CN114265775B - Hardware-assisted virtualized environment core detection method and system - Google Patents
- Publication number
- CN114265775B (application CN202111576319.5A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Abstract
The invention relates to a hardware-assisted virtualized environment core detection method and system. The method comprises the following steps. S1: when the detection program has only ordinary privileges to execute VMCALL, it actively triggers a VM Exit with the VMCALL virtualization extension instruction, which sends a call to the Hypercall handler in the Hypervisor, and determines from the default return value whether a virtualized environment exists. S2: when the detection program has privileged permission to execute VMCALL, it calls VMCALL and passes parameters through general-purpose registers, so that different return values can be obtained, and determines from the return values whether a virtualized environment exists. S3: when the detection program has privileged permission to operate on CR0, it changes the CD bit of the CR0 register and checks the effect on system performance, thereby determining whether a virtualized environment exists. S4: when the detection program has privileged permission to operate on the L2 cache (L2C), it evicts a specific L2C cache set and determines from the eviction behavior of that cache set whether a virtualized environment exists.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a hardware-assisted virtualization environment core detection method and system.
Background
Software analysis techniques include static analysis and dynamic analysis. Static analysis obtains the disassembled code of the software under analysis by disassembling or decompiling the executable, and then derives the software's logic and specific behaviors from that code. Because it does not need to actually run the program, static analysis is convenient and fast, but it has difficulty with hardened software, and some runtime control flow cannot be recovered statically. Dynamic analysis typically runs the program in an isolated environment built with virtualization technology, obtains different execution paths by supplying different inputs, and analyzes the executed branches and results to reconstruct the software's execution logic. By continually adjusting the inputs, the internal execution logic of the software under analysis can be recovered fairly completely, but advanced software deliberately hides its behavior when it finds that it is being dynamically analyzed, which misleads the analysis results. Much software is obfuscated or hardened to varying degrees to prevent cracking or analysis, and often needs to detect its operating environment so that it can evade dynamic analysis, conceal its behavior in time, or terminate. How to determine whether a program is running in a guest virtual machine or in a native bare-metal OS environment is therefore a problem to be solved.
Disclosure of Invention
To solve the above technical problem, the invention provides a hardware-assisted virtualized environment core detection method and system.
The technical solution of the invention is a hardware-assisted virtualized environment core detection method comprising the following steps:
Step S1: when the detection program has only ordinary privileges to execute VMCALL, it actively triggers a VM Exit with the VMCALL virtualization extension instruction, which sends a call to the Hypercall handler in the Hypervisor, and determines from the default return value whether a virtualized environment exists;
Step S2: when the detection program has privileged permission to execute VMCALL, it calls VMCALL and passes parameters through general-purpose registers, obtains the return values of the specific Hypercall handlers that correspond to the different VMCALL parameters, and determines from those return values whether a virtualized environment exists;
Step S3: when the detection program has privileged permission to operate on CR0, it changes the CD bit of the CR0 register and checks the effect on system performance, thereby determining whether a virtualized environment exists;
Step S4: when the detection program has privileged permission to operate on the L2 cache (L2C), it evicts a specific L2C cache set and determines from the eviction behavior of that cache set whether a virtualized environment exists.
Compared with the prior art, the invention has the following advantages:
1. Traditional virtualization detection relies mainly on fingerprint traces that a Hypervisor implementation leaves visible inside the virtual machine, and these fingerprints are easily removed by Hypervisor updates; moreover, almost all current mainstream Hypervisor implementations are built on hardware-assisted virtualization acceleration, so isolation is stronger and virtualization fingerprints are fewer. To address this problem, the invention discloses a hardware-assisted virtualized environment core detection method that is based on hardware-assisted virtualization extensions and micro-architectural characteristics and does not depend on traces of the Hypervisor, so it is not easy to evade or remove.
2. The invention can select different modules according to the privileges the user program holds, which gives it wider applicability and better extensibility.
3. The invention's Prime+Probe (PP) based virtualization detection depends only on the second-level address translation (SLAT) property of the virtual environment, so it applies not only to hardware-assisted full-virtualization environments but also to paravirtualized or sandbox environments.
Drawings
FIG. 1 is a flowchart of a hardware-assisted virtualized environment core detection method according to an embodiment of the invention;
FIG. 2 is a diagram of memory access before and after setting the CD bit in an embodiment of the invention;
FIG. 3 is a diagram illustrating L2C eviction detection in an embodiment of the invention;
FIG. 4 is a block diagram of a hardware-assisted virtualized environment core detection system according to an embodiment of the invention.
Detailed Description
The invention provides a hardware-assisted virtualized environment core detection method with wider applicability and extensibility; because it is based on the underlying hardware-assisted virtualization extensions and micro-architectural characteristics, its detection is also more stable.
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below through specific embodiments with reference to the accompanying drawings.
For a better understanding of the following examples, the techniques used and some abbreviations are explained as follows:
System virtualization technology is widely used in cloud and local environments; it greatly improves resource utilization and provides a virtualized operating environment isolated from the host system. Typical virtual machine managers, also known as Hypervisors, include open-source ones such as KVM and Xen and closed-source commercial ones such as Hyper-V and VMware Workstation. Because hardware-assisted virtualization provides hardware support for virtualization, full virtualization based on it offers better security isolation and higher performance. Intel VT-x, AMD-V, ARM Virtualization and others all support hardware-assisted virtualization.
Timing attacks based on the CPU cache side channel are widely used in the side-channel attack field. The attacker times accesses to a shared cache onto which the victim program's memory is mapped and uses the differences in access time to indirectly infer the victim's memory access pattern, thereby obtaining the victim's confidential code or data. Prime+Probe (PP) is a typical cache side-channel attack technique and has three main steps: the attacker builds an eviction set and accesses the memory in it to fill one or more specific cache sets; the attacker then waits a predetermined time for the victim to access memory mapped to the same cache sets; finally the attacker reads the memory corresponding to the cache sets it filled again, and measures and analyzes the access time.
Example 1
As shown in FIG. 1, the hardware-assisted virtualized environment core detection method according to this embodiment of the invention includes the following steps:
Step S1: when the detection program has only ordinary privileges to execute VMCALL, it actively triggers a VM Exit with the VMCALL virtualization extension instruction, which sends a call to the Hypercall handler in the Hypervisor, and determines from the default return value whether a virtualized environment exists;
Step S2: when the detection program has privileged permission to execute VMCALL, it calls VMCALL and passes parameters through general-purpose registers, obtains the return values of the specific Hypercall handlers that correspond to the different VMCALL parameters, and determines from those return values whether a virtualized environment exists;
Step S3: when the detection program has privileged permission to operate on CR0, it changes the CD bit of the CR0 register and checks the effect on system performance, thereby determining whether a virtualized environment exists;
Step S4: when the detection program has privileged permission to operate on the L2C, it evicts a specific L2C cache set and determines from the eviction behavior of that cache set whether a virtualized environment exists.
This embodiment makes combined use of the hardware-assisted virtualization mechanism and the micro-architectural characteristics of the processor, takes into account the privileges the detection program may hold, and provides a different detection mode for each privilege level, which makes integration convenient. When the detection program has only ordinary privileges, it actively triggers a VM Exit with the VMCALL virtualization extension instruction, which sends a call to the Hypercall handler in the Hypervisor, and obtains the call result. When the detection program can obtain privileged permission, it can invoke the VMCALL privileged detection, the CR0 privileged detection and the L2C privileged detection as the situation requires, and obtain the call results. The call results are analyzed to determine whether the detection program is running in a guest virtual machine or in a native bare-metal OS environment.
In one embodiment, step S1 above, in which the detection program has only ordinary privileges to execute VMCALL, actively triggers a VM Exit with the VMCALL virtualization extension instruction, sends a call to the Hypercall handler in the Hypervisor, and determines from the default return value whether a virtualized environment exists, specifically comprises:
When the detection program has only ordinary privileges to execute VMCALL, actively calling VMCALL in a native environment raises a hardware exception and the program fails, whereas calling VMCALL inside a virtual machine executes successfully: after the VM Exit traps into the Hypervisor, a default return value is obtained, and whether a virtualized environment exists is determined from that default return value.
When the detection program has only ordinary privileges, it relies mainly on the hardware virtualization extension instruction VMCALL and the corresponding Hypercall mechanism. The virtualization platform provided by Intel VT-x has two operating modes, VMX root mode (VRM) and VMX non-root mode (VNRM). Just as an OS provides a system call interface to user space, a Hypervisor running in VRM under hardware-assisted virtualization needs to provide certain interfaces that virtual machines running in VNRM can call; these interfaces take the form of Hypercalls. The detection program actively issues a VMCALL instruction in assembly. As soon as the CPU encounters the VMCALL, a VM Exit occurs, the CPU switches to VRM, and execution enters the Hypervisor. The Hypercall handler in the Hypervisor finds that the vCPU's privilege level before the exit was not the highest privilege level and writes a default return result to the virtual register; after the CPU performs VM Entry, the detection program in the virtual machine reads the return value from that register. When the detection program runs in a native environment, the VNRM-mode instruction is not supported, so a hardware exception interrupts execution and no value is returned. The different execution outcomes and return values therefore distinguish whether the program is running in a virtualized environment.
In one embodiment, step S2 above, in which the detection program has privileged permission to execute VMCALL, calls VMCALL and passes parameters through general-purpose registers, obtains the return values of the specific Hypercall handlers that correspond to the different VMCALL parameters, and determines from those return values whether a virtualized environment exists, specifically comprises:
When the detection program has privileged permission to execute VMCALL, it places specific parameter values in the virtual registers when it issues the VMCALL instruction; different Hypercall handlers are invoked according to the parameter values, and different return values are obtained. When the detection program runs in a native environment, the instruction is incompatible, an error occurs, and no return value can be obtained. Whether a virtualized environment exists is determined from the return value.
When the detection program runs in the kernel mode of the OS and has privileged permission to execute VMCALL, it detects virtualization through the difference in instruction set support for VMCALL across CPU modes, which allows finer-grained detection. The register parameters that correspond to the different Hypercall handlers are worked out from the open-source code and documentation of mainstream Hypervisors; the detection program issues the VMCALL instruction in assembly and places the specific parameter values in the virtual registers when it makes the call. After the VM Exit, the Hypervisor finds that the CPU's privilege level before the exit was the highest privilege level, reads the parameter values of the virtual registers from the VMCS, invokes different Hypercall handlers according to those values, and returns different values; after the CPU performs VM Entry, the detection program in the virtual machine reads the return value from the virtual register. As long as the detection program inside the virtual machine passes different parameters, it obtains different expected return values. When the detection program runs in a native environment, however, the instruction is incompatible, an error occurs, and no return value can be obtained.
In one embodiment, step S3 above, in which the detection program has privileged permission to operate on CR0, changes the CD bit of the CR0 register and checks the effect on system performance to determine whether a virtualized environment exists, specifically comprises:
When the detection program has privileged permission to operate on CR0, setting the CD bit of the CR0 register in a virtualized environment does not actually affect the physical CPU; when the detection program runs in a native environment, setting the CD bit does affect the physical CPU, which changes the state of the physical cache and lengthens the access time. The access times before and after setting the CD bit are compared to determine whether a virtualized environment exists.
The CD bit of the CR0 register controls whether the system's global code and data can be cached and accelerated by the CPU cache, and changing it has a marked effect on system performance. As shown in FIG. 2, when the detection program has privileged permission to operate on CR0, it first performs many dense accesses to memory data and records the total access time; it then sets the CD bit so that the cache can no longer cache memory contents, performs the same dense accesses again, and records the total time of this second run; finally it compares the two times. If the detection program runs in a virtualized environment, modifying the CD bit of CR0 modifies the virtual vCR0 that the Hypervisor presents to the virtual machine; the virtual machine completes the modification, but the physical CPU is essentially unaffected. When the detection program runs in a native environment, however, a kernel-mode program that sets the CD bit really does affect the CPU, and the access time becomes significantly longer. Comparing the access times before and after the setting distinguishes a virtualized environment from a native one.
In one embodiment, step S4 above, in which the detection program has privileged permission to operate on the L2C, evicts a specific L2C cache set and determines from the eviction behavior of that cache set whether a virtualized environment exists, specifically comprises:
When the detection program has privileged permission to operate on the L2C and runs in a native environment, it obtains the real physical memory address through the pagemap interface and can therefore locate the correct cache set index, so the average access time of the target cache set shows an obvious peak. When the detection program runs in a virtualized environment, the physical address it obtains is not the address of real physical memory, so the cache set it locates is not the intended target cache set. The detection program can determine its running environment by comparing the average access time of the target cache set with that of all cache sets.
This step exploits the different meaning of a physical address in virtualized and native environments: the L2C is evicted with the PP technique, and the difference between the access time of memory mapped to the target cache set and that of the other cache sets is observed. As shown in FIG. 3, the detection program first allocates virtual memory on the function stack and then obtains the physical address of that virtual memory through the pagemap interface. The L2C cache sets are indexed by physical memory address: because a cache line is typically 64 bytes, the lowest bits 0-5 address the byte within the line, and the cache set index starts at bit 6 of the physical address. By repeatedly searching for and storing the eviction set of each cache set, that is, a group of memory addresses that map to the same cache set, the program obtains the eviction sets for all cache sets. The detection program randomly selects one cache set as the target observation set and, by the same method, finds a second eviction set for that set. The detection program first accesses all the eviction sets, which caches those memory blocks into the corresponding cache sets in the CPU and replaces the previous contents of the L2C; it then accesses one or more addresses of the eviction set for the target cache set, so that new memory contents are cached into the target cache set and replace the original contents; it then accesses all the eviction sets in turn and times each access. This procedure is repeated and the average times are computed.
When the detection program runs in a native environment, it obtains a real physical memory address through the pagemap interface, and the designated bits of that address index the correct cache set. When the detection program runs in a virtualized environment, however, the physical address obtained by the program inside the virtual machine is not the address of real physical memory; in addition, because the virtual machine is a process on the host and is subject to cross-core scheduling, the virtualized environment has more noise that pollutes the cache. Under these combined influences, the average access times of all the cache sets observed in a virtualized environment are chaotic and irregular. In a native environment, by contrast, the cache set can be located correctly, so the average access time of the target cache set shows a significant peak while the average access times of the other cache sets are lower. The detection program can determine its running environment by comparing the average access time of the target cache set with that of all cache sets.
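The address arithmetic and the final comparison described for step S4, as an added C example that is not code from the patent: it decodes Linux pagemap entries, derives the L2C set index from bit 6 upward, groups addresses into an eviction set, and tests whether the target set's average access time peaks. The 4 KiB page size, the 1024-set geometry, the 3-standard-deviation threshold and every sample value are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Linux /proc/<pid>/pagemap: one 64-bit entry per virtual page.
 * Bit 63 = page present, bits 0-54 = page frame number (PFN).
 * The kernel reports PFN 0 to readers without CAP_SYS_ADMIN, which is
 * why this step needs privileged permission. */
#define PM_PRESENT  (1ULL << 63)
#define PM_PFN_MASK ((1ULL << 55) - 1)
#define PAGE_SHIFT  12   /* assumption: 4 KiB pages */
#define LINE_BITS   6    /* 64-byte cache line, as stated in the text */
#define SET_BITS    10   /* assumption: 1024 L2C sets */

/* Physical address for vaddr from its pagemap entry; 0 if unusable. */
uint64_t pagemap_to_phys(uint64_t entry, uint64_t vaddr)
{
    uint64_t pfn = entry & PM_PFN_MASK;
    if (!(entry & PM_PRESENT) || pfn == 0)
        return 0;   /* not resident, or PFN hidden from this reader */
    return (pfn << PAGE_SHIFT) | (vaddr & ((1ULL << PAGE_SHIFT) - 1));
}

/* Bits 0-5 select the byte in the line; the set index starts at bit 6. */
unsigned l2_set_index(uint64_t phys)
{
    return (unsigned)((phys >> LINE_BITS) & ((1u << SET_BITS) - 1));
}

/* Copy the addresses that map to target_set into out (an eviction set). */
size_t build_eviction_set(const uint64_t *phys, size_t n, unsigned target_set,
                          uint64_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < n && found < max_out; i++)
        if (l2_set_index(phys[i]) == target_set)
            out[found++] = phys[i];
    return found;
}

/* 1 if avg[target] exceeds the mean of the other sets by more than k
 * standard deviations. Compares squares so no libm call is needed. */
int target_set_peaks(const double *avg, size_t nsets, size_t target, double k)
{
    double sum = 0.0, var = 0.0, mean, d;
    if (nsets < 3 || target >= nsets)
        return 0;
    for (size_t i = 0; i < nsets; i++)
        if (i != target)
            sum += avg[i];
    mean = sum / (double)(nsets - 1);
    for (size_t i = 0; i < nsets; i++)
        if (i != target)
            var += (avg[i] - mean) * (avg[i] - mean);
    var /= (double)(nsets - 1);
    d = avg[target] - mean;
    return d > 0.0 && d * d > k * k * var;
}

/* Constructed sample data, not measurements. */
const uint64_t SAMPLE_PHYS[5] = {
    0x12345040, 0x12345080, 0x12355040, 0x12346040, 0x00002000
};
const double NATIVE_AVG[8] = {41, 43, 42, 40, 97, 42, 41, 43}; /* target 4 */
const double GUEST_AVG[8]  = {58, 91, 47, 83, 66, 95, 52, 79}; /* target 4 */
/* One page as a guest sees it, and where a constructed host mapping put
 * it: the page offset (bits 0-11) survives translation, the frame does not. */
const uint64_t GUEST_PHYS = 0x12345040, HOST_PHYS = 0x7fe9a040;
uint64_t evset[4];

int main(void)
{
    uint64_t entry = PM_PRESENT | 0x12345;   /* constructed pagemap entry */
    uint64_t phys = pagemap_to_phys(entry, 0x7ffd1000040ULL);
    size_t n = build_eviction_set(SAMPLE_PHYS, 5, l2_set_index(phys), evset, 4);

    printf("phys=0x%llx set=%u eviction-set size=%zu\n",
           (unsigned long long)phys, l2_set_index(phys), n);
    printf("set from guest address=%u, set actually used by hardware=%u\n",
           l2_set_index(GUEST_PHYS), l2_set_index(HOST_PHYS));
    printf("native peak=%d guest peak=%d\n",
           target_set_peaks(NATIVE_AVG, 8, 4, 3.0),
           target_set_peaks(GUEST_AVG, 8, 4, 3.0));
    return 0;
}
```

Sandbox maintainers can apply the same comparison to timings collected inside their own guests to see how clearly this signal separates them from bare metal.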
Traditional virtualization detection relies mainly on fingerprint traces that a Hypervisor implementation leaves visible inside the virtual machine, and these fingerprints are easily removed by Hypervisor updates; moreover, almost all current mainstream Hypervisor implementations are built on hardware-assisted virtualization acceleration, so isolation is stronger and virtualization fingerprints are fewer. To address this problem, the invention discloses a hardware-assisted virtualized environment core detection method that is based on hardware-assisted virtualization extensions and micro-architectural characteristics and does not depend on traces of the Hypervisor, so it is not easy to evade or remove. The invention can select different modules according to the privileges the user program holds, which gives it wider applicability and better extensibility. Its PP-based virtualization detection depends only on the SLAT property of the virtual environment, so it applies not only to hardware-assisted full-virtualization environments but also to paravirtualized or sandbox environments.
Example 2
As shown in FIG. 4, an embodiment of the invention provides a hardware-assisted virtualized environment core detection system, which includes the following modules:
The VMCALL ordinary-privilege detection module 51 is configured to, when the detection program has only ordinary privileges to execute VMCALL, actively trigger a VM Exit with the VMCALL virtualization extension instruction, send a call to the Hypercall handler in the Hypervisor, and determine from the default return value whether a virtualized environment exists;
The VMCALL privileged detection module 52 is configured to, when the detection program has privileged permission to execute VMCALL, call VMCALL and pass parameters through general-purpose registers, obtain the return values of the specific Hypercall handlers that correspond to the different VMCALL parameters, and determine from those return values whether a virtualized environment exists;
The CR0 privileged detection module 53 is configured to, when the detection program has privileged permission to operate on CR0, change the CD bit of the CR0 register and check the effect on system performance, thereby determining whether a virtualized environment exists;
The L2C privileged detection module 54 is configured to, when the detection program has privileged permission to operate on the L2C, evict a specific L2C cache set and determine from the eviction behavior of that cache set whether a virtualized environment exists.
The above examples are provided for the purpose of describing the present invention only and are not intended to limit the scope of the present invention. The scope of the invention is defined by the appended claims. Various equivalents and modifications that do not depart from the spirit and principles of the invention are intended to be included within the scope of the invention.
Claims (6)
1. The hardware-assisted virtualized environment core detection method is characterized by comprising the following steps of:
Step S1: when the detection program has the common authority to operate the VMCALL, the VMCALL virtualization expansion instruction is based on to actively perform VMExit, call is sent to the Hypercall processing function in the Hypervisor, and whether the virtualization environment exists is judged according to the default return value;
Step S2: when the detection program has privilege rights to operate the VMCALL, calling the VMCALL and transmitting parameters through a general register, and obtaining the return value of a specific Hypercall processing function corresponding to different VMCALL parameters, thereby judging whether the virtualized environment exists or not according to the return value;
Step S3: when the detecting program has the privilege authority to operate the CR0, the CD bit of the CR0 register is changed to check the influence on the system performance, so that whether the virtualized environment exists is judged;
Step S4: when the detection program has privilege rights to operate on the L2C, whether the virtualized environment exists or not is judged by expelling a specific L2C Cache group according to the expelling condition of the Cache group.
2. The method for detecting a core of a hardware-assisted virtualized environment according to claim 1, wherein the step S1: when the detection program has the common authority to operate on the VMCALL, the VMExit is actively carried out based on the VMCALL virtualization extension instruction, the call is sent to the Hypercall processing function in the Hypervisor, and whether the virtualization environment exists or not is judged according to the default return value, and the method specifically comprises the following steps:
When a detection program has ordinary authority to operate on the VMCALL, actively calling the VMCALL in a local environment can cause hardware abnormality, thereby causing program error; and the method can be successfully executed when the VMCALL is called in the virtualized environment, and a default return value can be obtained after the VMExit is trapped in the Hypervisor, so that whether the virtualized environment exists or not is judged according to the default return value.
3. The method for detecting a core of a hardware-assisted virtualized environment according to claim 1, wherein the step S2: when the detection program has privilege rights to operate the VMCALL, calling the VMCALL and transmitting different parameters through a general register, and obtaining the return value of a specific Hypercall processing function corresponding to the different VMCALL parameters, thereby judging whether the virtualized environment exists or not according to the return value, specifically comprising:
when the detection program has privilege rights to VMCALL operation, a specific parameter value is attached to a virtual register when a VMCALL instruction is called, and different Hypercall processing functions are called according to different parameter values, and different return values are obtained; when the detection program runs in a local environment, errors can be caused due to incompatibility of instructions, and a return value cannot be obtained; and judging whether the virtualized environment exists or not according to the return value.
4. The method for detecting a core of a hardware-assisted virtualized environment according to claim 1, wherein the step S3: when a detecting program has privilege rights to operate on CR0, the CD bit of a CR0 register is changed to check the influence on the system performance, so as to judge whether a virtualized environment exists or not, which specifically comprises the following steps:
when the detection program has privilege rights to operate CR0, setting the CD bit of the CR0 register in the virtualized environment does not actually affect the physical CPU; when the detection program runs in a local environment, setting the CD position can actually influence a physical CPU, so that the state of a physical Cache is changed, and the access time is prolonged; and comparing the access time before and after CD setting so as to judge whether the virtualized environment exists.
5. The method for detecting a core of a hardware-assisted virtualized environment according to claim 1, wherein step S4, namely: when the detection program has privilege rights to operate L2C, evicting a specific L2C Cache set and judging from the eviction behaviour of the Cache set whether a virtualized environment exists, specifically comprises:
when the detection program runs in a local environment, the real physical memory address is obtained through the pagemap interface, so the correct index locates the Cache set, and the average access time of the target Cache set shows an obvious peak; when the detection program runs in a virtualized environment, the obtained physical address is not a real physical memory address, and the located Cache set is not the expected target Cache set; the detection program judges its running environment by comparing the average access time of the target Cache set with that of all Cache sets.
6. A hardware-assisted virtualized environment core detection system, comprising the following modules:
the VMCALL ordinary authority detection module, used for actively triggering a VMExit with the VMCALL virtualization extension instruction when the detection program has ordinary authority to operate VMCALL, sending a call to a Hypercall processing function in the Hypervisor, and judging from the default return value whether a virtualized environment exists;
the VMCALL privilege detection module, used for calling VMCALL and passing parameters through a general register when the detection program has privilege to operate VMCALL, obtaining the return values of the specific Hypercall processing functions corresponding to the different VMCALL parameters, and judging from the return values whether a virtualized environment exists;
the CR0 privilege detection module, used for changing the CD bit of the CR0 register when the detection program has privilege to operate CR0 and checking the effect on system performance, so as to judge whether a virtualized environment exists;
the L2C privilege detection module, used for evicting a specific L2C Cache set and judging from the eviction behaviour of the Cache set whether a virtualized environment exists.
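The comparison step that claims 4 and 5 end on, as an added example that is not code from the patent: it classifies timing samples that have already been collected, taking the median so that a single interrupt-inflated reading does not decide the verdict. The function names, the `min_ratio` thresholds and all sample values are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum verdict { NATIVE = 0, VIRTUALIZED = 1, INCONCLUSIVE = 2 };

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of up to 64 samples; resists outliers from interrupts or preemption. */
static uint64_t median(const uint64_t *s, size_t n) {
    uint64_t tmp[64];
    if (n == 0) return 0;
    if (n > 64) n = 64;
    memcpy(tmp, s, n * sizeof *s);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    return tmp[n / 2];
}

/* Claim 4: if setting CR0.CD reached the physical CPU, access time is prolonged.
   min_ratio is an assumed threshold, not a value from the patent. */
enum verdict classify_cd(const uint64_t *before, const uint64_t *after,
                         size_t n, double min_ratio) {
    uint64_t b = median(before, n), a = median(after, n);
    if (b == 0) return INCONCLUSIVE;          /* no usable baseline */
    return (double)a / (double)b >= min_ratio ? NATIVE : VIRTUALIZED;
}

/* Claim 5: the target set's average access time peaks above the average over
   all sets only when the pagemap address indexed the real Cache set. */
enum verdict classify_l2c(const uint64_t *set_avg, size_t nsets,
                          size_t target, double min_ratio) {
    double sum = 0.0;
    if (nsets == 0 || target >= nsets) return INCONCLUSIVE;
    for (size_t i = 0; i < nsets; i++)
        sum += (double)set_avg[i];
    double mean = sum / (double)nsets;
    return (double)set_avg[target] >= min_ratio * mean ? NATIVE : VIRTUALIZED;
}

/* Constructed cycle counts for illustration, not measurements. */
const uint64_t BEFORE[5]    = {42, 40, 41, 900, 43};   /* one outlier */
const uint64_t AFTER_HW[5]  = {610, 598, 605, 640, 601};
const uint64_t AFTER_VM[5]  = {44, 41, 43, 45, 1200};  /* one outlier */
const uint64_t SETS_HW[8]   = {50, 52, 49, 180, 51, 50, 48, 53};
const uint64_t SETS_VM[8]   = {50, 52, 49, 51, 51, 50, 48, 53};
```

For anyone tuning an analysis sandbox, the same functions show how large a timing gap the guest would have to observe before these two checks separate it from bare metal.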
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111576319.5A CN114265775B (en) | 2021-12-21 | 2021-12-21 | Hardware-assisted virtualized environment core detection method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114265775A (en) | 2022-04-01 |
| CN114265775B (en) | 2024-05-24 |
Family
ID=80828541
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111576319.5A Active CN114265775B (en) | 2021-12-21 | 2021-12-21 | Hardware-assisted virtualized environment core detection method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114265775B (en) |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114265775A (en) | 2022-04-01 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||