基于虚拟化内存隔离的Rowhammer攻击防护机制

随着虚拟化技术的发展与云计算的流行,虚拟化环境下的安全防护问题一直受到广泛的关注。最近的Rowhammer攻击打破了人们对于硬件的信赖,同时基于Rowhammer攻击的各种攻击方式已经威胁到了虚拟化环境下的虚拟机监视器以及其他虚拟机的安全。目前业界已有的对Rowhammer攻击的防御机制或者局限于修改物理硬件,或者无法很好的部署在虚拟化环境下。本文提出一种方案,该方案实现了一套在虚拟机监视器层面的Rowhammer感知的内存分配机制,能够在虚拟机监视器层面以虚拟机的粒度进行Rowhammer攻击的隔离防护。测试表明,该方案能够在不修改硬件,以及引入较小的性能开销（小于6%的运行时开销和小于0.1%的内存开销）的前提下,成功阻止从虚拟机到虚拟机监视器以及跨虚拟机的Rowhammer攻击。     

面向云平台的多样化恶意软件检测架构

近年来,恶意软件对物理机和云平台上虚拟机均构成巨大的安全威胁。在基础设施即服务（IaaS）云平台上部署传统的杀毒软件、防火墙等恶意软件检测工具存在以下问题：1）检测工具可能被破坏或者关闭;2）单一的检测工具效果不理想;3）检测工具可能被加壳等方式绕过;4）需要给每台客户机安装额外软件,难以部署实施。为此提出一种面向云平台的多样化恶意软件检测架构。该架构利用虚拟化技术截获客户机的特定行为,抓取客户机内软件释放的代码,通过多种杀毒软件多样化的扫描确定软件的恶意性。采用的动态内存提取的方式对客户机完全透明。最后在Xen上部署该架构并进行恶意软件检测测试,该架构对加壳恶意软件的检测率为85.7%,比杀毒软件静态扫描的检测率高14.3个百分点。实验结果表明,在云平台上采用多样化恶意软件检测框架能更好地保障客户机的安全。     

一种基于虚拟机的安全监测方法

随着虚拟化广泛应用于如云计算等各种领域,渐渐成为各种恶意攻击的目标.虚拟机的运行时安全是重中之重.针对此问题,提出一种适用于虚拟化环境下的监测方法,并且在Xen中实现虚拟机的一个安全监测原型系统.通过这个系统,特权虚拟机可以对同一台物理机器上的大量客户虚拟机进行动态、可定制的监控.特别地,本系统对于潜伏在操作系统内核中的rootkit的检测十分有效.这种安全监测方法能有效提高客户虚拟机以及整个虚拟机系统的安全性.     

KVM虚拟化动态迁移技术的安全防护模型

虚拟机动态迁移技术是在用户不知情的情况下使得虚拟机在不同宿主机之间动态地转移,保证计算任务的完成,具有负载均衡、解除硬件依赖、高效利用资源等优点,但此技术应用过程中会将虚拟机信息和用户信息暴露到网络通信中,其在虚拟化环境下的安全性成为广大用户担心的问题,逐渐成为学术界讨论和研究的热点问题.本文从研究虚拟化机制、虚拟化操作系统源代码出发,以虚拟机动态迁移的安全问题作为突破点,首先分析了虚拟机动态迁移时的内存泄漏安全隐患;其次结合KVM(Kernel-based Virtual Machine)虚拟化技术原理、通信机制、迁移机制,设计并提出一种新的基于混合随机变换编码方式的安全防护模型,该模型在虚拟机动态迁移时的迁出端和迁入端增加数据监控模块和安全模块,保证虚拟机动态迁移时的数据安全;最后通过大量实验,仿真测试了该模型的安全防护能力和对虚拟机运行性能的影响,仿真结果表明,该安全防护模型可以在KVM虚拟化环境下保证虚拟机动态迁移的安全,并实现了虚拟机安全性和动态迁移性能的平衡.     

A security-aware virtual machine placement in the cloud using hesitant fuzzy decision-making processes

The introduction of cloud computing systems brought with itself a solution for the dynamic scaling of computing resources leveraging various approaches for providing computing power, networking, and storage. On the other hand, it helped decrease the human resource cost by delegating the maintenance cost of infrastructures and platforms to the cloud providers. Nevertheless, the security risks of utilizing shared resources are recognized as one of the major concerns in using cloud computing environments. To be more specific, an intruder can attack a virtual machine and consequently extend his/her attack to other virtual machines that are co-located on the same physical machine. The worst situation is when the hypervisor is compromised in which all the virtual machines assigned to the physical node will be under security risk. To address these issues, we have proposed a security-aware virtual machine placement scheme to reduce the risk of co-location for vulnerable virtual machines. Four attributes are introduced to reduce the aforementioned risk including the vulnerability level of a virtual machine, the importance level of a virtual machine in the given context, the cumulative vulnerability level of a physical machine, and the capacity of a physical machine for the allocation of new virtual machines. Nevertheless, the evaluation of security risks, due to the various vulnerabilities’ nature as well as the different properties of deployment environments is not quite accurate. To manage the precision of security evaluations, it is vital to consider hesitancy factors regarding security evaluations. To consider hesitancy in the proposed method, hesitant fuzzy sets are used. In the proposed method, the priorities of the cloud provider for the allocation of virtual machines are also considered. This will allow the model to assign more weights to attributes that have higher importance for the cloud provider. Eventually, the simulation results for the devised scenarios demonstrate that the proposed method can reduce the overall security risk of the given cloud data center. The results show that the proposed approach can reduce the risk of attacks caused by the co-location of virtual machines up to 41% compared to the existing approaches.

     

一种针对Xen超级调用的入侵防护方法

云计算技术已飞速发展并被广泛应用,虚拟化作为云计算的重要支撑,提高了平台对资源的利用效率与管理能力。作为一款开源虚拟化软件,Xen独特的设计思想与优良的虚拟化性能使其被许多云服务商采用,然而Xen虚拟机监视器同样面临着许多安全问题。Xen为虚拟机提供的特权接口可能被虚拟机恶意代码利用,攻击者可以借此攻击Xen或者运行其上的虚拟机。文章针对Xen向虚拟机提供的超级调用接口面临被恶意虚拟机内核代码利用的问题,提出了一种基于执行路径的分析方法,用以追溯发起该超级调用的虚拟机执行路径,与一个最初的路径训练集进行对比,可以避免超级调用被恶意虚拟机内核代码利用。该方法通过追溯虚拟机内核堆栈信息,结合指令分析与虚拟机内核符号表信息,实现了虚拟化平台下对虚拟机执行路径的动态追踪与重构。在Xen下进行实验,通过创建新的虚拟机并让其单独运行来获得训练集,训练集中包含所有发起该超级调用的虚拟机路径信息。在随后虚拟机运行过程中针对该超级调用动态构造出对应的虚拟机执行路径,将其与训练集对比,避免非正常执行路径的超级调用发生。     

A novel architecture to virtualise a hardware-bound trusted platform module

Security and trust are particularly relevant in modern softwarised infrastructures, such as cloud environments, as applications are deployed on platforms owned by third parties, are publicly accessible on the Internet and can share the hardware with other tenants. Traditionally, operating systems and applications have leveraged hardware tamper-proof chips, such as the Trusted Platform Modules (TPMs) to implement security workflows, such as remote attestation, and to protect sensitive data against software attacks. This approach does not easily translate to the cloud environment, wherein the isolation provided by the hypervisor makes it impractical to leverage the hardware root of trust in the virtual domains. Moreover, the scalability needs of the cloud often collide with the scarce hardware resources and inherent limitations of TPMs. For this reason, existing implementations of virtual TPMs (vTPMs) are based on TPM emulators. Although more flexible and scalable, this approach is less secure. In fact, each vTPM is vulnerable to software attacks both at the virtualised and hypervisor levels. In this work, we propose a novel design for vTPMs that provides a binding to an underlying physical TPM; the new design, akin to a virtualisation extension for TPMs, extends the latest TPM 2.0 specification. We minimise the number of required additions to the TPM data structures and commands so that they do not require a new, non-backwards compatible version of the specification. Moreover, we support migration of vTPMs among TPM-equipped hosts, as this is considered a key feature in a highly virtualised environment. Finally, we propose a flexible approach to vTPM object creation that protects vTPM secrets either in hardware or software, depending on the required level of assurance.     

A secure and rapid response architecture for virtual machine migration from an untrusted hypervisor to a trusted one

Two key issues exist during virtual machine (VM) migration in cloud computing. One is when to start migration, and the other is how to determine a reliable target, both of which totally depend on whether the source hypervisor is trusted or not in previous studies. However, once the source hypervisor is not trusted any more, migration will be facing unprecedented challenges. To address the problems, we propose a secure architecture SMIG (secure migration), which defines a new concept of Region Critical TCB and leverages an innovative adjacent integrity measurement (AIM) mechanism. AIM dynamically monitors the integrity of its adjacent hypervisor, and passes the results to the Region Critical TCB, which then determines whether to start migration and where to migrate according to a table named integrity validation table. We have implemented a prototype of SMIG based on the Xen hypervisor. Experimental evaluation result shows that SMIG could detect amalicious hypervisor and start migration to a trusted one rapidly, only incurring a moderate overhead for computing intensive and I/O intensive tasks, and small for others.     

Executing secured virtual machines within a manycore architecture

Manycore processors are a way to face the always growing demand in digital data processing. However, by putting closer distinct and possibly private data, they open up new security breaches. Splitting the architecture into several partitions managed by a hypervisor is a way to enforce isolation between the running virtual machines. Thanks to their high number of cores, these architectures can mitigate the impact of dedicating cores both to the virtual machines and the hypervisor, while allowing an efficient execution of the virtualized operating systems. We present such an architecture allowing the execution of fully virtualized multicore operating systems benefiting of hardware cache coherence. The physical isolation is made by the means of address space via the introduction of a light hardware module similar to a memory-management unit at the network-on-chip entrance, but without the drawback of relying on a page table. We designed a cycle-accurate virtual prototype of the architecture, controlled by a light blind hypervisor with minimum rights, only able to start and stop virtual machines. Experiments made on our virtual prototype shows that our solution has a low time overhead – typically 3% on average.     

虚拟机中的通信机制的安全问题研究

自从1960年前后IBM成功推出VM/370,虚拟机的发展已经有了40多年的历史,尤其是最近几年VMware和Xen等针对X86架构的虚拟机产品的问世把对虚拟机的研究推到了工业界和研究界的前沿。人们在考虑虚拟机带来资源利用率提高的同时,也在关注着虚拟机的引入对计算机网络信息安全的影响。虚拟化能实现部分隔离功能,能增加系统的安全性。本文对完全硬件仿真虚拟机、半虚拟化虚拟机以及操作系统级虚拟机中的通讯机制的安全性进行分析,详细描述了目前的研究情况、存在的问题以及一些有针对性的优化方法。     

New scoring formula to rank hypervisors’ performance complementing with statistical analysis using DOE

Hypervisors enable cloud computing model to provide scalable infrastructures and on-demand access to computing resources as they support multiple operating systems to run on one physical server concurrently. This mechanism enhances utilization of physical server thus reduces server count in the data center. Hypervisors also drive the benefits of reduced IT infrastructure setup and maintenance costs along with power savings. It is interesting to know different hypervisors’ performance for the consolidated application workloads. Three hypervisors ESXi, XenServer, and KVM are carefully chosen to represent three categories full virtualized, para-virtualized, and hybrid virtualized respectively for the experiment. We have created a private cloud using CloudStack. Hypervisors are deployed as hosts in the private cloud in the respective clusters. Each hypervisor is deployed with three virtual machines. Three applications web server, application server, and database servers are installed on three virtual machines. Experiments are designed using Design of Experiments (DOE) methodology. With concurrently running virtual machines, each hypervisor is stressed with the consolidated real-time workloads (web load, application load, and OLTP) and important system information is gathered using SIGAR framework. The paper proposes a new scoring formula for hypervisors’ performance in the private cloud for consolidated application workloads and the accuracy of the results are complemented with sound statistical analysis using DOE.     

创建软件定义网络中的进程级纵深防御体系结构

云计算因其资源的弹性和可拓展性,在为用户提供各项服务时,相对于传统方式占据了先机。在用户考虑是否转向云计算时,一个极其重要的安全风险是：攻击者可以通过共享的云资源对云用户发起针对虚拟机的高效攻击。虚拟机作为云服务的基本资源,攻击者在攻击或者租用了某虚拟机之后,通过在其中部署恶意软件,并针对云内其他虚拟机发起更大范围的攻击行为,如分布式拒绝服务型攻击。为防止此种情况的发生,提出基于软件定义网络的纵深防御系统,以及时检测可疑虚拟机并控制其发出的流量,抑制来自该虚拟机的攻击行为并减轻因攻击所受到的影响。该系统以完全无代理的非侵入方式检测虚拟机状态,且基于软件定义网络,对同主机内虚拟机间或云主机间的网络流量进行进程级的监控。实验结果表明了该系统的有效性。     

基于马尔可夫模型的云系统安全性与性能建模

针对云环境缺乏安全性评估的问题,提出一种评估系统安全性的建模方法,并建立了云环境下的安全性-性能（S-P）关联模型。首先,针对云系统中最重要的组成部分,即虚拟机,建立了评估其安全性的模型,该模型充分反映了安全机制和恶意攻击两个安全因素对虚拟机的影响;随后基于虚拟机与云系统之间的关系,提出评估云系统安全性的指标;其次,提出一种分层建模方法来建立S-P关联模型。利用队列理论对云计算系统的性能进行建模,然后基于贝叶斯理论和相关分析建立了安全性和性能之间的关联关系,并提出评估复杂S-P相关性的新指标。实验结果验证了理论模型的正确性,并揭示了安全因素引起的性能动态变化规律。     

Taming Virtualization

Although the term virtualization has been around for decades, only recently has it become a buzzword in the computer systems community with the revival of virtual machines (VMs), driven by efforts in industry and academia. VMs are software entities that emulate a real machine's functionality; they execute under the control of a hypervisor that virtualizes and multiplexes low-level hardware resources. Hypervisors come in two flavors: non-hosted, which run directly on top of the hardware, and hosted, which are integrated with a host operating system (OS). The presence of a hypervisor makes VMs subject to a level of visibility and control that's hard to achieve with real machines. The small size, isolation, and mediation power of an ideal hypervisor over VMs make it an interesting candidate for a trusted computing base, with applications in security research fields such as intrusion detection, integrity protection, and malware analysis, among others.     

A dynamic VM consolidation technique for QoS and energy consumption in cloud environment

Cloud-based data centers consume a significant amount of energy which is a costly procedure. Virtualization technology, which can be regarded as the first step in the cloud by offering benefits like the virtual machine and live migration, is trying to overcome this problem. Virtual machines host workload, and because of the variability of workload, virtual machines consolidation is an effective technique to minimize the total number of active servers and unnecessary migrations and consequently improves energy consumption. Effective virtual machine placement and migration techniques act as a key issue to optimize the consolidation process. In this paper, we present a novel virtual machine consolidation technique to achieve energy–QoS–temperature balance in the cloud data center. We simulated our proposed technique in CloudSim simulation. Results of evaluation certify that physical machine temperature, SLA, and migration technique together control the energy consumption and QoS in a cloud data center.     

面向云计算的虚拟机动态迁移框架

根据云计算平台的特点,提出一种新型虚拟机动态迁移框架,并在Xen和KVM这2种典型的开源虚拟机监控器基础上,实现原型系统。测试结果表明,在不同类型计算资源的环境下,该动态迁移框架具有良好的性能,能够对动态迁移进行实时控制,从而满足服务等级协议的要求。     

虚拟机实时迁移技术研究

分析了虚拟机的实时迁移原理,重点论述了Xen的实时迁移实现方法,并在不同负载情况下对Xen的实时迁移进行了实验和探讨。     

虚拟机系统安全综述

随着云计算的广泛应用,虚拟机技术得到了复苏和长足的发展,但同时也带来了新的安全威胁,因此对于虚拟机的安全威胁和防御的研究成为目前计算机安全界的研究热点。以目前广泛应用的虚拟机Xen为例,针对虚拟机的技术特征分析了所存在的漏洞和威胁,并从计算机安全学的角度提出了相应的防御和保护方法。较为全面地总结了目前国内外针对虚拟机安全各方面相关的研究成果,通过系统的比较分析,指出了目前存在的问题,探讨了下一步的研究方向。     

基于I/O前后端模型的密码卡软件虚拟化

密码技术是云计算安全的基础,支持SR-IOV虚拟化的高性能密码卡适用于云密码机,可以为云计算环境提供虚拟化数据加密保护服务,满足安全需求.针对该类密码卡在云密码机使用过程中存在的兼容性不好、扩充性受限、迁移性差以及性价比低等问题,本文提出了基于I/O前后端模型的密码卡软件虚拟化方法,利用共享内存或者VIRTIO作为通信方式,通过设计密码卡前后端驱动或者服务程序,完成多虚拟机与宿主机的高效通信,实现常规密码卡被多虚拟机共享.该方法可以有效地降低云密码机的硬件门槛,具有兼容性好、性能高、易扩展等特点,在信创领域具有广阔的应用前景.     

A VMM-based intrusion prevention system in cloud computing environment

With the development of information technology, cloud computing becomes a new direction of grid computing. Cloud computing is user-centric, and provides end users with leasing service. Guaranteeing the security of user data needs careful consideration before cloud computing is widely applied in business. Virtualization provides a new approach to solve the traditional security problems and can be taken as the underlying infrastructure of cloud computing. In this paper, we propose an intrusion prevention system, VMFence, in a virtualization-based cloud computing environment, which is used to monitor network flow and file integrity in real time, and provide a network defense and file integrity protection as well. Due to the dynamicity of the virtual machine, the detection process varies with the state of the virtual machine. The state transition of the virtual machine is described via Definite Finite Automata (DFA). We have implemented VMFence on an open-source virtual machine monitor platform—Xen. The experimental results show our proposed method is effective and it brings acceptable overhead.