Interception and Identification of Guest OS Non-trapping System Call Instruction within VMM

Xiong Haiquan; Liu Zhiyong; Xu Weizhi; Tang Shibin; Fan Dongrui

doi:10.7544/issn1000-1239.2014.20130612

Journal of Computer Research and Development > 2014 > 51(10): 2348-2359. > DOI: 10.7544/issn1000-1239.2014.20130612

Xiong Haiquan, Liu Zhiyong, Xu Weizhi, Tang Shibin, Fan Dongrui. Interception and Identification of Guest OS Non-trapping System Call Instruction within VMM[J]. Journal of Computer Research and Development, 2014, 51(10): 2348-2359. DOI: 10.7544/issn1000-1239.2014.20130612

Citation:

PDF (3557 KB)

Interception and Identification of Guest OS Non-trapping System Call Instruction within VMM

¹(State Key Laboratory of Computer Architecture, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190)
²(University of Chinese Academy of Sciences, Beijing 100049)
³(Institute of Microelectronics, Tsinghua University, Beijing 100084)

More Information

Published Date: September 30, 2014

Graphical Abstract

Abstract

Abstract

To solve the problem that VMM can not monitor and control some Guest OS specific behavior due to its non-trapping feature in virtualized computing environment, an idea has been proposed to make those non-trapping instructions trap into VMM through modifying their normal execution conditions so as to cause system exception. According to the idea, special methods have been explored on how to intercept and identify the three different non-trapping system call instructions of x86 architecture from Guest OS within VMM. The int and sysenter instructions trap into VMM through causing GP system exception, while syscall instruction trap into VMM through causing UD system exception. They are identified with the virtual CPU context information within VMM. The Qemu&Kvm based prototype indicates that VMM can successfully intercept and identify all the three system call behaviors from Guest OS, and the performance overhead is within an accepted range for normal applications. For example, in unixbench shell test case, the performance overhead ratio is range 1900 to 2608. Compared with existing methods, they are all based on the architecture specification, so the advantage is that they are transparent to Guest OS and need not any modifications to Guest OS.
- Guest OS,
- virtual machine monitor (VMM),
- virtualization,
- non-trapping instruction,
- system call

FullText(HTML)

References (0)

[1]	Chen Maotang, Zheng Sheng’an, You Litong, Wang Jingyu, Yan Tian, Tu Yaofeng, Han Yinjun, Huang Linpeng. A Distributed Persistent Memory File System Based on RDMA Multicast[J]. Journal of Computer Research and Development, 2021, 58(2): 384-396. DOI: 10.7544/issn1000-1239.2021.20200369
[2]	Chen Xingshu, Chen Jiaxin, Jin Xin, Ge Long. Process Abnormal Detection Based on System Call Vector Space in Cloud Computing Environments[J]. Journal of Computer Research and Development, 2019, 56(12): 2684-2693. DOI: 10.7544/issn1000-1239.2019.20180843
[3]	Wu Song, Wang Kun, Jin Hai. Research Situation and Prospects of Operating System Virtualization[J]. Journal of Computer Research and Development, 2019, 56(1): 58-68. DOI: 10.7544/issn1000-1239.2019.20180720
[4]	Xiang Yong, Cao Ruidong, Mao Yingming. QEMU-Based Dynamic Function Call Tracing[J]. Journal of Computer Research and Development, 2017, 54(7): 1569-1576. DOI: 10.7544/issn1000-1239.2017.20160094
[5]	Li Zhen, Tian Junfeng, and Yang Xiaohui. Program Behavior Monitoring Based on System Call Attributes[J]. Journal of Computer Research and Development, 2012, 49(8): 1676-1684.
[6]	Chen Hao, Peng Cuifen, Sun Jianhua, and Shi Lin. XenRPC:Design and Implementation of Security VM Remote Procedure Call[J]. Journal of Computer Research and Development, 2012, 49(5): 996-1004.
[7]	Li Bo, Li Jianxin, Hu Chunming, Wo Tianyu, and Huai Jinpeng. Software Integrity Verification Based on VMM-Level System Call Analysis Technique[J]. Journal of Computer Research and Development, 2011, 48(8): 1438-1446.
[8]	Zhao Feng, Jin Hai, Jin Li, Yuan Pingpeng. VFRS: A Novel Approach for Intrusion Tolerance in Virtual Computing Environment[J]. Journal of Computer Research and Development, 2010, 47(3): 493-499.
[9]	Tian Xinguang, Gao Lizhi, Sun Chunlai, Zhang Eryang. Anomaly Detection of Program Behaviors Based on System Calls and Homogeneous Markov Chain Models[J]. Journal of Computer Research and Development, 2007, 44(9): 1538-1544.
[10]	Xiong Tinggang, Ma Zhong, Yuan Youguang. Research on Synchronization Technology of Fault-Tolerant Computer System Based on Operating System Calls[J]. Journal of Computer Research and Development, 2006, 43(11): 1985-1992.