Research on Key Technologies for Virtual Machine Security Assurance and Its Performance Optimization
Published: 2018-03-02 09:36
Keywords: virtual machine monitoring; antivirus; DMA memory security; network function virtualization; TCP/IP protocol stack offload. Source: University of Chinese Academy of Sciences (Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences), 2017 doctoral dissertation. Thesis type: degree thesis
[Abstract]: Virtual machine security is the foundation of current and future information security and one of the core elements of cloud computing security; its importance is self-evident. However, on the one hand, traditional host security problems persist in the virtual machine environment and new security problems are introduced, which makes the security situation more complex; on the other hand, the architectural characteristics of virtual machines also offer new approaches to solving security problems. Starting from the security problems encountered in practical cloud computing applications, this study investigates security assurance and performance optimization techniques in three areas: code security monitoring in virtual machines, DMA memory data security, and network security. The main contributions of this thesis are:

1) An agentless runtime code security monitoring technique for virtual machines based on the "first execution" event. Based on the characteristic hardware event sequence produced while an executable in the guest virtual machine runs, a "first execution" event is defined for the virtual machine, so that guest executable code can be discovered and intercepted by the VMM after it has been loaded into memory but before it is executed by the CPU. This allows transparent security checks on the code and timely blocking of malicious code, and solves the semantic gap problem of out-of-VM monitoring architectures. Building on this idea, an agentless runtime antivirus technique for virtual machines is further proposed, which addresses the security weaknesses of traditional antivirus tools and avoids problems such as antivirus storms and the virtual machine snapshot rollback vulnerability. Functional verification and performance test results show that Virt AV not only identifies and blocks virus programs accurately and in time, but also provides good performance, delivering a satisfactory experience for commonly used desktop applications.

2) A DMA memory security assurance technique for virtual machines based on IOMMU paravirtualization, together with its performance optimization. The DMA security vulnerability of purely software-emulated devices is identified, and the architectural design causes of DMA security problems are analyzed. An IOMMU paravirtualization system is implemented that provides I/O address space isolation and DMA access control uniformly for both emulated devices and hardware passthrough devices, solving the DMA memory data security problem of virtual machines. Performance optimizations, including a reverse translation buffer, a preallocated page pool, and a cache of recently referenced page table pointers, reduce the overhead of IOMMU paravirtualization. Network performance tests show that the optimized PVIOMMU reaches or even exceeds the network performance of a virtualized environment without an IOMMU, with no obvious difference in the corresponding CPU resource consumption.

3) A VM-centric virtual network security assurance technique for NFV environments, together with its performance optimization. A lightweight VM-centric network security service function chain architecture is proposed that effectively defends against attacks launched from inside the network. Using TCP/IP protocol stack offload, the protocol stacks of the user virtual machines and the security virtual machines are offloaded to a dedicated virtual machine, which eliminates repeated packet decapsulation and encapsulation, improves the efficiency of network security processing, reduces packet forwarding latency, and frees CPU resources on the host. TCP communication latency tests show that with only one security virtual machine in the function chain, TOSEC reduces network forwarding latency to 68%-48% of that of an ordinary NFV function chain, and with two security virtual machines in the chain, forwarding latency is further reduced to 33%~22%.
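The DMA gap described in contribution 2), modelled as an added example that is not the thesis's own code: a software-emulated device that writes guest memory directly, beside the same device placed behind a per-device I/O address space with access control and a reverse-translation cache. `IommuDomain`, `emulated_dma_write`, `isolated_dma_write` and the page layout in `demo()` are assumptions made here for illustration.

```python
# Conceptual model of per-device DMA access control behind the paravirtual IOMMU (added
# example, not thesis code). Assumes 4 KiB pages, a bytearray as guest memory, dicts as tables.
PAGE = 4096

class IommuDomain:
    def __init__(self):
        self.iotlb = {}    # iova page -> (guest-physical page, perms 'r', 'w' or 'rw')
        self.reverse = {}  # guest-physical page -> iova page (reverse-translation cache)

    def map_page(self, iova, gpa, perms):  # guest driver grants the device one page
        self.iotlb[iova // PAGE] = (gpa // PAGE, perms)
        self.reverse[gpa // PAGE] = iova // PAGE

    def unmap_page(self, iova):  # drop both directions so the cache never goes stale
        gpa_page, _ = self.iotlb.pop(iova // PAGE)
        self.reverse.pop(gpa_page, None)

    def translate(self, iova, access):
        """Guest-physical address for a device access, or PermissionError if denied."""
        entry = self.iotlb.get(iova // PAGE)
        if entry is None or access not in entry[1]:
            raise PermissionError(f"DMA {access} to IOVA {iova:#x} denied")
        return entry[0] * PAGE + iova % PAGE

    def iova_for(self, gpa):
        """Reverse lookup: the IOVA the device uses for this guest page, or None."""
        page = self.reverse.get(gpa // PAGE)
        return None if page is None else page * PAGE + gpa % PAGE

def emulated_dma_write(guest_mem, gpa, data):
    """Pure-software device as built today: writes any guest address, no isolation."""
    guest_mem[gpa:gpa + len(data)] = data

def isolated_dma_write(guest_mem, domain, iova, data):
    """Same device behind the paravirtual IOMMU: translated and checked first."""
    gpa = domain.translate(iova, "w")
    guest_mem[gpa:gpa + len(data)] = data

def demo():
    # Constructed scenario: device holds one RX buffer page, then targets a kernel page.
    mem, kernel, rx = bytearray(8 * PAGE), 1 * PAGE, 5 * PAGE
    dom = IommuDomain()
    dom.map_page(0x10000, rx, "w")
    emulated_dma_write(mem, kernel, b"XXXX")            # lands: the gap the thesis notes
    isolated_dma_write(mem, dom, 0x10000, b"pkt")       # allowed: mapped and writable
    try:
        isolated_dma_write(mem, dom, 0x20000, b"XXXX")  # unmapped IOVA: blocked
        blocked = False
    except PermissionError:
        blocked = True
    return bytes(mem[kernel:kernel + 4]), bytes(mem[rx:rx + 3]), blocked
```

`demo()` returns the bytes the emulated path wrote into the kernel page, the bytes the isolated path wrote into the granted buffer, and whether the out-of-bounds write was blocked.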
[Degree-granting institution]: University of Chinese Academy of Sciences (Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences)
[Degree level]: Doctorate
[Year conferred]: 2017
[Classification number]: TP302; TP309
Article ID: 1555972
Link: https://www.wllwen.com/kejilunwen/jisuanjikexuelunwen/1555972.html