CN102147840B - Method for realizing network control through virtual machine - Google Patents


Info

Publication number
CN102147840B
Authority
CN
China
Prior art keywords
network
interface card
transferred
virtual
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN 201010109183
Other languages
Chinese (zh)
Other versions
CN102147840A (en)
Inventor
王淼
贾兵
宋靖
林诗达
刘欣房
顾文锦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China the Great Wall science and technology group Limited by Share Ltd
Original Assignee
China Great Wall Computer Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Great Wall Computer Shenzhen Co Ltd
Priority to CN 201010109183
Publication of CN102147840A
Application granted
Publication of CN102147840B
Legal status: Active
Anticipated expiration

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention belongs to the field of computers and provides a method for realizing network control through a virtual machine. The method comprises the following steps: when network data is transmitted to the network interface card, the network interface card passes the network data to a virtual network interface card module; the virtual network interface card module monitors the network data in the unified extensible firmware interface basic input/output system (UEFI BIOS) and controls whether the network transmission function is switched on or off. With this method, data arriving at the network interface card can be intercepted or allowed through, so the network security of the computer is protected.

Description

Method for realizing network control through a virtual machine
Technical field
The invention belongs to the field of computers and in particular relates to a method for realizing network control through a virtual machine.
Background technology
In recent years network security has attracted wide attention. As network users become more numerous, secure use of the network becomes ever more important, and control of the network in particular is critical. Network control includes opening and closing the network and intercepting and analysing network data. With the continual renewal of computer technology, virtualization technology has come into wide use and has penetrated every field of computing, and applying virtualization technology to control computer network data is also a future development trend.
In the prior art, once the computer has booted and the network cable is connected, the computer connects automatically to the Internet or to the office network and carries out normal network data transmission. It is therefore easily exposed to network attacks, and the network security of the computer is not protected.
A virtual machine (VM) is a system that supports multiple operating systems running in parallel on a single physical server, and it allows the underlying hardware to be used more effectively. If a program in one virtual machine hangs, this does not affect programs running outside that virtual machine or the normal operation of the operating system. A virtual machine monitor (VMM) is a software layer introduced by the Vanderpool technology. A VMM can act as a host: it fully controls the processor and the other hardware resources in the system, and it can also allocate resources to the VMs running on it, such as the processor, physical memory, interrupt management and input/output (I/O) port assignments. Virtualization technology (VT) is a broad term that generally refers to computer components operating on a virtual rather than a real basis. Virtualization can expand the capacity of hardware and simplify the reconfiguration of software. CPU virtualization lets a single CPU simulate several CPUs in parallel, allows one platform to run several operating systems at the same time, and lets applications run in separate spaces without affecting each other, which markedly improves the working efficiency of the computer.
Virtualization technology is quite different from multitasking and Hyper-Threading. Multitasking means several programs running in parallel within one operating system. With virtualization, several operating systems can run at the same time, each running several programs, and each operating system runs on a virtual CPU or virtual host. Hyper-Threading, by contrast, makes a single CPU simulate two CPUs in order to balance code execution; the two simulated CPUs are inseparable and can only work together.
Pure-software virtualization products include VMWare Workstation and VMWare PC. The concrete advantage of pure-software virtualization is that it reduces the overhead associated with virtual machines and supports a wide range of operating systems. The reason is that a pure-software VMM changes the privilege levels of the original system, adds binary translation to the communication between the VMM and the OS, and simulates the hardware environment by providing interfaces to the physical resources (processor, memory, storage, graphics card, network interface card and so on).
CPU virtualization technology, on the other hand, is a hardware solution: a CPU that supports virtualization has a specially optimized instruction set for controlling the virtualization process, and through these instructions the VMM can easily improve performance, to a far greater extent than software-only virtualization. Virtualization technology provides chip-based functions that improve on pure-software solutions through compatible VMM software. Because the virtualization hardware provides a new framework that lets operating systems run directly on top of it, binary translation is no longer needed, the related performance overhead is reduced and the VMM design is greatly simplified; the VMM can then be written to a universal standard and be more powerful.
Summary of the invention
The technical problem to be solved by the invention is to provide a method for realizing network control through a virtual machine that, while the network is connected, applies virtualization technology to control the opening and closing of the computer's network and to intercept network card data, so as to protect the network security of the computer.
To solve the above technical problem, the invention provides a method for realizing network control through a virtual machine, the method comprising the following steps:
when network data is transmitted to the real network interface card, the network interface card transmits the network data to a virtual network interface card module, which monitors the network data in UEFI BIOS and controls whether the network transmission function is switched on or off;
when the network transmission function is switched on, network data sent from the external network is transferred to the real network interface card and then to the virtual network control module, which parses the network data and transmits the parsed data to the final operating system; likewise, network data sent by the operating system passes through the intermediate virtual network control module to the real network interface card and is then transmitted to the network by the network interface card;
when the network transmission function is switched off, network data sent from the external network is transferred to the real network interface card and then to the virtual network control module, which intercepts the network data so that it is not transferred to the operating system; likewise, when the operating system sends network data to the virtual network control module, the virtual network control module intercepts it so that it is not transferred to the real network interface card.
In the present invention, when network data is transmitted to the network interface card, the network interface card transmits the network data to the virtual network interface card module; the virtual network interface card module controls the network data in UEFI BIOS and switches the network transmission function on or off, so that data arriving at the network interface card can be intercepted or passed on, protecting the network security of the computer.
Description of drawings
Fig. 1 is a flow diagram of the method for realizing network control through a virtual machine provided by an embodiment of the invention.
Fig. 2 is a flow diagram of the control of received network data provided by an embodiment of the invention.
Fig. 3 is a flow diagram of the control of transmitted network data provided by an embodiment of the invention.
Fig. 4 is the overall logical architecture diagram of the UEFI-based BIOS provided by an embodiment of the invention.
Embodiment
In order to make the technical problem, technical solution and beneficial effects of the invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
In embodiments of the invention, when network data is transmitted to the network interface card, the network interface card transmits the network data to the virtual network interface card module, which monitors the network data in UEFI BIOS and controls whether the network transmission function is switched on or off. When the network transmission function is switched on, the external network transmits network data over the network cable to the network interface card, which passes it to the virtual network control module; the virtual network control module parses the network data and transmits it to the final operating system. Likewise, network data sent by the operating system passes through the intermediate virtual network control module to the real network interface card and is then transmitted to the network by the network interface card. When the network transmission function is switched off, network data sent from the external network is transferred to the real network interface card and then to the virtual network control module, which intercepts the network data so that it is not transferred to the operating system; likewise, when the operating system sends network data to the virtual network control module, the virtual network control module intercepts it so that it is not transferred to the real network interface card. In this way the virtual middle layer (the network control module) can be used to control the network data.
Referring to Fig. 1, the flow of the method for realizing network control through a virtual machine provided by an embodiment of the invention comprises the following steps:
In step S101, the network cable delivers the network data received from the network to the network adapter (network interface card);
In an embodiment of the invention, the network interface card is itself a LAN (Local Area Network) device, and the LAN is attached to the Internet through devices such as gateways and routers; the Internet itself is composed of a great many such LANs. The network interface card operates at the data link layer and the physical layer of the OSI (Open System Interconnection) model.
In step S102, the network adapter transmits the network data to the virtual network adapter;
In step S103, the virtual network adapter sends the network data to the parsing module;
In step S104, the parsing module transmits the parsed network data to the micro operating system (for example, the Great Wall micro operating system);
In step S105, the micro operating system transmits the network data to the virtual machine monitor;
In step S106, the virtual machine monitor transmits the network data to the network interface card Miniport protocol I/O module;
In step S107, the network control function is set to open or closed in UEFI BIOS;
In step S108, the network interface card Miniport protocol I/O module intercepts the data being transmitted by the network and decides whether it is to be transferred to the operating system;
In step S109, if the network control function is open, the data is transferred to the operating system; if the network control function is closed, the network data is intercepted.
Referring to Fig. 2, the control flow for receiving network data provided by an embodiment of the invention is implemented as follows:
After the computer boots and the network is connected, step 001 is executed: the network transfers network data, in the form of packets, to the network adapter over the network cable.
Step 002 is then executed: the NIC (network interface card) receives the network data from the network cable into the hardware FIFO (First In, First Out data buffer). When the network data received in the hardware FIFO reaches the data limit, the network data begins to be copied by DMA (Direct Memory Access) to the ring buffer (system memory). When the whole packet has been copied to the ring buffer, the packet header is written, CBA (the write pointer register) points to the end of the packet, and CR (the command register) is then used to set the corresponding operating mode.
Step 003: the network interface card MiniPort Driver, which is responsible for the real exchange of network card data, is called. The network interface card MiniPort Driver is a virtual network interface card driver; the Driver service routine it calls is mainly responsible for clearing the operating mode set in CR and setting the current read pointer register CAPR.
Step 004: when the VMM detects that network data is about to be sent from the network interface card, the protocol analysis and logging module analyses the packet being sent and resolves it to the upper-layer protocol, mainly handling the TCP/IPv4 and UDP/IPv4 protocols.
Step 005: GW Mini OS is a micro operating system newly developed independently by Great Wall. It completes the initialization of CPU protected mode; the handling of GDT, IDT, TR, CR0 and CR4; virtual memory and physical memory management; module management and so on, providing the running environment for the VMM and the other modules.
Step 006: the VMM is mainly responsible for monitoring the network I/O and hard disk I/O in the OS and the BIOS, and the external interrupts of these two kinds of devices.
Step 007: the UNDI service in UEFI BIOS is called to set the network control function to open or closed.
Step 008: the VMM transmits the network data to the network interface card Miniport protocol I/O module. If the network control function is set to open in UEFI BIOS, the network interface card Miniport protocol I/O module sends the network data directly onto the PCI bus, and it is finally transferred to the operating system. If the network control function is set to closed in UEFI BIOS, then on Port I/O (when the computer executes the relevant in/out instructions) the network interface card Miniport protocol I/O module calls the VMM handler function, which obtains the physical address of the network data from the RBSTART register (distributor) and intercepts it.
Step 009: with the network control function set to open, the network data is not intercepted and is transferred directly to the operating system.
Step 010: with the network control function set to closed, the network data is intercepted and is not transferred to the operating system.
Referring to Fig. 3, the control flow for transmitting network data provided by an embodiment of the invention is implemented as follows:
The transmit flow for network data is the inverse of the receive flow. The opening and closing of the network control module must likewise be set in the UNDI service in UEFI BIOS. When network data in the operating system needs to be sent, an out-port interrupt is generated; at this point the network interface card Miniport protocol I/O module checks whether the network control function in the BIOS is open. If it is set to open, the network data is transmitted to the VMM and onward until it reaches the network over the network cable. If it is set to closed, the network interface card Miniport protocol I/O module obtains the address, data length and status of the network data from the four TSADs, intercepts it and does not send it downward. Since sending and receiving data are inverse processes, the details are not repeated here.
The principle of MMIO is similar to port I/O; the difference is that the registers are also mapped into a memory-mapped area (memory table), so the driver can operate the NIC through memory accesses. The main receive and transmit flows are essentially the same as those above. The interception method for MMIO transmit data is mainly to monitor the Port I/O when there is output, check the TxDesc Ring and examine every descriptor whose Own bit is 1; these are all data waiting to be sent, so the data length and the physical address of the buffer are obtained and the contents intercepted. The interception method for MMIO receive data is that, as with Port I/O, when an interrupt occurs the service routine reads the ROK bit of the ISR, checks the RxDesc Ring, examines every descriptor whose OWN bit is 0, translates the physical address to a linear address and intercepts the data.
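The switch logic of steps 007 to 010 and of the Fig. 3 transmit flow, as an added C model that is not the patent's or Great Wall's code: the VMM side of the Miniport protocol I/O module consults the BIOS switch on each trapped port access and either passes the frame on or logs its physical address and length and drops it. The register names RBSTART, CAPR, CBA, ISR/ROK and TSAD come from the page; their layout, bit encodings, memory addresses and the frame bytes are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Network control switch as set by the UNDI service in UEFI BIOS (step 007). */
typedef enum { NET_CTRL_CLOSED = 0, NET_CTRL_OPEN = 1 } net_ctrl_t;

/* Register model limited to the names the page uses: RBSTART (receive ring base),
 * CAPR (read pointer), CBA (write pointer), ISR with ROK, four TSAD/TSD transmit
 * slots. Layout, bit encodings and addresses below are assumptions. */
#define ISR_ROK   0x0001u
#define TSD_OWN   0x2000u         /* driver still owns the slot: data pending */
#define RING_SIZE 8192u
#define MEM_SIZE  32768u
#define RING_BASE 0x1000u         /* simulated physical address of the ring */
#define TXBUF(s)  (0x4000u + (uint32_t)(s) * 0x800u)

typedef struct { uint32_t rbstart; uint16_t capr, cba, isr;
                 uint32_t tsad[4], tsd[4]; } nic_regs_t;

/* What the VMM records when the switch is closed and a packet is intercepted. */
typedef struct { uint32_t phys; uint16_t len; int tx; } capture_t;

typedef struct {
    uint8_t    mem[MEM_SIZE];     /* simulated physical memory */
    nic_regs_t nic;
    net_ctrl_t bios_switch;       /* value held "in UEFI BIOS" */
    capture_t  captures[16];
    int        ncaptures, os_rx_packets, wire_tx_packets;
} machine_t;

void machine_init(machine_t *m, net_ctrl_t sw) {
    memset(m, 0, sizeof *m); m->bios_switch = sw; m->nic.rbstart = RING_BASE;
}

static void capture(machine_t *m, uint32_t phys, uint16_t len, int tx) {
    capture_t c = { phys, len, tx };
    if (m->ncaptures < 16) m->captures[m->ncaptures++] = c;
}

/* Receive path (Fig. 2, steps 002..010): the NIC copies the frame into the ring
 * at CBA and raises ROK; the VMM handler entered on the driver's port I/O then
 * consults the BIOS switch. Returns 1 if passed to the OS, 0 if intercepted. */
int nic_receive(machine_t *m, const uint8_t *frame, uint16_t len) {
    nic_regs_t *n = &m->nic;
    uint32_t dst = n->rbstart + n->cba;
    if (len + 4u > RING_SIZE - n->cba || dst + len + 4u > MEM_SIZE) return 0;
    /* 4-byte header (status, length), then the frame; CBA then points past it. */
    m->mem[dst] = 0x01; m->mem[dst + 1] = 0x00;
    m->mem[dst + 2] = (uint8_t)len; m->mem[dst + 3] = (uint8_t)(len >> 8);
    memcpy(&m->mem[dst + 4], frame, len);
    n->cba = (uint16_t)(n->cba + 4u + len);
    n->isr |= ISR_ROK;
    int delivered = (m->bios_switch == NET_CTRL_OPEN);
    if (delivered)
        m->os_rx_packets++;                       /* over the PCI bus to the OS */
    else
        capture(m, n->rbstart + n->capr, len, 0); /* address from RBSTART+CAPR */
    n->capr = n->cba;                 /* driver service routine advances CAPR */
    n->isr &= (uint16_t)~ISR_ROK;     /* and clears the mode CR had set */
    return delivered;
}

/* Transmit path (Fig. 3): the OS fills a TSAD/TSD slot and the resulting
 * out-port access traps to the VMM, which checks the same switch.
 * Returns 1 if handed to the real NIC, 0 if intercepted. */
int os_transmit(machine_t *m, int slot, const uint8_t *frame, uint16_t len) {
    nic_regs_t *n = &m->nic;
    if (slot < 0 || slot > 3 || len > 0x800u) return 0;
    memcpy(&m->mem[TXBUF(slot)], frame, len);
    n->tsad[slot] = TXBUF(slot);
    n->tsd[slot]  = (uint32_t)len | TSD_OWN;  /* the OUT that gets trapped */
    if (m->bios_switch == NET_CTRL_OPEN) {
        n->tsd[slot] &= ~TSD_OWN;             /* real NIC consumed the buffer */
        m->wire_tx_packets++;
        return 1;
    }
    /* Closed: address, length and state are read back from TSAD/TSD and logged;
     * the slot is released without sending downward. */
    capture(m, n->tsad[slot], (uint16_t)(n->tsd[slot] & 0x1FFFu), 1);
    n->tsd[slot] = 0;
    return 0;
}

/* Pushes one constructed frame each way with the given switch setting and
 * returns os_rx*100 + wire_tx*10 + captures: 110 when open, 2 when closed. */
int demo(net_ctrl_t sw) {
    static const uint8_t frame[20] = { 0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00,
        0x40, 0x11, 0x00, 0x00, 0xc0, 0xa8, 0x01, 0x02, 0xc0, 0xa8, 0x01, 0x01 };
    static machine_t m;               /* static: 32 KiB, keep it off the stack */
    machine_init(&m, sw);
    nic_receive(&m, frame, sizeof frame);
    os_transmit(&m, 1, frame, sizeof frame);
    return m.os_rx_packets * 100 + m.wire_tx_packets * 10 + m.ncaptures;
}
```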
Referring to Fig. 4, the overall logical architecture of the UEFI-based BIOS provided by an embodiment of the invention is prior art, so only a brief introduction is given here. A UEFI-based BIOS is logically divided into three layers: the bottom layer is the hardware environment on which the UEFI-based BIOS runs; the middle layer is the platform and driver environment supported by the UEFI-based BIOS; the upper layer is the application program modules.
The bottom hardware module (Hardware) provides hardware support for the operation of the UEFI-based BIOS and of the upper-layer applications. The framework protocol module (Pre-EFI Modules) defines the data interface protocols for the UEFI-based BIOS drivers. The VMM control module is the supervisory layer; it is responsible for monitoring the hardware resources of the bottom layer and provides the running environment for the driver layer. The driver layer provides the relevant drivers for the upper-layer applications. The network control module acts as a switch on the transmission of network data. The UEFI interface module defines the upper-layer application interfaces according to the UEFI specification protocols; by calling the upper-layer application interfaces defined by the UEFI interface module 14, interaction between the bottom hardware and the upper-layer applications is achieved.
In summary, in embodiments of the invention, when network data is transmitted to the network interface card, the network interface card transmits the network data to the virtual network interface card module; the virtual network interface card module controls the network data in UEFI BIOS and switches the network transmission function on or off, so that data arriving at the network interface card can be intercepted or passed on, protecting the network security of the computer.
The above are only preferred embodiments of the invention and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (4)

1. A method for realizing network control through a virtual machine, characterized in that the method comprises the following steps:
when network data is transmitted to the real network interface card, the network interface card transmits the network data to a virtual network interface card module, which monitors the network data in UEFI BIOS and controls whether the network transmission function is switched on or off;
when the network transmission function is switched on, network data sent from the external network is transferred to the real network interface card and then to the virtual network control module, which parses the network data and transmits the parsed data to the final operating system; likewise, network data sent by the operating system passes through the intermediate virtual network control module to the real network interface card and is then transmitted to the network by the network interface card;
when the network transmission function is switched off, network data sent from the external network is transferred to the real network interface card and then to the virtual network control module, which intercepts the network data so that it is not transferred to the operating system; likewise, when the operating system sends network data to the virtual network control module, the virtual network control module intercepts it so that it is not transferred to the real network interface card.
2. The method of claim 1, characterized in that the step in which the virtual network control module intercepts the network data so that it is not transferred to the operating system is specifically:
if the network control function is set to closed in UEFI BIOS, the network interface card Miniport protocol I/O module calls the VMM handler function on Port I/O, obtains the physical address of the network data from the RBSTART register (distributor), and intercepts it so that it is not transferred to the operating system.
3. The method of claim 1, characterized in that the step in which the network data sent by the operating system passes through the intermediate virtual network control module to the real network interface card and is then transmitted to the network by the network interface card is specifically:
when network data in the operating system needs to be sent, an out-port interrupt is generated; at this point the network interface card Miniport protocol I/O module checks whether the network control function in the BIOS is open, and if it is set to open, the network data is transmitted to the VMM and onward until it reaches the network over the network cable.
4. The method of claim 1, characterized in that the step in which, when the operating system sends network data to the virtual network control module, the virtual network control module intercepts it so that it is not transferred to the real network interface card is specifically:
if the network control function is set to closed, the network interface card Miniport protocol I/O module obtains the address, data length and status of the network data from the four TSAD transmit buffer base address registers, intercepts it and does not send it downward, so that it is not transferred to the real network interface card.
CN 201010109183 2010-02-05 2010-02-05 Method for realizing network control through virtual machine Active CN102147840B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010109183 CN102147840B (en) 2010-02-05 2010-02-05 Method for realizing network control through virtual machine


Publications (2)

Publication Number Publication Date
CN102147840A CN102147840A (en) 2011-08-10
CN102147840B true CN102147840B (en) 2013-08-28

Family

ID=44422103

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010109183 Active CN102147840B (en) 2010-02-05 2010-02-05 Method for realizing network control through virtual machine

Country Status (1)

Country Link
CN (1) CN102147840B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102609638A (en) * 2011-12-22 2012-07-25 中国航天科工集团第二研究院七〇六所 Xen virtual machine framework based on UEFI (unified extensible firmware interface) runtime service and implementation method thereof
WO2014161133A1 (en) * 2013-04-01 2014-10-09 华为技术有限公司 Data exchange method, apparatus and system for virtual machine
CN104702469B (en) * 2015-03-27 2019-02-12 北京奇虎科技有限公司 Method, physical machine virtual unit and the network system of monitoring network
CN104869361B (en) * 2015-05-20 2018-06-05 浙江宇视科技有限公司 A kind of Video Monitoring Terminal equipment in video monitoring system
CN110365760A (en) * 2019-07-09 2019-10-22 广东美的制冷设备有限公司 Household appliance, the control method of household appliance, device and computer equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1916854A (en) * 2005-08-19 2007-02-21 联想(北京)有限公司 System the method for managing and configuring virtual machine
CN101002171A (en) * 2003-12-18 2007-07-18 英特尔公司 Virtual network interface
CN101399830A (en) * 2007-09-29 2009-04-01 联想(北京)有限公司 Virtual machine system and method for sharing Ethernet point to point protocol link
CN101409714A (en) * 2008-11-18 2009-04-15 华南理工大学 Firewall system based on virtual machine

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7620955B1 (en) * 2001-06-08 2009-11-17 Vmware, Inc. High-performance virtual machine networking


Also Published As

Publication number Publication date
CN102147840A (en) 2011-08-10

Similar Documents

Publication Publication Date Title
KR101444984B1 (en) Method for network interface sharing among multiple virtual machines
CN101465863B (en) Method for implementing high-efficiency network I/O in kernel virtual machine circumstance
CN101557420B (en) Realization method of high-efficiency network communication of a virtual machine monitor
Liu et al. High Performance VMM-Bypass I/O in Virtual Machines.
US7865908B2 (en) VM network traffic monitoring and filtering on the host
US10540294B2 (en) Secure zero-copy packet forwarding
CN103150279B (en) Method allowing host and baseboard management controller to share device
CN102147763B (en) Method, system and computer for recording weblog
Ren et al. Shared-memory optimizations for inter-virtual-machine communication
CN102147840B (en) Method for realizing network control through virtual machine
WO2007019316A3 (en) Zero-copy network i/o for virtual hosts
CN101751284A (en) I/O resource scheduling method for distributed virtual machine monitor
EP4053706A1 (en) Cross address-space bridging
JP5669851B2 (en) Apparatus, method, and computer program for efficient communication between partitions in a logically partitioned system
Lettieri et al. A survey of fast packet I/O technologies for network function virtualization
Ren et al. Nosv: A lightweight nested-virtualization VMM for hosting high performance computing on cloud
Mohebbi et al. Zivm: A zero-copy inter-vm communication mechanism for cloud computing
Cardigliano et al. vPF_RING: Towards wire-speed network monitoring using virtual machines
Nordal et al. Paravirtualizing tcp
Niu et al. NetKernel: Making network stack part of the virtualized infrastructure
Imada Mirageos unikernel with network acceleration for iot cloud environments
Jin et al. Virtual switching without a hypervisor for a more secure cloud
CN103425563B (en) Based on online I/O electronic evidence-collecting system and the evidence collecting method thereof of Intel Virtualization Technology
US10785120B2 (en) Systems and methods for extending link layer discovery over virtual Ethernet bridges
Gebhardt et al. Challenges for inter virtual machine communication

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 518057 computer building of the Great Wall, Nanshan District science and Technology Park, Shenzhen, Guangdong

Patentee after: China the Great Wall science and technology group Limited by Share Ltd

Address before: 518057 computer building of the Great Wall, Nanshan District science and Technology Park, Shenzhen, Guangdong

Patentee before: China Changcheng Computer Shenzhen Co., Ltd.