WO2020173083A1 - Microkernel inter-process communication method and system - Google Patents

Microkernel inter-process communication method and system

Info

Publication number
WO2020173083A1
Authority
WO
WIPO (PCT)
Prior art keywords
kernel
page table
processes
microkernel
page
Prior art date
Legal status
Ceased
Application number
PCT/CN2019/106833
Other languages
English (en)
Chinese (zh)
Inventor
陈海波
糜泽羽
臧斌宇
管海兵
Current Assignee
Shanghai Jiao Tong University
Original Assignee
Shanghai Jiao Tong University
Priority date
Filing date
Publication date

Classifications

    • G06F12/10 Address translation (under G06F12/00 Accessing, addressing or allocating within memory systems or architectures; G06F12/02 Addressing or allocation; Relocation; G06F12/08 ... in hierarchically structured memory systems, e.g. virtual memory systems)
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50; G06F21/52 ... e.g. stack integrity; preventing unwanted data erasure; buffer overflow)
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines (under G06F9/00 Arrangements for program control; G06F9/06 ... using stored programs; G06F9/44 Arrangements for executing specific programs)
    • G06F9/54 Interprogram communication (under G06F9/00 Arrangements for program control; G06F9/06 ... using stored programs; G06F9/46 Multiprogramming arrangements)

Definitions

  • The invention relates to the technical field of operating-system microkernels, in particular to a microkernel inter-process communication method and system, and more specifically to an efficient and secure microkernel inter-process communication method and system.
  • Since the microkernel was proposed in the last century, after some 30 years of research and development, its key design principle is to provide only the most basic mechanisms in the operating-system kernel and to move most other kernel functions out of kernel mode into user-mode server processes. An error in one server process therefore does not affect other server processes, nor the microkernel itself, so the design improves the robustness of the microkernel. At the same time, removing most functions from kernel mode effectively reduces the trusted computing base (TCB), making the system less susceptible to attack and easier to verify formally. Because of these advantages, microkernels are widely used in fields that depend heavily on safety and reliability, such as aviation, in-vehicle systems and medical equipment.
  • TCB: trusted computing base
  • In a microkernel, communication between any two processes depends on the inter-process communication mechanism, which is known to be a major source of runtime overhead.
  • One inter-process communication first needs a system call to trap into the microkernel; the microkernel then locates the target process and copies the message to it. It also needs two process address-space switches (if the recent Meltdown attack is to be defended against), and finally a return to user mode. Returning to the original process repeats the whole sequence.
  • seL4 uses a fast-path technique for the Call and ReplyWait system calls. The fast path delivers the message directly to the target process without scheduling, and all transmitted data is held in registers, which also removes the data-copy overhead. But seL4 has drawbacks: first, the fast path still traps into the kernel, so its performance overhead remains relatively large; second, the fast path applies only to some system calls (Call and ReplyWait) and can transmit only a small amount of data at a time.
  • Schemes based on hardware modification can greatly lower the cost of microkernel inter-process communication.
  • The dIPC project places all inter-process communication participants in the same virtual address space by modifying the hardware.
  • Subsequent inter-process communication is then realised entirely in hardware: one process directly calls a function of another process without the help of the operating-system kernel.
  • Isolation between processes relies on the tagged memory implemented by dIPC, which also requires hardware modification.
  • dIPC requires major changes to software in order to use the interface it proposes.
  • Major modifications to the operating-system kernel are required to adapt to the new inter-process communication method. A technique that modifies the hardware also needs a long testing period before it can be used at scale, and it is harder to deploy than a method that directly uses mature commercial hardware. Such a method is therefore unlikely to be accepted in the short term.
  • Patent document CN103425538A discloses a process communication method that allocates memory space in response to a process communication request, stores the communication data in that memory space, writes the logical address of the memory space into a message queue, and accesses the communication data through the logical address read from the message queue.
  • That process communication method and system allocate the memory space for the communication data when the process communication request is received, which removes the need to partition the communication-data storage space in advance, and write the logical address of the memory space into the message queue.
  • Because the communication data is accessed by reading logical addresses from the message queue, the data access process can access the communication data in an orderly manner by reading the logical addresses one by one under the control of the message queue; communication between multiple processes thus needs no copying of communication data, which greatly improves the flexibility of data sharing.
  • The purpose of the present invention is to provide a microkernel inter-process communication method and system.
  • A method for communication between microkernel processes provided by the present invention includes:
  • Lightweight virtualization step: start a hardware-supported virtualization environment, turn the microkernel into a sub-kernel, and construct a root kernel beneath it that interacts with the virtualization environment;
  • Extended page table step: construct a corresponding extended page table for each process, divide the processes into client processes and server processes, and fill the base address of the client process's page table into the extended page table of the server process;
  • Fast communication step: provide an interface oriented to user-mode processes, through which processes can switch address spaces in user mode;
  • Binary modification step: scan the code pages of the process and replace illegal code-jump instructions.
  • The lightweight virtualization step includes:
  • Root kernel initialization step: initialize the root kernel after the sub-kernel has started, dynamically move the sub-kernel into non-privileged mode, and have the root kernel provide an interface for managing the extended page tables;
  • Process identification step: allocate one memory page per process to record the identity of the process (the identity information page), and map this page into the process's extended page table and into the virtual address space of the sub-kernel, so that the sub-kernel can read, through that virtual address, the identity information page of whichever process has just trapped into it and thereby identify that process.
  • The identity information page has the same guest physical address in the extended page tables of the different processes.
  • The root kernel configures the VMCS fields so that executing privileged instructions does not cause a VM exit into the virtualization layer; for VM exits caused by hardware events, the root kernel lets the hardware deliver the external interrupt to the sub-kernel in non-privileged mode; for VM exits caused by violations of extended page table access, the root kernel uses large pages to map the physical memory addresses to the sub-kernel.
  • The extended page table step includes:
  • Initialization step: register the server process with the sub-kernel during initialization.
  • The sub-kernel notifies the root kernel to copy an extended page table for the client process and for the server process respectively, and to add the extended page table mappings;
  • The client process switches to the server process by entering a trampoline ("springboard") code page.
  • The trampoline code page executes the VMFUNC instruction to change the extended page table pointer from the client process's extended page table to the server process's extended page table, without modifying the CR3 register value.
  • Small amounts of data are passed in CPU registers; for large transfers a shared buffer is allocated and its address is mapped into the extended page tables of both the client process and the server process.
  • An implanted single VMFUNC instruction is replaced by three null (NOP) instructions; for an illegal instruction pieced together from the bytes of adjacent instructions, a null instruction is inserted between the adjacent instructions; for an illegal instruction that lies inside a longer instruction, the long instruction is first replaced by several equivalent instructions and then processed.
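The binary modification step described above, as an added example in C: it scans a code page for the VMFUNC byte pattern regardless of instruction alignment, classifies each hit as a whole instruction, a sequence straddling two adjacent instructions, or a sequence inside a longer instruction, and applies the three treatments the text lists. This is constructed illustration code, not the patent's or the authors' code. VMFUNC's encoding 0F 01 D4 is Intel's documented opcode; the instruction-boundary table, the 16-byte sample page and every function name are assumptions. A real implementation would take the boundaries from an x86 decoder, re-encode relative branches after inserting a NOP, and rewrite the embedded case with an assembler, which the toy only counts.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example of the page's dynamic binary modification step; not the
 * patent's code. VMFUNC is encoded as the bytes 0F 01 D4. Instruction boundaries
 * would come from an x86 decoder this toy does not include; the table below is hand-written. */
static const uint8_t VMFUNC_OPC[3] = { 0x0F, 0x01, 0xD4 };
#define NOP  0x90
#define MAXM 64

typedef struct { size_t off, len; } insn_t;
enum match_kind { STANDALONE, ADJACENT, EMBEDDED };
typedef struct { size_t off; enum match_kind kind; size_t insn; } match_t;

/* Every byte offset at which the pattern starts, ignoring instruction alignment. */
static size_t find_pattern(const uint8_t *page, size_t n, size_t *hits, size_t max) {
    size_t k = 0;
    for (size_t i = 0; i + 3 <= n && k < max; i++)
        if (memcmp(page + i, VMFUNC_OPC, 3) == 0) hits[k++] = i;
    return k;
}

/* Index of the instruction that covers byte offset `off` (ninsn if none). */
static size_t insn_at(const insn_t *insns, size_t ninsn, size_t off) {
    for (size_t i = 0; i < ninsn; i++)
        if (off >= insns[i].off && off < insns[i].off + insns[i].len) return i;
    return ninsn;
}

/* Classify each hit by the instruction in which its first byte lies. */
static size_t scan_page(const uint8_t *page, size_t n, const insn_t *insns, size_t ninsn,
                        match_t *out, size_t max) {
    size_t hits[MAXM], nh = find_pattern(page, n, hits, MAXM), k = 0;
    for (size_t h = 0; h < nh && k < max; h++) {
        size_t i = insn_at(insns, ninsn, hits[h]);
        if (i == ninsn) continue;
        match_t m = { hits[h], ADJACENT, i };                /* default: straddles a seam */
        if (insns[i].off == hits[h] && insns[i].len == 3)    m.kind = STANDALONE;
        else if (hits[h] + 3 <= insns[i].off + insns[i].len) m.kind = EMBEDDED;
        out[k++] = m;
    }
    return k;
}

/* Rewrite: standalone VMFUNC -> three NOPs; a pattern straddling two instructions
 * -> one NOP inserted at the seam; a pattern inside a longer instruction is only
 * counted in *embedded (replacing it needs an assembler). Relative branches crossing
 * an inserted NOP would need re-encoding (none here). Fills oi/noi, returns length. */
static size_t rewrite_page(const uint8_t *page, size_t n, const insn_t *insns, size_t ninsn,
                           uint8_t *out, insn_t *oi, size_t *noi, size_t *embedded) {
    match_t ms[MAXM];
    size_t nm = scan_page(page, n, insns, ninsn, ms, MAXM), o = 0;
    *noi = 0; *embedded = 0;
    for (size_t i = 0; i < ninsn; i++) {
        int standalone = 0;
        for (size_t m = 0; m < nm; m++) {
            if (ms[m].kind == ADJACENT && ms[m].insn + 1 == i) {   /* pad the seam */
                oi[(*noi)++] = (insn_t){ o, 1 }; out[o++] = NOP;
            }
            if (ms[m].kind == STANDALONE && ms[m].insn == i) standalone = 1;
            if (ms[m].kind == EMBEDDED && ms[m].insn == i) (*embedded)++;
        }
        size_t len = standalone ? 3 : insns[i].len;
        if (standalone) memset(out + o, NOP, 3);
        else memcpy(out + o, page + insns[i].off, len);
        oi[(*noi)++] = (insn_t){ o, len };
        o += len;
    }
    return o;
}

/* Constructed 16-byte x86-64 code page with hand-written boundaries:
 *  0: 48 89 C7        mov rdi, rax
 *  3: 0F 01 D4        vmfunc               <- standalone
 *  6: B0 0F           mov al, 0x0F         <- 0F 01 D4 straddles this seam
 *  8: 01 D4           add esp, edx
 * 10: B8 0F 01 D4 00  mov eax, 0x00D4010F  <- pattern inside the immediate
 * 15: C3              ret                                                  */
static const uint8_t PAGE[16] = { 0x48,0x89,0xC7, 0x0F,0x01,0xD4, 0xB0,0x0F, 0x01,0xD4,
                                  0xB8,0x0F,0x01,0xD4,0x00, 0xC3 };
static const insn_t INSNS[6] = { {0,3}, {3,3}, {6,2}, {8,2}, {10,5}, {15,1} };

static size_t example_match_count(void) { match_t ms[MAXM]; return scan_page(PAGE, sizeof PAGE, INSNS, 6, ms, MAXM); }
static int example_match_kind(size_t i) {
    match_t ms[MAXM]; size_t n = scan_page(PAGE, sizeof PAGE, INSNS, 6, ms, MAXM);
    return i < n ? (int)ms[i].kind : -1;
}
/* Rewritten length; surviving raw hits and embedded count via pointers. */
static size_t example_rewrite(size_t *remaining, size_t *embedded) {
    uint8_t out[32]; insn_t oi[16]; size_t noi, hits[MAXM];
    size_t len = rewrite_page(PAGE, sizeof PAGE, INSNS, 6, out, oi, &noi, embedded);
    *remaining = find_pattern(out, len, hits, MAXM);
    return len;
}
static size_t example_rewritten_len(void)  { size_t r, e; return example_rewrite(&r, &e); }
static size_t example_remaining_hits(void) { size_t r, e; example_rewrite(&r, &e); return r; }
static size_t example_embedded_count(void) { size_t r, e; example_rewrite(&r, &e); return e; }

int main(void) {
    printf("hits before: %zu; after rewrite: %zu bytes, %zu raw hit(s) left, %zu embedded\n",
           example_match_count(), example_rewritten_len(), example_remaining_hits(), example_embedded_count());
    return 0;
}
```

On the sample page the scan finds three hits: the standalone VMFUNC becomes three NOPs, the seam between `mov al, 0x0F` and `add esp, edx` gets a NOP (the page grows to 17 bytes), and the only pattern left after the rewrite is the one inside the `mov eax` immediate, which is reported for equivalent-instruction replacement.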
  • The sub-kernel is the microkernel, running in non-privileged mode;
  • The root kernel runs in privileged mode and includes a VM-exit processing unit, an extended-table management unit and a self-virtualization unit;
  • The VM-exit processing unit handles the VM exits caused by the sub-kernel, which include violations of extended page table access and VM exits caused by the use of privileged instructions;
  • The extended-table management unit dynamically manages the extended page tables of the sub-kernel and of the processes in the sub-kernel;
  • The self-virtualization unit dynamically downgrades the sub-kernel to non-privileged mode at system start and initializes its VMCS and extended page tables.
  • A microkernel inter-process communication system provided according to the present invention includes:
  • Lightweight virtualization module: starts a hardware-supported virtualization environment, turns the microkernel into a sub-kernel, and constructs a root kernel beneath it that interacts with the virtualization environment;
  • Extended page table module: constructs a corresponding extended page table for each process, divides the processes into client processes and server processes, and fills the base address of the client process's page table into the extended page table of the server process;
  • Fast communication module: provides an interface oriented to user-mode processes, through which processes can switch address spaces in user mode;
  • Binary modification module: scans the code pages of the process and replaces illegal code-jump instructions.
  • Compared with the prior art, the present invention has the following beneficial effects:
  • The present invention makes clever use of hardware virtualization technology to greatly improve the performance of inter-process communication in the microkernel without any modification to the existing hardware architecture.
  • The present invention can be applied to microkernels of various designs; only a small modification to the microkernel code brings a substantial performance improvement.
  • The present invention does not weaken the strong isolation of the original microkernel and retains the ability to defend against attacks such as Meltdown.
  • Figure 1 is a schematic diagram of an embodiment of a communication device of the present invention
  • Figure 2 shows the use of the extended page table to control the contents of the client page table
  • Figure 3 shows the process of starting and registering a process
  • Figure 4 shows the switching process between user-mode processes
  • Figure 5 shows the dynamic binary modification process
  • The method proposed by the present invention allows one process to switch directly to the virtual address space of another process during microkernel inter-process communication, without the intervention of the microkernel.
  • The intervention of the microkernel is a major reason for the high cost of inter-process communication; if the microkernel is removed from the inter-process communication path, its performance improves greatly. The present invention therefore removes the microkernel from inter-process communication. Even without the intervention of the microkernel, it must be ensured that a process cannot maliciously use inter-process communication to access the data of other processes or execute the code of other processes.
  • The traditional inter-process communication method requires the microkernel to check the legality of each communication and to prevent any possible attack.
  • The prior art can guarantee the safety of inter-process communication without the intervention of the operating-system kernel, but it requires modified hardware.
  • The present invention needs to guarantee that safety using mature commercial hardware.
  • The present invention modifies application programs and the microkernel source code as little as possible. The inter-process communication method is the core mechanism of a microkernel, and modifying it usually means extensive changes to application programs and to the microkernel source code, which makes deployment considerably harder. The present invention therefore keeps such modifications to a minimum.
  • A method for communication between microkernel processes provided by the present invention includes:
  • Lightweight virtualization step: start a hardware-supported virtualization environment, turn the microkernel into a sub-kernel, and construct a root kernel beneath it that interacts with the virtualization environment;
  • Extended page table step: construct a corresponding extended page table for each process, divide the processes into client processes and server processes, and fill the base address of the client process's page table into the extended page table of the server process;
  • Fast communication step: provide an interface oriented to user-mode processes, through which processes can switch address spaces in user mode;
  • Binary modification step: scan the code pages of the process and replace illegal code-jump instructions.
  • The lightweight virtualization step includes:
  • Root kernel initialization step: initialize the root kernel after the sub-kernel has started, dynamically move the sub-kernel into non-privileged mode, and have the root kernel provide an interface for managing the extended page tables;
  • Process identification step: allocate one memory page per process to record the identity of the process (the identity information page), and map this page into the process's extended page table and into the address space of the sub-kernel, so that the sub-kernel can read, through that virtual address, the identity information page of whichever process has just trapped into it and thereby identify that process.
  • The identity information page has the same guest physical address in the extended page tables of the different processes.
  • The root kernel configures the VMCS fields so that executing privileged instructions does not cause a VM exit into the virtualization layer; for VM exits caused by hardware events, the root kernel lets the hardware deliver the external interrupt to the sub-kernel in non-privileged mode; for VM exits caused by violations of extended page table access, the root kernel uses large pages to map the physical memory addresses to the sub-kernel, the large pages being 1 GB in size.
  • The extended page table step includes:
  • Initialization step: register the server process with the sub-kernel during initialization.
  • The sub-kernel notifies the root kernel to copy an extended page table for the client process and for the server process respectively, and to add the extended page table mappings;
  • The client process switches to the server process by entering a trampoline ("springboard") code page.
  • The trampoline code page executes the VMFUNC instruction to change the extended page table pointer from the client process's extended page table to the server process's extended page table, without modifying the CR3 register value.
  • Small amounts of data are passed in CPU registers; for large transfers a shared buffer is allocated and its address is mapped into the extended page tables of both the client process and the server process.
  • The sub-kernel is the microkernel, running in non-privileged mode;
  • The root kernel runs in privileged mode and includes a VM-exit processing unit, an extended-table management unit and a self-virtualization unit;
  • The VM-exit processing unit handles the VM exits caused by the sub-kernel, which include violations of extended page table access and VM exits caused by the use of privileged instructions;
  • The extended-table management unit dynamically manages the extended page tables of the sub-kernel and of the processes in the sub-kernel;
  • The self-virtualization unit dynamically downgrades the sub-kernel to non-privileged mode at system start and initializes its VMCS and extended page tables.
  • A microkernel inter-process communication system provided according to the present invention includes:
  • Lightweight virtualization module: starts a hardware-supported virtualization environment, turns the microkernel into a sub-kernel, and constructs a root kernel beneath it that interacts with the virtualization environment;
  • Extended page table module: constructs a corresponding extended page table for each process, divides the processes into client processes and server processes, and fills the base address of the client process's page table into the extended page table of the server process;
  • Fast communication module: provides an interface oriented to user-mode processes, through which processes can switch address spaces in user mode;
  • Binary modification module: scans the code pages of the process and replaces illegal code-jump instructions.
  • A microkernel is a kernel architecture composed of a minimal set of functions, which implement the most basic mechanisms an operating system depends on, including physical address space management, process management and inter-process communication (IPC).
  • A microkernel process is an application program running on the microkernel, and is the basic unit for resource allocation and resource scheduling in the microkernel.
  • Inter-process communication (IPC) is any technique or method for transferring data or signals between at least two processes or threads.
  • The present invention focuses on inter-process communication in the microkernel.
  • Client processes and server processes run on the microkernel. Each instance of a client process can send requests to a server process, and the server process is responsible for providing various functional services.
  • Virtual address space: the CPU addresses memory by virtual address, and the virtual address is then translated into a physical address by the memory management unit (MMU).
  • MMU: memory management unit
  • A virtual machine monitor can virtualize several guest virtual machines on one physical machine, each guest virtual machine having the same functions as a real machine.
  • The processor uses the TLB to cache part of the address mappings stored in the page tables. When a virtual address needs to be translated, the TLB is consulted first; if it holds no matching mapping, the page table stored in memory is accessed to complete the address translation.
  • Guest virtual address (GVA) / guest physical address (GPA) / host physical address (HPA): in a virtualized environment, a program in the guest virtual machine accesses memory through guest virtual addresses, and the physical memory of the guest virtual machine is addressed by guest physical addresses.
  • The kernel of the guest virtual machine controls the translation from guest virtual addresses to guest physical addresses through the guest page table.
  • The host physical address denotes the real memory of the physical machine, and the virtual machine monitor controls the translation from guest physical addresses to host physical addresses through the extended page table.
  • CR3 is a control register used to control and determine the operating mode of the processor and the characteristics of the currently executing task.
  • CR3 contains the physical base address of the page directory table, so this register is also called the page-directory base register (PDBR).
  • PDBR: Page-Directory Base Register
  • VMCS data fields: a physical CPU obtains the various state of each virtual CPU through the VMCS data fields.
  • The invention uses hardware virtualization technology to let a process switch directly to the virtual address space of another process and call the target function without trapping into the microkernel.
  • The present invention still lets different processes have different virtual address spaces.
  • Such a design is consistent with existing microkernels and reduces the modification needed to existing systems.
  • By introducing a very small virtual machine monitor, the present invention constructs a different extended page table for each process (an extended page table controls the mapping from guest physical addresses to host physical addresses), and uses the hardware VMFUNC instruction to switch extended page tables, thereby achieving a switch of virtual address space in user mode.
  • By configuring the extended page table of the receiver process, the present invention maps the base address of the sender process's page table (the value of its CR3 register) to the host physical address corresponding to the base address of the receiver process's page table (the value of the receiver's CR3 register). After the sender process switches extended page tables with the hardware VMFUNC instruction, the value of its CR3 register therefore points directly to the page table of the receiver process.
  • The present invention provides a stack for each thread in the virtual address space of the receiver process.
  • The present invention provides shared buffers for transmitting large amounts of data. These shared buffers are bound one-to-one to the threads of the receiver process, so that the invention performs well in highly concurrent environments.
  • Intel hardware virtualization technology allows an extended page table to be configured for each user-mode process (at present up to 512 extended page tables are supported).
  • The base addresses of these extended page tables (that is, the extended page table pointers) are stored in the extended page table pointer list.
  • The memory for this list is allocated when the root kernel is initialized.
  • In the microkernel initialization phase the microkernel runs directly on the physical machine and manages the mapping from virtual addresses to host physical addresses directly through its own page table. In the initial stage of the present invention, a main extended page table must be added as an extra layer.
  • The original page table of the microkernel is then responsible for mapping guest virtual addresses to guest physical addresses,
  • and the main extended page table is responsible for mapping guest physical addresses to host physical addresses.
  • The base address of the main extended page table is stored by default at the first position of the extended page table pointer list (that is, at offset 0).
  • Each user-mode process started afterwards first copies the main extended page table.
  • A copy-on-write mechanism is adopted: only when the process later modifies an extended page table entry is new memory allocated and a new mapping established.
  • When a client process registers with a server process, a mapping from the base address of the client process's page table to the host physical address corresponding to the server process's page-table base is added to the extended page table of the server process.
  • The extended page table is constructed when each user-mode process is started. While a user-mode process is starting, the virtual machine monitor uses the main extended page table directly. Only when a process registers with a server is it necessary to copy the main extended page table for each newly registered server process. In that new extended page table, the guest physical address of the registering process's page-table base is pointed at the host physical address of the server process's page-table base (using the copy-on-write mechanism). The base address of the first-level page of the new extended page table produced by the copy is then filled into the corresponding entry of the extended page table pointer list, at an offset determined by the process identifier of the current user process.
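The extended page table arrangement described in the bullets above (the main extended page table at offset 0 of the pointer list, a copy per registered process, the client's CR3 frame aliased in the server's table to the host frame holding the server's page-table root, the identity page at one fixed guest physical address, and VMFUNC switching the table pointer while CR3 stays unchanged), as an added model in C. This is constructed illustration code, not the patent's or the authors' code: the flat list of 4 KiB frame mappings standing in for a multi-level extended page table, the frame numbers, the IDENTITY_GPA value and every function name are assumptions; the 512-entry limit is the figure the page gives, and the copy is eager where the page describes copy-on-write.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the page's EPT arrangement; not the patent's code. Frame
 * numbers, IDENTITY_GPA and all function names are assumptions. A real EPT is a
 * multi-level table; this one is a flat list of 4 KiB frame mappings. */
#define EPTP_LIST_SIZE 512           /* upper bound on EPTs named on the page */
#define MAX_ENTRIES    16            /* toy EPT capacity in frames */
#define PAGE_SIZE      4096ULL
#define IDENTITY_GPA   0x00ff000ULL  /* fixed GPA of the identity page (assumed) */
#define NO_MAPPING     UINT64_MAX    /* stands in for an EPT violation */

typedef struct { uint64_t gpa, hpa; int used; } ept_entry_t;
typedef struct { ept_entry_t e[MAX_ENTRIES]; } ept_t;
typedef struct { uint64_t cr3; int eptp_index; } vcpu_t;

static ept_t eptp_list[EPTP_LIST_SIZE];   /* offset 0 holds the main EPT */
static int   ept_count;

static uint64_t ept_lookup(const ept_t *t, uint64_t gpa) {
    uint64_t frame = gpa & ~(PAGE_SIZE - 1);
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (t->e[i].used && t->e[i].gpa == frame)
            return t->e[i].hpa | (gpa & (PAGE_SIZE - 1));
    return NO_MAPPING;
}

/* Add or overwrite one frame mapping; -1 when the toy table is full. */
static int ept_map(ept_t *t, uint64_t gpa, uint64_t hpa) {
    int free_slot = -1;
    gpa &= ~(PAGE_SIZE - 1); hpa &= ~(PAGE_SIZE - 1);
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (t->e[i].used && t->e[i].gpa == gpa) { t->e[i].hpa = hpa; return 0; }
        if (!t->e[i].used && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return -1;
    t->e[free_slot] = (ept_entry_t){ gpa, hpa, 1 };
    return 0;
}

/* Root kernel start-up: the main EPT at offset 0 maps eight guest frames 1:1. */
static void root_kernel_init(void) {
    memset(eptp_list, 0, sizeof eptp_list);
    ept_count = 1;
    for (uint64_t f = 0; f < 8; f++)
        ept_map(&eptp_list[0], f * PAGE_SIZE, f * PAGE_SIZE);
}

/* A process gets a copy of the main EPT (the page copies lazily, copy-on-write;
 * the toy copies eagerly) plus its own identity page at the fixed IDENTITY_GPA.
 * Returns the EPTP-list offset, or -1 when all 512 slots are in use. */
static int register_process(uint64_t identity_page_hpa) {
    if (ept_count >= EPTP_LIST_SIZE) return -1;
    eptp_list[ept_count] = eptp_list[0];
    ept_map(&eptp_list[ept_count], IDENTITY_GPA, identity_page_hpa);
    return ept_count++;
}

/* Client registers with a server: inside the server's EPT, the guest frame the
 * client's CR3 points at is aliased to the host frame holding the server's
 * page-table root. */
static int register_client_with_server(int server_idx, uint64_t client_cr3, uint64_t server_cr3) {
    uint64_t server_pt_hpa = ept_lookup(&eptp_list[0], server_cr3);
    if (server_idx <= 0 || server_idx >= ept_count || server_pt_hpa == NO_MAPPING) return -1;
    return ept_map(&eptp_list[server_idx], client_cr3, server_pt_hpa);
}

/* VMFUNC EPTP switching as the page uses it: the EPTP index changes, CR3 does
 * not. An index outside the populated list makes the hardware fault. */
static int vmfunc_eptp_switch(vcpu_t *v, int idx) {
    if (idx < 0 || idx >= ept_count) return -1;
    v->eptp_index = idx;
    return 0;
}

/* Host frame the MMU would walk from: the current EPT applied to CR3. */
static uint64_t effective_page_table_root(const vcpu_t *v) {
    return ept_lookup(&eptp_list[v->eptp_index], v->cr3);
}
static uint64_t effective_identity_page(const vcpu_t *v) {
    return ept_lookup(&eptp_list[v->eptp_index], IDENTITY_GPA);
}

/* Client (page-table root at guest frame 2) calls a server (root at frame 3).
 * Returns 1 when every step behaves as the page describes, else the failing step. */
static int scenario(void) {
    root_kernel_init();
    int c = register_process(0x6000ULL), s = register_process(0x7000ULL);
    vcpu_t v = { 0x2000ULL, c };
    if (c != 1 || s != 2) return 2;
    if (register_client_with_server(s, 0x2000ULL, 0x3000ULL) != 0) return 3;
    if (effective_page_table_root(&v) != 0x2000ULL || effective_identity_page(&v) != 0x6000ULL) return 4;
    if (vmfunc_eptp_switch(&v, s) != 0 || v.cr3 != 0x2000ULL) return 5;   /* CR3 untouched */
    if (effective_page_table_root(&v) != 0x3000ULL || effective_identity_page(&v) != 0x7000ULL) return 6;
    if (vmfunc_eptp_switch(&v, 400) != -1) return 7;                       /* beyond the list */
    return 1;
}

int main(void) {
    printf("scenario result: %d (1 = switch landed on the server's page table, CR3 unchanged)\n", scenario());
    return 0;
}
```

The point the model makes explicit is that nothing in the client's own table changes: after the switch the same CR3 value resolves, through the server's extended page table, to the server's page-table root, and the identity page read at the fixed guest physical address now belongs to the server, which is what lets the sub-kernel identify the process that trapped into it.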
  • the overall architecture of the present invention includes four modules: a lightweight virtualization module, an extended page table management module, a fast inter-process communication module, and a dynamic binary modification module.
  • the lightweight virtualization module is responsible for starting an environment that supports virtualization technology with the help of hardware, using the original microkernel as a sub-kernel, and inserting a root kernel under it to handle the interaction between the remaining modules and the virtualized environment. This module is carefully configured to minimize the performance loss of the virtualized environment compared with the original environment under the premise of ensuring the correctness of the function.
  • the lightweight virtualization module first transforms the original environment into a virtualized environment with a privileged mode and an unprivileged mode, and puts various processes in the unprivileged mode.
  • the lightweight virtualization module For the virtualization design of the original microkernel, it is necessary to consider whether it needs to be placed in an unprivileged mode.
  • Known technologies that meet the above requirements are mainly divided into two categories: 1) Simulate mature virtual machine technology, treat the original process and kernel as a virtual machine system, and run in an unprivileged mode at the same time. 2) Put the kernel in privileged mode and keep the process running in unprivileged mode.
  • the first type of technology can utilize existing commercial hypervisors (such as KVM and Xen), but will cause a greater performance loss due to the virtualization layer.
  • the second type of technology will produce a large number of virtual layer sinks when the process and the kernel interact (such as system calls), and the cost of a virtual layer sink is much more expensive than the cost of a system call in a non-virtualized environment.
  • the lightweight virtualization module provides a new solution. Compared with the existing technology, it not only avoids the performance loss caused by the traditional virtualization solution, but also eliminates the additional overhead caused by a large number of virtual layer sinks: microkernel It is still placed in the non-privileged mode as a secondary kernel, and a lightweight small hypervisor root kernel that only contains the necessary functions is introduced in the privileged mode. It only provides extended page table management functions, dynamic self-virtualization modules, and Some basic virtual layer sink processing logic.
  • the lightweight virtualization module uses the following three methods, for example:
  • virtual layer sinks can be divided into three categories: sinks caused by privileged instructions, sinks caused by hardware events, and sinks caused by violations of extended page table entries. 1) For the depression caused by the execution of privileged instructions (such as changing the value of the CR3 register, halt (HLT) instruction, etc.), the root kernel can configure the VMCS domain so that the execution of these privileged instructions does not cause any virtual layer depression; 2) For hardware events The traditional hypervisor will configure the hardware to trigger a virtual layer sink when receiving such an event.
  • The root kernel in the present invention likewise configures the hardware, but so that such events are delivered to the unprivileged mode directly.
  • The present invention has the root kernel use the largest large page (1 GB on the x86-64 architecture) to map most physical memory addresses for the secondary kernel, which reduces the number of memory accesses made by the page-walk logic after a TLB miss and also reduces the number of TLB misses.
  • The root kernel still retains part of the VM exit handling logic for management purposes. For example, the VMCALL instruction unconditionally triggers a VM exit, and the root kernel uses this instruction to implement a communication interface with the upper-level kernel.
  • Initialization of the root kernel: the root kernel boots differently from a traditional virtualization hypervisor, which is initialized together with the physical machine. To avoid executing a large amount of error-prone initialization code during startup, the root kernel is initialized after the secondary kernel has started and dynamically moves the secondary kernel into unprivileged mode. So that the secondary kernel in unprivileged mode can conveniently manage the extended page table of each process, the root kernel exposes an interface for managing extended page tables to the upper layer through the CPUID instruction.
  • The extended page table management module is responsible for constructing corresponding extended page tables for different processes, and cooperates with the inter-process fast communication module to fill the relevant mappings and data structures into the correct positions in the extended page table of the callee process.
  • The present invention needs to meet two requirements at the same time: 1) ensure isolation of the virtual address spaces of different processes, and 2) provide these processes with an effective set of methods for switching virtual address spaces in user mode.
  • Existing technical solutions can be divided into two categories: 1) put different processes into the same virtual address space but allocate a separate extended page table to each process, so that isolation is provided within that single virtual address space, and use the VMFUNC instruction to bypass the kernel and switch virtual address spaces directly in user mode; 2) use the PKU hardware feature proposed by Intel to switch between different views of the virtual address space for different processes.
  • The existing technology has the following disadvantages: the first type is easy to implement when the number of processes is small, but as the number of processes grows, the division of the virtual address space must be managed very carefully to avoid conflicts between the virtual address regions allocated to different processes, which leads to a series of complicated tasks and increases the possibility of configuration errors.
  • The second type also cannot resolve potential virtual address region conflicts.
  • Moreover, this hardware feature provides only a limited number of security domains, which clearly cannot meet the needs of microkernel scenarios.
  • The extended page table management module is implemented through mapping management of the extended page tables.
  • The extended page table management module proposes a new set of solutions for mapping and managing the extended page tables before and after a switch, which retains traditional virtual memory isolation while allowing fast switching between virtual address spaces. Different processes still retain their respective page tables.
  • The mapping from the CR3 register value of the client process to the host physical address corresponding to the CR3 register value of the server process is added to the extended page table of the server process, so that the switch can be performed in user mode.
  • A process that uses the VMFUNC instruction to switch extended page tables therefore does not need to modify the value in the CR3 register and can directly carry out the subsequent virtual address translation.
  • The client process and the server process each have their own page table; the page table base address values are the client process CR3 value and the server process CR3 value, respectively.
  • The server process first registers its own process information (such as its CR3 value) with the secondary kernel.
  • The secondary kernel then notifies the underlying root kernel to copy two new extended page tables for the two processes and establish the appropriate mappings.
  • The CR3 register on the host keeps the CR3 value of the client process unchanged throughout the switch.
  • The springboard code calls the VMFUNC instruction to change the extended page table pointer from the client process's extended page table to the server process's extended page table.
  • The client process can then directly access any virtual address in the virtual address space of the current server process.
  • The inter-process fast communication module is responsible for providing user-mode processes with a set of interfaces for switching quickly and effectively between processes within the user-mode address space.
  • The inter-process communication module is responsible for mapping the springboard code page into the virtual address space of each process when that process registers itself with the secondary kernel, thereby providing user-mode processes with a set of interfaces for fast inter-process switching.
  • Each client process needs to fill in, on the springboard code page, all the server processes it needs to call.
  • When a server process registers itself, the secondary kernel allocates a number of stacks corresponding to the maximum number of parallel threads that can be supported, and maps these stacks into the virtual address space of the server process.
  • The sender process needs to transmit some data to the receiver process through inter-process communication.
  • This module provides two methods depending on the size of the data to be transmitted: 1) for transfers of a small amount of data, the module places the data in CPU registers according to the calling convention of the x86-64 architecture; 2) for transfers of a large amount of data, the module allocates a shared buffer for each pair of client process and server process and maps the buffer's address into the page tables of both processes.
  • The dynamic binary modification module is responsible for scanning all code pages of each process and replacing illegal VMFUNC instructions, thereby preventing users from maliciously using VMFUNC instructions to jump illegally to an arbitrary code address for execution.
  • The dynamic binary modification module can thus ensure the security of the system.
  • Illegal VMFUNC instructions may appear for accidental or malicious reasons.
  • The existence of these illegal VMFUNC instructions could be exploited by an attacker to jump to an illegal code region for execution, so the present invention introduces a dynamic binary modification module to eliminate these illegal VMFUNC instructions.
  • When a process registers itself, the secondary kernel calls this module to scan all code pages of the process. If an illegal VMFUNC instruction is found outside the designated springboard code page, the module replaces the illegal instruction with functionally equivalent instructions. After the code page is dynamically modified, the original instruction becomes two or more equivalent instructions, so the space at the original location in the code page cannot hold them. Therefore, this module replaces the content at the original instruction location with a jump instruction to another code page that holds the equivalent instructions. The code page storing the equivalent instructions is inserted by the secondary kernel at an unused virtual address.
  • The present invention adopts an illegal instruction replacement strategy; there are several different ways in which an illegal VMFUNC instruction can exist in a code page.
  • This module categorizes them into three situations and handles each separately: 1) the illegal VMFUNC instruction really is a deliberately implanted VMFUNC instruction; in this case the module replaces it with three NOP instructions (instructions that do no work). 2) The illegal VMFUNC instruction is pieced together from the bytes of two or more adjacent instructions; in this case the module inserts a NOP instruction between these adjacent instructions to break up the pieced-together VMFUNC instruction. 3) The illegal VMFUNC instruction lies inside a longer instruction whose encoding contains the VMFUNC byte sequence; in this case the module replaces that instruction with several other equivalent instructions to eliminate the illegal instruction.
  • The process startup registration procedure includes:
  • Step 1) When a user-mode process starts, it first determines whether it will act as a server process providing services to other client processes. If it is a server process, go to step 2; otherwise go to step 4.
  • Step 2) As a server process, it registers its own process information, such as its CR3 register value, and saves it in the secondary kernel.
  • Step 3) It determines whether it will also act as a client process calling services provided by other server processes. If yes, proceed to step 4; otherwise the registration procedure is complete.
  • Step 4) As a client process, it registers with the secondary kernel and informs it of the server processes that the process needs to call.
  • Step 5) The secondary kernel then notifies the root kernel to copy two extended page tables, one for the current client process and one for the corresponding server process.
  • Step 6) The root kernel adds to the server process's extended page table the mapping from the client process CR3 value to the host physical address corresponding to the server process CR3 value, which completes the startup registration procedure.
  • The springboard code page is a memory page containing simplified code logic that is used to switch between different extended page tables and to call the target functions correctly.
  • The so-called springboard means that when a process executes from the first address of the code page, it begins operations such as switching the extended page table, which functionally appears as the execution flow jumping from the client process to the server process.
  • The client process sets the data parameters to be transmitted and calls the corresponding interface to start executing the code in the springboard code page.
  • The springboard code page uses the VMFUNC instruction to switch to the extended page table of the server process. Because of the configuration described above, the function in the server process can now be called normally and its return value obtained.
  • The springboard code page then uses the VMFUNC instruction to switch back to the original extended page table of the client process, restores the register state and so on, and the client process finally obtains the return value from the server process.
  • The extended page address mapping is the mapping relationship between virtual addresses and physical addresses, and is usually used to look up the physical address corresponding to a given virtual address.
  • Within the extended page table this works as follows: given an address, the address is divided into multiple parts (currently four), and each part is used as the index into the corresponding level of the extended page table; translation proceeds level by level down to the lowest level, and the content stored in the lowest-level extended page table entry is the physical address corresponding to the given address.
  • The essence of adding a mapping to the extended page table is therefore to fill in the target physical address in the lowest-level extended page table entry selected by the given address.
  • The extended page address mapping takes place while the client process registers itself with the server process:
  • The secondary kernel calls the interface provided by the root kernel so that the root kernel binds the client process and the server process at the level of the extended page table.
  • The root kernel queries the extended page table of the server process, using the client physical address of the client process's page table base address (its CR3 register value) as the index, translates it level by level, and finally finds the corresponding extended page table entry at the lowest level.
  • The root kernel fills in the content of that extended page table entry in the server process's extended page table with the host physical address corresponding to the base address of the server process's page table.
  • The base address of the client process's page table is thus translated into the host physical address corresponding to the server process's page table without changing the value of the CR3 register.
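The CR3 redirection described above (the server's extended page table entry for the client's CR3 page is pointed at the host frame holding the server's page table, so an unchanged CR3 resolves to the server's page table once VMFUNC switches extended page tables) can be followed in this added C model of a four-level EPT. It is illustrative code, not the patent's root kernel: the table pool, the guest-physical addresses 0x1000 and 0x2000, and all function names are constructed here.

```c
#include <stdint.h>
#include <string.h>

#define LEVELS     4      /* 4-level EPT: 9 index bits per level, 4 KiB leaf pages */
#define ENTRIES    512
#define MAX_TABLES 64
#define PRESENT    1ULL

/* Table pool standing in for host memory: PRESENT | (next table index << 12)
   at intermediate levels, PRESENT | host page frame at the leaf level. */
static uint64_t pool[MAX_TABLES][ENTRIES];
static int ntables;
static int alloc_table(void) {
    if (ntables >= MAX_TABLES) return -1;
    memset(pool[ntables], 0, sizeof pool[ntables]);
    return ntables++;
}
/* Index bits for one level; level 3 is the top table, level 0 the leaf. */
static unsigned idx(uint64_t gpa, int level) {
    return (unsigned)((gpa >> (12 + 9 * level)) & 0x1ff);
}

/* Fill the lowest-level entry for a guest-physical page with a host-physical
   page, allocating intermediate tables on demand. Returns 0 on success. */
int ept_map(int root, uint64_t gpa, uint64_t hpa) {
    int t = root;
    for (int level = LEVELS - 1; level > 0; level--) {
        uint64_t *e = &pool[t][idx(gpa, level)];
        if (!(*e & PRESENT)) {
            int sub = alloc_table();
            if (sub < 0) return -1;
            *e = PRESENT | ((uint64_t)sub << 12);
        }
        t = (int)(*e >> 12);
    }
    pool[t][idx(gpa, 0)] = PRESENT | (hpa & ~0xfffULL);
    return 0;
}

/* Walk an EPT level by level as the MMU does. Returns 0 and sets *hpa, or -1
   for an EPT violation (which on real hardware would cause a VM exit). */
int ept_translate(int root, uint64_t gpa, uint64_t *hpa) {
    int t = root;
    for (int level = LEVELS - 1; level >= 0; level--) {
        uint64_t e = pool[t][idx(gpa, level)];
        if (!(e & PRESENT)) return -1;
        if (level == 0) { *hpa = (e & ~0xfffULL) | (gpa & 0xfff); return 0; }
        t = (int)(e >> 12);
    }
    return -1;
}

/* Deep copy of an EPT subtree: the "copy two new extended page tables" step. */
int ept_clone(int root, int level) {
    int n = alloc_table();
    if (n < 0) return -1;
    for (unsigned i = 0; i < ENTRIES; i++) {
        uint64_t e = pool[root][i];
        if (!(e & PRESENT)) continue;
        if (level == 0) { pool[n][i] = e; continue; }
        int sub = ept_clone((int)(e >> 12), level - 1);
        if (sub < 0) return -1;
        pool[n][i] = PRESENT | ((uint64_t)sub << 12);
    }
    return n;
}

/* Constructed scenario (not from the patent): the client's page-table root is
   at guest-physical 0x1000 and the server's at 0x2000, both identity mapped. */
#define CLIENT_CR3 0x1000ULL
#define SERVER_CR3 0x2000ULL
int client_ept = -1, server_ept = -1;

/* Registration steps 5 and 6: clone an EPT for the server, then make the client's
   CR3 page resolve to the host frame that holds the server's page table. */
int bind_client_to_server(void) {
    uint64_t server_pt_hpa;
    if ((client_ept = alloc_table()) < 0) return -1;
    if (ept_map(client_ept, CLIENT_CR3, CLIENT_CR3)) return -1;
    if (ept_map(client_ept, SERVER_CR3, SERVER_CR3)) return -1;
    if ((server_ept = ept_clone(client_ept, LEVELS - 1)) < 0) return -1;
    if (ept_translate(server_ept, SERVER_CR3, &server_pt_hpa)) return -1;
    return ept_map(server_ept, CLIENT_CR3, server_pt_hpa);
}

/* Where an unchanged CR3 value lands under a given EPT; UINT64_MAX on violation. */
uint64_t resolve_cr3(int ept, uint64_t cr3) {
    uint64_t hpa;
    return ept_translate(ept, cr3, &hpa) ? UINT64_MAX : hpa;
}
```

Under the client's EPT the CR3 value 0x1000 still lands on the client's own page table; under the server's EPT the same value lands on the server's page table at 0x2000, which is exactly what makes the VMFUNC switch work without touching CR3.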
  • The user-mode inter-process switching procedure includes:
  • Step 1) The client process sets the target server process parameters and calls the interface for switching between user-mode processes provided by the present invention.
  • Step 2) The springboard code receives the target server process parameters and checks whether the size of the data to be transmitted exceeds what the registers can hold. If yes, go to step 3; otherwise go to step 4.
  • Step 3) The springboard code copies the data to be transmitted from the client process's internal buffer to the buffer shared with the target server process.
  • Step 4) Use the VMFUNC instruction to change the extended page table pointer from the client process's extended page table to the server process's extended page table.
  • Step 5) The springboard code sets up the stack that will be used during execution in the server process, and then calls the function registered in advance by the server process to start execution.
  • The dynamic binary modification procedure includes:
  • Step 1) When a process starts, capture all code pages owned by the process.
  • Step 2) The secondary kernel scans all code pages and identifies all illegal VMFUNC instructions. If there is none, the procedure ends; otherwise continue to step 3.
  • Step 3) Identify the cause of each identified illegal VMFUNC instruction, and for each one allocate a memory page in a specific unused virtual address range for storing the equivalent replacement instructions.
  • Step 4) For each illegal VMFUNC instruction, apply the corresponding replacement strategy described above, and place the resulting equivalent instructions in the allocated memory page.
  • Step 5) Add a jump instruction at the end of each memory page holding equivalent instructions, with the jump target being the address of the instruction that follows the replaced instruction.
  • Step 6) Replace the original illegal VMFUNC instruction with a jump instruction whose target is the starting address of the corresponding memory page.
  • The dynamic binary modification procedure then ends.
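As an added illustration of the scanning and classification steps (not code from the patent), the following C program finds every 0F 01 D4 byte sequence in a code page, assigns each hit to one of the three situations described above using instruction boundaries that a length decoder would supply (assumed here and hard-coded for a constructed sample page), and neutralizes the in-place situation with three NOPs; the other two situations change the code length and are only reported, since they need the trampoline page the procedure describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* VMFUNC is encoded as the three bytes 0F 01 D4 on x86-64. */
static const uint8_t VMFUNC[3] = { 0x0f, 0x01, 0xd4 };
#define NOP 0x90

enum vmfunc_kind {
    VMFUNC_NONE = 0,  /* no instruction covers this offset */
    VMFUNC_EXACT,     /* situation 1: a stand-alone, deliberately placed VMFUNC */
    VMFUNC_SPANNING,  /* situation 2: the bytes straddle two or more adjacent instructions */
    VMFUNC_EMBEDDED   /* situation 3: the bytes lie inside one longer instruction */
};

/* Instruction boundaries as a length decoder would report them. The real module
   needs a decoder; this example (an assumption) takes the boundaries as input. */
struct insn { size_t off, len; };

/* Byte-level scan for every occurrence of 0F 01 D4, including occurrences that
   do not start on an instruction boundary. Returns the number of hits stored. */
size_t find_vmfunc(const uint8_t *code, size_t n, size_t *hits, size_t max_hits) {
    size_t count = 0;
    for (size_t i = 0; i + 3 <= n; i++)
        if (memcmp(code + i, VMFUNC, 3) == 0 && count < max_hits)
            hits[count++] = i;
    return count;
}

/* Decide which of the three situations a hit at 'off' falls into. */
enum vmfunc_kind classify_hit(size_t off, const struct insn *insns, size_t n) {
    for (size_t i = 0; i < n; i++) {
        size_t start = insns[i].off, end = start + insns[i].len;
        if (off < start || off >= end) continue;
        if (start == off && insns[i].len == 3) return VMFUNC_EXACT;
        if (off + 3 <= end) return VMFUNC_EMBEDDED;
        return VMFUNC_SPANNING;   /* starts here, ends in a following instruction */
    }
    return VMFUNC_NONE;
}

/* Situation 1 can be fixed in place: three NOPs occupy exactly the same 3 bytes.
   Situations 2 and 3 change the code length and need the trampoline page from
   the procedure above, so they are left for that path. Returns hits rewritten. */
size_t neutralize_exact(uint8_t *code, size_t n, const struct insn *insns, size_t ninsn) {
    size_t hits[16], fixed = 0;
    size_t count = find_vmfunc(code, n, hits, 16);
    for (size_t i = 0; i < count; i++)
        if (classify_hit(hits[i], insns, ninsn) == VMFUNC_EXACT) {
            memset(code + hits[i], NOP, 3);
            fixed++;
        }
    return fixed;
}

/* Constructed sample code page (not from the patent), one hit per situation:
     0: 0F 01 D4         vmfunc                situation 1
     3: B0 0F            mov al, 0x0f          \ 0F 01 D4 straddles
     5: 01 D4            add esp, edx          / these two (situation 2)
     7: B8 00 0F 01 D4   mov eax, 0xd4010f00   pattern inside imm32 (situation 3)
    12: C3               ret                                                    */
uint8_t sample_page[] = { 0x0f,0x01,0xd4, 0xb0,0x0f, 0x01,0xd4,
                          0xb8,0x00,0x0f,0x01,0xd4, 0xc3 };
const struct insn sample_insns[] = { {0,3}, {3,2}, {5,2}, {7,5}, {12,1} };
const size_t sample_ninsn = sizeof sample_insns / sizeof sample_insns[0];
```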
  • In terms of security, the present invention can defend against the following attacks.
  • The dynamic binary modification technology provided by the present invention dynamically eliminates all illegal VMFUNC instructions during the startup of each process, and can effectively defend against users maliciously using VMFUNC instructions to carry out illegal jump-execution attacks. Against Meltdown attacks and their variants, the present invention does not modify the microkernel's original page table isolation mechanism, because the microkernel's own design naturally separates the page tables of user-mode processes from those of the microkernel, so even if a user-mode process is compromised, kernel-mode key data cannot be read. Against denial-of-service attacks, the present invention provides a timeout mechanism that forces the execution flow back to the client process when the server process does not respond for a long time.
  • The present invention provides a table that records the permission of each client process to call each server process; before a client process calls another server process, the table is checked to verify that it has the legal right to make the call. A malicious process therefore cannot arbitrarily call a server process without permission.
  • The invention uses hardware virtualization technology to accelerate the inter-process communication of the microkernel, and uses the extended page table to control the mapping from client physical addresses to host physical addresses, so that the page table base address value of a process does not need to be modified before and after switching between processes; new hardware instructions switch the extended page table between user-mode processes without a VM exit, realizing fast switching between microkernel processes. It adopts a lightweight virtualized environment configuration method: a small hypervisor inserted at the bottom layer applies virtualization technology to the existing microkernel and configures the VMCS fields, eliminating most of the performance loss caused by introducing the virtualization layer. It uses a dynamic binary modification protection method, applying mature binary modification technology to completely eliminate illegal instructions in a process when the new process is created, so that malicious switching between processes cannot occur, and it eliminates malicious instructions without modifying or recompiling the source code of the process program.
  • The present invention proposes a lightweight and efficient virtualization system that uses an extended page table to control the page table content of a user-mode process, thereby realizing inter-process switching without modifying the base address of the process page table. Through virtualized hardware features it realizes fast switching between user-mode microkernel processes, and combined with existing mature binary modification technology it completely eliminates specific malicious instructions without any modification to the process source code.
  • The present invention proposes a set of methods for accelerating inter-process communication using hardware virtualization technology. While retaining the original features of the microkernel, it greatly improves the performance of inter-process communication with hardware support and makes only minor modifications to the original microkernel code, which both ensures safety and improves overall performance.
  • The dynamic binary modification protection technology proposed by the present invention can also be used in other systems that need to replace specific instructions without modifying the program source code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Memory System Of A Hierarchy Structure (AREA)

Abstract

The invention relates to a microkernel inter-process communication method and system. The microkernel inter-process communication method comprises the following steps: enabling a virtual environment by means of hardware, configuring a microkernel as a secondary kernel, and configuring a root kernel beneath the secondary kernel, the root kernel being able to interact with the virtual environment; configuring extended page tables corresponding to different processes, the processes being divided into a client process and a server process, and filling a page-table base address of the client process into the extended page table of the server process; providing a user-mode process-oriented interface that allows switching between processes in a user-mode address space; and examining code pages in the processes and replacing illegal code-jump instructions. The present invention uses hardware virtualization techniques and uses an extended page table to control the content of the page table corresponding to a user-mode process, thereby achieving switching between processes without having to modify their page-table base addresses. The invention significantly improves the performance of communication between microkernel processes without requiring any modification of existing hardware architectures.
PCT/CN2019/106833 2019-02-28 2019-09-20 Microkernel inter-process communication method and system Ceased WO2020173083A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910151836.4 2019-02-28
CN201910151836.4A CN109933441B (zh) 2019-02-28 2019-02-28 Microkernel inter-process communication method and system

Publications (1)

Publication Number Publication Date
WO2020173083A1 true WO2020173083A1 (fr) 2020-09-03

Family

ID=66986097

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/106833 Ceased WO2020173083A1 (fr) 2019-02-28 2019-09-20 Microkernel inter-process communication method and system

Country Status (2)

Country Link
CN (1) CN109933441B (fr)
WO (1) WO2020173083A1 (fr)

Also Published As

Publication number Publication date
CN109933441B (zh) 2020-11-17
CN109933441A (zh) 2019-06-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19917002; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 04.02.2022))
122 Ep: pct application non-entry in european phase (Ref document number: 19917002; Country of ref document: EP; Kind code of ref document: A1)