Abstract
Isolated execution is a security mechanism that separates the effects of executing isolated code from other applications. However, existing research cannot simultaneously achieve operating system isolation and usability of the isolated code on the PC platform. To address this problem, this paper proposes and implements a new isolated execution model named SVEE (Safe Virtual Execution Environment). SVEE has two key features: first, it effectively isolates untrusted code from the host operating system by means of a system-level virtual machine (SVEEVM) built on local virtualization technology; second, it uses local virtualization technology to reproduce the host computing environment inside the SVEEVM, guaranteeing that an isolated program behaves the same in the SVEEVM as it would on the host operating system. SVEE therefore protects the security of the host operating system while preserving the usability of the isolated code. Tests show that for compute-intensive applications the SVEE virtual machine reaches 91.23%~97.88% of native performance, giving good usability.
Isolation is a mechanism that has been applied to allow isolated code to run while shielding the rest of the system from its effects. However, on the PC platform, existing isolated execution approaches cannot achieve both OS isolation and the functionality benefits of the isolated untrusted applications. To address this problem, this paper proposes a novel isolated execution model called Secure Virtual Execution Environment (SVEE). SVEE has two key features. First, it achieves OS isolation by implementing a hosted virtual machine as the container for untrusted programs. Second, it can reuse the applications preinstalled on the host OS and faithfully reproduce the behavior of the isolated applications, as if they were running natively on the underlying host OS. As a result, SVEE guarantees security against potentially malicious code without negating the functionality benefits provided by benign programs. Functional evaluation illustrates the effectiveness of the approach, while the performance evaluation shows that compute-intensive benchmarks run essentially at native speed on the SVEE virtual machine, reaching 91.23%-97.88% of native performance.
Source
《计算机学报》
EI
CSCD
Peking University Core Journal
2008, Issue 10, pp. 1768-1779 (12 pages)
Chinese Journal of Computers
Funding
Supported by the National Key Basic Research and Development Program of China ("973" Program), grant 2005CB321801
Keywords
intrusion isolation
isolated execution
virtual execution environment
security
virtual machine