
CN116127445A - eBPF memory isolation method and system based on kernel mode memory isolation hardware characteristics - Google Patents


Info

Publication number
CN116127445A
CN116127445A
Authority
CN
China
Prior art keywords
ebpf
function
sandbox
kernel
auxiliary function
Prior art date
Legal status
Pending
Application number
CN202310011710.3A
Other languages
Chinese (zh)
Inventor
古金宇
夏虞斌
陈海波
Current Assignee
Shanghai Jiao Tong University
Original Assignee
Shanghai Jiao Tong University
Priority date
Filing date
Publication date
Application filed by Shanghai Jiao Tong University
Priority to CN202310011710.3A
Publication of CN116127445A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Hardware Redundancy (AREA)

Abstract

The invention provides an eBPF memory isolation method and system based on kernel-mode memory isolation hardware features. The method comprises the following steps: step S1: call a helper function; step S2: the trampoline function checks whether the arguments of the helper call are legal; if the check fails, error handling is performed and execution of the entire eBPF program is terminated; if the check passes, proceed to step S3; step S3: update PKRS to temporarily leave the sandbox; step S4: synchronise the shadow object back to the kernel object; step S5: call the real helper function; step S6: synchronise the kernel object back to the shadow object; step S7: update the value of PKRS to re-enter the sandbox; step S8: finish the helper call. The PKS isolation sandbox reduces the amount of code in the eBPF verifier, can intercept the memory accesses of a malicious eBPF program at run time, and solves the false-negative problem.

Description

eBPF memory isolation method and system based on kernel-mode memory isolation hardware features

Technical field

The present invention relates to the technical field of kernel mode, and in particular to an eBPF memory isolation method and system based on kernel-mode memory isolation hardware features.

Background

Intel PKS (Protection Keys for Supervisor pages) is a new hardware feature developed by Intel. It partitions the kernel address space into independent memory domains at page granularity and checks, without introducing additional per-access overhead, whether each memory access a running program makes is permitted for the corresponding domain. PKS uses four previously reserved bits in the page-table entry to mark the domain a page belongs to, and introduces a new model-specific register, PKRS, that controls the current kernel thread's access rights to each domain. The processor modifies PKRS with the WRMSR instruction, which is how kernel memory isolation is achieved.
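The PKS check described above, as an added user-space model that is not the patent's code and not Linux kernel code: it encodes the protection key in PTE bits 62:59 and the access-disable/write-disable bit pairs of IA32_PKRS as the Intel SDM lays them out, and evaluates the permission rule the hardware applies to every supervisor-mode data access. Nothing here touches page tables or executes WRMSR. The key assignment used in the demo (key 0 for ordinary kernel memory, key 1 for one eBPF program's sandbox, key 2 for a read-only shared packet buffer) is this example's assumption, not a layout the patent specifies. One caveat the text leaves implicit: protection keys gate data reads and writes only, never instruction fetch, so PKS confines what the sandboxed program can touch but says nothing about which code runs inside it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model of Intel PKS (added example; not the patent's code, not kernel code).
 * Bit layouts follow the Intel SDM; no page tables or MSRs are touched. */

#define PKS_NUM_KEYS    16
#define PTE_PKEY_SHIFT  59                           /* protection key: PTE bits 62:59 */
#define PTE_PKEY_MASK   (0xFULL << PTE_PKEY_SHIFT)

/* IA32_PKRS holds two bits per key: AD_i (access disable) at bit 2i,
 * WD_i (write disable) at bit 2i+1. Bits 63:32 are reserved and stay zero. */
#define PKRS_AD(k)      (1u << (2 * (k)))
#define PKRS_WD(k)      (1u << (2 * (k) + 1))

static unsigned pte_pkey(uint64_t pte)
{
    return (unsigned)((pte & PTE_PKEY_MASK) >> PTE_PKEY_SHIFT);
}

static uint64_t pte_set_pkey(uint64_t pte, unsigned key)
{
    return (pte & ~PTE_PKEY_MASK) | ((uint64_t)(key & 0xF) << PTE_PKEY_SHIFT);
}

/* The rule the hardware applies to a supervisor-mode data access once CR4.PKS=1:
 * AD set for the page's key -> any data access faults; WD set -> writes fault.
 * Instruction fetches are not subject to protection keys at all. */
static bool pks_access_allowed(uint32_t pkrs, uint64_t pte, bool is_write)
{
    unsigned key = pte_pkey(pte);
    if (pkrs & PKRS_AD(key))
        return false;
    if (is_write && (pkrs & PKRS_WD(key)))
        return false;
    return true;
}

/* PKRS value for a sandbox: deny every key except those listed.
 * rw_keys / ro_keys are 16-bit masks (bit k = key k). A key in both is read-write. */
static uint32_t pkrs_for_sandbox(uint16_t rw_keys, uint16_t ro_keys)
{
    uint32_t pkrs = 0;
    for (unsigned k = 0; k < PKS_NUM_KEYS; k++) {
        if ((rw_keys >> k) & 1)
            continue;                        /* full access: AD=0, WD=0 */
        if ((ro_keys >> k) & 1)
            pkrs |= PKRS_WD(k);              /* read-only: AD=0, WD=1 */
        else
            pkrs |= PKRS_AD(k) | PKRS_WD(k); /* no access: AD=1, WD=1 */
    }
    return pkrs;
}

/* Assumed key assignment for the demo (this example's choice, not the patent's):
 * key 0 = ordinary kernel memory, key 1 = one eBPF program's sandbox
 * (stack, context, maps), key 2 = shared packet buffer, read-only here. */
enum { KEY_KERNEL = 0, KEY_SANDBOX = 1, KEY_PKTBUF = 2 };

#define PKRS_KERNEL_MODE 0u   /* all AD/WD clear: the kernel sees every domain */

int main(void)
{
    uint32_t sandbox = pkrs_for_sandbox(1u << KEY_SANDBOX, 1u << KEY_PKTBUF);
    uint64_t base = 0x8000000000000003ULL;            /* NX | RW | P, no key yet */
    uint64_t kernel_page  = pte_set_pkey(base, KEY_KERNEL);
    uint64_t sandbox_page = pte_set_pkey(base, KEY_SANDBOX);
    uint64_t pkt_page     = pte_set_pkey(base, KEY_PKTBUF);

    printf("sandbox PKRS = 0x%08x\n", sandbox);
    printf("in sandbox: read kernel page  -> %s\n", pks_access_allowed(sandbox, kernel_page, false) ? "ok" : "#PF");
    printf("in sandbox: write own stack   -> %s\n", pks_access_allowed(sandbox, sandbox_page, true) ? "ok" : "#PF");
    printf("in sandbox: write packet buf  -> %s\n", pks_access_allowed(sandbox, pkt_page, true) ? "ok" : "#PF");
    printf("after WRMSR back: read kernel -> %s\n", pks_access_allowed(PKRS_KERNEL_MODE, kernel_page, false) ? "ok" : "#PF");
    return 0;
}
```

The sandbox value the demo prints is 0xFFFFFFE3: keys 3 to 15 and key 0 fully disabled, key 1 open, key 2 write-disabled. Entering and leaving the sandbox in the patent's scheme is exactly a WRMSR of this value and of 0 respectively; the per-access check itself happens in the page walk, which is why the text can call it zero-overhead while each domain switch still costs a WRMSR.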

The eBPF mechanism in the Linux kernel allows untrusted, user-supplied programs to be loaded into the kernel safely. eBPF defines a simplified RISC instruction set, and users compile C code to eBPF bytecode with the eBPF backend of LLVM. Before the bytecode is loaded into the kernel and executed, eBPF relies on the verifier to ensure that the loaded program is safe. Because the LLVM compiler is not part of the trusted computing base, the verifier checks at the eBPF bytecode level that the program cannot access sensitive kernel data or crash the kernel. Bytecode that passes the verifier is compiled into machine code for the target architecture. Once loaded, an eBPF program is executed when a specific event fires: the kernel has predefined attachment points, for example where a network driver processes a packet or at the entry and exit of a system call, and when execution reaches such a point the eBPF program attached there runs. In addition, with kprobes an eBPF program can be inserted at almost any function in the kernel.

The design of eBPF's static safety check has two key problems. The first is that the verifier's own code contains bugs that an attacker can exploit, giving "false negatives". In Linux 5.10 the eBPF verifier is about 12,000 lines of complex code. Since 2020, as many as 14 of the vulnerabilities disclosed in the Linux kernel have involved the eBPF verifier; using them, an attacker can craft eBPF programs that pass verification yet crash the kernel or steal sensitive kernel data. The second is the "false positive" problem caused by the verifier's conservatism. On one hand, to keep the verifier from consuming too much CPU time, eBPF was designed from the start to support only limited semantics, for example a cap on the number of instructions and no dynamic memory allocation; on the other hand, the simulated execution the verifier uses lacks any semantics for relations between variables and therefore has difficulty tracking value ranges precisely. These factors make eBPF development difficult: developers often need careful analysis, or even knowledge of the verifier's internals, to write code that is both efficient and accepted by the verifier.

To address these false-negative and false-positive problems, existing work usually enhances eBPF by improving static checking. PREVAIL translates eBPF binaries into a control-flow-graph-based language that can be read and analysed by abstract-interpretation tools. However, PREVAIL is slower than the in-kernel verifier, is incompatible with the current kernel eBPF implementation, and depends on the abstract-interpretation framework Crab, all of which make it hard to integrate into the kernel. PRSafe introduces a non-Turing-complete domain-specific language based on primitive recursive functions, whose memory and input properties guarantee that every computation terminates; but the work is at an early stage and skips key issues, for example it relies on the Z3 SMT solver for safety checks and leaves providing the same functionality as the eBPF verifier as future work. ExoBPF requires developers to supply a correctness proof for their eBPF program and can therefore move the entire verifier out of the kernel; it plans to support several kinds of checkers, including SAT solving for analysing large programs. The drawback of this approach is the proof burden it places on developers, who need to understand formal proofs to use the mechanism well.

A new technical solution is therefore needed to address these problems.

Summary of the invention

In view of the defects of the prior art, the object of the present invention is to provide an eBPF memory isolation method and system based on kernel-mode memory isolation hardware features.

The eBPF memory isolation method based on kernel-mode memory isolation hardware features provided by the present invention comprises the following steps:

Step S1: call the helper function;

Step S2: the trampoline function checks whether the arguments of the helper call are legal; if the check fails, error handling is performed and execution of the entire eBPF program is terminated; if the check passes, proceed to step S3;

Step S3: update PKRS to temporarily leave the sandbox;

Step S4: synchronise the shadow object back to the kernel object;

Step S5: call the real helper function;

Step S6: synchronise the kernel object back to the shadow object;

Step S7: update the value of PKRS to re-enter the sandbox;

Step S8: finish the helper call.

Preferably, step S1 uses a trampoline function mechanism to handle helper calls: the eBPF program calls helper functions only through trampoline functions; if a helper needs to access kernel data structures outside the sandbox, the trampoline updates PKRS to temporarily leave the sandbox before the call and re-enters the sandbox after it; before calling the helper, the trampoline synchronises the shadow object to the kernel object and passes the kernel object to the helper as the argument.

Preferably, in step S2 calls to helper functions are replaced with calls to trampoline functions when the eBPF program is compiled; trampoline functions correspond one-to-one with helper functions, check the correctness of the call arguments and reject illegal calls; the corresponding helper is called only after the arguments pass the check.

Preferably, in step S3 a sandbox contains the memory an eBPF program is allowed to access; when kernel execution reaches the eBPF program, PKRS is updated with the WRMSR instruction to enter the sandbox; when the eBPF program calls a helper function outside the sandbox, the isolation domain is switched again to allow access to the kernel address space; when execution returns from the helper or exits the eBPF program, the isolation domain is switched again.

Preferably, the shadow object of step S4 is a copy, inside the sandbox, of a kernel data structure, and the eBPF program accesses the shadow object while it runs; the shadow object mechanism handles nested structures, maintaining the pointer relationships between structures inside the sandbox.

The present invention also provides an eBPF memory isolation system based on kernel-mode memory isolation hardware features, comprising the following modules:

Module M1: call the helper function;

Module M2: the trampoline function checks whether the arguments of the helper call are legal; if the check fails, error handling is performed and execution of the entire eBPF program is terminated; if the check passes, proceed to module M3;

Module M3: update PKRS to temporarily leave the sandbox;

Module M4: synchronise the shadow object back to the kernel object;

Module M5: call the real helper function;

Module M6: synchronise the kernel object back to the shadow object;

Module M7: update the value of PKRS to re-enter the sandbox;

Module M8: finish the helper call.

Preferably, module M1 uses a trampoline function mechanism to handle helper calls: the eBPF program calls helper functions only through trampoline functions; if a helper needs to access kernel data structures outside the sandbox, the trampoline updates PKRS to temporarily leave the sandbox before the call and re-enters the sandbox after it; before calling the helper, the trampoline synchronises the shadow object to the kernel object and passes the kernel object to the helper as the argument.

Preferably, in module M2 calls to helper functions are replaced with calls to trampoline functions when the eBPF program is compiled; trampoline functions correspond one-to-one with helper functions, check the correctness of the call arguments and reject illegal calls; the corresponding helper is called only after the arguments pass the check.

Preferably, in module M3 a sandbox contains the memory an eBPF program is allowed to access; when kernel execution reaches the eBPF program, PKRS is updated with the WRMSR instruction to enter the sandbox; when the eBPF program calls a helper function outside the sandbox, the isolation domain is switched again to allow access to the kernel address space; when execution returns from the helper or exits the eBPF program, the isolation domain is switched again.

Preferably, the shadow object of module M4 is a copy, inside the sandbox, of a kernel data structure, and the eBPF program accesses the shadow object while it runs; the shadow object mechanism handles nested structures, maintaining the pointer relationships between structures inside the sandbox.

Compared with the prior art, the present invention has the following beneficial effects:

1. The PKS isolation sandbox proposed by the present invention reduces the amount of code in the eBPF verifier and can intercept the memory accesses of a malicious eBPF program at run time, solving the "false negative" problem;

2. The present invention moves part of the verifier's work to run-time checking, which permits more flexible semantics, reduces the burden on eBPF developers and gives the eBPF compiler room for more aggressive optimisation, mitigating the "false positive" problem.

Description of the drawings

Other features, objects and advantages of the present invention will become more apparent from the detailed description of non-limiting embodiments made with reference to the following drawings:

Fig. 1 is a schematic diagram of the PKS isolation sandbox of the present invention;

Fig. 2 is a schematic diagram of the processing flow for the context object region of the present invention;

Fig. 3 is a flow chart of the execution of the trampoline function of the present invention.

Detailed description

The present invention is described in detail below with reference to specific embodiments. The following embodiments will help those skilled in the art to further understand the present invention, but do not limit it in any form. It should be noted that those skilled in the art can make several changes and improvements without departing from the concept of the present invention; all of these fall within the protection scope of the present invention.

Embodiment 1:

The eBPF memory isolation method based on kernel-mode memory isolation hardware features provided by the present invention comprises the following steps:

Step S1: call the helper function. A trampoline function mechanism is proposed to handle helper calls: the eBPF program calls helper functions through trampoline functions; if a helper needs to access kernel data structures outside the sandbox, the trampoline updates PKRS to temporarily leave the sandbox before the call and re-enters the sandbox after it; before calling the helper, the trampoline synchronises the shadow object to the kernel object and passes the kernel object to the helper as the argument.

Step S2: the trampoline function checks whether the arguments of the helper call are legal; if the check fails, error handling is performed and execution of the entire eBPF program is terminated; if the check passes, proceed to step S3. When the eBPF program is compiled, calls to helper functions are replaced with calls to trampoline functions; trampoline functions correspond one-to-one with helper functions, check the correctness of the call arguments and reject illegal calls; the corresponding helper is called only after the arguments pass the check.

Step S3: update PKRS to temporarily leave the sandbox. A sandbox contains the memory an eBPF program is allowed to access; when kernel execution reaches the eBPF program, PKRS is updated with the WRMSR instruction to enter the sandbox; when the eBPF program calls a helper function outside the sandbox, the isolation domain is switched again to allow access to the kernel address space; when execution returns from the helper or exits the eBPF program, the isolation domain is switched again.

Step S4: synchronise the shadow object back to the kernel object. The shadow object is a copy, inside the sandbox, of a kernel data structure, and the eBPF program accesses the shadow object while it runs; the shadow object mechanism handles nested structures, maintaining the pointer relationships between structures inside the sandbox.

Step S5: call the real helper function;

Step S6: synchronise the kernel object back to the shadow object;

Step S7: update the value of PKRS to re-enter the sandbox;

Step S8: finish the helper call.

The present invention also provides an eBPF memory isolation system based on kernel-mode memory isolation hardware features, which can be implemented by executing the steps of the eBPF memory isolation method described above; that is, those skilled in the art can understand the method as a preferred embodiment of the system.

Embodiment 2:

The present invention also provides an eBPF memory isolation system based on kernel-mode memory isolation hardware features, comprising the following modules:

Module M1: call the helper function. A trampoline function mechanism is proposed to handle helper calls: the eBPF program calls helper functions through trampoline functions; if a helper needs to access kernel data structures outside the sandbox, the trampoline updates PKRS to temporarily leave the sandbox before the call and re-enters the sandbox after it; before calling the helper, the trampoline synchronises the shadow object to the kernel object and passes the kernel object to the helper as the argument.

Module M2: the trampoline function checks whether the arguments of the helper call are legal; if the check fails, error handling is performed and execution of the entire eBPF program is terminated; if the check passes, proceed to module M3. When the eBPF program is compiled, calls to helper functions are replaced with calls to trampoline functions; trampoline functions correspond one-to-one with helper functions, check the correctness of the call arguments and reject illegal calls; the corresponding helper is called only after the arguments pass the check.

Module M3: update PKRS to temporarily leave the sandbox. A sandbox contains the memory an eBPF program is allowed to access; when kernel execution reaches the eBPF program, PKRS is updated with the WRMSR instruction to enter the sandbox; when the eBPF program calls a helper function outside the sandbox, the isolation domain is switched again to allow access to the kernel address space; when execution returns from the helper or exits the eBPF program, the isolation domain is switched again.

Module M4: synchronise the shadow object back to the kernel object. The shadow object is a copy, inside the sandbox, of a kernel data structure, and the eBPF program accesses the shadow object while it runs; the shadow object mechanism handles nested structures, maintaining the pointer relationships between structures inside the sandbox.

Module M5: call the real helper function;

Module M6: synchronise the kernel object back to the shadow object;

Module M7: update the value of PKRS to re-enter the sandbox;

Module M8: finish the helper call.

Embodiment 3:

本发明所提出的方法,使用轻量级动态检查的方式取代eBPF检查器中的静态模拟执行检查机制。具体来说,本发明提出将eBPF程序运行在内核态沙箱中,由沙箱对程序的内存访问进行动态检查,保证程序无法对内核内存进行非法访问;为高效实现轻量化的内核态沙箱,本发明利用新型硬件特性PKS进行零开销的访存指令检查,并提出高效的内核与沙箱中eBPF程序交互方法。The method proposed by the present invention replaces the static simulation execution checking mechanism in the eBPF checker with a lightweight dynamic checking method. Specifically, the present invention proposes to run the eBPF program in the kernel state sandbox, and the sandbox will dynamically check the memory access of the program to ensure that the program cannot illegally access the kernel memory; in order to efficiently implement a lightweight kernel state sandbox , the present invention utilizes the novel hardware feature PKS to check memory access instructions with zero overhead, and proposes an efficient method for interacting between the kernel and the eBPF program in the sandbox.

本发明修改了eBPF机制中对map数据结构的内存管理方式。为了保证沙箱中的eBPF程序能够正常访问map,本发明提出在创建map数据结构的时候将分配的内存页置于内核沙箱内。由于PKS机制以页的粒度保护内存区域,因此本发明修改了每一种map类型的内存分配函数,使得其分配的内存以页的粒度对齐。本发明提出可以将map数据结构置于一个单独的内核沙箱中,并给予多个eBPF程序对该沙箱的访问权限,以支持map数据结构被多个eBPF程序同时访问。The present invention modifies the memory management method of the map data structure in the eBPF mechanism. In order to ensure that the eBPF program in the sandbox can normally access the map, the present invention proposes to place the allocated memory pages in the kernel sandbox when creating the map data structure. Because the PKS mechanism protects the memory area at the granularity of the page, the present invention modifies the memory allocation function of each map type so that the allocated memory is aligned at the granularity of the page. The present invention proposes that the map data structure can be placed in a separate kernel sandbox, and multiple eBPF programs are given access to the sandbox, so as to support the map data structure to be accessed by multiple eBPF programs simultaneously.

本发明修改了Linux内核对网络数据包的内存管理方式。本发明提出在内核中维护一个用于储存数据包的缓冲区,并在系统启动时将其置于为网络包保留一个独立的沙箱中。同时本发明提出使用一个轻量级的内存管理库用于管理缓冲区内存空间,并修改内核中数据包的分配函数以保证所有的数据包分配在该缓冲区中。The invention modifies the memory management mode of the Linux kernel to the network data packets. The present invention proposes to maintain a buffer for storing data packets in the kernel, and place it in a separate sandbox reserved for network packets when the system is started. At the same time, the present invention proposes to use a light-weight memory management library to manage the buffer memory space, and modify the allocation function of data packets in the kernel to ensure that all data packets are allocated in the buffer.

本发明提出影子对象机制以解决eBPF访问上下文结构体的问题。影子对象即为内核数据结构在沙箱内的一份拷贝,eBPF程序在运行过程中访问影子对象。影子对象机制嵌套的结构体,可以在沙箱中维护结构体间的指针关系。本发明提出用时拷贝机制仅拷贝eBPF程序需要用到的域以解决资源浪费的问题。The present invention proposes a shadow object mechanism to solve the problem of eBPF accessing the context structure. The shadow object is a copy of the kernel data structure in the sandbox, and the eBPF program accesses the shadow object during operation. The nested structure of the shadow object mechanism can maintain the pointer relationship between the structures in the sandbox. The present invention proposes a time-use copy mechanism to only copy domains needed by eBPF programs to solve the problem of waste of resources.

本发明提出影子栈机制解决eBPF程序访问内核栈的问题。影子栈是位于内核沙箱中的一块内存区域,eBPF程序执行的时候会将栈指针切换到影子栈,待执行完毕后再切换回内核栈。为了避免运行时分配影子栈带来性能开销,本设计在创建eBPF沙箱的时候预先在沙箱中分配影子栈数组,并在程序执行时根据当前的CPU序号直接读取影子栈的地址。The invention proposes a shadow stack mechanism to solve the problem of eBPF programs accessing the kernel stack. The shadow stack is a memory area located in the kernel sandbox. When the eBPF program is executed, the stack pointer will be switched to the shadow stack, and then switched back to the kernel stack after execution. In order to avoid the performance overhead caused by allocating the shadow stack at runtime, this design pre-allocates the shadow stack array in the sandbox when creating the eBPF sandbox, and directly reads the address of the shadow stack according to the current CPU serial number when the program is executed.

The invention proposes a trampoline function mechanism to solve the problem of calling helper functions. An eBPF program can call helper functions only through the trampoline functions proposed by the invention. If the helper function needs to access kernel data structures outside the sandbox, the trampoline function updates the value of PKRS before calling the helper function to temporarily exit the sandbox, and re-enters the sandbox after the call. To prevent the kernel from accessing the shadow object directly, the trampoline function synchronises the shadow object to the kernel object before calling the helper function and passes the kernel object to the helper function as a parameter.

The invention handles PKS page faults. When a malicious eBPF program accesses memory outside the kernel sandbox, a PKS page fault is triggered. To avoid a kernel crash, the page fault handler terminates the execution of the eBPF program, unloads the eBPF program from the kernel, and resets the execution flow to the return address of the eBPF entry function, where execution continues.

Fig. 1 is a schematic diagram of the PKS isolation sandbox in the embodiment. A PKS sandbox contains the memory that one eBPF program is allowed to access, for example the stack area, the context area and the map area. Memory that may be shared by several eBPF programs, for example the packet area, is placed in a shared sandbox. When the kernel's execution flow reaches the eBPF program, the value of PKRS is updated through the WRMSR instruction to enter the sandbox. When the eBPF program calls a helper function outside the sandbox, the isolation domain is switched again to allow access to the kernel address space. Likewise, when the execution flow returns from a helper function or exits the eBPF program, the isolation domain is switched again.

Fig. 2 is a schematic diagram of the processing flow for the context object area in the embodiment. The invention proposes building a shadow object copy of the context object in the entry function and passing a pointer to the shadow object (ctx_iso) to the eBPF machine code in place of the original pointer (ctx), so that isolation of the context area is supported transparently to the eBPF program. After the eBPF function finishes, the values in the shadow object may have been modified by the eBPF program, so at that point they are copied back into the original object. The invention proposes that, when a shadow object is created for a structure containing pointers, shadow objects are also created for all nested structures (nested shadow objects); at the same time, the pointers in the context shadow object are updated to point to the nested shadow objects. The mechanism also handles two or more levels of nesting. Only some of the fields of the context object (the shaded fields in the figure) need to be synchronised into the shadow object, which solves the resource waste problem.

Fig. 3 is a flowchart of the execution of a trampoline function in the embodiment. The trampoline function first checks whether the parameters of the function call are legal, for example by comparing whether the address of the shadow object in the parameters is the same as the address used in the entry function, and by judging whether a memory address may be accessed. If the check fails, error handling is performed and the execution of the entire eBPF program is ended. If the helper function needs to access kernel data structures outside the sandbox, the trampoline function updates the value of PKRS before calling the helper function to temporarily exit the sandbox, and re-enters the sandbox after the call. If the helper function needs to access the shadow object, the trampoline function synchronises the shadow object to the kernel object before calling the helper function, and passes the kernel object to the helper function as a parameter.

An eBPF memory sandbox isolation mechanism based on PKS: the read and write permissions of the memory isolation sandbox are controlled through PKS, and the memory resources of different memory domains are isolated from one another.

In the memory sandbox isolation mechanism, each eBPF program corresponds to one isolation sandbox. The isolation sandbox has its own stack area, map area and context area.

In the memory sandbox isolation mechanism, a map shared by several eBPF programs is placed in a common isolation sandbox, and every eBPF program with access rights to that map accesses that sandbox at the same time.

In the memory sandbox isolation mechanism, the network packet area corresponds to a common isolation sandbox that can be accessed by all eBPF programs with access rights to network packets. For the network packet isolation sandbox, the kernel's packet allocation mechanism is modified so that all network packets are allocated from space reserved inside the sandbox at system startup.

A shadow object mechanism that allows eBPF programs to access context objects: for each context object, a shadow object is maintained inside the sandbox. When the eBPF function is called, the context object is copied into the shadow object, and the context object among the arguments of the eBPF function call is replaced by the shadow object. When the eBPF function call ends, the shadow object is copied back into the context object.

In the shadow object mechanism, when a pointer in a shadow object points to another object, a new shadow object is created for the object pointed to. The mechanism supports nesting of object pointers to multiple levels.

In the shadow object mechanism, when only some fields of the context object are accessed by the eBPF program, only those accessed fields are copied into the shadow object.

A trampoline function mechanism that allows eBPF programs to call helper functions: when the eBPF program is compiled, calls to helper functions are replaced by calls to trampoline functions. Trampoline functions correspond one-to-one with helper functions; they check the correctness of the call parameters and reject illegal calls. Once the parameters pass the check, the corresponding helper function is called.

In the trampoline function mechanism, if the helper function needs to access memory outside the sandbox, the sandbox is temporarily exited by modifying the value of PKRS before the helper function is called, and re-entered after the call.

In the trampoline function mechanism, if the helper function needs to access the context object, the shadow object is copied into the context object before the helper function is called, the context object is passed to the helper function as a parameter, and the context object is copied back into the shadow object after the call.

A PKS page fault handling mechanism: when an eBPF program in an isolation sandbox triggers a PKS page fault through an illegal memory access, the PKS page fault handler terminates the execution of the eBPF program, unloads the eBPF program from the kernel, and resets the execution flow to the address at which the eBPF entry function returns, where execution continues.
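As an added illustration that is not part of the patent, the following user-space C program models the fault-recovery path just described: a PROT_NONE page stands in for memory outside the eBPF sandbox, SIGSEGV stands in for the PKS page fault, and the handler marks the program unloaded and jumps back to the point where the entry function returns. All names, the page layout and the values are constructed for the example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed user-space model of the patent's PKS fault handling: a PROT_NONE page plays
 * memory outside the eBPF sandbox, and SIGSEGV plays the PKS page fault. */
enum { PROG_UNLOADED = 0, PROG_LOADED = 1 };
static volatile sig_atomic_t prog_state;   /* the handler sets this to PROG_UNLOADED */
static volatile sig_atomic_t in_ebpf;      /* only faults raised inside the program are ours */
static sigjmp_buf entry_return;            /* the point where the entry function returns */

static void pks_fault_handler(int sig, siginfo_t *si, void *uctx) {
    (void)sig; (void)si; (void)uctx;
    if (!in_ebpf) _exit(2);                /* a fault outside the program is a real bug */
    prog_state = PROG_UNLOADED;            /* "unload the eBPF program from the kernel" */
    siglongjmp(entry_return, 1);           /* "reset execution flow to the entry function's return" */
}
static int install_handler(void) {
    struct sigaction sa; memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = pks_fault_handler;
    sa.sa_flags = SA_SIGINFO | SA_NODEFER;
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Stand-in eBPF program: reads its sandbox ctx, then (if malicious) touches memory outside. */
static int ebpf_prog(volatile uint32_t *ctx_iso, volatile uint32_t *outside) {
    uint32_t v = ctx_iso[0];
    if (outside) v += outside[0];          /* PKS would fault here */
    return (int)v;
}
/* Entry function: returns the program's value, or -1 if the program was killed. */
static int ebpf_entry(volatile uint32_t *ctx_iso, volatile uint32_t *outside) {
    volatile int ret = -1;
    prog_state = PROG_LOADED;
    if (sigsetjmp(entry_return, 1) == 0) {
        in_ebpf = 1;
        ret = ebpf_prog(ctx_iso, outside); /* normal path */
    }
    in_ebpf = 0;                           /* the siglongjmp lands here with ret still -1 */
    return ret;
}

/* Map one sandbox page and one inaccessible page, run one program, and clean up.
 * run_case(0) returns 40 (benign program); run_case(1) returns -1 (program killed). */
static int run_case(int malicious) {
    long pg = sysconf(_SC_PAGESIZE);
    uint32_t *sandbox = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    uint32_t *kernel  = mmap(NULL, pg, PROT_NONE,              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (sandbox == MAP_FAILED || kernel == MAP_FAILED || install_handler() != 0) return -2;
    sandbox[0] = 40;                       /* constructed ctx content */
    int ret = ebpf_entry(sandbox, malicious ? kernel : NULL);
    munmap(sandbox, pg); munmap(kernel, pg);
    return ret;
}
```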

The method proposed by the invention is not limited to isolating eBPF programs; the PKS isolation sandbox can also be used to isolate important kernel data structures and sub-modules such as drivers.

PKS: Protection Key for Supervisor;

eBPF: Extended Berkeley Packet Filter;

RISC: Reduced Instruction Set Computing.

Those skilled in the art may understand this embodiment as a more specific description of Embodiment 1 and Embodiment 2.

Those skilled in the art know that, besides implementing the system provided by the invention and its devices, modules and units purely as computer-readable program code, the method steps can be logically programmed so that the system and its devices, modules and units implement the same functions in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore, the system provided by the invention and its devices, modules and units can be regarded as a hardware component, and the devices, modules and units contained in it for implementing the various functions can also be regarded as structures within that hardware component; the devices, modules and units for implementing the various functions can likewise be regarded both as software modules implementing the method and as structures within the hardware component.

Specific embodiments of the invention have been described above. It should be understood that the invention is not limited to the specific embodiments described above; those skilled in the art may make various changes or modifications within the scope of the claims without affecting the substance of the invention. Where there is no conflict, the embodiments of the application and the features in the embodiments may be combined with one another arbitrarily.

Claims (10)

1. An eBPF memory isolation method based on the kernel-mode memory isolation hardware feature, characterized in that the method comprises the following steps:
Step S1: call the helper function;
Step S2: the trampoline function checks whether the parameters of the helper function call are legal; if the check fails, error handling is performed and the execution of the entire eBPF program is ended; if the check passes, proceed to step S3;
Step S3: update PKRS to temporarily exit the sandbox;
Step S4: synchronise the shadow object back to the kernel object;
Step S5: call the real helper function;
Step S6: synchronise the kernel object back to the shadow object;
Step S7: update the value of PKRS to re-enter the sandbox;
Step S8: finish the helper function call.

2. The eBPF memory isolation method based on the kernel-mode memory isolation hardware feature according to claim 1, characterized in that step S1 proposes a trampoline function mechanism to solve the problem of helper function calls; the eBPF program calls helper functions through trampoline functions; if the helper function needs to access kernel data structures outside the sandbox, the trampoline function updates the value of PKRS before calling the helper function to temporarily exit the sandbox, and re-enters the sandbox after the call; the trampoline function synchronises the shadow object to the kernel object before calling the helper function, and passes the kernel object to the helper function as a parameter.

3. The eBPF memory isolation method based on the kernel-mode memory isolation hardware feature according to claim 1, characterized in that step S2 replaces calls to helper functions with calls to trampoline functions when the eBPF program is compiled; trampoline functions correspond one-to-one with helper functions, check the correctness of the call parameters, and reject illegal calls; after the parameters pass the check, the corresponding helper function is called.

4. The eBPF memory isolation method based on the kernel-mode memory isolation hardware feature according to claim 1, characterized in that in step S3 a sandbox contains the memory that an eBPF program is allowed to access; when the kernel code execution flow reaches the eBPF program, the value of PKRS is updated through the WRMSR instruction to enter the sandbox; when the eBPF program calls a helper function outside the sandbox, the isolation domain is switched again to allow access to the kernel address space; when the execution flow returns from the helper function or exits the eBPF program, the isolation domain is switched again.

5. The eBPF memory isolation method based on the kernel-mode memory isolation hardware feature according to claim 1, characterized in that the shadow object in step S4 is a copy of a kernel data structure inside the sandbox, and the eBPF program accesses the shadow object while running; for nested structures, the shadow object mechanism maintains the pointer relationships between the structures inside the sandbox.

6. An eBPF memory isolation system based on the kernel-mode memory isolation hardware feature, characterized in that the system comprises the following modules:
Module M1: call the helper function;
Module M2: the trampoline function checks whether the parameters of the helper function call are legal; if the check fails, error handling is performed and the execution of the entire eBPF program is ended; if the check passes, proceed to module M3;
Module M3: update PKRS to temporarily exit the sandbox;
Module M4: synchronise the shadow object back to the kernel object;
Module M5: call the real helper function;
Module M6: synchronise the kernel object back to the shadow object;
Module M7: update the value of PKRS to re-enter the sandbox;
Module M8: finish the helper function call.

7. The eBPF memory isolation system based on the kernel-mode memory isolation hardware feature according to claim 6, characterized in that module M1 proposes a trampoline function mechanism to solve the problem of helper function calls; the eBPF program calls helper functions through trampoline functions; if the helper function needs to access kernel data structures outside the sandbox, the trampoline function updates the value of PKRS before calling the helper function to temporarily exit the sandbox, and re-enters the sandbox after the call; the trampoline function synchronises the shadow object to the kernel object before calling the helper function, and passes the kernel object to the helper function as a parameter.

8. The eBPF memory isolation system based on the kernel-mode memory isolation hardware feature according to claim 6, characterized in that module M2 replaces calls to helper functions with calls to trampoline functions when the eBPF program is compiled; trampoline functions correspond one-to-one with helper functions, check the correctness of the call parameters, and reject illegal calls; after the parameters pass the check, the corresponding helper function is called.

9. The eBPF memory isolation system based on the kernel-mode memory isolation hardware feature according to claim 6, characterized in that in module M3 a sandbox contains the memory that an eBPF program is allowed to access; when the kernel code execution flow reaches the eBPF program, the value of PKRS is updated through the WRMSR instruction to enter the sandbox; when the eBPF program calls a helper function outside the sandbox, the isolation domain is switched again to allow access to the kernel address space; when the execution flow returns from the helper function or exits the eBPF program, the isolation domain is switched again.

10. The eBPF memory isolation system based on the kernel-mode memory isolation hardware feature according to claim 6, characterized in that the shadow object in module M4 is a copy of a kernel data structure inside the sandbox, and the eBPF program accesses the shadow object while running; for nested structures, the shadow object mechanism maintains the pointer relationships between the structures inside the sandbox.
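The following C model, added here and not taken from the patent, walks one packet through the shadow object mechanism (Fig. 2, claims 5 and 10) and the trampoline steps S1 to S8 of claim 1: copy-on-use of the context fields, a nested shadow object for the pointer field, the argument check, the PKRS switch, and the two synchronisations around the real helper. The struct names, the field-use mask, the helper and the single global standing in for per-CPU state are constructed assumptions; PKRS is a plain variable here, whereas on hardware it is an MSR written with WRMSR.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: PKRS is a plain variable here; on hardware it is a per-CPU MSR written with WRMSR. */
#define PKRS_AD(key) (1u << (2 * (key)))      /* access-disable bit of protection key `key` */
static uint32_t pkrs;                         /* stands in for the PKRS MSR; key 0 = kernel memory */
static void enter_sandbox(void) { pkrs |=  PKRS_AD(0); }   /* kernel pages become unreachable */
static void exit_sandbox(void)  { pkrs &= ~PKRS_AD(0); }   /* kernel pages reachable again   */
/* Simplified kernel context object (stand-in for sk_buff) with one nested pointer. */
struct net_dev { int ifindex; };
struct pkt_ctx {
    uint32_t len, mark;
    struct net_dev *dev;
    uint8_t priv[8];      /* never touched by the eBPF program, so never copied */
};
enum { USE_LEN = 1u, USE_MARK = 2u, USE_DEV = 4u };   /* fields the verifier saw the program use */
struct shadow_ctx {
    struct pkt_ctx  obj;       /* what the program receives as ctx_iso           */
    struct net_dev  dev_copy;  /* nested shadow object replacing ctx->dev         */
    struct pkt_ctx *orig;      /* the kernel object; only touched outside the box */
    unsigned        use;
};
static struct shadow_ctx *cur_shadow;         /* per-CPU in a kernel; one global here */
static void shadow_build(struct shadow_ctx *s, struct pkt_ctx *k, unsigned use) {   /* copy-on-use */
    memset(s, 0, sizeof *s);
    s->orig = k; s->use = use;
    if (use & USE_LEN)  s->obj.len  = k->len;
    if (use & USE_MARK) s->obj.mark = k->mark;
    if (use & USE_DEV) { s->dev_copy = *k->dev; s->obj.dev = &s->dev_copy; }  /* re-point nested ptr */
}
static void shadow_to_kernel(struct shadow_ctx *s) {   /* step S4, and when the entry function exits */
    if (s->use & USE_LEN)  s->orig->len  = s->obj.len;
    if (s->use & USE_MARK) s->orig->mark = s->obj.mark;
    if (s->use & USE_DEV)  *s->orig->dev = s->dev_copy;
}
static void kernel_to_shadow(struct shadow_ctx *s) {   /* step S6 */
    if (s->use & USE_LEN)  s->obj.len  = s->orig->len;
    if (s->use & USE_MARK) s->obj.mark = s->orig->mark;
    if (s->use & USE_DEV)  s->dev_copy = *s->orig->dev;
}
/* The real helper works on the kernel object, i.e. on memory outside the sandbox. */
static int helper_set_mark(struct pkt_ctx *k, uint32_t mark) { k->mark = mark; return 0; }
/* Trampoline for helper_set_mark: steps S2 to S7 of claim 1. */
static int tramp_set_mark(struct pkt_ctx *arg, uint32_t mark) {
    if (arg != &cur_shadow->obj) return -EINVAL;         /* S2: must be the entry's shadow object */
    exit_sandbox();                                      /* S3 */
    shadow_to_kernel(cur_shadow);                        /* S4 */
    int ret = helper_set_mark(cur_shadow->orig, mark);   /* S5 */
    kernel_to_shadow(cur_shadow);                        /* S6 */
    enter_sandbox();                                     /* S7 */
    return ret;
}
/* Stand-in for the JIT-compiled eBPF program: it only ever sees ctx_iso. */
static int ebpf_prog(struct pkt_ctx *ctx_iso) {
    if (ctx_iso->dev->ifindex == 2 && ctx_iso->len > 64)
        return tramp_set_mark(ctx_iso, 0x42);
    return 0;
}
/* Entry function: build the shadow, enter the box, run, leave, sync back. */
static int ebpf_entry(struct pkt_ctx *k) {
    struct shadow_ctx s;
    shadow_build(&s, k, USE_LEN | USE_MARK | USE_DEV);
    cur_shadow = &s; enter_sandbox();
    int ret = ebpf_prog(&s.obj);
    exit_sandbox(); shadow_to_kernel(&s); cur_shadow = NULL;
    return ret;
}
/* One constructed packet through the flow: the mark the kernel object ends with, or an error
 * marker if priv was disturbed or PKRS was left in the sandbox state. Expected: 0x42. */
static uint32_t run_example(void) {
    struct net_dev dev = { .ifindex = 2 };
    struct pkt_ctx k = { .len = 100, .mark = 0, .dev = &dev, .priv = {7,7,7,7,7,7,7,7} };
    if (ebpf_entry(&k) != 0) return 0xffffffffu;
    return (k.priv[0] == 7 && pkrs == 0) ? k.mark : 0xfffffffeu;
}
/* A pointer that is not the entry's shadow object is rejected at step S2. */
static int rejects_foreign_pointer(void) {
    struct shadow_ctx s = {0}; struct pkt_ctx stray = {0}; cur_shadow = &s;
    return tramp_set_mark(&stray, 1) == -EINVAL;
}
```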
CN202310011710.3A 2023-01-05 2023-01-05 eBPF memory isolation method and system based on kernel mode memory isolation hardware characteristics Pending CN116127445A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310011710.3A CN116127445A (en) 2023-01-05 2023-01-05 eBPF memory isolation method and system based on kernel mode memory isolation hardware characteristics

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310011710.3A CN116127445A (en) 2023-01-05 2023-01-05 eBPF memory isolation method and system based on kernel mode memory isolation hardware characteristics

Publications (1)

Publication Number Publication Date
CN116127445A true CN116127445A (en) 2023-05-16

Family

ID=86295095

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310011710.3A Pending CN116127445A (en) 2023-01-05 2023-01-05 eBPF memory isolation method and system based on kernel mode memory isolation hardware characteristics

Country Status (1)

Country Link
CN (1) CN116127445A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119720297A (en) * 2024-12-09 2025-03-28 上海交通大学 Method and system for enhancing isolation of operating system by software and hardware collaboration
CN120386587A (en) * 2025-06-27 2025-07-29 浪潮电子信息产业股份有限公司 Kernel task execution method, electronic device, readable storage medium and program product



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination