
File Access Protection Based on VMM-level Kernel Function Analysis Technique (cited by: 1)
Abstract: Files are an integral part of the operating system and a primary target of malicious code, so effectively controlling file access behavior is key to protecting operating system security. Because existing file protection methods are easily attacked or bypassed by kernel malware, this paper proposes a file access protection method based on VMM-level kernel function analysis. Following the idea of instruction replacement and emulation, the method monitors the critical kernel functions involved in file access at the VMM layer and combines this with virtual machine introspection to achieve effective control over file access behavior. It further uses extended page tables to strengthen the protection mechanism, reducing the likelihood that kernel malware can bypass it and improving the security of the monitoring method. Comparative testing and analysis show that the method can monitor file access behavior, control where files flow, and thereby provide effective protection for important files; with monitoring enabled, the performance overhead increases by only 4.5% over BitVisor.
Source: 《小型微型计算机系统》 (Journal of Chinese Computer Systems), CSCD, Peking University core journal, 2017, Issue 6, pp. 1209-1215 (7 pages)
Funding: National Social Science Fund of China project (15AGJ012)
Keywords: virtual machine monitor; file access control; kernel function; sensitive instruction; trapping