2018

Shadow Memory-Based Agentless Virtual Machine Process Protection (基于影子内存的无代理虚拟机进程防护)

DOI: 10.3969/j.issn.1001-0548.2018.01.012

Keywords: agentless, process, system call, virtual machine, VMM


Abstract:

To improve the security of processes inside a virtual machine and prevent the system service descriptor table (SSDT) and the system-call execution path from being maliciously hooked, this paper proposes a shadow-memory-based agentless process protection scheme for virtual machines. First, the VMM uses its higher privilege level to transparently construct a block of shadow memory in the virtual machine's non-paged memory region; by transparently injecting an SSDT and jump (trampoline) functions into the shadow memory, a brand-new SSDT and system-call execution path are built, guaranteeing the integrity of both the SSDT and the system-call execution flow. Then, by proactively hooking the SSDT in shadow memory and relying on the automatic trapping mechanism of hardware virtualization, sensitive process behaviour is detected and illegal operations targeting protected processes are filtered out in the VMM, achieving agentless process protection. Experimental results show that the scheme can effectively protect designated processes in the virtual machine and filter most rootkit attacks, with an impact on virtual machine performance below 3%.

