
CN105117649B - Antivirus method and system for a virtual machine - Google Patents

Info

Publication number: CN105117649B
Authority: CN (China)
Prior art keywords: virus, virtual machine, virtual, memory pages, memory
Legal status: Active (status as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN201510458356.4A
Other languages: Chinese (zh)
Other versions: CN105117649A
Inventors: 唐宏伟 (Tang Hongwei), 赵晓芳 (Zhao Xiaofang)
Current assignee: Institute of Computing Technology of CAS (as listed; not verified by legal analysis)
Original assignee: Institute of Computing Technology of CAS
Events: application filed by Institute of Computing Technology of CAS; priority to CN201510458356.4A; publication of CN105117649A; application granted; publication of CN105117649B; legal status Active

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an antivirus method for a virtual machine, comprising: step 1, intercepting the first access to the updated content of a memory page that is allocated to the virtual machine on the host; step 2, scanning the page content of that memory page; step 3, according to the scan result, either clearing the page content or restoring access to the page. The invention also provides an antivirus system for a virtual machine. The technical solution lets antivirus protection work without depending on the guest operating system, identifies and blocks a virus before its code executes, and reduces the volume of data scanned, improving scan efficiency.

Description

Antivirus method and system for a virtual machine

Technical field

The invention relates to the field of computer virtualization, and specifically to an antivirus method and system for a virtual machine.

Background

There are two main existing antivirus approaches for virtual machine environments. The first, shown in Figure 1, is the same as on a physical machine: a full antivirus product is installed in the guest operating system and runs on top of it, scanning and handling files and other objects. The second, shown in Figure 2, is a thin-agent architecture such as VMware's vShield Endpoint, which consists of a security-hardened security virtual appliance, a thin agent (EPSEC Thin Agent) running inside each protected virtual machine, and a hypervisor module (VMware Endpoint ESX) that carries the communication between the appliance and the agent. The thin agent monitors operating system activity inside the virtual machine and triggers the antivirus engine in the security appliance to scan; the engine returns the scan result to the protected virtual machine through the thin agent. The scheme supports real-time scanning of files as they are accessed as well as scheduled file scans initiated by the engine in the appliance.

By offloading scanning from the virtual machine to the security appliance through the thin agent and the hypervisor module, this architecture avoids one of the main problems of the first approach, the "antivirus storm" (AV storm): when several virtual machines on one host are scanned at the same time, demand for computing resources spikes for a short period and service degrades. The thin-agent architecture has a problem of its own, however: a file in the protected virtual machine must first be transferred over the communication channel provided by the hypervisor module into the security appliance before it can be scanned, and moving that file data consumes resources on the physical host.

A further feature common to both of these existing techniques is that they depend on the guest operating system to run. The system is therefore unprotected during the window between guest boot and the moment the antivirus software (or agent) becomes operational, which gives a virus an opening; a boot-sector virus, for instance, enters memory precisely while the operating system is starting. Moreover, because these antivirus systems run on the guest operating system they depend on, their own effectiveness is hard to guarantee: an intruder may forcibly shut the antivirus system down, bypass the protection and compromise the system.

In addition, existing antivirus systems usually look for viruses by scanning every file on the system, which is time-consuming and consumes a great deal of computing resources; during a scan normal work is often affected and the computer becomes noticeably slower.

Summary of the invention

The object of the invention is to provide a solution that overcomes the technical problems described above.

The invention provides an antivirus method for a virtual machine, comprising: step 1, intercepting the first access to the updated content of a memory page that is allocated to the virtual machine on the host; step 2, scanning the page content of that memory page; and step 3, according to the scan result, either clearing the page content or restoring access to the page.

Preferably, step 1 further comprises intercepting that first access by dynamically adjusting the access permissions of the memory pages allocated to the virtual machine on the host, where the "writable" and "executable" permissions are never enabled at the same time: whenever one of them is enabled, the other is disabled.

Preferably, step 3 further comprises, when the scan result indicates a virus, clearing the page content of the memory page and then locating and handling the virus inside the virtual machine.

Preferably, step 3 further comprises, when the scan result indicates a virus, handling the virus according to a preset antivirus policy and/or notifying the user of the virtual machine about the virus.

Preferably, step 2 further comprises scanning the page content using virus signatures that lie in the same memory page as the virus program's entry point.

The invention also provides an antivirus system for a virtual machine, built on a virtual machine monitor that sits on the host. The system comprises: a virtual antivirus engine, which scans memory data against virus memory signatures and returns the scan result to a virtual antivirus extension module; a virus memory signature database, which stores the virus memory signatures; and the virtual antivirus extension module, located in the virtual machine monitor, which intercepts the first access to the updated content of a memory page allocated to the virtual machine on the host and asks the virtual antivirus engine to scan that page.

Preferably, the virtual antivirus extension module intercepts that first access by dynamically adjusting the access permissions of the memory pages allocated to the virtual machine on the host, where the "writable" and "executable" permissions are never enabled at the same time: whenever one of them is enabled, the other is disabled.

Preferably, the virtual antivirus engine is multi-threaded and re-entrant; the virus memory signature database is stored on the host and shared among multiple concurrent virtual antivirus engines; and/or the virus memory signatures are signatures that lie in the same memory page as the virus program's entry point.

Preferably, the system further comprises a virtual antivirus agent inside the virtual machine, which receives information from the virtual antivirus extension module and handles the detected virus accordingly; the virtual antivirus extension module further locates the source of a virus found in the scan result and sends the virus information to the virtual antivirus agent.

Preferably, the antivirus agent handles the virus according to the information from the virtual antivirus extension module and a preset antivirus policy, and/or communicates with the user of the virtual machine.

Compared with the prior art, the proposed technical solution has the following advantages:

the antivirus system does not depend on the guest operating system; a virus is accurately identified and blocked before its code executes; and the volume of data scanned is reduced, improving scan efficiency and so preserving the virtual machine's performance as far as possible.

Description of the drawings

To explain the technical solution more clearly, the drawings used in the description of the embodiments are briefly introduced below; the drawings do not limit the invention.

Figure 1 is a schematic diagram of the first prior-art antivirus technique;

Figure 2 is a schematic diagram of the second prior-art antivirus technique;

Figure 3 is a schematic diagram of an antivirus system according to an embodiment of the invention;

Figure 4 is a flow diagram of an antivirus method according to an embodiment of the invention.

Detailed description

The invention is described further below with reference to the drawings and specific embodiments.

Figure 3 shows an antivirus system according to an embodiment of the invention. As shown, the antivirus system for a virtual machine is implemented on top of a virtual machine monitor (VMM) running on the host and comprises a virtual antivirus engine (VirtAV-engine), a virus memory signature database, a virtual antivirus extension module (VirtAV-stub), and a virtual antivirus agent (VirtAV-agent).

VirtAV-engine is a scanning engine driven by virus memory signatures. It is implemented with a multi-threaded, re-entrant design, runs in the context of a virtual machine's virtual CPU (VCPU) in host user mode, and synchronously scans executable code in memory for viruses. The engine can be built on any of the usual string-matching algorithms, such as the Aho-Corasick (AC) multi-pattern algorithm or the Boyer-Moore (BM) single-pattern algorithm. Specifically, VirtAV-engine scans the memory data placed in a user-mode buffer and returns the scan result to VirtAV-stub.

The virus memory signature is chosen according to the following principles: it must uniquely identify the virus, that is, distinguish it reliably from other viruses and from non-virus files, and it may consist of one or more byte strings. Preferably, the signature is also taken from the same memory page as the virus program's entry point. Because a program is brought into memory by the operating system's demand paging, its code is read from the file into memory one page (usually 4096 bytes) at a time only when the VCPU is about to execute it, and is then executed by fetching instructions from that page. Scanning with a signature located in the same page as the entry point therefore detects the virus before its first instruction is executed.

The virus memory signature may be selected by hand or with the help of existing program-assisted tools.
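As an added illustration of the two preceding points (a multi-pattern scanner of the kind the engine may use, and signatures drawn from the page that holds the program's entry point), the following Python is example code written for this page; it is not the patent's implementation. It builds an Aho-Corasick matcher over a constructed signature set, constructs a minimal ELF64 image with a single PT_LOAD segment, computes which 4096-byte page the loader will fault in for the entry point, and scans only that page. The signature names, their byte strings and the ELF layout are all assumptions made for the demonstration.

```python
import struct
from collections import deque

PAGE_SIZE = 4096


class AhoCorasick:
    """Multi-pattern byte matcher: one pass over a page finds every signature."""

    def __init__(self, patterns: dict) -> None:
        self.goto = [{}]   # node -> {byte: child node}
        self.fail = [0]    # node -> node to fall back to on mismatch
        self.out = [[]]    # node -> names of signatures ending at this node
        for name, pat in patterns.items():
            node = 0
            for b in pat:
                if b not in self.goto[node]:
                    self.goto[node][b] = self._new_node()
                node = self.goto[node][b]
            self.out[node].append(name)
        queue = deque(self.goto[0].values())   # depth-1 nodes fail to the root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def _new_node(self) -> int:
        self.goto.append({})
        self.fail.append(0)
        self.out.append([])
        return len(self.goto) - 1

    def scan(self, data: bytes) -> list:
        """Return (name, end_index) for every signature occurrence in data."""
        hits, node = [], 0
        for i, b in enumerate(data):
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            for name in self.out[node]:
                hits.append((name, i))
        return hits


def build_test_elf(code: bytes, entry_off: int) -> bytes:
    """Constructed minimal ELF64 (x86-64) image: one PT_LOAD R+X segment at file
    offset 0x1000 / vaddr 0x401000 holding `code`; entry at code + entry_off."""
    code_off, code_vaddr = 0x1000, 0x401000
    ehdr = struct.pack("<16sHHIQQQIHHHHHH",
                       b"\x7fELF\x02\x01\x01" + b"\0" * 9,   # ELF64, little-endian
                       2, 0x3E, 1,                          # ET_EXEC, EM_X86_64, EV_CURRENT
                       code_vaddr + entry_off, 64, 0,       # e_entry, e_phoff, e_shoff
                       0, 64, 56, 1, 64, 0, 0)              # flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    phdr = struct.pack("<IIQQQQQQ", 1, 5, code_off, code_vaddr, code_vaddr,
                       len(code), len(code), 0x1000)        # PT_LOAD, PF_R|PF_X
    head = ehdr + phdr
    return head + b"\0" * (code_off - len(head)) + code


def elf_entry_page(elf: bytes) -> tuple:
    """File offset and bytes of the page the loader faults in for e_entry."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not an ELF64 image")
    e_entry, e_phoff = struct.unpack_from("<QQ", elf, 0x18)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == 1 and p_vaddr <= e_entry < p_vaddr + p_filesz:   # PT_LOAD
            page_vaddr = e_entry & ~(PAGE_SIZE - 1)
            file_off = p_offset + (page_vaddr - p_vaddr)   # p_vaddr == p_offset mod page size
            return file_off, elf[file_off:file_off + PAGE_SIZE]
    raise ValueError("entry point is not inside a PT_LOAD segment")


def demo() -> dict:
    sigs = {   # constructed signatures; the second one sits beyond the entry page
        "Test.Worm.B": b"EVIL-PAYLOAD-MARKER",
        "Test.Worm.B.late": b"LATE-STAGE-MARKER",
        "Test.Dropper.A": b"\x48\x31\xc0\x48\x31\xff\xb0\x3b",
    }
    ac = AhoCorasick(sigs)
    code = b"\x90" * 16 + bytes.fromhex("554889e5") + b"EVIL-PAYLOAD-MARKER"
    code = code.ljust(5000, b"\x90") + b"LATE-STAGE-MARKER" + b"\xc3"
    elf = build_test_elf(code, entry_off=0x10)
    file_off, page = elf_entry_page(elf)
    return {
        "entry_page_offset": file_off,
        "entry_page_hits": sorted({n for n, _ in ac.scan(page)}),
        "whole_file_hits": sorted({n for n, _ in ac.scan(elf)}),
    }
```

Scanning the whole file finds both markers, while scanning the entry page finds only the one that shares a page with the entry point: a signature chosen from a later page would not fire at the first fetch, and the code would run until that page is demand-paged in. The matcher sees the page as raw bytes, so a signature that straddles a page boundary is never matched; signatures should be chosen well inside one page.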

The virus memory signature database that holds these signatures is stored on the host, as shown in Figure 3, and shared among multiple concurrent VirtAV-engines. Because only one copy of the database is kept on the host, an update need only be applied to that single shared copy, which avoids the signature-update storm problem.

Further, in one embodiment, building on the parallelism of a virtual machine's multiple VCPUs, each concurrent VirtAV-engine corresponds to the process of one VCPU, so the antivirus system runs an independent scan-and-clean cycle on the instruction stream of each VCPU. During that cycle the VCPU that triggered it is paused and resumed once cleaning is complete, while the virtual machine's other VCPUs keep running undisturbed. The antivirus system thus makes full use of multi-VCPU parallelism and affects the virtual machine's performance as little as possible.

VirtAV-stub extends the memory-virtualization module of the VMM. It inserts a virus scan of memory data by intercepting "first execute after update" events on host memory pages allocated to the virtual machine. When such an event is intercepted, the VCPU that raised it is paused and the corresponding physical CPU leaves guest execution through a VM exit (VMEXIT) into host mode; VirtAV-stub copies the memory data to be scanned into a user-mode buffer for VirtAV-engine. When VirtAV-engine finishes, it returns the result to VirtAV-stub. If no virus is found, VirtAV-stub switches the physical CPU back to guest mode through a VM entry (VMENTER) and resumes the VCPU, and with it the guest operating system and its applications. If a virus is found, VirtAV-stub clears the virus code from the memory page and then sets the corresponding page table entry in the guest operating system so that the page is non-executable inside the guest, causing the guest operating system to terminate the virus program. Here guest mode is the CPU mode in which the guest operating system runs, and host mode is the mode in which the VMM runs.

A "first execute after update" event on a host memory page allocated to a virtual machine is the first access to that page after its content has been updated. In one embodiment, on the two-dimensional paging architecture used for memory virtualization, VirtAV-stub intercepts this event by dynamically adjusting the access permissions of the host physical memory pages. Further, VirtAV-stub adjusts the permissions of the pages allocated to the virtual machine under the rule that "writable and executable are never enabled at the same time". The first instruction fetch a VCPU issues on an updated page therefore violates the page's permissions and raises a VM exit (the physical CPU backing that VCPU enters host mode), where VirtAV-stub intercepts it.

When a virus is found, VirtAV-stub also locates its source and, through a virtual I/O device interface such as VIRTIO, communicates with the VirtAV-agent running inside the guest operating system to pass it the basic facts about the virus (the virus name, the process ID (PID) of the guest process executing the virus, the virus file name, and so on). The agent then quarantines or deletes the virus file inside the guest, records a virus log entry, and notifies the user of the affected virtual machine.

VirtAV-agent is an agent program running inside the virtual machine that serves as the interface between the antivirus system and the virtual machine's user. It is used only for post-detection handling (quarantining or deleting the virus file, logging, and so on) and for user notification. As described above, the antivirus work itself (scanning, clearing virus code from memory pages, and stopping the virus from executing) does not depend on the agent, so a failure of the agent does not impair the antivirus function of the system.

In summary, the antivirus system of the invention scans from the host's view of memory. On the one hand, the guest operating system accelerates access to shared libraries, binaries and similar files through its in-memory file cache and shares those cached pages among processes, and each such file exists only once in the host's memory view; the system therefore needs to scan each executable file only once. Further, when several VCPUs raise the "first execute after update" event on the same memory page, that page is scanned only once. Repeated scanning of the same content is thus avoided, and with full scan coverage preserved the number of scans is reduced and scanning efficiency improved, avoiding the time and resource cost of the prior art's file-based scanning and preserving the virtual machine's performance as far as possible. On the other hand, because the system scans from the host's memory view and intercepts the "first execute after update" event on host pages allocated to the virtual machine, it detects a virus before its first instruction executes, detecting and removing it in real time and stopping it before it can harm the computer system.

Figure 4 shows a flow diagram of an antivirus method according to an embodiment of the invention.

As shown in Figure 4, the antivirus method is described below using a process in the guest operating system executing a binary (for example an ELF file on Linux) as the example. Solid arrows denote operations on files or page tables and dashed arrows denote other kinds of control flow; different dashed lines distinguish where in the system the flow takes place, such as the guest virtual machine (the "guest" below), the guest process, the guest operating system, the virtual machine monitor, and the antivirus engine.

The flow is as follows:

The guest process issues the execve() system call to run the binary. After the permission checks, execve() allocates virtual memory for the binary and maps the file into it (the mmap() in Figure 4), but no guest-physical memory is allocated at this point. When the process first executes code in the binary, the corresponding guest-physical memory has not been allocated yet, so a page fault occurs;

the page fault is intercepted by the VMM;

the VMM handles the guest's page fault, allocates host-physical memory for it and creates a shadow page table entry, or more specifically an EPT (Extended Page Table) entry. VirtAV-stub in the VMM sets the entry's "write allowed" bit and clears its "execute allowed" bit, so that the process can load the binary's code segment into the page. The VMM injects the page fault into the guest; the guest operating system handles it, fills in its page table, reads the code segment from the binary into the newly allocated page, and resumes the process;

the process executes the code in the page; because VirtAV-stub cleared the "execute allowed" bit in the shadow page table, an execution exception is raised;

the execution exception is intercepted by the VMM;

VirtAV-stub in the VMM passes the page's address to VirtAV-engine; VirtAV-engine reads the memory page through the guest-memory access interface provided by the existing virtual machine introspection (VMI) module, scans it for virus signatures, and returns the result to VirtAV-stub:

if the scan finds a virus, VirtAV-stub injects an exception into the guest again, that is, it keeps the "execute allowed" bit of the corresponding shadow page table entry cleared, so that when the guest resumes the process is terminated; in addition, VirtAV-stub zeroes the memory page containing the virus signature through the access interface of the VMI module, removing the virus;

If the scan result is that no virus was found, the VirtAV-stub sets the "execute permission" bit in the corresponding shadow page table entry, clears the "write permission" bit, and resumes the guest, so that the corresponding guest process executes safely. When the guest later attempts to write data to a guest memory page whose "execute permission" bit is set, the VirtAV-stub in the VMM intercepts that event and, after completing the corresponding permission check, sets the page's "write permission" bit and clears its "execute permission" bit, so that legitimate memory page writes inside the guest can proceed.
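The permission state machine described in the steps above is easiest to see in a small model. The following is an added example, not code from the patent or from the VirtAV system it describes: it simulates the VirtAV-stub and VirtAV-engine roles with a per-page "write" and "execute" bit that are never both set, traps the first execute attempt on a page, scans only that page against a constructed signature table, and re-arms the trap when a clean, executable page is written to again. The signature bytes, page numbers and class names are all assumptions of the example.

```python
# Added example (not from the patent): a model of the VirtAV-stub page trap.
# Each guest page carries EPT-style "write" and "execute" bits that are never
# both set; an execute fault triggers a signature scan of just that page.
from dataclasses import dataclass, field

PAGE_SIZE = 4096

# Constructed signature database for the example; the byte patterns are
# arbitrary and stand in for real virus memory signatures.
SIGNATURES = {
    "Example.Sig.A": b"\xde\xad\xbe\xef\x90\x90",
}


@dataclass
class GuestPage:
    gfn: int
    data: bytearray = field(default_factory=lambda: bytearray(PAGE_SIZE))
    writable: bool = True      # "write permission" bit in the EPT entry
    executable: bool = False   # "execute permission" bit in the EPT entry


class VirtAVStub:
    """Hypothetical stand-in for the VirtAV-stub/VirtAV-engine pair."""

    def __init__(self, signatures):
        self.signatures = signatures
        self.pages = {}
        self.events = []   # trace of EPT faults and scan verdicts

    def allocate(self, gfn):
        # Mirrors the VMM's page-fault handling: a freshly populated page is
        # writable but not executable, so the guest can load code into it and
        # the first execute attempt will trap into the VMM.
        page = GuestPage(gfn)
        self.pages[gfn] = page
        return page

    def guest_write(self, gfn, offset, payload):
        page = self.pages[gfn]
        if not page.writable:
            # Write to an executable (already scanned) page: the stub takes
            # the fault, re-enables writing and revokes execution so that the
            # modified page is scanned again before it can run.
            self.events.append(("write_fault", gfn))
            page.writable, page.executable = True, False
        page.data[offset:offset + len(payload)] = payload

    def scan(self, page):
        # Engine side: only this one page is searched, which is why the patent
        # wants signatures that lie in the same page as the entry point.
        for name, sig in self.signatures.items():
            if sig in page.data:
                return name
        return None

    def guest_execute(self, gfn):
        page = self.pages[gfn]
        if page.executable:
            return "executed"          # fast path: no fault, no rescan
        self.events.append(("exec_fault", gfn))
        hit = self.scan(page)
        if hit is not None:
            # Virus found: keep execution disabled and zero the page, so the
            # guest process is stopped when the VMM resumes it.
            page.executable = False
            page.data[:] = bytes(PAGE_SIZE)
            self.events.append(("virus", gfn, hit))
            return "blocked:" + hit
        # Clean: flip to execute-only so later runs of this page do not fault.
        page.writable, page.executable = False, True
        return "executed"
```

A clean page costs one execute fault for its whole lifetime, which is the performance argument the patent makes; a write to an already executable page costs one more fault and one more scan, which is what keeps a later in-place modification of the code from slipping past the engine.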

According to an embodiment of the present invention, after a virus is found in the virtual machine's memory, the source of the virus is further located. Taking the location of the virus source file as an example, the processing flow after a virus is found is described below.

First, through the access interface provided by the VMI module, the VirtAV-stub locates the process corresponding to the current instruction stream of the virtual machine's VCPU, together with that process's virtual address space mapping table (which records, for each region of the virtual address space, its start and end addresses, attributes, the mapped file, and so on); then, from the virtual address of the VCPU's current instruction, it determines the region of the process's virtual address space in which the virus instruction lies and finds the corresponding virus source file. Next, the VirtAV-stub communicates with the VirtAV-agent running inside the guest operating system through a virtual I/O device interface such as VIRTIO, and notifies the VirtAV-agent of the virus's basic information (such as the virus name, the process ID (PID) of the virtual machine process executing the virus program, the virus file name, and so on). Finally, according to the preset anti-virus policy, the VirtAV-agent quarantines or deletes the virus file inside the guest operating system, records a virus log, and notifies the administrator or relevant users of the virtual machine of the virus event.
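The source-location step above maps the VCPU's current instruction address onto the process's address space table and reports the backing file to the in-guest agent. The following is an added example, not code from the patent or the VirtAV system: it models the mapping table in the Linux /proc/<pid>/maps layout (an assumption of this example, the patent does not specify a format), looks up the region containing the faulting address, and assembles the notification. The file paths, PID and addresses are constructed. It also covers the case the text does not spell out: a page backed by anonymous memory has no source file, so the notification carries no file name and the agent must act on the process instead.

```python
# Added example (not from the patent): locating the file that backs the
# faulting instruction, as the VirtAV-stub does via the VMI interface.
# The mapping table is modelled on the Linux /proc/<pid>/maps layout, which
# is an assumption of this example, not a format the patent specifies.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Region:
    start: int   # inclusive
    end: int     # exclusive
    perms: str   # e.g. "r-xp"
    path: str    # backing file, "" for anonymous memory


# Constructed mapping table for the example process (PID 4242 in the test).
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1311 /home/user/bin/sample
00651000-00652000 r--p 00051000 08:01 1311 /home/user/bin/sample
7f3a2c000000-7f3a2c021000 rw-p 00000000 00:00 0
"""


def parse_maps(text: str) -> List[Region]:
    """Parse maps-style lines: address perms offset dev inode [path]."""
    regions = []
    for line in text.strip().splitlines():
        parts = line.split(None, 5)
        lo, hi = (int(x, 16) for x in parts[0].split("-"))
        path = parts[5].strip() if len(parts) > 5 else ""
        regions.append(Region(lo, hi, parts[1], path))
    return regions


def locate_region(regions: List[Region], rip: int) -> Optional[Region]:
    """Return the region containing the VCPU's current instruction address."""
    for r in regions:
        if r.start <= rip < r.end:
            return r
    return None


def build_notification(virus_name: str, pid: int,
                       regions: List[Region], rip: int) -> dict:
    """Assemble the message the stub would hand to the in-guest agent."""
    region = locate_region(regions, rip)
    return {
        "virus": virus_name,
        "pid": pid,
        "rip": hex(rip),
        # Anonymous or unmapped regions have no source file; the agent then
        # falls back to process-level handling instead of file quarantine.
        "file": region.path if region and region.path else None,
        "region_perms": region.perms if region else None,
    }
```

The lookup must use the instruction address of the faulting VCPU, not the guest-physical page number the engine scanned, because one file-backed page can be mapped at different virtual addresses in different processes and the agent acts on a process and a path.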

By applying the method described in the above embodiments, the anti-virus system does not depend on the guest operating system; the virus is accurately identified and blocked before the virus program executes; and the amount of data to be scanned is reduced and scanning efficiency improved, thereby preserving the virtual machine's run-time performance as far as possible.

The above is only an illustrative embodiment of the present invention and is not intended to limit its scope. Any equivalent changes, modifications and combinations made by those skilled in the art without departing from the concept and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (10)

1. An anti-virus method for a virtual machine, characterized in that the method comprises:
Step 1, intercepting the first access to updated content of a memory page, occurring on the memory pages allocated to the virtual machine on a host;
Step 2, scanning the page content of the memory page;
Step 3, according to the result of the scan, clearing the page content of the memory page, or restoring access to the memory page.
2. The anti-virus method according to claim 1, characterized in that step 1 further comprises:
intercepting, by dynamically adjusting the access permissions of the memory pages allocated to the virtual machine on the host, the first access to updated content of a memory page occurring on the memory pages allocated to the virtual machine on the host;
wherein, of the "writable" and "executable" permissions among the access permissions, when one is enabled the other is disabled.
3. The anti-virus method according to claim 1, characterized in that step 3 further comprises:
when the result of the scan is that a virus exists, clearing the page content of the memory page, and locating and handling the virus in the virtual machine.
4. The anti-virus method according to claim 3, characterized in that step 3 further comprises:
when the result of the scan is that a virus exists, handling the virus according to a preset removal policy, and/or notifying the user of the virtual machine of the information about the virus.
5. The anti-virus method according to any one of claims 1 to 4, characterized in that step 2 further comprises:
scanning the page content of the memory page using a virus signature that lies in the same memory page as the virus entry point.
6. An anti-virus system for a virtual machine, based on a virtual machine monitor placed on a host, characterized in that the system comprises:
a virtual anti-virus engine, for scanning memory data on the basis of virus memory signatures and feeding the scan result back to a virtual anti-virus extension module;
a virus memory signature database, for storing the virus memory signatures;
the virtual anti-virus extension module, placed in the virtual machine monitor, for intercepting the first access to updated content of a memory page occurring on the memory pages allocated to the virtual machine on the host, and for notifying the virtual anti-virus engine to scan the memory page.
7. The anti-virus system according to claim 6, characterized in that
the virtual anti-virus extension module is configured to intercept, by dynamically adjusting the access permissions of the memory pages allocated to the virtual machine on the host, the first access to updated content of a memory page occurring on the memory pages allocated to the virtual machine on the host;
wherein, of the "writable" and "executable" permissions among the access permissions, when one is enabled the other is disabled.
8. The anti-virus system according to claim 6, characterized in that
the virtual anti-virus engine has a multithreaded, reentrant architecture;
the virus memory signature database is stored on the host and is shared among multiple concurrent virtual anti-virus engines; and/or
the virus memory signature is a virus signature that lies in the same memory page as the virus entry point.
9. The anti-virus system according to claim 6, characterized in that the system further comprises:
a virtual anti-virus agent, located inside the virtual machine, for receiving information from the virtual anti-virus extension module and handling the found virus according to that information;
the virtual anti-virus extension module is further configured to locate the source of the virus found in the scan result, and to send the information about the virus to the virtual anti-virus agent.
10. The anti-virus system according to claim 9, characterized in that
the anti-virus agent is configured to handle the virus according to the information from the virtual anti-virus extension module and the preset removal policy, and/or to communicate with the user of the virtual machine.
CN201510458356.4A 2015-07-30 2015-07-30 A kind of anti-virus method and system for virtual machine Active CN105117649B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510458356.4A CN105117649B (en) 2015-07-30 2015-07-30 A kind of anti-virus method and system for virtual machine

Publications (2)

Publication Number Publication Date
CN105117649A CN105117649A (en) 2015-12-02
CN105117649B true CN105117649B (en) 2018-11-30

Family

ID=54665634

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510458356.4A Active CN105117649B (en) 2015-07-30 2015-07-30 A kind of anti-virus method and system for virtual machine

Country Status (1)

Country Link
CN (1) CN105117649B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106951775A (en) * 2016-01-06 2017-07-14 梁洪亮 A kind of safe-guard system based on operating system nucleus Intel Virtualization Technology
CN106055976B (en) * 2016-05-16 2021-05-28 新华三技术有限公司 File detection method and sandbox controller
CN106339628A (en) * 2016-08-16 2017-01-18 天津大学 Hardware anti-virus device based on microarchitecture level
CN106778240A (en) * 2016-11-18 2017-05-31 航天恒星科技有限公司 A kind of virtual machine virus method method and device
US10546120B2 (en) * 2017-09-25 2020-01-28 AO Kaspersky Lab System and method of forming a log in a virtual machine for conducting an antivirus scan of a file
CN110058921B (en) * 2019-03-13 2021-06-22 上海交通大学 Client virtual machine memory dynamic isolation and monitoring method and system
CN111459609B (en) * 2020-03-10 2024-04-19 奇安信科技集团股份有限公司 Virtual machine security protection method, device and electronic device
CN114969737A (en) * 2022-05-26 2022-08-30 深信服科技股份有限公司 Virus processing method, device, electronic equipment and medium
CN115374444B (en) * 2022-10-27 2022-12-27 北京安帝科技有限公司 Virus detection method and device based on virtual host behavior analysis

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101364988A (en) * 2008-09-26 2009-02-11 深圳市迅雷网络技术有限公司 A method and device for determining webpage security
CN102375946A (en) * 2010-08-19 2012-03-14 腾讯科技(深圳)有限公司 Method and device for detecting webpage trojan
CN104080058A (en) * 2014-06-16 2014-10-01 百度在线网络技术(北京)有限公司 Information processing method and device
CN104156389A (en) * 2014-07-04 2014-11-19 重庆邮电大学 Deep packet detecting system and method based on Hadoop platform
CN104298918A (en) * 2014-09-12 2015-01-21 北京云巢动脉科技有限公司 Virus scanning method and system based on data block in virtual machine

Also Published As

Publication number Publication date
CN105117649A (en) 2015-12-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant