Recent studies on virtual machine introspection (VMI) mostly build guest VM state from guest OS kernel data structures and kernel functions, which can be maliciously subverted. As a result, they cannot resist direct kernel structure attacks. In view of this, the capability of VMI was analyzed thoroughly. The possibilities of using knowledge of the hardware architecture and of the virtualization extensions to construct VMI technology were then explored, and the possible attacks that can be detected and foiled by this mechanism were discussed. The collection and monitoring of system calls using the proposed method were described, and the efficiency of the monitored system was analyzed.