Research on Virtual Machine System Security for Cloud Computing
Abstract
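Cloud computing platforms deliver a wide range of services over the Internet. This open model makes access convenient for users, but it also introduces potential security risks. Cloud platforms usually use a virtual machine system as their underlying architecture, so the security of the virtual machine system is at the core of cloud security. Against this background, this thesis studies three aspects of virtual machine system security in cloud computing platforms.
     In cloud computing platforms, especially private and community clouds, virtual machines usually need to interact and communicate with one another. This interaction, however, opens a path for attacks and for the spread of malware, so a mechanism is needed to keep virtual machine communication secure. To this end, this thesis proposes the Virt-BLP model, a mandatory access control model for multi-level security tailored to virtual machine systems. To achieve this, it defines a set of model elements, security axioms, and state transition rules. In a cloud platform, guest virtual machines provide services to users, while the privileged virtual machine and the virtual machine monitor are generally managed by the cloud service provider. Accordingly, the Virt-BLP model defines the privileged virtual machine as a trusted subject whenever it acts as a subject. Some state transition rules in the model can be executed only by a trusted subject, which lets the privileged virtual machine manage and control access and communication between guest virtual machines. Thus, while providing mandatory access control, the Virt-BLP model also implements partial discretionary access control, which fits the characteristics of virtual machine systems well. Based on the Virt-BLP model, VMAC, a mandatory access control framework for multi-level security, was designed and implemented in the Xen virtual machine system; validation experiments show that it successfully maps the functions of the Virt-BLP model into Xen. Virt-BLP is a general model on which other virtual machine systems can base their own mandatory access control frameworks.
     Guest virtual machines provide services to users in a cloud platform, and only by securing them can users obtain cloud services in a secure environment. This thesis studies the runtime security of user-level applications and the runtime security of the kernel in guest virtual machines. For application-level security, it proposes Hyperivm, an in-VM measurement framework used to determine the runtime state of applications in a guest virtual machine. The measurement module measures executables running in the guest virtual machine and produces measurement values, which are passed to the privileged virtual machine through the inter-VM communication mechanism and stored in a measurement list. The trusted measurement values held in a reference list are compared, at verification time, with the corresponding values in the measurement list to determine the state of each executable. The Trusted Platform Module (TPM) is used to guarantee the integrity of the measurement list and the reference list. In addition, a memory monitoring module in the framework determines the state of the measurement module, so as to keep the measurement process secure. A prototype of the Hyperivm in-VM measurement framework was implemented on paravirtualized Xen; while protecting application security, it showed good efficiency in performance evaluation.
     Compared with the security of guest virtual machine applications, the runtime security of the guest kernel is more important. This thesis proposes Hyperchk, a dynamic virtual machine monitoring framework whose goal is to ensure the runtime security of the guest virtual machine kernel. The whole framework is deployed in the privileged virtual machine and monitors the kernel memory of guest virtual machines with the help of the virtual machine monitor. The privileged virtual machine and the virtual machine monitor are transparent to the outside world in a cloud platform and therefore have relatively high security; this property guarantees the reliability of Hyperchk's memory acquisition and, in turn, the security of the monitoring process. Obtaining the key values needed during monitoring by searching the guest kernel memory greatly improves the robustness of the monitoring process. A strategy of self-adjusting the monitoring frequency according to CPU load raises the detection rate while reducing unnecessary performance overhead. The policy center acts as the driver of the Hyperchk framework, and its customizability gives the monitoring framework good extensibility and flexibility. The Hyperchk prototype implemented on paravirtualized Xen not only detects kernel rootkit attacks against guest virtual machines effectively, but also performs well under different load conditions.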
Cloud computing platforms provide services to users through the Internet. This open mode not only facilitates access by users, but also brings potential security risks. Usually, a cloud computing platform uses a virtual machine system as its underlying architecture. Consequently, the security of the virtual machine system is of paramount importance to the security of cloud computing. Against this background, this thesis studies three aspects of the security of virtual machine systems in cloud computing.
     In a cloud computing platform, especially in private and community clouds, communication between virtual machines (VMs) is necessary. However, this interaction provides a possible channel for the propagation of attacks and malicious software. For this reason, a mechanism is needed to guarantee security when virtual machines communicate with each other. In this thesis, we propose the Virt-BLP model, a mandatory access control (MAC) model tailored to virtual machine systems. It satisfies the requirement of multi-level security (MLS) in virtual machine systems. A series of elements, security axioms, and state transition rules are defined in the Virt-BLP model. In a cloud computing platform, guest virtual machines (guest VMs) are used to provide services to users, while the privileged virtual machine (privileged VM) and the virtual machine monitor (VMM) are managed by the cloud service provider. Accordingly, the Virt-BLP model defines the privileged VM as a trusted subject when it acts as a subject. Some state transition rules can only be enforced by a trusted subject. As a result, the privileged VM can manage and control the communications between VMs. That is to say, the Virt-BLP model supports MAC and partial discretionary access control (DAC). Based on the Virt-BLP model, we design and implement a MAC framework applicable to MLS in Xen, called VMAC. The experimental results show that the functions of the Virt-BLP model are mapped into the VMAC framework successfully. Moreover, Virt-BLP is a versatile model on which other virtual machine systems could base their own MAC frameworks.
     As guest VMs provide services to users, their security is of significant importance to the provision of secure cloud computing services. This thesis studies the security of user-level applications and of the OS kernel in guest VMs respectively. We propose an in-VM measuring framework called Hyperivm to determine the status of user-level applications in guest VMs. The measurement module (MM) measures running executables in guest VMs. All measurement values are transferred to the privileged VM through the inter-VM communication mechanism and are stored in the measurement table (MT). The reference table (RT), containing the trusted measurement values of running executables, is used for verifying the status of executables. The trusted platform module (TPM) is leveraged to guarantee the integrity of the MT and RT. Moreover, we design a module called the memory watcher (MW) to determine the status of the MM. A working prototype of this in-VM measuring framework is implemented on paravirtualized Xen, which could guarantee the security of user-level applications in DomU. Meanwhile, it shows good efficiency in performance evaluation.
     Compared to the security of user-level applications in guest VMs, the security of the OS kernel in guest VMs is more important. For this reason, we propose a dynamic monitoring framework called Hyperchk to guarantee the runtime security of the OS kernel in guest VMs. This framework is deployed in the privileged VM and monitors the kernel memory of guest VMs via the VMM. Because the privileged VM and the VMM are transparent to the outside, they run with high security. As a result, the process of retrieving the kernel memory of guest VMs is secure, and furthermore the monitoring results are reliable. The key values used in the Hyperchk framework are retrieved by searching the kernel memory of guest VMs, which largely increases the robustness of the monitoring process. In addition, the Hyperchk framework adopts a scheme of self-adjusting the monitoring frequency according to the runtime CPU load. This scheme increases the detection rate and also decreases unnecessary overhead. With a customizable policy center, the Hyperchk framework is scalable and flexible. Moreover, a working prototype of the Hyperchk framework is implemented on paravirtualized Xen. This prototype is effective at detecting kernel rootkits and incurs only acceptable overhead under different workload conditions.
