Abstract: Embodiments of a method and apparatus for monitoring activity on a virtual machine are generally described herein. The activity may be monitored by a first hypervisor and the virtual machine may be controlled by a second hypervisor. In some embodiments, the method includes setting a breakpoint in a kernel function of the virtual machine. The method may further include generating a page fault, responsive to the virtual machine halting execution at the breakpoint, to cause the second hypervisor to page in contents of a memory location accessed by the kernel function. The method may further include inspecting the contents of the memory location to detect activity in the virtual machine.
What is claimed is:
This patent application claims the benefit of priority to U.S. Provisional Patent Application Ser. No. 61/643,692 by John Wagner, titled “TRUSTED VIRTUAL MACHINE INCLUDING HYPERDRIVE AND METHOD,” filed on May 7, 2012, which is hereby incorporated by reference herein in its entirety.
Some embodiments relate to nested hypervisors. Some embodiments relate to using a bare-metal hypervisor to detect activity on a virtual machine controlled by a hypervisor nested in the bare-metal hypervisor.
The government hosts an increasing number of services in the cloud. Cloud clients may push their own virtual machine images into the cloud and this may have security implications for both clients and service hosts. Because clients control the configuration of the virtual machines, it is not always possible to install monitoring software inside the guest system. Monitoring activity may also be complicated due to the variety of configurations that clients of the cloud system may deploy. Further, cloud system administrators may not trust monitoring systems that they did not themselves develop.
Thus, there is a general need to gain introspection into the virtual machine guest systems of a cloud hypervisor to monitor the guests without modifying the guest system or the cloud hypervisor.
The following description and the drawings sufficiently illustrate specific embodiments to enable those skilled in the art to practice them. Other embodiments may incorporate structural, logical, electrical, process, and other changes. Portions and features of some embodiments may be included in, or substituted for, those of other embodiments. Embodiments set forth in the claims encompass all available equivalents of those claims.
As computing resources continue to progress toward cloud-based solutions, introspection into virtual machines operating in the cloud will become an ever increasing challenge. Achieving introspection becomes more difficult as the complexity and number of processors and hypervisors and the variety of virtual machines supported by host systems grows. Example embodiments may provide methods and apparatuses for monitoring activity on virtual machines without changes to the virtual machines or to the cloud hypervisors controlling the virtual machines.
The first hypervisor 110 may run a second hypervisor 130 such that the second hypervisor 130 may be said to be “nested” with the first hypervisor 110. The second hypervisor 130 may be a commercially available hypervisor, and the second hypervisor 130 may be referred to as a cloud hypervisor. The second hypervisor may also be a bare-metal hypervisor that is, however, different from the first hypervisor. Examples of commercially available hypervisors may include: XEN available from Citrix Systems, Inc. of Fort Lauderdale, Fla., and ESXi available from VMware of Palo Alto, Calif. Other hypervisors may also be utilized.
The second hypervisor 130 may manage and monitor guest operating systems forming one or more virtual machines 135. One or more operating systems may be utilized on the virtual machines 135. For example, virtual machine 135-1 may utilize a version of MICROSOFT WINDOWS SERVER, and virtual machine 135-2 may utilize a version of LINUX. Other operating systems in various combinations forming any number of virtual machines may be accommodated depending on the performance capabilities of the processor 120 and the hardware of the host system 125.
In example embodiments, the first hypervisor 110 may monitor activity in the virtual machine by setting breakpoints in kernel functions of the virtual machine 135 as described below with respect to
The computer 200 may include a first hypervisor 210. The first hypervisor 210 may be appropriate for performing the functionalities of the first hypervisor 110 (
The first hypervisor 210 may set a breakpoint in an address of a kernel function of a virtual machine 135 (
In some embodiments, the first hypervisor 210 may calculate addresses of kernel functions as offsets from the root address of the OS kernel. In an example embodiment, the first hypervisor 210 may read OS data structures to identify the offset of the kernel function based on the kernel function name. Based on the offset of the kernel function from the root address of the OS kernel, the first hypervisor 210 may determine the starting address of the kernel function. The first hypervisor 110 may set a kernel function breakpoint at the starting address of the kernel function.
The first hypervisor 210 may generate a page fault responsive to the virtual machine 135 halting execution at the kernel function breakpoint. The page fault may cause the second hypervisor 130 to page in contents of a memory location that may be accessed by the kernel function. The first hypervisor 210 may determine this memory location by reading its address from the parameters on the processor stack created when the kernel function was invoked.
The page fault may include an indication of this memory location. The page fault may be an extended page table (EPT) fault, and the page fault may comprise a VMExit command.
The page fault may cause the second hypervisor 130 to exit the virtual machine 135. The page fault may inform the second hypervisor 130 that an entry is missing in the EPT, and that the second hypervisor 130 should fetch memory at the specified memory location to add to the EPT.
Upon fetching the requested memory, the second hypervisor 130 may re-enter the virtual machine 135. Once the first hypervisor 210 receives notification that the second hypervisor 130 has re-entered the virtual machine 135, the first hypervisor 210 may be aware that the requested memory has been paged in by the processor 120 and is available for the first hypervisor 210 to examine. The first hypervisor 210 may then examine the memory at the memory location to detect activity, in particular suspicious activity. The first hypervisor 210 may also determine that a page of memory contents to be inspected has been paged out by the second hypervisor 130. In at least this situation, in example embodiments, the first hypervisor 210 may generate a second page fault to cause the second hypervisor 130 to page in the additional memory.
The first hypervisor 210 may be arranged to select a virtual machine 135 from a plurality of virtual machines 135 for monitoring. To monitor a virtual machine 135 of the plurality of virtual machines 135, the first hypervisor 210 may set a breakpoint in the address space of the desired virtual machine 135. The first hypervisor 210 may determine which addresses are mapped to virtual machines 135 by receiving a notification, for example via a VMEnter command, that the second hypervisor 130 has entered into a virtual machine 135. When the second hypervisor 130 enters a virtual machine 135, the notification to the first hypervisor 210 may include a root address, into an address translation table, for the virtual machine 135. The address translation table may be an EPT. The first hypervisor 210 may record the root addresses in the EPT for each of the plurality of virtual machines 135 to identify a desired virtual machine 135 for monitoring. The identification of a virtual machine 135 may be used by the first hypervisor 210 to enable the appropriate kernel function breakpoint for a virtual machine 135 when it is activated by the second hypervisor 130, for example via a VMEnter command.
The computer 200 may include a communication interface 224. The communication interface 224 may be appropriate for performing the functionalities of the NIC 124 (
The computer 200 may include memory 230. In one embodiment, the memory 230 includes, but is not limited to, random access memory (RAM), dynamic RAM (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), double data rate (DDR) SDRAM (DDR-SDRAM), or any device capable of supporting high-speed buffering of data. The processor 220 may cause the memory 230 to page in contents of memory that were paged out by the second hypervisor 130, for inspection by the first hypervisor 210.
The computer 200 may include an address translation table 235. The address translation table 235 may reside in memory 230 or in a separate memory storage (not shown in
The computer 200 may include computer instructions 240 that, when implemented on the computer 200, cause the computer 200 to implement functionality in accordance with example embodiments. The instructions 240 may be stored on a computer-readable storage device, which may be read and executed by at least one processor 220 to perform the operations described herein. In some embodiments, the instructions 240 are stored on the processor 220 or the memory 230 such that the processor 220 or the memory 230 acts as computer-readable media. A computer-readable storage device may include any non-transitory mechanism for storing information in a form readable by a machine (e.g., a computer). For example, a computer-readable storage device may include ROM, RAM, magnetic disk storage media, optical storage media, flash-memory devices, and other storage devices and media.
The instructions 240 may, when executed on the computer 200, cause the computer 200 to install a first hypervisor 210 on the computer 200. The first hypervisor may be a bare-metal hypervisor. The instructions may cause the computer 200 to use the first hypervisor 210 to set a breakpoint in a kernel function of a virtual machine 135 (
The instructions 240 may cause the computer 200 to generate a page fault, responsive to the virtual machine 135 halting execution at the breakpoint, to cause the second hypervisor 130 to page in contents of a memory location accessed by the kernel function. The instructions 240 may cause the computer 200 to inspect the contents of the memory location to detect activity in the virtual machine 135.
In operation 310, the first hypervisor 110 may set a breakpoint in a kernel function of the virtual machine 135. The first hypervisor may determine the address for the breakpoint as described above with respect to
In operation 320, the first hypervisor 110 may generate a page fault, responsive to the virtual machine 135 halting execution at the breakpoint, to cause the second hypervisor 130 to page in contents of a memory location accessed by the kernel function. The first hypervisor 110 may retrieve a parameter of the kernel function indicating the memory location to be inspected. The first hypervisor 110 may provide the parameter to the second hypervisor 130 during generation of the page fault. The page fault may indicate that an EPT entry is missing. The page fault may include a VMExit command.
In operation 330, the first hypervisor 110 may inspect the contents of the memory location to detect activity in the virtual machine 135. The first hypervisor 110 may determine that a page of memory contents to be inspected has been paged out by the second hypervisor 130, and the first hypervisor 110 may then generate a second page fault to cause the second hypervisor 130 to page in additional memory.
In operation 410, the first hypervisor 110 may install itself on a processor 220 (
In operation 820, the first hypervisor 110 may detect that the second hypervisor 130 has initialized a first virtual machine by examining a virtual memory table corresponding to the second hypervisor 130.
In operation 830, the first hypervisor 110 may determine addresses for locations of interest on the first virtual machine.
In operation 840, the first hypervisor 110 may generate a page fault condition. The page fault condition may indicate that an entry is missing in the virtual memory table. The page fault condition may cause the second hypervisor 130 to provide memory contents for memory at the location of interest. Generating the fault condition may comprise generating a virtual machine exit command. The method 400 may further comprise reading the memory contents responsive to receiving a notification that the second hypervisor 130 has re-entered the virtual machine.
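The monitoring flow described for computer 200 and restated as operations 310-330 and 820-840 (breakpoint at a kernel function address computed from the kernel root, pointer parameter read from the guest stack, EPT fault raised so the inner hypervisor pages the target in, then inspection), as an added C model that is not the patent's own code. Guest memory, the EPT and both hypervisors are simulated in-process with constructed values (kernel root 0x1000, symbol offset 0x40, a "sample.ko" buffer on a paged-out page), so it runs offline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define NPAGES    8u
#define INT3      0xCC   /* x86 one-byte software breakpoint opcode */
/* Constructed guest-physical memory and a toy EPT: ept_present[i] tells whether guest
 * page i is currently backed (paged in) by the inner (cloud) hypervisor. */
static uint8_t guest_mem[NPAGES * PAGE_SIZE];
static bool    ept_present[NPAGES];
static int     pagein_requests;   /* EPT faults the inner hypervisor has served */
typedef struct { uint32_t addr; uint8_t saved; } bp_t;   /* outer hypervisor's breakpoint */
/* Constructed guest state: kernel function stub at root 0x1000 + 0x40, a 32-bit pointer
 * argument on the guest stack at 0x1F00, and the pointed-to buffer on a paged-out page. */
static void reset_guest(void) {
    memset(guest_mem, 0, sizeof guest_mem);
    memset(ept_present, 0, sizeof ept_present);
    pagein_requests = 0;
    ept_present[0] = ept_present[1] = true;   /* kernel and stack pages are resident */
    guest_mem[0x1040] = 0x55;                 /* "push rbp": first byte of the function */
    uint32_t arg = 0x5010;                    /* lies on page 5, which is paged out */
    memcpy(&guest_mem[0x1F00], &arg, sizeof arg);
    memcpy(&guest_mem[arg], "sample.ko", 10);
}

/* Kernel function address = OS kernel root address + symbol offset read from OS data. */
static uint32_t kfunc_addr(uint32_t kernel_root, uint32_t sym_off) { return kernel_root + sym_off; }
static bp_t set_breakpoint(uint32_t addr) {
    bp_t bp = { addr, guest_mem[addr] };   /* save the original byte, then plant INT3 */
    guest_mem[addr] = INT3;
    return bp;
}
static void clear_breakpoint(const bp_t *bp) { guest_mem[bp->addr] = bp->saved; }
/* Model of the inner hypervisor serving an EPT violation: it pages the frame in. */
static void inner_hv_ept_fault(uint32_t gpa) { ept_present[gpa / PAGE_SIZE] = true; pagein_requests++; }
/* Outer hypervisor's breakpoint handler: read the first stack parameter, raise an EPT fault
 * for each page of the target range that is paged out (a second fault when the range crosses
 * into another paged-out page), then copy the resident bytes. Returns bytes copied or -1. */
static int inspect_on_breakpoint(uint32_t sp, uint8_t *out, size_t n) {
    uint32_t arg;
    memcpy(&arg, &guest_mem[sp], sizeof arg);
    if (n == 0 || arg > sizeof guest_mem - n) return -1;   /* range outside guest memory */
    for (uint32_t p = arg / PAGE_SIZE; p <= (arg + n - 1) / PAGE_SIZE; p++)
        if (!ept_present[p]) inner_hv_ept_fault(p * PAGE_SIZE);
    memcpy(out, &guest_mem[arg], n);
    return (int)n;
}
```

Once the page is resident a repeated hit at the same breakpoint costs no further EPT fault, which is the point of letting the inner hypervisor keep managing paging.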
The Abstract is provided to comply with 37 C.F.R. Section 1.72(b) requiring an abstract that will allow the reader to ascertain the nature and gist of the technical disclosure. It is submitted with the understanding that it will not be used to limit or interpret the scope or meaning of the claims. The following claims are hereby incorporated into the detailed description, with each claim standing on its own as a separate embodiment.