Abstract
With the rise of cloud computing, virtualization has been widely adopted across the IT industry. Governments, enterprises, and individuals have moved much of their business and sensitive data into virtual machines hosted in the cloud. Within the virtualization software stack, the hypervisor has the highest privilege and a relatively small trusted computing base, so it can provide security monitoring and protection for a virtualized system. At the same time, virtualization introduces a new software layer, which adds vulnerabilities and enlarges the attack surface of the whole system. In addition, the multi-tenant model and the sharing of software and hardware platform resources exacerbate the security threats to this new software stack. As a result, the security and privacy of virtual machines and hypervisors have attracted great attention from both academia and industry. This paper analyzes the security threats, attack methods, and threat mechanisms at the different layers of the virtualization software stack. In response to these threats, and taking the trusted computing base as its perspective, it analyzes and compares related security solutions and technologies from China and abroad in several categories, including hypervisor-based, micro-hypervisor-based, nested virtualization-based, and security hardware-based approaches, and it points out the security problems that still remain. Finally, the paper discusses and analyzes directions for future research and gives security enhancement solutions for the virtualization software stack at both the software and hardware levels. © 2017, Science Press. All rights reserved.
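Source
《计算机学报》
EI
CSCD
Peking University Core Journal
2017, Issue 2, pp. 481-504 (24 pages)
Chinese Journal of Computers
Funding
Supported by the National Key Research and Development Program of China, "Cyberspace Security" major special project (2016YFB0801002)
Keywords
Virtualization software stack
Virtual machine security
Cloud security
Memory security
Computer security architecture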
Cloud computing
Computer hardware
Computer software
Computer system firewalls
Hardware
Network security
Security of data
Security systems
Trusted computing
Virtual machine
Virtual reality
Virtualization