KVM-based protection of user processes in Windows virtual machines

2016

Abstract:
To protect the memory and the system-call execution path of processes in a Windows virtual machine from malicious code, a KVM-based scheme for protecting user processes in virtual machines is proposed. Using hardware virtualization, a shadow kernel is constructed for the Windows virtual machine so that hooks placed by malicious code on the system-call path of the original kernel are bypassed, protecting the process's system-call path. At the same time, cross-process system calls are filtered in a monitoring agent, page-table switches of the virtual machine are intercepted in KVM, and the virtual machine's breakpoint exceptions and debug exceptions are monitored, protecting process memory. In addition, a shadow monitoring agent is constructed to protect the memory of the monitoring agent inside the virtual machine. Finally, a KVM-based virtual-machine user-process protection system, VMPPS, is implemented, and its effectiveness is systematically tested and analysed. Experimental results show that, within an acceptable performance overhead, process memory and the process system-call execution path are effectively protected.
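The abstract names two concrete policies: the in-guest monitoring agent filters cross-process system calls aimed at a protected process, and KVM intercepts guest page-table switches (CR3 writes) and watches breakpoint (#BP) and debug (#DB) exceptions. The C model below is an added illustration of those two policies and is not the paper's VMPPS code. On real Intel VT-x hardware the hypervisor obtains these exits by enabling CR3-load exiting and setting the #DB and #BP bits in the VMCS exception bitmap; here the exits are modelled as constructed `vm_exit_t` records. Every type and function name (`protect_process`, `filter_syscall`, `handle_vm_exit`, the `SYS_*` and `ACTION_*` enums) is an assumption made for the example; the shadow kernel and shadow agent described in the abstract are not modelled.

```c
/* Added illustration of two policies from the abstract: the agent's
 * cross-process syscall filter and KVM-side handling of CR3 writes and
 * #DB/#BP exceptions. All names are assumptions; this is not VMPPS code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural exception vectors (Intel SDM): #DB = 1, #BP = 3. */
#define VEC_DB 1
#define VEC_BP 3
#define MAX_PROTECTED 8

/* A protected guest process: PID as the in-guest agent sees it, CR3 of its
 * page tables as the hypervisor sees it. */
typedef struct { uint32_t pid; uint64_t cr3; } protected_proc_t;

static protected_proc_t g_protected[MAX_PROTECTED];
static size_t g_nprotected;

void clear_protected(void) { g_nprotected = 0; }

bool protect_process(uint32_t pid, uint64_t cr3) {
    if (g_nprotected >= MAX_PROTECTED) return false;
    g_protected[g_nprotected].pid = pid;
    g_protected[g_nprotected].cr3 = cr3;
    g_nprotected++;
    return true;
}

static bool pid_is_protected(uint32_t pid) {
    for (size_t i = 0; i < g_nprotected; i++)
        if (g_protected[i].pid == pid) return true;
    return false;
}

static bool cr3_is_protected(uint64_t cr3) {
    for (size_t i = 0; i < g_nprotected; i++)
        if (g_protected[i].cr3 == cr3) return true;
    return false;
}

/* --- Guest-side monitoring agent: cross-process syscall filter --- */

/* Syscall classes that let one process touch another process's memory. */
typedef enum { SYS_OPEN_PROCESS, SYS_READ_VM, SYS_WRITE_VM, SYS_OTHER } syscall_kind_t;

typedef struct {
    uint32_t caller_pid;    /* process issuing the syscall */
    syscall_kind_t kind;
    uint32_t target_pid;    /* process the syscall operates on */
} syscall_event_t;

typedef enum { VERDICT_ALLOW, VERDICT_DENY } verdict_t;

/* Deny any cross-process memory access whose target is protected. A process
 * may always act on itself; syscalls that cannot cross process boundaries
 * are not policed. */
verdict_t filter_syscall(const syscall_event_t *ev) {
    if (ev->kind == SYS_OTHER) return VERDICT_ALLOW;
    if (ev->caller_pid == ev->target_pid) return VERDICT_ALLOW;
    return pid_is_protected(ev->target_pid) ? VERDICT_DENY : VERDICT_ALLOW;
}

/* --- Hypervisor side: VM exits on CR3 writes and on #DB/#BP exceptions --- */

typedef enum { EXIT_CR3_WRITE, EXIT_EXCEPTION } exit_reason_t;

typedef struct {
    exit_reason_t reason;
    uint64_t cur_cr3;   /* guest CR3 at the time of the exit */
    uint64_t new_cr3;   /* value being loaded (EXIT_CR3_WRITE only) */
    uint8_t  vector;    /* exception vector (EXIT_EXCEPTION only) */
} vm_exit_t;

typedef enum {
    ACTION_RESUME,            /* nothing of interest, re-enter the guest */
    ACTION_ENTER_PROTECTED,   /* guest is switching into a protected process */
    ACTION_BLOCK_EXCEPTION    /* #DB/#BP raised inside a protected process */
} exit_action_t;

exit_action_t handle_vm_exit(const vm_exit_t *ex) {
    switch (ex->reason) {
    case EXIT_CR3_WRITE:
        return cr3_is_protected(ex->new_cr3) ? ACTION_ENTER_PROTECTED : ACTION_RESUME;
    case EXIT_EXCEPTION:
        if ((ex->vector == VEC_DB || ex->vector == VEC_BP) && cr3_is_protected(ex->cur_cr3))
            return ACTION_BLOCK_EXCEPTION;
        return ACTION_RESUME;
    }
    return ACTION_RESUME;
}

int main(void) {
    /* Constructed sample: one protected process, PID 1234 with CR3 0x1000. */
    protect_process(1234, 0x1000);
    syscall_event_t inject = { 999, SYS_WRITE_VM, 1234 };
    vm_exit_t bp = { EXIT_EXCEPTION, 0x1000, 0, VEC_BP };
    printf("write into protected process: %s\n",
           filter_syscall(&inject) == VERDICT_DENY ? "denied" : "allowed");
    printf("#BP inside protected process: %s\n",
           handle_vm_exit(&bp) == ACTION_BLOCK_EXCEPTION ? "blocked" : "resumed");
    return 0;
}
```

The two halves mirror the abstract's split of responsibilities: the agent only needs guest-visible identifiers (PIDs), while KVM only needs what the hardware exposes at a VM exit (the CR3 being loaded, or the exception vector together with the current CR3), so neither side has to trust the other's view to enforce its part of the policy.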