Detecting and Managing Hidden Process via Hypervisor (利用虚拟机监视器检测及管理隐藏进程)

Journal article. Cited by: 26
Abstract (translated from the Chinese): Malicious processes are a major threat to computer system security, and when they cooperate with a kernel-level rootkit they become highly stealthy and hard to perceive. Traditional hidden-process detection tools reside inside the monitored system itself and are therefore easy targets for malicious tampering. To improve the accuracy of the detection information and the tamper resistance of the detection system, a hidden-process detection system based on a virtual machine monitor is designed and implemented. The system resides outside the monitored virtual machine, uses virtual machine introspection to obtain the low-level state of the monitored host, reconstructs its process queues with semantic view reconstruction, and compares the differences between those process queues in a cross-view manner, thereby identifying hidden processes. The system also provides a corresponding response mechanism that reports detailed information about a hidden process (including its actual memory usage, network ports, etc.) and offers functions for terminating and suspending hidden processes. Experiments on rootkits capable of hiding processes demonstrate the effectiveness and feasibility of the system.

Abstract (original English): Malicious processes are a significant threat to computer system security: they are not only able to compromise the integrity of the system, but are also getting increasingly stealthy and elusive when facilitated with stealthy rootkit techniques. Conventional detection tools are deployed and executed inside the very host they are protecting, which makes them vulnerable to deception and subversion. In order to improve the accuracy of detection and the ability of tamper resistance, a VMM-based hidden process detection system located outside the protected virtual machine is designed and implemented. Using a virtual machine introspection mechanism, the system implicitly inspects the low-level state of the protected virtual machine, and then reconstructs the high-level OS abstractions (process queues) needed for analysis by means of a semantic view reconstruction technique. Based on the cross-view validation principle, the system compares the various process queues between the internal and external views, and finally identifies the target hidden process through their discrepancies. In the meantime, the system provides a response mechanism for reporting more specific information (such as network ports, real memory occupation, etc.) about the hidden process to the administrator, and supplies interfaces for hidden process termination and suspension. Experiments on some real-world rootkits that can hide processes are designed to validate the effectiveness and feasibility of the detection system.
Source: Journal of Computer Research and Development (计算机研究与发展), indexed in EI and CSCD, Peking University core journal, 2011, No. 8, pp. 1534-1541 (8 pages)
Funding: National Natural Science Foundation of China (60970114); National High Technology Research and Development Program of China (863 Program) (2009AA01Z442)
Keywords: hidden process detection; virtual machine introspection; semantic view reconstruction; cross-view; process termination and suspension
References (17)

  • 1 Riley R, Jiang X, Xu D. Multi-aspect profiling of kernel rootkit behavior [C] // Proc of the 4th ACM European Conf on Computer Systems (EuroSys 09). New York: ACM, 2009: 47-60.
  • 2 白光冬, 郭耀, 陈向群. A Windows rootkit detection method based on cross-view [J]. 计算机科学 (Computer Science), 2009, 36(8): 133-137. Cited by: 13
  • 3 Garfinkel T, Rosenblum M. A virtual machine introspection based architecture for intrusion detection [C] // Proc of the 10th Network and Distributed System Security Symp. Washington DC: Internet Society, 2003: 191-206.
  • 4 Litty L, Lie D. Manitou: A layer-below approach to fighting malware [C] // Proc of the Workshop on Architectural and System Support for Improving Software Dependability (ASID 06). New York: ACM, 2006: 6-11.
  • 5 Barham P, Dragovic B, Fraser K, et al. Xen and the art of virtualization [C] // Proc of the 19th ACM Symp on Operating Systems Principles (SOSP 03). New York: ACM, 2003: 164-177.
  • 6 Waldspurger C A. Memory resource management in VMware ESX Server [C] // Proc of the 5th Symp on Operating Systems Design and Implementation (OSDI 02). New York: ACM, 2002: 181-194.
  • 7 Nance K, Bishop M, Hay B. Virtual machine introspection: Observation or interference? [J]. IEEE Security and Privacy, 2008, 6(5): 32-37.
  • 8 Chen P M, Noble B D. When virtual is better than real [C] // Proc of the 8th Workshop on Hot Topics in Operating Systems. Piscataway, NJ: IEEE, 2001: 133-138.
  • 9 Jones S, Arpaci-Dusseau A, Arpaci-Dusseau R. AntFarm: Tracking processes in a virtual machine environment [C] // Proc of the USENIX Annual Technical Conf. Berkeley, CA: USENIX, 2008: 1-14.
  • 10 Payne B D, Carbone M, Lee W. Secure and flexible monitoring of virtual machines [C] // Proc of the 23rd Annual Computer Security Applications Conf (ACSAC 07). Piscataway, NJ: IEEE, 2007: 385-397.
