一级黄色片免费播放|中国黄色视频播放片|日本三级a|可以直接考播黄片影视免费一级毛片

高級搜索

留言板

尊敬的讀者、作者、審稿人, 關(guān)于本刊的投稿、審稿、編輯和出版的任何問題, 您可以本頁添加留言。我們將盡快給您答復(fù)。謝謝您的支持!

姓名
郵箱
手機(jī)號碼
標(biāo)題
留言內(nèi)容
驗(yàn)證碼

基于訪問控制的Hypervisor非控制數(shù)據(jù)完整性保護(hù)

陳志鋒 李清寶 張平 曾光裕

陳志鋒, 李清寶, 張平, 曾光裕. 基于訪問控制的Hypervisor非控制數(shù)據(jù)完整性保護(hù)[J]. 電子與信息學(xué)報(bào), 2015, 37(10): 2508-2516. doi: 10.11999/JEIT150130
引用本文: 陳志鋒, 李清寶, 張平, 曾光裕. 基于訪問控制的Hypervisor非控制數(shù)據(jù)完整性保護(hù)[J]. 電子與信息學(xué)報(bào), 2015, 37(10): 2508-2516. doi: 10.11999/JEIT150130
Chen Zhi-feng, Li Qing-bao, Zhang Ping, Zeng Guang-yu. Access Control Based Hypervisor Non-control Data Integrity Protection[J]. Journal of Electronics & Information Technology, 2015, 37(10): 2508-2516. doi: 10.11999/JEIT150130
Citation: Chen Zhi-feng, Li Qing-bao, Zhang Ping, Zeng Guang-yu. Access Control Based Hypervisor Non-control Data Integrity Protection[J]. Journal of Electronics & Information Technology, 2015, 37(10): 2508-2516. doi: 10.11999/JEIT150130

基于訪問控制的Hypervisor非控制數(shù)據(jù)完整性保護(hù)

doi: 10.11999/JEIT150130
基金項(xiàng)目: 

核高基國家科技重大專項(xiàng)(2013JH00103)和國家863目標(biāo)導(dǎo)向項(xiàng)目(2009AA01Z434)

Access Control Based Hypervisor Non-control Data Integrity Protection

Funds: 

The National Science and Technology Major Project of China (2013JH00103)

  • 摘要: 在虛擬化技術(shù)廣泛應(yīng)用的同時(shí)虛擬層的安全問題引起了國內(nèi)外研究人員的密切關(guān)注?,F(xiàn)有的虛擬機(jī)管理器(Hypervisor)完整性保護(hù)方法主要針對代碼和控制數(shù)據(jù)的完整性保護(hù),無法抵御非控制數(shù)據(jù)攻擊;采用周期性監(jiān)控?zé)o法提供實(shí)時(shí)的非控制數(shù)據(jù)完整性保護(hù)。針對現(xiàn)有方法的不足,該文提出了基于UCON的Hypervisor非控制數(shù)據(jù)完整性保護(hù)模型UCONhi。該模型在非控制數(shù)據(jù)完整性保護(hù)需求的基礎(chǔ)上簡化了UCON模型,繼承了UCON模型的連續(xù)性和易變性實(shí)現(xiàn)非控制數(shù)據(jù)的實(shí)時(shí)訪問控制。根據(jù)攻擊樣例分析攻擊者和攻擊對象確定主客體減少安全策略,提高了決策效率;并基于ECA描述UCONhi安全策略,能夠有效地決策非控制數(shù)據(jù)訪問合法性。在Xen系統(tǒng)中設(shè)計(jì)并實(shí)現(xiàn)了相應(yīng)的原型系統(tǒng)Xen-UCONhi,通過實(shí)驗(yàn)評測Xen-UCONhi的有效性和性能。結(jié)果表明,Xen-UCONhi能夠有效阻止針對虛擬機(jī)管理器的攻擊,且性能開銷在10%以內(nèi)。
  • Garfinkel T and Rosenblum M. A virtual machine introspection based architecture for intrusion detection[C]. Proceedings of the 10th Network and Distributed System Symposium, San Diego, USA, 2003: 191-206.
    Lanzi A, Sharif M I, and Lee W. K-Tracer: a system for extracting kernel malware behavior[C]. Proceedings of the 16th Network and Distributed System Security Symposium, San Diego, USA, 2009: 191-203.
    Baliga A, Ganapathy V, and Iftode L. Detecting kernel-level rootkits using data structure invariants[J]. IEEE Transactions on Dependable and Secure Computing, 2011, 8(5): 670-684.
    李博, 沃天宇, 胡春明, 等. 基于VMM的操作系統(tǒng)隱藏對象關(guān)聯(lián)檢測技術(shù)[J]. 軟件學(xué)報(bào), 2013, 24(2): 405-420.
    Li Bo, Wo Tian-yu, Hu Chun-ming, et al.. Hidden OS objects correlated detection technology based on VMM[J]. Journal of Software, 2013, 24(2): 405-420.
    Criswell J, Dautenhahn N, and Adve V. KCoFI: complete control-flow integrity for commodity operating system kernels[C]. Proceedings of the 35th IEEE Symposium on Security and Privacy, Oakland, 2014: 14-29.
    殷波, 王穎, 邱雪松, 等. 一種面向云服務(wù)提供商的資源分配機(jī)制[J]. 電子與信息學(xué)報(bào), 2014, 36(1): 15-21.
    Yin Bo, Wang Ying, Qiu Xue-song, et al.. A resource provisioning mechanism for service providers in cloud[J]. Journal of Electronics Information Technology, 2014, 36(1): 15-21.
    Barham P, Dragovic B, Fraser K, et al.. Xen and the art of virtualization[C]. Proceedings of the 19th ACM Symposium on Operating Systems Principles, New York, USA, 2003: 164-177.
    Wojtczuk R. Subverting the xen hypervisor[R]. Black Hat, USA, 2008.
    Rutkowska J and Tereshkin A. Bluepilling the xen hypervisor[R]. Black Hat, USA, 2008.
    Zovi D D. Hardware virtualization rootkits[R]. Black Hat Briefings, USA, 2006.
    Klein G, Elphinstone K, Heiser G, et al.. SeL4: formal verification of an OS kernel[C]. Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles, New York, USA, 2009: 207-220.
    Barthe G, Betarte G, Campo J D, et al.. Formally verifying isolation and availability in an idealized model of virtualization[C]. Proceedings of the 17th International Symposium on Formal Methods, Limerick, Ireland, 2011: 231-245.
    Baumann C, Bormer T, Blasum H, et al.. Proving memory separation in a microkernel by code level verification[C]. Proceedings of the 14th IEEE International Symposium on/ Object/Component/Service-OrientedReal-Time Distributed Computing Workshops, Reno, NV, USA, 2011: 25-32.
    Shinagawa T, Eiraku H, Tanimoto K, et al.. Bitvisor: a thin hypervisor for enforcing I/O device security[C]. Proceedings of the 2009 ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, New York, USA, 2009: 121-130.
    Steinberg U and Kauer B. NOVA: a microhypervisor-based secure virtualization architecture[C]. Proceedings of the 5th European Conference on Computer Systems, New York, USA, 2010: 209-222.
    Nguyen A, Raj H, Rayanchu S, et al.. Delusional boot: securing hypervisors without massive re-engineering[C]. Proceedings of the 7th ACM European Conference on Computer Systems, New York, USA, 2012: 141-154.
    Wang Z and Jiang X. HyperSafe: a lightweight approach to provide lifetime hypervisor control-flow integrity[C]. Proceedings of the 31st IEEE Symposium on Security and Privacy, Oakland, USA, 2010: 380-395.
    Azab A M, Ning P, Wang Z, et al.. HyperSentry: enabling stealthy in-context measurement of hypervisor integrity[C]. Proceedings of the 17th ACM Conference on Computer and Communications Security, Chicago, USA, 2010: 38-49.
    Wang J, Stavrou A, and Ghosh A. HyperCheck: a hardware-assisted integrity monitor[J]. IEEE Transactions on Dependable and Secure Computing, 2014, 11(4): 332-344.
    Ding B, He Y, Wu Y, et al.. HyperVerify: a vm-assisted architecture for monitoring hypervisor non-control data[C]. Proceedings of the IEEE 7th International Conference on Software Security and Reliability-Companion, Gaithersburg, MD, USA, 2013: 26-34.
    Liu Z, Lee J H, Zeng J, et al.. CPU transparent protection of OS kernel and hypervisor integrity with programmable DRAM[C]. Proceedings of the 40th Annual International Symposium on Computer Architecture, Tel-Aviv, Israel, 2013: 392-403.
    Chen S, Xu J, Sezer E C, et al.. Non-control-data attacks are realistic threats[C]. Proceedings of the 14th Usenix Security Symposium, Baltimore, MD, USA, 2005: 177-192.
    Ding B, He Y, Wu Y, et al.. Systemic threats to hypervisor non-control data[J]. IET Information Security, 2013, 7(4): 349-354.
    俞能海, 郝卓, 徐甲甲, 等. 云安全研究進(jìn)展綜述[J]. 電子學(xué)報(bào), 2013, 41(2): 371-381.
    Yu Neng-hai, Hao Zhuo, Xu Jia-jia, et al.. Review of cloud computing security[J]. Acta Electronica Sinica, 2013, 41(2): 371-381.
    Park J and Sandhu R. Towards usage control models: beyond traditional access control[C]. Proceedings of the 7th ACM Symposium on Access Control Models and Technologies, New York, NY, USA, 2002: 57-64.
    熊厚仁, 陳性元, 張斌, 等. 基于雙層角色和組織的可擴(kuò)展訪問控制模型[J]. 電子與信息學(xué)報(bào), 2015, DOI: 10.11999/ JEIT141255.
    Xiong Hou-ren, Chen Xing-yuan, Zhang Bin, et al.. Scalable access control model based on double-tier role and organization[J]. Journal of Electronics Information Technology, 2015, DOI: 10.11999/JEIT141255.
    Alferes J J, Banti F, and Brogi A. An event-condition-action logic programming language[C]. Proceedings of the 10th European Conference on JELIA, Liverpool, 2006: 29-42.
    Kivity A, Kamay Y, Laor D, et al.. KVM: the linux virtual machine monitor[C]. Proceedings of the 2007 Linux Symposium, Ottawa, Canada, 2007: 225-230.
  • 加載中
計(jì)量
  • 文章訪問數(shù):  1279
  • HTML全文瀏覽量:  226
  • PDF下載量:  701
  • 被引次數(shù): 0
出版歷程
  • 收稿日期:  2015-01-27
  • 修回日期:  2015-06-23
  • 刊出日期:  2015-10-19

目錄

    /

    返回文章
    返回