Cloud computing technologies have developed rapidly in recent years. The threats that the many existing malicious programs, and malicious code in a kernel, pose to the security of processes in virtual machines on a cloud platform cannot be ignored. The virtual machine kernel plays a core role in a virtual machine: while the virtual machine runs, system call requests of all application programs, internal and external interrupt handling, and the like are processed directly in the virtual machine kernel, which performs the necessary processing. In some implementations, among all interfaces for accessing the virtual machine kernel, the system call interface is the main interface through which application programs interact with the virtual machine kernel and obtain its services. Correspondingly, among the path branches into the virtual machine kernel, the system call execution path is one that needs to be particularly protected. Once the system call execution path is hijacked, malicious code may obtain an opportunity to execute in the process environment of a particular process, and then read or write that process's memory using the authorized identity of the process, thereby bypassing the restrictions that prevent a third-party process from reading or writing the process memory. Consequently, the malicious code may, for example, tamper with the results of system call execution, threaten the security of data in processes, and affect the normal running of the processes.
In the prior art, to provide anti-hijacking protection for the system call execution path, a virtual machine monitor (VMM) in the virtual machine mainly performs transparent, real-time interception and monitoring of the virtual machine kernel, that is, interception and monitoring that is not perceived by the user side, so as to intercept in real time any reading or writing of the process memory by an unauthorized operation. Specifically, interception is implemented mainly by using the exception/trap mechanism provided by a hardware-assisted virtualization mechanism together with a hardware-assisted memory virtualization mechanism. In the VMM, the corresponding memory isolation is implemented with page tables, so that an unauthorized operation is trapped and handled in time.
However, in the prior art, omissions usually occur when the VMM performs interception at page-table granularity. For example, if malicious code performs continuous operations on a particular page, then once the malicious code is not intercepted and is allowed the first time, it is difficult to trap it subsequently. That is, the interception effect is relatively poor, and the overhead caused by real-time interception is excessively large.