如何有效保证云平台虚拟机客户机系统安全运行是目前的热点研究问题.客户机系统函数的截获和控制方法是实现监控客户机系统的关键技术之一.已有基于操作系统内核接口的安全监控方案和基于虚拟化技术的虚拟机自省方案中所采用的函数截获和控制方法虽能满足安全监控的需求,但仍存在一些缺陷:函数截获动作容易被旁路;系统调用截获方式单一且局限,无法截获客户机应用程序内部函数;无法控制函数的执行流程;安全机制引入较大额外性能开销等.该文提出了一种基于虚拟化技术的自动化客户机系统函数截获和控制方案VMSPY.作者在VMM中实现模块的主要功能,通过反汇编引擎对客户机系统代码自动分析,动态生成并在合适位置插入经过设计的特权指令序列,实现对客户机操作系统的系统调用截获,在不受地址随机化技术的影响下对应用程序内部函数截获;在VMM中按策略自动模拟执行被截获函数的代码指令序列,实现对客户机系统调用函数和应用程序函数的执行流程控制;通过内存页权限机制保护在客户机系统中插入的特权指令序列,防止客户机系统对监控模块的影响;通过一种缓存机制,尽可能地减少额外性能开销.%How to effectively ensure the operation security of the guest virtual machine on a cloud computing platform is a hot topic at present.The system function hook and control method is one of the key technologies that are used to monitor the client system.Although the function hook and control method adopted in the security monitoring program based on the kernel interface of the operation system and the introspection program of the virtual machine based on the virtualization technology can meet the requirements of the security monitoring,the system still has some defects:the function hook can be easily bypassed;the system call hook method is single and limited;the internal function of the client application can't be hooked;the executing process of the function cannot be controlled;the security mechanism may result in extra large performance overhead.In this paper,an automatic function hook and control program of the guest virtual machine system based on virtualization technology (VMSPY) is proposed.The main functions of the modules are realized in the VMM,the codes of the guest system are analyzed automatically and generated dynamically via the disassembly engine.Besides,the privileged instruction sequence designed is inserted in a proper position to realize the system call hook.The internal function of the application is intercepted under the condition that it is not affected by the address space layout randomization (ASLR) technology.The code instruction sequence of the hooked function is simulated and executed automatically in the VMM according to the strategy to realize the control of the executing process of the system call and the application function.The privileged instruction sequence inserted in the guest system is protected through the memory page authorization mechanism to prevent the impact of the guest system.A cache mechanism is used to reduce the extra performance overhead as much as possible.
展开▼
