Abstract
Files are not only an indispensable part of the operating system, but also a major target of malware. The key to protecting the security of the operating system is to control file access behavior effectively. Existing file protection methods can easily be attacked or bypassed by kernel malware, so this paper proposes a file protection method based on VMM-level kernel function analysis. Based on the idea of instruction replacement and emulation, the method monitors the critical kernel functions involved in file access at the VMM level, achieves effective control over access to sensitive files by combining this with virtual machine introspection, strengthens the protection mechanism with extended page tables, reduces the probability that kernel malware will bypass the protection mechanism, and thereby improves the security of the monitoring method. Comparative testing and analysis show that the method can monitor file access behavior, control the flow of files, and protect important files effectively. The performance overhead introduced by enabling the monitoring system is only 4.5% above that of BitVisor alone.
Source
《小型微型计算机系统》 (Journal of Chinese Computer Systems)
Indexed in: CSCD; Peking University Core Journals
2017, No. 6, pp. 1209-1215 (7 pages)
Funding
Supported by the National Social Science Fund of China (15AGJ012)
Keywords
virtual machine monitor
file access control
kernel function
sensitive instruction
trapping