WO2025066589A1 - Host machine, virtualization instance introspection method, and storage medium - Google Patents
- Publication number: WO2025066589A1 (PCT/CN2024/111330)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- target
- security detection
- virtualization
- instance
- kernel
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/4557—Distribution of virtual machine instances; Migration and load balancing
- G06F2009/45583—Memory management, e.g. access or allocation
- G06F2009/45587—Isolation or security of virtual machine instances
- G06F2009/45595—Network integration; Enabling network access in virtual machine instances
Definitions
- the present disclosure relates to the technical field of cloud computing, and in particular to a host machine, a virtualization instance introspection method, and a storage medium.
- Virtual Machine Introspection is a method used in virtualized environments to enhance the security of virtual machines from outside the virtual machine. This technology can perform security operations such as antivirus and network firewall by directly scanning the memory and disk of the virtual machine while it is running and monitoring network behavior.
- the security detection software runs on the host machine outside the virtual machine. Compared with the traditional detection solution running inside the virtual machine, the security of the security detection software is no longer affected by the virtual machine environment. Even if the virtual machine is invaded, the security detection software can still execute normally based on the isolation between the host machine and the virtual machine. However, the isolation between the host machine and the virtual machine also increases the difficulty of implementing virtual machine introspection technology, which brings great challenges to the application of virtual machine introspection technology to enhance virtual machine security.
- Multiple aspects of the present disclosure provide a host machine, a virtualization instance introspection method, and a storage medium to implement virtualization instance introspection across a semantic gap.
- an embodiment of the present disclosure provides a host machine, on which a virtualization manager, a virtualization instance managed by the virtualization manager, and a security detection program located outside the virtualization instance are deployed; the virtualization manager provides a security detection service interface to the security detection program to interact with the security detection program;
- the virtualization manager is used to map the kernel address space of the virtualization instance to a target address space in the user state address space of the host machine, wherein the target address space stores kernel data and kernel functions corresponding to the virtualization instance;
- the virtualization manager is used to receive a security detection request sent by the security detection program, obtain a target data object associated with the security detection request from the target address space based on a memory mapping relationship between the kernel address space of the virtualization instance and the user state address space of the host machine, wherein the target data object includes at least part of the kernel data of the virtualization instance, and provide the target data object to the security detection program, so that the security detection program performs security detection on the virtualization instance based on the target data object.
- an embodiment of the present disclosure further provides a virtualization instance introspection method, which is applied to a virtualization manager deployed on a host machine, wherein a virtualization instance corresponding to the virtualization manager and a security detection program are also deployed on the host machine, and a kernel address space of the virtualization instance is mapped to a target address space in a user state address space of the host machine; the method comprises:
- receiving a security detection request sent by the security detection program; and obtaining, based on a memory mapping relationship between the kernel address space of the virtualized instance and the user state address space of the host machine, a target data object associated with the security detection request from the target address space, wherein the target data object includes at least part of the kernel data of the virtualized instance;
- the target data object is provided to the security detection program so that the security detection program performs security detection on the virtualization instance based on the target data object.
- an embodiment of the present disclosure further provides a virtualization instance introspection method, which is applied to a security detection program deployed on a host machine, wherein a virtualization manager and a virtualization instance are also deployed on the host machine, and a kernel address space of the virtualization instance is mapped to a target address space in a user state address space of the host machine; the method comprises:
- selecting a target virtualization instance introspection mode from a plurality of virtualization instance introspection modes, and generating a security detection request carrying an identifier of the target virtualization instance introspection mode;
- sending the security detection request to the virtualization manager, so that the virtualization manager obtains a target data object associated with the security detection request from the target address space based on the memory mapping relationship between the kernel address space of the virtualization instance and the user state address space of the host machine and the identifier of the target virtualization instance introspection mode, wherein the target data object includes at least part of the kernel data of the virtualization instance;
- receiving the target data object returned by the virtualization manager, and performing security detection on the virtualization instance according to the target data object.
- an embodiment of the present disclosure further provides an electronic device, which can be implemented as a host machine, on which a virtualization manager, a virtualization instance managed by the virtualization manager, and a security detection program located outside the virtualization instance are deployed; the virtualization manager provides a security detection service interface to the security detection program to interact with the security detection program;
- the electronic device also includes a memory and a processor; the memory stores the program code corresponding to the virtualization manager and the security detection program; the processor is coupled to the memory and is used to execute the program code corresponding to the virtualization manager to implement the steps of the virtualization instance introspection method provided in the second aspect of the present disclosure, and to execute the security detection program to implement the steps of the virtualization instance introspection method provided in the third aspect of the present disclosure.
- an embodiment of the present disclosure further provides a computer-readable storage medium storing computer instructions, which, when executed by one or more processors, causes the one or more processors to execute the steps in the above-mentioned virtualization instance introspection method.
- an embodiment of the present disclosure further provides a computer program product, including a computer program, which implements the steps in the above-mentioned virtualization instance introspection method when executed by a processor.
- the host machine's user-state address space can store the kernel data and kernel functions corresponding to the virtualized instance.
- the virtualization manager can obtain the kernel data associated with the security detection request from the host machine's user-state address space based on the memory mapping relationship between the kernel address space of the virtualized instance and the host machine's user-state address space, and provide it to a security detection program deployed on the host machine outside the virtualized instance. The security detection program thereby obtains the kernel data of the virtualized instance, that is, the semantics of the virtualized instance at the operating system level, which bridges the semantic gap between the host machine and the virtualized instance and realizes virtualized instance introspection across the semantic gap.
- FIG1 is a schematic diagram of the internal system structure of a host machine provided by an embodiment of the present disclosure
- FIGS. 2-4 are schematic diagrams of a virtualization instance introspection process provided by an embodiment of the present disclosure
- FIG5 is a flow chart of a virtualization instance introspection method provided by an embodiment of the present disclosure.
- FIG. 6 is a schematic diagram of the structure of an electronic device provided in an embodiment of the present disclosure.
- the kernel address space of the virtualized instance is mapped to the user state address space of the host machine, so that the user state address space of the host machine can store the kernel data and kernel functions corresponding to the virtualized instance.
- the virtualization manager can obtain the kernel data associated with the security detection request from the user state address space of the host machine based on the memory mapping relationship between the kernel address space of the virtualized instance and the user state address space of the host machine, and provide it to the security detection program deployed on the host machine outside the virtualized instance. The security detection program thereby obtains the kernel data of the virtualized instance, that is, the semantics of the virtualized instance at the operating system level, which crosses the semantic gap between the host machine and the virtualized instance and realizes introspection of the virtualized instance across the semantic gap.
- FIG1 is a schematic diagram of the internal system structure of a host machine provided by an embodiment of the present disclosure.
- the host machine S10 can be implemented as any computer device with computing, storage and other functions, such as a server or a terminal device.
- the terminal device can be a computer, a workstation or a mobile phone.
- a virtualization manager 10, a virtualization instance 20 managed by the virtualization manager 10, and a security detection program 30 located outside the virtualization instance are deployed on the host machine S10.
- the virtualization instance 20 refers to a virtual server deployed on the host machine using virtualization technology; multiple virtualization instances 20 on one host machine can provide different services.
- the virtualization instance 20 can be a virtual machine (VM), a container or a container group (such as a Pod).
- the virtualization instance 20 can also be called a guest.
- the host operating system is responsible for allocating hardware resources among multiple virtualization instances 20, making multiple virtualization instances 20 independent of each other.
- the host machine S10 is divided into a user state and a kernel state.
- the virtualization instance 20 and the virtualization manager 10 are deployed in the user state of the host machine S10.
- the kernel state and the user state are two different operating states of the operating system. In the kernel state, operating system code runs and the hardware can be operated directly; in the user state, only application programs run.
- the virtualization instance 20 can be divided into user state and kernel state.
- the user state address space of the virtualization instance 20 is used to store user state data of the virtualization instance 20.
- the kernel state address space of the virtualization instance 20 is used to store kernel state data corresponding to the virtualization instance 20, such as kernel data and kernel functions.
- the virtualization manager 10 is a computer program for managing the virtualization instance 20, which can be implemented as a software function module or a plug-in, etc.
- the virtualization manager 10 enables the operating system of the virtualization instance 20 to communicate with the (virtualized) hardware.
- the virtualization manager 10 is different depending on the implementation form of the virtualization instance 20.
- in operating system virtualization, the single operating system of the host S10 is divided into multiple containers, which are managed by a container manager. Multiple refers to two or more.
- the host operating system is responsible for allocating hardware resources among multiple containers so that multiple containers are independent of each other. Accordingly, the virtualization manager 10 is implemented as a container manager.
- in the other case, the underlying hardware resources are not divided; instead, a virtual machine manager (VMM) is installed on the host machine's operating system. The virtual layer exists as application-level software and does not involve the operating system kernel. The virtual layer simulates a set of independent hardware devices for each virtual machine, including processors, memory, motherboards, graphics cards and network cards, and a guest operating system is installed on them. Accordingly, the virtualization manager 10 is implemented as a VMM.
- the security detection program 30 refers to a computer program that performs security detection on the virtualized instance 20; it is deployed in the user state of the host machine, outside the virtualized instance 20, to realize virtualized instance introspection.
- virtualized instance introspection is a method applied in a virtualized environment to enhance the security of a virtualized instance from outside that instance. In this way, the security of the security detection program 30 is no longer affected by the virtualized environment. Even if the virtualized instance 20 is invaded, the isolation between the host machine and the virtualized instance 20 prevents the intrusion program from interfering with the security detection program 30, so the security detection program 30 can keep running normally, which improves its security.
- the isolation between the host and the virtualized instance also brings about the semantic gap problem, that is, the security detection program 30 in the host cannot know the internal semantics of the virtualized instance, which brings difficulties to the application of using virtualized instance introspection technology to enhance the security of the virtualized instance.
- the interface between the host and the virtualized instance consists of the registers and similar state related to the virtualization technology, which do not carry the operating-system-level semantics of the virtualized instance that the security detection program 30 wants; the security detection program 30 therefore cannot know the semantics of the virtualized instance at the operating system level. This is the semantic gap.
- the virtualization manager 10 maps the kernel address space of the virtualized instance to the target address space in the user state address space of the host machine S10. Specifically, during creation of the virtualized instance, the virtualization manager 10 can allocate the target address space to the virtualized instance from the free address space in the user state address space of the host machine S10, and establish a memory mapping relationship between the kernel address space of the virtualized instance and the target address space, so as to realize memory mapping between the kernel state address space of the virtualization instance 20 and the target address space in the user state address space of the host machine S10.
- the mapping between the kernel state address space of the virtualization instance 20 and the target address space in the user state address space of the host machine S10 is essentially a mapping of the data stored in the kernel state address space of the virtualization instance 20: that data becomes accessible through the target address space in the user state address space of the host machine S10. In this way, the target address space in the user state address space of the host machine S10 holds the kernel data and kernel functions corresponding to the virtualization instance 20.
- the virtualization manager 10 deployed in the user state of the host machine S10 can obtain the operating system-level semantics of the virtualization instance 20 from the target address space, that is, obtain the kernel data corresponding to the virtualization instance 20, thereby eliminating the semantic gap between the virtualization instance 20 and the host machine S10.
- the security detection program 30 may send a security detection request to the virtualization manager 10 according to the security detection requirements.
- the security detection request is used to request security detection of the virtualized instance 20.
- the virtualization manager 10 may receive the security detection request (corresponding to step 1 of FIG. 1 ).
- a security detection service interface 101 for the security detection program 30 may be set on the virtualization manager 10 to interact with the security detection program 30.
- the specific implementation form of the security detection service interface 101 is not limited.
- the security detection service interface 101 can be implemented as a remote procedure call (RPC) interface, a socket interface, or an application programming interface (API).
- when the security detection service interface 101 is implemented as an RPC interface, the security detection program 30 can call the security detection service interface 101 through RPC and send a security detection request to the virtualization manager 10 through the security detection service interface 101. Accordingly, the virtualization manager 10 can obtain the security detection request through the security detection service interface 101.
- the virtualization manager 10 may, in response to the security detection request, obtain the target data object associated with the security detection request from the target address space based on the memory mapping relationship between the kernel address space of the virtualization instance and the user state address space of the host machine.
- the target data object includes at least part of the kernel data of the virtualization instance 20.
- the kernel data included in the target data object may include kernel data directly read from the target address space, and may also include kernel data generated by the kernel function in the virtualization instance 20 in the process of responding to the security detection request, etc.
- the target object that the security detection request requests to monitor is different, and the target data object obtained is also different.
- the target object and the target data object are defined from different perspectives. From the perspective of the security detection program, the object that needs to be detected is called the target object; the related data obtained by monitoring the target object is called the target data object.
- for kernel data, the target object and the target data object can be the same kernel data; if, in some application scenarios, a request is made to monitor kernel functions, processes or threads, then these kernel functions, processes or threads are the target objects, and the related data they generate are the target data objects. In other words, the target object and the target data object may be the same or different.
- the target object can be implemented as the kernel data to be monitored, etc.
- the target data object can be implemented as the kernel data generated during the operation of the kernel function to be monitored, etc.
- the target objects that the security detection request requests to monitor differ, and so do the implementation methods for obtaining the target data object from the target address space. This will be described in detail in the following embodiments and is not described here.
- the virtualization manager 10 may provide the target data object to the security detection program 30. Specifically, the virtualization manager 10 may provide the target data object to the security detection program 30 through the security detection service interface 101.
- the virtualization manager 10 may convert the target data object into a target protocol format supported by the security detection service interface 101 ; and provide the target data object in the target protocol format to the security detection program 30 through the security detection service interface 101 .
- when the security detection service interface 101 is an RPC interface, the target protocol format supported by the security detection service interface 101 is the RPC protocol format. The virtualization manager 10 can convert the target data object into the RPC protocol format and provide the target data object in the RPC protocol format to the security detection program 30 through the security detection service interface 101.
- when the security detection service interface 101 is a socket interface, the target protocol format supported by the security detection service interface 101 is the socket protocol format. The virtualization manager 10 can convert the target data object into the socket protocol format and provide it to the security detection program 30 through the security detection service interface 101.
- the security detection program 30 can perform security detection on the virtualized instance 20 based on the target data object.
- the specific implementation method of the security detection on the virtualized instance 20 is different depending on the target object monitored by the security detection request, which will be described in detail in the following embodiments and will not be repeated here.
- the host machine's user state address space stores the kernel data and kernel functions corresponding to the virtualized instance.
- the virtualization manager can obtain the kernel data associated with the security detection request from the host machine's user state address space based on the memory mapping relationship between the kernel address space of the virtualized instance and the user state address space of the host machine, and provide that kernel data to a security detection program deployed on the host machine outside the virtualized instance. The security detection program thereby obtains the kernel data of the virtualized instance, that is, the semantics of the virtualized instance at the operating system level, which bridges the semantic gap between the host machine and the virtualized instance and realizes virtualized instance introspection across the semantic gap.
- the specific implementation method of the virtualization manager obtaining the target data object associated with the security detection request from the target address space in the user mode address space of the host machine is exemplarily described below.
- when the target object that the security detection request requests to monitor is specific kernel data (defined as target kernel data), the target data object can be that target kernel data.
- for example, the target data object can be the structure used to describe a process, and the specific attributes of it, that are required to execute a query process command.
- the structure used to describe a process is loaded in memory and contains information about the process, including the process number (PID), the process name (comm), the process state (state), the process running time and the process memory management information.
- the address of the structure describing the next process can be obtained through the next pointer in the tasks (list_head) member of the current process's structure, and the structures describing all processes can be found by traversing the list in sequence.
- for example, the query process command can be the ps command, and the structure used to describe the process is task_struct.
- the security detection program 30 can determine the target kernel data to be monitored according to the actual detection requirements; and encapsulate the identifier of the target kernel data into the security detection request.
- the security detection request can be sent to the virtualization manager 10 (corresponding to step 1 in FIG2 ).
- the virtualization manager 10 can create a thread module 102 in response to the security detection request; the thread module 102 is used to obtain the kernel data that the security detection request requests to monitor. Further, the virtualization manager 10 can provide the security detection request to the thread module 102 (corresponding to step 2 in FIG2).
- based on the memory mapping relationship between the kernel state address space of the virtualization instance and the user state address space of the host machine, the thread module 102 can obtain the target kernel data monitored by the security detection request from the target address space as the target data object (corresponding to step 3 of FIG2).
- the thread module 102 can obtain the identifier of the kernel data to be monitored from the security detection request; and based on the memory mapping relationship between the kernel state address space of the above-mentioned virtualization instance and the user state address space of the host machine, obtain the kernel data corresponding to the identifier of the kernel data to be monitored from the target address space as the target kernel data to be monitored by the security detection request, that is, as the target data object.
- the thread module 102 can access the target address space based on the memory mapping relationship between the kernel state address space of the above-mentioned virtualization instance and the user state address space of the host machine; and directly obtain the target kernel data requested to be monitored by the security detection request from the target address space as the target data object.
- the thread module 102 can also execute the kernel function for data extraction corresponding to the virtualization instance (which can be recorded as the first kernel function); and based on the memory mapping relationship between the kernel state address space of the above-mentioned virtualization instance and the user state address space of the host machine, control the kernel function for data extraction from the target address space to obtain the target kernel data requested to be monitored by the security detection request as the target data object.
- the thread module 102 may provide the target kernel data that the security detection request requests to monitor to the security detection program 30 (corresponding to steps 4 and 5 of FIG2). Specifically, the thread module 102 may convert that target kernel data into the target protocol format supported by the security detection service interface 101 and provide it in the target protocol format to the security detection program 30 through the security detection service interface 101. The security detection program 30 may receive the target kernel data in the target protocol format and parse it to obtain the target kernel data that the security detection request requests to monitor. Further, the security detection program 30 may perform security detection on the virtualization instance 20 based on that target kernel data (corresponding to step 6 of FIG2).
- the security detection program 30 may perform integrity and accuracy verification on the target kernel data monitored by the security detection request; if that target kernel data passes the integrity and accuracy verification, the target kernel data in the virtualization instance 20 passes the security detection.
- if the target kernel data monitored by the security detection request in the virtualization instance 20 fails the security detection, the virtualization instance 20 fails the security detection and may have been invaded. For example, as shown in FIG2, the virtualization instance 20 is invaded by malicious application B.
- the virtualization instance introspection mode shown in the above embodiment can be defined as a first virtualization instance introspection mode.
- the security detection program actively scans the kernel state memory of the virtualization instance, that is, the kernel of the virtualization instance does not actively report the target data object; from the perspective of the virtualization instance, this is a passive virtualization instance introspection.
- This virtualization instance introspection mode has little impact on the service performance of the virtualization instance, and is suitable for situations where the virtualization instance has high requirements for service performance, that is, the virtualization instance is more sensitive to service performance.
- the following takes the kernel data monitored by the security detection request as the kernel data required by the query process command (such as the PS command) as an example to exemplify the above-mentioned first virtualization instance introspection mode.
- the required kernel data may include: a structure for describing the process (such as a task_struct list) and specific attributes, etc.
- the security detection request may include: an identifier of the kernel data required for the query process command (such as a PS command).
- the thread module 102 can obtain the identifier of the kernel data required by the query process command (such as the PS command) from the security detection request; and, according to that identifier and based on the memory mapping relationship between the kernel state address space of the above virtualization instance and the user state address space of the host machine, obtain a structure describing a process (such as a task_struct list) from the target address space. Starting from this structure, it traverses the structures describing all processes in the target address space (such as the task_struct list), and obtains from the target address space the structures describing all processes in the virtualization instance together with the specific attributes of all processes.
- the thread module 102 may provide the structures used to describe the processes and the specific attributes of all processes to the security detection program 30.
- the security detection program 30 may perform security detection on the virtualized instance based on the structures used to describe the processes and the specific attributes of all processes.
- the first virtualization instance introspection mode shown in the above embodiment is only an illustrative description and does not constitute a limitation.
- the embodiment of the present disclosure also provides another virtualization instance introspection mode, which is defined as the second virtualization instance introspection mode.
- the second virtualization instance introspection mode is an active virtualization instance introspection mode, that is, the virtualization instance can report the relevant behavior and data of the virtualization instance to the security detection program in a timely manner through the virtualization manager.
- the security detection program can perform security detection on the virtualization instance based on the relevant content actively reported by the virtualization instance through the virtualization manager.
- the second virtualization instance introspection mode is described in detail below.
- the security detection program 30 may request to detect a specific kernel function (defined as a target kernel function) according to the security detection requirements.
- the specific kernel function may be a process management function, such as a kernel function for creating a new process, a kernel function for creating a child process in a parent process, etc.
- the kernel function for creating a new process may be a do_fork() function; the kernel function for creating a child process in a parent process may be an execve() function, etc.
- the security detection program 30 may encapsulate the identifier of the target kernel function requested to be monitored in a security detection request; and send the security detection request to the virtualization manager 10 (corresponding to step 1 in FIG3 ).
- for the implementation of the security detection program 30 sending the security detection request to the virtualization manager 10, please refer to the relevant content of the above-mentioned embodiment, which will not be repeated here.
- the virtualization manager 10 may create another thread module 103 in response to the security detection request (corresponding to step 2 of FIG. 3 ).
- the thread module 102 created in the introspection mode of the first virtualization instance is defined as the first thread module; the thread module 103 created in this embodiment is defined as the second thread module.
- the second thread module 103 may mount a hook function on the target kernel function that the security detection request requests to monitor (corresponding to step 3 of FIG. 3 ).
- the hook function may sense certain events during the operation of the target kernel function and notify the second thread module 103. For example, it may sense that the target kernel function is executed and notify the second thread module 103 of that execution; or it may sense that the target kernel function calls a certain function, accesses the target address space, or creates a certain thread during its operation, and notify the second thread module 103 accordingly.
- the events that the hook function needs to sense can be flexibly set according to application requirements, and there is no limitation on this.
- the hook function may be mounted in real time by the second thread module 103, or may be pre-mounted by the second thread module 103 during the execution of other security detection requests.
- the identifier of the target kernel function requested for monitoring, the identifier of the tracepoint in the target kernel function for mounting the hook function, and the identifier of the hook function can be determined according to the actual security detection requirements. Further, the security detection program 30 can encapsulate the identifier of the target kernel function, the identifier of the tracepoint in the target kernel function for mounting the hook function, and the identifier of the hook function into a security detection request; and send the security detection request to the virtualization manager 10.
- the second thread module 103 created by the virtualization manager 10 can obtain the target
- the second thread module 103 may download the code of the hook function from the code library based on the identifier of the hook function.
- the second thread module 103 can locate the code of the target kernel function in the target address space based on the memory mapping relationship between the kernel state address space of the above-mentioned virtualization instance and the user state address space of the host machine and the identifier of the target kernel function; and determine the tracepoint in the code of the target kernel function according to the identifier of the tracepoint; thereafter, the code of the hook function can be used to modify the code of the target kernel function at the tracepoint in the target address space, thereby mounting the above-mentioned hook function on the tracepoint of the target kernel function.
- the hook function can sense the set event during the operation of the target kernel function and notify the second thread module 103. Accordingly, the second thread module 103 can obtain the kernel data generated during the operation of the target kernel function from the target address space based on the memory mapping relationship between the kernel state address space of the virtualization instance and the user state address space of the host machine, as the target data object (corresponding to step 4 of FIG. 3 ), when the hook function issues a notification during the operation of the target kernel function.
- the generated kernel data can be stored in the kernel state address space of the virtualization instance; the virtualization manager 10 can map the kernel data generated by the target kernel function in the kernel state address space of the virtualization instance during the operation to the target address space in the user state address space of the host machine. Therefore, the target address space stores the kernel data generated by the target kernel function during the operation.
- the second thread module 103 running in the user state of the host machine can obtain the kernel data generated by the target kernel function during the operation from the target address space as the target data object based on the memory mapping relationship between the kernel state address space of the virtualization instance and the user state address space of the host machine.
- when the target kernel function is a process management function, the hook function can notify the second thread module 103 that the process management function is executed, during the operation of the process management function.
- the second thread module 103 can respond to the notification issued by the hook function, based on the memory mapping relationship between the kernel state address space of the virtualization instance and the user state address space of the host machine, and obtain the kernel data of the target process managed during the operation of the process management function from the target address space as the target data object.
- the kernel data of the target process includes but is not limited to: process number (PID), process name, process state (State), process running time, process memory management information and context data, etc.
- Context data refers to the data in the register of the processor when the process is executed.
- when the process management function is a kernel function for creating a new process, such as a do_fork() function, the hook function can notify the second thread module 103 that the kernel function for creating a new process is executed, during the execution of that kernel function in the virtualized instance.
- the second thread module 103 can obtain the kernel data of the new process created during the execution of the kernel function for creating a new process as the target data object in response to the notification of the hook function.
- the second thread module 103 may provide the kernel data generated by the target kernel function during operation to the security detection program 30 (corresponding to steps 5 and 6 of FIG. 3 ).
- the security detection program 30 may perform security detection on the virtualized instance based on the kernel data generated by the target kernel function during operation (corresponding to step 7 of FIG. 3 ).
- the security detection program 30 can extract features from the kernel data generated during the operation of the target kernel function to obtain kernel data features; and use a pre-trained malicious program detection model to perform security detection on the kernel data features to identify whether the virtualized instance is invaded by a malicious program. The malicious program detection model is trained with training samples consisting of the kernel data generated during operation by the kernel functions of a virtualized instance after that instance has been invaded by a malicious program.
- the virtualization manager can mount a hook function on the target kernel function of the monitored virtualization instance, and use the hook function to actively notify the virtualization manager that the target kernel function is run.
- the second thread module in the virtualization manager can timely obtain the kernel data generated during the operation of the target kernel function, and timely feed it back to the security detection program for security detection, which helps to improve the timeliness of the virtualization instance security detection. Therefore, the above second virtualization instance introspection mode is suitable for situations where the timeliness of virtualization instance security detection is required to be high, that is, situations that are sensitive to the timeliness of virtualization instance security detection.
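As an added example (not code from the patent or the applicant), the passive traversal of the process list described for the first mode and the hook notification path of the second mode, in Python. A constructed host buffer stands in for the target address space, with the guest's kernel-state addresses mapped onto it by a fixed offset; the task record layout, the guest base address, the `do_fork` notification format and the JSON protocol format are all assumptions for this example, not the Linux layout or the patent's interface. It also adds the next/prev consistency check that the integrity verification of the kernel data calls for.

```python
"""Added example (not code from the patent): host-side reading of a guest's
kernel process list through a guest-kernel -> host-user-space memory mapping.

The task record layout, the addresses and the hook notification are
constructed for this example; they are not the real Linux layout.
"""
import json
import struct

# Constructed, simplified task record layout (hypothetical, not Linux's):
#   0: pid (u32)   4: state (u32)   8: comm (16 bytes)
#  24: tasks.next (u64 guest VA of the next record's `tasks` field)
#  32: tasks.prev (u64 guest VA of the previous record's `tasks` field)
TASK_FMT = "<II16sQQ"
TASK_SIZE = struct.calcsize(TASK_FMT)   # 40 bytes
TASKS_OFFSET = 24

GUEST_KERNEL_BASE = 0xFFFF_8000_0000_0000   # constructed guest kernel VA base


class TargetAddressSpace:
    """The 'target address space': a host user-space buffer onto which the
    guest's kernel-state address space is mapped. The mapping relationship
    assumed here is host offset = guest VA - GUEST_KERNEL_BASE."""

    def __init__(self, size):
        self.mem = bytearray(size)

    def host_offset(self, guest_va, n):
        off = guest_va - GUEST_KERNEL_BASE
        if not 0 <= off <= len(self.mem) - n:
            raise ValueError(f"guest VA {guest_va:#x} is outside the mapped range")
        return off

    def read(self, guest_va, n):
        off = self.host_offset(guest_va, n)
        return bytes(self.mem[off:off + n])

    def write(self, guest_va, data):
        off = self.host_offset(guest_va, len(data))
        self.mem[off:off + len(data)] = data


def read_task(space, task_va):
    """Decode one task record at guest VA `task_va` (bridging the semantic gap)."""
    pid, state, comm, nxt, prv = struct.unpack(TASK_FMT, space.read(task_va, TASK_SIZE))
    return {"addr": task_va, "pid": pid, "state": state,
            "comm": comm.split(b"\0", 1)[0].decode(), "next": nxt, "prev": prv}


def list_processes(space, init_task_va, limit=4096):
    """First (passive) mode: walk the circular task list like `ps` would,
    starting from the init task. `limit` guards against a corrupted list."""
    tasks, cur = [], init_task_va
    for _ in range(limit):
        t = read_task(space, cur)
        tasks.append(t)
        cur = t["next"] - TASKS_OFFSET          # container_of(tasks.next)
        if cur == init_task_va:
            return tasks
    raise RuntimeError("task list does not terminate; possible corruption")


def verify_task_list(space, init_task_va):
    """Integrity check on the kernel data: each node's successor must link
    back to it (next->prev == self). Returns True when the list is consistent."""
    for t in list_processes(space, init_task_va):
        nxt = read_task(space, t["next"] - TASKS_OFFSET)
        if nxt["prev"] != t["addr"] + TASKS_OFFSET:
            return False
    return True


def on_hook_notification(space, event):
    """Second (active) mode: the hook on the process-creation function reported
    an event; pull the new process's kernel data from the mapped space and
    encode it in the interface's protocol format (JSON assumed)."""
    if event["function"] != "do_fork":
        return None
    t = read_task(space, event["new_task"])
    return json.dumps({"event": event["function"], "pid": t["pid"],
                       "comm": t["comm"], "state": t["state"]})


def build_sample_guest():
    """Constructed guest memory: the init task plus two processes in a circular list."""
    space = TargetAddressSpace(0x1000)
    addrs = [GUEST_KERNEL_BASE + 0x100 + i * TASK_SIZE for i in range(3)]
    procs = [(0, 0, b"swapper"), (1, 0, b"systemd"), (4242, 1, b"sshd")]
    for i, (pid, state, comm) in enumerate(procs):
        nxt = addrs[(i + 1) % 3] + TASKS_OFFSET
        prv = addrs[(i - 1) % 3] + TASKS_OFFSET
        space.write(addrs[i], struct.pack(TASK_FMT, pid, state, comm, nxt, prv))
    return space, addrs


if __name__ == "__main__":
    space, addrs = build_sample_guest()
    for t in list_processes(space, addrs[0]):
        print(t["pid"], t["comm"])
    print("list consistent:", verify_task_list(space, addrs[0]))
    print(on_hook_notification(space, {"function": "do_fork", "new_task": addrs[2]}))
```

The consistency check is the kind of verification the passive mode lends itself to: because the manager reads the guest's kernel memory directly rather than asking the guest, a list whose forward and backward links disagree is visible from the host even when the guest's own tools would not report it.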
- the security detection logic of the security detection program in the first virtualization instance introspection mode and the second virtualization instance introspection mode provided in the above embodiments runs outside the virtualization manager 10.
- the virtualization manager 10 and the security detection program 30 need to interact through the security detection service interface 101.
- the interaction between the virtualization manager 10 and the security detection program 30 is also more complex, which affects the security detection speed.
- the embodiment of the present disclosure also provides another virtualized instance introspection mode, which is defined as the third virtualized instance introspection mode.
- the security detection logic that runs inside the virtual machine in the traditional solution is "sunk" into the virtualization manager 10 of the host machine, with the same result as if the security detection logic ran in the virtualized instance.
- the following is a detailed description.
- the security detection program 30 can determine the security detection logic agreed in advance with the virtualization manager 10 according to the actual security detection requirements.
- the security detection logic runs in the virtualization manager 10 in the form of a thread. Accordingly, the security detection program 30 can determine the target security detection thread to be monitored according to the actual security detection requirements; and encapsulate the identifier of the target security detection thread into the security detection request. Further, the security detection program 30 can send the security detection request to the virtualization manager 10 (corresponding to step 1 in FIG4 ).
- the virtualization manager 10 may create another thread module 104 (defined as a third thread module) (corresponding to step 2 in FIG. 4 ).
- the third thread module 104 may create a target security detection thread 105 (corresponding to step 3 in FIG. 4 ) for monitoring by the security detection request.
- the target security detection thread 105 may run as a user state program on the operating system of the virtualization instance 20, based on the pre-packaged system call interface of the virtualization instance (corresponding to step 4 in FIG. 4 ).
- the target security detection thread 105 looks like a thread running in the user state of the virtualization instance, that is, it looks like the target security detection thread agent running in the user state of the virtualization instance in FIG. 4 .
- the system call interface of the pre-packaged virtualization instance may be a syscall interface, such as a fork() interface for creating a new process, an execv() interface for creating a child process in a parent process, etc.
- since the target security detection thread 105 runs as a user-mode program on the operating system of the virtualization instance 20, based on the pre-packaged system call interface of the virtualization instance, it can access the user-mode address space of that operating system. Therefore, the target security detection thread can obtain the kernel data it is concerned about from the target address space based on the memory mapping relationship between the kernel-mode address space of the virtualization instance and the user-mode address space of the host machine.
- the kernel data that the target security detection thread 105 is concerned about is determined by the security detection logic of the thread itself. For example, if the target security detection thread 105 is used to monitor specific kernel data of a virtualized instance, the kernel data it monitors can be obtained from the target address space, based on the memory mapping relationship between the kernel state address space of the virtualized instance and the user state address space of the host machine, as the kernel data that the target security detection thread 105 is concerned about. For another example, if the target security detection thread 105 is used to monitor a specific kernel function corresponding to the virtualization instance, the target security detection thread 105 can obtain the kernel data generated during the running of the monitored kernel function from the target address space, based on the same memory mapping relationship, as the kernel data that the target security detection thread 105 is concerned about.
- for example, the security detection logic of the target security detection thread is to run a periodic monitoring (Watch) program. The Watch program periodically executes a command and displays its result; for instance, the load information of the CPU can be refreshed at a specified time interval. In this case, the kernel data that the target security detection thread focuses on is the load information of the CPU of the virtualized instance.
- the target security detection thread 105 may output the obtained kernel data of interest. Accordingly, the third thread module 104 may obtain the data output by the target security detection thread 105 as the target data object (corresponding to step 5 in FIG. 4 ). The data output by the target security detection thread 105 is the kernel data of interest to the target security detection thread 105.
- the third thread module 104 can provide the kernel data concerned by the target security detection thread 105 to the security detection program 30 (corresponding to steps 6 and 7 in FIG. 4 ).
- the security detection program 30 can perform security detection on the virtualization instance 20 based on the kernel data concerned by the target security detection thread 105 (corresponding to step 8 in FIG. 4 ).
- when the kernel data that the target security detection thread 105 is concerned about is specific kernel data of the virtualization instance, the virtualization instance 20 can be security-checked based on that specific kernel data; for the specific security detection method, refer to the relevant content of the above-mentioned first virtualization instance introspection mode, which will not be repeated here.
- when the kernel data that the target security detection thread 105 is concerned about is the kernel data generated during the operation of a specific kernel function of the virtualization instance, the virtualization instance 20 can be security-checked based on the kernel data generated during the operation of that kernel function; for the specific security detection method, refer to the relevant content of the above-mentioned second virtualization instance introspection mode, which will not be repeated here.
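As an added example (not code from the patent or the applicant), the third mode's periodic watch of CPU load, in Python: the detection logic runs as a sampling loop in the manager, reads constructed per-CPU counters through a reader that stands in for the target address space, and emits one line per round, which the third thread module collects as the target data object and the security detection program parses. The per-CPU record layout, the base address, the JSON field names and the overload threshold are all assumptions for this example.

```python
"""Added example, not code from the patent: the third introspection mode as a
periodic 'watch' of per-CPU load, with the detection logic running in the
manager and reading the guest's kernel data through the mapped address space.

Constructed layout (hypothetical, not Linux's kernel_cpustat): per CPU, two
little-endian u64 counters, busy_ticks then total_ticks.
"""
import json
import struct
import time

CPU_STAT_FMT = "<QQ"                     # busy_ticks, total_ticks (constructed layout)
CPU_STAT_SIZE = struct.calcsize(CPU_STAT_FMT)


def read_cpu_stats(read, base_va, ncpu):
    """Read the per-CPU counter records starting at guest VA `base_va`.
    `read(va, n)` is the reader over the target address space."""
    return [struct.unpack(CPU_STAT_FMT, read(base_va + i * CPU_STAT_SIZE, CPU_STAT_SIZE))
            for i in range(ncpu)]


def watch_cpu_load(read, base_va, ncpu, rounds, interval_s=1.0, sleep=time.sleep):
    """Target security detection thread: like `watch`, sample the counters every
    `interval_s` seconds for `rounds` rounds and yield one output line per round.
    Load of a CPU over an interval = delta(busy_ticks) / delta(total_ticks).
    `sleep` is injectable so the loop can be driven deterministically."""
    prev = read_cpu_stats(read, base_va, ncpu)
    for rnd in range(rounds):
        sleep(interval_s)
        cur = read_cpu_stats(read, base_va, ncpu)
        loads = []
        for (pb, pt), (cb, ct) in zip(prev, cur):
            dt = ct - pt
            loads.append(round((cb - pb) / dt, 3) if dt > 0 else 0.0)
        prev = cur
        # Output in the interface's protocol format (JSON assumed).
        yield json.dumps({"round": rnd, "cpu_load": loads})


def collect_thread_output(lines):
    """Third thread module: capture what the detection thread outputs as the
    target data object to forward to the security detection program."""
    return list(lines)


def flag_overloaded(output, threshold=0.9):
    """Security detection program: parse the forwarded lines and report the
    (round, cpu) pairs whose load reached `threshold`."""
    hits = []
    for line in output:
        rec = json.loads(line)
        hits.extend((rec["round"], cpu) for cpu, load in enumerate(rec["cpu_load"])
                    if load >= threshold)
    return hits


def build_sample_memory(ncpu=2, base_va=0x1000):
    """Constructed stand-in for the target address space. Returns a reader
    (guest VA -> bytes) and a setter the caller uses to advance the counters."""
    mem = bytearray(ncpu * CPU_STAT_SIZE)

    def read(va, n):
        off = va - base_va
        if not 0 <= off <= len(mem) - n:
            raise ValueError(f"read at {va:#x} is outside the mapped range")
        return bytes(mem[off:off + n])

    def set_counters(stats):
        for i, (busy, total) in enumerate(stats):
            mem[i * CPU_STAT_SIZE:(i + 1) * CPU_STAT_SIZE] = struct.pack(CPU_STAT_FMT, busy, total)

    return read, set_counters


if __name__ == "__main__":
    read, set_counters = build_sample_memory()
    set_counters([(100, 1000), (500, 1000)])
    # Drive the watch with a fake clock that advances the guest's counters.
    states = [[(150, 1100), (600, 1100)], [(160, 1200), (610, 1200)]]
    output = collect_thread_output(
        watch_cpu_load(read, 0x1000, 2, rounds=2, sleep=lambda _s: set_counters(states.pop(0))))
    print("\n".join(output))
    print("overloaded:", flag_overloaded(output))
```

Keeping the sampling loop and the threshold logic on opposite sides of the service interface mirrors the split the page describes: the thread in the manager only reads and reports, and the policy decision stays in the security detection program.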
- the three virtualization instance introspection modes each have their own advantages and disadvantages.
- one of the three virtualization instance introspection modes can be adopted for implementation.
- it can also be implemented in combination with multiple of the three virtualization instance introspection modes.
- it can be implemented in combination with any two of the three virtualization instance introspection modes, and of course it can also be implemented in combination with three.
- the multiple virtualization instance introspection modes can complement one another, each offsetting the weaknesses of the others with its strengths, and improve the performance of virtualization instance security detection.
- the security detection program 30 may determine which virtualization instance introspection mode to use during online security detection. Specifically, the security detection program 30 may determine the target virtualization instance introspection mode from multiple virtualization instance introspection modes according to the security detection requirements for performing security detection on the virtualization instance 20; and generate a security detection request according to the identifier of the target virtualization instance introspection mode and send it to the virtualization manager.
- the security detection requirement for performing security detection on the virtualized instance 20 may be determined by the user or by the security detection logic of the security detection program 30.
- the security detection requirement for performing security detection on the virtualized instance 20 may include at least one of: service performance requirements of the virtualized instance during the entire detection process, timeliness requirements of security detection, and logic complexity of the security detection thread for performing security detection on the virtualized instance.
- the above first virtualization instance introspection mode is less invasive to the virtualization instance and has less impact on its service performance. Therefore, the first virtualization instance introspection mode is suitable for the situation where the virtualization instance is more sensitive to service performance; accordingly, when the security detection requirement indicates that the virtualization instance is more sensitive to service performance, the target virtualization instance introspection mode is determined to be the first virtualization instance introspection mode.
- the security detection program 30 can determine that the target virtualization instance introspection mode is the second virtualization instance introspection mode when the security detection requirement indicates that the virtualization instance is more sensitive to the timeliness of security detection.
- the security detection program 30 can determine that the target virtualization instance introspection mode is the third virtualization instance introspection mode when the security detection requirement indicates that the logic complexity of the security detection of the virtualization instance is the set logic complexity. Further, in this case, the type of the target object can be determined as a security detection thread that performs security detection on the virtualization instance.
- the disclosed embodiment does not limit the specific complexity of the "set logic complexity" and can be flexibly set according to application requirements.
- the security detection requirement may also include description information of the target object and the type of the target object.
- the security detection program 30 may also determine the identifier of the target object according to the description information of the target object and the type of the target object included in the security detection requirement; and generate a security detection request according to the identifier of the target object and the identifier of the target virtualization instance introspection mode. Furthermore, the security detection program 30 may provide the security detection request to the virtualization manager 10.
- the virtualization manager 10 can obtain the identifier of the target virtualization instance introspection mode from the security detection request; and create a target thread module corresponding to the target virtualization instance introspection mode according to the identifier of the target virtualization instance introspection mode.
- the target virtualization instance introspection mode is at least one virtualization instance introspection mode selected and used from a plurality of virtualization instance introspection modes by the security detection program according to the security detection requirements for security detection of the virtualization instance, and different virtualization instance introspection modes correspond to different thread modules.
- the thread module corresponding to the first virtualization instance introspection mode is the first thread module; the thread module corresponding to the second virtualization instance introspection mode is the second thread module; and the thread module corresponding to the third virtualization instance introspection mode is the third thread module.
- the target virtualization instance introspection mode may be one or more. Multiple means two or more.
- the specific number of the target virtualization instance introspection modes is determined by the security detection requirements for the security detection of the virtualization instance 20. For example, if the security detection requirements for the security detection of the virtualization instance 20 indicate that the virtualization instance is more sensitive to service performance and is also more sensitive to the timeliness of security detection, then the target virtualization instance introspection mode is determined to be the first virtualization instance introspection mode and the second virtualization instance introspection mode.
- the virtualization manager 10 can determine that the target thread module to be created includes the first thread module and the second thread module according to the identifier of the target virtualization instance introspection mode, and then simultaneously control the first thread module to obtain the kernel data requested to be monitored by the security detection request from the target address space based on the memory mapping relationship as the target data object, and control the second thread module to obtain the kernel data generated by the target kernel function during the operation as the target data object by using the hook function mounted on the kernel function of the virtualization instance.
- the target thread module can obtain the identifier of the target object from the security detection request; and based on the memory mapping relationship between the kernel state address space of the above virtualization instance and the user state address space of the host machine, obtain the target data object associated with the identifier of the target object from the target address space.
- when the type of the target object is kernel data, the target data object associated with the identifier of the target object includes the target kernel data monitored by the security detection request.
- when the type of the target object is a target kernel function, the target data object associated with the identifier of the target object includes the kernel data generated during the operation of the target kernel function monitored by the security detection request.
- the type of the target object includes the type of target security detection thread, and the target data object associated with the identifier of the target object includes the kernel data concerned by the target security detection thread.
- the specific implementation method of obtaining the target data object associated with the identification of the target object from the target address space can be referred to the relevant content in the above embodiments, which will not be repeated here.
- the multiple virtualization instance introspection modes can complement one another, each offsetting the weaknesses of the others with its strengths, and improve the performance of virtualization instance security detection.
- the embodiment of the present disclosure also provides a virtualization instance introspection method.
- the virtualization instance introspection method provided by the embodiment of the present disclosure is exemplarily described below.
- FIG5 is a flow chart of a virtualization instance introspection method provided by an embodiment of the present disclosure.
- the virtualization instance introspection method is applicable to a virtualization manager deployed on a host machine.
- the host machine is also deployed with a virtualization instance managed by the virtualization manager and a security detection program located outside the virtualization instance, and the kernel address space of the virtualization instance is mapped to a target address space in the user state address space of the host machine.
- the virtualization instance introspection method mainly includes:
- the virtualization instance and the virtualization manager are deployed in the user state of the host machine.
- the virtualization instance can be divided into user state and kernel state.
- the user state address space of the virtualization instance is used to store the user state data of the virtualization instance.
- the kernel state address space of the virtualization instance is used to store the kernel state data corresponding to the virtualization instance, such as kernel data and kernel functions.
- for the virtualization manager, virtualization instance and security detection program, please refer to the relevant content of the above host machine embodiment, which will not be repeated here.
- the security detection program is deployed in the user state of the host machine outside the virtualized instance to realize the introspection of the virtualized instance. In this way, the security of the security detection program is no longer affected by the virtualized environment. Even if the virtualized instance is invaded, based on the isolation between the host machine and the virtualized instance, the intrusion program cannot interfere with the security detection program, so that the security detection program can run normally, which improves the security of the security detection program.
- the isolation between the host machine and the virtualized instance also brings about the semantic gap problem, that is, the security detection program in the host machine cannot know the internal semantics of the virtualized instance, which brings difficulties to the application of using virtualized instance introspection technology to enhance the security of virtualized instances.
- the virtualization manager maps the kernel address space of the virtualized instance to the target address space in the user state address space of the host machine.
- the target address space can be allocated to the virtualized instance from the free address space in the user state address space of the host machine; and a memory mapping relationship between the kernel address space of the virtualized instance and the target address space is established to realize the memory mapping between the kernel address space of the virtualized instance and the target address space in the user state address space of the host machine.
- the mapping between the kernel state address space of the virtualized instance and the target address space in the user state address space of the host machine is essentially a mapping of the data stored in the kernel state address space of the virtualized instance: by mapping the kernel state address space of the virtualized instance to the target address space, the data stored in that kernel state address space (such as the kernel data and kernel functions corresponding to the virtualized instance) becomes available in the target address space in the user address space of the host machine. In this way, the target address space in the user address space of the host machine holds the kernel data and kernel functions corresponding to the virtualized instance.
- the virtualization manager deployed in the user state of the host machine can obtain the operating system-level semantics of the virtualization instance from the target address space, that is, obtain the kernel data corresponding to the virtualization instance, thereby eliminating the semantic gap between the virtualization instance and the host machine.
- the security detection program can send a security detection request to the virtualization manager according to the security detection requirement.
- the security detection request is used to request security monitoring of the virtualized instance.
- the security detection request can be received.
- a security detection service interface for the security detection program can be set on the virtualization manager to interact with the security detection program.
- the security detection service interface can be implemented as an RPC interface, a socket interface or an API, etc.
- when the security detection service interface is implemented as an RPC interface:
- the security detection program can call the security detection service interface through the RPC method, and send a security detection request to the virtualization manager through the security detection service interface. Accordingly, the virtualization manager can obtain the security detection request through the security detection service interface.
- in response to the security detection request, the target data object associated with the security detection request can be obtained from the target address space based on the memory mapping relationship between the kernel address space of the virtualization instance and the user state address space of the host machine.
- the target data object includes at least part of the kernel data of the virtualization instance.
- the kernel data included in the target data object may include kernel data directly read from the target address space, and may also include kernel data generated by the virtualization instance in the process of responding to the security detection request, etc.
- the target data object may be provided to the security detection program.
- the target data object may be provided to the security detection program through a security detection service interface.
- the target data object may be converted into a target protocol format supported by a security detection service interface; and the target data object in the target protocol format may be provided to a security detection program through the security detection service interface.
- the security detection program can perform security detection on the virtualized instance based on the target data object.
- the host machine's user state address space stores the kernel data and kernel functions corresponding to the virtualized instance.
- the virtualization manager can obtain the kernel data associated with the security detection request from the host machine's user state address space based on the memory mapping relationship between the kernel address space of the virtualized instance and the user state address space of the host machine, and provide the kernel data associated with the security detection request to a security detection program deployed on the host machine outside the virtualized instance, so that the security detection program can obtain the kernel data of the virtualized instance, that is, the semantics of the virtualized instance at the operating system level, thereby bridging the semantic gap between the host machine and the virtualized instance, and realizing virtualized instance introspection across the semantic gap.
- the specific implementation method of the virtualization manager obtaining the target data object associated with the security detection request from the target address space in the user mode address space of the host machine is exemplarily described below.
- the target object monitored by the security detection request is specific kernel data (defined as target kernel data), and the target data object can be implemented as target kernel data.
- for example, the target kernel data can be the structure that describes a process, together with the specific attributes required to execute a process-query command.
- the security detection process can determine the target kernel data to be monitored according to the actual detection requirements; and encapsulate the identifier of the target kernel data into the security detection request. Afterwards, the security detection request can be sent to the virtualization manager.
- the above step 502 can be implemented as follows: in response to the security detection request, create a first thread module, and the first thread module is used to obtain the kernel data requested to be monitored by the security detection request. Further, the first thread module is controlled to obtain the target kernel data requested to be monitored by the security detection request from the target address space as the target data object based on the memory mapping relationship between the kernel state address space of the above virtualization instance and the user state address space of the host machine.
- the first thread module can be controlled to obtain the identifier of the kernel data to be monitored from the security detection request; and based on the memory mapping relationship between the kernel state address space of the above-mentioned virtualization instance and the user state address space of the host machine, the kernel data corresponding to the identifier of the kernel data to be monitored is obtained from the target address space as the target kernel data to be monitored by the security detection request, that is, as the target data object.
- the first thread module can be controlled to access the target address space based on the memory mapping relationship between the kernel state address space of the above-mentioned virtualization instance and the user state address space of the host machine; and directly obtain the target kernel data monitored by the security detection request from the target address space as the target data object.
- the first thread module can also be controlled to execute the kernel function for data extraction corresponding to the virtualization instance in the target address space based on the memory mapping relationship between the kernel state address space of the above-mentioned virtualization instance and the user state address space of the host machine; and use the kernel function for data extraction to obtain the target kernel data requested to be monitored by the security detection request from the target address space as the target data object.
- the first thread module can be controlled to provide the target kernel data monitored by the security detection request to the security detection program.
- the first thread module can be controlled to convert the target kernel data monitored by the security detection request into a target protocol format supported by the security detection service interface; and provide the target kernel data in the target protocol format to the security detection program through the security detection service interface.
- the security detection program can perform a security detection on the virtualized instance based on the target kernel data monitored by the security detection request.
- for the security detection program performing a security detection on the virtualized instance based on the target kernel data monitored by the security detection request, please refer to the relevant content of the above-mentioned host machine embodiment.
- the virtualization instance introspection mode shown in the above embodiment can be defined as a first virtualization instance introspection mode.
- in the first virtualization instance introspection mode, the security detection program actively scans the kernel state memory of the virtualization instance and does not mount any hook function on the kernel of the virtualization instance, that is, the kernel of the virtualization instance does not actively report the target data object.
- the first virtualization instance introspection mode is therefore a passive virtualization instance introspection.
- This virtualization instance introspection mode has little impact on the service performance of the virtualization instance, but cannot detect intrusions in a timely manner. It is suitable for situations where the virtualization instance has high service performance requirements, that is, the service performance of the virtualization instance is sensitive.
- the embodiment of the present disclosure also provides another virtualization instance introspection mode, which is defined as the second virtualization instance introspection mode.
- the second virtualization instance introspection mode is an active virtualization instance introspection mode, that is, the virtualization manager can report the relevant behavior of the virtualization instance to the security detection program in a timely manner.
- the security detection program can perform security detection on the virtualization instance based on the content actively reported by the virtualization manager.
- the second virtualization instance introspection mode is described in detail below.
- the security detection program can request to detect a specific kernel function (defined as a target kernel function) based on the security detection requirements.
- the specific kernel function can be a process management function, such as a kernel function for creating a new process, a kernel function for creating a child process in a parent process, etc.
- the security detection program can encapsulate the identifier of the target kernel function requested to be monitored in the security detection request; and send the security detection request to the virtualization manager.
- for the implementation of the security detection program sending the security detection request to the virtualization manager, please refer to the relevant content of the above embodiment, which will not be repeated here.
- step 502 can be implemented as follows: in response to the security detection request, another thread module (defined as the second thread module) is created; further, the second thread module can be controlled to mount a hook function on the target kernel function monitored by the security detection request.
- the hook function can notify the second thread module that the target kernel function is executed during the operation of the target kernel function.
- the hook function may be mounted by the second thread module in real time, or may be pre-mounted by the second thread module during the execution of other security detection requests.
- the identifier of the target kernel function requested for monitoring, the identifier of the tracepoint in the target kernel function for mounting the hook function, and the identifier of the hook function can be determined according to the actual security detection requirements. Further, the security detection program can encapsulate the identifier of the target kernel function, the identifier of the tracepoint in the target kernel function for mounting the hook function, and the identifier of the hook function into a security detection request; and send the security detection request to the virtualization manager.
- the second thread module can be controlled to obtain the identifier of the target kernel function, the identifier of the tracepoint in the target kernel function and the identifier of the hook function from the security detection request; and obtain the code of the hook function based on the identifier of the hook function.
- the code of the hook function can be downloaded from the code library based on the identifier of the hook function.
- the second thread module can be controlled to locate the code of the target kernel function in the target address space based on the memory mapping relationship between the kernel state address space of the above-mentioned virtualization instance and the user state address space of the host machine and the identifier of the target kernel function; and determine the tracepoint in the code of the target kernel function according to the identifier of the tracepoint; thereafter, the code of the hook function can be used to modify the code of the target kernel function at the tracepoint in the target address space, thereby mounting the above-mentioned hook function on the tracepoint of the target kernel function.
- the hook function can notify the second thread module that the target kernel function is executed during the operation of the target kernel function. Accordingly, the second thread module can be controlled to obtain the kernel data generated during the operation of the target kernel function from the target address space as the target data object based on the memory mapping relationship between the kernel state address space of the virtualization instance and the user state address space of the host machine when the hook function issues a notification during the operation of the target kernel function.
- the generated kernel data may be stored in the kernel state address space of the virtualized instance; the virtualization manager may map the kernel data generated during the operation of the target kernel function in the kernel state address space of the virtualized instance to the target address space in the user state address space of the host machine. Therefore, the target address space stores the kernel data generated during the operation of the target kernel function.
- the second thread module running in the user state of the host machine can obtain the kernel data generated during the operation of the target kernel function from the target address space as the target data object based on the memory mapping relationship between the kernel state address space of the virtualized instance and the user state address space of the host machine.
- the second thread module can be controlled to provide the kernel data generated by the target kernel function during operation to the security detection program.
- the security detection program can perform security detection on the virtualized instance based on the kernel data generated by the target kernel function during operation.
- for the security detection program performing security detection on the virtualized instance based on the kernel data generated by the target kernel function during operation, please refer to the relevant content of the above-mentioned host machine embodiment, which will not be repeated here.
- the virtualization manager can mount a hook function on the monitored target kernel function of the virtualization instance, and use the hook function to actively notify the virtualization manager that the target kernel function is being run.
- the second thread module in the virtualization manager can timely obtain the kernel data generated during the operation of the target kernel function, and timely feed it back to the security detection program for security detection, which helps to improve the timeliness of the virtualization instance security detection. Therefore, the above second virtualization instance introspection mode is suitable for situations where the timeliness of virtualization instance security detection is required to be high, that is, situations that are sensitive to the timeliness of virtualization instance security detection.
- the security detection logic of the security detection program in the first virtualization instance introspection mode and the second virtualization instance introspection mode provided in the above embodiments runs outside the virtualization manager.
- the virtualization manager and the security detection program need to interact through the security detection service interface.
- the interaction between the virtualization manager and the security detection program is also more complex, which affects the security detection speed.
- the embodiment of the present disclosure also provides another virtualized instance introspection mode, which is defined as the third virtualized instance introspection mode.
- in this mode, the security detection logic that runs inside the virtual machine in the traditional solution is "sunk" into the virtualization manager of the host machine, with the same effect as if the security detection logic ran inside the virtualized instance.
- the following is a detailed description.
- the security detection program can determine the security detection logic agreed in advance with the virtualization manager according to the actual security detection requirements.
- the security detection logic runs in the virtualization manager in the form of a thread. Accordingly, the security detection program can determine the target security detection thread to be monitored according to the actual security detection requirements; and encapsulate the identifier of the target security detection thread into the security detection request. Further, the security detection request can be sent to the virtualization manager.
- the above step 502 can also be implemented as follows: in response to the security detection request, another thread module (defined as the third thread module) can be created; and the third thread module is controlled to create a target security detection thread for monitoring by the security detection request.
- the target security detection thread can run on the operating system of the virtualization instance as a user state program, based on the pre-packaged system call interface of the virtualization instance. In this way, to the other user state programs of the virtualization instance, the target security detection thread appears as a thread running in the user state of the virtualization instance, that is, it corresponds to the target security detection thread agent running in the user state of the virtualization instance in Figure 4.
- since the target security detection thread runs as a user-mode program on the operating system of the virtualization instance based on the pre-packaged system call interface of the virtualization instance, it can access the user-mode address space of that operating system. Therefore, the target security detection thread can obtain the kernel data it is concerned with from the target address space based on the memory mapping relationship between the kernel-mode address space of the virtualization instance and the user-mode address space of the host machine.
- the specific content of the kernel data that the target security detection thread is concerned about can be found in the relevant content of the above-mentioned host machine embodiment, which will not be repeated here.
- the target security detection thread can output the obtained kernel data of interest. Accordingly, the third thread module can be controlled to obtain the data output by the target security detection thread as the target data object.
- the data output by the target security detection thread 105 is the kernel data of interest to the target security detection thread.
- the third thread module may be controlled to provide the kernel data concerned by the target security detection thread to the security detection program.
- the security detection program may perform security detection on the virtualized instance based on the kernel data concerned by the target security detection thread.
- the three virtualization instance introspection modes have their own advantages and disadvantages.
- one of the three virtualization instance introspection modes can be used for implementation, and of course, several of the three virtualization instance introspection modes can also be combined for implementation.
- any two of the three virtualization instance introspection modes can be combined for implementation, and of course, all three of them can also be combined for implementation.
- the multiple virtualization instance introspection modes can complement each other, offsetting each other's weaknesses with their respective strengths, and improve the performance of virtualization instance security detection.
- the security detection program can determine which virtualization instance introspection mode to use during online security detection. Specifically, the security detection thread can select a target virtualization instance introspection mode from multiple virtualization instance introspection modes based on the security detection requirements for performing security detection on the virtualization instance.
- then, generate a security detection request based on the identifier of the target virtualization instance introspection mode and send the security detection request to the virtualization manager, so that the virtualization manager can obtain the target data object associated with the security detection request from the target address space based on the memory mapping relationship between the kernel address space of the virtualization instance and the user state address space of the host machine and the identifier of the target virtualization instance introspection mode, where the target data object includes at least part of the kernel data of the virtualization instance; then, receive the target data object returned by the virtualization manager and perform security detection on the virtualization instance based on the target data object.
- the security detection requirements for security detection of virtualized instances may be determined by the user or by the security detection logic of the security detection program.
- the security detection requirements for security detection of virtualized instances may include at least one of the service performance requirements of the virtualized instances during the entire detection process, the timeliness requirements of security detection, and the logic complexity of the security detection thread for security detection of the virtualized instances.
- the security detection program can determine that the target virtualization instance introspection mode is the first virtualization instance introspection mode when the security detection requirement indicates that the virtualization instance is more sensitive to service performance.
- the first virtualization instance introspection mode is a mode in which the virtualization manager controls the first thread module to obtain the target kernel data monitored by the security detection request from the target address space as the target data object based on the memory mapping relationship.
- the security detection program can determine that the target virtualization instance introspection mode is the second virtualization instance introspection mode when the security detection requirement indicates that the virtualization instance is more sensitive to the timeliness of security detection.
- the second virtualization instance introspection mode is a mode in which the virtualization manager controls the second thread module to mount a hook function on the target kernel function of the virtualization instance, and to obtain the kernel data generated by the target kernel function during operation as the target data object.
- the security detection program can determine that the target virtualization instance introspection mode is the third virtualization instance introspection mode when the security detection requirement indicates that the logic complexity of the security detection of the virtualization instance reaches the preset logic complexity. Further, in this case, the type of the target object can also be determined as a security detection thread that performs security detection on the virtualization instance.
- the third virtualization instance introspection mode is a mode in which the virtualization manager controls the third thread module to create a target security detection thread and obtains the kernel data output by the target security detection thread as the target data object; the target security detection thread runs as a user-mode program on the operating system of the virtualization instance based on the pre-packaged system call interface of the virtualization instance, and obtains the kernel data of its concern from the target address space based on the memory mapping relationship.
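The following is an added example, not code from the patent: a toy model of the three introspection modes described above (passive scan of the mapped kernel memory, hook notification on a target kernel function, and a pre-agreed detection thread running in the virtualization manager) together with the mode selection by security detection requirement and the conversion of the target data object into the service interface's protocol format. It assumes that the guest kernel-state address space is mapped 1:1 onto a host user-state `bytearray` (the target address space), uses a constructed task-list layout as the kernel data, replaces the in-guest code patching of mode 2 by a callback registry, and treats mode numbers, the requirement keys, the kernel function name `fork`, the detector name `empty_comm` and JSON as the protocol format as illustrative assumptions.

```python
"""Added example (not the patent's code): toy model of the three introspection modes.

Assumptions: the guest kernel-state address space starts at GUEST_KERNEL_BASE and
is mapped 1:1 onto a host user-state bytearray; the task struct layout, mode
numbers, requirement keys and identifiers are constructed for illustration.
"""
import json
import struct

GUEST_KERNEL_BASE = 0xFFFF_8000_0000_0000  # assumed guest kernel VA of the mapping
TASK_FMT = "<I16sQ"                         # constructed task struct: pid, comm[16], next VA
TASK_SIZE = struct.calcsize(TASK_FMT)       # 28 bytes


def build_guest_image(tasks):
    """Constructed sample guest kernel memory: a singly linked task list."""
    buf = bytearray()
    for i, (pid, comm) in enumerate(tasks):
        nxt = GUEST_KERNEL_BASE + (i + 1) * TASK_SIZE if i + 1 < len(tasks) else 0
        buf += struct.pack(TASK_FMT, pid, comm.encode(), nxt)
    return buf


class VirtualizationManager:
    """Host user-state manager that owns the mapping of the guest kernel memory."""

    def __init__(self, image):
        self.target_space = bytearray(image)  # target address space in host user space
        self.hooks = {}                       # mode 2: kernel function id -> callback
        self.detectors = {}                   # mode 3: pre-agreed detection logic by id

    def _host_offset(self, guest_va):
        """The memory mapping relationship: guest kernel VA -> offset in target space."""
        off = guest_va - GUEST_KERNEL_BASE
        if not 0 <= off + TASK_SIZE <= len(self.target_space):
            raise ValueError(f"guest VA {guest_va:#x} is outside the mapped kernel space")
        return off

    def read_task(self, guest_va):
        """Bridge the semantic gap: reinterpret raw mapped bytes as a process descriptor."""
        off = self._host_offset(guest_va)
        pid, comm, nxt = struct.unpack_from(TASK_FMT, self.target_space, off)
        return {"pid": pid, "comm": comm.rstrip(b"\0").decode(), "next": nxt}

    # Mode 1: passive scan of the mapped kernel memory; nothing in the guest is touched.
    def walk_task_list(self, head_va=GUEST_KERNEL_BASE, limit=4096):
        tasks, va = [], head_va
        while va and len(tasks) < limit:      # the limit stops a corrupted (cyclic) list
            t = self.read_task(va)
            tasks.append({"pid": t["pid"], "comm": t["comm"]})
            va = t["next"]
        return tasks

    # Mode 2: a hook on the target kernel function notifies the manager when it runs.
    def mount_hook(self, kernel_function_id, callback):
        self.hooks[kernel_function_id] = callback

    def kernel_function_ran(self, kernel_function_id, generated_data):
        """Stand-in for the hook firing in the guest; in the patent's design the kernel
        data generated by the function is read from the target address space."""
        callback = self.hooks.get(kernel_function_id)
        if callback:
            callback({"function": kernel_function_id, **generated_data})

    # Mode 3: security detection logic agreed in advance runs as a thread in the manager.
    def register_detector(self, thread_id, logic):
        self.detectors[thread_id] = logic

    def handle_request(self, request):
        """Dispatch a security detection request by its introspection mode identifier."""
        mode = request["mode"]
        if mode == 1:
            return {"tasks": self.walk_task_list()}
        if mode == 2:
            events = []
            self.mount_hook(request["kernel_function"], events.append)
            return {"events": events}          # filled in as the hook fires
        if mode == 3:
            return {"output": self.detectors[request["thread"]](self)}
        raise ValueError(f"unknown introspection mode {mode}")


def choose_mode(requirements):
    """Security detection program side: map the requirement (assumed keys) to a mode."""
    if requirements.get("service_performance_sensitive"):
        return 1
    if requirements.get("timeliness_sensitive"):
        return 2
    if requirements.get("logic_complexity") == "preset":
        return 3
    return 1


def to_protocol_format(target_data_object):
    """Target protocol format of the service interface, assumed here to be JSON."""
    return json.dumps(target_data_object, sort_keys=True)


if __name__ == "__main__":
    vm = VirtualizationManager(build_guest_image([(1, "init"), (42, "sshd"), (77, "")]))
    mode = choose_mode({"service_performance_sensitive": True})
    print(to_protocol_format(vm.handle_request({"mode": mode})))
    pending = vm.handle_request({"mode": 2, "kernel_function": "fork"})
    vm.kernel_function_ran("fork", {"parent": 42, "child": 78})
    print(to_protocol_format(pending))
    vm.register_detector("empty_comm",
                         lambda m: [t["pid"] for t in m.walk_task_list() if not t["comm"]])
    print(to_protocol_format(vm.handle_request({"mode": 3, "thread": "empty_comm"})))
```

The bounds check in `_host_offset` and the walk limit are the two places where a real implementation earns its keep: the target address space is attacker-influenced memory once the guest is compromised, so every pointer read from it must be validated against the mapping before being dereferenced, and list walks must terminate on cycles.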
- the security detection requirement may also include description information of the target object and the type of the target object.
- the security detection program may determine the identifier of the target object based on the description information of the target object and the type of the target object included in the security detection requirement; and generate a security detection request according to the identifier of the target object and the identifier of the target virtualization instance introspection mode. Further, the security detection program may provide the security detection request to the virtualization manager.
- the identifier of the target virtualization instance introspection mode can be obtained from the security detection request; and according to the identifier of the target virtualization instance introspection mode, a target thread module corresponding to the target virtualization instance introspection mode is created.
- the target thread module includes at least one of the first thread module, the second thread module and the third thread module.
- the thread module corresponding to the first virtualization instance introspection mode is the first thread module;
- the thread module corresponding to the second virtualization instance introspection mode is the second thread module;
- the thread module corresponding to the third virtualization instance introspection mode is the third thread module.
- the target thread module can obtain the identifier of the target object from the security detection request; and based on the memory mapping relationship between the kernel state address space of the above virtualization instance and the user state address space of the host machine, obtain the target data object associated with the identifier of the target object from the target address space.
- when the type of the target object is kernel data, the target data object associated with the identifier of the target object includes the target kernel data monitored by the security detection request.
- when the type of the target object is a target kernel function, the target data object associated with the identifier of the target object includes the kernel data generated during the operation of the target kernel function monitored by the security detection request.
- when the type of the target object is a target security detection thread, the target data object associated with the identifier of the target object includes the kernel data concerned by the target security detection thread.
- the specific implementation method of obtaining the target data object associated with the identification of the target object from the target address space can be referred to the relevant content in the above embodiments, which will not be repeated here.
- the multiple virtualization instance introspection modes can complement each other, offsetting each other's weaknesses with their respective strengths, and improve the performance of virtualization instance security detection.
- the execution subject of each step of the method provided in the above embodiment can be the same device, or the method can be executed by different devices.
- the execution subject of steps 501 and 502 can be device A; for another example, the execution subject of step 501 can be device A, and the execution subject of step 502 can be device B; and so on.
- the embodiment of the present disclosure also provides an electronic device, which can be implemented as a host machine, on which a virtualization manager, a virtualization instance managed by the virtualization manager, and a security detection program located outside the virtualization instance are deployed; the virtualization manager provides a security detection service interface to the security detection program to interact with the security detection program; as shown in Figure 6, the electronic device also includes: a memory 61 and a processor 62; the memory 61 stores program codes and security detection programs corresponding to the virtualization manager; wherein the processor 62 is coupled to the memory 61, and is used to execute the program code corresponding to the virtualization manager, so as to implement the method steps that can be executed by the virtualization manager in the aforementioned method embodiment; and is used to execute the security detection program, so as to implement the method steps that can be executed by the security detection program in the aforementioned method embodiment.
- the electronic device of this embodiment further includes: a communication component 63, a display 64, a power component 65, an audio component 66 and other components.
- FIG6 only schematically shows some components, which does not mean that the electronic device includes only the components shown in FIG6.
- the components in the dotted box in FIG6 are optional components, not mandatory components, and the specific components may depend on the product form of the electronic device.
- the electronic device of this embodiment can be implemented as a terminal device such as a desktop computer, a laptop computer, a smartphone or an IoT device; it can also be a traditional server, a cloud server or a server cluster.
- an embodiment of the present disclosure also provides a computer-readable storage medium storing computer instructions, which, when executed by one or more processors, causes the one or more processors to execute the steps in the above-mentioned virtualization instance introspection method.
- the embodiment of the present disclosure also provides a computer program product, including a computer program, which implements the steps in the above-mentioned virtualization instance introspection method when executed by a processor.
- user information including but not limited to user device information, user personal information, etc.
- data including but not limited to data used for analysis, stored data, displayed data, etc.
- the embodiments of the present disclosure may be provided as methods, systems, or computer program products. Therefore, the present disclosure may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the present disclosure may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, compact disc read-only memory (CD-ROM), optical storage, etc.) containing computer-usable program code.
- These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce a manufactured product including an instruction device that implements the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.
- These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.
- a computing device includes one or more processors (such as a CPU, etc.), an input/output interface, a network interface, and a memory.
- Memory may include non-permanent storage in computer-readable media, random access memory
- the memory is an example of a computer-readable medium.
- the storage medium of a computer is a readable storage medium, which may also be referred to as a readable medium.
- the readable storage medium includes permanent and non-permanent, removable and non-removable media that can be implemented by any method or technology to store information.
- the information can be computer-readable instructions, data structures, modules of programs, or other data.
- Examples of computer storage media include, but are not limited to, Phase-Change Memory (PRAM), Static Random-Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read-Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), Flash memory or other memory technology, Compact Disc Read-Only Memory (CD-ROM), Digital Versatile Disc (DVD) or other optical storage, magnetic cassettes, disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
Description
This disclosure claims priority to the Chinese patent application filed with the China Patent Office on September 26, 2023, with application number 202311249724.5 and entitled "Host machine, virtualization instance introspection method and storage medium", the entire contents of which are incorporated herein by reference.
The present disclosure relates to the technical field of cloud computing, and in particular to a host machine, a virtualization instance introspection method, and a storage medium.
In recent years, with the widespread adoption of cloud computing and virtualization technology, multiple virtual machines can be deployed on a single host to provide a variety of services to different users. Various security problems have been exposed as a result. Compared with a traditional physical host, the scope of impact of a security threat against a virtual machine is larger, so the security of virtual machines deserves more attention.
Virtual Machine Introspection (VMI) is a method, applied in virtualized environments, for strengthening the security of a virtual machine from outside the virtual machine. By directly scanning the memory and disk of the running virtual machine and monitoring its network behaviour, the technique can carry out security operations such as antivirus scanning and network firewalling.
Here the security detection software runs on the host machine, outside the virtual machine. Compared with traditional detection solutions that run inside the virtual machine, the security of the security detection software is no longer affected by the virtual machine environment: even if the virtual machine is compromised, the security detection software can still execute normally thanks to the isolation between the host machine and the virtual machine. However, this isolation between the host machine and the virtual machine also makes virtual machine introspection harder to implement, which poses a great challenge to applying virtual machine introspection to strengthen virtual machine security.
Summary of the invention
Various aspects of the present disclosure provide a host machine, a virtualization instance introspection method, and a storage medium, for implementing virtualization instance introspection across the semantic gap.
In a first aspect, an embodiment of the present disclosure provides a host machine on which are deployed a virtualization manager, a virtualization instance managed by the virtualization manager, and a security detection program located outside the virtualization instance; the virtualization manager provides a security detection service interface to the security detection program in order to interact with the security detection program;
the virtualization manager is configured to map the kernel address space of the virtualization instance to a target address space in the user-state address space of the host machine, the target address space storing the kernel data and kernel functions corresponding to the virtualization instance; and
to receive a security detection request sent by the security detection program, obtain from the target address space a target data object associated with the security detection request on the basis of the memory mapping relationship between the kernel address space of the virtualization instance and the user-state address space of the host machine, the target data object including at least part of the kernel data of the virtualization instance, and provide the target data object to the security detection program, so that the security detection program performs security detection on the virtualization instance on the basis of the target data object.
In a second aspect, an embodiment of the present disclosure further provides a virtualization instance introspection method, applied to a virtualization manager deployed on a host machine, on which a virtualization instance corresponding to the virtualization manager and a security detection program are also deployed, and in which the kernel address space of the virtualization instance is mapped to a target address space in the user-state address space of the host machine; the method comprises:
receiving a security detection request sent by the security detection program;
obtaining, on the basis of the memory mapping relationship between the kernel address space of the virtualization instance and the user-state address space of the host machine, a target data object associated with the security detection request from the target address space, the target data object including at least part of the kernel data of the virtualization instance;
providing the target data object to the security detection program, so that the security detection program performs security detection on the virtualization instance on the basis of the target data object.
In a third aspect, an embodiment of the present disclosure further provides a virtualization instance introspection method, applied to a security detection program deployed on a host machine, on which a virtualization manager and a virtualization instance are also deployed, and in which the kernel address space of the virtualization instance is mapped to a target address space in the user-state address space of the host machine; the method comprises:
selecting, according to the security detection requirement for performing security detection on the virtualization instance, a target virtualization instance introspection mode from a plurality of virtualization instance introspection modes;
generating a security detection request according to the identifier of the target virtualization instance introspection mode;
sending the security detection request to the virtualization manager, so that the virtualization manager obtains, from the target address space, a target data object associated with the security detection request on the basis of the memory mapping relationship between the kernel address space of the virtualization instance and the user-state address space of the host machine and the identifier of the target virtualization instance introspection mode, the target data object including at least part of the kernel data of the virtualization instance;
receiving the target data object returned by the virtualization manager, and performing security detection on the virtualization instance according to the target data object.
In a fourth aspect, an embodiment of the present disclosure further provides an electronic device that can be implemented as a host machine, on which are deployed a virtualization manager, a virtualization instance managed by the virtualization manager, and a security detection program located outside the virtualization instance; the virtualization manager provides a security detection service interface to the security detection program in order to interact with the security detection program;
the electronic device further comprises a memory and a processor; the memory stores the program code corresponding to the virtualization manager and the security detection program; the processor is coupled to the memory and is configured to execute the program code corresponding to the virtualization manager so as to implement the steps of the host machine introspection method provided in the second aspect of the present disclosure, and to execute the security detection program so as to implement the steps of the host machine introspection method provided in the third aspect of the present disclosure.
In a fifth aspect, an embodiment of the present disclosure further provides a computer-readable storage medium storing computer instructions which, when executed by one or more processors, cause the one or more processors to execute the steps of the above virtualization instance introspection method.
In a sixth aspect, an embodiment of the present disclosure further provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the above virtualization instance introspection method.
In the embodiments of the present disclosure, the kernel address space of the virtualization instance is mapped to the user-state address space of the host machine, so that the user-state address space of the host machine holds the kernel data and kernel functions corresponding to the virtualization instance. When responding to a security detection request, the virtualization manager can obtain the kernel data associated with the request from the user-state address space of the host machine on the basis of the memory mapping relationship between the kernel address space of the virtualization instance and the user-state address space of the host machine, and provide it to the security detection program deployed on the host machine outside the virtualization instance. The security detection program can thus obtain the kernel data of the virtualization instance, that is, the operating-system-level semantics of the virtualization instance, which bridges the semantic gap between the virtual machine and the virtualization instance and realizes virtualization instance introspection across the semantic gap.
The drawings described herein are provided for a further understanding of the present disclosure and form a part of it; the illustrative embodiments of the present disclosure and their descriptions serve to explain the present disclosure and do not constitute an improper limitation of it. In the drawings:
FIG. 1 is a schematic diagram of the internal system structure of a host machine provided by an embodiment of the present disclosure;
FIG. 2 to FIG. 4 are schematic diagrams of a virtualization instance introspection process provided by an embodiment of the present disclosure;
FIG. 5 is a flow chart of a virtualization instance introspection method provided by an embodiment of the present disclosure;
FIG. 6 is a schematic diagram of the structure of an electronic device provided by an embodiment of the present disclosure.
In order to make the purpose, technical solutions and advantages of the present disclosure clearer, the technical solutions of the present disclosure are described clearly and completely below in conjunction with specific embodiments of the present disclosure and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of the present disclosure, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present disclosure without creative effort fall within the scope of protection of the present disclosure.
To implement virtualization instance introspection, in some embodiments of the present disclosure the kernel address space of the virtualization instance is mapped to the user-state address space of the host machine, so that the user-state address space of the host machine holds the kernel data and kernel functions corresponding to the virtualization instance. When responding to a security detection request, the virtualization manager can obtain the kernel data associated with the request from the user-state address space of the host machine on the basis of the memory mapping relationship between the kernel address space of the virtualization instance and the user-state address space of the host machine, and provide it to the security detection program deployed on the host machine outside the virtualization instance. The security detection program can thus obtain the kernel data of the virtualization instance, that is, the operating-system-level semantics of the virtualization instance, which bridges the semantic gap between the virtual machine and the virtualization instance and realizes virtualization instance introspection across the semantic gap.
The technical solutions provided by the embodiments of the present disclosure are described in detail below with reference to the drawings.
It should be noted that the same reference numerals denote the same objects in the following drawings and embodiments; therefore, once an object is defined in one drawing or embodiment, it need not be discussed further in subsequent drawings and embodiments.
FIG. 1 is a schematic diagram of the internal system structure of a host machine provided by an embodiment of the present disclosure. The host machine S10 can be implemented as any computer device with computing, storage and other capabilities, such as a server or a terminal device. The terminal device can be a computer, a workstation or a mobile phone. As shown in FIG. 1, a virtualization manager 10, a virtualization instance 20 managed by the virtualization manager 10, and a security detection program 30 located outside the virtualization instance are deployed on the host machine S10.
In this embodiment, the virtualization instance 20 refers to one of multiple virtual servers deployed on a single host machine using virtual machine technology, which can provide different services. The virtualization instance 20 can be a virtual machine (VM), a container, or a container group (such as a Pod). The virtualization instance 20 can also be called a guest. The host operating system is responsible for allocating hardware resources among the multiple virtualization instances 20 so that they are independent of each other.
As shown in FIG. 1, the host machine S10 is divided into a user state and a kernel state. The virtualization instance 20 and the virtualization manager 10 are deployed in the user state of the host machine S10. The kernel state and the user state are two different running states of the operating system: in the kernel state, operating system code can run and operate the hardware, whereas in the user state only application programs can run.
The virtualization instance 20 is in turn divided into a user state and a kernel state. The user-state address space of the virtualization instance 20 stores the user-state data of the virtualization instance 20. The kernel-state address space of the virtualization instance 20 stores the kernel-state data corresponding to the virtualization instance 20, such as kernel data and kernel functions.
The virtualization manager 10 is a computer program that manages the virtualization instance 20 and can be implemented as a software function module, a plug-in, or the like. The operating system of the virtualization instance 20 communicates with the hardware through the virtualization manager 10. The virtualization manager 10 differs according to the implementation form of the virtualization instance 20.
For example, in an embodiment where the virtualization instance 20 is a container or a container group, an operating-system virtualization architecture can be used to divide the single operating system of the host machine S10 into multiple containers, which are managed by a container manager. "Multiple" means two or more. The host operating system is responsible for allocating hardware resources among the containers so that they are independent of each other. Accordingly, the virtualization manager 10 is implemented as a container manager.
As another example, in an embodiment where the virtualization instance 20 is a virtual machine, the underlying hardware resources are not divided; instead, a virtual machine monitor (VMM) is installed on top of the operating system of the host machine. The virtualization layer exists as application-level software and does not involve the operating system kernel. The virtualization layer emulates an independent set of hardware devices for each virtual machine, including processor, memory, motherboard, graphics card, network card and other hardware resources, on which a guest operating system is installed. Accordingly, the virtualization manager is implemented as the VMM.
In this embodiment, the security detection program 30 is a computer program that performs security detection on the virtualization instance 20; it is deployed in the user state of the host machine, outside the virtualization instance 20, and implements virtualization instance introspection. In this embodiment, virtualization instance introspection is a method, applied in a virtualized environment, for strengthening the security of a virtualization instance from outside the instance. In this way, the security of the security detection program 30 is no longer affected by the virtualized environment: even if the virtualization instance 20 is compromised, the intruding program cannot interfere with the security detection program 30 because of the isolation between the host machine and the virtualization instance 20, so the security detection program 30 keeps running normally, which improves the security of the security detection program.
However, the isolation between the host machine and the virtualization instance also gives rise to the semantic gap problem: the security detection program 30 on the host machine cannot learn the internal semantics of the virtualization instance, which makes it difficult to apply virtualization instance introspection to strengthen the security of the virtualization instance. In other words, the interface between the host machine and the virtualization instance consists of virtualization-related registers and the like, which carry none of the operating-system-level semantics of the virtualization instance that the security detection program 30 wants to obtain; as a result, the security detection program 30 cannot learn the operating-system-level semantics of the virtualization instance. This is the semantic gap.
In this embodiment, to solve the above technical problem and implement virtualization instance introspection across the semantic gap, the virtualization manager 10 maps the kernel address space of the virtualization instance to a target address space in the user-state address space of the host machine S10. Specifically, during creation of the virtualization instance, the virtualization manager 10 can allocate a target address space for the virtualization instance from the free address space in the user-state address space of the host machine S10, and establish a memory mapping relationship between the kernel address space of the virtualization instance and the target address space, thereby realizing the memory mapping between the kernel-state address space of the virtualization instance 20 and the target address space in the user-state address space of the host machine S10.
The mapping between the kernel-state address space of the virtualization instance 20 and the target address space in the user-state address space of the host machine S10 is, in essence, a mapping of the data stored in the kernel-state address space of the virtualization instance 20: by mapping the kernel-state address space of the virtualization instance 20 to the target address space in the user-state address space of the host machine S10, the data stored in the kernel-state address space of the virtualization instance 20 (such as the kernel data and kernel functions corresponding to the virtualization instance) can be stored in the target address space in the user-state address space of the host machine S10. In this way, the target address space in the user-state address space of the host machine S10 holds the kernel data, kernel functions and so on corresponding to the virtualization instance 20.
Since the target address space in the user-state address space of the host machine S10 stores the kernel data and kernel functions corresponding to the virtualization instance 20, the virtualization manager 10 deployed in the user state of the host machine S10 can obtain the operating-system-level semantics of the virtualization instance 20 from the target address space, that is, obtain the kernel data corresponding to the virtualization instance 20, thereby eliminating the semantic gap between the virtualization instance 20 and the host machine S10.
Specifically, the security detection program 30 can send a security detection request to the virtualization manager 10 according to its security detection requirements. The security detection request requests security monitoring of the virtualization instance 20. The virtualization manager 10 can receive the security detection request (corresponding to step 1 in FIG. 1). To enable interaction between the virtualization manager 10 and the security detection program 30, a security detection service interface 101 facing the security detection program 30 can be provided on the virtualization manager 10 for interacting with the security detection program 30.
In this embodiment, the specific implementation form of the security detection service interface 101 is not limited. For example, the security detection service interface 101 can be implemented as a remote procedure call (RPC) interface, a socket interface, or an application programming interface (API).
In some embodiments, the security detection service interface 101 is implemented as an RPC interface; the security detection program 30 can then call the security detection service interface 101 via RPC and send the security detection request to the virtualization manager 10 through the security detection service interface 101. Accordingly, the virtualization manager 10 can obtain the security detection request through the security detection service interface 101.
Further, in response to the security detection request, the virtualization manager 10 can obtain the target data object associated with the security detection request from the target address space on the basis of the memory mapping relationship between the kernel address space of the virtualization instance and the user-state address space of the host machine. The target data object includes at least part of the kernel data of the virtualization instance 20. The kernel data included in the target data object may be kernel data read directly from the target address space, and may also include kernel data produced by kernel functions of the virtualization instance 20 while the security detection request is being handled.
The target data object obtained differs according to the target object that the security detection request asks to monitor. Target object and target data object are defined from different perspectives: from the perspective of the security detection program, the object it needs to examine is called the target object, and the data obtained by monitoring the target object is called the target data object. In some application scenarios, if the request is to monitor certain kernel data, that kernel data is both the target object and the target data object; in other scenarios, if the request is to monitor certain kernel functions, processes or threads, those kernel functions, processes or threads are the target objects, and the data produced by the processes or threads are the target data objects. That is, the target object and the target data object may or may not be the same. A few brief examples: if the security detection request asks to monitor certain kernel data, the target data object can be that monitored kernel data; if the security detection request asks to monitor a kernel function, the target data object can be the kernel data produced while the monitored kernel function runs. Depending on the target object that the security detection request asks to monitor, the way in which the target data object is obtained from the target address space also differs. This is described in detail in the embodiments below and is not elaborated here.
The virtualization manager 10 then provides the target data object to the security detection program 30, specifically through the security detection service interface 101.
In some embodiments, the virtualization manager 10 converts the target data object into the target protocol format supported by the security detection service interface 101, and provides the converted object to the security detection program 30 through that interface.
For example, if the security detection service interface 101 is an RPC interface, its target protocol format is the RPC protocol format: the virtualization manager 10 converts the target data object into that format and delivers it to the security detection program 30 through the interface. Likewise, if the interface is a Socket interface, the target protocol format is the Socket protocol format, and the virtualization manager 10 converts the target data object accordingly before delivering it through the security detection service interface 101.
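The conversion step above is where data read out of guest memory crosses from the virtualization manager into the security detection program, so the consumer side has to treat every length and count in the message as untrusted. The following is an added example, not code from the patent or any product it describes: a minimal length-prefixed wire format for a list of process records (the format itself, the "VMI1" magic, the field layout and the `proc_rec` structure are all assumptions made here), with the encoder the thread module would run and a decoder that rejects truncated, inflated or oversized messages.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed wire format for the security detection service interface (not the patent's):
 *   header : u32 magic "VMI1" | u32 record count
 *   record : u32 pid | u32 state | u8 comm_len | comm bytes (comm_len <= 15)
 * All integers little-endian. */
#define WIRE_MAGIC 0x31494d56U   /* "VMI1" */
#define COMM_MAX   15U

struct proc_rec { uint32_t pid; uint32_t state; char comm[16]; };

static void put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_u32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Producer side (the thread module): serialize n records into the target protocol
 * format. Returns bytes written, or 0 if the buffer cannot hold the message. */
size_t encode_records(const struct proc_rec *recs, uint32_t n, uint8_t *out, size_t cap)
{
    size_t pos = 8;
    if (cap < 8) return 0;
    put_u32(out, WIRE_MAGIC);
    put_u32(out + 4, n);
    for (uint32_t i = 0; i < n; i++) {
        size_t clen = 0;
        while (clen < COMM_MAX && recs[i].comm[clen]) clen++;   /* bounded: comm may be unterminated */
        if (cap - pos < 9 + clen) return 0;
        put_u32(out + pos, recs[i].pid);
        put_u32(out + pos + 4, recs[i].state);
        out[pos + 8] = (uint8_t)clen;
        memcpy(out + pos + 9, recs[i].comm, clen);
        pos += 9 + clen;
    }
    return pos;
}

/* Consumer side (the security detection program): every field is untrusted input.
 * Returns the number of records decoded, or -1 for a malformed message. */
int decode_records(const uint8_t *buf, size_t len, struct proc_rec *out, int max)
{
    size_t pos = 8;
    if (len < 8 || get_u32(buf) != WIRE_MAGIC) return -1;
    uint32_t n = get_u32(buf + 4);
    if (n > (uint32_t)max) return -1;            /* cap the count before it drives any loop */
    for (uint32_t i = 0; i < n; i++) {
        if (len - pos < 9) return -1;            /* fixed part of the record must fit */
        uint8_t clen = buf[pos + 8];
        if (clen > COMM_MAX || len - pos - 9 < clen) return -1;
        out[i].pid = get_u32(buf + pos);
        out[i].state = get_u32(buf + pos + 4);
        memcpy(out[i].comm, buf + pos + 9, clen);
        out[i].comm[clen] = '\0';
        pos += 9 + clen;
    }
    return pos == len ? (int)n : -1;             /* trailing bytes are also malformed */
}
```

The decoder checks the record count against the caller's buffer before looping and the per-record length against the remaining bytes, so neither a hostile guest that influenced the extracted data nor a bug in the thread module can drive an out-of-bounds write in the detection program.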
Accordingly, the security detection program 30 performs security detection on the virtualization instance 20 based on the target data object. The specific detection procedure depends on the target object the request asks to monitor and is described in the embodiments below.
In this embodiment, mapping the kernel address space of the virtualization instance to a target address space within the user-mode address space of the host makes the kernel data and kernel functions of the virtualization instance available from the host's user-mode address space. When servicing a security detection request, the virtualization manager can therefore use this memory mapping relationship to fetch the kernel data associated with the request from the host's user-mode address space and hand it to a security detection program deployed on the host, outside the virtualization instance. The security detection program thus obtains the kernel data of the virtualization instance, that is, operating-system-level semantics of the instance, which bridges the semantic gap between the host and the virtualization instance and realizes virtualization instance introspection across that gap.
The following describes, by way of example and according to the target object that the security detection request asks to monitor, how the virtualization manager obtains the target data object associated with the request from the target address space in the host's user-mode address space.
As shown in FIG. 2, in some embodiments the target object is specific kernel data (referred to as target kernel data), and the target data object is that target kernel data. For example, it may be the process descriptor structures and particular attributes needed to execute a process query command. The process descriptor is loaded in memory and holds the information about a process, including its process number (PID), process name (comm), state, running time and memory management information. Once any one process has been found, the next pointer of the task-list member of its descriptor yields the address of the next process's descriptor, so the descriptors of all processes can be found by walking the list in turn. In Linux, for example, the process query command may be the ps command and the process descriptor is task_struct; its list member is tasks, a struct list_head, and because the list is circular the walk is complete when it returns to the descriptor it started from.
In this embodiment, as shown in FIG. 2, the security detection program 30 determines the target kernel data to be monitored according to its actual detection needs, encapsulates the identifier of that kernel data in a security detection request, and sends the request to the virtualization manager 10 (step 1 in FIG. 2). In response, the virtualization manager 10 creates a thread module 102 for obtaining the kernel data the request asks to monitor, and passes the request to it (step 2 in FIG. 2). Using the memory mapping relationship between the kernel-mode address space of the virtualization instance and the user-mode address space of the host, the thread module 102 obtains the target kernel data from the target address space as the target data object (step 3 in FIG. 2).
Specifically, the thread module 102 extracts the identifier of the kernel data to be monitored from the request and, using the memory mapping relationship, reads the kernel data corresponding to that identifier from the target address space; this is the target kernel data, i.e. the target data object.
In this embodiment, the thread module 102 may access the target address space through the memory mapping relationship and read the target kernel data from it directly as the target data object.
Alternatively, the thread module 102 may execute a data-extraction kernel function of the virtualization instance (referred to as the first kernel function) and, using the same memory mapping relationship, direct that function to fetch the target kernel data from the target address space as the target data object.
The thread module 102 then provides the target kernel data to the security detection program 30 (steps 4 and 5 in FIG. 2): it converts the data into the target protocol format supported by the security detection service interface 101 and delivers it through that interface. The security detection program 30 receives the data in the target protocol format, parses it to recover the target kernel data, and performs security detection on the virtualization instance 20 based on it (step 6 in FIG. 2).
Optionally, the security detection program 30 checks the integrity and accuracy of the target kernel data. If the check passes, the monitored kernel data of the virtualization instance 20 passes security detection; otherwise the virtualization instance 20 fails security detection and may have been compromised, for example by the malicious application B shown in FIG. 2.
The introspection mode shown above is referred to as the first virtualization instance introspection mode. In it, the security detection program actively scans the kernel-mode memory of the virtualization instance; the instance's kernel does not report the target data object on its own, so from the instance's point of view the introspection is passive. This mode has little impact on the service performance of the virtualization instance and suits instances with high service-performance requirements, that is, instances that are sensitive to service performance.
The first mode is illustrated below taking, as the monitored kernel data, the kernel data needed by a process query command such as ps.
For a process query command such as ps, the required kernel data may include the process descriptor structures (such as the task_struct list) and particular attributes. The security detection request accordingly carries the identifier of the kernel data required by the command.
The thread module 102 extracts this identifier from the request and, using the memory mapping relationship between the kernel-mode address space of the virtualization instance and the user-mode address space of the host, locates a process descriptor (the task_struct list) in the target address space, walks the descriptors of all processes from it, and reads from the target address space the descriptor and the particular attributes of every process in the virtualization instance.
The thread module 102 then provides the descriptors and particular attributes of all processes to the security detection program 30, which performs security detection on the virtualization instance based on them.
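The list walk and the integrity check that the first mode relies on, as an added example that is not the patent's code: the "target address space" is a constructed byte buffer standing in for the mapped guest kernel memory, and the task_struct layout, the guest kernel virtual base and the signature field used by the scan are assumptions made here (real Linux offsets differ and have no such signature). The walk follows `tasks.next` with a container_of adjustment, validates every pointer against the mapping before dereferencing it, and bounds the iteration. The cross-view check then compares the walked list with a signature scan of the whole region, which is how a descriptor that was unlinked from the kernel's own list (and so never shown by ps inside the guest) shows up to the security detection program.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_KVA_BASE 0xffff888000000000ULL /* assumed guest kernel VA mapped at guest_mem[0] */
#define GUEST_MEM_SIZE 4096U
#define TASK_SIZE      64U   /* assumed size of the simplified task_struct used here */
#define OFF_MAGIC      0U    /* u32 signature, assumed for the scan (not a real kernel field) */
#define OFF_PID        4U    /* u32 pid */
#define OFF_TASKS_NEXT 8U    /* struct list_head tasks { next, prev } */
#define OFF_TASKS_PREV 16U
#define OFF_COMM       24U   /* char comm[16] */
#define TASK_MAGIC     0x4b534154U
#define MAX_PROCS      32
#define INIT_TASK_GVA  (GUEST_KVA_BASE + 0x100)

static uint8_t guest_mem[GUEST_MEM_SIZE]; /* stands in for the mapped target address space */

struct proc_rec { uint32_t pid; char comm[16]; };

/* The memory mapping relationship: guest kernel VA -> host pointer, NULL if unmapped. */
static uint8_t *gva_to_host(uint64_t gva, size_t len)
{
    if (gva < GUEST_KVA_BASE) return NULL;
    uint64_t off = gva - GUEST_KVA_BASE;
    if (off >= GUEST_MEM_SIZE || len > GUEST_MEM_SIZE - off) return NULL;
    return guest_mem + off;
}

/* Read one descriptor; the pointer and every field are untrusted guest data. */
static bool read_task(uint64_t task_gva, struct proc_rec *rec, uint64_t *next_task_gva)
{
    const uint8_t *t = gva_to_host(task_gva, TASK_SIZE);
    uint32_t magic; uint64_t next_link;
    if (!t) return false;
    memcpy(&magic, t + OFF_MAGIC, sizeof magic);
    if (magic != TASK_MAGIC) return false;
    memcpy(&rec->pid, t + OFF_PID, sizeof rec->pid);
    memcpy(rec->comm, t + OFF_COMM, sizeof rec->comm);
    rec->comm[sizeof rec->comm - 1] = '\0';       /* never rely on the guest to terminate it */
    memcpy(&next_link, t + OFF_TASKS_NEXT, sizeof next_link);
    *next_task_gva = next_link - OFF_TASKS_NEXT;  /* container_of(link, task_struct, tasks) */
    return true;
}

/* First mode: walk the circular tasks list from init_task, as ps would see it.
 * Returns the number of tasks, or -1 on an unmapped pointer or an overlong list. */
static int walk_task_list(uint64_t init_task_gva, struct proc_rec *out, int max)
{
    uint64_t cur = init_task_gva, next;
    int n = 0;
    do {
        if (n >= max || !read_task(cur, &out[n], &next)) return -1;
        n++;
        cur = next;
    } while (cur != init_task_gva);
    return n;
}

/* Signature scan of the mapped region: finds descriptors whether or not they are linked. */
static int scan_tasks(struct proc_rec *out, int max)
{
    int n = 0;
    for (uint64_t gva = GUEST_KVA_BASE; gva + TASK_SIZE <= GUEST_KVA_BASE + GUEST_MEM_SIZE; gva += TASK_SIZE) {
        uint64_t unused;
        if (n < max && read_task(gva, &out[n], &unused)) n++;
    }
    return n;
}

/* Cross-view integrity check: a pid found by the scan but absent from the walk
 * has been unlinked from the kernel's own list. Returns the count, -1 if the walk failed. */
static int find_hidden_pids(uint32_t *hidden, int max)
{
    struct proc_rec walked[MAX_PROCS], scanned[MAX_PROCS];
    int nw = walk_task_list(INIT_TASK_GVA, walked, MAX_PROCS);
    int ns = scan_tasks(scanned, MAX_PROCS), nh = 0;
    if (nw < 0) return -1;
    for (int i = 0; i < ns; i++) {
        bool seen = false;
        for (int j = 0; j < nw && !seen; j++) seen = walked[j].pid == scanned[i].pid;
        if (!seen && nh < max) hidden[nh++] = scanned[i].pid;
    }
    return nh;
}

/* Constructed guest image: three linked descriptors and one unlinked one. */
static void put_task(uint64_t gva, uint32_t pid, const char *comm, uint64_t next_task, uint64_t prev_task)
{
    uint8_t *t = gva_to_host(gva, TASK_SIZE);
    uint32_t magic = TASK_MAGIC;
    uint64_t next = next_task + OFF_TASKS_NEXT, prev = prev_task + OFF_TASKS_NEXT;
    size_t l = strlen(comm) < 15 ? strlen(comm) : 15;
    memcpy(t + OFF_MAGIC, &magic, 4);
    memcpy(t + OFF_PID, &pid, 4);
    memcpy(t + OFF_TASKS_NEXT, &next, 8);
    memcpy(t + OFF_TASKS_PREV, &prev, 8);
    memcpy(t + OFF_COMM, comm, l);
}

void build_guest(void)
{
    uint64_t a = INIT_TASK_GVA, b = GUEST_KVA_BASE + 0x200, c = GUEST_KVA_BASE + 0x300, h = GUEST_KVA_BASE + 0x400;
    memset(guest_mem, 0, sizeof guest_mem);
    put_task(a, 1,    "init",     b, c);
    put_task(b, 2,    "kthreadd", c, a);
    put_task(c, 100,  "sshd",     a, b);
    put_task(h, 1337, "hidden",   h, h);   /* unlinked: its list pointers point at itself */
}

/* Corrupt a next pointer, which is what a torn or hostile list looks like to the thread module. */
void poison_next(uint64_t task_gva, uint64_t bogus_next_task)
{
    uint64_t link = bogus_next_task + OFF_TASKS_NEXT;
    memcpy(gva_to_host(task_gva, TASK_SIZE) + OFF_TASKS_NEXT, &link, 8);
}

int main(void)
{
    struct proc_rec recs[MAX_PROCS]; uint32_t hidden[MAX_PROCS];
    build_guest();
    int n = walk_task_list(INIT_TASK_GVA, recs, MAX_PROCS);
    for (int i = 0; i < n; i++) printf("%5u %s\n", recs[i].pid, recs[i].comm);
    int nh = find_hidden_pids(hidden, MAX_PROCS);
    for (int i = 0; i < nh; i++) printf("hidden task pid %u\n", hidden[i]);
    return 0;
}
```

Because the thread module runs in host user mode, a bad pointer costs it at most a failed lookup in the mapping table rather than a host fault; the walk therefore refuses to continue on the first unmapped address instead of guessing, and the scan gives the security detection program a second view to compare against.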
The first mode is only illustrative and not limiting. To detect an intrusion of the virtualization instance sooner, the embodiments of the present disclosure also provide a second virtualization instance introspection mode. The second mode is active: the virtualization instance reports its relevant behaviour and data promptly to the security detection program through the virtualization manager, and the security detection program performs security detection based on what is reported. The second mode is described in detail below.
As shown in FIG. 3, the security detection program 30 may request detection of a specific kernel function (the target kernel function) according to its detection needs. For example, the target kernel function may be a process management function, such as the kernel function that creates a new process or the kernel function that runs a new program in the child process a parent has created. In Linux, the function that creates a new process may be do_fork(), and the function that loads a new program image into that process may be execve(). The security detection program 30 encapsulates the identifier of the target kernel function in a security detection request and sends it to the virtualization manager 10 (step 1 in FIG. 3); the sending itself is as described in the above embodiments and is not repeated here.
In response, the virtualization manager 10 creates another thread module 103 (step 2 in FIG. 3). For clarity, the thread module 102 created in the first mode is called the first thread module and the thread module 103 created here the second thread module.
The second thread module 103 then mounts a hook function on the target kernel function (step 3 in FIG. 3). The hook function observes events while the target kernel function runs and notifies the second thread module 103: for example that the target kernel function has been entered, that it has finished, or that during its execution it called a certain function, accessed the target address space or created a thread. Which events the hook observes is set according to application needs and is not limited here.
The hook function may be mounted by the second thread module 103 on demand, or may have been mounted earlier by it while servicing another security detection request.
The security detection program 30 determines, according to its detection needs, the identifier of the target kernel function, the identifier of the tracepoint within that function at which the hook function is to be mounted, and the identifier of the hook function, encapsulates all three in the security detection request and sends it to the virtualization manager 10.
Accordingly, the second thread module 103 created by the virtualization manager 10 extracts from the request the identifier of the target kernel function, the identifier of the tracepoint within it and the identifier of the hook function, and obtains the hook function's code based on the latter; optionally, it downloads the hook function's code from a code library based on that identifier.
Using the memory mapping relationship and the identifier of the target kernel function, the second thread module 103 locates the code of the target kernel function in the target address space, locates the tracepoint within that code from the tracepoint identifier, and then modifies the target kernel function's code at the tracepoint in the target address space with the hook function's code, thereby mounting the hook at that tracepoint.
The hook function observes the configured events while the target kernel function runs and notifies the second thread module 103. On such a notification, the second thread module 103 uses the memory mapping relationship to fetch from the target address space the kernel data produced by the target kernel function during its execution, as the target data object (step 4 in FIG. 3).
Specifically, the target kernel function stores the kernel data it produces in the kernel-mode address space of the virtualization instance, and the virtualization manager 10 maps that data into the target address space in the host's user-mode address space, so the target address space holds the kernel data produced by the target kernel function. The second thread module 103, running in the host's user mode, therefore fetches that data through the memory mapping relationship as the target data object.
In some embodiments the target kernel function is a process management function, and the hook notifies the second thread module 103 that the process management function is being executed. In response, the second thread module 103 uses the memory mapping relationship to fetch from the target address space the kernel data of the target process managed by that function, as the target data object. The kernel data of the target process includes, without limitation, its process number (PID), process name, state, running time, memory management information and context data, where context data is the contents of the processor registers while the process executes.
For example, if the process management function is the kernel function that creates a new process, such as do_fork(), the hook notifies the second thread module 103 that this function is executing in the virtualization instance, and the second thread module 103 fetches the kernel data of the newly created process as the target data object.
The second thread module 103 then provides the kernel data produced by the target kernel function to the security detection program 30 (steps 5 and 6 in FIG. 3), in the same way as described in the above embodiments, and the security detection program 30 performs security detection on the virtualization instance based on it (step 7 in FIG. 3).
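The mounting and event-handling steps of the second mode, as an added example that is not the patent's code: the guest is again a constructed byte buffer, the address of do_fork, the tracepoint offset inside it, the simplified task_struct layout and the convention that the new task_struct pointer is in rax at that tracepoint are all assumptions made here, and the vCPU event is a constructed struct rather than a real hypervisor exit. The hook is a one-byte int3 written through the mapping, with the original byte kept so the site can be restored and checked for tampering; the handler dispatches on the faulting address, verifies that the register value maps before reading through it, and extracts the new process's kernel data as the target data object.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KVA_BASE       0xffffffff81000000ULL   /* assumed guest kernel text base mapped at guest_mem[0] */
#define MEM_SIZE       8192U
#define DO_FORK_GVA    (KVA_BASE + 0x1000)     /* assumed guest address of do_fork */
#define TRACEPOINT_OFF 0x2aU                   /* assumed offset of the tracepoint inside do_fork */
#define INT3           0xCC
#define MAX_HOOKS      8
#define OFF_PID        0U                      /* assumed simplified task_struct: u32 pid at 0 */
#define OFF_COMM       8U                      /*                                 char comm[16] at 8 */

static uint8_t guest_mem[MEM_SIZE];            /* stands in for the mapped target address space */

struct vcpu_event { uint64_t rip; uint64_t rax; };   /* what the hypervisor reports on a #BP exit (assumed) */
struct hook       { uint64_t gva; uint8_t saved; bool active; };
struct proc_rec   { uint32_t pid; char comm[16]; };

static struct hook hooks[MAX_HOOKS];

/* The memory mapping relationship: guest kernel VA -> host pointer, NULL if unmapped. */
static uint8_t *gva_to_host(uint64_t gva, size_t len)
{
    if (gva < KVA_BASE) return NULL;
    uint64_t off = gva - KVA_BASE;
    if (off >= MEM_SIZE || len > MEM_SIZE - off) return NULL;
    return guest_mem + off;
}

/* Mount: save the original byte at the tracepoint and replace it with int3.
 * A single-byte patch cannot straddle an instruction boundary the guest might
 * jump into, which is why int3 is used rather than a multi-byte jmp.
 * Returns the hook id, reusing an existing one if the site is already hooked. */
int install_hook(uint64_t func_gva, uint32_t tracepoint_off)
{
    uint64_t gva = func_gva + tracepoint_off;
    uint8_t *p = gva_to_host(gva, 1);
    if (!p) return -1;
    for (int i = 0; i < MAX_HOOKS; i++)
        if (hooks[i].active && hooks[i].gva == gva) return i;   /* pre-mounted by an earlier request */
    for (int i = 0; i < MAX_HOOKS; i++) {
        if (!hooks[i].active) {
            hooks[i] = (struct hook){ gva, *p, true };
            *p = INT3;
            return i;
        }
    }
    return -1;
}

/* Unmount: restore the original byte, refusing if the site no longer holds our int3. */
int remove_hook(int id)
{
    if (id < 0 || id >= MAX_HOOKS || !hooks[id].active) return -1;
    uint8_t *p = gva_to_host(hooks[id].gva, 1);
    if (!p || *p != INT3) return -1;
    *p = hooks[id].saved;
    hooks[id].active = false;
    return 0;
}

/* Event path: the guest hit an int3. If rip is one of our hooks, read the new
 * task_struct that (by this example's assumed convention) do_fork holds in rax.
 * Returns the hook id, -1 if the register did not map, -2 if the #BP is not ours. */
int on_breakpoint(const struct vcpu_event *ev, struct proc_rec *out)
{
    for (int i = 0; i < MAX_HOOKS; i++) {
        if (!hooks[i].active || hooks[i].gva != ev->rip) continue;
        const uint8_t *t = gva_to_host(ev->rax, OFF_COMM + 16);
        if (!t) return -1;                  /* register contents are guest-controlled: verify first */
        memcpy(&out->pid, t + OFF_PID, 4);
        memcpy(out->comm, t + OFF_COMM, 16);
        out->comm[15] = '\0';
        return i;
    }
    return -2;                              /* not ours: the hypervisor reinjects it into the guest */
}

/* Constructed guest: placeholder do_fork bytes and one freshly created task_struct. */
void build_guest(void)
{
    memset(guest_mem, 0, sizeof guest_mem);
    memset(gva_to_host(DO_FORK_GVA, 0x40), 0x90, 0x40);   /* nops standing in for real code */
    *gva_to_host(DO_FORK_GVA + TRACEPOINT_OFF, 1) = 0x48; /* first byte of the instruction we patch */
    uint8_t *task = gva_to_host(KVA_BASE + 0x1800, OFF_COMM + 16);
    uint32_t pid = 4242;
    memcpy(task + OFF_PID, &pid, 4);
    memcpy(task + OFF_COMM, "newproc", 8);
}

uint8_t byte_at(uint64_t gva) { uint8_t *p = gva_to_host(gva, 1); return p ? *p : 0; }

int main(void)
{
    struct proc_rec rec;
    build_guest();
    int id = install_hook(DO_FORK_GVA, TRACEPOINT_OFF);
    struct vcpu_event ev = { DO_FORK_GVA + TRACEPOINT_OFF, KVA_BASE + 0x1800 };
    if (on_breakpoint(&ev, &rec) == id) printf("do_fork created pid %u (%s)\n", rec.pid, rec.comm);
    remove_hook(id);
    return 0;
}
```

On real hardware the handler would also have to single-step the original instruction (or emulate it) before resuming the guest; that part is omitted because there is no vCPU here. The tamper check in `remove_hook` matters in practice: if the byte at the site is no longer 0xCC, something else wrote to the guest's kernel text after the hook was mounted, which is itself a finding for the security detection program.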
Optionally, the security detection program 30 extracts features from the kernel data produced by the target kernel function and classifies them with a pre-trained malicious program detection model to determine whether the virtualization instance has been compromised by a malicious program. The model is trained on kernel data produced by kernel functions of virtualization instances after those instances were compromised by malicious programs.
In the second mode, the virtualization manager mounts a hook function on the target kernel function of the monitored virtualization instance and uses it to be notified as soon as the target kernel function runs. The second thread module in the virtualization manager can therefore obtain the kernel data produced by the target kernel function promptly and pass it to the security detection program without delay, which improves the timeliness of security detection. The second mode therefore suits cases with strict timeliness requirements, that is, cases that are sensitive to how quickly a compromise is detected.
In both the first and the second mode, the security detection logic of the security detection program runs outside the virtualization manager 10, so detecting the virtualization instance requires interaction between the virtualization manager 10 and the security detection program 30 through the security detection service interface 101. When the detection logic is complex, that interaction becomes complex too and slows detection.
To speed up security detection of the virtualization instance, the embodiments also provide a third virtualization instance introspection mode, in which the security detection logic that conventionally runs inside the virtual machine is moved down into the virtualization manager 10 on the host, with the same effect as if it ran inside the virtualization instance. This is described below.
As shown in FIG. 4, the security detection program 30 determines, according to its detection needs, security detection logic agreed in advance with the virtualization manager 10; this logic runs within the virtualization manager 10 as a thread. The security detection program 30 accordingly determines the target security detection thread to be monitored, encapsulates its identifier in a security detection request, and sends the request to the virtualization manager 10 (step 1 in FIG. 4).
In response, the virtualization manager 10 creates another thread module 104 (the third thread module) (step 2 in FIG. 4), which creates the target security detection thread 105 named in the request (step 3 in FIG. 4). The target security detection thread 105 runs as a user-mode program on top of the operating system of the virtualization instance 20, built on a pre-packaged set of the instance's system call interfaces (step 4 in FIG. 4); from the user mode of the virtualization instance it therefore looks like an ordinary user-mode thread, the target security detection thread agent shown in FIG. 4. The pre-packaged system call interfaces may be syscall interfaces such as fork() for creating a new process and execv() for running a new program in the child process.
由于目标安全检测线程105可基于预先封装好的虚拟化实例的系统调用接口作为用户态程序,运行在虚拟化实例20的操作系统之上,因此,目标安全检测线程105可访问操作系统的用户态地址空间。因此,目标安全检测线程可基于上述虚拟化实例的内核态地址空间与宿主机的用户态地址空间之间的内存映射关系,从目标地址空间中获取目标安全检测线程关注的内核数据。Since the target security detection thread 105 can be run as a user-mode program based on the system call interface of the pre-packaged virtualization instance on the operating system of the virtualization instance 20, the target security detection thread 105 can access the user-mode address space of the operating system. Therefore, the target security detection thread can obtain the kernel data that the target security detection thread is concerned about from the target address space based on the memory mapping relationship between the kernel-mode address space of the virtualization instance and the user-mode address space of the host machine.
其中,目标安全检测线程105关注的内核数据由该线程自身的安全检测逻辑决定。例如,目标安全检测线程105用于监测虚拟化实例的特定的内核数据,则可基于上述虚拟化实例的内核态地址空间与宿主机的用户态地址空间之间的内存映射关系,从目标地址空间中获取目标安全检测线程监测的内核数据,作为目标安全检测线程105关注的内核数据。 又例如,目标安全检测线程105用于监测虚拟化实例对应的特定的内核函数,则目标安全检测线程105可基于上述虚拟化实例的内核态地址空间与宿主机的用户态地址空间之间的内存映射关系,从目标地址空间获取被监测的内核函数运行过程中产生的内核数据,作为目标安全检测线程105关注的内核数据。The kernel data that the target security detection thread 105 is concerned about is determined by the security detection logic of the thread itself. For example, if the target security detection thread 105 is used to monitor specific kernel data of a virtualized instance, the kernel data monitored by the target security detection thread can be obtained from the target address space based on the memory mapping relationship between the kernel state address space of the virtualized instance and the user state address space of the host machine as the kernel data that the target security detection thread 105 is concerned about. For another example, the target security detection thread 105 is used to monitor a specific kernel function corresponding to a virtualization instance. The target security detection thread 105 can obtain the kernel data generated during the running of the monitored kernel function from the target address space based on the memory mapping relationship between the kernel state address space of the above virtualization instance and the user state address space of the host machine, as the kernel data that the target security detection thread 105 is concerned about.
例如,在一些实施例中,目标安全检测线程的安全检测逻辑,为运行周期性监测(Watch)程序。Watch程序是周期性地执行某个命令并显示执行结果的命令。例如监测虚拟化实例的处理器,如中央处理器(Central Processing Unit,CPU)的动态负载,则可根据指定的时间间隔刷新CPU的负载信息。则目标安全检测线程关注的内核数据,为虚拟化实例的CPU的负载信息。For example, in some embodiments, the security detection logic of the target security detection thread is to run a periodic monitoring (Watch) program. The Watch program is a command that periodically executes a command and displays the execution result. For example, to monitor the dynamic load of the processor of the virtualized instance, such as the central processing unit (CPU), the load information of the CPU can be refreshed according to the specified time interval. Then the kernel data that the target security detection thread focuses on is the load information of the CPU of the virtualized instance.
进一步,目标安全检测线程105可将获取的关注的内核数据输出。相应地,第三线程模块104可获取目标安全检测线程105输出的数据,作为目标数据对象(对应图4中的步骤5)。目标安全检测线程105输出的数据,即为目标安全检测线程105关注的内核数据。Further, the target security detection thread 105 may output the obtained kernel data of interest. Accordingly, the third thread module 104 may obtain the data output by the target security detection thread 105 as the target data object (corresponding to step 5 in FIG. 4 ). The data output by the target security detection thread 105 is the kernel data of interest to the target security detection thread 105.
进一步,第三线程模块104可将目标安全检测线程105关注的内核数据,提供给安全检测程序30(对应图4中的步骤6和7)。安全检测程序30可基于目标安全检测线程105关注的内核数据,对虚拟化实例20进行安全检测(对应图4中的步骤8)。Further, the third thread module 104 can provide the kernel data concerned by the target security detection thread 105 to the security detection program 30 (corresponding to steps 6 and 7 in FIG. 4 ). The security detection program 30 can perform security detection on the virtualization instance 20 based on the kernel data concerned by the target security detection thread 105 (corresponding to step 8 in FIG. 4 ).
在目标安全检测线程105关注的内核数据为虚拟化实例的特定的内核数据的情况下,可基于虚拟化实例的特定的内核数据,对虚拟化实例20进行安全检测,其具体安全检测方式可参见上述第一虚拟化实例自省模式的相关内容,在此不再赘述。在目标安全检测线程105关注的内核数据为虚拟化实例的特定的内核函数在运行过程中产生的内核数据的情况下,可基于特定的内核函数在运行过程中产生的内核数据,对虚拟化实例20进行安全检测,其具体安全检测方式可参见上述第二虚拟化实例自省模式的相关内容,在此不再赘述。In the case where the kernel data that the target security detection thread 105 is concerned about is the specific kernel data of the virtualization instance, the virtualization instance 20 can be security-checked based on the specific kernel data of the virtualization instance. The specific security detection method can refer to the relevant content of the above-mentioned first virtualization instance introspection mode, which will not be repeated here. In the case where the kernel data that the target security detection thread 105 is concerned about is the kernel data generated during the operation of a specific kernel function of the virtualization instance, the virtualization instance 20 can be security-checked based on the kernel data generated during the operation of the specific kernel function. The specific security detection method can refer to the relevant content of the above-mentioned second virtualization instance introspection mode, which will not be repeated here.
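The collection path of the third introspection mode (steps 3 to 5 in FIG. 4) is illustrated below with an added example that is not code from this disclosure. Ordinary POSIX processes stand in for the components: the parent plays the third thread module 104, and the child it creates through fork() plays the target security detection thread 105 running a watch-style loop that emits CPU load samples. The record format `cpu_load=<percent>`, the sample values and the malformed trailing line are all constructed for the example. Because the detection thread runs inside the guest, the example treats its output as untrusted input and forwards only records that parse cleanly.

```c
/* Added illustration, not code from the disclosure: the third thread module
 * creates a detection thread (modelled as a child process), reads what it
 * outputs, and keeps only well-formed records as the target data object. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Strictly parse one "cpu_load=<percent>" record (assumed format). Anything
 * that does not match the expected shape or range is discarded rather than
 * forwarded to the security detection program. */
int parse_load_record(const char *line, int *load)
{
    const char *prefix = "cpu_load=";
    size_t plen = strlen(prefix);
    if (strncmp(line, prefix, plen) != 0) return -1;
    char *end;
    long v = strtol(line + plen, &end, 10);
    if (end == line + plen) return -1;                 /* no digits at all */
    if (*end != '\0' && *end != '\n') return -1;       /* trailing junk */
    if (v < 0 || v > 100) return -1;                   /* not a percentage */
    *load = (int)v;
    return 0;
}

/* Child side: a watch-style loop emitting n samples. Constructed values stand
 * in for the load information a real agent would read; 101 is deliberately
 * out of range and the final line is deliberately malformed. */
static void agent_main(int fd, int n)
{
    static const int constructed_loads[] = { 12, 37, 64, 101, 55 };
    FILE *out = fdopen(fd, "w");
    for (int i = 0; i < n; i++)
        fprintf(out, "cpu_load=%d\n", constructed_loads[i % 5]);
    fprintf(out, "not a record\n");
    fclose(out);
}

/* Third-thread-module side: create the agent, collect its output, keep only
 * valid records. Returns the number of accepted samples and stores the last
 * accepted load in *last; returns -1 if the agent could not be created. */
int collect_agent_output(int n, int *last)
{
    int pipefd[2];
    if (pipe(pipefd) != 0) return -1;
    pid_t pid = fork();                    /* step 3: create the detection thread */
    if (pid < 0) return -1;
    if (pid == 0) {
        close(pipefd[0]);
        agent_main(pipefd[1], n);          /* step 4: run in the guest's user mode */
        _exit(0);
    }
    close(pipefd[1]);
    FILE *in = fdopen(pipefd[0], "r");
    char line[128];
    int accepted = 0, load;
    while (fgets(line, sizeof line, in))   /* step 5: output becomes the data object */
        if (parse_load_record(line, &load) == 0) { accepted++; *last = load; }
    fclose(in);
    int status;
    waitpid(pid, &status, 0);
    return accepted;
}

int main(void)
{
    int last = -1;
    int n = collect_agent_output(5, &last);
    printf("accepted %d samples, last load %d%%\n", n, last);
    return 0;
}
```

In the example only four of the five emitted samples survive: the out-of-range `101` and the malformed line are dropped before anything is handed to the security detection program 30.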
From the above three virtualization instance introspection modes, it can be seen that each has its own advantages and disadvantages. In practice, any one of the three modes may be implemented on its own, or several of them may be combined: for example, any two of the three modes, or all three. When several introspection modes are combined, their strengths and weaknesses complement each other, improving the performance of security detection on the virtualization instance.
In an example that combines several of the three introspection modes, the security detection program 30 may determine which introspection mode to use for online security detection. Specifically, the security detection program 30 may determine a target virtualization instance introspection mode from the several introspection modes according to the security detection requirements for the virtualization instance 20, generate a security detection request according to the identifier of the target introspection mode, and send it to the virtualization manager.
The security detection requirements for the virtualization instance 20 may be decided by the user or by the security detection logic of the security detection program 30. They may include at least one of: the service performance requirements of the virtualization instance during the security detection process, the timeliness requirements of the security detection, and the logic complexity of the security detection thread that performs security detection on the virtualization instance.
From the characteristics of the three introspection modes, the first virtualization instance introspection mode is the least intrusive to the virtualization instance and has the smallest impact on its service performance; it is therefore suited to cases where the virtualization instance is sensitive to service performance. Accordingly, when the security detection requirements indicate that the virtualization instance is sensitive to service performance, the security detection program 30 may determine that the target introspection mode is the first virtualization instance introspection mode.
Since the second virtualization instance introspection mode offers higher timeliness of security detection, the security detection program 30 may determine that the target introspection mode is the second virtualization instance introspection mode when the security detection requirements indicate that the virtualization instance is sensitive to the timeliness of security detection.
Since the third virtualization instance introspection mode suits embodiments with relatively complex security detection logic, the security detection program 30 may determine that the target introspection mode is the third virtualization instance introspection mode when the security detection requirements indicate that the logic complexity of security detection on the virtualization instance is at a set logic complexity level. In that case, the type of the target object may further be determined to be a security detection thread that performs security detection on the virtualization instance. The embodiments of the present disclosure do not limit what the "set logic complexity" is; it may be configured flexibly according to application needs.
Furthermore, the security detection requirements may also contain description information of the target object and the type of the target object. In that case, the security detection program 30 may determine the identifier of the target object from that description information and type, and generate the security detection request from the identifier of the target object together with the identifier of the target introspection mode. The security detection program 30 may then provide the security detection request to the virtualization manager 10.
Accordingly, the virtualization manager 10 may obtain the identifier of the target introspection mode from the security detection request and, according to that identifier, create the target thread module corresponding to the target introspection mode. The target introspection mode is at least one virtualization instance introspection mode selected by the security detection program from several such modes according to the security detection requirements, and different introspection modes correspond to different thread modules: the first introspection mode corresponds to the first thread module, the second to the second thread module, and the third to the third thread module.
There may be one or more target introspection modes, where "more" means two or above. Their number is determined by the security detection requirements for the virtualization instance 20. For example, if the requirements indicate that the virtualization instance is sensitive both to service performance and to the timeliness of security detection, the target introspection modes are determined to be the first and the second virtualization instance introspection modes. Accordingly, the virtualization manager 10 may determine from the mode identifiers that the target thread modules to be created include the first thread module and the second thread module, and then, at the same time, control the first thread module to obtain the kernel data requested by the security detection request from the target address space based on the memory mapping relationship as a target data object, and control the second thread module to obtain, as a target data object, the kernel data produced while the target kernel function runs, by means of a hook function mounted on the kernel function of the virtualization instance.
Further optionally, when the security detection request contains the identifier of the target object, the target thread module may obtain that identifier from the request and, based on the memory mapping relationship between the kernel-mode address space of the virtualization instance and the user-mode address space of the host machine, obtain from the target address space the target data object associated with the identifier. Here, the type of the target object includes the type kernel data, in which case the associated target data object includes the target kernel data that the security detection request asks to monitor; and/or the type target kernel function, in which case the associated target data object includes the kernel data produced while the monitored target kernel function runs; and/or the type target security detection thread, in which case the associated target data object includes the kernel data that the target security detection thread is concerned with.
For the specific way in which the thread module corresponding to the target introspection mode obtains, from the target address space, the target data object associated with the identifier of the target object based on the above memory mapping relationship, see the relevant description in the preceding embodiments, which is not repeated here.
When several virtualization instance introspection modes are combined in the embodiments of the present disclosure, their strengths and weaknesses complement each other, improving the performance of security detection on the virtualization instance.
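The mode selection and request handling described above are illustrated below with an added example that is not code from this disclosure. The detection-program side turns the three kinds of requirement into one or more mode identifiers and builds the request; the manager side checks the request before creating any thread module, since the request crosses the boundary between the two components. The bitmask encoding of mode identifiers, the field names, the integer scale for logic complexity and the value of the "set logic complexity" threshold are all assumptions made for the example.

```c
/* Added illustration, not code from the disclosure: selecting the target
 * introspection mode(s) from the security detection requirements and
 * validating the resulting request on the virtualization manager side.
 * Encodings, field names and the complexity threshold are assumptions. */
#include <stdint.h>
#include <stdio.h>

/* Mode identifiers; each maps to the thread module with the same number. */
enum introspection_mode {
    MODE_1_PASSIVE_SCAN = 1u << 0,  /* first thread module reads kernel data via the mapping */
    MODE_2_KERNEL_HOOK  = 1u << 1,  /* second thread module hooks a kernel function */
    MODE_3_GUEST_AGENT  = 1u << 2,  /* third thread module runs a detection thread in the guest */
};
#define ALL_MODES (MODE_1_PASSIVE_SCAN | MODE_2_KERNEL_HOOK | MODE_3_GUEST_AGENT)

enum target_type { TARGET_NONE, TARGET_KERNEL_DATA, TARGET_KERNEL_FUNCTION, TARGET_DETECTION_THREAD };

/* The three kinds of requirement the description names. */
struct detection_requirements {
    int performance_sensitive;  /* instance is sensitive to service performance */
    int timeliness_sensitive;   /* instance is sensitive to detection timeliness */
    unsigned logic_complexity;  /* complexity of the detection logic (assumed integer scale) */
};

#define SET_LOGIC_COMPLEXITY 3u  /* assumed value of the "set logic complexity" */

struct security_detection_request {
    unsigned mode_ids;    /* identifier(s) of the target introspection mode(s) */
    int      target_type; /* enum target_type; TARGET_NONE if no target object is named */
    uint64_t target_id;   /* identifier of the target object (opaque here) */
};

/* Detection-program side: one bit per selected mode, possibly several. */
unsigned select_modes(const struct detection_requirements *r)
{
    unsigned modes = 0;
    if (r->performance_sensitive) modes |= MODE_1_PASSIVE_SCAN;
    if (r->timeliness_sensitive)  modes |= MODE_2_KERNEL_HOOK;
    if (r->logic_complexity >= SET_LOGIC_COMPLEXITY) modes |= MODE_3_GUEST_AGENT;
    return modes;
}

/* Build the request from the mode identifier(s) and the target object. */
int build_request(const struct detection_requirements *r, int target_type,
                  uint64_t target_id, struct security_detection_request *out)
{
    unsigned modes = select_modes(r);
    if (modes == 0) return -1;             /* no requirement expressed: nothing to request */
    out->mode_ids = modes;
    out->target_type = target_type;
    out->target_id = target_id;
    return 0;
}

/* Which target object type each mode's thread module can act on. */
static int mode_accepts_target(unsigned mode, int type)
{
    switch (mode) {
    case MODE_1_PASSIVE_SCAN: return type == TARGET_KERNEL_DATA;
    case MODE_2_KERNEL_HOOK:  return type == TARGET_KERNEL_FUNCTION;
    case MODE_3_GUEST_AGENT:  return type == TARGET_DETECTION_THREAD;
    default:                  return 0;
    }
}

/* Manager side: check the request before creating thread modules. Returns the
 * bitmask of thread modules to create (bit n means thread module n+1), or 0
 * when the request is rejected. */
unsigned plan_thread_modules(const struct security_detection_request *req)
{
    if (req->mode_ids == 0 || (req->mode_ids & ~ALL_MODES)) return 0;  /* unknown mode id */
    if (req->target_type == TARGET_NONE) return req->mode_ids;
    for (unsigned m = MODE_1_PASSIVE_SCAN; m <= MODE_3_GUEST_AGENT; m <<= 1)
        if ((req->mode_ids & m) && mode_accepts_target(m, req->target_type))
            return req->mode_ids;          /* at least one module can serve the named target */
    return 0;                              /* target type fits none of the requested modes */
}

int main(void)
{
    struct detection_requirements r = { .performance_sensitive = 1, .timeliness_sensitive = 1 };
    struct security_detection_request req;
    if (build_request(&r, TARGET_KERNEL_DATA, 0x1000, &req) == 0)
        printf("modes 0x%x -> thread modules 0x%x\n", req.mode_ids, plan_thread_modules(&req));
    return 0;
}
```

With both sensitivities set, the example selects the first and second modes together, matching the combination described above; a request naming a mode identifier the manager does not know, or a target object type that none of the requested modes can act on, creates no thread module at all.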
Besides the host machine described above, the embodiments of the present disclosure also provide a virtualization instance introspection method, which is described by way of example below.
FIG. 5 is a schematic flow chart of a virtualization instance introspection method provided by an embodiment of the present disclosure. The method applies to a virtualization manager deployed on a host machine. The host machine also hosts a virtualization instance managed by the virtualization manager and a security detection program located outside the virtualization instance, and the kernel address space of the virtualization instance is mapped to a target address space in the user-mode address space of the host machine. As shown in FIG. 5, the method mainly includes:
501. Receive a security detection request sent by the security detection program.
502. Based on the memory mapping relationship between the kernel address space of the virtualization instance and the user-mode address space of the host machine, obtain from the target address space a target data object associated with the security detection request, the target data object including at least part of the kernel data of the virtualization instance.
503. Provide the target data object to the security detection program, so that the security detection program performs security detection on the virtualization instance based on the target data object.
In this embodiment, the virtualization instance and the virtualization manager are deployed in the user mode of the host machine. The virtualization instance is itself divided into a user mode and a kernel mode. The user-mode address space of the virtualization instance stores its user-mode data; the kernel-mode address space stores the kernel-mode data of the virtualization instance, such as kernel data and kernel functions. For the implementation forms of the virtualization manager, the virtualization instance and the security detection program, see the host machine embodiment above, which is not repeated here.
In this embodiment, the security detection program is deployed in the user mode of the host machine, outside the virtualization instance, to perform virtualization instance introspection. The security of the security detection program is thus no longer affected by the virtualized environment: even if the virtualization instance is compromised, the isolation between the host machine and the virtualization instance prevents the intruding program from interfering with the security detection program, which can therefore keep running normally, improving its security.
However, the isolation between the host machine and the virtualization instance also gives rise to the semantic gap problem: the security detection program on the host machine cannot learn the internal semantics of the virtualization instance, which makes it difficult to use virtualization instance introspection to strengthen the security of virtualization instances.
In this embodiment, to solve this problem and achieve virtualization instance introspection across the semantic gap, the virtualization manager maps the kernel address space of the virtualization instance to a target address space in the user-mode address space of the host machine. Specifically, during creation of the virtualization instance, the target address space may be allocated to the virtualization instance from free address space in the user-mode address space of the host machine, and a memory mapping relationship may be established between the kernel address space of the virtualization instance and the target address space, so that the kernel-mode address space of the virtualization instance is memory-mapped to the target address space in the user-mode address space of the host machine.
The mapping between the kernel-mode address space of the virtualization instance and the target address space in the user-mode address space of the host machine is essentially a mapping of the data stored in the kernel-mode address space: by mapping the kernel-mode address space of the virtualization instance onto the target address space, the data stored in the kernel-mode address space (such as the kernel data and kernel functions of the virtualization instance) is stored in the target address space in the user-mode address space of the host machine. The target address space therefore holds the kernel data, kernel functions and the like of the virtualization instance.
Because the target address space in the user-mode address space of the host machine holds the kernel data and kernel functions of the virtualization instance, the virtualization manager deployed in the user mode of the host machine can obtain the operating-system-level semantics of the virtualization instance from the target address space, that is, obtain the kernel data of the virtualization instance, eliminating the semantic gap between the virtualization instance and the host machine.
Specifically, the security detection program may send a security detection request to the virtualization manager according to its security detection requirements. The request asks for security monitoring of the virtualization instance. On the virtualization manager side, the request is received in step 501. To enable the interaction between the virtualization manager and the security detection program, a security detection service interface facing the security detection program may be provided on the virtualization manager.
Optionally, the security detection service interface may be implemented as an RPC interface, a socket interface, an API, or the like.
In some embodiments the security detection service interface is implemented as an RPC interface; the security detection program then calls the interface by RPC and sends the security detection request to the virtualization manager through it. Accordingly, the virtualization manager obtains the security detection request through the security detection service interface.
In step 502, the virtualization manager may, in response to the security detection request, obtain the target data object associated with the request from the target address space based on the memory mapping relationship between the kernel address space of the virtualization instance and the user-mode address space of the host machine. The target data object includes at least part of the kernel data of the virtualization instance. That kernel data may include kernel data read directly from the target address space, as well as kernel data produced by the virtualization instance while the security detection request is being handled.
In step 503, the target data object may be provided to the security detection program, specifically through the security detection service interface.
In some embodiments, the target data object may be converted into a target protocol format supported by the security detection service interface, and the target data object in that format is provided to the security detection program through the interface.
The security detection program may accordingly perform security detection on the virtualization instance based on the target data object.
In this embodiment, mapping the kernel address space of the virtualization instance to the target address space in the user-mode address space of the host machine causes the kernel data and kernel functions of the virtualization instance to be stored in the host machine's user-mode address space. When responding to a security detection request, the virtualization manager can therefore obtain the kernel data associated with the request from the user-mode address space of the host machine, based on the memory mapping relationship, and provide it to the security detection program deployed on the host machine outside the virtualization instance. The security detection program thus obtains the kernel data of the virtualization instance, that is, its operating-system-level semantics, bridging the semantic gap between the host machine and the virtualization instance and achieving virtualization instance introspection across that gap.
The specific way in which the virtualization manager obtains the target data object associated with the security detection request from the target address space in the user-mode address space of the host machine is described below by way of example, according to the target object that the security detection request asks to monitor.
With reference to FIG. 2, in some embodiments the target object that the security detection request asks to monitor is specific kernel data (defined as the target kernel data), and the target data object may then be implemented as that target kernel data. For example, the target data object may be the process-describing structures and particular attributes needed to execute a process query command.
With reference to FIG. 2, the security detection program may determine the target kernel data to be monitored according to the actual detection requirements, encapsulate the identifier of the target kernel data into the security detection request, and then send the request to the virtualization manager. On the virtualization manager side, step 502 may be implemented as follows: in response to the security detection request, create a first thread module for obtaining the kernel data that the request asks to monitor; then control the first thread module to obtain, from the target address space and based on the memory mapping relationship between the kernel-mode address space of the virtualization instance and the user-mode address space of the host machine, the target kernel data that the request asks to monitor, as the target data object.
Specifically, the first thread module may be controlled to obtain the identifier of the kernel data to be monitored from the security detection request and, based on the above memory mapping relationship, obtain from the target address space the kernel data corresponding to that identifier, as the target kernel data that the request asks to monitor, that is, as the target data object.
In this embodiment, the first thread module may be controlled to access the target address space based on the above memory mapping relationship and to read the target kernel data requested by the security detection request directly from the target address space as the target data object.
Alternatively, the first thread module may be controlled to execute, in the target address space and based on the above memory mapping relationship, a data-extraction kernel function of the virtualization instance, and to use that kernel function to obtain the target kernel data requested by the security detection request from the target address space as the target data object.
The first thread module may then be controlled to provide the target kernel data to the security detection program. Specifically, the first thread module may convert the target kernel data into the target protocol format supported by the security detection service interface and provide the data in that format to the security detection program through the interface. The security detection program may perform security detection on the virtualization instance based on the target kernel data. For the specific way in which it does so, see the host machine embodiment above.
The virtualization instance introspection mode shown in the above embodiment can be defined as the first virtualization instance introspection mode. In the first mode, the security detection program actively scans the kernel-mode memory of the virtualization instance and does not install hook functions in the kernel of the virtualization instance; that is, the kernel of the virtualization instance does not itself report the target data object. From the point of view of the virtualization instance this is passive introspection. This mode has little impact on the service performance of the virtualization instance, but it cannot detect an intrusion promptly, since nothing is observed between scans. It is therefore suited to cases where the virtualization instance has high service performance requirements, that is, where the service performance of the virtualization instance is sensitive.
To improve the timeliness of intrusion detection, the embodiments of the present disclosure also provide another virtualization instance introspection mode, defined as the second virtualization instance introspection mode. The second mode is an active introspection mode: the virtualization manager promptly reports relevant behavior of the virtualization instance to the security detection program, and the security detection program performs security detection on the virtualization instance based on what the virtualization manager actively reports. The second mode is described in detail below.
In conjunction with Figure 3, the security detection program can, according to the security detection requirements, request monitoring of a specific kernel function (defined as the target kernel function). For example, the specific kernel function can be a process management function, such as the kernel function that creates a new process or the kernel function that creates a child process from a parent process. Accordingly, the security detection program encapsulates the identifier of the target kernel function to be monitored in the security detection request and sends the security detection request to the virtualization manager. For the implementation of how the security detection program sends the security detection request to the virtualization manager, refer to the relevant content of the above embodiments, which is not repeated here.
For the virtualization manager, step 502 above can be implemented as follows: in response to the security detection request, another thread module (defined as the second thread module) is created; further, the second thread module is controlled to install a hook function on the target kernel function that the security detection request asks to monitor. While the target kernel function runs, the hook function notifies the second thread module that the target kernel function is being executed.
In this embodiment, the hook function may be installed by the second thread module on demand, or it may have been installed in advance by the second thread module while executing other security detection requests.
For the security detection program, the identifier of the target kernel function to be monitored, the identifier of the tracepoint within the target kernel function at which the hook function is to be installed, and the identifier of the hook function can be determined according to the actual security detection requirements. The security detection program then encapsulates these three identifiers into the security detection request and sends it to the virtualization manager.
Correspondingly, on the virtualization manager side, the second thread module can be controlled to obtain the identifier of the target kernel function, the identifier of the tracepoint within it and the identifier of the hook function from the security detection request, and to obtain the code of the hook function based on the hook function identifier. Optionally, the code of the hook function can be downloaded from a code library based on the hook function identifier.
Further, the second thread module can be controlled to locate the code of the target kernel function in the target address space, based on the memory mapping relationship between the kernel-mode address space of the virtualization instance and the user-mode address space of the host machine and on the identifier of the target kernel function; to locate the tracepoint within the code of the target kernel function according to the tracepoint identifier; and then, within the target address space, to modify the code of the target kernel function at the tracepoint using the code of the hook function, thereby installing the hook function at the tracepoint of the target kernel function.
While the target kernel function runs, the hook function notifies the second thread module that the target kernel function is being executed. Accordingly, when the hook function issues such a notification, the second thread module can be controlled to obtain, from the target address space and based on the above memory mapping relationship, the kernel data produced by the target kernel function during its execution, as the target data object.
Specifically, during its execution the target kernel function stores the kernel data it produces in the kernel-mode address space of the virtualization instance; the virtualization manager maps that kernel data from the kernel-mode address space of the virtualization instance into the target address space within the user-mode address space of the host machine. The target address space therefore holds the kernel data produced by the target kernel function during its execution. On that basis, the second thread module, which runs in user mode on the host machine, can obtain that kernel data from the target address space as the target data object, using the memory mapping relationship between the kernel-mode address space of the virtualization instance and the user-mode address space of the host machine.
Further, the second thread module can be controlled to provide the kernel data produced by the target kernel function during its execution to the security detection program; for the specific implementation, refer to the relevant content of the above embodiments, which is not repeated here. Accordingly, the security detection program can perform security detection on the virtualization instance based on that kernel data; for the specific implementation, refer to the relevant content of the host machine embodiment above, which is not repeated here.
In the second virtualization instance introspection mode provided by the above embodiment, the virtualization manager installs a hook function on the target kernel function of the monitored virtualization instance and uses the hook function to be actively notified that the target kernel function is running. In this way, the second thread module in the virtualization manager obtains the kernel data produced during execution of the target kernel function promptly and feeds it back promptly to the security detection program for security detection, which helps improve the timeliness of security detection on the virtualization instance. The second mode is therefore suited to cases with high requirements on the timeliness of security detection of the virtualization instance, that is, cases that are sensitive to detection timeliness.
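As an added example (again not the patent's code), the C program below shows the mechanics behind the second mode's hook: installing a hook at a tracepoint inside a target kernel function by patching the guest's code through the host-side mapping, then, when the guest traps into the virtualization manager at that address, reading the kernel data the function is operating on and turning it into an event for the security detection program. The guest text, the task layout, the use of a single `int3` breakpoint byte as the patch, the register convention (first argument in `rdi`) and the function name `copy_process` are all assumptions of the example; the guest-virtual-to-host address translation from the earlier example is replaced by a flat `guest_ptr` stub so that this block stands on its own.

```c
/* Added example: int3-style hook at a tracepoint of a guest kernel function, driven
 * from the host side. Guest memory, layouts, names and offsets are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INT3      0xCC
#define MAX_HOOKS 8

/* Constructed guest: a page of kernel text and a page of kernel data, flat-mapped. */
#define TEXT_BASE 0xffffffff81000000ull
#define DATA_BASE 0xffff888000100000ull
static uint8_t guest_text[0x1000];
static uint8_t guest_data[0x1000];

/* Stand-in for the guest-kernel-to-host-user-space mapping; NULL if out of range. */
static uint8_t *guest_ptr(uint64_t gva, size_t len)
{
    if (gva >= TEXT_BASE && gva + len <= TEXT_BASE + sizeof guest_text)
        return guest_text + (gva - TEXT_BASE);
    if (gva >= DATA_BASE && gva + len <= DATA_BASE + sizeof guest_data)
        return guest_data + (gva - DATA_BASE);
    return NULL;
}

struct guest_task { uint32_t pid; char comm[16]; };   /* assumed kernel layout */
struct vcpu_regs  { uint64_t rip, rdi; };             /* what the trap handler needs */

/* addr = function address + tracepoint offset; saved = the displaced original byte. */
struct hook { uint64_t addr; uint8_t saved; const char *func; int active; };
static struct hook hooks[MAX_HOOKS];

/* Event delivered to the security detection program. */
struct hook_event { const char *func; uint32_t pid; char comm[16]; };

/* Second thread module: patch an int3 at the tracepoint and keep the displaced byte.
 * Refuses to hook an address twice or to stack on a breakpoint that is not ours. */
int hook_install(const char *func, uint64_t func_addr, uint64_t tp_off)
{
    uint64_t addr = func_addr + tp_off;
    uint8_t *p = guest_ptr(addr, 1);
    if (!p || *p == INT3) return -1;
    for (int i = 0; i < MAX_HOOKS; i++) {
        if (hooks[i].active) continue;
        hooks[i] = (struct hook){ addr, *p, func, 1 };
        *p = INT3;
        return 0;
    }
    return -1;
}

/* Restore the original byte so the guest function runs unmodified again. */
int hook_remove(uint64_t addr)
{
    for (int i = 0; i < MAX_HOOKS; i++) {
        if (!hooks[i].active || hooks[i].addr != addr) continue;
        *guest_ptr(addr, 1) = hooks[i].saved;
        hooks[i].active = 0;
        return 0;
    }
    return -1;
}

/* VMM trap path: on a #BP at a hooked tracepoint, read the kernel data the function is
 * working on (assumed: first argument in rdi points at the task) and fill an event.
 * Returns 1 for our hook (*orig_byte is the byte to emulate before re-arming),
 * 0 for a breakpoint that belongs to the guest, -1 if the data is unreadable. */
int hook_on_trap(const struct vcpu_regs *regs, struct hook_event *ev, uint8_t *orig_byte)
{
    for (int i = 0; i < MAX_HOOKS; i++) {
        const struct hook *h = &hooks[i];
        if (!h->active || h->addr != regs->rip) continue;
        struct guest_task t;
        uint8_t *src = guest_ptr(regs->rdi, sizeof t);
        if (!src) return -1;
        memcpy(&t, src, sizeof t);
        ev->func = h->func;
        ev->pid  = t.pid;
        memcpy(ev->comm, t.comm, sizeof ev->comm);
        ev->comm[sizeof ev->comm - 1] = '\0';   /* never trust the guest to terminate */
        *orig_byte = h->saved;
        return 1;
    }
    return 0;
}

/* Constructed guest state: nop-filled text with a fake function entry and tracepoint,
 * plus the task object the function is about to operate on. */
int setup_constructed_guest(void)
{
    memset(guest_text, 0x90, sizeof guest_text);
    guest_text[0x100] = 0x55;   /* push rbp: assumed entry of copy_process */
    guest_text[0x110] = 0x48;   /* first byte of the instruction at the tracepoint */
    struct guest_task t = { .pid = 31337, .comm = "nc" };
    memcpy(guest_data, &t, sizeof t);
    memset(hooks, 0, sizeof hooks);
    return 0;
}

int main(void)
{
    struct hook_event ev;
    uint8_t orig;
    struct vcpu_regs regs = { TEXT_BASE + 0x110, DATA_BASE };
    setup_constructed_guest();
    hook_install("copy_process", TEXT_BASE + 0x100, 0x10);
    if (hook_on_trap(&regs, &ev, &orig) == 1)
        printf("%s: pid=%u comm=%s (displaced byte 0x%02x)\n", ev.func, ev.pid, ev.comm, orig);
    return 0;
}
```

The displaced byte returned by `hook_on_trap` matters: after reporting, the virtualization manager has to let the guest execute the original instruction (restore, single-step, re-patch, or emulate it) or the guest kernel will fault at the tracepoint. The text leaves the patching method open; the breakpoint approach is one common way to realise "modify the code of the target kernel function at the tracepoint".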
In the first and second virtualization instance introspection modes provided by the above embodiments, the security detection logic of the security detection program runs outside the virtualization manager, so security detection of the virtualization instance requires the virtualization manager and the security detection program to interact through the security detection service interface. For embodiments with relatively complex security detection logic, this interaction between the virtualization manager and the security detection program is correspondingly complex, which affects the speed of security detection.
To improve the speed of security detection of the virtualization instance, the embodiments of the present disclosure further provide another virtualization instance introspection mode, defined as the third virtualization instance introspection mode. In the third mode, the security detection logic that a traditional solution runs inside the virtual machine is "sunk" into the virtualization manager on the host machine, with the result being as though the security detection logic were running inside the virtualization instance. This is described in detail below.
In conjunction with Figure 4, the security detection program can determine, according to the actual security detection requirements, security detection logic agreed in advance with the virtualization manager. That security detection logic runs inside the virtualization manager in the form of a thread. Accordingly, the security detection program determines, according to the actual security detection requirements, the target security detection thread to be monitored, encapsulates the identifier of the target security detection thread into the security detection request, and sends the security detection request to the virtualization manager.
For the virtualization manager, step 502 above can also be implemented as follows: in response to the security detection request, another thread module (defined as the third thread module) is created, and the third thread module is controlled to create the target security detection thread that the security detection request asks to monitor. The target security detection thread can run as a user-mode program on top of the operating system of the virtualization instance, using a pre-packaged system call interface of the virtualization instance. Viewed from the user mode of the virtualization instance, the target security detection thread thus appears like a thread running in the user mode of the virtualization instance, that is, like the target security detection thread agent shown in Figure 4 running in the user mode of the virtualization instance.
Because the target security detection thread runs as a user-mode program on top of the operating system of the virtualization instance through the pre-packaged system call interface, it can access the user-mode address space of that operating system. Consequently, the target security detection thread can obtain the kernel data it is concerned with from the target address space, based on the memory mapping relationship between the kernel-mode address space of the virtualization instance and the user-mode address space of the host machine.
For the specific content of the kernel data the target security detection thread is concerned with, refer to the relevant content of the host machine embodiment above, which is not repeated here.
Further, the target security detection thread outputs the kernel data it has obtained. Accordingly, the third thread module can be controlled to obtain the data output by the target security detection thread as the target data object. The data output by the target security detection thread 105 is the kernel data the target security detection thread is concerned with.
Further, the third thread module can be controlled to provide the kernel data the target security detection thread is concerned with to the security detection program, which can then perform security detection on the virtualization instance based on that kernel data.
From the above three virtualization instance introspection modes, it can be seen that each mode has its own advantages and disadvantages. In practice, any one of the three modes can be implemented on its own, or several of them can be combined. For example, any two of the three modes can be combined, or all three. When several introspection modes are combined, their strengths and weaknesses complement each other, improving the performance of security detection on the virtualization instance.
In an example where several of the three virtualization instance introspection modes are combined, the security detection program determines which introspection mode to use for online security detection. Specifically, the security detection thread selects a target introspection mode from the available modes according to the security detection requirements for the virtualization instance, generates a security detection request according to the identifier of the target introspection mode, and sends the security detection request to the virtualization manager. The virtualization manager then obtains, from the target address space, the target data object associated with the security detection request, based on the memory mapping relationship between the kernel address space of the virtualization instance and the user-mode address space of the host machine and on the identifier of the target introspection mode; the target data object includes at least part of the kernel data of the virtualization instance. The security detection program receives the target data object returned by the virtualization manager and performs security detection on the virtualization instance according to it.
The security detection requirements for the virtualization instance may be decided by the user or by the security detection logic of the security detection program. They may include at least one of: the service performance requirements of the virtualization instance during security detection, the timeliness requirements of security detection, and the logic complexity of the security detection thread that performs security detection on the virtualization instance.
Based on the characteristics of the three modes, the first virtualization instance introspection mode is the least intrusive toward the virtualization instance and has the least impact on its service performance, so it is suited to cases where the virtualization instance is sensitive to service performance. Accordingly, when the security detection requirements indicate that the virtualization instance is sensitive to service performance, the security detection program determines the target introspection mode to be the first mode. The first virtualization instance introspection mode is the mode in which the virtualization manager controls the first thread module to obtain, from the target address space and based on the memory mapping relationship, the target kernel data that the security detection request asks to monitor, as the target data object.
Because the second virtualization instance introspection mode offers more timely security detection, when the security detection requirements indicate that the virtualization instance is sensitive to detection timeliness the security detection program determines the target introspection mode to be the second mode. The second virtualization instance introspection mode is the mode in which the virtualization manager controls the second thread module to install a hook function on a kernel function of the virtualization instance and to obtain the kernel data produced by the target kernel function during its execution as the target data object.
Because the third virtualization instance introspection mode is suited to embodiments with relatively complex security detection logic, when the security detection requirements indicate that the logic complexity of the security detection of the virtualization instance reaches a set level the security detection program determines the target introspection mode to be the third mode. Further, in this case the type of the target object can also be determined to be a security detection thread that performs security detection on the virtualization instance. The third virtualization instance introspection mode is the mode in which the virtualization manager controls the third thread module to create the target security detection thread and to obtain the kernel data output by that thread as the target data object; the target security detection thread runs as a user-mode program on top of the operating system of the virtualization instance, using the pre-packaged system call interface of the virtualization instance, and obtains the kernel data it is concerned with from the target address space based on the memory mapping relationship.
Further, the security detection requirements may also include description information of the target object and the type of the target object. In that case the security detection program determines the identifier of the target object from the description information and type of the target object included in the security detection requirements, generates the security detection request according to the identifier of the target object and the identifier of the target introspection mode, and provides the security detection request to the virtualization manager.
Correspondingly, the virtualization manager obtains the identifier of the target introspection mode from the security detection request and, according to that identifier, creates the target thread module corresponding to the target introspection mode. The target thread module includes at least one of the first thread module, the second thread module and the third thread module: the first mode corresponds to the first thread module, the second mode to the second thread module, and the third mode to the third thread module.
Further optionally, when the security detection request includes the identifier of the target object, the target thread module obtains the identifier of the target object from the security detection request and, based on the memory mapping relationship between the kernel-mode address space of the virtualization instance and the user-mode address space of the host machine, obtains the target data object associated with that identifier from the target address space. Here, the type of the target object may be kernel data, in which case the associated target data object includes the target kernel data that the security detection request asks to monitor; and/or the type may be a target kernel function, in which case the associated target data object includes the kernel data produced during execution of the target kernel function that the security detection request asks to monitor; and/or the type may be a target security detection thread, in which case the associated target data object includes the kernel data the target security detection thread is concerned with.
For the specific implementation of how the thread module corresponding to the target introspection mode obtains the target data object associated with the identifier of the target object from the target address space, based on the memory mapping relationship between the kernel-mode address space of the virtualization instance and the user-mode address space of the host machine, refer to the relevant content of the above embodiments, which is not repeated here.
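The request path of the combined scheme (a mode identifier plus a target object identifier and type, checked on the virtualization manager side before any thread module is created) can be illustrated with the following added C example. It is not the patent's code: the wire format, the field sizes, the precedence among simultaneously set requirements and the rule that each mode accepts exactly one target object type are assumptions made for the example. What it adds to the text is the validation a virtualization manager should apply to a request arriving over the security detection service interface before acting on it: a consistent length, a known mode identifier, and a target object type that matches that mode.

```c
/* Added example: encoding and validating a security detection request.
 * Wire format and mode/type pairing rules are assumptions of the example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum vmi_mode { MODE_SCAN = 1, MODE_HOOK = 2, MODE_AGENT = 3 };   /* first, second, third mode */
enum obj_type { OBJ_KERNEL_DATA = 1, OBJ_KERNEL_FUNC = 2, OBJ_DETECT_THREAD = 3 };

/* The three requirement axes named in the text. */
struct requirements { int perf_sensitive; int timeliness_sensitive; int complex_logic; };

/* Detection-program side. Precedence among several set axes is this example's choice. */
enum vmi_mode select_mode(const struct requirements *r)
{
    if (r->complex_logic)        return MODE_AGENT;
    if (r->timeliness_sensitive) return MODE_HOOK;
    return MODE_SCAN;            /* least intrusive; also the perf_sensitive choice */
}

/* Assumed wire format: u8 mode | u8 type | u16 id_len (big-endian) | id bytes. */
#define HDR_LEN 4
#define MAX_ID  63

int encode_request(uint8_t *out, size_t cap, enum vmi_mode m, enum obj_type t, const char *id)
{
    size_t n = strlen(id);
    if (n > MAX_ID || HDR_LEN + n > cap) return -1;
    out[0] = (uint8_t)m;
    out[1] = (uint8_t)t;
    out[2] = (uint8_t)(n >> 8);
    out[3] = (uint8_t)(n & 0xff);
    memcpy(out + HDR_LEN, id, n);
    return (int)(HDR_LEN + n);
}

struct request { enum vmi_mode mode; enum obj_type type; char id[MAX_ID + 1]; };

/* Object type each mode works on: kernel data, kernel function, detection thread. */
static const enum obj_type expected_type[] = { 0, OBJ_KERNEL_DATA, OBJ_KERNEL_FUNC, OBJ_DETECT_THREAD };

/* Virtualization-manager side: reject anything malformed before a thread module is created. */
int parse_request(const uint8_t *buf, size_t len, struct request *req)
{
    if (len < HDR_LEN) return -1;                                /* truncated header */
    size_t n = ((size_t)buf[2] << 8) | buf[3];
    if (n > MAX_ID || HDR_LEN + n != len) return -1;             /* length mismatch */
    if (buf[0] < MODE_SCAN || buf[0] > MODE_AGENT) return -1;    /* unknown mode */
    if (buf[1] != expected_type[buf[0]]) return -1;              /* type does not fit mode */
    req->mode = (enum vmi_mode)buf[0];
    req->type = (enum obj_type)buf[1];
    memcpy(req->id, buf + HDR_LEN, n);
    req->id[n] = '\0';
    return 0;
}

int main(void)
{
    struct requirements need = { .timeliness_sensitive = 1 };
    uint8_t wire[HDR_LEN + MAX_ID];
    struct request req;
    int n = encode_request(wire, sizeof wire, select_mode(&need), OBJ_KERNEL_FUNC, "copy_process");
    if (n > 0 && parse_request(wire, (size_t)n, &req) == 0)
        printf("mode=%d type=%d id=%s\n", req.mode, req.type, req.id);
    return 0;
}
```

Once `parse_request` succeeds, the virtualization manager creates the thread module for `req.mode` and hands it `req.id`: a kernel data identifier for the first mode, a kernel function identifier (with its tracepoint and hook identifiers in the real request) for the second, and a detection thread identifier for the third.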
When the embodiments of the present disclosure are implemented with several virtualization instance introspection modes combined, the modes complement one another's strengths and weaknesses, improving the performance of security detection on the virtualization instance.
It should be noted that the steps of the method provided by the above embodiments may all be executed by the same device, or the method may be executed by different devices. For example, steps 501 and 502 may both be executed by device A; or step 501 may be executed by device A and step 502 by device B; and so on.
In addition, some of the flows described in the above embodiments and drawings include multiple operations that appear in a particular order, but it should be clearly understood that these operations need not be executed in the order in which they appear herein and may be executed in parallel. Operation numbers such as 501 and 502 serve only to distinguish the different operations; the numbers themselves do not represent any execution order. These flows may also include more or fewer operations, and those operations may be executed sequentially or in parallel.
Correspondingly, the embodiments of the present disclosure also provide an electronic device that can be implemented as a host machine on which a virtualization manager, a virtualization instance managed by the virtualization manager, and a security detection program located outside the virtualization instance are deployed; the virtualization manager provides a security detection service interface to the security detection program for interaction with it. As shown in Figure 6, the electronic device further includes a memory 61 and a processor 62. The memory 61 stores the program code corresponding to the virtualization manager and the security detection program. The processor 62 is coupled to the memory 61 and executes the program code corresponding to the virtualization manager so as to implement the method steps executable by the virtualization manager in the foregoing method embodiments, and executes the security detection program so as to implement the method steps executable by the security detection program in the foregoing method embodiments. For a detailed description of each method step, refer to the foregoing embodiments, which is not repeated here.
Further, as shown in Figure 6, the electronic device of this embodiment also includes other components such as a communication component 63, a display 64, a power component 65 and an audio component 66. Figure 6 shows only some components schematically, which does not mean that the electronic device includes only the components shown in Figure 6. In addition, the components inside the dashed box in Figure 6 are optional rather than mandatory, depending on the product form of the electronic device. The electronic device of this embodiment can be implemented as a terminal device such as a desktop computer, laptop computer, smartphone or IoT device, or as a server device such as a traditional server, a cloud server or a server cluster.
Accordingly, an embodiment of the present disclosure further provides a computer-readable storage medium storing computer instructions which, when executed by one or more processors, cause the one or more processors to execute the steps of the above virtualization instance introspection method.
An embodiment of the present disclosure further provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the above virtualization instance introspection method.
It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, stored data, displayed data, etc.) involved in the present disclosure are all information and data authorized by the user or fully authorized by all parties, and the collection, use and processing of the relevant data must comply with the relevant laws, regulations and standards of the relevant countries and regions, with corresponding operation entries provided for users to choose to authorize or refuse.
It should also be noted that descriptions such as "first" and "second" herein are used to distinguish different messages, devices, modules, etc.; they do not represent an order of precedence, nor do they restrict "first" and "second" to different types.
Those skilled in the art should understand that the embodiments of the present disclosure may be provided as a method, a system, or a computer program product. Therefore, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present disclosure may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, Compact Disc Read-Only Memory (CD-ROM), optical storage, etc.) containing computer-usable program code.
The present disclosure is described with reference to flowcharts and/or block diagrams of the method, device (or system), and computer program product according to embodiments of the present disclosure. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus that implements the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (such as CPUs), an input/output interface, a network interface, and memory.
The memory may include non-permanent storage in a computer-readable medium, in forms such as random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
The storage medium of a computer is a readable storage medium, which may also be referred to as a readable medium. Readable storage media include permanent and non-permanent, removable and non-removable media that can implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random-access memory (SRAM), dynamic random-access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media, such as modulated data signals and carrier waves.
It should also be noted that the terms "comprise", "include" or any other variants thereof are intended to cover non-exclusive inclusion, such that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not explicitly listed, or also includes elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "comprising a ..." does not exclude the existence of other identical elements in the process, method, article or device comprising that element.
The above are merely embodiments of the present disclosure and are not intended to limit it. Various modifications and variations of the present disclosure are possible for those skilled in the art. Any modification, equivalent substitution, improvement, etc. made within the spirit and principle of the present disclosure shall fall within the scope of the claims of the present disclosure.
Claims (16)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311249724.5 | 2023-09-26 | | |
| CN202311249724.5A (CN116991543B) | 2023-09-26 | 2023-09-26 | Host, virtualized instance introspection method and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025066589A1 (en) | 2025-04-03 |
Family
ID=88530525
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2024/111330 (WO2025066589A1, pending) | Host machine, virtualization instance introspection method, and storage medium | 2023-09-26 | 2024-08-12 |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN116991543B (en) |
| WO (1) | WO2025066589A1 (en) |
- 2023-09-26: CN application CN202311249724.5A, granted as CN116991543B (Active)
- 2024-08-12: WO application PCT/CN2024/111330, published as WO2025066589A1 (Pending)
Also Published As
| Publication number | Publication date |
|---|---|
| CN116991543B (en) | 2024-02-02 |
| CN116991543A (en) | 2023-11-03 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 24870137; Country of ref document: EP; Kind code of ref document: A1 |