CN104809401B - A kind of operating system nucleus completeness protection method - Google Patents
A kind of operating system nucleus completeness protection method Download PDFInfo
- Publication number
- CN104809401B CN104809401B CN201510234249.3A CN201510234249A CN104809401B CN 104809401 B CN104809401 B CN 104809401B CN 201510234249 A CN201510234249 A CN 201510234249A CN 104809401 B CN104809401 B CN 104809401B
- Authority
- CN
- China
- Prior art keywords
- ips
- integrity protection
- target
- monitoring
- kernel
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
A kind of operating system nucleus integrity protection system, including integrity protection program, kernel hooking, redirect code, goal systems and monitoring protector;Using following steps:(1) startup and initialization of monitoring protector;Integrity protection program IPS request operation is waited after initialization;(2) integrity protection program IPS registration and the setting of monitoring environmental protection;(3) monitoring and protection to goal systems Target O/S kernel integralities are implemented;When the hook that integrity protection program IPS is arranged in kernel is triggered, it is necessary to which the generation for the kernel events that Target O/S kernel integralities are checked and protected, is now switched in integrity protection program IPS and carries out respective handling;(4) integrity protection program IPS nullifies removes with monitoring environmental protection;The monitoring environmental protection established in clear operation (2), and recover goal systems Target OS normal operation.
Description
Technical field
It is more particularly to a kind of that integrality monitoring is carried out to operating system nucleus the present invention relates to the safeguard protection of operating system
With the method for protection.
Background technology
Operating system nucleus code is in large scale, complicated, and in order to ensure running efficiency of system, generally use is not
The programming language of safety, thus substantial amounts of leak and mistake wherein be present.Attacker can utilize these leaks to kernel
Implement attack, change kernel key state, perform arbitrary malicious code, therefore, operating system nucleus is faced with very severe
Safety issue.The integrality of operating system nucleus is monitored and protected, can effectively lift its security.
The more mechanism using monitor of virtual machine VMM of integrity protection of existing operating system nucleus, these VMM should
Virtualization is provided for operating system to support, but there are problems that.VMM is faced with the same safety of operating system nucleus
Problem, the security of its own can not be effectively ensured.Because operating system continually can be entered in its life cycle with VMM
Row interaction so that VMM has extensive attack face.So, malicious operating system can just be touched by the data constructed meticulously
The leak in VMM is sent out, to implement to attack.VMM needs to perform virtualization operations for operating system and needs to intervene kernel integrity
Checksum protection process, serious performance cost can be produced so that practicality substantially reduces.Therefore, safe and efficient operation system
Kernel integrity of uniting monitors protection technique, is very important.Using computer hardware virtualization technology, ensureing effectively to implement
Kernel integrity is monitored with the basis of protection, lifting its own security and reducing the performance cost of completeness protection method,
With realistic meaning.
The content of the invention
In order to overcome the deficiencies in the prior art, the invention provides a kind of operating system nucleus integrity protection side
Method so that the monitoring and protection to operating system nucleus integrality are more safe efficient.
To achieve the above object, the present invention adopts the following technical scheme that:A kind of operating system nucleus integrity protection system,
Based on component include integrity protection program, kernel hooking, redirect code, goal systems and monitoring protector;Including as follows
Step (key operation):
(1) startup and initialization of monitoring protector;Monitoring protector carries out the configuration work of virtualized environment on startup
Make, the extension page table EPT mechanism and VM-functions mechanism of Intel processor offer are provided, and establish for supporting target
System Target OS carry out the EPT paging structure GEPT of internal storage access, and integrity protection program IPS is waited after initialization
Request operation;
(2) integrity protection program IPS registration and the setting of monitoring environmental protection;Integrity protection program IPS is adding
, it is necessary to set the kernel hooking of intercepting and capturing event during load, create and configure and redirect code and coherence check program, surpassed by VMCALL
Level call instruction is registered to monitoring protector, and monitoring protector is created for supporting integrity protection program IPS to carry out internal memory visit
The EPT paging structure SEPT asked, and set internal memory to protect, realize that internal memory is isolated;
(3) monitoring and protection to goal systems Target O/S kernel integralities are implemented;As integrity protection program IPS
When the hook being arranged in kernel is triggered, it is meant that in needing Target O/S kernel integralities are checked and protected
The generation of nuclear incident, now it is switched in integrity protection program IPS and carries out respective handling.
(4) integrity protection program IPS nullifies removes with monitoring environmental protection;The monitoring established in clear operation (2) is protected
Retaining ring border, and recover goal systems Target OS normal operation.
Integrity protection program IPS (Integrity Protection Software) is placed in destination OS
Inside Target OS address spaces, encapsulate and integrity checking and protection are carried out to destination OS Target O/S kernels
Correlative code, and data segment and work stack required during operation, the performing environment of a closing is formed, wherein specific complete
Property the inspection security strategy related to protection voluntarily formulated according to user's request;When need to operating system nucleus implement integrality
Monitoring protection when, integrity protection program IPS loading when to monitoring protector register, monitoring protector be IPS build by
The running environment of protection, corresponding security strategy is performed under monitoring protector protection in IPS whole life cycle.
Kernel hooking is placed in goal systems Target O/S kernels, may make Target OS integralities for intercepting and capturing
The kernel events that state changes so that controlling stream can be transferred in integrity protection program IPS and be checked and be analyzed.
The embodiment and set location of kernel hooking are related to security strategy, are voluntarily formulated by user, for example,
Set at the kernel events such as kernel module loading and deletion, executable file execution, or intercept and capture Target OS tick interrupts
Processing routine is to carry out periodic integrity checking.
The control switching that code is used between destination OS Target OS and integrity protection program IPS is redirected, together
The protection of the monitored protector of sample.After the kernel hooking that user is placed in Target OS is triggered, controlling stream can pass through
Redirect code and be transferred in integrity protection program IPS and analyzed and processed, then return to goal systems by redirecting code again
Target OS are continued executing with.The code that redirects into integrity protection program IPS is referred to as entry and redirects code, returns to target system
The system Target OS code that redirects is referred to as exit and redirects code.
Monitoring protector is run directly on computer hardware, for integrity protection program IPS, kernel hooking and is redirected
Code provides insulation blocking, builds safe performing environment, resists goal systems Target OS and the malice of said modules is attacked
Hit, so as to ensure the validity of kernel integrity protection system;
Monitoring protector provides the running environment of an insulation blocking for integrity protection program IPS, is a lightweight
VMM but do not perform any virtualization operations, nonintervention destination OS Target OS operation;Monitoring protector, connect
The registration and unregistration request that program IPS integrity protected is sent, constructed internal storage access safeguard measure is established and cancels, and
Recording-related information;Monitoring protector is booted up by Grub, is run directly on hardware, and monitoring protector uses on startup
Intel TXT GETSEC instructions carry out credible startup;Monitoring protector only enables extension page table EPT mechanism, VM-
Functions mechanism and the protection to LBR MSR, control targe is distinguished by different EPT page table structures GEPT and SEPT
The access of system Target OS and integrity protection program IPS to physical memory.
READ, WRITE, EXECUTION position that monitoring protector is enabled in extension page table EPT items reflect list item meaning
The reading and writing of the physical memory page and executable access rights;By setting different access rights in GEPT and SEPT;Together
When, the EPTP handover mechanisms that provide in VM-functions is used in redirecting code, directly realized in non-root patterns
Switching between EPT;
In order to manage integrity protection program IPS, kernel hooking, the internal storage access authority for redirecting code, monitoring protector
Using corresponding the registered integrity protection program IPS of safe_monitor data structures, for stored memory protection information, bag
Include:Index ips_index, each region of memorys of SEPT base address ips_eptp, the ips_eptp in EPTP list fields
Starting and end address and required setting access rights.
Goal systems Target OS contextual information and monitoring configure when performing integrity checking with protecting to preserve
Information, integrity protection program IPS inside are recorded using ips_context structures, including:Need to preserve goal systems
Stack pointer os_stack, integrity protection program IPS stack pointers ips_stack when Target OS are currently run,
Entry and exit redirects code address ips_entry and ips_exit, integrity protection program IPS processing function entrances address
Ips_handler, kernel hooking address ips_hook and return address ips_return.
Beneficial effects of the present invention:It is hard that operating system nucleus completeness protection method provided by the invention is based on Intel VT
Part virtualization technology.In this kernel integrity protection system, integrity protection program IPS operates in goal systems Target
Inside OS, by setting kernel hooking to intercept and capture Target O/S kernel events, integrity protection program is transferred to via code is redirected
IPS performs corresponding security strategy.The protection of the monitored protector of all components so that Target OS can not be to it
Modify and destroy, so as to protect its security.Monitoring protector provided by the invention is a lightweight VMM, is only
System is protected to provide an isolated execution environment for kernel integrity, without other virtualization features, monitoring protector is only
Extension page table EPT mechanism, VM-functions mechanism and the protection to LBR MSR are enabled, is controlled by different EPT page tables
Access of the Target OS and IPS to physical memory, and the EPTP handover mechanisms provided using VM-functions, directly
The switching between EPT is realized in non-root patterns.Thus, Target OS are in the process of implementation and IPS performs integrality and protected
Protect during related security policies, the intervention without monitoring protector so that whole system performs safe and efficient.
Brief description of the drawings
Fig. 1 operating system nucleus integrity protection system's structural representations;
Fig. 2 operating system nucleus completeness protection method flow charts;
Fig. 3 monitoring protector initialization flowcharts;
Fig. 4 integrity protection programs IPS is registered and monitoring environmental protection setting procedure figure;
Fig. 5 HYPERCALL_CREATE hypercalls execution flow charts;
Fig. 6 HYPERCALL_SET hypercalls execution flow charts;
Specifically flow chart is protected in the monitoring to kernel integrity to Fig. 7;
Fig. 8 entry redirect code flow diagram;
Fig. 9 exit redirect code flow diagram;
Figure 10 integrity protection programs IPS nullifies removes flow chart with monitoring environmental protection;
Figure 11 HYPERCALL_DESTROY hypercalls flow charts.
Embodiment
The present invention is further described below in conjunction with the accompanying drawings.
As shown in figure 1, a kind of operating system nucleus integrity protection system provided by the invention, contained component includes complete
Property defence program IPS, kernel hooking, redirect code, goal systems Target OS and monitoring protector.When needs are to operation
When kernel of uniting implements integrality monitoring protection, integrity protection program IPS is loaded into object run by way of kernel module
In system Target OS address spaces, the configuration needed for environmental protection is monitored, and registered to monitoring protector, structure
Build the running environment by insulation blocking.Integrity protection program IPS itself is encapsulated in goal systems Target OS
Core carries out integrity checking and the correlative code of protection, and data segment and work stack required during operation, forms an envelope
The performing environment closed, wherein specific security strategy is voluntarily formulated according to user's request.
Goal systems Target OS contextual information and monitoring are matched somebody with somebody when performing integrity checking with protecting to preserve
Confidence ceases, and is recorded inside integrity protection program IPS using ips_context structures, including:Need to preserve goal systems
Stack pointer os_stack, integrity protection program IPS stack pointers ips_stack when Target OS are currently run,
Entry and exit redirects code address ips_entry and ips_exit, integrity protection program IPS processing function entrances address
Ips_handler, kernel hooking address ips_hook and return address ips_return.
Goal systems Target OS integrity states may occur to enable integrity protection program IPS to intercept and capture
The kernel events of change, and then association integrity inspection and analysis are carried out, it is necessary to set kernel hooking in Target OS.It is interior
The embodiment and set location of core hook are related to security strategy, are voluntarily formulated by user, for example, in kernel module
Loading and delete, executable file performs etc. sets at kernel events, or intercept and capture Target OS clock interrupt handling routines with
Carry out periodic integrity checking.
Redirect code be used between goal systems Target OS and integrity protection program IPS control switching, equally by
To the protection of monitoring protector.After the kernel hooking that user is placed in goal systems Target OS is triggered, controlling stream meeting
It is transferred in integrity protection program IPS by redirecting code and is analyzed and processed, then returns to target system by redirecting code again
System Target OS are continued executing with.The code that redirects from goal systems Target OS into integrity protection program IPS is referred to as
Entry redirects code, and the code that redirects for returning to goal systems Target OS is referred to as exit and redirects code.
Monitoring protector is the core component of the system, and the fortune of an insulation blocking is provided for integrity protection program IPS
Row environment, the VMM of a lightweight is effectively equivalent to, receives the registration and unregistration request that integrity protection program IPS is sent,
Establish and cancel constructed internal storage access safeguard measure, and recording-related information.Monitoring protector is booted up by Grub, directly
Connect and operate on hardware, in order to ensure the clean boot of itself, monitoring protector uses Intel TXT GETSEC on startup
Instruction carries out credible startup.Monitoring protector is only to protect system to provide an isolated execution environment for kernel integrity, and
Without other virtualization features, thus almost it is not required to set the execution control domain in virtual machine control block VMCS, only enables expansion
Open up page table EPT mechanism, VM-functions mechanism and the protection to LBR MSR, by different EPT page table structures GEPT and
SEPT distinguishes the access of control targe system Target OS and integrity protection program IPS to physical memory.EPT page table entries
In READ, WRITE, EXECUTION position reflect the reading and writing of the list item meaning physical memory page and executable access right
Limit.It is to realize to carry out insulation blocking to integrity protection program IPS by setting different access rights in GEPT and SEPT
Key.Meanwhile the EPTP handover mechanisms provided in redirecting code using VM-functions, can be directly in non-
The switching between EPT is realized in root patterns, without the intervention of monitoring protector, ensure that the high efficiency of monitoring guard method.
In order to manage integrity protection program IPS, kernel hooking, the internal storage access authority for redirecting code, monitoring protector
Using corresponding the registered integrity protection program IPS of safe_monitor data structures, for stored memory protection information, bag
Include:Index ips_index, each region of memorys of SEPT base address ips_eptp, the ips_eptp in EPTP list fields
Starting and end address and required setting access rights.
Fig. 2 show operating system nucleus completeness protection method flow chart.Including:Step 20 monitoring protector is initial
Change;Step 21 integrity protection program IPS registers to be set with monitoring environmental protection;The step 22 specifically monitoring to kernel integrity
Protection;And step 23 integrity protection program IPS is nullified with monitoring the primary operationals such as environmental protection removing.
Fig. 3 is monitoring protector initialization flowchart.Step 30 is initial state;Step 31 enables extension page table EPT machines
System and VM functions mechanism, the purpose for enabling VM functions be in order to can in goal systems Target OS it is straight
Connect and perform EPT handover operations, by Enable EPT positions in virtual machine control block VMCS and VM functions positions 1;Step 32
By the positions 1 of IA32_DEBUGCTL MSR registers bit 0, to open LBR (Last Branch Record) mechanism, while
In VMCS MSR write bit figures, by the position 1 corresponding to IA32_DEBUGCTL and LBR stacks (LBR stack) register, to forbid
Goal systems Target OS change these registers, while allow to read these deposits in integrity protection program IPS again
Device;Step 33 sets whole GEPT list items according to the size of goal systems Target OS physical address, and page-size is set to
4KB, READ, WRITE, EXECUTION position 1 of whole GEPT list items is initialized, ensure Target OS guest-physical addresses
Identical mapping between machine physical address, and GEPT page tables base address guest_eptp is stored in virtual machine control block
VMCS EPTP fields, in addition, physical memory area where monitoring protector itself is left out from GEPT page table entries, to forbid
External module access monitoring protector own content;Step 34 by the positions 1 of VM-functions control fields bit 0 in VMCS,
To enable EPTP switching (EPTP Switching) mechanism, 4KB size EPTP lists are distributed, and guest_eptp is stored in
EPTP list indexs position is at 0;Step 35 terminates.Initialization is completed, and waits integrity protection program IPS request.
After monitoring protector initialization is completed, just possess and build an isolation operation for integrity protection program IPS
The function of environment.Integrity protection program IPS is in loading, it is necessary to carry out pertinent registration with monitoring the behaviour such as environmental protection setting
Make.And at the end of monitoring, the configured monitoring environmental protection of revocation, recovery goal systems Target OS normal operation.Tool
The operation being configured in monitoring protector is needed during the registration and unregistration of body, is used by integrity protection program IPS
Hypercalls are carried out.In Intel VT-x, hypercalls make use of VMCALL to instruct, therefore, the present invention provides following three
Individual supersystem is called:(1)HYPERCALL_CREATE:For notifying monitoring protector to create SEPT paging structures, RAX deposits
Device Transfer Parameters HYPERCALL_CREATE.(2)HYPERCALL_SET:For setting kernel hooking in GEPT and SEPT, jump
Turn code, the access rights of region of memory where integrity protection program IPS, environmental protection is monitored to integrality for realizing
Protection, RAX register Transfer Parameters HYPERCALL_SET, RBX register Transfer Parameters initial address start, RCX registers
Transfer Parameters end address end, RDX register Transfer Parameters component type (kernel hooking, redirects code, IPS codes, IPS numbers
According to).(3)HYPERCALL_DESTROY:For removing the internal memory safeguard measure set in monitoring protector, RAX registers pass
Pass parameter HYPERCALL_DESTROY.When integrity protection program IPS calls supersystem to call, CPU can be trapped in monitoring
In protector, monitoring protector carries out relevant treatment according to specific parameter information.
Fig. 4 is that integrity protection program IPS is registered with monitoring environmental protection setting procedure figure.Step 40 is initial state;
Stack and other data areas needed for step 41 distribution integrality defence program IPS operations, for forming the operation of a closing
Environment;Step 42 dynamically produces ips_context structures, goal systems Target O/S context information when being monitored for preserving
And monitoring configuration information, including need to preserve stack pointer os_stack, IPS storehouses of Target OS when currently running and refer to
Pin ips_stack, entry and exit redirect code address ips_entry and ips_exit, IPS processing function entrance address
Ips_handler, kernel hooking address ips_hook and return address ips_return;Step 43 is by IPS stack tops address ips_
Stack, entry and exit redirect code address ips_entry, ips_exit, and IPS processing function entrances ips_handler is protected
It is stored in ips_context structures;Step 44 sets kernel hooking, and the present invention does not limit the specific side that user adds kernel hooking
Formula, ensure that kernel hooking jumps to ips_entry positions by user, and by its address ips_hook and return address ips_
Return is saved in ips_context structures, and ips_hook, which is used to call, checks program, ensures integrity protection program IPS
It is to be triggered by set kernel hooking;Step 45 calls HYPERCALL_CREATE hypercalls to create SEPT paging knots
Structure, the process includes a sub-process handled in monitoring protector, and transmits return value ips_index with RAX registers,
Ips_index is indexes of the SEPT page tables base address ips_eptp in virtual machine control block VMCS EPTP list fields;Step
Rapid 46 judge kernel hooking, redirect code, whether page internal memory protection setting has all been handled shared by integrity protection program IPS
Into terminating if so, then going to step 48, otherwise go to step 47;Step 47 calls HYPERCALL_SET hypercalls in GEPT
With kernel hooking is set in SEPT, redirect code, the access rights of internal memory where integrity protection program IPS, for realizing pair
Kernel integrity monitors the protection of environmental protection, and the process includes a sub-process handled in monitoring protector;Step 48
Terminate.
Fig. 5 is HYPERCALL_CREATE hypercalls execution flow charts.Step 50 is initial state;Step 51 produces
Safe_monitor structure stored memory protection informations, including SEPT base address ips_eptp, ips_eptp in EPTP lists
The starting of index ips_index, each region of memory in field and end address and the access rights of required setting;Step
52 set whole SEPT list items according to the size of goal systems Target OS physical address, and page-size is set to 4KB, SEPT
Duplication version equivalent to GEPT, but all pages not can perform authority, therefore, initialize whole SEPT list items READ,
WRITE positions 1, EXECUTION positions 0, ensure the identical mapping of guest-physical addresses and machine physical address, monitoring is protected
Physical memory area where device itself is left out from SEPT page table entries, to forbid in external module access monitoring protector itself
Hold, and SEPT base address ips_eptp is saved in safe_monitor;Ips_eptp is saved in VMCS by step 53
EPTP list fields, index as ips_index;Ips_index is saved in safe_monitor by step 54;Step 55 is used
RAX registers preserve return value ips_index;Step 56 terminates.
Fig. 6 is HYPERCALL_SET hypercalls execution flow charts.Step 60 is initial state;Step 61 is verified
HYPERCALL_SET hypercalls instruct the legitimacy of Transfer Parameters, i.e. the initial address start of determination component and end address
Whether end is processed (having been saved in safe_monitor), and start<End, if Transfer Parameters are legal, it is transferred to
Step 62, otherwise it is transferred to step 6A error handle;Step 62 is determined in GEPT and SEPT according to component type in RDX registers
The authority gacc and sacc to be set:If kernel hooking, then gacc is arranged to readable, not writeable, executable, and sacc is arranged to
It is readable, writeable, not can perform, if code is redirected, then gacc is arranged to readable, not writeable, executable, and sacc is arranged to can
Read, be writeable, executable, if IPS codes, then gacc is arranged to unreadable, not writeable, can perform, sacc be arranged to it is readable,
Not writeable, executable, if IPS data, then gacc is arranged to unreadable, not writeable, can perform, sacc be arranged to it is readable,
It is writeable, not can perform;Step 63 sets circulation initial state, and initial address start is set into current address laddr;Step 64
Judge whether laddr is more than or equal to end address end, if so, then all page processing are completed, jump to step 69, circulation knot
Beam, otherwise into loop body, go to step 65;Step 65 inquires about current Target OS page tables using laddr, obtains corresponding client
Physical address paddr;Step 66 travels through GEPT and SEPT respectively using paddr, and corresponding list item access rights are set respectively
For gacc and sacc;Step 67 preserves laddr, paddr, gacc and sacc in safe_monitor;Step 68 is by current position
Location laddr is arranged to the address of next page, goes to step 64;Step 69 terminates internal storage access priority assignation;Passed in step 6A
The parameter entered is illegal, and program error terminates.
Fig. 7 is that specifically flow chart is protected in the monitoring to kernel integrity.Step 70 is initial state;Work as setting in step 71
When hook in kernel is triggered, it will jump to entry and redirect execution at the address ips_entry of code;In step 72 by
Entry redirects code and performs switching task, and the main task that performs includes preserving the deposits of goal systems Target OS before the handover
Device information, perform EPT handover operations (GEPT switches to SEPT), integrality defence program IPS operation work stacks ips_ is set
Stack and jump to calling check program;Jump information can be recorded in step 73 in LBR stack registers, reads the deposit of LBR stacks
Device content, and compared with ips_hook, call validity checking for performing, it is ensured that controlling stream was redirected from corresponding hook
Come, rather than goal systems Target OS malice triggers;If step 74 is identical, it is legal to call, and is transferred to step 75, otherwise
Step 78 mistake is transferred to terminate;Step 75 is jumped at integrity protection program IPS processing function entrances address ips_handler
Perform kernel integrity inspection to operate with protection, the security strategy specifically performed is defined by the user;Step 76 redirects generation by exit
Code performs return task, and the main task that performs includes recovering goal systems Target OS register informations before the handover, performed
EPT handover operations (SEPT switches to GEPT) and returning in goal systems Target OS continue executing with;Step 77 terminates;
Step 78 mistake terminates.
Fig. 8 is that entry redirects code flow diagram, is made up of assembly instruction.Step 80 is initial state, and kernel hooking redirects
Redirected to entry at code;Step 81 is broken using the CLI instructions Central Shanxi Plain, ensures that entry redirects the atomicity of code execution;Step
The 82 general register pop downs for using goal systems Target OS, the storehouse oneself used by Target OS preserve;Step
83 by RAX register assignments 0, represent EPTP switchings (EPTP switching), are ips_index by RCX register assignments, hold
Row VMFUNC instructions are switched to SEPT;Step 84 performs CLI instructions again, prevents goal systems Target OS from directly skipping step
Rapid 81, ensure the atomicity of kernel integrity monitoring protection process;The stack pointer that step 85 uses goal systems Target OS
The os_stack being saved in ips_context;Ips_stack is assigned to RSP registers by step 86;Step 87 jumps to step
Rapid 73 perform.Step 88 terminates.
Fig. 9 is that exit redirects code flow diagram, is made up of assembly instruction.Step 90 is initial state, integrity protection journey
Sequence is finished, and returns to exit and redirects at code;Step 91 is broken using the CLI instructions Central Shanxi Plain, ensures that exit redirects code execution
Atomicity;Os_stack is assigned to RSP registers by step 92, recovers goal systems Target OS stack pointer;Step 93
By RAX register assignments 0, EPTP switchings (EPTP switching) are represented, is 0 by RCX register assignments, represents GEPT and exist
Index in EPTP list fields, perform VMFUNC instructions and EPTP is switched back into GEPT;Step 94 recovers previously used target
System Target OS general register;Step 95 opens interruption using STI instructions, recovers Target OS interrupt status;Step
Rapid 96, which jump to return address ips_return, continues goal systems Target OS execution.Step 97 terminates.
Figure 10 is that integrity protection program IPS is nullified and monitors environment removing flow chart.Step A0 is initial state;Step
A1 calls HYPERCALL_DESTROY hypercalls to remove the internal memory safeguard measure set in monitoring protector, the process bag
Containing a sub-process handled in monitoring protector;Step A2 eliminates the kernel hooking set, recovers goal systems Target
OS is normally performed;Step A3 empties the internal memory and register that integrity protection program IPS is used, and to prevent information leakage, discharges institute
The memory headroom of occupancy;Step A4 terminates.
Figure 11 is HYPERCALL_DESTROY hypercalls flow charts.Step B0 is initial state;Step B1 judges current
Whether under SEPT controls, only integrity protection program IPS internal codes can call HYPERCALL_DESTROY to surpass
Level is called, and such as "Yes", then into step B2, otherwise, is transferred to step B9 mistakes and is terminated;Step B2 judges to need to remove internal memory protection
All the page of setting whether complete by processing, if so, then going to step B4, otherwise goes to step B3;Step B3 is utilized and is stored in
Corresponding page table entry access rights are reverted to READ, WRITE, EXECUTION by the paddr traversal GEPT in safe_monitor,
And it is transferred to step B2 and handles next paddr;Step B4 empties whole SEPT list items, release busy internal memory;Step B5 discharges
Safe_monitor space-consumings;GEPT page tables base address guest_eptp is stored in the EPTP fields in VMCS by step B6;
Step B7 normal terminations;Step B8 mistakes terminate.
Described above is only the preferred embodiment of the present invention, it should be pointed out that:For the ordinary skill people of the art
For member, under the premise without departing from the principles of the invention, some improvements and modifications can also be made, these improvements and modifications also should
It is considered as protection scope of the present invention.
Claims (7)
1. a kind of operating system nucleus completeness protection method, it is characterized in that based on component include integrity protection program, interior
Core hook, redirect code, goal systems and monitoring protector;Using following steps:
(1)The startup and initialization of monitoring protector;Monitoring protector carries out the configuration work of virtualized environment on startup, opens
The extension page table EPT mechanism and VM-functions mechanism provided with Intel processor, and establish for supporting goal systems
Target OS carry out the EPT paging structure GEPT of internal storage access, and asking for integrity protection program IPS is waited after initialization
Ask operation;
(2)Integrity protection program IPS registration and the setting of monitoring environmental protection;Integrity protection program IPS loading when,
Need to set the kernel hooking of intercepting and capturing event, create and configure and redirect code and coherence check program, pass through the super tune of VMCALL
Registered with instruction to monitoring protector, monitoring protector is created for supporting integrity protection program IPS to carry out internal storage access
EPT paging structure SEPT, and set internal memory to protect, realize that internal memory is isolated;
(3)Implement the monitoring and protection to goal systems Target O/S kernel integralities;When integrity protection program IPS is set
, it is necessary to the hair for the kernel events that Target O/S kernel integralities are checked and protected when hook in kernel is triggered
It is raw, now it is switched in integrity protection program IPS and carries out respective handling;
(4)Integrity protection program IPS nullifies to be removed with monitoring environmental protection;Clear operation(2)The monitoring protection ring of middle foundation
Border, and recover goal systems Target OS normal operation;
Integrity protection program IPS(Integrity Protection Software)It is placed in destination OS Target OS
Inside address space, encapsulate and integrity checking and the correlative code of protection carried out to destination OS Target O/S kernels,
And required data segment and work stack during operation, form the performing environment of a closing, wherein specific integrity checking with
Related security strategy is protected voluntarily to be formulated according to user's request;Protected when needing to monitor operating system nucleus implementation integrality
When, load integrity protection program IPS and registered to monitoring protector, monitoring protector is the operation that IPS structures are protected
Environment, corresponding security strategy is performed under monitoring protector protection in IPS whole life cycle;
Kernel hooking is placed in goal systems Target O/S kernels, may make Target OS integrity states for intercepting and capturing
The kernel events to change so that controlling stream can be transferred in integrity protection program IPS and be checked and be analyzed;Kernel hook
The embodiment and set location of son are related to security strategy, are voluntarily formulated by user, the core module that is included loading
Perform with deletion, executable file and set at kernel events, or intercept and capture Target OS clock interrupt handling routines to carry out week
The integrity checking of phase property;
Redirect code be used between destination OS Target OS and integrity protection program IPS control switching, equally by
To the protection of monitoring protector;After the kernel hooking that user is placed in Target OS is triggered, controlling stream can be by redirecting
Code is transferred in integrity protection program IPS and analyzed and processed, and then returns to goal systems Target by redirecting code again
OS is continued executing with;The code that redirects into integrity protection program IPS is referred to as entry and redirects code, returns to goal systems
The Target OS code that redirects is referred to as exit and redirects code;
Monitoring protector is run directly on computer hardware, for integrity protection program IPS, kernel hooking and redirects code
Insulation blocking is provided, safe performing environment is built, resists malicious attacks of the goal systems Target OS to said modules, from
And ensure the validity of kernel integrity protection system;
Monitoring protector provides the running environment of an insulation blocking for integrity protection program IPS, is a lightweight
VMM, but any virtualization operations are not performed, nonintervention destination OS Target OS operation;Monitoring protector receives
The registration and unregistration request that integrity protection program IPS is sent, establishes and cancels constructed internal storage access safeguard measure, and remember
Record relevant information;Monitoring protector is booted up by Grub, is run directly on hardware, and monitoring protector uses on startup
Intel TXT GETSEC instructions carry out credible startup;Monitoring protector only enables extension page table EPT mechanism, VM-
Functions mechanism and the protection to LBR MSR, control targe is distinguished by different EPT page table structures GEPT and SEPT
The access of system Target OS and integrity protection program IPS to physical memory.
2. operating system nucleus completeness protection method according to claim 1, it is characterized in that monitoring protector enables expansion
Exhibition page table EPT items in READ, WRITE, EXECUTION position reflect the list item meaning physical memory page reading and writing and
Executable access rights;Different access rights are set in GEPT and SEPT;Meanwhile VM- is used in code is redirected
The EPTP handover mechanisms provided in functions, the switching between EPT is directly realized in non-root patterns;
In order to manage integrity protection program IPS, kernel hooking, the internal storage access authority for redirecting code, monitoring protector uses
Corresponding the registered integrity protection program IPS of safe_monitor data structures, for stored memory protection information, including:
Index ips_index, of each region of memory of SEPT base address ips_eptp, the ips_eptp in EPTP list fields
The access rights to begin with end address and required setting.
3. operating system nucleus completeness protection method according to claim 1, it is characterized in that performing integrality to preserve
The contextual information and monitoring configuration information with goal systems Target OS during protection are checked, in integrity protection program IPS
Portion is recorded using ips_context structures, including:Need to preserve storehouse when goal systems Target OS are currently run
Pointer os_stack, integrity protection program IPS stack pointers ips_stack, entry and exit redirect code address ips_
Entry and ips_exit, integrity protection program IPS processing function entrances address ips_handler, kernel hooking address ips_
Hook and return address ips_return.
4. operating system nucleus completeness protection method according to claim 1, it is characterized in that monitoring protector initializes
Flow;Step 30 is initial state;Step 31 enables extension page table EPT mechanism and VM functions mechanism, enables VM
Functions purpose is in order to directly perform EPT handover operations in goal systems Target OS, by virtual machine control block
Enable EPT positions and VM functions positions 1 in VMCS;Step 32 is by IA32_DEBUGCTL MSR registers bit 0
1 is put, to open LBR(Last Branch Record)Mechanism, while in VMCS MSR write bit figures, by IA32_DEBUGCTL
With LBR stacks(LBR stack)Position 1 corresponding to register, to forbid goal systems Target OS to change these registers,
Allow to read these registers in integrity protection program IPS again simultaneously;Step 33 is according to goal systems Target OS physics
The size of address sets whole GEPT list items, and page-size is set to 4KB, initialize whole GEPT list items READ, WRITE,
EXECUTION positions 1, ensure the identical mapping between Target OS guest-physical addresses and machine physical address, and will
GEPT page tables base address guest_eptp is stored in virtual machine control block VMCS EPTP fields, in addition, by monitoring protector certainly
Physical memory area where body is left out from GEPT page table entries, to forbid external module access monitoring protector own content;Step
Rapid 34 by the positions 1 of VM-functions control fields bit 0 in VMCS, to enable EPTP handover mechanisms, distribution 4KB sizes EPTP
List, and it is at 0 that guest_eptp is stored in into EPTP list indexs position;Step 35 terminates;Initialization is completed, and is waited complete
Property defence program IPS request;
After monitoring protector initialization is completed, just possess and build an isolation running environment for integrity protection program IPS
Function;Integrity protection program IPS operates in loading, it is necessary to carry out pertinent registration and set with monitoring environmental protection;And
At the end of monitoring, the configured monitoring environmental protection of revocation, recovery goal systems Target OS normal operation;Specific note
The operation being configured in monitoring protector is needed in volume and log off procedure, super tune is used by integrity protection program IPS
For carry out;In Intel VT-x, hypercalls make use of VMCALL to instruct;Adjusted therefore, providing following three supersystem
With:(1)HYPERCALL_CREATE:For notifying monitoring protector to create SEPT paging structures, RAX register Transfer Parameters
HYPERCALL_CREATE;(2)HYPERCALL_SET:For setting kernel hooking in GEPT and SEPT, code is redirected, it is complete
The access rights of region of memory where whole property defence program IPS, the protection of environmental protection, RAX are monitored to integrality for realizing
Register Transfer Parameters HYPERCALL_SET, RBX register Transfer Parameters initial address start, RCX register Transfer Parameters
End address end, RDX register Transfer Parameters component type:Including kernel hooking, code, IPS codes, IPS data are redirected;
(3)HYPERCALL_DESTROY:For removing the internal memory safeguard measure set in monitoring protector, RAX registers transmission ginseng
Number HYPERCALL_DESTROY;When integrity protection program IPS calls supersystem to call, CPU can be trapped in monitoring protection
In device, monitoring protector carries out relevant treatment according to specific parameter information.
5. operating system nucleus completeness protection method according to claim 1, it is characterized in that integrity protection program IPS
Registration and monitoring environmental protection setting procedure:Step 40 is initial state;Step 41 distribution integrality defence program IPS operations institute
The stack needed and other data areas, for forming the running environment of a closing;Step 42 dynamically produces ips_context knots
Structure, goal systems Target O/S contexts information and monitoring configuration information when being monitored for preserving, including need to preserve
Stack pointer os_stack, IPS stack pointer ips_stack, entry and exit when Target OS are currently run redirect generation
Code address ips_entry and ips_exit, IPS processing function entrance address ips_handler, kernel hooking address ips_hook
And return address ips_return;IPS stack tops address ips_stack, entry and exit are redirected code address ips_ by step 43
Entry, ips_exit, IPS processing function entrances ips_handler are saved in ips_context structures;In step 44 is set
Core hook, the concrete mode that user adds kernel hooking is not limited, ensures that kernel hooking jumps to ips_entry positions by user
Put, and its address ips_hook and return address ips_return are saved in ips_context structures, ips_hook is used for
Call and check program, ensure that integrity protection program IPS is triggered by set kernel hooking;Step 45 is called
HYPERCALL_CREATE hypercalls create SEPT paging structures, and the process includes a son handled in monitoring protector
Flow, and return value ips_index is transmitted with RAX registers, ips_index is SEPT page tables base address ips_eptp virtual
Index in machine control block VMCS EPTP list fields;Step 46 judges kernel hooking, redirects code, integrity protection program
All page internal memory protection setting shared by IPS whether complete by processing, terminates if so, then going to step 48, otherwise goes to step 47;Step
Rapid 47 calling HYPERCALL_SET hypercalls set kernel hooking in GEPT and SEPT, redirect code, integrity protection journey
The access rights of internal memory where sequence IPS, the protection of environmental protection is monitored for realizing to kernel integrity, and the process includes one
The sub-process handled in monitoring protector;Step 48 terminates.
6. operating system nucleus completeness protection method according to claim 1, it is characterized in that the prison to kernel integrity
Control protection flow:Step 70 is initial state;In step 71 when the hook being arranged in kernel is triggered, it will jump to
Entry is redirected and performed at the address ips_entry of code;Code is redirected by entry in step 72 and performs switching task, is mainly held
Row task include preserving goal systems Target OS register information before the handover, perform EPT handover operations, set it is complete
Property defence program IPS operation work stack ips_stack and jump to calling and check program;In step 73 in LBR stack registers
Jump information can be recorded, reads LBR stack register contents, and compared with ips_hook, calls validity checking for performing, really
Protect controlling stream to redirect from corresponding hook, rather than goal systems Target OS malice triggers;If step 74 phase
Together, then it is legal to call, and is transferred to step 75, is otherwise transferred to step 78 mistake and terminates;Step 75 jumps to integrity protection program IPS
Perform kernel integrity inspection at the ips_handler of processing function entrance address to operate with protection, the security strategy specifically performed
It is defined by the user;Step 76 redirects code by exit and performs return task, and the main task that performs includes recovering goal systems
Register information, execution EPT handover operations, the SEPT of Target OS before the handover switch to GEPT and return to target system
Continued executing with system Target OS;Step 77 terminates;Step 78 mistake terminates.
7. operating system nucleus completeness protection method according to claim 1, it is characterized in that entry redirects code flow
Journey:It is made up of assembly instruction;Step 80 is initial state, and kernel hooking jumps to entry and redirected at code;Step 81 uses
The CLI instructions Central Shanxi Plain is broken, and ensures that entry redirects the atomicity of code execution;Step 82 uses goal systems Target OS logical
With register pop down, the storehouse oneself used by Target OS preserves;RAX register assignments 0 are represented EPTP and cut by step 83
Change(EPTP switching), it is ips_index by RCX register assignments, performs VMFUNC instructions and be switched to SEPT;Step 84
CLI instructions are performed again, prevent goal systems Target OS from directly skipping step 81, ensure that kernel integrity monitoring was protected
The atomicity of journey;The goal systems Target OS stack pointers used are saved in the os_ in ips_context by step 85
stack;Ips_stack is assigned to RSP registers by step 86;Step 87 jumps to step 73 and performed;Step 88 terminates.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510234249.3A CN104809401B (en) | 2015-05-08 | 2015-05-08 | A kind of operating system nucleus completeness protection method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510234249.3A CN104809401B (en) | 2015-05-08 | 2015-05-08 | A kind of operating system nucleus completeness protection method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104809401A CN104809401A (en) | 2015-07-29 |
CN104809401B true CN104809401B (en) | 2017-12-19 |
Family
ID=53694214
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510234249.3A Active CN104809401B (en) | 2015-05-08 | 2015-05-08 | A kind of operating system nucleus completeness protection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104809401B (en) |
Families Citing this family (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107301082B (en) * | 2016-04-15 | 2020-10-09 | 南京中兴软件有限责任公司 | Method and device for realizing integrity protection of operating system |
CN106203082A (en) * | 2016-06-29 | 2016-12-07 | 上海交通大学 | The system and method efficiently isolating kernel module based on virtualization hardware characteristic |
CN106096455A (en) * | 2016-08-08 | 2016-11-09 | 王波 | A kind of main frame kernel data reduction protection method |
CN106778257A (en) * | 2016-12-08 | 2017-05-31 | 北京国电通网络技术有限公司 | A kind of anti-release apparatus of virtual machine |
CN106775941A (en) * | 2016-12-08 | 2017-05-31 | 北京国电通网络技术有限公司 | A kind of virtual machine kernel completeness protection method and device |
CN107016283B (en) * | 2017-02-15 | 2019-09-10 | 中国科学院信息工程研究所 | Android privilege-escalation attack safety defense method and device based on integrity verification |
EP3373178A1 (en) * | 2017-03-08 | 2018-09-12 | Secure-IC SAS | Comparison of execution context data signatures with references |
CN107797895A (en) * | 2017-05-08 | 2018-03-13 | 中国人民解放军国防科学技术大学 | A kind of secure virtual machine monitoring method and system |
CN108958879B (en) * | 2017-05-24 | 2021-02-26 | 华为技术有限公司 | Monitoring method and device for virtual machine |
CN107391225A (en) * | 2017-07-13 | 2017-11-24 | 北京航空航天大学 | A kind of monitoring method and system based on more EPT lists |
CN107368739B (en) * | 2017-07-26 | 2020-02-07 | 北京理工大学 | Kernel drive monitoring method and device |
CN107506638B (en) * | 2017-08-09 | 2020-10-16 | 南京大学 | Kernel control flow abnormity detection method based on hardware mechanism |
CN107479946B (en) * | 2017-08-16 | 2020-06-16 | 南京大学 | Interactive behavior monitoring scheme of kernel module |
CN108171061B (en) * | 2018-01-16 | 2021-02-02 | 武汉轻工大学 | Android system kernel safety detection method and device |
CN108763927A (en) * | 2018-01-16 | 2018-11-06 | 武汉轻工大学 | A kind of cloud system safety detection method and device |
CN110348252B (en) | 2018-04-02 | 2021-09-03 | 华为技术有限公司 | Trust zone based operating system and method |
CN108469984B (en) * | 2018-04-17 | 2021-07-30 | 哈尔滨工业大学 | Virtual machine introspection function level-based dynamic detection system and method for inner core of virtual machine |
CN109271787A (en) * | 2018-07-03 | 2019-01-25 | ***股份有限公司 | A kind of operating system security active defense method and operating system |
CN110892388B (en) | 2018-07-11 | 2022-07-22 | 华为技术有限公司 | Method and device for enhancing isolation of user space and kernel space |
CN109522050B (en) * | 2018-09-10 | 2020-11-17 | 上海交通大学 | Memory data real-time recording method and system based on processor control flow recording characteristics |
CN109388948B (en) * | 2018-11-05 | 2021-02-26 | 杭州安恒信息技术股份有限公司 | Virtualization technology-based potential malware analysis method and related device |
CN111177716B (en) * | 2019-06-14 | 2024-04-02 | 腾讯科技(深圳)有限公司 | Method, device, equipment and storage medium for acquiring executable file in memory |
CN111177703B (en) * | 2019-12-31 | 2023-03-31 | 青岛海尔科技有限公司 | Method and device for determining data integrity of operating system |
CN111400702B (en) * | 2020-03-24 | 2023-06-27 | 上海瓶钵信息科技有限公司 | Virtualized operating system kernel protection method |
CN111881485B (en) * | 2020-07-14 | 2022-04-05 | 浙江大学 | Core sensitive data integrity protection method based on ARM pointer verification |
CN112100686B (en) * | 2020-08-28 | 2022-04-08 | 浙江大学 | Core code pointer integrity protection method based on ARM pointer verification |
CN112631671A (en) * | 2020-12-31 | 2021-04-09 | 东软睿驰汽车技术(沈阳)有限公司 | Method and device for initializing operating system |
CN112989326A (en) * | 2021-04-08 | 2021-06-18 | 北京字节跳动网络技术有限公司 | Instruction sending method and device |
CN117688552B (en) * | 2024-01-30 | 2024-04-12 | 龙芯中科技术股份有限公司 | Stack space protection method, electronic device, storage medium and computer program product |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101226577A (en) * | 2008-01-28 | 2008-07-23 | 南京大学 | Method for protecting microkernel OS integrality based on reliable hardware and virtual machine |
CN102222194A (en) * | 2011-07-14 | 2011-10-19 | 哈尔滨工业大学 | Module and method for LINUX host computing environment safety protection |
CN103093150A (en) * | 2013-02-18 | 2013-05-08 | 中国科学院软件研究所 | Dynamic integrity protection method based on credible chip |
CN103699498A (en) * | 2013-11-25 | 2014-04-02 | 南京大学 | Application key data protection system and protection method |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030101381A1 (en) * | 2001-11-29 | 2003-05-29 | Nikolay Mateev | System and method for virus checking software |
-
2015
- 2015-05-08 CN CN201510234249.3A patent/CN104809401B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101226577A (en) * | 2008-01-28 | 2008-07-23 | 南京大学 | Method for protecting microkernel OS integrality based on reliable hardware and virtual machine |
CN102222194A (en) * | 2011-07-14 | 2011-10-19 | 哈尔滨工业大学 | Module and method for LINUX host computing environment safety protection |
CN103093150A (en) * | 2013-02-18 | 2013-05-08 | 中国科学院软件研究所 | Dynamic integrity protection method based on credible chip |
CN103699498A (en) * | 2013-11-25 | 2014-04-02 | 南京大学 | Application key data protection system and protection method |
Non-Patent Citations (1)
Title |
---|
一个基于硬件虚拟化的内核完整性监控方法;李珣等;《计算机科学》;20111231;第38卷(第12期);第68-72页 * |
Also Published As
Publication number | Publication date |
---|---|
CN104809401A (en) | 2015-07-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104809401B (en) | A kind of operating system nucleus completeness protection method | |
RU2686552C2 (en) | Systems and methods for presenting a result of a current processor instruction when exiting from a virtual machine | |
KR102189296B1 (en) | Event filtering for virtual machine security applications | |
TWI667611B (en) | Data processing apparatus and method therefor | |
US10140448B2 (en) | Systems and methods of asynchronous analysis of event notifications for computer security applications | |
US9129106B2 (en) | Systems and methods for secure in-VM monitoring | |
CN102096786A (en) | Cross-platform safety protection system based on hardware virtualization | |
US20050076186A1 (en) | Systems and methods for improving the x86 architecture for processor virtualization, and software systems and methods for utilizing the improvements | |
CN109643290A (en) | For having the technology of the memory management of the object-oriented with extension segmentation | |
JP2005122711A (en) | Method for improving processor virtualization and system for processing synthetic instruction | |
WO2002052404A2 (en) | Processor mode for limiting the operation of guest software r unning on a virtual machine supported by a monitor | |
CN107479946B (en) | Interactive behavior monitoring scheme of kernel module | |
CN110059453A (en) | A kind of container virtualization safety reinforced device and method | |
EP3864555B1 (en) | Verifying a stack pointer | |
Deng et al. | Dancing with wolves: Towards practical event-driven vmm monitoring | |
Shuo et al. | Prevent kernel return-oriented programming attacks using hardware virtualization | |
Tang et al. | Secure and efficient in-hypervisor memory introspection using nested virtualization | |
Sparks et al. | Windows Rootkits a game of" hide and seek" | |
US10019576B1 (en) | Security control system for protection of multi-core processors | |
Liu et al. | HyperPS: a hypervisor monitoring approach based on privilege separation | |
Zhou et al. | Protecting Virtual Machines against Untrusted Hypervisor on ARM64 Cloud Platform | |
Ding et al. | Improving flask implementation using hardware assisted in-VM isolation | |
Silakov | Using Hardware-Assisted Virtualization to Protect Application Address Space Inside Untrusted Environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
EXSB | Decision made by sipo to initiate substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |