Method and device for enhancing isolation of user space and kernel space

Document number: 1432168  Publication date: 2020-03-17  Views: 11  Language: Chinese

Reading note: The technique 增强用户空间与内核空间的隔离性的方法和装置 (Method and device for enhancing isolation of user space and kernel space) was created by 夏虞斌, 华志超 and 翟征德 on 2018-07-11. Summary: this application provides a method and device for enhancing the isolation between user space and kernel space. The extended page table is split into a kernel-mode extended page table and a user-mode extended page table, so that user-mode code cannot access part or all of the contents of the kernel space, and/or kernel-mode code cannot access part of the contents of the user space, thereby enhancing the isolation between user space and kernel space and preventing the contents of the kernel space from leaking.

A method for enhancing isolation of a user space from a kernel space, the method being applied to a virtualization system comprising a virtual machine and a virtual machine monitor, the virtual machine monitor being configured to manage the virtual machine, the method comprising:

the virtual machine monitor creates at least two extended page tables, wherein the at least two extended page tables comprise a user mode extended page table and a kernel mode extended page table, the user mode extended page table is used for being called by a processor running the virtual machine when the virtual machine executes user mode code, and the kernel mode extended page table is used for being called by the processor running the virtual machine when the virtual machine executes kernel mode code;

and the virtual machine monitor performs mapping processing on the user mode extended page table and/or the kernel mode extended page table, wherein part or all of the page table pages used for translating kernel-mode guest virtual addresses in the guest page table are mapped to invalid page table pages through the user mode extended page table, and/or part of the page table pages used for translating user-mode guest virtual addresses in the guest page table are mapped to the invalid page table pages through the kernel mode extended page table.

The method of claim 1, wherein the invalid page table page is a host physical page having all 0's.

The method of claim 1 or 2, wherein before the virtual machine monitor creates at least two extended page tables, the method further comprises:

the virtual machine monitor determines a page table page in the guest page table for translating a kernel-mode guest virtual address.

The method of claim 3, wherein the guest page table comprises a level 4 page table page and a level 3 page table page, and wherein the virtual machine monitor determines a page table page in the guest page table for translating a kernel-mode guest virtual address, comprising:

the virtual machine monitor determines a level 3 page table page in the guest page table for translating a kernel-mode guest virtual address.

The method of claim 4, wherein the virtual machine monitor determining a level 3 page table page in the guest page table for translating a kernel-mode guest virtual address comprises:

the virtual machine monitor sets a read-write attribute of a level 3 page table page used for translating a kernel-mode guest virtual address in the guest page table to be virtual machine read-only, wherein a virtual machine read-only page table page in the guest page table is used for triggering a virtual machine exit when being modified by the virtual machine;

when the virtual machine exit is triggered, the virtual machine monitor determines whether a level 3 page table page in the guest page table for translating a kernel-mode guest virtual address is filled;

when a 3-level page table page used for translating a kernel-mode guest virtual address in the guest page table is filled, the virtual machine monitor sets the read-write attribute of all 4-level page table pages in the guest page table to be virtual machine read-only;

the virtual machine monitor executes a virtual machine entry operation;

when the virtual machine exit is again triggered, the virtual machine monitor determines whether the level 4 page table page is modified;

when the 4-level page table page is modified, the virtual machine monitor determines a newly added 3-level page table page in the guest page table for translating a kernel-mode guest virtual address according to the modified 4-level page table page.
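Claim 5 (and its apparatus counterpart, claim 14) describes how the monitor discovers the kernel-half level-3 tables without parsing the whole guest page table up front: it write-protects the level-3 tables it already knows, waits until the guest has filled one, and only then write-protects the level-4 table so that newly linked level-3 tables are caught as they are installed. The following is an added example, not code from the patent or its authors, that simulates this state machine in Python. Tables are shortened to four entries (upper half is the kernel half), the `Vmm` class, the `guest_store_pte` helper and every address are constructed for the illustration, and "filled" is taken to mean that every entry of the table is present.

```python
# Added example (not from the patent): simulation of the write-protection based
# discovery of kernel-half level-3 page table pages (claims 5 and 14).
PRESENT = 0x1
ENTRIES = 4                             # toy tables hold 4 entries instead of 512
KERNEL_IDX = range(ENTRIES // 2, ENTRIES)   # upper half translates kernel-mode GVAs


def page_of(pte):
    return pte & ~0xFFF


class Vmm:
    """Hypothetical monitor state: which guest pages are EPT read-only and why."""

    def __init__(self, guest_mem):
        self.mem = guest_mem            # GPA -> list of ENTRIES guest page-table entries
        self.ept_read_only = set()      # GPAs whose EPT entry is VM read-only
        self.l4 = None
        self.kernel_l3 = set()          # level-3 tables that translate kernel-mode GVAs
        self.exits = []                 # (gpa, index) of every trapped store

    def on_cr3_load(self, cr3):
        """Claim 7: base-address modification tells the monitor where the guest table is."""
        self.l4 = cr3
        for idx in KERNEL_IDX:
            pte = self.mem[cr3][idx]
            if pte & PRESENT:
                self.track_kernel_l3(page_of(pte))

    def track_kernel_l3(self, gpa):
        """Step 1: make the kernel-half level-3 table VM read-only so writes exit."""
        self.kernel_l3.add(gpa)
        self.ept_read_only.add(gpa)

    def on_write_exit(self, gpa, idx, value):
        """VM exit handler for a store to an EPT read-only page-table page."""
        self.exits.append((gpa, idx))
        self.mem[gpa][idx] = value      # emulate the trapped store on the guest's behalf
        if gpa in self.kernel_l3:
            # Step 2/3: once a kernel level-3 table is filled, protect the level-4 table.
            if all(e & PRESENT for e in self.mem[gpa]):
                self.ept_read_only.add(self.l4)
        elif gpa == self.l4:
            # Step 5/6: level-4 modified; a present kernel-half entry names a new level-3 table.
            if idx in KERNEL_IDX and value & PRESENT:
                self.track_kernel_l3(page_of(value))
        # Step 4 (VM entry) is implicit: control returns to the guest after this handler.


def guest_store_pte(vmm, gpa, idx, value):
    """Guest-side store to a page-table entry; an EPT read-only page causes a VM exit."""
    if gpa in vmm.ept_read_only:
        vmm.on_write_exit(gpa, idx, value)
    else:
        vmm.mem[gpa][idx] = value


def run_scenario():
    """Constructed guest: one kernel level-3 table at boot, a second one added later."""
    L4, USER_L3, KERN_L3, NEW_KERN_L3 = 0x1000, 0x2000, 0x3000, 0xC000
    mem = {
        L4:          [USER_L3 | PRESENT, 0, KERN_L3 | PRESENT, 0],
        USER_L3:     [0] * ENTRIES,
        KERN_L3:     [0x5000 | PRESENT, 0, 0, 0],   # partially filled at CR3 load
        NEW_KERN_L3: [0] * ENTRIES,
    }
    vmm = Vmm(mem)
    vmm.on_cr3_load(L4)
    # user-half page-table writes are not protected and do not exit
    guest_store_pte(vmm, USER_L3, 0, 0x4000 | PRESENT)
    # the guest fills the remaining kernel level-3 entries; each store exits
    for i, next_gpa in ((1, 0x6000), (2, 0x7000), (3, 0x8000)):
        guest_store_pte(vmm, KERN_L3, i, next_gpa | PRESENT)
    # the guest links a second kernel level-3 table into the now read-only level-4 table
    guest_store_pte(vmm, L4, 3, NEW_KERN_L3 | PRESENT)
    return vmm


if __name__ == "__main__":
    v = run_scenario()
    print("trapped stores:", [(hex(g), i) for g, i in v.exits])
    print("kernel L3 tables:", sorted(map(hex, v.kernel_l3)))
    print("EPT read-only pages:", sorted(map(hex, v.ept_read_only)))
```

Only guest software stores are trapped in this model. On real hardware the processor's own page walker also writes to these pages (accessed and dirty bits), and a read-only EPT mapping would make every such walk exit; that is why claim 6 exposes the protected tables under two guest physical addresses for the same host page, one read-only for the guest's software accesses and one writable for the processor's walks.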

The method of claim 5, further comprising:

the virtual machine monitor maps a level 3 page table page and a level 4 page table page whose read-write attribute is virtual machine read-only in the guest page table to a first guest physical address, the first guest physical address is different from a second guest physical address, the read-write attribute of the first guest physical address in the kernel mode extended page table is virtual machine read-only, and the read-write attribute of the second guest physical address in the user mode extended page table and the kernel mode extended page table is virtual machine readable and writable, wherein the first guest physical address is a guest physical address used by the virtual machine, the second guest physical address is a guest physical address used by the processor, and the first guest physical address and the second guest physical address are mapped to the same host physical address.

The method of any of claims 3 to 6, wherein before the virtual machine monitor determines a page table page in the guest page table for translating a kernel-mode guest virtual address, the method further comprises:

the virtual machine monitor acquires base address modification information, wherein the base address modification information is used for indicating the storage position of the guest page table;

and the virtual machine monitor acquires the guest page table according to the base address modification information.

The method of any of claims 1-7, wherein the virtual machine monitor is located on a first host,

before the virtual machine monitor creates at least two extended page tables, the method further comprises:

the virtual machine monitor migrating the virtual machine from a first host to a second host using a virtual machine live migration technique;

the virtual machine monitor writing a first switching code at a virtual machine kernel mode entry of the first host and writing a second switching code at a virtual machine kernel mode exit of the first host, wherein the first switching code is used for switching the user mode extended page table to the kernel mode extended page table and the second switching code is used for switching the kernel mode extended page table to the user mode extended page table;

after the virtual machine monitor performs mapping processing on the user mode extension page table and/or the kernel mode extension page table, the method further includes:

the virtual machine monitor migrates the virtual machine from the second host to the first host using a virtual machine live migration technique.

The method of claim 8, wherein the first and second switching codes are used to invoke extended page table switching functionality of a processor of the first host.

An apparatus for enhancing isolation of a user space from a kernel space, the apparatus being applied to a virtualization system comprising a virtual machine and a virtual machine monitor, the virtual machine monitor being configured to manage the virtual machine, the apparatus comprising an extended page table construction module configured to:

creating at least two extended page tables, wherein the at least two extended page tables comprise a user mode extended page table and a kernel mode extended page table, the user mode extended page table is used for being called by a processor running a virtual machine when the virtual machine executes user mode code, and the kernel mode extended page table is used for being called by the processor running the virtual machine when the virtual machine executes kernel mode code;

and performing mapping processing on the user mode extended page table and/or the kernel mode extended page table, wherein part or all of the page table pages used for translating kernel-mode guest virtual addresses in the guest page table are mapped to invalid page table pages through the user mode extended page table, and/or part of the page table pages used for translating user-mode guest virtual addresses in the guest page table are mapped to the invalid page table pages through the kernel mode extended page table.

The apparatus of claim 10, wherein the invalid page table page is a host physical page having all 0's.

The apparatus of claim 10 or 11, further comprising:

a guest page table tracking module configured to:

determine a page table page in the guest page table for translating a kernel-mode guest virtual address.

The apparatus of claim 12, wherein the guest page table comprises a level 4 page table page and a level 3 page table page, and wherein the guest page table tracking module is specifically configured to:

determining a level 3 page table page in the guest page table for translating a kernel-mode guest virtual address.

The apparatus of claim 13, wherein the guest page table tracking module is specifically configured to:

setting a read-write attribute of a level 3 page table page used for translating a kernel-mode guest virtual address in the guest page table to be virtual machine read-only, wherein a virtual machine read-only page table page in the guest page table is used for triggering a virtual machine exit when being modified by the virtual machine;

determining whether a level 3 page table page in the guest page table for translating a kernel-mode guest virtual address is filled when the virtual machine exit is triggered;

when a level 3 page table page for translating a kernel-mode guest virtual address in the guest page table is filled, setting the read-write attribute of all level 4 page table pages in the guest page table to be virtual machine read-only;

executing a virtual machine entry operation;

determining whether the level 4 page table page is modified when the virtual machine exit is again triggered;

when the level 4 page table page is modified, determining a newly added level 3 page table page used for translating a kernel-mode guest virtual address in the guest page table according to the modified level 4 page table page.

The apparatus of claim 14, wherein the extended page table tracking module is further configured to:

mapping a level 3 page table page and a level 4 page table page whose read-write attribute is virtual machine read-only in the guest page table to a first guest physical address, wherein the first guest physical address is different from a second guest physical address, the read-write attribute of the first guest physical address in the kernel mode extended page table is virtual machine read-only, and the read-write attribute of the second guest physical address in the user mode extended page table and the kernel mode extended page table is virtual machine readable and writable, wherein the first guest physical address is a guest physical address used by the virtual machine, the second guest physical address is a guest physical address used by the processor, and the first guest physical address and the second guest physical address are mapped to the same host physical address.

The apparatus of any of claims 12 to 15, wherein the extended page table tracking module is further configured to:

obtaining base address modification information, wherein the base address modification information is used for indicating a storage position of the guest page table;

and acquiring the guest page table according to the base address modification information.

The apparatus of any of claims 10 to 16, wherein the virtual machine monitor is located on a first host, the apparatus further comprising a live migration module and a dynamic image modification module,

the live migration module is configured to: migrate the virtual machine from the first host to a second host using a virtual machine live migration technique;

the dynamic image modification module is configured to: write a first switching code at a virtual machine kernel mode entry of the first host and write a second switching code at a virtual machine kernel mode exit of the first host, wherein the first switching code is used for switching the user mode extended page table to the kernel mode extended page table, and the second switching code is used for switching the kernel mode extended page table to the user mode extended page table;

the live migration module is further configured to: migrate the virtual machine from the second host to the first host using a virtual machine live migration technique.

The apparatus of claim 17, wherein the first and second switching codes are configured to invoke extended page table switching functionality of a processor of the first host.

An apparatus for enhancing isolation of user space from kernel space, comprising:

a memory for storing instructions, and

a processor, coupled to the memory, for invoking the instructions stored by the memory to perform the steps of the method of any of claims 1-9.

A computer-readable storage medium having stored thereon computer program code which, when executed by a processing unit or processor, enhances isolation of user space from kernel space by causing an apparatus to perform the method steps of any one of claims 1 to 9.

A virtualization system comprising a hardware layer, and a virtual machine monitor running on top of the hardware layer, and a virtual machine running on top of the virtual machine monitor, the virtual machine monitor to manage the virtual machine, the hardware layer comprising a processor, wherein:

the virtual machine monitor is used for creating at least two extended page tables, wherein the at least two extended page tables comprise a user mode extended page table and a kernel mode extended page table, the user mode extended page table is used for being called by a processor running the virtual machine when the virtual machine executes user mode code, and the kernel mode extended page table is used for being called by the processor running the virtual machine when the virtual machine executes kernel mode code;

the virtual machine monitor is further configured to perform mapping processing on the user mode extended page table and/or the kernel mode extended page table, so that the user mode extended page table maps part or all of page table pages used for translating the kernel mode guest virtual address in the guest page table to an invalid page table page, and/or so that the kernel mode extended page table maps part of page table pages used for translating the user mode guest virtual address in the guest page table to the invalid page table page.
