期刊文献+
任意字段
题名或关键词
题名
关键词
文摘
作者
第一作者
机构
刊名
分类号
参考文献
作者简介
基金资助
栏目信息

一个基于硬件虚拟化的内核完整性监控方法 被引量:7

Approach of Kernel Integrity Monitoring Using Hardware Virtualization
下载PDF
导出
摘要 对操作系统内核的攻击就是通过篡改关键数据和改变控制流来危及操作系统的安全。已有的一些方法通过保护代码完整性或控制流完整性来抵御这些攻击,但是这往往只关注于某一个方面而没有给出一个完整的监控方法。通过对内核完整性概念的分析,得出了在实际系统中保证内核完整性需要的条件:保障数据完整性,影响系统功能的关键数据对象只能由指定的代码在特定情况下修改;保障控制流完整性,保护和监控影响代码执行序列改变的所有因素。并采用硬件虚拟化的Xen虚拟机监控器实现对Linux内核的保护和监控。实验结果证明,该方法能够阻止外来攻击和本身漏洞对内核的破坏。 Kernel-level attacks compromise operating system security by tampering with critical data and control flow in the kernel. Current approaches defend against these attacks by applying code integrity or control flow integrity control methods. However, they focus on only a certain aspect and cannot give a complete integrity monitoring solution. This paper analyzed the kernel integrity principle and got practical requirements to ensure kernel integrity. Critical data ob- jects effect operating system function directly. Only certain code is able to modify critical data objects at certain condi- tions to ensure data integrity. All factors about code execution sequence are protected and monitored to ensure control flow integrity. Implementation in Xen VMM(Virtual Machine Monitor) using hardware virtualization, or referred to as HVM(Hardware Virtual Machine) is introduced to protect and monitor Linux kernel. Experiments show that the solu- tion can detect and prevent attacks and bugs compromising the kernel.
作者 李珣 黄皓
机构地区 南京大学计算机科学与技术系软件新技术国家重点实验室
出处 《计算机科学》 CSCD 北大核心 2011年第12期68-72,共5页 Computer Science
基金 江苏省高技术项目(BE2008124) 国家自然科学创新群体项目(60721002)资助
关键词 监控 虚拟机监控器 硬件虚拟化 控制流完整性 数据完整性 Monitor, VMM, HVM, Control flow integrity, Data integrity
分类号 TP316 [自动化与计算机技术—计算机软件与理论]
  • 相关文献

参考文献14

  • 1Abadi M,Erlingsson M B U, Ligatti J. Control Flow Integrity: Principles,Implementations, and Applications[C]//Proc. of the ACM CCS. 2005.
  • 2AMD. AMD64 Virtualization Codenamed "Pacifica" Technology: Secure Virtual Machine Architecture Reference Manual[S]. 2005.
  • 3Garfinkel T, Rosenblum M. A Virtual Machine Introspection Based Architecture for Intrusion Detection[C]//Proc. of NDSS. 2003.
  • 4Neiger G, Santoni A, Leung F, et al. Intel Virtualization Tech nology[J]. Intel Technology Journal, 2006,10.
  • 5Petroni N L, Hick M. Automated Detection of Persistent Kernel Control-flow Attacks[C]//Proc. of ACM CCS. 2007.
  • 6Oh N, Shirvani P P, Mccluskey J. Control-flow Checking by Software Signatures [J]. IEEE Transactions on Reliability, 2002,51(1) .. 111-122.
  • 7Storm P. All-root [EB/OL]. http://packetstormsecurity, org/ UNIX/penetration/rootkits/all-root. c,Jan. 2009-15.
  • 8Petroni N, Fraser T, Walters A, et al. An Architecture for Specification-based Detection of Semantic Integrity Violations in Kernel Dynamic Data[C]//Proc. of USENIX Security. 2006.
  • 9Richardson R. CSI Computer Crime and Security Survey[R]. Computer Security Institute, 2009.
  • 10Riley R,Jiang X,Xu D. Guest-transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing[C]//Proc. of the 11th Symposium on Recent Advances in Intrusion Detection (RAID). 2008.

同被引文献53

  • 1Enck W, Gilbert R TaintDroid: An Information-flow Tracking System for Realtime Privacy Monitoring on Smartphones[C]// Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation. [S. 1.]: IEEE Press, 2010 393-407.
  • 2Grace M, Zhou Yajin, Wang Zhi, et al. Systematic Detection of Capability Leaks in Stock Android Smartphones[C]//Proc- eedings of NDSS' 12. [S. 1 .]: 1EEE Press, 2012: 107-201.
  • 3Enck W, Ongtang M, McDaniel P. On Lightweight Mobile Phone Application Certification[C]//Proceedings of ACM Conference on Computer and Communications Security. [S. 1.]: ACM Press, 2009: 235-245.
  • 4Nauman M, Khan S, Zhang X. Apex: Extending Android Permission Model and Enforcement with User-defined Runtime Constraints[C]//Proceedings of ACM Conference on Computer and Communication Security. [S. 1.]: ACM Press,2010: 328-332.
  • 5Bugiel S. Towrads Taming Privilege-escalation Attacks on Android[C]//Proceedings of ISC' 10. [S. 1.]: IEEE Press, 2010: 346-360.
  • 6Shabtai A, Fledel Y, Elovici Y. Security Android-powered Mobile Device Using SELinux[J]. IEEE Security & Privacy, 2008, 8(3): 36-44.
  • 7NVD. CEV-2007-6562[EB/OL]. (2013-04-17). http://web.nvd. nist.gov/view/vuln/detail?vulnld=CVE-2007-6562.
  • 8Seshadri A, Luk M, Qu Ning, et al. SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes[C]//Proceedings of ACM SOSP'07. [S. 1.]: ACM Press, 2007: 335-350.
  • 9Hwang Joo-Young. Xen on ARM: System Virtualization UsingXen Hypervisor for ARM-based Secure Mobile Phones[C]// Proceedings of the 5th IEEE Consumer Communications and Networking Conference. IS. 1.]: IEEE Press, 2008: 257-261.
  • 10Dall C, Nieh J. KVM for ARM[C]//Proceedings of Linux Symposium. [S. 1.]: IEEE Press, 2010: 45-56.

引证文献7

二级引证文献23

计算机科学
2011年 第12期

相关作者

内容加载中请稍等...

相关机构

内容加载中请稍等...

相关主题

内容加载中请稍等...

浏览历史

内容加载中请稍等...
;
使用帮助 返回顶部