
KVM-Based Windows Virtual Machine User Process Protection
Cite this article: CHEN Xingshu, ZHAO Cheng, TAO Shusong. KVM-Based Windows Virtual Machine User Process Protection [J]. Journal of University of Electronic Science and Technology of China (Natural Science Edition), 2016, 45(6): 950-957.
Authors: CHEN Xingshu (陈兴蜀), ZHAO Cheng (赵成), TAO Shusong (陶术松)
Affiliation: College of Computer, Sichuan University, Chengdu 610065
Funding: National Natural Science Foundation of China, grant 61272447
Abstract: To protect process memory and system call execution paths in Windows virtual machines from malicious code, a KVM-based virtual machine user process protection scheme is proposed. Using hardware virtualization, a shadow kernel is built for the Windows virtual machine to bypass the hooks that malicious code places on the original kernel's system call paths, which protects the system call paths of the process. Meanwhile, process memory is protected by filtering cross-process system calls in the monitoring agent, intercepting the virtual machine's page table switches in KVM, and monitoring the virtual machine's breakpoint exceptions and debug exceptions. In addition, a shadow monitoring agent is built to protect the memory of the virtual machine's monitoring agent. Finally, a KVM-based virtual machine user process protection system, VMPPS, is implemented, and its effectiveness is tested and analyzed. The experimental results show that process memory and system call execution paths are effectively protected within an acceptable range of performance loss.

Keywords: monitoring agent; security protection; user process; virtualization; virtual machine
Received: 2016-01-18