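VMSPY: An Automated Scheme for Intercepting and Controlling Guest-System Functions of Virtual Machines
Published: 2018-06-28 08:01
Topics of this paper: virtualization + function interception; Reference: Chinese Journal of Computers (《计算机学报》), 2017, Issue 02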
[Abstract]: How to effectively ensure that the guest systems of virtual machines on cloud platforms run securely is a current hot research topic, and methods for intercepting and controlling guest-system functions are among the key techniques for monitoring guest systems. The function interception and control methods used in existing security monitoring schemes based on operating system kernel interfaces, and in virtual machine introspection schemes based on virtualization technology, can meet the needs of security monitoring, but they still have some shortcomings: function interception is easily bypassed; system call interception is done in a single, limited way and cannot intercept functions internal to guest applications; the execution flow of functions cannot be controlled; and the security mechanisms introduce considerable additional performance overhead. This paper proposes VMSPY, an automated guest-system function interception and control scheme based on virtualization technology. The authors implement the main functionality of the module in the VMM. A disassembly engine automatically analyzes guest-system code, and specially designed privileged instruction sequences are dynamically generated and inserted at suitable locations; this intercepts the system calls of the guest operating system and intercepts application-internal functions without being affected by address randomization. The code instruction sequences of intercepted functions are automatically emulated in the VMM according to policy, which provides control over the execution flow of guest system call functions and application functions. A memory page permission mechanism protects the privileged instruction sequences inserted in the guest system, preventing the guest system from affecting the monitoring module. A caching mechanism reduces the additional performance overhead as far as possible.
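[Author affiliation]: State Key Laboratory for Novel Software Technology, Nanjing University; Department of Computer Science and Technology, Nanjing University
[Funding]: Supported by a major project grant of the National High Technology Research and Development Program of China ("863" Program) (2011AA01A202) and the National Natural Science Foundation of China (61321491)
[Classification number]: TP309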
Article ID: 2077298
Article link: https://www.wllwen.com/kejilunwen/ruanjiangongchenglunwen/2077298.html