基于硬件虚拟化的虚拟机内核完整性保护

doi:10.3969/j.issn.1000-1565.2018.02.012

河北大学学报(自然科学版) ›› 2018, Vol. 38 ›› Issue (2): 194-203.DOI: 10.3969/j.issn.1000-1565.2018.02.012

基于硬件虚拟化的虚拟机内核完整性保护

杨晓晖,许烨

收稿日期:2017-06-20 出版日期:2018-03-25 发布日期:2018-03-25
作者简介:杨晓晖(1975—),男,河北巨鹿人,河北大学教授,博士,主要从事分布计算与信息安全等方向研究. E-mail:yxh@hbu.edu.cn
基金资助:
国家重点研发计划专项(2017YFB0802300)

A virtual machine kernel integrity protection method based on hardware virtualization

YANG Xiaohui,XU Ye

School of Cyber Security and Computer, Hebei University, Baoding 071002, China

Received:2017-06-20 Online:2018-03-25 Published:2018-03-25

摘要/Abstract

摘要： 虚拟化技术在为用户带来方便的同时,也为恶意程序提供了更多的攻击机会.针对虚拟机内核完整性面临的安全威胁,提出了一种基于硬件虚拟化的虚拟机内核完整性主动保护方法,通过硬件虚拟化扩展机制从2方面保护内核数据、代码以及关键寄存器:一方面为关键的内核数据与代码创建独立的页表并设置访问权限,使其运行在隔离的地址空间内;一方面利用硬件虚拟化的“陷入”机制使得关键寄存器一旦被篡改便下陷到VMM(virtual machine monitor).实验结果表明本文方法能够检测出常见的内核级Rootkit,并能阻止其对系统的恶意篡改,性能开销控制在7%以内,在提升安全性的同时,不会对性能产生明显的影响.

关键词: 硬件虚拟化, 虚拟机内核, 完整性保护, Intel VT

Abstract: Virtualization technology provides convenience for users,but also provides more attacks.Aiming at the problem of virtual machine kernel integrity,a virtual machine kernel integrity protection method is proposed based on hardware virtualization.It can protect the kernel data,code,and registers by using hardware virtualization extensions.On one hand,a separate page table is created for important kernel data and code,and the access permissions is set for the page table to run in an isolated address space.On the other hand,the use of hardware virtualization “trap” mechanism makes the registers drop to VMM when they are tampered.Based on this,the implementation of the system is given and the system is verified.The experimental results show that this method can detect the common kernel-level rootkits and prevent them to tamper with the system.The final performance cost is controlled within 7%.As a result,this method gives enhanced security and will not have a significant impact on performance.

Key words: hardware-based virtualization, virtual machine kernel, integrity protection, Intel VT

中图分类号:

TP316

杨晓晖,许烨. 基于硬件虚拟化的虚拟机内核完整性保护[J]. 河北大学学报(自然科学版), 2018, 38(2): 194-203.

YANG Xiaohui,XU Ye. A virtual machine kernel integrity protection method based on hardware virtualization[J]. Journal of Hebei University (Natural Science Edition), 2018, 38(2): 194-203.

参考文献

[1] BINU A,KUMAR G S.Virtualization techniques: a methodical review of XEN and KVM[J].Advances in Computing and Communications,2011: 399-410.DOI:10.1007/978-3-642-22709-7_40.
[2] HANDY A.Xen and the art of virtualization[J].Acm Sigops Operating Systems Review,2009,37(5):164-177.DOI:10.1145/945445.945462.
[3] BUGNION E,DEVINE S,ROSENBLUM M,et al.Bringing virtualization to the x86 architecture with the original vmware workstation[J].ACM Transactions on Computer Systems,2012,30(4):1-51.DOI:10.1145/2382553.2382554.
[4] BARRETT D,CISSP,COMPLETION C C O.How virtualization happens - virtualization and forensics - 1[J].Virtualization & Forensics,2010,1679(3):3-24.DOI:10.1016/b978-1-59749-557-8.00001-1.
[5] MONTES J,SÁNCHEZ A,MEMISHI B,et al.GMonE: A complete approach to cloud monitoring[J].Future Generation Computer Systems,2013,29(8):2026-2040.DOI:10.1016/j.future.2013.02.011.
[6] GARFINKEL T,ROSENBLUM M.A virtual machine introspection based architecture for intrusion detection[J].Proceedings of the Network & Distributed Systems Security Symposium,2003:191-206.DOI:10.1109/SP.2011.11.
[7] 李保珲,徐克付,张鹏,等.虚拟机自省技术研究与应用进展[J].软件学报,2016,27(6):1384-1401.DOI: 10.13328/j.cnki.jos.005006. LI B H,XU K F,ZHANG P,et al.Research and application progress of virtual machine introspection technology[J].Journal of Software,2016,27(6):1384-1401.DOI: 10.13328/j.cnki.jos.005006.
[8] VOGL S,KILIC F,SCHNEIDER C,et al.X-TIER: Kernel module injection[J].Religious Studies,2013,46:192-205.DOI:10.1007/978-3-642-38631-2_15.
[9] RHEE J,RILEY R,LIN Z,et al.Data-Centric OS kernel malware characterization[J].IEEE Transactions on Information Forensics & Security,2014,9(1):72-87.DOI:10.1109/TIFS.2013.2291964.
[10] AZAB A M,NING P,SEZER E C,et al.HIMA: A hypervisor-based integrity measurement agent[C] // GATES C.Computer Security Applications Conference,2009,ACSAC '09,Washington: IEEE Computer Society,2010:461-470.
[11] JIN H,XIANG G,ZOU D,et al.A VMM-based intrusion prevention system in cloud computing environment[J].Journal of Supercomputing,2013,66(3):1133-1151.DOI:10.1007/s11227-011-0608-2.
[12] 罗森林,闫广禄,潘丽敏,等.基于劫持内核入口点的隐藏进程检测方法[J].北京理工大学学报,2015,35(5):545-550.DOI:10.15918/j.tbit1001-0645.2015.05.021. LUO S L,YAN G L,PAN L M,et al.Hidden process detection method based on intercepting the entry of system kernel[J].Journal of Transactions of Beijing Institute of Technology,2015,35(5):545-550.DOI:10.15918/j.tbit1001-0645.2015.05.021.
[13] PFOH J,SCHNEIDER C,ECKERT C.Exploiting the x86 architecture to derive virtual machine state information[C] // GATES C.Fourth International Conference on Emerging Security Information,Systems and Technologies,Washington: IEEE Computer Society,2010:166-175.
[14] PFOH J,SCHNEIDER C,ECKERT C.Nitro: Hardware-based system call tracing for virtual machines[J].Lecture Notes In Computer Science,2011,7038:96-112.DOI:10.1007/978-3-642-25141-2_7.
[15] XIONG H,LIU Z.The architectural based interception and identification of system call instruction within VMM[J].Proceedings of International Workshop on Cloud Computing & Information Security,2013,52(2):73-76.DOI:10.2991/ccis-13.2013.18.
[16] LIU Y,XIA Y,GUAN H,et al.Concurrent and consistent virtual machine introspection with hardware transactional memory[C] // GATES C.International Symposium on High Performance Computer Architecture.Washington: IEEE Computer Society,2014:416-427.
[17] LIU Y,ZHOU T,CHEN K,et al.Thwarting memory disclosure with efficient hypervisor-enforced intra-domain isolat-ion[C] // LI N H.Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security,New York: ACM Press,2015:1607-1619.
[18] 黄啸,邓良,孙浩,等.基于硬件虚拟化的安全高效内核监控模型[J].软件学报,2016,27(2):481-494.DOI:10.13328/j.cnki.jos.004866. HUANG X,DENG L,SUN H,et al.Secure and efficient kernel monitoring model based on hardware virtualization[J].Journal of Software,2016,27(2):481-494.DOI:10.13328/j.cnki.jos.004866.
[19] MERKEL D.Docker: lightweight linux containers for consistent development and deployment[J].Linux Journal,2014,239: 2.DOI:10.1097/01.NND.0000320699.47006.a3.
[20] COSTAN V,LEBEDEV I,DEVADAS S.Secure processors part II:Intel SGX security analysis and MIT sanctum architecture[J].Foundations & Trends in Electronic Design Automation,2017,11(3):249-361.DOI:10.1561/1000000052.
[21] MAHAPATRA C,SELVAKUMAR S.An online cross view difference and behavior based kernel rootkit detector[J].Acm Sigsoft Software Engineering Notes,2011,36(4):1-9.DOI:10.1145/1988997.1989022
[22] BALIGA A,GANAPATHY V,IFTODE L.Detecting kernel-level rootkits using data structure invariants[J].IEEE Transactions on Dependable & Secure Computing,2011,8(5):670-684.DOI:10.1109/TDSC.2010.38.

基于硬件虚拟化的虚拟机内核完整性保护

A virtual machine kernel integrity protection method based on hardware virtualization

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 0

编辑推荐

Metrics

本文评价