-  2017 

A study on security enhancement technology for KVM Hypervisor

DOI: 10.6040/j.issn.1671-9352.1.2016.083

Keywords: virtual machine monitor, ioctl system call, dynamic measurement, KVM, type hiding, VMX extension instructions


Abstract:

To enhance the security capabilities of the kernel-based virtual machine (KVM) Hypervisor, a multi-level security enhancement technology based on multiple vulnerable points is proposed. It combines Hypervisor type hiding, VMX extension instruction monitoring, protection of the ioctl system call interface, dynamic measurement of KVM integrity, and anti-unloading technology to strengthen the KVM Hypervisor and to promptly detect unknown interface-based attacks. A prototype system for Hypervisor security hardening, Security-KVM (Sec-KVM), was implemented in a KVM full-virtualization environment. The experimental results show that Sec-KVM can hide the type of the Hypervisor, enhance the KVM Hypervisor's resistance to attack, protect the integrity of KVM and the ioctl system call interface, prevent attacks from spreading, and promptly detect unknown attacks based on KVM service interfaces.
