Journal of Nanjing University (Natural Science Edition), 2019, Vol. 55, Issue 2: 221-230. doi: 10.13232/j.cnki.jnju.2019.02.007
Yin Xueyuan (1), Chen Xingshu (2, corresponding author), Tao Shusong (3), Chen Lin (3)
Abstract: To address the problem of monitoring the state of tenant virtual machines in a cloud environment, this paper proposes a virtual machine monitoring technique based on real-time online analysis of virtual machine memory. Using the high privilege level of the virtualization layer, the physical memory of a virtual machine can be obtained transparently and in real time from outside the virtual machine. By adopting the physical-memory parsing mechanisms of the memory forensics field, the important kernel data structures in the virtual machine's memory are analyzed online at the virtualization layer, yielding semantic knowledge of the virtual machine's memory; this effectively resolves the semantic gap between the virtual machine and the virtualization layer and enables fine-grained monitoring of virtual machine state. Because the monitoring code resides in the higher-privileged virtualization layer, no monitoring agent needs to be deployed in the user virtual machine, so malicious code inside the virtual machine can neither bypass nor tamper with the security monitoring code, which improves the transparency and security of the method. Experiments show that the method can provide virtual machine monitoring services to tenants in an agentless mode at low overhead.
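The mechanism the abstract describes, parsing kernel data structures out of guest memory at the hypervisor to close the semantic gap, as an added illustration that is not code from the paper: a Python toy that uses a constructed, hypothetical process-block layout and a constructed memory image. It contrasts the guest's own linked-list view of its processes with a signature scan of raw memory (the memory-forensics approach the abstract refers to) and reports blocks that are present in memory but absent from the list, which is how an unlinked process shows up to an out-of-VM monitor. The block layout, the `PROC` tag, the list-head location and the sample processes are all assumptions made for the example.

```python
import struct

# Hypothetical, constructed layout of a guest-kernel process block (not a real OS structure):
#   offset  0: 4-byte tag b"PROC"   (the kind of constant a pool-tag / signature scan keys on)
#   offset  4: uint32 pid
#   offset  8: uint32 flink         (physical offset of the next block in the circular process list)
#   offset 12: uint32 blink         (physical offset of the previous block)
#   offset 16: 16-byte NUL-padded process name
BLOCK_FMT = "<4sIII16s"
BLOCK_SIZE = struct.calcsize(BLOCK_FMT)   # 32 bytes
TAG = b"PROC"
PAGE = 4096


def build_guest_memory(procs, hidden_pids=()):
    """Construct a toy 'guest physical memory' image.

    Each (pid, name) gets one block at a page-aligned offset.  Visible blocks are
    joined into a circular doubly linked list (the view the guest kernel exposes);
    blocks whose pid is in hidden_pids stay in memory but are unlinked so that
    they point only at themselves, which is what list manipulation inside the
    guest leaves behind.  Returns (memory bytes, offset of the list head).
    """
    offsets = [PAGE * (i + 1) for i in range(len(procs))]
    mem = bytearray(PAGE * (len(procs) + 2))
    visible = [i for i, (pid, _) in enumerate(procs) if pid not in hidden_pids]
    if not visible:
        raise ValueError("at least one process must remain in the kernel's list")
    links = {}
    for k, i in enumerate(visible):
        links[i] = (offsets[visible[(k + 1) % len(visible)]],
                    offsets[visible[(k - 1) % len(visible)]])
    for i, (pid, name) in enumerate(procs):
        flink, blink = links.get(i, (offsets[i], offsets[i]))   # unlinked: self-referencing
        struct.pack_into(BLOCK_FMT, mem, offsets[i], TAG, pid, flink, blink,
                         name.encode().ljust(16, b"\0"))
    return bytes(mem), offsets[visible[0]]


def _read_block(mem, off):
    """Decode one block; returns (pid, flink, blink, name) or None if the tag is wrong."""
    if off + BLOCK_SIZE > len(mem):
        return None
    tag, pid, flink, blink, name = struct.unpack_from(BLOCK_FMT, mem, off)
    if tag != TAG:
        return None
    return pid, flink, blink, name.rstrip(b"\0").decode("ascii", "replace")


def walk_process_list(mem, head, limit=4096):
    """Guest-kernel view: follow flink from the list head, as a task listing inside the VM would."""
    seen = {}
    off = head
    for _ in range(limit):
        blk = _read_block(mem, off)
        if blk is None or off in seen:
            break
        pid, flink, _, name = blk
        seen[off] = (pid, name)
        off = flink
    return seen


def scan_for_process_blocks(mem):
    """Hypervisor view: signature scan of the raw memory, independent of any list pointers.

    Every tag hit is sanity-checked (non-zero pid, pointers inside the image,
    printable name) so that stray byte patterns are not reported as processes.
    """
    found = {}
    off = mem.find(TAG)
    while off != -1:
        blk = _read_block(mem, off)
        if blk is not None:
            pid, flink, blink, name = blk
            if pid != 0 and flink < len(mem) and blink < len(mem) and name.isalnum():
                found[off] = (pid, name)
        off = mem.find(TAG, off + 1)
    return found


def find_hidden_processes(mem, head):
    """Cross-view check: blocks the scan finds but the list walk never reaches."""
    listed = walk_process_list(mem, head)
    return {off: v for off, v in scan_for_process_blocks(mem).items() if off not in listed}


if __name__ == "__main__":
    # Constructed sample: three processes, one unlinked from the kernel's list.
    sample = [(1, "init"), (1234, "sshd"), (4321, "dropper")]
    image, head = build_guest_memory(sample, hidden_pids={4321})
    print("guest list view :", sorted(walk_process_list(image, head).values()))
    print("hypervisor scan :", sorted(scan_for_process_blocks(image).values()))
    print("hidden          :", sorted(find_hidden_processes(image, head).values()))
```

The point of the cross-view comparison is that the monitor never trusts the guest's pointers alone: the list walk gives the semantics (which block is a process, where the list starts), while the signature scan is what makes the result robust to in-guest tampering, and both run on memory read from outside the VM, so there is nothing inside the guest for malicious code to disable.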