
CN111444508B - CPU vulnerability detection device and method based on virtual machine - Google Patents


Info

Publication number: CN111444508B
Application number: CN201811611543.1A
Authority: CN (China)
Prior art keywords: module, instruction, preset, unknown, cpu
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN111444508A (en)
Inventors: 潘剑锋, 秦光远, 廖川剑
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd

Events: application filed by Beijing Qihoo Technology Co Ltd; priority to CN201811611543.1A; publication of CN111444508A; application granted; publication of CN111444508B; legal status currently Active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a CPU vulnerability detection device and method implemented on a virtual machine. The device comprises a process monitoring module and a driver module. The process monitoring module is adapted to send the process information of an unknown process to a cloud server when the unknown process is detected, and to provide that process information to the driver module when the query result returned by the cloud server shows the unknown process to be of a preset level. The driver module is adapted to send the process information provided by the process monitoring module to a preset host device, so that the host device monitors whether the unknown process executes instructions related to a CPU vulnerability, and to return the monitoring result from the host device to the process monitoring module, which then acts on it. The method achieves monitoring at the instruction level, so that every instruction related to a CPU vulnerability can be observed, giving a more comprehensive defense.

Description

CPU vulnerability detection device and method based on virtual machine
Technical Field
The invention relates to the field of computer technology, and in particular to a CPU vulnerability detection device and method implemented on a virtual machine.
Background
A vulnerability in the central processing unit (CPU) is by nature a high-risk vulnerability: once a malicious program launches an attack through a CPU vulnerability, it causes immeasurable harm to the user's personal device and can even bring the device down entirely.
In the prior art, whether an attack aimed at a CPU vulnerability is under way can only be judged by monitoring the interfaces provided by the operating system. For example, when a malicious program attempts to attack a CPU vulnerability by calling an operating system interface, the malicious behaviour can be observed and intercepted by placing a hook or similar monitor on that interface.
In practising the present invention, the inventors found that this prior-art approach has at least the following drawback: malicious behaviour can only be intercepted at the level of the operating system's interfaces, so once a malicious program bypasses those interfaces and reaches the operating system directly, serious consequences follow.
Disclosure of Invention
The present invention has been made in view of the above problems, and its object is to provide a virtual-machine-based CPU vulnerability detection apparatus and method that overcomes, or at least partially solves, them.
According to one aspect of the present invention, there is provided a CPU vulnerability detection apparatus implemented on a virtual machine, comprising a process monitoring module and a driver module, wherein:
the process monitoring module is adapted to send the process information of an unknown process to a cloud server when the unknown process is detected, and to provide the process information of the unknown process to the driver module when the query result returned by the cloud server shows the unknown process to be of a preset level;
the driver module is adapted to send the process information of the unknown process provided by the process monitoring module to a preset host device, so that the host device monitors whether the unknown process executes instructions related to a CPU vulnerability, and to provide the monitoring result returned by the host device to the process monitoring module, so that the process monitoring module can act on that result.
According to another aspect of the present invention, there is provided a CPU vulnerability detection method based on the above apparatus, comprising:
when an unknown process is detected, sending its process information to a cloud server;
when the query result returned by the cloud server shows the unknown process to be of a preset level, sending its process information to a preset host device so that the host device monitors whether the unknown process executes instructions related to a CPU vulnerability; and
acting on the monitoring result returned by the host device.
According to still another aspect of the present invention, there is provided an electronic device comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another over the communication bus;
the memory stores at least one executable instruction which causes the processor to perform the operations of the CPU vulnerability detection method based on the CPU vulnerability detection apparatus described above.
According to still another aspect of the present invention, there is provided a computer storage medium storing at least one executable instruction which causes a processor to perform the operations of the CPU vulnerability detection method based on the CPU vulnerability detection apparatus described above.
With the virtual-machine-based CPU vulnerability detection apparatus and method disclosed by the present invention, the process monitoring module and the driver module cooperate so that, when an unknown process is detected, the cloud server is queried to determine whether it is a process of a preset level; if so, the driver module sends the process information of the unknown process to a preset host device, and the monitoring result returned by the host device is acted upon. In this way the unknown process is identified on the virtual machine and, with the cooperation of the host device, it is detected whether the unknown process executes an instruction related to a CPU vulnerability, so that the defense operates at the instruction level.
The foregoing is only an overview of the technical solution of the present invention. So that the technical means of the invention may be understood more clearly and carried out in accordance with the specification, and so that the above and other objects, features and advantages of the invention may become more readily apparent, specific embodiments are set out below.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be construed as limiting the invention. Like reference numerals designate like parts throughout the figures. In the drawings:
FIG. 1 is a schematic structural diagram of a CPU vulnerability detection apparatus implemented on a virtual machine according to one embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a CPU vulnerability detection apparatus implemented on a virtual machine according to another embodiment of the present invention;
FIG. 3 is a flowchart of a CPU vulnerability detection method based on the CPU vulnerability detection apparatus according to another embodiment of the present invention; and
FIG. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
FIG. 1 is a schematic structural diagram of a CPU vulnerability detection apparatus implemented on a virtual machine according to an embodiment of the present invention. As shown in FIG. 1, the apparatus comprises a process monitoring module 11 and a driver module 12. The process monitoring module 11 is adapted to send the process information of an unknown process to a cloud server when the unknown process is detected, and to provide the process information of the unknown process to the driver module 12 when the query result returned by the cloud server shows the unknown process to be of a preset level. The driver module 12 is adapted to send the process information of the unknown process provided by the process monitoring module 11 to a preset host device, so that the host device monitors whether the unknown process executes instructions related to a CPU vulnerability, and to provide the monitoring result returned by the host device to the process monitoring module, so that the process monitoring module acts on that result.
The process monitoring module is mainly used to monitor every unknown process and to determine, by querying the cloud server, whether each unknown process is a safe process; if the query shows that it is not, the process information of the unknown process is passed through the driver module to the preset host device, so that the host device can monitor whether the unknown process executes instructions related to a CPU vulnerability.
Thus, with the virtual-machine-based CPU vulnerability detection apparatus disclosed by the present invention, the process monitoring module and the driver module cooperate so that, when an unknown process is detected, the cloud server is queried to determine whether it is a process of a preset level; if so, the driver module sends the process information of the unknown process to the preset host device, and the monitoring result returned by the host device is acted upon. In this way the unknown process is identified on the virtual machine and, with the cooperation of the host device, it is detected whether the unknown process executes an instruction related to a CPU vulnerability, so that the defense operates at the instruction level. This gives a more comprehensive defense: even if an unknown process bypasses the interfaces provided by the operating system and reaches the operating system directly, it can still be intercepted on the basis of the instructions it executes, which improves system security.
FIG. 2 is a schematic structural diagram of a CPU vulnerability detection apparatus 20 implemented on a virtual machine according to another embodiment of the present invention. As shown in FIG. 2, the apparatus comprises a process monitoring module 11 and a driver module 12. Optionally, the process monitoring module 11 further comprises a process management module 111, a defense module 112 and a cloud query module 113. The process management module 111 and the cloud query module 113 are each connected to the defense module 112, and the defense module 112 is in turn connected to the driver module 12. Further optionally, the apparatus also comprises a shared memory module 13, connected to the driver module 12 and to the preset host device 30 and adapted to store the monitoring result returned by the preset host device 30 for the driver module 12 to read. A host monitoring module is further provided in the host device 30.
As can be seen, the CPU vulnerability detection apparatus 20 of this embodiment is a virtual machine in which a virtual (guest) operating system, for example a Windows system, is installed. The host device 30 is the host corresponding to that virtual machine, and runs the host operating system corresponding to the virtual operating system. For convenience of description, the virtual machine implemented by the CPU vulnerability detection apparatus 20 is also referred to simply as the Guest side, and the host implemented by the host device 30 as the Host side. The Guest side performs CPU vulnerability detection with the support of the Host side.
The specific working principles of each module included in the CPU vulnerability detection apparatus 20 provided in the embodiment of the present invention are described below:
The process monitoring module 11 is mainly used to monitor each process. Whenever a process is started, the process monitoring module 11 obtains the relevant information of the started process so that it can monitor the process continuously. To ensure that the process monitoring module 11 sees the corresponding start event and begins monitoring promptly and effectively at the moment a process starts, the process monitoring module 11 of this embodiment further comprises the process management module 111 and the defense module 112. The process management module 111 is configured to register callback information for each process through the defense module 112, and to send a callback notification to the defense module 112 when a registered process executes. That is, the process management module registers callback information for each process and/or thread with the defense module in advance, creating a callback function for each process and/or thread, and when a registered process and/or thread executes, the corresponding callback function sends a callback notification to the defense module 112. The defense module 112 is configured, on receiving a callback notification from the process management module 111, to obtain the process information of the unknown process to which the notification corresponds and to send it to the cloud query module 113. The process information of the unknown process comprises the process name, the process identifier (for example its ID or PID), the path of the process, and so on. The cloud query module 113 is configured to send the process information received from the defense module 112 to the cloud server and to return the query result from the cloud server to the defense module 112. The cloud server stores information about processes whose security level is already known.
For example, a process level table is maintained on the cloud server, holding information about processes of each level. The levels may be: dangerous, safe and suspicious. Alternatively, the level information may be represented as lists: processes of the safe level in a whitelist, processes of the dangerous level in a blacklist, and processes of the suspicious level in a greylist. The defense module 112 then carries out the processing appropriate to the level returned, and when the query result returned by the cloud server shows the unknown process to be of a preset level, it provides the process information of the unknown process to the driver module, so that the driver module sends it to the preset host device for instruction-level monitoring. The preset level may be any unsafe level, such as the suspicious level and/or the dangerous level. For example, in one particular implementation the defense module 112 proceeds as follows: if the unknown process is of the safe level, it is released; if it is of the dangerous level, it is intercepted (for example killed, so that it cannot keep running); and if it is of the suspicious level, its process information is provided to the driver module.
Thus every process started in the current system is observed by the process monitoring module 11 the moment it starts, and its security level is queried from the cloud server in real time, giving real-time protection against processes of an unsafe level.
The driver module 12 is configured to send the process information of the unknown process provided by the process monitoring module 11 to the preset host device, so that the host device monitors whether the unknown process executes an instruction related to a CPU vulnerability, and to provide the monitoring result returned by the host device to the process monitoring module, so that the process monitoring module acts on it. Because the CPU vulnerability detection apparatus 20 and the host device 30 run the virtual operating system and the host operating system respectively, a driver module 12 is provided in this embodiment specifically to carry communication across the two operating systems, that is, between the virtual operating system and the host operating system.
Optionally, to make communication between the virtual operating system and the host operating system still easier, the CPU vulnerability detection apparatus 20 of this embodiment further comprises a shared memory module 13, connected to the driver module 12 and to the preset host device 30 and adapted to store the monitoring result returned by the preset host device for the driver module 12 to read. The shared memory module buffers the process data of the process, and the buffered data can be accessed by the virtual operating system and the host operating system at the same time; with several processes, data can thus be shared among them, and the efficiency of communication between the two operating systems is improved.
The specific functions of the host device 30 are described next. The host device 30 is used to monitor whether an unknown process executes an instruction related to a CPU vulnerability and to provide the monitoring result, through the driver module, to the process monitoring module, so that the process monitoring module acts on the result returned by the host device.
Specifically, the preset host device 30 is configured to inject preset monitoring code into the unknown process identified by the process information, so as to obtain the instructions of the unknown process through that monitoring code and to judge, according to a preset vulnerability defense rule, whether an instruction of the unknown process is related to a CPU vulnerability. The preset vulnerability defense rule comprises at least one of: a rule based on whether the instruction frequency exceeds a preset frequency threshold; and a rule based on whether an instruction sequence and/or a combination of instruction sequences matches preset vulnerability instruction sequence features. The vulnerability instruction sequence features stored in the rule comprise at least one of: a sequence feature for a cache-line flush instruction, a sequence feature for a read-time-stamp-counter instruction, and a sequence feature for a read-TSC-register instruction.
One specific way of injecting the preset monitoring code into the unknown process identified by the process information is given below. In this implementation the preset monitoring code is a dynamic link library (DLL).
First the memory address space of the unknown process is determined, and the DLL is injected into that address space so that it becomes part of the unknown process. In this embodiment the DLL uses a virtual machine to provide a virtual CPU environment, so that the unknown process runs in that virtual CPU environment. That is, once the DLL has been injected into the unknown process, the virtual machine emulates the virtual CPU environment and other hardware environments and presents the virtual CPU environment to the unknown process, so that the unknown process is switched from the real CPU environment to the virtual CPU environment; the switch can be carried out by communicating with the unknown process, forwarding messages, and the like. In this way the DLL is able to supervise the unknown process.
The DLL then obtains the instructions of the unknown process. Since the DLL is in effect a virtual machine capable of running a process, and the unknown process runs in the virtual CPU environment that the DLL's virtual machine creates, every instruction the unknown process issues through the operating system is taken over by the DLL, and the DLL can therefore obtain all the instructions of the unknown process.
Finally, it is judged according to the preset vulnerability defense rule whether an instruction of the unknown process is related to a CPU vulnerability. In this implementation the preset vulnerability defense rule comprises at least one of the following two rules:
The first vulnerability defense rule is based on whether the instruction frequency exceeds a preset frequency threshold. In implementing the present invention the inventors found that when a malicious process launches an attack, it achieves its aim by issuing the relevant instruction many times within a short period, so monitoring the instruction frequency helps to screen out malicious instructions. For example, in this embodiment a frequency threshold is fixed in advance, and when the number of hits on a preset vulnerability instruction within one second exceeds that threshold, the instruction is judged to satisfy the vulnerability defense rule. The preset vulnerability instruction is an instruction determined in advance to be related to a CPU vulnerability.
The second vulnerability defense rule is based on whether an instruction sequence and/or a combination of instruction sequences matches preset vulnerability instruction sequence features. The preset vulnerability instruction sequence features are generated from instructions determined in advance to be related to a CPU vulnerability. A vulnerability instruction sequence feature may be the sequence feature of a single instruction, or the sequence-set feature of an instruction set formed from several instructions. For example, the vulnerability instruction sequence features include a sequence feature for a cache-line flush instruction (for example CLFLUSH), a sequence feature for a read-time-stamp-counter instruction (for example RDTSC), and/or a sequence feature for a read-TSC-register instruction (for example RDTSCP). Besides the CLFLUSH, RDTSC and RDTSCP instructions just mentioned, the instructions related to a CPU vulnerability may also include CLFLUSHOPT (the optimised cache-line flush instruction); since an attack on a CPU vulnerability can be carried out through these instructions, the present invention monitors them closely. A vulnerability instruction sequence feature built from an instruction may contain the whole of the instruction or only feature content extracted from it. Further, since an attack is sometimes carried out with a set of several different instructions, a vulnerability instruction sequence feature may also consist of several instruction features arranged in order.
In a specific example, the preset vulnerability instruction sequence features comprise the following instruction sequences and/or combinations: a read-TSC-register instruction and/or a flush instruction, with the instruction between two read-TSC-register instructions being a preset vulnerability feature instruction; the preset vulnerability feature instruction comprises a data transfer instruction (for example MOV). The read-TSC-register instruction is, for example, RDTSCP, and the flush instruction is, for example, CLFLUSH. So, when the CPU has executed an RDTSCP instruction followed by a CLFLUSH instruction, and the instruction between the two RDTSCP instructions matches the CPU vulnerability feature (for example it is a MOV that accesses memory), the vulnerability defense rule is judged to be satisfied and defensive action should be taken. Preferably, a limit on the number of executions is added as well: for example, when the CPU executes RDTSCP followed by CLFLUSH, the instruction between the two RDTSCP instructions matches the CPU vulnerability feature, and the number of executions exceeds a preset count threshold, the vulnerability defense rule is judged to be satisfied and defensive action should be taken. The rule may likewise be judged satisfied when the CPU flushes (CLFLUSH) memory that was accessed between the RDTSCP instructions.
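The two rules above, worked through as an added example; this is not code from the patent or from its assignee. It assumes the injected monitoring code has already decoded the unknown process's instruction stream into (timestamp, mnemonic, operand) records, which is what the virtual CPU environment in the description would see. The constructed traces, the one-second window, the check that the flush targets the same line that was timed, and the small allowance for arithmetic between the second TSC read and the flush are all this example's own choices. The three instruction classes the description singles out (cache-line flush, time-stamp-counter read, memory load) are the building blocks of a cache-timing probe, which is why a sequence of them, repeated, is a usable signature.

```python
"""Added example, not code from the patent or its assignee: the two host-side
vulnerability defense rules from the description, run over a decoded
instruction trace of (timestamp_s, mnemonic, operand) records. `operand` is
the one operand the rules care about ("[rbx+0x40]" memory, "rax" register).
All traces below are constructed."""
from collections import deque

TSC_READS = {"RDTSC", "RDTSCP"}           # read time-stamp counter
FLUSHES = {"CLFLUSH", "CLFLUSHOPT"}       # cache-line flush
VULN_INSTRUCTIONS = TSC_READS | FLUSHES   # the "preset vulnerability instructions"

def is_memory_operand(operand):
    """The description's 'MOV memory instruction': a MOV that dereferences memory."""
    return operand.startswith("[") and operand.endswith("]")

class FrequencyRule:
    """Rule 1: more than `threshold` hits on vulnerability instructions in one second."""

    def __init__(self, threshold, window_s=1.0):
        self.threshold, self.window_s = threshold, window_s
        self.hits = deque()                # timestamps of hits still inside the window

    def observe(self, ts, mnemonic):
        if mnemonic not in VULN_INSTRUCTIONS:
            return False
        self.hits.append(ts)
        while ts - self.hits[0] > self.window_s:
            self.hits.popleft()
        return len(self.hits) > self.threshold

class SequenceRule:
    """Rule 2: TSC read, memory MOV, TSC read, then a flush of the same line is one
    timing probe; fires once probes exceed `times_threshold`. `slack` bounds the
    unrelated instructions allowed before the flush (SUB/CMP on the delta); the
    bound and the same-line check are this example's reading of the description."""

    def __init__(self, times_threshold, slack=3):
        self.times_threshold, self.slack, self.probes = times_threshold, slack, 0
        self._reset()

    def _reset(self):
        self.state = 0        # 0 idle, 1 saw TSC read, 2 saw memory MOV, 3 saw 2nd TSC read
        self.probed_line, self.remaining = None, self.slack

    def observe(self, mnemonic, operand):
        if self.state == 0:
            if mnemonic in TSC_READS:
                self.state = 1
        elif self.state == 1:
            if mnemonic == "MOV" and is_memory_operand(operand):
                self.probed_line, self.state = operand, 2
            elif mnemonic not in TSC_READS:   # a repeated TSC read just restarts the probe
                self._reset()
        elif self.state == 2:
            if mnemonic in TSC_READS:
                self.state, self.remaining = 3, self.slack
            else:
                self._reset()
        else:                                  # state 3: waiting for the flush
            if mnemonic in FLUSHES and operand == self.probed_line:
                self.probes += 1
                self._reset()
            elif mnemonic in TSC_READS:
                self.state, self.probed_line = 1, None
            else:
                self.remaining -= 1
                if self.remaining < 0:
                    self._reset()
        return self.probes > self.times_threshold

def scan_trace(trace, freq_threshold=50, times_threshold=3):
    """Run both rules over a trace; return (names of rules that fired, probe count)."""
    freq, seq, fired = FrequencyRule(freq_threshold), SequenceRule(times_threshold), set()
    for ts, mnemonic, operand in trace:
        if freq.observe(ts, mnemonic):
            fired.add("frequency")
        if seq.observe(mnemonic, operand):
            fired.add("sequence")
    return fired, seq.probes

def probe_round(t0, line, flush_line=None):
    """One constructed timing probe: time a load of `line`, then evict it again."""
    return [(t0, "RDTSCP", ""),
            (t0 + 0.0001, "MOV", line),                    # reload: time the access
            (t0 + 0.0002, "RDTSCP", ""),
            (t0 + 0.0003, "SUB", "rax"),                   # cycle delta
            (t0 + 0.0004, "CLFLUSH", flush_line or line)]  # flush for the next round

# Constructed traces: 20 probes in 0.2 s; a benign program; a loop flushing the wrong line.
ATTACK_TRACE = [i for r in range(20) for i in probe_round(r * 0.01, "[rbx+0x40]")]
BENIGN_TRACE = [(0.0, "RDTSC", ""), (0.1, "MOV", "[rsp+8]"), (0.2, "ADD", "rax"),
                (0.3, "MOV", "rbx"), (2.0, "RDTSC", "")]
WRONG_LINE_TRACE = [i for r in range(20)
                    for i in probe_round(r * 0.01, "[rbx+0x40]", "[rcx]")]

if __name__ == "__main__":
    for name, trace in [("attack", ATTACK_TRACE), ("benign", BENIGN_TRACE), ("wrong line", WRONG_LINE_TRACE)]:
        print(name, scan_trace(trace))
```

Run as a script it reports which rules fired for each trace: the probe loop trips both rules, the benign program trips neither, and the loop whose flush never targets the timed line trips only the frequency rule. That last case is the reason the description keeps both rules: the frequency rule alone flags any tight loop of timing or flush instructions (a benchmark, say), while the sequence rule alone misses an attacker who spreads probes out in time, so a practitioner would run them together and tune the two thresholds separately.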
In a specific implementation the preset vulnerability defense rule may be created in advance by machine learning. First, sample monitoring code is injected into each sample process, and the sample monitoring code takes over the instructions of each sample process so that they execute in a virtual CPU environment; then the instructions of each sample process and their execution results are trained with a machine learning algorithm, and the preset vulnerability defense rule is determined from the training result. The sample monitoring code resembles the preset monitoring code and can likewise be a DLL that uses a virtual machine to emulate a virtual CPU environment in which the sample process runs. The sample monitoring code can therefore observe every instruction of the sample process and, by taking over those instructions and assisting in their execution, obtain the execution result of each, which makes it convenient to pick out malicious instructions (instructions related to a CPU vulnerability) from the execution results, learn their instruction features through training, and so extend the vulnerability defense rules. By learning from the instructions of a large number of samples it can be determined whether each instruction is malicious and the features of malicious instructions can be extracted, which improves the completeness and accuracy of the vulnerability defense rules.
When the instruction corresponding to the unknown process is judged to be an instruction related to a CPU vulnerability, the unknown process can be determined to be a malicious process that intends to launch an attack by exploiting the CPU vulnerability. Accordingly, the unknown process must be intercepted in order to defend against the attack. Specifically, the unknown process can be intercepted in various ways: for example, the unknown process can be killed directly, so that it cannot continue to launch the attack; for another example, the instructions corresponding to the unknown process can be intercepted, so that only one or more malicious instructions are blocked and the process is not killed by mistake. The interception may be performed directly by the host device, or by the host device through the virtual machine device via the driving module, which is not limited in the present invention.
In addition, when the instruction corresponding to the unknown process is judged not to be an instruction related to a CPU vulnerability, the dynamic link library (DLL) can still take over the instructions corresponding to the unknown process so that they are executed in the virtual CPU environment; the execution result of each instruction is then acquired, and when the execution result is one related to a CPU vulnerability, the preset vulnerability defense rule is updated according to the instruction corresponding to the unknown process. Specifically, by taking over the instructions of the unknown process and executing them in the virtual CPU environment, the DLL can monitor their execution results, accurately determine the execution motive of every unknown instruction, and thereby update the vulnerability defense rules.
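The rule-learning step described two paragraphs above and the rule-update step described here, as one added example that is not code from the patent: labelled sample traces (mnemonic sequences, constructed here) are reduced to instruction n-grams, the n-grams that occur in nearly every malicious sample but rarely in benign ones become the preset sequence features, and an unknown process whose execution in the virtual CPU is flagged contributes its own rare n-grams back into the feature set. The n-gram representation, the frequency thresholds and all sample data are assumptions made here; the patent does not specify which learning algorithm it uses.

```python
from collections import Counter

# Constructed labelled samples (not from the patent): each is the mnemonic
# sequence a sample monitoring code would record in the virtual CPU environment.
MALICIOUS_SAMPLES = [
    ["mov", "rdtscp", "mov", "rdtscp", "clflush", "mov", "rdtscp", "mov", "rdtscp", "clflush"],
    ["push", "rdtscp", "mov", "rdtscp", "clflush", "sub", "rdtscp", "mov", "rdtscp", "clflush", "ret"],
]
BENIGN_SAMPLES = [
    ["push", "mov", "add", "mov", "cmp", "jne", "mov", "ret"],
    ["mov", "call", "mov", "rdtscp", "sub", "mov", "ret"],   # a single timing read is normal
    ["xor", "mov", "mov", "lea", "call", "ret"],
]


def ngrams(seq, n):
    """All length-n windows of a mnemonic sequence, as tuples."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def sample_frequency(samples, n):
    """Fraction of samples in which each n-gram occurs at least once."""
    doc_counts = Counter()
    for s in samples:
        doc_counts.update(set(ngrams(s, n)))
    return {g: c / len(samples) for g, c in doc_counts.items()}


def mine_sequence_features(malicious, benign, n=3, min_mal=0.9, max_ben=0.1):
    """Training step: keep n-grams present in >= min_mal of malicious samples
    and <= max_ben of benign samples. These become the preset sequence features."""
    mal = sample_frequency(malicious, n)
    ben = sample_frequency(benign, n)
    features = {g for g, f in mal.items() if f >= min_mal and ben.get(g, 0.0) <= max_ben}
    return sorted(features)


def matches_learned_rules(features, seq, n=3):
    """Which learned features occur in an unknown process's instruction sequence."""
    grams = set(ngrams(seq, n))
    return sorted(g for g in features if g in grams)


def update_rules(features, flagged_seq, benign, n=3, max_ben=0.1):
    """Rule-update step: an unknown process whose execution result was flagged
    contributes the n-grams of its sequence that are rare in benign samples."""
    ben = sample_frequency(benign, n)
    new = {g for g in ngrams(flagged_seq, n) if ben.get(g, 0.0) <= max_ben}
    return sorted(set(features) | new)


if __name__ == "__main__":
    feats = mine_sequence_features(MALICIOUS_SAMPLES, BENIGN_SAMPLES)
    print(feats)
    print(matches_learned_rules(feats, ["rdtscp", "mov", "rdtscp", "clflush"]))
```

The benign set deliberately contains a trace with one RDTSCP so that a lone timing read is not learned as a feature; only the bracketing pattern (RDTSCP, MOV, RDTSCP) and the flush that follows it survive both thresholds. In practice the benign corpus has to be large and representative, otherwise `update_rules` will admit ordinary code paths as features and the rule set drifts toward false positives.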
In summary, the dynamic link library (DLL) file in this embodiment implements a virtual CPU environment through a virtual machine. The method identifies an unknown process through the virtual machine in cooperation with the host device, detects whether the unknown process executes instructions related to CPU vulnerabilities, and thus realizes defense at the instruction level. This achieves a more comprehensive defensive effect: even if an unknown process bypasses the interfaces provided by the operating system and enters the operating system directly, it can still be intercepted at the instruction level, which improves system security. With the method of this embodiment the process is monitored at the instruction level, and because instructions are finer-grained than the interfaces provided by the operating system or the CPU that conventional methods monitor, both the monitoring range and the monitoring accuracy are improved. The method injects the DLL of the process virtual machine (i.e., the virtual machine that provides the process running environment) into the process; the process then executes inside the process virtual machine DLL, so the DLL can monitor the process at the instruction level, intercept any instruction that matches a vulnerability defense rule, and trigger an alarm to prompt the user. In addition, the scheme simulates the CPU from Ring 3 (user mode) to realize monitoring, so instruction-level content can be observed. Finally, the DLL injection method of this embodiment completes injection without changing the process running environment, so the injection and the subsequent monitoring are fully transparent to the user, which improves the user experience.
In the conventional approach, when a suspicious process is found it must first be killed and then restarted, for example by relaunching the monitored unknown process through a proxy process. However, killing the suspicious process affects the user, and the parent process and running environment (such as the cmdline) of the restarted process change, so the operation is not transparent to the user and the suspicious process can easily detect the anomaly. By contrast, the approach in the present invention is transparent to the user, is not easily noticed by the suspicious process, and is therefore more practical.
Fig. 3 is a schematic flow chart of a method for detecting a CPU vulnerability according to another embodiment of the present invention, implemented on the CPU vulnerability detection apparatus provided in any one of the above embodiments. As shown in fig. 3, the method includes:
Step S310: when an unknown process is monitored, sending the process information of the unknown process to a cloud server.
Step S320: when the unknown process is determined, according to the query result returned by the cloud server, to be a process of a preset level, sending the process information of the unknown process to a preset host device, so that the host device monitors whether the unknown process executes instructions related to CPU vulnerabilities.
Step S330: processing according to the monitoring result returned by the host device.
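Steps S310 to S330 as one flow, in an added example that is not code from the patent: the cloud query is answered from a constructed in-memory reputation table, a process of the "preset level" (assumed here to mean a process the cloud neither whitelists nor blacklists) is handed to a stand-in for the host device, and that stand-in applies the instruction-frequency rule from the claims (number of timing and flush instructions within a window of executed instructions compared with a preset frequency threshold) rather than the sequence rule. The level names, placeholder hashes, window size, threshold and sample traces are all assumptions made here.

```python
from enum import Enum


class Level(Enum):
    """Cloud verdict for a process. GREY is assumed here to be the 'preset level'
    that sends the process on to instruction-level monitoring."""
    WHITE = "white"
    BLACK = "black"
    GREY = "grey"


# Constructed cloud reputation table keyed by image hash (placeholder values, not real hashes).
CLOUD_DB = {
    "sha256:PLACEHOLDER-KNOWN-GOOD": Level.WHITE,
    "sha256:PLACEHOLDER-KNOWN-BAD": Level.BLACK,
}

# Constructed preset frequency rule: more than FREQUENCY_THRESHOLD watched
# instructions inside any window of WINDOW consecutively executed instructions.
WATCHED = {"rdtsc", "rdtscp", "clflush"}
FREQUENCY_THRESHOLD = 4
WINDOW = 16

# Constructed instruction streams for two processes.
PROBE_TRACE = ["rdtscp", "mov", "rdtscp", "clflush"] * 3
ORDINARY_TRACE = ["mov", "add", "rdtsc", "mov", "sub", "ret"]


def cloud_query(proc_info):
    """Step S310: the process monitoring module asks the cloud for the process level;
    anything the cloud has never seen is treated as GREY."""
    return CLOUD_DB.get(proc_info["hash"], Level.GREY)


def host_device_monitor(trace):
    """Step S320, host side: sliding-window count of watched instructions over the
    stream the injected monitor code observes. Returns the monitoring result the
    driving module would read back."""
    peak = 0
    in_window = 0
    for i, mnemonic in enumerate(trace):
        if mnemonic in WATCHED:
            in_window += 1
        if i >= WINDOW and trace[i - WINDOW] in WATCHED:
            in_window -= 1  # instruction leaving the window
        peak = max(peak, in_window)
    return {"related_to_cpu_vuln": peak > FREQUENCY_THRESHOLD, "peak_frequency": peak}


def handle_unknown_process(proc_info, trace):
    """Steps S310-S330 end to end; returns the action the defense module takes."""
    level = cloud_query(proc_info)
    if level is Level.WHITE:
        return "allow"
    if level is Level.BLACK:
        return "kill"
    # GREY: driving module forwards the process info to the host device,
    # which injects the monitor code and returns the instruction-level verdict.
    result = host_device_monitor(trace)
    return "intercept" if result["related_to_cpu_vuln"] else "allow"


if __name__ == "__main__":
    print(handle_unknown_process({"pid": 4242, "hash": "sha256:unknown"}, PROBE_TRACE))
    print(handle_unknown_process({"pid": 4243, "hash": "sha256:unknown"}, ORDINARY_TRACE))
```

The window makes the frequency rule insensitive to trace length: a long-running process that reads the counter once per second never accumulates enough watched instructions inside any 16-instruction window, whereas a tight probe loop exceeds the threshold almost immediately.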
For the specific implementation details of the above steps, refer to the description of the corresponding parts in the apparatus embodiments, which is not repeated here.
An embodiment of the present application provides a non-volatile computer storage medium storing at least one executable instruction, where the executable instruction can execute the virtual machine based CPU vulnerability detection method of any of the method embodiments above.
Fig. 4 shows a schematic structural diagram of an electronic device according to an embodiment of the present invention, and the specific embodiment of the present invention is not limited to the specific implementation of the electronic device.
As shown in fig. 4, the electronic device may include: a processor 402, a communication interface 404, a memory 406, and a communication bus 408.
Wherein:
The processor 402, the communication interface 404, and the memory 406 communicate with each other via the communication bus 408.
The communication interface 404 is used for communicating with network elements of other devices, such as clients or other servers.
The processor 402 is configured to execute the program 410, and may specifically perform relevant steps in the embodiment of the method for detecting a CPU vulnerability based on the virtual machine implementation.
In particular, the program 410 may include program code comprising computer operating instructions.
The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors included in the electronic device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs together with one or more ASICs.
The memory 406 is used for storing the program 410. The memory 406 may include high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
Program 410 may be specifically configured to cause processor 402 to perform relevant steps in the embodiments of the virtual machine based CPU vulnerability detection method described above.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such a system is apparent from the description above. In addition, the present invention is not directed to any particular programming language. It will be appreciated that the teachings of the present invention described herein may be implemented in a variety of programming languages, and the above description of specific languages is provided to disclose the enablement and best mode of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, this manner of disclosure should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
Various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that some or all of the functions of some or all of the components in a virtual machine based CPU vulnerability detection apparatus according to embodiments of the present invention may be implemented in practice using a microprocessor or Digital Signal Processor (DSP). The present invention can also be implemented as an apparatus or device program (e.g., a computer program and a computer program product) for performing a portion or all of the methods described herein. Such a program embodying the present invention may be stored on a computer readable medium, or may have the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not denote any order; these words may be interpreted as names.

Claims (12)

1. A virtual machine implementation-based CPU vulnerability detection apparatus, comprising: a process monitoring module and a driving module; wherein,
the process monitoring module is adapted to send the process information of an unknown process to a cloud server when the unknown process is monitored, and to provide the process information of the unknown process to the driving module when the unknown process is determined, according to the query result returned by the cloud server, to be a process of a preset level;
the driving module is adapted to send the process information of the unknown process provided by the process monitoring module to a preset host device, so that the host device monitors, according to preset vulnerability rules, whether the unknown process executes instructions related to CPU vulnerabilities, and to provide the monitoring result returned by the host device to the process monitoring module, so that the process monitoring module performs processing according to the monitoring result returned by the host device; wherein the preset vulnerability rules are determined through a machine learning algorithm from training results obtained by training on the instructions corresponding to each sample process and the instruction execution results.
2. The apparatus of claim 1, wherein the process monitoring module specifically comprises: the system comprises a process management module, a defense module and a cloud checking module; the process management module and the cloud search module are respectively connected with the defense module, and the defense module is further connected with the driving module.
3. The apparatus according to claim 2, wherein the process management module is adapted to register the callback information of each process through the defense module and to send a callback notification to the defense module when a registered process is executed;
the defense module is adapted, upon receiving the callback notification sent by the process management module, to acquire the process information of the unknown process corresponding to the callback notification and to send the acquired process information of the unknown process to the cloud checking module;
the cloud checking module is adapted to send the process information of the unknown process sent by the defense module to the cloud server and to return the query result returned by the cloud server to the defense module.
4. The apparatus according to any one of claims 1-3, wherein the apparatus further comprises:
a shared memory module, connected to the driving module and to the preset host device respectively, and adapted to store the monitoring result returned by the preset host device so that it can be read by the driving module.
5. The apparatus of any one of claims 1-4, wherein the CPU vulnerability detection apparatus is implemented on a virtual machine based on the Windows system.
6. The apparatus according to any one of claims 1-5, wherein the preset host device is configured to inject a preset monitor code into an unknown process corresponding to the process information, so as to obtain an instruction corresponding to the unknown process through the preset monitor code, and determine, according to a preset vulnerability defense rule, whether the instruction corresponding to the unknown process is an instruction related to a CPU vulnerability.
7. The apparatus of claim 6, wherein the preset vulnerability defense rules comprise at least one of:
a rule for defending according to whether the instruction frequency is greater than a preset frequency threshold, and a rule for defending according to whether the instruction sequence and/or instruction sequence combination matches the preset vulnerability instruction sequence features.
8. The apparatus of claim 7, wherein the preset vulnerability instruction sequence features stored in the preset vulnerability defense rules comprise at least one of:
an instruction sequence feature corresponding to a cache line flush instruction, an instruction sequence feature corresponding to a read time stamp counter opcode instruction, and an instruction sequence feature corresponding to a read TSC register instruction.
9. The apparatus of claim 8, wherein the preset monitoring code comprises: a dynamic link library (DLL) file used to implement a virtual CPU environment through a virtual machine.
10. A CPU vulnerability detection method implemented based on the CPU vulnerability detection apparatus of any one of claims 1-9, comprising:
when an unknown process is monitored, sending the process information of the unknown process to a cloud server;
when the unknown process is determined, according to the query result returned by the cloud server, to be a process of a preset level, sending the process information of the unknown process to a preset host device so that the host device monitors whether the unknown process executes instructions related to CPU vulnerabilities, wherein the preset vulnerability rules are determined through a machine learning algorithm from training results obtained by training on the instructions corresponding to each sample process and the instruction execution results;
processing according to the monitoring result returned by the host device.
11. An electronic device, comprising: the device comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete communication with each other through the communication bus;
The memory is configured to store at least one executable instruction, where the executable instruction causes the processor to perform operations corresponding to the virtual machine based CPU vulnerability detection method according to claim 10.
12. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the virtual machine based CPU vulnerability detection method of claim 10.
Application CN201811611543.1A, priority date 2018-12-27, filing date 2018-12-27: CPU vulnerability detection device and method based on virtual machine (CN111444508B, active).


Publications (2)

CN111444508A, published 2020-07-24
CN111444508B, published 2024-06-18


Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant