基于虚拟机的内核完整性保护技术

针对云计算中客户虚拟机内核完整性面临的威胁,该文提出了一种保护虚拟机内核完整性的技术-CTVM。该技术在KVM虚拟机环境中实现了虚拟化可信执行环境的创建,使多个客户虚拟机同时拥有可信计算功能,能对客户虚拟机提供启动完整性度量;在此基础上利用硬件辅助虚拟化技术,通过为客户虚拟机构造隔离的地址空间,使客户虚拟机中不可信模块与内核运行在逻辑隔离的地址空间。从这两个方面实现对客户虚拟机的启动和运行时的完整性保护。最后,以某国产服务器为实验平台实现了CTVM原型系统,系统测试与分析验证了技术的可用性,系统性能损耗在可接受的范围内。

A Kernel Integrity Protection Technology Based on Virtual Machine

For the kernel integrity threats of virtual machine in cloud computing environment, an integrity protecting technology of virtual machine kernel, cloud trusted virtual machine(CTVM), is proposed. In the CTVM, the virtual trusted execution environment in kernel-based virtual machine(KVM) is created, the multiple virtual machines are endowed with a trusted computing function at the same time, and the guest virtual machines are provided with integrity measurement ability. By utilizing hardware virtualization technology, the untrusted kernel modules are isolated from operating system kernel through constructing isolated address space in guest virtual machines, so as to protect the booting integrity and runtime integrity of guest virtual machines. Finally, with a domestic server as the experimental platform, CTVM prototype system is presented. System test and analysis show that the system performance loss is within the acceptable range.