Design and Implementation of a QEMU-based Program Behavior Monitoring System
  • English title: Design and implementation of QEMU-based program behavior monitoring system
  • Authors: 蒋传勇; 姚立红
  • English authors: JIANG Chuan-yong; YAO Li-hong; School of Electronic Information and Electrical Engineering, Shanghai Jiaotong University; Key Lab of Integrated Management of Information Security; State Key Lab for Novel Software Technology, Nanjing University
  • Keywords: virtual machine monitor; program behavior; QEMU; semantic gap
  • English keywords: virtual machine monitor; program behavior; QEMU; semantic gap
  • Chinese journal title: HDZJ
  • English journal title: Information Technology
  • Affiliations: School of Electronic Information and Electrical Engineering, Shanghai Jiaotong University; Shanghai Key Lab of Integrated Management of Information Security Technology; State Key Lab for Novel Software Technology, Nanjing University
  • Publication date: 2016-12-25
  • Publisher: Information Technology (信息技术)
  • Year: 2016
  • Language: Chinese
  • Pages: HDZJ201612025
  • Page count: 5
  • CN: 12
  • ISSN: 23-1557/TN
  • Classification number: 124-128
Abstract
A virtual machine monitor (VMM) offers strong isolation and high transparency, which has made it a focus of research into system behavior and program behavior. To address the semantic gap that arises when a VMM is used for this purpose, this paper selects the open-source virtual machine software QEMU as the VMM and proposes a QEMU-based method for monitoring program behavior. Based on an analysis of QEMU's structure and implementation principles, the method uses QEMU built-in functions and embedded hook functions to capture low-level data on program behavior, reconstructs a view of process behavior from that data, and extracts the program's key behavior data as an important basis for program detection. Experimental results show that the method can effectively extract program behavior data and reconstruct the key behavior information.
A virtual machine monitor (VMM) has both strong isolation and high transparency, which has made it popular among information security researchers. This paper uses QEMU as the VMM to address the semantic gap issue and presents a QEMU-based program behavior extraction model. After analyzing QEMU's structure and design principles, the low-level data of program behavior is captured at the VMM layer via QEMU built-in functions and/or implanted hooks and then reconstructed into a high-level view of the program. The key program behavior information can be used to determine whether the program is malware. The experimental results show that the model can effectively extract the behavior data and reconstruct the key behavior information of a program.