Journal of Nanjing University (Natural Science), 2019, Vol. 55, Issue 2: 221–230. doi: 10.13232/j.cnki.jnju.2019.02.007


An agentless monitoring method for virtual machine processes

Yin Xueyuan1, Chen Xingshu2*, Tao Shusong3, Chen Lin3

  1. College of Computer Science, Sichuan University, Chengdu, 610065; 2. Cybersecurity Research Institute, Sichuan University, Chengdu, 610065; 3. Chengdu HIFIVE Technology Co., Ltd., Chengdu, 610065
  • Accepted: 2018-09-01  Online: 2019-04-01  Published: 2019-03-31
  • Corresponding author: Chen Xingshu  E-mail: chenxsh@scu.edu.cn
  • Funding:
    National Key Technology Research and Development Program (2012BAH18B05), National Natural Science Foundation of China (61272447)


Abstract: To address the problem of monitoring the state of tenant virtual machines in cloud environments, a virtual machine monitoring technique based on real-time online analysis of virtual machine memory is proposed. Using the high privilege level of the virtualization layer, the physical memory of a virtual machine can be obtained transparently and in real time from outside the virtual machine. The physical-memory parsing mechanisms of memory forensics are introduced so that important kernel data structures in the virtual machine's memory are analyzed online at the virtualization layer, yielding semantic knowledge of the virtual machine's memory; this effectively bridges the semantic gap between the virtual machine and the virtualization layer and enables fine-grained monitoring of virtual machine state. Because the monitoring code runs at the higher-privileged virtualization layer, no monitoring agent needs to be deployed in the user's virtual machine, so malicious code inside the virtual machine cannot bypass or tamper with the security monitoring code, which improves the transparency and security of the method. Experiments show that the method can provide tenants with an agentless virtual machine monitoring service at low overhead.

Key words: virtual machine monitoring, memory analysis, semantic analysis, agentless

Abstract (English, as published): To solve the problem of user virtual machine monitoring in cloud environments, a virtual machine security monitoring method based on real-time online analysis of virtual machine memory was proposed. With the high privilege of the virtualization layer, virtual machine memory can be obtained online and transparently from outside the virtual machine. By using the memory analysis mechanism derived from the field of memory forensics, the semantic knowledge of virtual machine memory can be revealed by analyzing important kernel structures in the virtual machine's memory online in the virtualization layer, which effectively solves the semantic gap between the virtual machine and the virtualization layer and leads to fine-grained information monitoring of virtual machines. Because the monitoring code is in the virtualization layer, outside the monitored virtual machine and isolated from the virtual machine's internal code by the virtualization mechanism, there is no need to deploy monitoring agents in the users' virtual machines. Therefore, malicious code inside the virtual machine cannot bypass or destroy the security monitoring code in the virtualization layer, and the transparency and security of the method are improved. The experimental results show that the method can provide an agentless cloud security monitoring service for virtual machines at low performance cost.

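As an added illustration of the kernel-structure parsing the abstract describes (example code, not the paper's implementation), the following walks a process list out of a raw guest-memory buffer the way an out-of-guest monitor would, with no agent inside the guest. The record layout, addresses, process names and memory image are all constructed for the example; a real introspection tool would take these from the guest kernel's actual structure definitions and a snapshot obtained from the hypervisor.

```python
import struct

# Toy process-record layout, an assumption for this example (not the paper's
# or any real kernel's layout):  u32 pid | u32 flink | u32 blink | char name[20]
REC_FMT = "<III20s"
REC_SIZE = struct.calcsize(REC_FMT)          # 32 bytes per record


def build_guest_image(procs, head, size=0x2000):
    """Constructed guest-physical memory holding a circular doubly-linked
    process list whose first record sits at `head` (sample data only)."""
    mem = bytearray(size)
    addrs = [head + i * REC_SIZE for i in range(len(procs))]
    for i, (pid, name) in enumerate(procs):
        flink, blink = addrs[(i + 1) % len(addrs)], addrs[i - 1]
        name_bytes = name.encode("ascii").ljust(20, b"\0")
        mem[addrs[i]:addrs[i] + REC_SIZE] = struct.pack(REC_FMT, pid, flink, blink, name_bytes)
    return bytes(mem)


def walk_process_list(mem, head, max_procs=4096):
    """Reconstruct the guest's process list from raw memory, as the
    virtualization layer would with no agent inside the guest.
    Returns (processes, anomalies). The walk stops on out-of-range pointers
    and on cycles, and records every link whose back pointer does not agree
    with the forward pointer, so a damaged list cannot hang the monitor or
    pass silently."""
    procs, anomalies, seen = [], [], set()
    addr = head
    while addr not in seen and len(procs) < max_procs:
        if addr + REC_SIZE > len(mem):
            anomalies.append(f"flink 0x{addr:x} points outside guest memory")
            break
        seen.add(addr)
        pid, flink, _blink, raw = struct.unpack_from(REC_FMT, mem, addr)
        procs.append((pid, raw.split(b"\0", 1)[0].decode("ascii", "replace")))
        if flink + REC_SIZE <= len(mem):
            next_blink = struct.unpack_from(REC_FMT, mem, flink)[2]
            if next_blink != addr:
                anomalies.append(f"record 0x{flink:x}: blink 0x{next_blink:x} != 0x{addr:x}")
        addr = flink
    return procs, anomalies


if __name__ == "__main__":
    image = build_guest_image([(4, "System"), (512, "lsass.exe"), (1337, "svchost.exe")], head=0x400)
    print(walk_process_list(image, 0x400))
```

The forward/back pointer cross-check is the minimal consistency test a monitor should apply before trusting in-guest data; it flags a dangling or half-unlinked record but does not by itself recover a record that was unlinked cleanly from both directions.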

CLC number: TP309