%0 Journal Article
%T A study on security enhancement technology for KVM Hypervisor
%A ZHAO Dan-dan (赵丹丹)
%A CHEN Xing-shu (陈兴蜀)
%A JIN Xin (金鑫)
%J 山东大学学报(理学版)
%D 2017
%R 10.6040/j.issn.1671-9352.1.2016.083
%X Abstract: To enhance the security capabilities of the kernel-based virtual machine (KVM) Hypervisor, a multi-level security enhancement technology based on multiple vulnerable points is proposed. It uses Hypervisor type hiding, VMX extension instruction monitoring, protection of the ioctl system call interaction interface, dynamic integrity measurement of KVM, and anti-unloading technology to enhance the security capabilities of the KVM Hypervisor and to detect unknown interface-based attacks in time. A prototype system for Hypervisor security hardening, Security-KVM (Sec-KVM), was implemented in a KVM full-virtualization environment. Experimental results show that Sec-KVM can hide the type of the Hypervisor, enhance the attack resistance of the KVM Hypervisor, protect the integrity of KVM and of the ioctl system call interface, prevent attacks from spreading, and detect unknown attacks based on KVM service interfaces in time.
%K virtual machine monitor
%K ioctl system call
%K dynamic measurement
%K KVM
%K type hiding
%K VMX extension instructions
%U http://lxbwk.njournal.sdu.edu.cn/CN/10.6040/j.issn.1671-9352.1.2016.083