基于硬件虚拟化的虚拟机进程代码分页式度量方法

doi:10.11772/j.issn.1001-9081.2017082167

计算机应用 ›› 2018, Vol. 38 ›› Issue (2): 305-309.DOI: 10.11772/j.issn.1001-9081.2017082167

• 网络空间安全 • 下一篇

基于硬件虚拟化的虚拟机进程代码分页式度量方法

蔡梦娟¹, 陈兴蜀¹, 金鑫², 赵成², 殷明勇³

1. 四川大学网络空间安全研究院, 成都 610065;
2. 四川大学计算机学院, 成都 610065;
3. 中国工程物理研究院计算机应用研究所, 四川绵阳 621900

收稿日期:2017-08-21 修回日期:2017-09-13 出版日期:2018-02-10 发布日期:2018-02-10
通讯作者: 陈兴蜀
作者简介:蔡梦娟(1996-),女,湖北崇阳人,硕士研究生,主要研究方向:虚拟化安全;陈兴蜀(1968-),女,四川成都人,教授,博士,主要研究方向:云计算、大数据安全、网络空间安全;金鑫(1976-),男,辽宁营口人,博士研究生,主要研究方向:云计算安全、可信计算;赵成(1991-),男,河北固安人,硕士,主要研究方向:云计算、虚拟化;殷明勇(1983-),男,陕西汉中人,硕士,主要研究方向:网络安全、大数据。
基金资助:
国家自然科学基金资助项目（61272447）。

Paging-measurement method for virtual machine process code based on hardware virtualization

CAI Mengjuan¹, CHEN Xingshu¹, JIN Xin², ZHAO Cheng², YIN Mingyong³

1. Cybersecurity Research Institute, Sichuan University, Chengdu Sichuan 610065, China;
2. College of Computer Science, Sichuan University, Chengdu Sichuan 610065, China;
3. Institute of Computer Application, China Academy of Engineering Physics, Mianyang Sichuan 621900, China

Received:2017-08-21 Revised:2017-09-13 Online:2018-02-10 Published:2018-02-10
Supported by:
This work is partially supported by the National Natural Science Foundation of China (61272447).

摘要/Abstract

摘要： 云环境下恶意软件可利用多种手段篡改虚拟机（VM）中关键业务代码，威胁其运行的稳定性。传统的基于主机的度量系统易被绕过或攻击而失效，针对在虚拟机监视器（VMM）层难以获取虚拟机中运行进程完整代码段并对其进行完整性验证的问题，提出基于硬件虚拟化的虚拟机进程代码分页式度量方法。该方法以基于内核的虚拟机（KVM）作为虚拟机监视器，在VMM层捕获虚拟机进程的系统调用作为度量流程的触发点，基于相对地址偏移解决了不同版本虚拟机之间的语义差异，实现了分页式度量方法在VMM层透明地验证虚拟机中运行进程代码段的完整性。实现的原型系统——虚拟机分页式度量系统（VMPMS）能有效度量虚拟机中进程，性能损耗在可接受范围内。

关键词: 进程完整性, 动态度量, 无代理, 系统调用, 基于内核的虚拟机

Abstract: In cloud environment, the code of pivotal business in Virtual Machine (VM) can be modified by malicious software in many ways, which can pose a threat to its stable operation. Traditional measurement systems based on host are liable to be bypassed or attacked. To solve the problem that it is difficult to obtain a complete virtual machine running process code and verify its integrity at Virtual Machine Monitor (VMM) layer, a paging-measurement method based on hardware virtualization was proposed. The Kernel-based Virtual Machine (KVM) was used as the VMM to capture the system calls of virtual machine process in VMM and regarde it as the trigger point of the measurement process; the semantic differences of different virtual machine versions were solved by using relative address offset, then the paging-measurement method could verify the code integrity of running process in virtual machine transparently at VMM layer. The implemented prototype system of VMPMS (Virtual Machine Paging-Measurement System) can effectively measure the virtual machine process code with acceptable performance loss.

Key words: process integrity, dynamic measurement, agentless, system call, Kernel-based Virtual Machine (KVM)

中图分类号:

TP309

蔡梦娟, 陈兴蜀, 金鑫, 赵成, 殷明勇. 基于硬件虚拟化的虚拟机进程代码分页式度量方法[J]. 计算机应用, 2018, 38(2): 305-309.

CAI Mengjuan, CHEN Xingshu, JIN Xin, ZHAO Cheng, YIN Mingyong. Paging-measurement method for virtual machine process code based on hardware virtualization[J]. Journal of Computer Applications, 2018, 38(2): 305-309.

参考文献

[1] 王惠莅,杨晨,杨建军.美国NIST云计算安全标准跟踪及研究[J].信息技术与标准化,2012(6):51-54. (WANG H L, YANG C, YANG J J. Research on clouds computing security standards of NIST[J]. Information Technology & Standardization, 2012(6):51-54.)
[2] 张瑞,刘威.2015年12月计算机病毒疫情分析[J].信息网络安全,2016(2):74. (ZHANG R, LIU W. Analysis of epidemic situation of computer virus in December 2015[J]. Netinfo Security, 2016(2):74.)
[3] 陈兴蜀,葛龙,罗永刚,等.云计算服务持续监管研究[J].网络与信息安全学报,2016,2(10):2-3. (CHEN X S, GE L, LUO Y G, et al. Research on continuous monitoring of cloud computing service[J]. Chinese Journal of Network and Information Security, 2016, 2(10):2-3.)
[4] 徐江峰,邵向阳.基于HOOK API技术的进程监控系统设计与实现[J].计算机工程与设计,2011,32(4):1330-1332. (XU J F, SHAO X Y. Design and realization of process-monitoring system based on HOOK API technology[J]. Computer Engineering and Design, 2011, 32(4):1330-1332.)
[5] 崔竞松,张雅娜,郭迟,等.支持多种虚拟化技术的进程非代理监控方法[J]. 华中科技大学学报(自然科学版),2014,42(11):122-124. (CUI J S, ZHANG Y N, GUO C, et al. Agent-free processes monitoring method supporting various virtualization technologies[J]. Journal of Huazhong University of Science and Technology (Nature Science Edition), 2014, 42(11):122-124.)
[6] 李博,沃天宇,胡春明,等.基于VMM的操作系统隐藏对象关联检测技术[J].软件学报,2013, 24(2):405-420. (LI B, WO T Y, HU C M, et al. Hidden OS objects correlated detection technology based on VMM[J]. Journal of Software, 2013, 24(2):405-420.)
[7] 张磊,陈兴蜀,任益,等.一种基于VMM的内核级Rootkit检测技术[J].信息网络安全,2015(4):57-59. (ZHANG L, CHEN X S, REN Y, et al. Kernel-level Rootkit detection technology based on VMM[J]. Netinfo Security, 2015(4):57-59.)
[8] HWANG T, SHIN Y, SON K, et al. Design of a hypervisor-based rootkit detection method for virtualized systems in cloud computing environments[C]//Proceedings of the 2013 AASRI Winter International Conference on Engineering and Technology. Amsterdam:Atlantis Press, 2013:27-33.
[9] GARFINKEL T, ROSENBLUM M. A virtual machine introspection based architecture for intrusion detection[C]//Proceedings of the Internet Society's 2003 Symposium on Network and Distributed Systems Security Symposium.[S.l.]:Internet Society, 2003:253-285.
[10] 骆源,毛亚强,廖振壹.一种用于虚拟机上的混合监控度量方法及系统:中国,CN104714877A[P]. 2015-06-17.
[11] 孙绍钢,李晓勇.一种基于虚拟化技术的恶意代码行为检测方法:中国,CN102682229A[P]. 2012-09-19.
[12] 林杰,刘川意,方滨兴.IVirt:基于虚拟机自省的运行环境完整性度量机制[J].计算机学报,2015,38(1):191-203. (LIN J, LIU C Y, FANG B X. IVirt:runtime environment integrity measurement mechanism based on virtual machine introspection[J]. Chinese Journal of Computers, 2015, 38(1):191-203.)
[13] AZAB A M, NING P, SEZER E C, et al. HIMA:a hypervisor-based integrity measurement agent[C]//ACSAC'09:Proceedings of the 2009 IEEE Annual Computer Security Applications Conference. Piscataway, NJ:IEEE, 2009:461-470.
[14] GARFINKEL T, PFAFF B, CHOW J, et al. Terra:a virtual machine-based platform for trusted computing[C]//SOSP'03:Proceedings of the 19th ACM Symposium on Operating Systems Principles. New York:ACM, 2003:193-206.
[15] 陈兴蜀,李辉,张磊,等.基于Xen的自下而上调用的设计与实现[J].电子科技大学学报,2014,43(6):881-884. (CHEN X S, LI H, ZHANG L, et al. The design and implement of Xen-based upcall[J]. Journal of University of Electronic Science and Technology of China, 2014, 43(6):881-884.)
[16] SAILER R, ZHANG X, JAEGER T, et al. Design and implementation of a TCG-based integrity measurement architecture[C]//SSYM'04:Proceedings of the 13th Conference on USENIX Security Symposium. Berkeley, CA:USENIX Association, 2004, 13:223-238.
[17] JAEGER T, SAILER R, SHANKAR U. PRIMA:Policy-Reduced Integrity Measurement Architecture[C]//SACMAT 2006:Proceedings of the 11th ACM Symposium on Access Control Models and Technologies. New York:ACM, 2006:19-28.
[18] HUH J H, MONTANARI M, DAGIT D, et al. An empirical study on the software integrity of virtual appliances:are you really getting what you paid for?[C]//ASIA CCS'13:Proceedings of the 2013 ACM SIGSAC Symposium on Information, Computer and Communications Security. New York:ACM, 2013:231-242.
[19] STELTE B, KOCH R, ULLMANN M. Towards integrity measurement in virtualized environments-a hypervisor based sensory integrity measurement architecture (SIMA)[C]//HST'10:Proceedings of the 2010 IEEE International Conference on Technologies for Homeland Security. Piscataway, NJ:IEEE, 2010:106-112.
[20] ALI S. Virtualization with KVM[M]//Practical Linux Infrastructure. Berkeley, CA:Apress, 2015:53-80.
[21] Intel. Intel 64 and IA-32 architectures software developer's manual[EB/OL].[2017-05-06]. http://www.ti.uni-bielefeld.de/html/teaching/WS1314/techinf1/64-ia-32-architectures-software-developers-manual.pdf.
[22] 邓志.处理器虚拟化[M].北京:电子工业出版社,2014:200-201. (DENG Z. Processor virtualization[M]. Beijing:Publishing House of Electronics Industry, 2014:200-201.)
[23] LI N, LI B, LI J, et al. vMON:An efficient out-of-VM process monitor for virtual machines[C]//HPCC_EUC 2013:Proceedings of the 2013 IEEE 10th International Conference on High Performance Computing and Communications & 2013 IEEE International Conference on Embedded and Ubiquitous Computing. Piscataway, NJ:IEEE, 2013:1366-1373.
[24] 英特尔开源软件技术中心,复旦大学并行处理研究所. 系统虚拟化——原理与实现[M].北京:清华大学出版社,2009:51-54. (Intel Open Source Technology Center,Parallel Processing Institution of Fudan University. System Virtualization:Principles and Implementation[M]. Beijing:Tsinghua University Press, 2009:51-54.)

基于硬件虚拟化的虚拟机进程代码分页式度量方法

Paging-measurement method for virtual machine process code based on hardware virtualization

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 14

编辑推荐

Metrics

[1]	李津津, 贾晓启, 杜海超, 王利朋. 基于虚拟化技术的有效提高系统可用性的方法[J]. 计算机应用, 2017, 37(4): 986-992.
[2]	赵成, 陈兴蜀, 金鑫. 基于硬件虚拟化的虚拟机文件完整性监控[J]. 计算机应用, 2017, 37(2): 388-391.
[3]	周登元, 李清宝, 张擂, 孔维亮. 基于虚拟机监控器的Windows剪贴板操作监控[J]. 计算机应用, 2016, 36(2): 511-515.
[4]	吴瀛江建慧. 基于进程轨迹最小熵长度的系统调用异常检测[J]. 计算机应用, 2012, 32(12): 3439-3444.
[5]	辛思远赵勇廖建华王婷. 操作系统内核的动态可信度量模型[J]. 计算机应用, 2012, 32(04): 953-956.
[6]	马博袁丁. 基于Linux驱动级内核访问监控技术研究与实现[J]. 计算机应用, 2009, 29(09): 2369-2374.
[7]	何志范明钰. 基于HSC的进程隐藏检测技术[J]. 计算机应用, 2008, 28(7): 1772-1775.
[8]	赵文刚钟乐海张娅杨金邹海洋. 模糊窗口Markov链在IDS中的应用[J]. 计算机应用, 2008, 28(6): 1398-1400.
[9]	张军苏璞睿冯登国 . 基于系统调用的入侵检测系统设计与实现[J]. 计算机应用, 2006, 26(9): 2137-2139.
[10]	蒋世忠; 杨进; 张英. 基于免疫原理与粗糙集理论的入侵检测方法[J]. 计算机应用, 2006, 26(5): 1077-1080.
[11]	钱丽萍;汪立东. 一种评测应用程序实际性能开销的方法[J]. 计算机应用, 2006, 26(5): 1180-1182.
[12]	朱国强;刘真;李宗伯. 对计算机系统中程序行为的分析和研究[J]. 计算机应用, 2005, 25(12): 2739-2741.
[13]	安景琦，刘贵全，钱权. 一种基于隐Markov模型的异常检测技术[J]. 计算机应用, 2005, 25(08): 1744-1746.
[14]	李珍，王凤先. 基于系统调用序列的“非我”分类[J]. 计算机应用, 2005, 25(07): 1663-1665.