Access Control Based Hypervisor Non-control Data Integrity Protection
doi: 10.11999/JEIT150130
Funds: The National Science and Technology Major Project of China (Core Electronic Devices, High-end Generic Chips and Basic Software, 2013JH00103) and the National 863 Goal-oriented Program (2009AA01Z434)
Abstract: As virtualization technology is widely deployed, the security problems of the virtualization layer have attracted close attention from researchers at home and abroad. Existing hypervisor (virtual machine monitor) integrity protection methods focus mainly on code and control-data integrity and cannot resist non-control-data attacks; periodic monitoring cannot provide real-time non-control-data integrity protection. To address these deficiencies, this paper proposes UCONhi, a hypervisor non-control-data integrity protection model based on Usage CONtrol (UCON). The model simplifies UCON according to the requirements of non-control-data integrity protection while inheriting UCON's continuity and mutability, so that access to non-control data is controlled in real time. Attackers and attacked objects are analysed from attack samples to determine the subjects and objects, which reduces the number of security policies and improves decision efficiency; UCONhi security policies are described with Event-Condition-Action (ECA) rules, which can effectively decide the legality of non-control-data accesses. A prototype system, Xen-UCONhi, is designed and implemented on Xen, and its effectiveness and performance overhead are evaluated experimentally. The results show that Xen-UCONhi effectively prevents attacks against the hypervisor with a performance overhead below 10%.

Keywords:
- virtual machine monitor (hypervisor)
- non-control data
- usage control
- integrity protection
- event-condition-action
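As an added illustration (not the paper's code and not the UCONhi model itself), the toy Python engine below shows the three ideas the abstract combines: ECA rules that decide an access to non-control data, continuity (every access is re-decided) and mutability (a permitted access updates attributes that later decisions depend on). All entity names, attributes and the policy are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Entity:            # UCON subject or object; attrs may change during usage (mutability)
    name: str
    attrs: dict = field(default_factory=dict)

@dataclass
class Event:             # an access attempt on hypervisor non-control data
    subject: Entity
    obj: Entity
    right: str           # e.g. "write"

@dataclass
class Rule:              # ECA rule: on an event for `right`, if `condition` holds, run `action`
    right: str
    condition: Callable[[Event], bool]
    action: Callable[[Event], None] = lambda ev: None   # attribute update applied on permit

class UsageControl:
    def __init__(self, rules): self.rules = rules

    def decide(self, ev):
        # Re-evaluated on every access (continuity): an earlier permit does not
        # carry over once a rule's action has changed the attributes it depends on.
        applicable = [r for r in self.rules if r.right == ev.right]
        if not applicable or not all(r.condition(ev) for r in applicable):
            return "deny"                                # default deny when no rule covers the right
        for r in applicable:
            r.action(ev)
        return "permit"

def build_policy():
    # Hypothetical policy: only hypervisor-role subjects may write the object, and the
    # first write made during domain initialisation seals it against further writes.
    role_allowed = lambda ev: ev.subject.attrs.get("role") in ev.obj.attrs["writers"]
    not_sealed = lambda ev: not ev.obj.attrs.get("sealed", False)
    def seal_after_init(ev):
        if ev.subject.attrs.get("phase") == "init":
            ev.obj.attrs["sealed"] = True
    return UsageControl([Rule("write", role_allowed), Rule("write", not_sealed, seal_after_init)])

def demo():
    uc = build_policy()
    # Constructed entities: the object stands in for a privilege flag held as non-control data.
    flag = Entity("dom_privilege_flag", {"writers": {"hypervisor"}})
    builder = Entity("domain_builder", {"role": "hypervisor", "phase": "init"})
    guest = Entity("guest_hypercall_path", {"role": "guest"})
    return [uc.decide(Event(guest, flag, "write")),    # deny: guest role is not a permitted writer
            uc.decide(Event(builder, flag, "write")),  # permit: legitimate init write, seals the flag
            uc.decide(Event(builder, flag, "write"))]  # deny: flag now sealed (attribute mutated)
```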