Abstract
Integrity measurement is an important method for detecting tampered programs, but in virtualized environments traditional detection approaches have shown shortcomings. For example, the measurement software and the measured objects reside in the same operating system, so the measurement software is easily attacked. From the perspectives of both security and performance, this paper proposes an integrity measurement mechanism based on virtual machine introspection, IVirt (Integrity for Virtualization). The mechanism obtains the required virtual machine memory data from outside the virtual machine through address translation and content locating, and then measures the integrity of programs inside the virtual machine to verify whether they have been tampered with. A prototype of IVirt was implemented on the typical virtual machine monitor Xen. Compared with work of the same kind, IVirt on the one hand isolates the measurement software from the measured objects, preventing the measurement software from being attacked; on the other hand, it uses address translation to measure the runtime state, which differs from measurement methods based on event interception and reduces performance overhead. Experimental results show that this method can detect software tampering in a running virtual machine without introducing excessive performance cost.
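As an added illustration of the measurement path the abstract describes (translating guest addresses, locating the program's memory from outside the guest, and hashing it against a known-good value), the following toy Python model is not the paper's Xen implementation; its single-level page-table format, addresses and "code" bytes are constructed assumptions:

```python
import hashlib

PAGE_SIZE = 0x1000
PAGE_MASK = PAGE_SIZE - 1

class MachineMemory:
    """Machine memory as the hypervisor sees it; the measurer lives outside the guest."""
    def __init__(self, size):
        self.mem = bytearray(size)
    def read(self, addr, n):
        return bytes(self.mem[addr:addr + n])
    def write(self, addr, data):
        self.mem[addr:addr + len(data)] = data

def translate(mem, pt_base, gva):
    """Toy one-level page table (assumption): one 8-byte entry per virtual page at pt_base.
    Bit 0 is the present bit; bits 12 and up hold the machine frame address."""
    vpn = gva // PAGE_SIZE
    pte = int.from_bytes(mem.read(pt_base + 8 * vpn, 8), "little")
    if not pte & 1:
        raise ValueError(f"guest virtual page {vpn:#x} not present")
    return (pte & ~PAGE_MASK) | (gva & PAGE_MASK)

def read_guest_virtual(mem, pt_base, gva, length):
    """Content locating: walk the guest-virtual range page by page, translating each piece."""
    out = bytearray()
    while length:
        chunk = min(length, PAGE_SIZE - (gva & PAGE_MASK))
        out += mem.read(translate(mem, pt_base, gva), chunk)
        gva, length = gva + chunk, length - chunk
    return bytes(out)

def measure(mem, pt_base, gva, length):
    """Integrity measurement: SHA-256 over the located guest-virtual range."""
    return hashlib.sha256(read_guest_virtual(mem, pt_base, gva, length)).hexdigest()

def build_guest():
    """Constructed guest: page table at machine 0x1000; text at GVA 0x400000 spans two frames."""
    mem = MachineMemory(0x20000)
    pt_base, text_gva, frames = 0x1000, 0x400000, (0x10000, 0x12000)
    for i, frame in enumerate(frames):
        mem.write(pt_base + 8 * (text_gva // PAGE_SIZE + i), (frame | 1).to_bytes(8, "little"))
    mem.write(frames[0], bytes([0x90] * PAGE_SIZE))  # constructed code page (NOPs)
    mem.write(frames[1], bytes([0xC3] * 0x100))      # constructed tail page (RETs)
    return mem, pt_base, text_gva, PAGE_SIZE + 0x100

def demo():
    mem, pt, gva, n = build_guest()
    baseline = measure(mem, pt, gva, n)          # recorded while the guest is known-good
    mem.write(0x12010, b"\xCC")                  # one text byte changed inside the guest
    return baseline != measure(mem, pt, gva, n)  # True: the runtime measurement differs
```

Because the page table and hashing run against machine memory held by the hypervisor, nothing inside the guest can alter the measurer itself, which is the isolation property the abstract claims.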
Source
计算机学报 (Chinese Journal of Computers)
Indexing: EI, CSCD, Peking University Core Journals (北大核心)
2015, No. 1, pp. 191-203 (13 pages)
Funding
National Natural Science Foundation of China (61202081)
National High Technology Research and Development Program of China (863 Program) (2012AA012606)
Keywords
virtual machine introspection
integrity measurement
virtualization
virtual machine monitor
runtime
security