基于硬件架构和虚拟化扩展机制的虚拟机自省机制研究

针对现有虚拟机自省技术利用不可信被监控操作系统的内核数据结构在内存中的期望布局及内核函数构建被监控系统语义、无法抵抗直接内核数据结构操纵攻击的问题,对虚拟机自省机制的能力进行全面分析,并对利用虚拟机自省机制可应对的恶意攻击进行分类,提出更具健壮性的基于硬件体系架构和虚拟化扩展机制的虚拟机自省技术,通过硬件体系结构提供的虚拟机自省特性被动地观察与收集被监控系统信息,并利用虚拟硬件扩展机制主动地截获客户虚拟机内部的事件和指令,达到主动监控的目的.描述了基于硬件的虚拟机自省机制在系统调用序列收集与监控上的应用,并进行了效率测试分析.

Study of Virtual Machine Introspection Based on Hardware Architecture and Virtualization Extensions

Recent studies on virtual machine introspection mostly build guest VM state by the use of guest OS kernel data structures and kernel functions, which can be maliciously subverted. They are unable to resist direct kernel structure attacks. In view of the above situation, the capability of VMI was analyzed thoroughly, and then the possibilities of using hardware architectural knowledge and virtualization extension knowledge to construct VMI technology were explored and the possible attacks that can be detected and foiled by this mechanism were discussed. Collection and monitoring of system calls using the proposed method were described and the efficient of the monitored system was analyzed.