安全虚拟环境中的进程执行精确监控

doi:10.3969/j.issn.1001-2400.2012.06.030

J4 ›› 2012, Vol. 39 ›› Issue (6): 181-186.doi: 10.3969/j.issn.1001-2400.2012.06.030

安全虚拟环境中的进程执行精确监控

刘哲元;慕德俊

(西北工业大学控制与网络研究所，陕西西安 710072)

收稿日期:2012-03-09 出版日期:2012-12-20 发布日期:2013-01-17
通讯作者: 刘哲元
作者简介:刘哲元(1982-)，男，西北工业大学博士研究生，E-mail: liuzheyuan@mail.nwpu.edu.cn．

Secure virtualization-based fine-grained process execution monitoring

LIU Zheyuan;MU Dejun

(Control and Network Inst., Northwestern Polytechnical Univ., Xi'an 710072， China)

Received:2012-03-09 Online:2012-12-20 Published:2013-01-17
Contact: LIU Zheyuan

摘要/Abstract

摘要：

提出了通过进程移植实现对用户级进程执行实施监控的方法，旨在同时解决隔离和兼容性问题，并采取重定向系统调用来保证被移植进程执行的连续性．实验结果表明了文中方法的有效性和可行性，以及对系统性能的微小影响．

关键词: 进程监控, 语义鸿沟, 虚拟机自省

Abstract:

Computer malware has forced the transfer of the traditional in-host security tools to the development of VMM-based solutions which isolate the anti-malware software from untrusted systems. However, the inherent semantic gap poses a great challenge in supporting existing monitoring tools. In this paper, we present a process transferring method for fine-grained process execution monitoring to address both isolation and compatibility problems. Also by redirecting system calls invoked by the suspect process we guarantee the execution flow of the transferred process. Evaluation results show its effectiveness and feasibility with a tiny influence on the system.

Key words: process monitoring, semantic gap, virtual machine introspection

刘哲元;慕德俊. 安全虚拟环境中的进程执行精确监控[J]. J4, 2012, 39(6): 181-186.

LIU Zheyuan;MU Dejun. Secure virtualization-based fine-grained process execution monitoring[J]. J4, 2012, 39(6): 181-186.

参考文献

［1］ McAfee Threats Report. Fourth Quarter［R/OL］. ［2011-12-20］. http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2010.pdf.
［2］ Azab A M, Ning P, Sezer E C, et al. HIMA: A Hypervisor-based Integrity Measurement Agent ［C］//Proc of the 25th Annual Computer Security Applications Conference. Honolulu: IEEE, 2009: 461-470.
［3］ Garfinkel T, Rosenblum M. A Virtual Machine Introspection Based Architecture for Intrusion Detection ［C］//Proc of Network and Distributed Systems Security Symposium. San Diego: ISOC, 2003: 191-206.
［4］ Payne B D, de Carbone M, Lee W K. Secure and Flexible Monitoring of Virtual Machines ［C］//Proc of the 23rd Annual Computer Security Applications Conference. Miami Beach: IEEE, 2007: 385-397.
［5］ Payne B D, de Carbone M, Sharif M, et al. Lares: An Architecture for Secure Active Monitoring Using Virtualization ［C］//Proc of the 29th IEEE Symposium on Security and Privacy. Oakland: IEEE, 2008: 233-247.
［6］ Dolan-Gavitt B, Leek T, Zhivich M, et al. Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection ［C］//Proc of the 32nd IEEE Symposium on Security and Privacy. Berkeley: IEEE, 2011: 297-312.
［7］ Dolan-Gavitt B, Payne B D, Lee W K. Leveraging Forensic Tools for Virtual Machine Introspection ［R］. Atlanta: Technical Report. Georgia Institute of Technology, GT-CS-11-05, 2011.
［8］ Klein G, Elphinstone K, Heiser G, et al. seL4: Formal Verification of an OS Kernel ［C］//Proc of the 22nd Symposium on Operating Systems Principles. New York: ACM, 2009: 207-220.
［9］ Intel Corporation. Intel 64 and IA-32 Architectures Software Developer's Manual ［M］. Raleigh: Intel Corporation, 2012: Volume 3B.
［10］ Wikipedia. Kernel-based Virtual Machine ［EB/OL］. ［2012-01-10］. http://en.wikipedia.org/wiki/Kernel-based_Virtual_Machine.
［11］ Wikipedia. QEMU ［EB/OL］. ［2011-12-20］. http://en.wikipedia.org/wiki/QEMU.
［12］ Intel Corporation. Intel 64 and IA-32 Architectures Software Developer's Manual ［M］. Raleigh: Intel Corporation, 2012: Volume 3A.
［13］ Forrest S, Hofmeyr S, Somayaji A. The Evolution of System-Call Monitoring ［C］//Proc of the 24th Annual Computer Security Applications Conference. Anaheim: IEEE, 2008: 418-430.

安全虚拟环境中的进程执行精确监控

Secure virtualization-based fine-grained process execution monitoring

PDF (PC)

赞

可视化

被引次数

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 0

Metrics

本文评价

推荐阅读 10