Research on a Virtual Machine Isolation Mechanism Based on Privilege Separation and Time Locks
Published: 2018-01-04 17:06
Keywords of this paper: Research on a Virtual Machine Isolation Mechanism Based on Privilege Separation and Time Locks. Source: PLA Information Engineering University, 2013 master's thesis. Paper type: degree thesis
Related topics: virtual machine security; virtual machine isolation; noninterference theory; isolation model; least privilege; privilege separation; temporal isolation
【Abstract】: Virtualization technology is receiving growing attention in the IT industry: it breaks the tight dependency between software and hardware, raises resource utilization and lowers maintenance cost. At the same time, virtual machine security problems are becoming increasingly prominent and have become one of the major challenges to the development of virtualization.
In a typical virtual machine architecture, a Virtual Machine Monitor (VMM) is introduced to virtualize several isolated sets of physical resources, which are provided to the Virtual Machines (VMs) built on top of it. To simplify the design, the system usually also contains a management VM that manages the other VMs and provides device driver support, such as Dom0 in Xen and the host Linux in KVM; this VM holds privileges above those of the user VMs. The security of a user VM therefore depends on the security of both the VMM and the management VM. The shortcomings of this structure are:
(1) the privileges of the management VM are too concentrated;
(2) VMs sharing the same hardware platform may gain unauthorized access to each other;
(3) the trusted computing base (TCB) on which user VM security depends is too large, which makes securing it difficult.
Therefore, an effective technical route to improving VM security is to shrink the system's TCB, reduce and distribute the privileges of the management VM, and keep each VM independent and secure. Compared with writing an operating system without vulnerabilities, strengthening the isolation between domains in an existing VM system, so that a compromise cannot spread, is a simpler and more effective way to improve system security.
This thesis proposes a time-lock isolation model based on noninterference theory, then presents a VM spatial isolation mechanism based on privilege separation and a VM temporal isolation mechanism based on time locks. Together they reduce the TCB of user VMs, distribute the privileges of the management VM, strengthen access isolation between VMs and improve system security. The main work comprises the following:
(1) A time-lock isolation model based on noninterference theory is proposed.
Using the definition of trusted computing and noninterference theory, a time-lock mechanism is proposed: a process in an untrusted domain is allowed to access a trusted domain; while that access is in progress, the untrusted-domain processes that would interfere with it are locked, and the lock is released when the access ends. A security proof of the access policy is given according to noninterference theory.
(2) A VM spatial isolation mechanism based on privilege separation is proposed.
The traditional Dom0 is split by privilege: the device drivers, which are prone to security vulnerabilities, are moved into a separate driver domain, and the privileges that affect user privacy are separated into a DomU management domain. After separation, Dom0 becomes a Thin Dom0 responsible only for creating and managing user domains. The privilege separation mechanism redistributes the system's privileges; the amount of trusted-domain code is greatly reduced after separation, security is improved, and the foundation for the temporal isolation model is laid.
(3) A VM temporal isolation mechanism based on time locks is proposed.
After privilege separation, accesses from untrusted domains to trusted domains still exist in the system; the time-lock mechanism is used to isolate such accesses in time. Accesses between Thin Dom0 and DomU, and between the other virtual domains, are analyzed, and the corresponding temporal isolation designs are given.
(4) The implementation of privilege separation and time locks is studied on the Xen platform.
Based on the open-source Xen project, the spatial isolation mechanism is implemented by applying privilege separation to each domain of the system, and the temporal isolation mechanism is implemented by applying the time-lock mechanism to the accesses between the separated virtual domains.
Finally, security verification and performance testing of the system are carried out. The results show that the proposed security mechanisms effectively improve the security of the system, and the performance overhead is within an acceptable range.
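The following is an added illustrative model of the two mechanisms summarized above, written for this page and not taken from the thesis or from Xen. It assumes a post-separation layout of hypothetical domains (ThinDom0, DriverDom, DomUMgr, DomU1, DomU2) with made-up privilege names, and it simplifies the thesis's rule of locking the interfering processes into locking every other untrusted domain for the duration of an untrusted-to-trusted access. The noninterference check tests the property the abstract states: during a locked access, only the caller's actions reach the trusted target. Running the same scenario with the lock disabled shows the interleaving that the time lock prevents.

```python
# Illustrative model of time-lock temporal isolation and the Dom0 privilege
# split. Added example, not the thesis's code: domain names, privilege names
# and the "lock every other untrusted domain" policy are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Event = Tuple[str, str, str]  # (actor domain, target domain, operation)


@dataclass
class Domain:
    name: str
    trusted: bool                    # trusted (part of the TCB) or untrusted user VM
    privileges: Set[str] = field(default_factory=set)


def separated_layout() -> List[Domain]:
    """Assumed layout after separation: Dom0 split into Thin Dom0, a driver
    domain and a DomU management domain; DomU1/DomU2 are untrusted user VMs."""
    return [
        Domain("ThinDom0", True, {"create_domu", "destroy_domu"}),
        Domain("DriverDom", True, {"device_driver"}),
        Domain("DomUMgr", True, {"domu_memory_access"}),
        Domain("DomU1", False),
        Domain("DomU2", False),
    ]


def privilege_holders(domains: List[Domain], privilege: str) -> Set[str]:
    """Domains holding a privilege; after separation each has exactly one holder."""
    return {d.name for d in domains if privilege in d.privileges}


class TimeLockMonitor:
    """Mediates untrusted -> trusted accesses. With the lock enabled, every other
    untrusted domain is locked while an access is in progress: its actions are
    deferred and replayed after release, so they cannot interleave with it."""

    def __init__(self, domains: List[Domain], lock_enabled: bool = True) -> None:
        self.domains = {d.name: d for d in domains}
        self.lock_enabled = lock_enabled
        self.locked: Set[str] = set()
        self.active: Optional[Tuple[str, str]] = None
        self.deferred: List[Event] = []
        self.trace: List[Event] = []                        # what the trusted side sees
        self.windows: List[Tuple[int, int, str, str]] = []  # (start, end, caller, target)
        self._start = 0

    def begin_access(self, caller: str, target: str) -> None:
        if self.domains[caller].trusted or not self.domains[target].trusted:
            raise ValueError("the time lock guards untrusted -> trusted accesses only")
        if self.active is not None:
            raise RuntimeError("another locked access is already in progress")
        self.active = (caller, target)
        self._start = len(self.trace)
        if self.lock_enabled:
            self.locked = {n for n, d in self.domains.items()
                           if not d.trusted and n != caller}

    def act(self, actor: str, target: str, op: str) -> bool:
        """Apply an action now (True) or defer it because the actor is locked (False)."""
        if actor in self.locked:
            self.deferred.append((actor, target, op))
            return False
        self.trace.append((actor, target, op))
        return True

    def end_access(self) -> None:
        caller, target = self.active
        self.windows.append((self._start, len(self.trace), caller, target))
        self.active, self.locked = None, set()
        pending, self.deferred = self.deferred, []
        for ev in pending:          # unlock: deferred actions run after the access
            self.act(*ev)


def noninterference_holds(m: TimeLockMonitor) -> bool:
    """For each locked window, every action that reached the trusted target
    during the window came from the caller alone."""
    return all(actor == caller
               for start, end, caller, target in m.windows
               for actor, tgt, _ in m.trace[start:end] if tgt == target)


def run_scenario(lock_enabled: bool) -> TimeLockMonitor:
    """Constructed scenario: DomU1 performs an I/O access through the driver
    domain while DomU2 tries to act on the same trusted domain mid-access."""
    m = TimeLockMonitor(separated_layout(), lock_enabled)
    m.begin_access("DomU1", "DriverDom")
    m.act("DomU1", "DriverDom", "net_tx")
    m.act("DomU2", "DriverDom", "net_tx")    # deferred while the lock is held
    m.act("DomU1", "DriverDom", "net_tx_done")
    m.end_access()
    return m


if __name__ == "__main__":
    for enabled in (True, False):
        print("lock", "on " if enabled else "off",
              "noninterference:", noninterference_holds(run_scenario(enabled)))
```

With the lock enabled, DomU2's action is deferred and appears in the trace only after DomU1's access window closes, so the check passes; with the lock disabled, the same action lands inside the window and the check fails. `privilege_holders` shows the spatial side of the design: after the split, a privilege such as `device_driver` is held by a single domain rather than by an all-powerful Dom0.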
【Degree-granting institution】: PLA Information Engineering University
【Degree level】: Master's
【Year degree granted】: 2013
【Classification number】: TP302
Article ID: 1379289
Link: https://www.wllwen.com/kejilunwen/jisuanjikexuelunwen/1379289.html