CN104021344A - Honey pot mechanism and method used for collecting and intercepting internal storage behaviors of computer - Google Patents


Info

Publication number: CN104021344A
Authority: CN (China)
Prior art keywords: honeypot (rendered "honey jar" by the machine translation), page, module
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Application number: CN201410203373.9A
Other languages: Chinese (zh)
Other versions: CN104021344B (en)
Inventors: 伏晓, 程盈心, 骆斌, 杨瑞, 阮豪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Nanjing University
Original Assignee: Nanjing University

Events:
  • Application filed by Nanjing University
  • Priority to CN201410203373.9A
  • Publication of CN104021344A
  • Application granted
  • Publication of CN104021344B
  • Current legal status: Expired - Fee Related
  • Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a honeypot mechanism and method for collecting and intercepting the memory behaviour of a computer. The mechanism comprises a memory virtualization module, a honeypot module, an introspection module, a control module and a honeypot recording module. It is based on memory virtualization technology, supports SMP, can deploy a lightweight virtual machine while the operating system is running and monitor memory behaviour inside a honeypot; it can also serve as a sub-module of other virtual machines to provide the same function. While the operating system runs, the honeypot monitors the exact modifications that each process on each of multiple cores makes to a critical memory region, and the modifications are represented by a bitmap; at the same time the introspection module collects detailed information about the process concerned and its complete running state at that moment, and all records are gathered in the honeypot recording module. Because the mechanism is event-driven, no code of the target operating system is modified; compared with existing instruction-level monitoring, the performance overhead is low and the flexibility high, and the method is suitable for real-time forensics and dynamic analysis.

Description

A honeypot mechanism and method for collecting and intercepting computer memory behaviour
Technical field
The present invention relates to a mechanism in the field of computer behaviour monitoring, in particular a honeypot mechanism and method for collecting and intercepting computer memory behaviour.
Background technology
Honeypot technology is divided, by degree of interaction, into high-interaction and low-interaction honeypots. A low-interaction honeypot is deployed by simulating an operating system and network services; although it is simple to deploy, the limited fidelity of the simulation means that the information obtained is insufficient and the honeypot is easily seen through. A high-interaction honeypot provides a completely real operating system and network services and can obtain very rich attack information, but its potential risk and deployment difficulty are very high. At present, high-interaction honeypots can observe state changes inside the honeypot by means of virtualization technology. This involves dynamic analysis techniques for computers, and dynamic analysis based on virtualization can currently only be carried out in a virtualized environment that has been deployed in advance.
Computer analysis techniques are divided into dynamic analysis and static analysis. Static analysis targets source code and judges its behaviour by analysing the semantics of the code; code packing and virtualized execution techniques currently greatly limit the effectiveness of static analysis. Dynamic analysis can solve the problems of static analysis: it obtains the behaviour directly by analysing a running operating system. Current approaches to dynamic analysis include analysing system-call behaviour, kernel API call behaviour, the interaction between monitored processes, and module invocation. However, a process with kernel privilege can bypass system calls and use DKOM (direct kernel object manipulation) to achieve its goals. Because this directly modifies kernel data of the operating system, ordinary kernel-based monitoring can observe the change in memory but cannot determine its source. Instruction-level analysis is currently used to deal with this problem: a virtual machine similar to QEMU, in the course of translating guest instructions, analyses every instruction the computer executes and learns the memory location that the current instruction will modify and the specific content of the modification. But such methods have very low flexibility and efficiency, and instruction-level analysis cannot be used to obtain the memory operation behaviour of a process on an operating system running on real hardware.
Memory virtualization technology transforms the memory addresses used by the user's operating system, checks permissions on memory reads and writes, and fully manages the TLB cache. Existing implementations include the shadow page table technique of software virtualization and, in hardware virtualization, the EPT technology of Intel VT and the RVI (NPT) technology of AMD-V. The advantage of an implementation based on hardware virtualization is that it is completely independent of the target operating system and the memory virtualization function is provided directly by hardware, which is simpler and more efficient than software virtualization.
Summary of the invention
In view of the deficiencies of the prior art in the field of computer monitoring, the present invention provides a honeypot mechanism and method for collecting and intercepting computer memory behaviour. It adopts the basic idea of a honeypot: a honeypot is deployed in a critical memory region, every process that modifies memory inside the honeypot is monitored, and a non-instruction-level monitoring method is used, which overcomes the current limitations of instruction-level memory behaviour analysis.
The computer honeypot mechanism of the present invention is reliable and cannot be bypassed. Unlike a traditional honeypot deployed externally in a network environment, a memory honeypot monitors computer memory activity at the hardware level; using hardware virtualization it can be deployed on any real operating system, and it can also act as part of a software virtual machine to monitor the memory activity of a virtual system. Memory activity includes changes to data structures in memory and changes to code. Because of its flexible deployment and its focus on low-level events, the present invention can be deployed in a honeynet as a high-interaction honeypot, and it can also directly monitor attacks by malicious programs on the operating system kernel. Because the honeypot monitors at the hardware level, behaviour that bypasses the operating system kernel and modifies memory directly is also captured by the memory honeypot, as long as the modification touches a memory region the honeypot monitors. The memory honeypot accurately records process activity in the honeypot, including each process's modifications to the honeypot at byte granularity, the running state and execution snapshot of the process when it is captured by the honeypot, and details of the process. Further static analysis can also be performed on the captured process execution snapshots.
The technical solution of the present invention is a honeypot mechanism for collecting and intercepting computer memory behaviour, comprising a memory virtualization module, a honeypot module, an introspection module, a control module and a honeypot recording module, wherein:
the memory virtualization module controls the memory access rights of the virtual machine, including control of the two-level address translation function and of the read, write and execute permissions in the address translation process; when an event occurs that violates the read, write or execute permission, control of the current CPU is transferred to the event-handling function of the honeypot module, and after the function returns the CPU resumes normal operation;
the honeypot module consists of multiple configurable independent honeypot instances, each corresponding to one page of the operating system, which becomes a honeypot page; taking the honeypot page as its unit, the honeypot module monitors the exact modifications that each process on each of multiple cores makes to the honeypot region while the system is running, and represents them as a bitmap;
the introspection module gathers information in the honeypot module, collecting details of the relevant process and the complete running state of the process at that time;
the control module provides an external control interface and forwards control command signals to the corresponding control interface of the honeypot module, for setting the memory region monitored by the honeypot module and for starting, stopping and resetting the honeypot function;
the honeypot recording module gathers the data submitted by the honeypot module and the introspection module and records the complete behaviour of each process that enters the honeypot.
Further, the honeypot recording module consists of process records, and each process record consists of one or more honeypot records, each honeypot record corresponding to one active honeypot page. Within one process record, a honeypot page of the honeypot module corresponds to at most one honeypot record; in different process records, the honeypot records corresponding to the same honeypot page hold their information independently of each other, and each record occupies memory only when it has content to record.
The present invention also provides a honeypot method for collecting and intercepting computer memory behaviour, with the following specific steps:
(1) Configuration phase: the memory region to be monitored by the honeypot module, i.e. the honeypot region, is configured through the control module;
(2) Start-up phase: after the control module receives an external start command, it forwards the start command to the corresponding control interface of the honeypot module; the honeypot module uses the memory virtualization module to revoke write permission on the honeypot region and captures any process behaviour that attempts to write to the honeypot region;
(3) Running phase: the honeypot module continuously controls, through the memory virtualization module, the access to the honeypot by processes that attempt to write to the honeypot region, and collects the modifications each process makes to memory in the honeypot region; the introspection module collects details of the relevant process and its running state when it enters the honeypot; the honeypot recording module gathers and organises the data continuously submitted by the honeypot module and the introspection module;
(4) Stop phase: after the control module receives an external stop command, it forwards the stop command to the corresponding control interface of the honeypot module; the honeypot module submits all data to the honeypot recording module and restores write permission on the honeypot region so that all read and write operations are allowed; the data recorded in the honeypot recording module are then retrieved;
(5) Reset phase: after the control module receives an external reset command, it forwards the reset command to the corresponding control interface of the honeypot module; the honeypot module removes the honeypots that have been configured, and the recording module clears all data;
(6) After the reset is complete, return to step (1) and wait for the memory region monitored by the honeypot module to be reconfigured.
Further, the specific operating steps of the honeypot module are as follows:
(1) Configuration phase: the honeypot module obtains an idle honeypot instance and maps it onto the target page, which becomes a honeypot page;
(2) Running phase: the honeypot instance of the honeypot page is used to monitor process reads and writes of the target page, while details of the associated process in the operating system are obtained through the introspection module and continuously submitted to the honeypot recording module. The specific operating steps of a honeypot page are as follows:
a. Initialisation: open the memory barrier;
b. Capture the target process: when a process accesses the memory corresponding to the honeypot page for the first time, a hardware protection event is triggered and control flow traps into the virtual machine monitor; the target process is suspended, the honeypot page intercepts the write event, obtains the target process details and running state through the introspection module, and attaches them to the honeypot page; before the target process writes to memory, a snapshot of the page is taken in preparation for generating the memory modification bitmap of the target process; the honeypot page then allows the write operation of the target process on the current CPU and returns to the virtual machine, after which the target process writes to the honeypot on the current CPU;
c. Process-switch event handling: when the current CPU switches process context, it traps into the virtual machine monitor; at this point every honeypot page in the honeypot module that holds write permission on the current core revokes it, so that when a process continues to write to a honeypot page after the switch, the honeypot page can check whether the process accessing it is still the target process; if so, go to step d, otherwise go to step f;
d. Page-fault event handling: when a page-fault event occurs, if the system finds that the page swapped out belongs to a honeypot page, the system keeps the current state of the honeypot page and, the next time the page is swapped into physical memory, updates its physical memory address;
e. Track the target process: after a process has been captured, if a process accesses the honeypot page on another core, or a write to the honeypot page occurs after a CPU process-switch event, the honeypot page checks whether the process attempting the write is the process currently being monitored; if so, steps c, d and e continue, allowing multiple threads of a single process to access the honeypot concurrently; if not, the memory barrier is opened to protect the current memory change record, and the flow proceeds to step f to submit the monitoring record of the target process, guaranteeing that different processes have exclusive access to a single honeypot page at any one time;
f. Submit the target process monitoring record: the honeypot page starts the submission procedure, compares the current page content with the page snapshot from step b byte by byte, generates a modification bitmap one eighth the size of the current page, and updates it to the corresponding location in the honeypot recording module; at the same time the details of the target process and the state of the captured target process are attached to the corresponding location in the honeypot recording module. The flow then returns to step a to initialise the honeypot page for a new process; if the honeypot module is entering the stop phase, all write permissions are restored.
(3) Stop phase: the honeypot module controls all honeypot pages to complete a final submission and stops the honeypot operation.
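The capture, track and submit cycle of steps b to f above, including the byte-by-byte modification bitmap of step f and the per-process record lookup, as an added model written for this page (it is not the patent's implementation). It assumes a 4 KiB page, identifies the writing process by its CR3 value, replaces the hardware write-protect trap with a constructed stream of events, and uses a linear scan in place of the hash table.

```c
/* Model of one honeypot page's capture/submit cycle (illustration, not the
 * patent's code). A constructed stream of write-protect events (cpu, CR3,
 * page offset, byte) stands in for the EPT traps; CR3 identifies the process. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE   4096u
#define BITMAP_SIZE (PAGE_SIZE / 8)   /* one bit per byte: 1/8 of the page (step f) */
#define MAX_RECORDS 8

struct wp_event { unsigned cpu; uint64_t cr3; uint32_t offset; uint8_t value; };

/* Process record: cumulative modification bitmap for one honeypot page.
 * cr3 == 0 marks a free record (no constructed process uses CR3 0). */
struct process_record { uint64_t cr3; uint8_t bitmap[BITMAP_SIZE]; unsigned submissions; };

struct honeypot_page {
    uint8_t *page;                 /* guest page under watch (a constructed buffer here) */
    uint8_t  snapshot[PAGE_SIZE];  /* image taken before the first write (step b) */
    bool     captured;
    uint64_t owner_cr3;            /* process currently holding the page */
};

/* Step f: compare snapshot and current page byte by byte into a bitmap.
 * Returns the number of bytes that differ. */
size_t diff_bitmap(const uint8_t *snap, const uint8_t *cur, uint8_t *bm) {
    size_t changed = 0;
    memset(bm, 0, BITMAP_SIZE);
    for (size_t i = 0; i < PAGE_SIZE; i++) {
        if (snap[i] != cur[i]) { bm[i / 8] |= (uint8_t)(1u << (i % 8)); changed++; }
    }
    return changed;
}

/* Record lookup: find the record for cr3 or initialise a free one.
 * A linear scan stands in for the patent's hash table; NULL when full. */
struct process_record *find_record(struct process_record *recs, size_t n, uint64_t cr3) {
    struct process_record *free_slot = NULL;
    for (size_t i = 0; i < n; i++) {
        if (recs[i].cr3 == cr3) return &recs[i];
        if (recs[i].cr3 == 0 && free_slot == NULL) free_slot = &recs[i];
    }
    if (free_slot) free_slot->cr3 = cr3;
    return free_slot;
}

/* Submit the owner's modifications and release the page (step f, then step a). */
size_t submit_page(struct honeypot_page *hp, struct process_record *recs, size_t n) {
    uint8_t bm[BITMAP_SIZE];
    size_t changed = diff_bitmap(hp->snapshot, hp->page, bm);
    struct process_record *rec = find_record(recs, n, hp->owner_cr3);
    if (rec) {
        for (size_t i = 0; i < BITMAP_SIZE; i++) rec->bitmap[i] |= bm[i]; /* cumulative */
        rec->submissions++;
    }
    hp->captured = false;
    return changed;
}

static void capture(struct honeypot_page *hp, uint64_t cr3) {
    memcpy(hp->snapshot, hp->page, PAGE_SIZE);   /* page image before the write */
    hp->owner_cr3 = cr3;
    hp->captured = true;
}

/* Handle one write-protect event. Returns the bytes submitted for the previous
 * owner (0 when the page was free or the writer is the same process). */
size_t handle_write(struct honeypot_page *hp, struct process_record *recs, size_t n,
                    const struct wp_event *ev) {
    size_t submitted = 0;
    if (!hp->captured) {
        capture(hp, ev->cr3);                    /* step b: first access captures */
    } else if (ev->cr3 != hp->owner_cr3) {
        submitted = submit_page(hp, recs, n);    /* step e: other process, exclusive access */
        capture(hp, ev->cr3);
    }
    /* same process (another thread, any CPU) or freshly captured: write allowed */
    hp->page[ev->offset % PAGE_SIZE] = ev->value;
    return submitted;
}

struct demo_result { size_t on_switch; size_t on_stop; unsigned records; bool bit9_set; };

/* Constructed scenario: process A (CR3 0x1000) writes two bytes on CPU 0, then
 * process B (CR3 0x2000) writes one byte on CPU 1, then the honeypot is stopped. */
struct demo_result run_demo(void) {
    static uint8_t page[PAGE_SIZE];
    struct honeypot_page hp;
    struct process_record recs[MAX_RECORDS];
    const struct wp_event evs[] = {
        {0, 0x1000, 0, 0x41}, {0, 0x1000, 9, 0x42}, {1, 0x2000, 4095, 0x43},
    };
    struct demo_result r = {0, 0, 0, false};
    memset(page, 0, sizeof page);
    memset(&hp, 0, sizeof hp);
    memset(recs, 0, sizeof recs);
    hp.page = page;
    for (size_t i = 0; i < sizeof evs / sizeof evs[0]; i++)
        r.on_switch += handle_write(&hp, recs, MAX_RECORDS, &evs[i]);
    r.on_stop = hp.captured ? submit_page(&hp, recs, MAX_RECORDS) : 0;  /* stop phase */
    for (size_t i = 0; i < MAX_RECORDS; i++) if (recs[i].cr3) r.records++;
    r.bit9_set = (find_record(recs, MAX_RECORDS, 0x1000)->bitmap[1] & 0x02) != 0;
    return r;
}
```

In the scenario, B's first write forces A's record to be submitted (2 bytes changed, bits 0 and 9 set) before the page is re-captured for B, and the stop phase submits B's single byte.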
Further, the specific steps for opening the memory barrier in steps a and e are as follows:
(1) control flow enters the critical section corresponding to the memory barrier;
(2) the memory virtualization module revokes the guest virtual machine's write permission on the target page on all CPUs;
(3) an interrupt is used to notify all CPUs that the page-table permissions have changed; on receiving the interrupt, each CPU immediately flushes its TLB and page-table-structure caches and reports whether it succeeded; if so, go to step (4), otherwise return to step (2);
(4) when all CPUs report a successful flush, the memory barrier is successfully opened.
Further, the memory barrier closes automatically when the following conditions are met: a. control flow leaves the critical section corresponding to the memory barrier; b. write permission on the target page has been restored on all CPUs that were waiting for it.
Further, in the configuration phase the memory region monitored by the honeypot module, i.e. the honeypot region, is configured through the control module; the specific steps are as follows:
(1) the control module tells the honeypot module which page it requires to be configured, and the honeypot module allocates an idle honeypot instance in memory; the specific configuration process can proceed by step a, b or c:
a. the control module gives the honeypot module the physical address of the target page; the honeypot module first checks whether a honeypot page has already been configured for that physical address, and if not, an idle honeypot instance is initialised as a honeypot page according to this physical address; then return to step (1) and wait for further configuration;
b. the control module gives the honeypot module the virtual address of the target page; the honeypot module obtains the corresponding physical address from the page-table base of the guest virtual machine's current process (the CR3 value) and the virtual address by walking the page tables in physical memory; it first checks whether a honeypot page has already been configured for that physical address, and if not, an idle honeypot instance is initialised as a honeypot page according to that physical address; then return to step (1) and wait for further configuration;
c. the control module gives the honeypot module the virtual address of the target page together with the corresponding CR3 value; the honeypot module obtains the physical address by walking the operating system's page tables; it first checks whether a honeypot page has already been configured for that physical address, and if not, an idle honeypot instance is initialised as a honeypot page according to that physical address; then return to step (1) and wait for further configuration.
Further, in step (3) of the honeypot method for collecting and intercepting computer memory behaviour, the running phase, when a write-protect event occurs for a process, the honeypot module first obtains from the memory virtualization module the physical address at which the write-protect event occurred, looks up a hash table by that physical address to find the uniquely corresponding honeypot page, and forwards the write-protect event to that honeypot page, which controls its own operation.
Further, in step f, the specific steps for finding the corresponding location in the honeypot recording module are as follows:
(1) the honeypot page uses a hash table to quickly find the process record corresponding to the current target process; if it exists, go to step (3); if not, go to step (2);
(2) the honeypot recording module allocates an idle process record and initialises it from the process details held by the honeypot page, so that the next time step (1) is entered the process record can be found in the hash table;
(3) the honeypot page uses a hash table to quickly find the honeypot record corresponding to its configured target page; if it exists, that honeypot record is the corresponding location in the honeypot recording module; if not, go to step (4);
(4) the honeypot recording module allocates an idle honeypot record and initialises it from the target page configuration information of the honeypot page, so that the next time step (3) is entered the honeypot record can be found in the hash table; this honeypot record is the corresponding location in the honeypot recording module.
The introspection module of the present invention obtains, in the virtual machine monitor, the details and running state of the current process in the guest operating system. The details include the system modules related to the current process, open files, process ID, process name and process file path; the running state includes the program counter, stack pointer, stack base pointer and each general-purpose register on the current CPU, the virtual address in the target process that corresponds to the honeypot page, details of the currently running task, and also a snapshot of the code near the current program counter and a partial snapshot of the current stack. From these contents the basic situation of the target process that entered the honeypot, and its state at that time, can be roughly analysed, which aids further dynamic and static analysis.
The honeypot recording module of the present invention gathers the data submitted by the honeypot module and the introspection module and records the complete behaviour of each process that enters the honeypot. The specific content preserved comprises: the details of each process that accessed the honeypot, including related system modules, open files, process ID, process name and process file path; for each process, the cumulative modification bitmap for each relevant honeypot page over the monitoring period; for each process, the configuration information of the relevant honeypot pages, i.e. the configured CR3, virtual address and physical address, and the running state of the process when it accessed each honeypot page, including the program counter, stack pointer, stack base pointer and general-purpose registers on the current CPU, the virtual address in the target process corresponding to the honeypot page, and details of the current task; and, for each process on entering each honeypot page, the code snapshot near the program counter and the partial stack snapshot near the stack pointer.
The beneficial effects of the present invention are:
(1) Compared with instruction-level monitoring, the memory honeypot does not need to analyse the memory operations of every executed instruction; instead, by finely configuring memory write permissions in hardware and comparing against the original memory image, it derives exactly what a process modified, which greatly improves efficiency.
(2) The memory honeypot can run in any environment whose hardware MMU supports paging, which remedies the defect that previous methods could only be used inside software virtual machines; the method for monitoring memory activity can be applied to operating systems running on real hardware.
(3) In real-time analysis, the memory honeypot can directly monitor malware that uses direct kernel object manipulation, without using software virtualization to emulate the hardware environment. The control module provides a way to control the honeypot from outside: control signals can be sent over the network, over a serial port, or from inside the guest operating system; they are intercepted by the control module and forwarded to the corresponding control interface of the honeypot module. The control information comprises a command number and command parameters, and after execution the control module reports to the outside whether the command succeeded. The whole command transmission process is encrypted; only a signal that decrypts correctly is forwarded to the control interface of the honeypot module, and all others are ignored, which guarantees the transparency of the whole honeypot mechanism. This transparency makes a malicious program fully trust the real-time analysis platform, so that effective behaviour analysis can be carried out.
(4) In computer forensics, the method can obtain in real time the activity of all processes in important memory regions, together with the details and running state of the corresponding processes, providing an effective way to obtain volatile evidence from memory.
(5) As a honeypot system, the present invention can deploy a high-interaction honeypot on a real running system or on a virtual operating system, thereby providing a completely real and unmodified operating system as the honeypot, while the processes that enter the honeypot are monitored, judged and analysed.
(6) In the running phase, the honeypot module continuously controls each process's access to the honeypot through the memory virtualization module; the module guarantees that on a multi-core system different processes have exclusive access to a single honeypot at any one time, which ensures accuracy, while allowing multiple threads of a single process to access the honeypot concurrently, which improves efficiency.
Brief description of the drawings
Fig. 1 is a schematic diagram of the structure of the memory honeypot;
Fig. 2 is the running-state transition diagram of the honeypot;
Fig. 3 is the running-state transition diagram of a honeypot instance;
Fig. 4 is a schematic diagram of the structure of the honeypot and the recording module;
Fig. 5 is a schematic diagram of the honeypot operating flow.
Embodiment
Fig. 1 shows the structure of the present invention, comprising the honeypot module, the honeypot recording module, the introspection module, the control module and the memory virtualization module.
This embodiment adopts hardware virtualization technology: the memory virtualization module uses the EPT technology of Intel VT to control translation from the guest physical address space to the actual physical address space. In order to control write permission independently on each CPU during the running phase, the memory virtualization module builds as many second-level translation page tables as there are CPUs, and the EPTP pointer of each CPU is set to the PML4 page address of its own page table. The memory virtualization module maps each guest physical address to the identical host physical address, so that the guest virtual machine still runs normally after the memory virtualization module is turned off. The memory virtualization module controls the write-access bits of all EPT page tables and can therefore provide the honeypot with control over write permission on every page. In this way, when the guest operating system accesses guest physical memory, an EPT write-protect event is triggered as long as write permission on the current page has been revoked, and the system can process this event without the guest operating system being aware of it. The same function can equally be realised with the RVI (NPT) technology of AMD-V. On hardware platforms without hardware virtualization support, memory virtualization can also be realised with the shadow page table technique of software virtualization. The introspection module obtains the details and running state of a process by parsing data structures in the operating system; the definitions of the data structures come from the symbol table, and the introspection module obtains the content of the target data structure by walking the operating system's page tables using CR3 and the virtual address of the data structure. The control module intercepts CPUID events, parses the relevant general-purpose register information in the event, obtains the control information and informs the honeypot module.
The structure of the honeypot module and the honeypot recording module is shown in Fig. 4. The honeypot recording module consists of process records, each process record consists of one or more honeypot records, and each honeypot record corresponds to one active honeypot page; within one process record, a honeypot page of the honeypot module corresponds to at most one honeypot record; in different process records, the honeypot records corresponding to the same honeypot page hold their information independently of each other.
Fig. 2 shows the four running states of the honeypot and the four state transitions. The steps comprise:
Step 1: configuration. The memory region monitored by the honeypot module is configured through the control module; the configuration comprises the page virtual address and the CR3 value corresponding to that virtual address. The page physical address, and whether the page belongs to kernel space, can be obtained by analysing the page-table structure and the operating system's layout of virtual address ranges.
Step 2: start-up. The control module receives an external start command, and the honeypot module uses the memory virtualization module to clear the write-access permission for the honeypot region in the EPT page table of each CPU.
Step 3: running. The honeypot module continuously controls the write-access permission in the EPT page tables through the memory virtualization module, restricting each process's access to the honeypot. Control of write permission guarantees that on a multi-core system different processes have exclusive access to a single honeypot at any one time, while allowing multiple threads of a single process to access the honeypot concurrently; the detailed flow is shown in Fig. 5. During the running phase the honeypot collects each process's modifications to every memory address in the honeypot, generates modification bitmaps and continuously submits them to the honeypot recording module, submitting at the same time the process details obtained through the introspection module and the running state of the process when it entered the honeypot. The honeypot recording module gathers and organises all records.
Step 4: stop. The control module receives an external stop command; the honeypot module submits all unsubmitted content to the recording module and sets the write-access bit to 1 in the corresponding EPT page table entries.
Step 5: reset. The control module receives an external reset command; the honeypot module removes the configured honeypot pages and the recording module clears all records. After the reset is complete, the honeypot enters the reset state and returns to step 1, where the memory region monitored by the honeypot can be reconfigured.
Fig. 3 shows the state transition diagram of an individual honeypot. Each individual honeypot runs in the mode determined by the current state of the honeypot module. The steps are:
Step 1: configuration phase. The memory region to be monitored is controlled by the honeypot module, and each page is monitored by one honeypot individual. In this phase the honeypot module configures the page to be monitored into an idle honeypot individual, including its physical address, its virtual address and the corresponding CR3 value, and that individual becomes a honeypot page.
Step 2: honeypot page initialization state. This state can be reached from the start-up phase; the honeypot page then performs initialization when it begins to monitor a new process: the write-access permission of this page is set to 0 in the EPT page tables of all CPU cores, the memory barrier is opened, and all recorded information and state in the honeypot are reset. If this state is reached from the submit-record state, the initialization of the honeypot page does not need to change the write-access permission. The guest operating system is then allowed to continue running.
Step 3: after the honeypot page has been initialized, a process that attempts to write this page of memory raises a write-protect permission event, which the honeypot module hands to the honeypot page for processing. The target process is now suspended. Through the introspection module, the honeypot page obtains the target process's details (its related system modules, open files, process ID, process name and process file path) and its running state (the program counter, stack pointer, stack base pointer, each general-purpose register, the virtual address in the target process that corresponds to the honeypot page, the details of the task currently running, a snapshot of the code around the program counter and a snapshot of part of the stack around the stack pointer), and attaches all of this to the corresponding honeypot page. It also takes a snapshot of the page before the target process writes to it. The honeypot page then allows the write operation of the current process on the current CPU and returns to the guest virtual machine, after which the target process can write to the honeypot on this CPU.
Step 4: after the target process has been captured, when a process switch event occurs, i.e. the current CPU switches process context, control flow is trapped into the virtual machine monitor. The honeypot module now revokes the write permission held on the current core by all honeypot pages, so that when a process continues to write a honeypot page, the honeypot page can check whether the process accessing it after the switch is still the target process.
Step 5: after the target process has been captured, when a page fault event occurs and the page being swapped out is a honeypot page, the system keeps the current state of the honeypot page and updates its physical memory address when the page is next swapped into physical memory.
Step 6: tracking the state of the target process. After the target process has been captured, if a process accesses the honeypot page on another core, or a write to the honeypot page occurs after a CPU process switch event, the honeypot page checks whether the process attempting to write is the process currently being monitored. If it is, steps 4, 5 and 6 continue, allowing multiple threads of the same process to access the honeypot concurrently; if not, the procedure proceeds to step 7 and submits the monitoring record of the current process, guaranteeing that different processes have mutually exclusive access to a single honeypot page at any one time.
Step 7: submitting the monitoring record of the target process. When a non-target process is found attempting to access the honeypot, the honeypot page opens the memory barrier to protect the current change record; the detailed procedure is shown in Fig. 5. The honeypot page starts the record submission process: it generates the bitmap of the target process's modifications to the memory, updates it into the corresponding position of the honeypot logging module, and at the same time attaches the target process's details and state to the corresponding position of the logging module. If the honeypot module is entering the stop phase, the write-access permission of the EPT page table is set to 1; otherwise the honeypot page automatically returns to step 3 and continues running.
Step 8: when the honeypot page is in the stop phase, the reset step resets all configured honeypot pages back to idle honeypots.
Fig. 4 shows the internal structure of the honeypot and the logging module. The n honeypot pages configured from idle honeypots, honeypot page a through honeypot page x, monitor n different physical memory pages. When handling a new process access, the honeypot page submits the recorded information to the logging module. To submit, it first looks up the process register of process A through a hash table; if no corresponding process register exists, one is allocated from the idle registers and the details of the corresponding process are saved in it. Having obtained the process register, the honeypot page then looks up the corresponding honeypot page register through a hash table; if no corresponding honeypot page register exists, one is allocated from the idle honeypot registers. Having obtained the honeypot page register, the honeypot page updates the current modification bitmap into the register and attaches the current process state it obtained to the honeypot page register.
Fig. 5 is a schematic diagram of the honeypot's operation. The honeypot page's control of write permission serves mainly to allow multiple threads of the same process to access the honeypot concurrently while guaranteeing that different processes have mutually exclusive access to a single honeypot page at any one time.
The system uses a memory barrier to control write operations to the same honeypot page from the various CPUs. To open the memory barrier, the honeypot module first enters the memory barrier's critical section, then revokes the write permission of all CPUs to this page in the EPT page tables through the memory virtualization module, and then notifies each CPU by IPI to flush its TLB and page table caches. After the memory barrier has been opened, if a process on another CPU attempts to access the same page, such as thread 2 of process A and process B in Fig. 5, the hardware raises a write-protect event that traps into the virtual machine monitor; these processes then wait outside the memory barrier's critical section until thread 1 of process A leaves the critical section. The critical section is implemented with a spin lock: once thread 1 of process A holds the spin lock, all other processes attempting to acquire the same spin lock are suspended and wait until it is released.
The honeypot first uses the memory barrier to stop all processes attempting to write the same memory page, then completes the initialization of the honeypot page, and then leaves the memory barrier's critical section. Thread 2 of process A then enters the critical section; the honeypot page finds that this thread belongs to the target process and immediately allows it into the honeypot, guaranteeing concurrent access to the honeypot by multiple threads of the same process. Next, process B enters the critical section; the honeypot page finds that this process is not the target process currently being monitored, immediately submits the honeypot's internal record to the honeypot logging module, and then reinitializes the honeypot. The target process of the honeypot page is now process B, and only threads belonging to process B are allowed to operate in the current honeypot. This guarantees that different processes have mutually exclusive access to a single honeypot page at any one time. Together, these two properties ensure the efficiency and accuracy of the honeypot's records.
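The per-page policy of Fig. 5 and steps 3, 6 and 7 of Fig. 3, as an added example in C that is not code from the patent: a user-space model of one honeypot page. The EPT write-permission revoke and IPI-driven TLB flush that realize the patent's memory barrier are stood in for by a spinlock critical section, and the monitored guest page is an ordinary 4 KiB buffer; the process identifiers, the page size and the verdict names are assumptions. The model takes the page snapshot when a process is first captured, admits further writes from the same process, and, when a different process arrives, builds the one-bit-per-byte modification bitmap of claim 4 step f and commits it before re-initializing the page for the newcomer.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <string.h>

/* Added example, not code from the patent: a user-space model of one honeypot
 * page.  The patent's memory barrier (EPT write-permission revoke on every CPU
 * plus an IPI-driven TLB flush) is stood in for by a spinlock critical section,
 * and the monitored guest page is an ordinary buffer mapped 1:1, as the
 * description's identity mapping allows.  Sizes and names are assumptions. */

#define HP_PAGE_SIZE   4096
#define HP_BITMAP_SIZE (HP_PAGE_SIZE / 8)   /* one bit per page byte: claim 4, step f */

enum hp_verdict {
    HP_CAPTURED,   /* page was idle: this process becomes the target (Fig. 3, step 3) */
    HP_ALLOWED,    /* another thread of the target process (step 6) */
    HP_SWITCHED    /* a different process: old record committed, page re-initialized (step 7) */
};

struct hp_record {                  /* what step 7 submits to the logging module */
    int pid;
    uint8_t bitmap[HP_BITMAP_SIZE];
};

struct hp_page {
    uint8_t *mem;                   /* the monitored page */
    uint8_t snapshot[HP_PAGE_SIZE]; /* copy taken before the target's first write */
    int target_pid;                 /* -1 while idle */
    unsigned commits;               /* records submitted so far */
    struct hp_record last;          /* most recently committed record */
    atomic_flag barrier;            /* the memory barrier critical section */
};

static void hp_init(struct hp_page *p, uint8_t *mem) {
    memset(p, 0, sizeof *p);
    p->mem = mem;
    p->target_pid = -1;
    atomic_flag_clear(&p->barrier);
}

/* Open the memory barrier: any other writer spins here, as the threads in
 * Fig. 5 wait outside the critical section until the holder leaves. */
static void hp_barrier_open(struct hp_page *p) {
    while (atomic_flag_test_and_set_explicit(&p->barrier, memory_order_acquire))
        ;
}

static void hp_barrier_close(struct hp_page *p) {
    atomic_flag_clear_explicit(&p->barrier, memory_order_release);
}

/* Byte-by-byte comparison of the current page with the snapshot; bit i of the
 * bitmap is set when byte i changed.  Returns the number of changed bytes. */
static unsigned hp_make_bitmap(const uint8_t *now, const uint8_t *snap, uint8_t *bitmap) {
    unsigned changed = 0;
    memset(bitmap, 0, HP_BITMAP_SIZE);
    for (unsigned i = 0; i < HP_PAGE_SIZE; i++) {
        if (now[i] != snap[i]) {
            bitmap[i / 8] |= (uint8_t)(1u << (i % 8));
            changed++;
        }
    }
    return changed;
}

/* Step 7: commit the current target's record and leave the page idle. */
static void hp_commit(struct hp_page *p) {
    p->last.pid = p->target_pid;
    hp_make_bitmap(p->mem, p->snapshot, p->last.bitmap);
    p->commits++;
    p->target_pid = -1;
}

/* Handle a write-protect event raised for this page by process pid. */
static enum hp_verdict hp_on_write(struct hp_page *p, int pid) {
    enum hp_verdict v;
    hp_barrier_open(p);
    if (p->target_pid == pid) {
        v = HP_ALLOWED;                     /* same process, possibly another thread */
    } else {
        v = (p->target_pid == -1) ? HP_CAPTURED : HP_SWITCHED;
        if (v == HP_SWITCHED)
            hp_commit(p);                   /* submit the previous target's record */
        memcpy(p->snapshot, p->mem, HP_PAGE_SIZE);   /* snapshot before the first write */
        p->target_pid = pid;
    }
    hp_barrier_close(p);
    return v;
}

/* Replay Fig. 5 on a constructed page: thread 1 of process A (pid 100), then
 * thread 2 of A, then process B (pid 200).  Returns 1 if every step behaves as
 * the patent describes, 0 otherwise. */
static int hp_replay_fig5(void) {
    uint8_t page[HP_PAGE_SIZE] = {0};
    struct hp_page hp;
    hp_init(&hp, page);
    if (hp_on_write(&hp, 100) != HP_CAPTURED) return 0;   /* A, thread 1 */
    page[0] = 0xAA;
    if (hp_on_write(&hp, 100) != HP_ALLOWED) return 0;    /* A, thread 2 */
    page[HP_PAGE_SIZE - 1] = 0xBB;
    if (hp_on_write(&hp, 200) != HP_SWITCHED) return 0;   /* B: A's record committed */
    /* A's record flags exactly bytes 0 and 4095; B now owns the page. */
    return hp.commits == 1 && hp.last.pid == 100
        && hp.last.bitmap[0] == 0x01 && hp.last.bitmap[HP_BITMAP_SIZE - 1] == 0x80
        && hp.target_pid == 200;
}
```

In the real mechanism the thread-versus-process decision is taken inside the hypervisor on every EPT write-protect event, with the process identified through the introspection module rather than a pid argument; the model keeps only the decision and the bitmap generation so that both can be checked in isolation.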

Claims (9)

1. A honeypot mechanism for collecting and intercepting computer memory behavior, characterized in that it comprises a memory virtualization module, a honeypot module, an introspection module, a control module and a honeypot logging module;
the memory virtualization module is used to control the memory operating permissions of the virtual machine, including the two-level address translation function and the control of read, write and execute permissions during address translation; when an event violating a read, write or execute permission occurs, control of the current CPU is transferred to the event handling function of the honeypot module, and normal operation of the CPU resumes after the function returns;
the honeypot module consists of multiple configurable independent honeypot individuals, each of which corresponds to one page of the operating system and becomes a honeypot page; with the honeypot page as its unit, the honeypot module precisely monitors the modifications made to the honeypot region by each process on multiple cores while the system is running, and represents them as a bitmap;
the introspection module collects information while in the honeypot module, collecting the relevant process details and the complete running state of the process at that time;
the control module provides an external control interface and forwards control command signals to the corresponding control interface of the honeypot module, for setting the memory region monitored by the honeypot module and for starting, stopping and resetting the honeypot function;
the honeypot logging module collects the data submitted by the honeypot module and the introspection module and records the complete behavior of each process that enters the honeypot.
2. The honeypot mechanism for collecting and intercepting computer memory behavior according to claim 1, characterized in that the honeypot logging module consists of process registers, each process register consists of one or more honeypot registers, and each honeypot register corresponds to one running honeypot page; within one process register, a honeypot page of the honeypot module corresponds to at most one honeypot register; across different process registers, the honeypot registers corresponding to the same honeypot page record their information independently of one another, and each register occupies memory only while it is recording content.
3. A honeypot method for collecting and intercepting computer memory behavior, characterized in that the specific steps are as follows:
(1) configuration phase: the memory region to be monitored by the honeypot module, i.e. the honeypot region, is configured through the control module;
(2) start-up phase: after the control module receives an external start command, it forwards the start command to the corresponding control interface of the honeypot module; the honeypot module uses the memory virtualization module to revoke the write permission of the honeypot region and captures any process behavior that attempts to write to the honeypot region;
(3) running phase: the honeypot module continuously controls, through the memory virtualization module, the access to the honeypot of processes attempting to write to the honeypot region, and collects each process's modifications to the memory in the honeypot region; the introspection module collects the relevant process details and the process's running state at the moment it enters the honeypot; the honeypot logging module collects and organizes the data continuously submitted by the honeypot module and the introspection module;
(4) stop phase: after the control module receives an external stop command, it forwards the stop command to the corresponding control interface of the honeypot module; the honeypot module submits all data to the honeypot logging module and restores the write permission of the honeypot region so that all read and write operations are allowed; the data recorded in the honeypot logging module are then retrieved;
(5) reset phase: after the control module receives an external reset command, it forwards the reset command to the corresponding control interface of the honeypot module; the honeypot module clears the configured honeypots and the honeypot logging module empties all data;
(6) after the reset completes, return to step (1) and wait for the memory region monitored by the honeypot module to be configured again.
4. The honeypot method for collecting and intercepting computer memory behavior according to claim 3, characterized in that the specific operating steps of the honeypot module are as follows:
(1) configuration phase: the honeypot module obtains an idle honeypot individual and maps it onto the target page, which thereby becomes a honeypot page;
(2) running phase: the honeypot individual of the honeypot page monitors the read and write behavior of processes on the target page, while the introspection module obtains the details of the associated process in the operating system, and these are continuously submitted to the honeypot logging module; the specific operating steps of the honeypot page are as follows:
a. initialization: open the memory barrier;
b. capturing the target process: when a process accesses the memory corresponding to the honeypot page for the first time, a hardware protection event is triggered and control flow is trapped into the virtual machine monitor; the target process is suspended; the honeypot page intercepts the write event, obtains the target process's details and running state through the introspection module, and attaches the target process details and running state obtained by the introspection module to the honeypot page; before the target process writes to the memory, a page snapshot is taken in preparation for generating the memory modification bitmap of the target process; the honeypot page then allows the write operation of the target process on the current CPU and returns to the virtual machine, after which the target process writes to the honeypot on the current CPU;
c. handling a process switch event: when the current CPU switches process context, it is trapped into the virtual machine monitor; the honeypot module now revokes the write permission held on the current core by all honeypot pages, so that when a process continues to write to a honeypot page, the honeypot page can check whether the process accessing it after the switch is still the target process; if so, go to step d; if not, go to step f;
d. handling a page fault event: when a page fault event occurs and the system finds that the page being swapped out belongs to a honeypot page, the system keeps the current state of the honeypot page and updates its physical memory address when the page is next swapped into physical memory;
e. tracking the target process: after the process has been captured, if a process accesses the honeypot page on another core, or a write to the honeypot page occurs after a CPU process switch event, the honeypot page checks whether the process attempting to write is the process currently being monitored; if so, steps c, d and e continue, allowing multiple threads of the same process to access the honeypot concurrently; if not, the memory barrier is opened to protect the current change record and the procedure proceeds to step f to submit the monitoring record of the target process, guaranteeing that different processes have mutually exclusive access to a single honeypot page at any one time;
f. submitting the monitoring record of the target process: the honeypot page starts the submission process, compares the current page content byte by byte with the snapshot page content from step b, generates a modification bitmap one eighth the size of the current page and updates it into the corresponding position of the honeypot logging module, at the same time attaching the captured target process's details and state to the corresponding position of the honeypot logging module; it then returns to step a and initializes the honeypot page for a new process; if the honeypot module is entering the stop phase, all write permissions are restored.
(3) stop phase: the honeypot module directs all honeypot pages to complete a final submission and stops the operation of the honeypot.
5. The honeypot method for collecting and intercepting computer memory behavior according to claim 4, characterized in that the specific steps for opening the memory barrier in step a and step e of step (2) are as follows:
(1) control flow enters the critical section corresponding to the memory barrier;
(2) the memory virtualization module revokes the guest virtual machine's write permission to the target page on all CPUs;
(3) an interrupt is used to inform all CPUs that the page table permissions have changed; as soon as each CPU receives the interrupt, it flushes its TLB and page table structure caches and reports whether this succeeded; if so, go to step (4); if not, return to step (2);
(4) when all CPUs have reported that their caches were flushed successfully, the memory barrier has been opened successfully.
6. The honeypot method for collecting and intercepting computer memory behavior according to claim 5, characterized in that the memory barrier is closed automatically when the following conditions are met: a. control flow leaves the critical section corresponding to the memory barrier; b. the write permission to the target page has been restored on all CPUs waiting on it.
7. The honeypot method for collecting and intercepting computer memory behavior according to claim 4, characterized in that step (1) of claim 3, the configuration phase in which the memory region monitored by the honeypot module, i.e. the honeypot region, is configured through the control module, comprises the following specific steps:
(1) the control module informs the honeypot module of the page to be configured, and the honeypot module allocates an idle honeypot individual in memory; the specific configuration process may proceed by step a, b or c:
a. the control module informs the honeypot module of the physical address of the target page; the honeypot module first checks whether a honeypot page has already been configured for the physical address of the target page; if not, an idle honeypot individual is initialized with this physical address and becomes a honeypot page, and the procedure returns to step (1) to wait for further configuration;
b. the control module informs the honeypot module of the virtual address of the target page; the honeypot module obtains the corresponding physical address from the page table base address (CR3) of the current process of the guest virtual machine and the current virtual address by walking the page tables in physical memory; the honeypot module first checks whether a honeypot page has already been configured for that physical address; if not, an idle honeypot individual is initialized with that physical address and becomes a honeypot page, and the procedure returns to step (1) to wait for further configuration;
c. the control module informs the honeypot module of the virtual address of the target page and the corresponding CR3 value; the honeypot module obtains the physical address by walking the operating system's page tables; the honeypot module first checks whether a honeypot page has already been configured for that physical address; if not, an idle honeypot individual is initialized with that physical address and becomes a honeypot page, and the procedure returns to step (1) to wait for further configuration.
8. The honeypot method for collecting and intercepting computer memory behavior according to claim 4, characterized in that, in the running phase of step (3) of claim 3, when a write-protect event occurs in a process, the honeypot module first obtains through the memory virtualization module the physical address at which the write-protect event occurred, looks up the uniquely corresponding honeypot page in a hash table by that physical address, and forwards the write-protect event to the corresponding honeypot page, which handles it under its own control.
9. The honeypot method for collecting and intercepting computer memory behavior according to claim 4, characterized in that, in step f, the specific steps for locating the corresponding position in the honeypot logging module are as follows:
(1) the honeypot page uses a hash table to quickly find the process register corresponding to the current target process; if it exists, go to step (3); if not, go to step (2);
(2) the honeypot logging module allocates an idle process register and initializes it with the process details of the honeypot page, so that the process register can be found in the hash table the next time step (1) is entered;
(3) the honeypot page uses a hash table to quickly find the honeypot register corresponding to its configured target page; if it exists, that honeypot register is the corresponding position in the honeypot logging module; if not, go to step (4);
(4) the honeypot logging module allocates an idle honeypot register and initializes it with the target page configuration information of the honeypot page, so that the honeypot register can be found in the hash table the next time step (3) is entered; that honeypot register is the corresponding position in the honeypot logging module.
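The two-level register lookup of claim 9 and the Fig. 4 structure described above, as an added example in C that is not code from the patent. The pool sizes, the modulo hash with linear probing, the fields saved per register and the OR-accumulation of bitmaps are assumptions; the patent specifies only "a hash table", "idle registers", and that the bitmap is updated into the register. The scenario at the end is constructed to show the property of claim 2: two processes writing the same honeypot page get independent records, while repeated entries by one process accumulate in its own register.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not the patent's code: the honeypot logging module's two-level
 * register lookup (claim 9, Fig. 4) modelled in user space.  Pool sizes, the
 * modulo hash with linear probing and the fields saved per register are
 * assumptions; the patent only specifies "a hash table" and "idle registers". */

#define LOG_PROC_SLOTS  8      /* process registers in the idle pool (assumed) */
#define LOG_PAGE_SLOTS  4      /* honeypot registers per process register (assumed) */
#define LOG_BITMAP_SIZE 512    /* one bit per byte of a 4 KiB page */

struct hp_register {           /* one honeypot page as seen by one process */
    int in_use;
    uint64_t gpa;              /* physical address of the monitored page */
    uint8_t bitmap[LOG_BITMAP_SIZE];
    uint64_t last_pc;          /* process state attached with the record */
};

struct proc_register {
    int in_use;
    int pid;
    char name[32];             /* process detail saved when the register is allocated */
    struct hp_register pages[LOG_PAGE_SLOTS];
};

struct log_module {
    struct proc_register procs[LOG_PROC_SLOTS];
};

/* Steps (1)-(2): find the process register by pid, allocating an idle one on a
 * miss when create != 0.  Linear probing from pid % LOG_PROC_SLOTS; registers
 * are never freed, so the first empty slot ends the search. */
static struct proc_register *log_proc(struct log_module *lm, int pid,
                                      const char *name, int create) {
    for (unsigned i = 0; i < LOG_PROC_SLOTS; i++) {
        struct proc_register *pr = &lm->procs[((unsigned)pid + i) % LOG_PROC_SLOTS];
        if (pr->in_use && pr->pid == pid)
            return pr;
        if (!pr->in_use) {
            if (!create) return NULL;
            pr->in_use = 1;
            pr->pid = pid;
            strncpy(pr->name, name, sizeof pr->name - 1);
            return pr;
        }
    }
    return NULL;                       /* pool exhausted */
}

/* Steps (3)-(4): the same lookup inside the process register, keyed by gpa. */
static struct hp_register *log_page(struct proc_register *pr, uint64_t gpa, int create) {
    for (unsigned i = 0; i < LOG_PAGE_SLOTS; i++) {
        struct hp_register *hr = &pr->pages[((gpa >> 12) + i) % LOG_PAGE_SLOTS];
        if (hr->in_use && hr->gpa == gpa)
            return hr;
        if (!hr->in_use) {
            if (!create) return NULL;
            hr->in_use = 1;
            hr->gpa = gpa;
            return hr;
        }
    }
    return NULL;
}

/* Step f of claim 4: submit a modification bitmap and the process state.  The
 * bitmap is OR-ed into the register so that a process re-entering the same page
 * accumulates its changes (an assumption; the patent says only "updated"). */
static int log_submit(struct log_module *lm, int pid, const char *name,
                      uint64_t gpa, const uint8_t *bitmap, uint64_t pc) {
    struct proc_register *pr = log_proc(lm, pid, name, 1);
    struct hp_register *hr = pr ? log_page(pr, gpa, 1) : NULL;
    if (!hr) return -1;
    for (unsigned i = 0; i < LOG_BITMAP_SIZE; i++)
        hr->bitmap[i] |= bitmap[i];
    hr->last_pc = pc;
    return 0;
}

/* Query: number of bytes recorded as modified by pid on page gpa, -1 if none. */
static int log_modified_bytes(struct log_module *lm, int pid, uint64_t gpa) {
    struct proc_register *pr = log_proc(lm, pid, "", 0);
    struct hp_register *hr = pr ? log_page(pr, gpa, 0) : NULL;
    if (!hr) return -1;
    int n = 0;
    for (unsigned i = 0; i < LOG_BITMAP_SIZE; i++)
        for (unsigned b = 0; b < 8; b++)
            n += (hr->bitmap[i] >> b) & 1;
    return n;
}

/* Constructed scenario: process A (pid 100) enters page 0x1000 twice, process B
 * (pid 200) enters the same page once.  Returns 1 when the registers behave as
 * claims 2 and 9 describe, 0 otherwise. */
static int log_selftest(void) {
    struct log_module lm;
    uint8_t bm[LOG_BITMAP_SIZE] = {0};
    memset(&lm, 0, sizeof lm);                      /* every register starts idle */
    bm[0] = 0x01;                                   /* byte 0 changed */
    if (log_submit(&lm, 100, "procA", 0x1000, bm, 0x401000) != 0) return 0;
    bm[0] = 0x00; bm[1] = 0x20;                     /* byte 13 changed */
    if (log_submit(&lm, 100, "procA", 0x1000, bm, 0x401010) != 0) return 0;
    if (log_submit(&lm, 200, "procB", 0x1000, bm, 0x402000) != 0) return 0;
    return log_modified_bytes(&lm, 100, 0x1000) == 2     /* A's two entries accumulated */
        && log_modified_bytes(&lm, 200, 0x1000) == 1     /* B's record is independent */
        && log_modified_bytes(&lm, 100, 0x2000) == -1    /* no register for an unvisited page */
        && log_modified_bytes(&lm, 300, 0x1000) == -1;   /* no register for an unseen process */
}
```

With fixed pools, `log_submit` returns -1 once the idle registers are exhausted, which is the case a real implementation must handle by growing the pool or by forcing an early submission; the patent's claim 2 notes that registers occupy memory only while recording, which is why lazy allocation from an idle pool is modelled here.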
CN201410203373.9A 2014-05-14 2014-05-14 Honey pot mechanism and method used for collecting and intercepting internal storage behaviors of computer Expired - Fee Related CN104021344B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410203373.9A CN104021344B (en) 2014-05-14 2014-05-14 Honey pot mechanism and method used for collecting and intercepting internal storage behaviors of computer

Publications (2)

Publication Number Publication Date
CN104021344A true CN104021344A (en) 2014-09-03
CN104021344B CN104021344B (en) 2015-06-24

Family

ID=51438091

Country Status (1)

Country Link
CN (1) CN104021344B (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105787370A (en) * 2016-03-07 2016-07-20 成都驭奔科技有限公司 Malicious software collecting and analyzing method based on honeypots
CN107003949A (en) * 2015-02-04 2017-08-01 华为技术有限公司 The system and method synchronous for the internal memory of multiple nucleus system
CN107465663A (en) * 2017-07-06 2017-12-12 广州锦行网络科技有限公司 A kind of implementation method and device of the seamless honey jar of network
CN109145599A (en) * 2017-06-27 2019-01-04 关隆股份有限公司 The means of defence of malicious virus
CN109409089A (en) * 2018-09-28 2019-03-01 西安电子科技大学 A kind of Windows ciphering type examined oneself based on virtual machine extorts software detecting method
CN110096871A (en) * 2019-05-10 2019-08-06 南京大学 A kind of multi-core environment process kernel stack guard method based on hardware virtualization
CN110336811A (en) * 2019-06-29 2019-10-15 上海淇馥信息技术有限公司 A kind of Cyberthreat analysis method, device and electronic equipment based on honey pot system
CN112422481A (en) * 2019-08-22 2021-02-26 华为技术有限公司 Trapping method, system and forwarding equipment for network threats
CN113569244A (en) * 2021-09-18 2021-10-29 成都数默科技有限公司 Memory malicious code detection method based on processor tracking
CN113590106A (en) * 2021-06-25 2021-11-02 许继电气股份有限公司 Industrial control graphical programming environment operation state data monitoring system and method
WO2023093380A1 (en) * 2021-11-27 2023-06-01 华为技术有限公司 Maintenance method for translation lookaside buffer, and related device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102651062A (en) * 2012-04-09 2012-08-29 华中科技大学 System and method for tracking malicious behavior based on virtual machine architecture
CN102088379B (en) * 2011-01-24 2013-03-13 国家计算机网络与信息安全管理中心 Detecting method and device of client honeypot webpage malicious code based on sandboxing technology

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10452686B2 (en) 2015-02-04 2019-10-22 Huawei Technologies Co., Ltd. System and method for memory synchronization of a multi-core system
CN107003949A (en) * 2015-02-04 2017-08-01 华为技术有限公司 The system and method synchronous for the internal memory of multiple nucleus system
CN107003949B (en) * 2015-02-04 2020-02-14 华为技术有限公司 System and method for memory synchronization for multi-core systems
CN105787370B (en) * 2016-03-07 2018-08-10 四川驭奔科技有限公司 A kind of Malware based on honey jar collects and analyzes method
CN105787370A (en) * 2016-03-07 2016-07-20 成都驭奔科技有限公司 Malicious software collecting and analyzing method based on honeypots
CN109145599A (en) * 2017-06-27 2019-01-04 关隆股份有限公司 The means of defence of malicious virus
CN107465663A (en) * 2017-07-06 2017-12-12 广州锦行网络科技有限公司 A kind of implementation method and device of the seamless honey jar of network
CN109409089A (en) * 2018-09-28 2019-03-01 西安电子科技大学 A kind of Windows ciphering type examined oneself based on virtual machine extorts software detecting method
CN110096871A (en) * 2019-05-10 2019-08-06 南京大学 A kind of multi-core environment process kernel stack guard method based on hardware virtualization
CN110096871B (en) * 2019-05-10 2021-03-19 南京大学 Multi-core environment process kernel stack protection method based on hardware virtualization
CN110336811A (en) * 2019-06-29 2019-10-15 上海淇馥信息技术有限公司 A kind of Cyberthreat analysis method, device and electronic equipment based on honey pot system
CN112422481A (en) * 2019-08-22 2021-02-26 华为技术有限公司 Trapping method, system and forwarding equipment for network threats
CN112422481B (en) * 2019-08-22 2021-10-26 华为技术有限公司 Trapping method, system and forwarding equipment for network threats
CN113590106A (en) * 2021-06-25 2021-11-02 许继电气股份有限公司 Industrial control graphical programming environment operation state data monitoring system and method
CN113590106B (en) * 2021-06-25 2022-04-08 许继电气股份有限公司 Industrial control graphical programming environment operation state data monitoring system and method
CN113569244A (en) * 2021-09-18 2021-10-29 成都数默科技有限公司 Memory malicious code detection method based on processor tracking
CN113569244B (en) * 2021-09-18 2021-12-03 成都数默科技有限公司 Memory malicious code detection method based on processor tracking
WO2023093380A1 (en) * 2021-11-27 2023-06-01 华为技术有限公司 Maintenance method for translation lookaside buffer, and related device

Also Published As

Publication number Publication date
CN104021344B (en) 2015-06-24

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150624

Termination date: 20210514