A Virtualization Security Protection Model Based on Memory Introspection
Abstract
Existing virtual machine introspection techniques can analyze a virtual machine only when the guest operating system version and kernel data structures are known in advance, which makes it hard for them to meet the security needs of real virtualization environments. To solve this problem, this paper proposes VEDefender, a virtualization security protection model based on memory introspection. Without any prior knowledge, the model analyzes the physical memory of the host machine in real time to detect running virtual machines and reconstruct their high-level semantic information, so that malicious activity inside a virtual machine can be identified promptly and answered with an intelligent response. A prototype of VEDefender is implemented on the KVM virtual machine monitor, together with a method for KVM that automatically detects running virtual machines based on the vm_list kernel symbol table. Experimental results show that the system can detect running virtual machines and obtain their status information, and that it is transparent, attack-resistant, universal and efficient.
