the target virtual machine 2 and the virtual machine management layer 3. The security virtual machine 1 includes a monitoring framework 11, and the monitoring framework 11 includes an extraction module 111, a learning module 112 and a monitoring module 113. The security virtual machine 1 interacts with the target virtual machine 2 through the virtual machine management layer 3: using VMI technology, the security virtual machine 1 controls the part to be processed in the target virtual machine 2 through the virtual machine management layer 3, and the target virtual machine 2 can also receive the target object concerned in the secure virt...

Specific Embodiment 2

[0053] The function-level virtual machine kernel dynamic detection method based on virtual machine introspection uses dynamic tracking assisted by static analysis. After monitoring starts, the method first uses static memory analysis to find the addresses of all sub-functions in the system calls to be tracked, and then dynamically monitors these sub-functions. If these functions are executed, the execution information is recorded, and analysis and modeling are then performed on the captured information. Because of indirect addressing such as call eax, we cannot determine where such an instruction will jump to next, so a single static memory analysis cannot find all the sub-functions of the system calls used. For this reason, we also need to track such instructions to learn where execution goes next, and then perform static analysis again to obtain the addresses of the subsequent sub-functions for monitoring. This proce...
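The alternation of static scanning and indirect-call resolution described in [0053], as an added example that is not part of the patent text or the authors' prototype. The toy instruction table, all addresses, and the names static_scan, track_syscall and deviations are constructed for illustration; runtime_targets stands in for what a VMI trap on an indirect call site would report, and the final set comparison is a simplified assumption, not one of the patent's three learning methods.

```python
# Toy model of static-analysis-assisted dynamic tracking (constructed data).
# Each function is a list of (site_address, opcode, operand) instructions.
KERNEL = {
    0x1000: [(0x1004, "call", 0x2000), (0x1010, "icall", "eax"), (0x1018, "ret", None)],
    0x2000: [(0x2008, "call", 0x3000), (0x200C, "ret", None)],
    0x3000: [(0x3004, "ret", None)],
    0x4000: [(0x4004, "call", 0x5000), (0x4008, "ret", None)],  # reached only via call eax
    0x5000: [(0x5004, "ret", None)],
    0x6660: [(0x6664, "ret", None)],  # code never seen during learning
}


def static_scan(entry, known):
    """Follow direct calls from entry; return (new functions, indirect call sites)."""
    funcs, sites, stack = set(), set(), [entry]
    while stack:
        addr = stack.pop()
        if addr in known or addr in funcs:
            continue
        funcs.add(addr)
        for site, op, operand in KERNEL[addr]:
            if op == "call":
                stack.append(operand)
            elif op == "icall":
                sites.add(site)  # target is unknown until the instruction runs
    return funcs, sites


def track_syscall(entry, runtime_targets):
    """Alternate static scans and indirect-call resolution until nothing new appears."""
    monitored, pending = static_scan(entry, set())
    resolved = set()
    while pending:
        site = pending.pop()
        resolved.add(site)
        target = runtime_targets.get(site)
        if target is None:  # this indirect call never executed in the traced run
            continue
        funcs, sites = static_scan(target, monitored)
        monitored |= funcs
        pending |= sites - resolved
    return monitored


def deviations(profile, observed):
    """Functions executed in a monitored run that the learned profile lacks."""
    return sorted(observed - profile)
```

A single static pass from 0x1000 finds only three functions; resolving the call eax site adds the two behind it, and a run in which that site resolves to a different address shows up as a deviation from the learned set.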

Specific Embodiment 3

[0088] Based on this design, we implemented a prototype system on an x86 server with Intel VT support. Our system is implemented on the Xen platform. The Xen virtualization platform was developed by the University of Cambridge in the United Kingdom. It supports multiple virtualization modes and Intel VT technology, and its performance can reach a level close to that of an operating system running on a physical machine. The main parts of the implementation are monitoring the start and end of the target system call, and the analysis, injection and monitoring of instructions. We introduced a whitelist mechanism in the analysis process and a context-switch handling mechanism in the monitoring process.

[0089] 1. Monitor the start and end of the target system call

[0090] In the fast system call mechanism, entering and exiting the kernel system call from the user mode requires the assistance of the sysenter and sysexit instructions. After the sysenter instruction is exe...


Abstract

The present invention is a function-level virtual machine kernel dynamic detection system and method based on virtual machine introspection, belonging to the field of cloud security. In the system, the hardware provides the hardware foundation for a security virtual machine, a target virtual machine and a virtual machine management layer. The security virtual machine includes a monitoring framework and interacts with the target virtual machine through the virtual machine management layer. The virtual machine management layer is connected to the extraction module, and the extraction module is connected to the learning module and to the monitoring module through the page execution information. In the method, monitoring is started; the extraction module injects monitoring points into the target virtual machine so that the virtual machine management layer can monitor the sub-functions in the call; static memory analysis and dynamic tracking are used, and static analysis is performed again to obtain the addresses of the subsequent sub-functions to monitor, looping until the system call returns; the execution information is modeled by three learning methods. The integrity of the kernel control flow is thereby detected, and the detection is prevented from being detected or even broken by an attacker.

Description

Technical field

[0001] The invention relates to a function-level virtual machine kernel dynamic detection system and method based on virtual machine introspection, which belong to the field of cloud security.

Background

[0002] Nowadays, with the vigorous development of cloud computing, its security issues must be taken seriously. In cloud computing infrastructure and services, the core service provided to users exists in the form of a virtual machine. Whether the user is an individual or an enterprise server user, what they finally receive is one or more virtual machines located in the host cluster of the cloud computing provider. The integrity of the kernel control flow is very important to the security of the virtual machine. If the kernel of the virtual machine is damaged, the security of the entire cloud platform may be threatened. Therefore, detecting the integrity of the kernel control flow of a virtual machine is very important for cloud computing....


Application Information

Patent Type & Authority: Patents (China)
IPC: IPC(8): G06F9/455
CPC: G06F9/45558, G06F2009/45583, G06F2009/45591
Inventor: 邹学强, 叶麟, 余翔湛, 包秀国, 詹东阳, 郭镔, 袁庆升
Owner: HARBIN INST OF TECH