Abstract
Isolated execution is a security mechanism that allows untrusted code to run while isolating its effects from the rest of the system. But current isolation technologies cannot achieve both strong isolation (i.e., operating-system isolation) and the functionality of the isolated applications (accomplished by reproducing the computing environment and committing the changes made within the isolated environment). In this paper, we propose a safe virtual execution environment (SVEE) based on local virtualization technology and implement a prototype of it on Windows. Via system-level virtualization, SVEE fulfills strong isolation and thus completely isolates the effects of untrusted code executing within SVEE from the underlying host operating system. The key feature of SVEE is that it reproduces the computing environment of the host operating system inside SVEE by means of local virtualization, so that an application behaves in SVEE exactly as it would when running natively on the host operating system. Moreover, SVEE provides a convenient way to compare the state of SVEE with that of the host operating system, and uses these comparison results to select a proper method for committing the changes made within SVEE to the host operating system.
Source
Computer Engineering & Science (《计算机工程与科学》)
CSCD
2008, No. 4, pp. 1-4, 10 (5 pages)
Funding
National 973 Program project (2005CB321801)
Keywords
intrusion isolation
isolated execution
virtual execution environment
security
virtual machine