
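Virtual machine file integrity monitoring based on hardware virtualization
Cite this article: ZHAO Cheng, CHEN Xingshu, JIN Xin. Virtual machine file integrity monitoring based on hardware virtualization[J]. Journal of Computer Applications, 2017, 37(2): 388-391.
Authors: ZHAO Cheng, CHEN Xingshu, JIN Xin
Affiliation: College of Computer Science, Sichuan University, Chengdu 610065
Funding: Supported by the National Natural Science Foundation of China (61272447).
Abstract: To protect the integrity of sensitive files in virtual machines, and to address the high performance overhead, low compatibility and poor flexibility of instruction-monitoring-based approaches to out-of-box monitoring, an out-of-box file integrity monitoring (OFM) system based on hardware virtualization is proposed. The system uses the Kernel-based Virtual Machine (KVM) as the virtual machine monitor and allows monitoring policies for sensitive file access to be configured dynamically and in real time. OFM can modify entries of the virtual machine's system call table to transparently intercept system calls related to file operations, judge the legitimacy of a virtual machine process's file operations according to the monitoring policy, and handle illegal processes. The performance testing software Unixbench was used for simulation in the virtual machine; OFM outperformed the instruction-based monitoring approach in file monitoring and did not affect other types of system calls in the virtual machine. The experimental results show that OFM can effectively monitor the integrity of virtual machine files, with better compatibility, better flexibility and lower performance overhead.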

Keywords: sensitive file; integrity; system call; hardware virtualization; Kernel-based Virtual Machine (KVM)
Received: 2016-08-15
Revised: 2016-09-02

Virtual machine file integrity monitoring based on hardware virtualization
ZHAO Cheng, CHEN Xingshu, JIN Xin. Virtual machine file integrity monitoring based on hardware virtualization[J]. Journal of Computer Applications, 2017, 37(2): 388-391.
Authors: ZHAO Cheng, CHEN Xingshu, JIN Xin
Affiliation: College of Computer Science, Sichuan University, Chengdu Sichuan 610065, China
Abstract: To protect the integrity of sensitive files in a Virtual Machine (VM) and to overcome the high performance overhead, low compatibility and poor flexibility of out-of-box monitoring based on instruction monitoring, OFM (Out-of-box File Monitoring), a system based on hardware virtualization, was proposed. In OFM, the Kernel-based Virtual Machine (KVM) was used as the virtual machine monitor, and the access control strategy for sensitive files could be configured dynamically in real time. In addition, OFM could modify the VM's system call table entries related to file operations in order to determine the legitimacy of the file operations of VM processes and to deal with illegal processes. Unixbench was deployed in a virtual machine to test the performance of OFM. The experimental results demonstrate that OFM outperforms instruction monitoring methods in file monitoring and has no effect on other types of system calls in the virtual machine. Meanwhile, OFM can effectively monitor the integrity of virtual machine files and provides better compatibility, better flexibility and lower performance overhead.
Keywords: sensitive file; integrity; system call; hardware virtualization; Kernel-based Virtual Machine (KVM)