基于虚拟机监控器的Windows剪贴板操作监控

doi:10.11772/j.issn.1001-9081.2016.02.0511

计算机应用 ›› 2016, Vol. 36 ›› Issue (2): 511-515.DOI: 10.11772/j.issn.1001-9081.2016.02.0511

基于虚拟机监控器的Windows剪贴板操作监控

周登元, 李清宝, 张擂, 孔维亮

数学工程与先进计算国家重点实验室(信息工程大学), 郑州 450000

收稿日期:2015-07-20 修回日期:2015-10-07 出版日期:2016-02-10 发布日期:2016-02-03
通讯作者: 周登元(1991-),男,河南商丘人,硕士研究生,CCF会员,主要研究方向:网络信息安全。
作者简介:李清宝(1967-),男,四川乐山人,教授,博士生导师,博士,主要研究方向:网络信息安全、计算机体系结构;张擂(1990-),男,安徽涡阳人,硕士研究生,主要研究方向:信息安全、可信计算;孔维亮(1990-),男,天津人,硕士研究生,主要研究方向:网络信息安全。
基金资助:
国家核高基项目(2013JH00103)。

Windows clipboard operations monitoring based on virtual machine monitor

ZHOU Dengyuan, LI Qingbao, ZHANG Lei, KONG Weiliang

State Key Laboratory of Mathematical Engineering and Advanced Computing(Information Engineering University), Zhengzhou Henan 450000, China

Received:2015-07-20 Revised:2015-10-07 Online:2016-02-10 Published:2016-02-03

摘要/Abstract

摘要： 针对现有剪贴板操作监控无法抵御内核层攻击,且所采取的单一保护策略无法满足现实需求的问题,提出一种基于虚拟机监控器(VMM)的文档内容剪贴板操作监控技术,并提出基于剪贴板操作监控的电子文档分级保护策略。首先,通过修改影子寄存器的方法在VMM层截获并识别系统调用;其次,监控文档打开操作建立进程标识符和文档路径之间的映射表,并在截获到剪贴板操作后通过进程标识符解析文档路径;最后,根据电子文档分级保护策略对剪贴板操作进行过滤。实验结果表明,监控系统给客户机文件系统带来的性能损耗随着文件读写块的增大而减小,当读写块大小达到64 KB以上时,客户机性能损耗在10%以内,对用户影响不大。

关键词: 虚拟机监控器, 剪贴板监控, 系统调用, 电子文档, 分级保护

Abstract: The existing methods for monitoring clipboard operations cannot defend kernel-level attacks and satisfy the practical needs due to the simple protection strategy. In order to mitigate these disadvantages, a clipboard operations monitoring technique for document contents based on Virtual Machine Monitor (VMM) was proposed, as well as a classification protection strategy for electronic documents based on clipboard operations monitoring. Firstly, system calls were intercepted and identified in VMM by modifying the shadow registers. Secondly, a mapping table between process identifier and document path was created by monitoring the document open operations, then the document path could be obtained by process identifier when the clipboard operations were intercepted. Finally, clipboard operations were filtered according to classification protection strategy. The experimental results show that the performance loss to Guest OS file system caused by the monitoring system decreases with the increase of the record size; when the record size reaches more than 64 KB, the performance loss is within 10%, which has little effect on the user.

Key words: Virtual Machine Monitor(VMM), clipboard monitoring, system call, electronic document, classification protection

中图分类号:

TP309.2

周登元, 李清宝, 张擂, 孔维亮. 基于虚拟机监控器的Windows剪贴板操作监控[J]. 计算机应用, 2016, 36(2): 511-515.

ZHOU Dengyuan, LI Qingbao, ZHANG Lei, KONG Weiliang. Windows clipboard operations monitoring based on virtual machine monitor[J]. Journal of Computer Applications, 2016, 36(2): 511-515.

参考文献

[1] BRUNDRETT P, GARG P, GU J, et al. Encrypting file system and method: U.S. 6249866B1 [P]. 2001-06-19.
[2] LAM K C, LAU W C, YUE O. Hitchbot-delivering malicious URLs via social hitch-hiking[C]//GLOBECOM 2011: Proceedings of the 2011 Global Telecommunications Conference. Piscataway, NJ: IEEE Press, 2011: 1-6.
[3] 任建华,江国华.终端文件安全保障系统中剪贴板监控技术的应用[J].计算机应用,2005,25(Z2):86-88. (REN J H, JIANG G H. Application of the technology of the clipboard monitoring in the terminal file security system[J]. Journal of Computer Applications, 2005, 25(Z2): 86-88.)
[4] LI S, LV S, JIA X, et al. Application of clipboard monitoring technology in graphic and document information security protection system[C]//IITSI '10: Proceedings of the 2010 Third International Symposium on Intelligent Information Technology and Security Informatics. Washington, DC: IEEE Computer Society, 2010: 423-426.
[5] PARK C, KIM H. System and method for clipboard security: U.S., 20120226913A1 [P]. 2010-02-02.
[6] PATHAK G, TAK G K. Implementation of clipboard security using cryptographic techniques[J]. International Journal of Computer Applications, 2014, 86(6): 1-5.
[7] OKOLICA J, PETERSON G L. Extracting the windows clipboard from physical memory[J]. Digital Investigation, 2011, 8(Supplement): S118-S124.
[8] BRADBURY D. Microsoft's new window on security[J]. Computers & Security, 2006, 25(6): 405-407.
[9] 熊海泉,刘志勇,徐卫志,等.VMM中Guest OS非陷入系统调用指令截获与识别[J].计算机研究与发展,2014,51(10):2348-2359. (XIONG H Q, LIU Z Y, XU W Z, et al. Interception and identification of guest OS non-trapping system call instruction within VMM[J]. Journal of Computer Research and Development, 2014, 51(10): 2348-2359.)
[10] PROSNITZ B. Blackbox no more: reconstruction of internal virtual machine state [EB/OL]. (2007-03-26) [2013-03-21]. http://www.cs.northwestern.edu/~plab/Virtuoso/NWU-EECS-07-01.pdf.
[11] FATTORI A, LANZI A, BALZAROTTI D, et al. Hypervisor-based malware protection with AccessMiner[J]. Computers & Security, 2015, 52: 33-50.
[12] PFOH J, SCHNEIDER C, ECKERT C. Nitro: hardware-based system call tracing for virtual machines[C]//IWSEC 2011: Proceedings of the 6th International Workshop on Advances in Information and Computer Security, LNCS 7038. Berlin: Springer-Verlag, 2011: 96-112.
[13] DINABURG A, ROYAL P, SHARIF M, et al. Ether: malware analysis via hardware virtualization extensions[C]//CCS'08: Proceedings of the 15th ACM Conference on Computer and Communications Security. New York: ACM, 2008: 51-62.

[1]	蔡梦娟, 陈兴蜀, 金鑫, 赵成, 殷明勇. 基于硬件虚拟化的虚拟机进程代码分页式度量方法[J]. 计算机应用, 2018, 38(2): 305-309.
[2]	李津津, 贾晓启, 杜海超, 王利朋. 基于虚拟化技术的有效提高系统可用性的方法[J]. 计算机应用, 2017, 37(4): 986-992.
[3]	赵成, 陈兴蜀, 金鑫. 基于硬件虚拟化的虚拟机文件完整性监控[J]. 计算机应用, 2017, 37(2): 388-391.
[4]	李洪敏万平国葛杨. 跨域引用监视器及其以数据为中心的多级安全模型[J]. 计算机应用, 2013, 33(03): 717-719.
[5]	解文冲杨英杰汪永伟代向东. 基于任务划分的防信息聚合泄密模型[J]. 计算机应用, 2013, 33(02): 408-416.
[6]	吴瀛江建慧. 基于进程轨迹最小熵长度的系统调用异常检测[J]. 计算机应用, 2012, 32(12): 3439-3444.
[7]	卢建平郭玉东王晓睿赵玉春. 基于协作型VMM的虚拟机执行环境动态配置模型[J]. 计算机应用, 2012, 32(03): 831-834.
[8]	孟江涛卢显良. 虚拟机监控器Xen的可靠性优化[J]. 计算机应用, 2010, 30(9): 2358-2361.
[9]	朱大立陈晓苏. 基于数字水印的电子文档信息标识应用方案[J]. 计算机应用, 2010, 30(07): 1818-1820.
[10]	杨翠谭成翔. 远端非可信平台Agent完整性保护机制研究与设计[J]. 计算机应用, 2009, 29(11): 3001-3004.
[11]	马博袁丁. 基于Linux驱动级内核访问监控技术研究与实现[J]. 计算机应用, 2009, 29(09): 2369-2374.
[12]	何志范明钰. 基于HSC的进程隐藏检测技术[J]. 计算机应用, 2008, 28(7): 1772-1775.
[13]	赵文刚钟乐海张娅杨金邹海洋. 模糊窗口Markov链在IDS中的应用[J]. 计算机应用, 2008, 28(6): 1398-1400.
[14]	张军苏璞睿冯登国 . 基于系统调用的入侵检测系统设计与实现[J]. 计算机应用, 2006, 26(9): 2137-2139.
[15]	孟江涛;卢显良;田荣华. 一个基于引用监控机的内核完整性保护方法[J]. 计算机应用, 2006, 26(5): 1071-1074.

基于虚拟机监控器的Windows剪贴板操作监控

Windows clipboard operations monitoring based on virtual machine monitor

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics