计算机应用 (Journal of Computer Applications) ›› 2015, Vol. 35 ›› Issue (6): 1555-1559. DOI: 10.11772/j.issn.1001-9081.2015.06.1555

• Advanced Computing •

Virtual machine introspection and memory security monitoring based on light-weight operating system

MA Lele1,2, YUE Xiaomeng1,2, WANG Yuqing1,2, YANG Qiusong1,2

  1. Institute of Software, Chinese Academy of Sciences, Beijing 100190, China;
  2. CPU and Fundamental Software Research Center, Chinese Academy of Sciences, Shanghai 201210, China
  • Received: 2014-12-19; Revised: 2015-03-20; Published: 2015-06-12
  • Corresponding author: MA Lele (born 1989), male, from Laiwu, Shandong; M.S. candidate; research interests: system security, virtual reality; lelema.cn@gmail.com
  • Author biographies: YUE Xiaomeng (born 1989), male, from Qingzhou, Shandong; assistant engineer, M.S.; research interests: system security, trusted computing. WANG Yuqing (born 1987), male, from Nanyang, Henan; assistant engineer, M.S.; research interests: information security, operating system security. YANG Qiusong (born 1977), male, from Botou, Hebei; research professor, Ph.D., CCF member; research interests: system security, formal methods.
  • Funding: Supported by the Knowledge Innovation Program of the Chinese Academy of Sciences (KGCX2-YW-12) and the National Science and Technology Major Project on Core Electronic Devices, High-end Generic Chips and Basic Software (2014ZX01029101-002).



Abstract:

Using Virtual Machine Introspection (VMI) from a traditional privileged Virtual Machine (VM) to monitor the memory security of other VMs may weaken the isolation between the security module and the rest of the system, and slows down the overall performance of the virtualization platform. To mitigate these disadvantages, a security architecture that implements VMI in a light-weight operating system is proposed, together with a security checking scheme based on memory integrity measurement. Monitoring and checking other VMs' runtime memory from a light-weight VM reduces both the attack surface of the security module and the performance overhead. Non-intrusive checking and a custom authorization policy for the virtualization platform strengthen the isolation of the security module. A prototype VMI and memory checking system was implemented on Mini-OS, the small operating system shipped with Xen. Compared with implementing the same function in a privileged VM, the proposed scheme reduces performance loss by more than 92%. The evaluation shows that the scheme significantly improves the efficiency of VMI and real-time checking.

Key words: Virtual Machine Introspection (VMI), Xen Mini Operating System (Xen Mini-OS), memory monitoring, integrity checking, intrusion detection
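Memory integrity measurement as described in the abstract, reduced to its core loop: hash every monitored guest page once while the guest is known-good, then periodically re-measure through read-only access and flag pages whose hash has changed. This is an added illustration in C and not code from the paper or from Xen Mini-OS; the guest pages are a constructed buffer standing in for the monitored VM's memory mapped into the light-weight VM, and FNV-1a stands in for the cryptographic hash a real agent would use.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE 4096
#define NPAGES 4

/* 64-bit FNV-1a: a stand-in for a cryptographic hash (e.g. SHA-256), used only to keep the example self-contained. */
static uint64_t page_hash(const uint8_t *page)
{
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < PAGE_SIZE; i++) {
        h ^= page[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Baseline: hash each monitored page once while the guest is known-good. */
void measure_baseline(const uint8_t *pages, size_t n, uint64_t *baseline)
{
    for (size_t i = 0; i < n; i++)
        baseline[i] = page_hash(pages + i * PAGE_SIZE);
}

/* Re-measure and compare. Pure reads of the mapped pages, nothing is written into the guest; marks changed pages and returns their count. */
size_t check_integrity(const uint8_t *pages, size_t n, const uint64_t *baseline, int *changed)
{
    size_t n_changed = 0;
    for (size_t i = 0; i < n; i++) {
        changed[i] = page_hash(pages + i * PAGE_SIZE) != baseline[i];
        n_changed += (size_t)changed[i];
    }
    return n_changed;
}

/* Constructed demo: a buffer standing in for the guest's read-only kernel text (in the paper's setting, the monitored VM's memory mapped into the Mini-OS guest). Returns how many pages are flagged after one bit is flipped. */
size_t demo_tamper_detected(void)
{
    static uint8_t guest[NPAGES * PAGE_SIZE];
    uint64_t baseline[NPAGES];
    int changed[NPAGES];
    memset(guest, 0x90, sizeof guest);          /* constructed "code" contents */
    measure_baseline(guest, NPAGES, baseline);
    guest[2 * PAGE_SIZE + 123] ^= 0x01;         /* silent one-bit modification of page 2 */
    return check_integrity(guest, NPAGES, baseline, changed);   /* returns 1 */
}
```

In the deployed architecture the baseline would be taken at guest boot and the check loop would run on a timer inside the light-weight VM, so that a modified kernel page is reported without any agent running inside the monitored guest.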
