Research on a Virtual-Machine-Based Real-Time File Protection Mechanism
Abstract
As virtualization technology is applied more and more widely, attack tools aimed at virtual machines keep emerging, and the security of guest operating systems, which hold large amounts of important user data, is a particular concern. Traditional file protection resides inside the target operating system, where it is easily attacked by kernel-mode attack tools, so the security of the protection software itself is hard to guarantee. Moreover, because several operating systems run simultaneously on one host in a virtualized environment, traditional file protection must be installed redundantly on every virtual machine, which wastes system resources and seriously degrades system performance.
     The virtual-machine-based real-time file protection mechanism effectively solves these problems. First, the key modules of the mechanism are implemented in the privileged virtual domain, effectively isolated from the target virtual machine, so they are not easily harmed by kernel-mode attack tools. Second, because the privileged domain holds higher management privileges, malware in an unprivileged domain cannot perceive the existence of the file protection system in the privileged domain, and malicious attacks are easier to detect than with an implementation inside the unprivileged domain. The mechanism builds on the split device driver model of the virtual machine, using the user-mode device management tool of the privileged operating system to capture file operations in the guest virtual machine without modifying the code of the virtual machine monitor or the guest operating system, thereby preserving the integrity of that code. Finally, the mechanism obtains information about file operations in the guest operating system in real time and uses a file sandbox in the privileged domain to protect the files of guest operating systems in unprivileged domains, ensuring the security of the guest's important files. In summary, the mechanism achieves four characteristics: isolation, transparency, non-intrusiveness and real-time operation.
     Tests show that the virtual-machine-based real-time file protection mechanism effectively guarantees the security of specified files in the guest operating system, has little impact on the speed of compressing and decompressing the file system or on file read and write speed, adapts to the dynamic deployment, creation and destruction of virtual machines on the host, and can protect specified files in several guest operating systems at the same time.
With the development of virtualization technology, file protection in virtual machines (VMs), and especially in the guest OS, becomes more and more important. A traditional host-based file protection system keeps its critical modules inside the monitored system, where they are easily discovered and destroyed by malware. Moreover, to protect the multiple operating systems running on the same platform, an independent file protection system (FPS) must be installed in each of them, which greatly wastes computing resources and brings serious performance overhead.
     A novel VM-based real-time file protection system, named VRFP, is proposed to solve these problems. First, the virtual machine monitor (VMM) introspects all file operations of the guest OS; then, the semantic gap between disk blocks and logical files is narrowed by blktap; finally, a virtual sandbox is implemented in the privileged domain to prevent protected files in the guest domain from being modified illegally. The approach is highly isolated and transparent and requires no modification of the virtual machine monitor or the guest OS. The experimental results show that the presented system is valid and has low performance overhead.
     Test results show that the VM-based real-time file protection mechanism can effectively protect the specified files in the guest OS, with low overhead on the speed of compressing and decompressing files and on file read and write speed in the target OS. Besides, it adapts to the dynamic deployment, creation and destruction of virtual machines, providing file protection for several virtual machines at the same time.
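The block-level interposition the abstract describes (blktap bridging the semantic gap between guest disk blocks and logical files, and a sandbox in the privileged domain refusing illegal writes), as an added Python illustration that is not the thesis's code: the block map, the protected-file set and the deny-the-whole-request policy are constructed assumptions standing in for what blktap would derive from the guest image.

```python
# Added illustration (not VRFP's code): a blktap-style write interposer in the
# privileged domain. It maps guest disk sectors back to logical files through a
# constructed block map and refuses any write that would touch a protected file,
# passing all other writes through to the backing image.

SECTOR = 512

# Constructed block map standing in for the file-system metadata blktap would
# read from the guest image: guest path -> sectors holding that file's data.
BLOCK_MAP = {
    "/etc/passwd": [100, 101],
    "/var/log/auth.log": [200, 201, 202],
    "/home/user/notes.txt": [300],
}

# Constructed protection policy (assumed, not the thesis's policy).
PROTECTED = {"/etc/passwd", "/var/log/auth.log"}


def sector_to_file(sector):
    """Bridge the semantic gap: which guest file, if any, owns this sector?"""
    for path, sectors in BLOCK_MAP.items():
        if sector in sectors:
            return path
    return None


class WriteInterposer:
    def __init__(self, capacity_sectors):
        self.capacity = capacity_sectors
        self.image = bytearray(capacity_sectors * SECTOR)  # backing store
        self.audit = []                                    # dom0-side log

    def write(self, sector, data):
        """Return True if the guest write was committed, False if refused."""
        n = -(-len(data) // SECTOR)  # ceiling: sectors touched by the request
        if sector < 0 or sector + n > self.capacity:
            self.audit.append(("DENY", sector, n, ["out of range"]))
            return False
        touched = [sector_to_file(s) for s in range(sector, sector + n)]
        hit = {f for f in touched if f in PROTECTED}
        if hit:
            # Refuse the whole request: committing only the unprotected part
            # could leave the guest file system in a torn state.
            self.audit.append(("DENY", sector, n, sorted(hit)))
            return False
        start = sector * SECTOR
        self.image[start:start + len(data)] = data
        self.audit.append(("ALLOW", sector, n, []))
        return True

    def read(self, sector, length):
        start = sector * SECTOR
        return bytes(self.image[start:start + length])
```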