A virtual machine kernel integrity protection method based on hardware virtualization

doi:10.3969/j.issn.1000-1565.2018.02.012

Abstract

Abstract: Virtualization technology provides convenience for users,but also provides more attacks.Aiming at the problem of virtual machine kernel integrity,a virtual machine kernel integrity protection method is proposed based on hardware virtualization.It can protect the kernel data,code,and registers by using hardware virtualization extensions.On one hand,a separate page table is created for important kernel data and code,and the access permissions is set for the page table to run in an isolated address space.On the other hand,the use of hardware virtualization “trap” mechanism makes the registers drop to VMM when they are tampered.Based on this,the implementation of the system is given and the system is verified.The experimental results show that this method can detect the common kernel-level rootkits and prevent them to tamper with the system.The final performance cost is controlled within 7%.As a result,this method gives enhanced security and will not have a significant impact on performance.

Key words: hardware-based virtualization, virtual machine kernel, integrity protection, Intel VT

CLC Number:

TP316

YANG Xiaohui,XU Ye. A virtual machine kernel integrity protection method based on hardware virtualization[J]. Journal of Hebei University (Natural Science Edition), 2018, 38(2): 194-203.

References

[1] BINU A,KUMAR G S.Virtualization techniques: a methodical review of XEN and KVM[J].Advances in Computing and Communications,2011: 399-410.DOI:10.1007/978-3-642-22709-7_40.
[2] HANDY A.Xen and the art of virtualization[J].Acm Sigops Operating Systems Review,2009,37(5):164-177.DOI:10.1145/945445.945462.
[3] BUGNION E,DEVINE S,ROSENBLUM M,et al.Bringing virtualization to the x86 architecture with the original vmware workstation[J].ACM Transactions on Computer Systems,2012,30(4):1-51.DOI:10.1145/2382553.2382554.
[4] BARRETT D,CISSP,COMPLETION C C O.How virtualization happens - virtualization and forensics - 1[J].Virtualization & Forensics,2010,1679(3):3-24.DOI:10.1016/b978-1-59749-557-8.00001-1.
[5] MONTES J,SÁNCHEZ A,MEMISHI B,et al.GMonE: A complete approach to cloud monitoring[J].Future Generation Computer Systems,2013,29(8):2026-2040.DOI:10.1016/j.future.2013.02.011.
[6] GARFINKEL T,ROSENBLUM M.A virtual machine introspection based architecture for intrusion detection[J].Proceedings of the Network & Distributed Systems Security Symposium,2003:191-206.DOI:10.1109/SP.2011.11.
[7] 李保珲,徐克付,张鹏,等.虚拟机自省技术研究与应用进展[J].软件学报,2016,27(6):1384-1401.DOI: 10.13328/j.cnki.jos.005006. LI B H,XU K F,ZHANG P,et al.Research and application progress of virtual machine introspection technology[J].Journal of Software,2016,27(6):1384-1401.DOI: 10.13328/j.cnki.jos.005006.
[8] VOGL S,KILIC F,SCHNEIDER C,et al.X-TIER: Kernel module injection[J].Religious Studies,2013,46:192-205.DOI:10.1007/978-3-642-38631-2_15.
[9] RHEE J,RILEY R,LIN Z,et al.Data-Centric OS kernel malware characterization[J].IEEE Transactions on Information Forensics & Security,2014,9(1):72-87.DOI:10.1109/TIFS.2013.2291964.
[10] AZAB A M,NING P,SEZER E C,et al.HIMA: A hypervisor-based integrity measurement agent[C] // GATES C.Computer Security Applications Conference,2009,ACSAC '09,Washington: IEEE Computer Society,2010:461-470.
[11] JIN H,XIANG G,ZOU D,et al.A VMM-based intrusion prevention system in cloud computing environment[J].Journal of Supercomputing,2013,66(3):1133-1151.DOI:10.1007/s11227-011-0608-2.
[12] 罗森林,闫广禄,潘丽敏,等.基于劫持内核入口点的隐藏进程检测方法[J].北京理工大学学报,2015,35(5):545-550.DOI:10.15918/j.tbit1001-0645.2015.05.021. LUO S L,YAN G L,PAN L M,et al.Hidden process detection method based on intercepting the entry of system kernel[J].Journal of Transactions of Beijing Institute of Technology,2015,35(5):545-550.DOI:10.15918/j.tbit1001-0645.2015.05.021.
[13] PFOH J,SCHNEIDER C,ECKERT C.Exploiting the x86 architecture to derive virtual machine state information[C] // GATES C.Fourth International Conference on Emerging Security Information,Systems and Technologies,Washington: IEEE Computer Society,2010:166-175.
[14] PFOH J,SCHNEIDER C,ECKERT C.Nitro: Hardware-based system call tracing for virtual machines[J].Lecture Notes In Computer Science,2011,7038:96-112.DOI:10.1007/978-3-642-25141-2_7.
[15] XIONG H,LIU Z.The architectural based interception and identification of system call instruction within VMM[J].Proceedings of International Workshop on Cloud Computing & Information Security,2013,52(2):73-76.DOI:10.2991/ccis-13.2013.18.
[16] LIU Y,XIA Y,GUAN H,et al.Concurrent and consistent virtual machine introspection with hardware transactional memory[C] // GATES C.International Symposium on High Performance Computer Architecture.Washington: IEEE Computer Society,2014:416-427.
[17] LIU Y,ZHOU T,CHEN K,et al.Thwarting memory disclosure with efficient hypervisor-enforced intra-domain isolat-ion[C] // LI N H.Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security,New York: ACM Press,2015:1607-1619.
[18] 黄啸,邓良,孙浩,等.基于硬件虚拟化的安全高效内核监控模型[J].软件学报,2016,27(2):481-494.DOI:10.13328/j.cnki.jos.004866. HUANG X,DENG L,SUN H,et al.Secure and efficient kernel monitoring model based on hardware virtualization[J].Journal of Software,2016,27(2):481-494.DOI:10.13328/j.cnki.jos.004866.
[19] MERKEL D.Docker: lightweight linux containers for consistent development and deployment[J].Linux Journal,2014,239: 2.DOI:10.1097/01.NND.0000320699.47006.a3.
[20] COSTAN V,LEBEDEV I,DEVADAS S.Secure processors part II:Intel SGX security analysis and MIT sanctum architecture[J].Foundations & Trends in Electronic Design Automation,2017,11(3):249-361.DOI:10.1561/1000000052.
[21] MAHAPATRA C,SELVAKUMAR S.An online cross view difference and behavior based kernel rootkit detector[J].Acm Sigsoft Software Engineering Notes,2011,36(4):1-9.DOI:10.1145/1988997.1989022
[22] BALIGA A,GANAPATHY V,IFTODE L.Detecting kernel-level rootkits using data structure invariants[J].IEEE Transactions on Dependable & Secure Computing,2011,8(5):670-684.DOI:10.1109/TDSC.2010.38.