HybridHP:一种轻型的内核完整性监控方案及其形式化验证

虽然传统的虚拟化监控方法可以在一定程度上保障操作系统安全.然而,虚拟监控器VMM中管理域Domain0的存在以及操作系统级的切换所带来的性能损失是很多具有大型应用的操作系统所不能接受的.注重硬件虚拟化技术的监控能力而摒弃其不必要的虚拟化能力,提出了一个新型的通用的虚拟化监控框架HybridHP,并实现其原型.HybridHP将管理域和虚拟机监控机制两者整合到被监控操作系统的地址空间,具有很好的获取被监控系统操作语义的能力.利用Isabelle/HOL形式化辅助证明工具验证HybridHP的隔离性、安全性和监控能力.最后对HybridHP进行了攻击实验和性能评估,结果显示HybridHP提供了和传统的虚拟化监控方案相同的安全保障,并具有很好的系统性能.     

一种恶意软件行为分析系统的设计与实现

基于虚拟化技术的恶意软件行为分析是近年来出现的分析恶意软件的方法。该方法利用虚拟化平台良好的隔离性和控制力对恶意软件运行时的行为进行分析,但存在两方面的不足：一方面,现有虚拟机监视器（Virtual Machine Monitor,VMM）的设计初衷是提高虚拟化系统的通用性和高效性,并没有充分考虑虚拟化系统的透明性,导致现有的VMM很容易被恶意软件的环境感知测试所发现。为此,提出一种基于硬件辅助虚拟化技术的恶意软件行为分析系统——THVA。THVA是一个利用了安全虚拟机（SVM）、二级页表（NPT）和虚拟机自省等多种虚拟化技术完成的、专门针对恶意软件行为分析的微型VMM。实验结果表明,THVA在行为监控和反恶意软件检测方面表现良好。     

基于独立核心安全组件的高安全体系结构

构建高安全体系结构是高安全级信息系统的一个重要前提。针对现有可信计算架构和基于VMM的虚拟化架构的核心模块存在易被篡改和被旁路的威胁,设计了一个基于独立核心安全组件的高安全体系结构HAICC。该体系结构通过硬件层有效实现了安全功能与计算功能的强隔离,将系统划分为独占不同物理资源的安全服务子系统和目标计算子系统,前者作为独立核心安全组件实施对整个计算系统的主动度量、实时监控、安全关键数据恢复。系统攻击实例及安全性分析表明,HAICC体系结构有效缓解了核心安全组件被篡改和被旁路的风险,提高了系统安全机制的完整有效性。     

基于硬件虚拟化的内核同层多域隔离模型

为了解决内核不可信带来的问题,很多工作提出了同层可信基的架构,即在内核同一硬件特权水平构建可部署安全机制的唯一保护域.但是,实际过程中往往面临多样化的安全需求,将多种对应的安全机制集中于唯一的保护域必然导致只要其中任何一个安全机制被攻陷,同一个保护域内其它所有安全机制都可能被攻击者恶意篡改或者破坏.为了解决上述问题,本文提出了内核同层多域隔离模型,即在内核同一硬件特权水平构建多个保护域实现了不同安全机制的内部隔离,缓解了传统方法将所有安全机制绑定在唯一保护域带来的安全风险.本文实现了内核同层多域隔离模型的原型系统Decentralized-KPD,其利用硬件虚拟化技术和地址重映射技术,将不同安全机制部署在与内核同一特权水平的多个保护域中,并不会引起较大的性能开销.总体而言,实验结果展示了内核同层多域隔离模型的安全性和实用性.     

基于硬件虚拟化的单向隔离执行模型

提出了一种基于硬件虚拟化技术的单向隔离执行模型.在该模型中,安全相关的应用程序可以根据自身需求分离成宿主进程(host process)和安全敏感模块(security sensitive module,简称SSM)两部分.隔离执行器(SSMVisor)作为模型的核心部件,为SSM提供了一个单向隔离的执行环境.既保证了安全性,又允许SSM以函数调用的方式与外部进行交互.安全应用程序的可信计算基(trusted computing base,简称TCB)仅由安全敏感模块和隔离执行器构成,不再包括应用程序中的安全无关模块和操作系统,有效地削减了TCB的规模.原型系统既保持了与原有操作系统环境的兼容性,又保证了实现的轻量级.实验结果表明,系统性能开销轻微,约为6.5％.     

基于本地虚拟化技术的隔离执行模型研究

程序隔离执行是一种将被隔离代码的执行效果与其它应用隔离的安全机制.但是目前的相关研究无法在PC平台下兼顾操作系统隔离与被隔离代码的可用性.针对这个问题,文中提出并实现了一种新的名为SVEE(Safe Virtual Execution Environment)的隔离执行模型.SVEE具有两个关键特性:一是借助基于本地虚拟化技术的系统级虚拟机(SVEEVM)有效实现了非可信代码与宿主操作系统的隔离;二是利用本地虚拟化技术实现了宿主机计算环境在SVEEVM内的重现,保证了被隔离程序在SVEEVM中与在宿主操作系统内的执行效果的一致性.因此,SVEE在保护了宿主操作系统安全的同时,兼顾了隔离执行代码的可用性.测试证明,对于计算密集型应用SVEE虚拟机的性能达到了本地性能的91.23%～97.88%,具有很好的可用性.     

Xen硬件虚拟化下一种客户机进程追踪技术

Xen硬件虚拟化(HVM)是运行于Xen Hypervisor上, 无需修改客户操作系统内核便可实现虚拟化的技术. 但Xen HVM在提升用户体验的同时, 也造成了VMM对客户机的干涉和理解程度的降低, 丧失了进程粒度级别的管理能力. 鉴于此, 提出了一种针对Xen HVM客户机的轻量级进程追踪技术原型Xen HPT. 借助VMM掌握的客户机ESP寄存器信息, 从客户机外部隐式捕获其实时进程信息. 实验证明, 该技术是一种追踪客户机进程的有效方法.     

墓于MIPS架构的内存虚拟化研究

内存虚拟化是系统虚拟化中如何有效抽象、利用、隔离计算机物理内存的重要方法,决定着系统虚拟化的整体性能.传统的纯软件内存虚拟化方法会产生较大的资源开销并且兼容性差,而硬件辅助的内存虚拟化方法需要重新设计处理器硬件架构.基于MIPS架构处理器提出一种软硬件协同的内存虚拟化方法,在不增加硬件支持的情况下提高内存虚拟化性能.提出的多层虚拟地址空间模型不仅可以解决MIPS架构处理器存在的虚拟化缺陷,而且可以在已有的内存虚拟化方法上提高性能.在多层虚拟地址空间模型的基础上,提出基于地址空间标识码(address space identity,ASID)、动态划分的旁路转换缓冲(translation lookaside buffer,TLB)共享方法,降低了虚拟机切换的开销.最终,在MIPS架构的龙芯3号处理器上实现了系统虚拟机VIRT-LOONGSO)N.性能测试表明,提出的方法可以提高大多数测试程序的性能,达到二进制翻译执行性能的3～5倍,并在TLB模拟方法的基础上提高了5％～16％的性能.     

VMM中Guest OS非陷入系统调用指令截获与识别

针对虚拟化环境下Guest OS某些特定指令行为不会产生陷入从而在虚拟机管理器(virtual machine monitor,VMM)中无法对其进行监控处理的问题,提出通过改变非陷入指令正常运行条件,使其执行非法产生系统异常陷入VMM的思想;据此就x86架构下Guest OS中3种非陷入系统调用指令在VMM中的截获与识别进行研究:其中基于int和sysenter指令的系统调用通过使其产生通用保护(general protection,GP)错系统异常而陷入,基于syscall指令的系统调用则通过使其产生UD(undefined)未定义指令系统异常而陷入,之后VMM依据虚拟处理器上下文现场信息对其进行识别;基于QemuKvm实现的原型系统表明:上述方法能成功截获并识别出Guest OS中所有3种系统调用行为,正常情况下其性能开销也在可接受的范围之内,如在unixbench的shell测试用例中,其性能开销比在1.900~2.608之间.与现有方法相比,它们都是以体系结构自身规范为基础,因此具有无需修改Guest OS、跨平台透明的优势.     

基于ARM虚拟化扩展的Android内核动态度量方法

针对现阶段内核级攻击对Android系统完整性的威胁,提出一种基于ARM虚拟化扩展的Android内核动态度量方法DIMDroid。该方法利用ARM架构中的硬件辅助虚拟化技术,提供度量模块与被度量Android系统的隔离,首先通过分析在Android系统运行时影响内核完整性的因素从而得到静态和动态度量对象,其次在度量层对这些度量对象进行语义重构,最后对其进行完整性分析来判断Android内核是否受到攻击;同时通过基于硬件信任链的启动保护和基于内存隔离的运行时防护来保证DIMDroid自身安全。实验结果表明,DIMDroid能够及时发现破环Android内核完整性的rootkit,且该方法的性能损失在可接受范围内。     

Design and verification of a lightweight reliable virtual machine monitor for a many-core architecture

Virtual machine monitors (VMMs) play a central role in cloud computing. Their reliability and availability are critical for cloud computing. Virtualization and device emulation make the VMM code base large and the interface between OS and VMM complex. This results in a code base that is very hard to verify the security of the VMM. For example, a misuse of a VMM hyper-call by a malicious guest OS can corrupt the whole VMM. The complexity of the VMM also makes it hard to formally verify the correctness of the system’s behavior. In this paper a new VMM, operating system virtualization (OSV), is proposed. The multiprocessor boot interface and memory configuration interface are virtualized in OSV at boot time in the Linux kernel. After booting, only inter-processor interrupt operations are intercepted by OSV, which makes the interface between OSV and OS simple. The interface is verified using formal model checking, which ensures a malicious OS cannot attack OSV through the interface. Currently, OSV is implemented based on the AMD Opteron multi-core server architecture. Evaluation results show that Linux running on OSV has a similar performance to native Linux. OSV has a performance improvement of 4%–13% over Xen.     

基于VMM的操作系统隐藏对象关联检测技术

恶意软件通过隐藏自身行为来逃避安全监控程序的检测.当前的安全监控程序通常位于操作系统内部,难以有效检测恶意软件,特别是内核级恶意软件的隐藏行为.针对现有方法中存在的不足,提出了基于虚拟机监控器(virtual machine monitor,简称VMM)的操作系统隐藏对象关联检测方法,并设计和实现了相应的检测系统vDetector.采用隐式和显式相结合的方式建立操作系统对象的多个视图,通过对比多视图间的差异性来识别隐藏对象,支持对进程、文件及网络连接这3种隐藏对象的检测,并基于操作系统语义建立隐藏对象间的关联关系以识别完整攻击路径.在KVM虚拟化平台上实现了vDetector的系统原型,并通过实验评测vDetector的有效性和性能.结果表明,vDetector能够有效检测出客户操作系统(guest OS)中的隐藏对象,且性能开销在合理范围内.     

Intel virtualization technology

A virtualized system includes a new layer of software, the virtual machine monitor. The VMM's principal role is to arbitrate accesses to the underlying physical host platform's resources so that multiple operating systems (which are guests of the VMM) can share them. The VMM presents to each guest OS a set of virtual platform interfaces that constitute a virtual machine (VM). Once confined to specialized, proprietary, high-end server and mainframe systems, virtualization is now becoming more broadly available and is supported in off-the-shelf systems based on Intel architecture (IA) hardware. This development is due in part to the steady performance improvements of IA-based systems, which mitigates traditional virtualization performance overheads. Intel virtualization technology provides hardware support for processor virtualization, enabling simplifications of virtual machine monitor software. Resulting VMMs can support a wider range of legacy and future operating systems while maintaining high performance.     

Optimizing guest swapping using elastic and transparent memory provisioning on virtualization platform

On virtualization platforms, peak memory demand caused by hotspot applications often triggers page swapping in guest OS, causing performance degradation inside and outside of this virtual machine (VM). Even though host holds sufficient memory pages, guest OS is unable to utilize free pages in host directly due to the semantic gap between virtual machine monitor (VMM) and guest operating system (OS). Our work aims at utilizing the free memory scattered in multiple hosts in a virtualization environment to improve the performance of guest swapping in a transparent and implicit way. Based on the insightful analysis of behavioral characteristics of guest swapping, we design and implement a distributed and scalable framework HybridSwap. It dynamically constructs virtual swap pools using various policies, and builds up a synthetic swapping mechanism in a peer-to-peer way, which can adaptively choose different virtual swap pools.We implement the prototype of HybridSwap and evaluate it with some benchmarks in different scenarios. The evaluation results demonstrate that our solution has the ability to promote the guest swapping efficiency indeed and shows a double performance promotion in some cases. Even in the worst case, the system overhead brought by HybridSwap is acceptable.     

Virtio network paravirtualization driver: Implementation and performance of a de-facto standard

One of the techniques used to improve I/O performance of virtual machines is paravirtualization. Paravirtualized devices are intended to reduce the performance overhead on full virtualization where all hardware devices are emulated. The interface of a paravirtualized device is not identical to that of the underlying hardware. The OS of the virtual guest machine must be ported in order to use a paravirtualized device. In this paper, the network virtualization done by the Kernel-based Virtual Machine (KVM) is described. The KVM model is different from other Virtual Machines Monitors (VMMs) because the KVM is a Linux kernel model and it depends on hardware support. In this work, the overhead of using such virtual networks is been measured. A paravirtualized model by using the virtio [38] network driver is described, and some performance results of web benchmark on the two models are presented.     

VMMB: Virtual Machine Memory Balancing for Unmodified Operating Systems

Virtualization technology has been widely adopted in Internet hosting centers and cloud-based computing services, since it reduces the total cost of ownership by sharing hardware resources among virtual machines (VMs). In a virtualized system, a virtual machine monitor (VMM) is responsible for allocating physical resources such as CPU and memory to individual VMs. Whereas CPU and I/O devices can be shared among VMs in a time sharing manner, main memory is not amendable to such multiplexing. Moreover, it is often the primary bottleneck in achieving higher degrees of consolidation. In this paper, we present VMMB (Virtual Machine Memory Balancer), a novel mechanism to dynamically monitor the memory demand and periodically re-balance the memory among the VMs. VMMB accurately measures the memory demand with low overhead and effectively allocates memory based on the memory demand and the QoS requirement of each VM. It is applicable even to guest OS whose source code is not available, since VMMB does not require modifying guest kernel. We implemented our mechanism on Linux and experimented on synthetic and realistic workloads. Our experiments show that VMMB can improve performance of VMs that suffers from insufficient memory allocation by up to 3.6 times with low performance overhead (below 1%) for monitoring memory demand.     

设备虚拟化方法研究与实现

针对虚拟机监控器在IO虚拟化方面存在的性能瓶颈,分析了现有IO虚拟化模型存在的问题,提出了一种基于IO处理机的协作型虚拟机监控器。建立了基于IO处理机的IO虚拟化模型,实现了对客户机操作系统IO访问请求的处理,并进一步给出了该方法下从设备发现到功能模拟等关键技术。实验结果表明,基于IO处理机的IO虚拟化模型能够提供更为稳定的系统环境,并能有效提高整个系统性能。     

基于Xen的I／O准虚拟化驱动研究

针对全虚拟化下客户端虚拟机无法“感知”虚拟机监视器的问题,对基于Xen的I／O准虚拟化驱动进行研究,通过实验可知,准虚拟化驱动能够消除全虚拟化方式下虚拟机监视器“黑箱”特性的限制,可以实现和虚拟机监视器的密切配合,从而提高I／O性能。在虚拟机Xen的全虚拟化环境中加入准虚拟化驱动,采用对比测试方法验证了该驱动能大幅提升网络性能。     

基于虚拟机监控器的隐私透明保护

操作系统漏洞经常被攻击者利用,从而以内核权限执行任意代码(返回用户态攻击,ret2user)以及窃取用户隐私数据.使用虚拟机监控器构建了一个对操作系统及应用程序透明的内存访问审查机制,提出了一种低性能开销并且无法被绕过的内存页面使用信息实时跟踪策略;结合安全加载器,保证了动态链接库以及应用程序的代码完整性.能够确保即使操作系统内核被攻击,应用程序的内存隐私数据依然无法被窃取.在Linux操作系统上进行了原型实现及验证,实验结果表明,该隐私保护机制对大多数应用只带来6%~10%的性能负载.