基于访问控制的Hypervisor非控制数据完整性保护

陈志锋; 李清宝; 张平; 曾光裕

doi:10.11999/JEIT150130

基于访问控制的Hypervisor非控制数据完整性保护

doi: 10.11999/JEIT150130

基金项目:

核高基国家科技重大专项(2013JH00103)和国家863目标导向项目(2009AA01Z434)

计量
- 文章访问数: 1257
- HTML全文浏览量: 220
- PDF下载量: 701
- 被引次数: 0
出版历程
- 收稿日期: 2015-01-27
- 修回日期: 2015-06-23
- 刊出日期: 2015-10-19

Access Control Based Hypervisor Non-control Data Integrity Protection

Funds:

The National Science and Technology Major Project of China (2013JH00103)

摘要

摘要: 在虚拟化技术广泛应用的同时虚拟层的安全问题引起了国内外研究人员的密切关注。现有的虚拟机管理器(Hypervisor)完整性保护方法主要针对代码和控制数据的完整性保护，无法抵御非控制数据攻击；采用周期性监控无法提供实时的非控制数据完整性保护。针对现有方法的不足，该文提出了基于UCON的Hypervisor非控制数据完整性保护模型UCONhi。该模型在非控制数据完整性保护需求的基础上简化了UCON模型，继承了UCON模型的连续性和易变性实现非控制数据的实时访问控制。根据攻击样例分析攻击者和攻击对象确定主客体减少安全策略，提高了决策效率；并基于ECA描述UCONhi安全策略，能够有效地决策非控制数据访问合法性。在Xen系统中设计并实现了相应的原型系统Xen-UCONhi，通过实验评测Xen-UCONhi的有效性和性能。结果表明，Xen-UCONhi能够有效阻止针对虚拟机管理器的攻击，且性能开销在10%以内。
- 虚拟机管理器 /
- 非控制数据 /
- 使用控制 /
- 完整性保护 /
- 事件条件行为
Abstract: With the widely spread of virtualization technology, the security problems of virtual layer have attracted the close attention of domestic and foreign researchers at the same time. Existing virtual machine monitor (or Hypervisor) integrity protection methods mainly focus on code and control data integrity protection, and can not resist the non-control data attacks; using periodic monitoring can not provide real-time non-control data integrity protection. According to the deficiencies of the existing methods, Hypervisor non-control data integrity protection model UCONhi is proposed based on Usage CONtral (UCON). The model simplifies the UCON model according to the needs of the non-control data integrity protection, inheriting the continuity and mutability of UCON model to realize real-time access control of non-control data. The attacker and the attacked object are analyzed to determine the subjects and objects and reduce the security policies according to the attacking samples, and UCONhi security policies are described based on ECA, which can effectively decide the legality of non-control data access. A prototype system Xen-UCONhi is designed and implemented based on Xen system, and the effectiveness and performance overhead of Xen-UCONhi are evaluated by comprehensive experiments. The results show that Xen-UCONhi can effectively prevent attacks against Hypervisor with less than 10% performance overhead.
- Virtual Machine Monitor (Hypervisor) /
- Non-control data /
- Usage control /
- Integrity protection /
- Event condition action

HTML全文

参考文献(32)

Garfinkel T and Rosenblum M. A virtual machine introspection based architecture for intrusion detection[C]. Proceedings of the 10th Network and Distributed System Symposium, San Diego, USA, 2003: 191-206.

Lanzi A, Sharif M I, and Lee W. K-Tracer: a system for extracting kernel malware behavior[C]. Proceedings of the 16th Network and Distributed System Security Symposium, San Diego, USA, 2009: 191-203.

Baliga A, Ganapathy V, and Iftode L. Detecting kernel-level rootkits using data structure invariants[J]. IEEE Transactions on Dependable and Secure Computing, 2011, 8(5): 670-684.

李博, 沃天宇, 胡春明, 等. 基于VMM的操作系统隐藏对象关联检测技术[J]. 软件学报, 2013, 24(2): 405-420.

Li Bo, Wo Tian-yu, Hu Chun-ming, et al.. Hidden OS objects correlated detection technology based on VMM[J]. Journal of Software, 2013, 24(2): 405-420.

Criswell J, Dautenhahn N, and Adve V. KCoFI: complete control-flow integrity for commodity operating system kernels[C]. Proceedings of the 35th IEEE Symposium on Security and Privacy, Oakland, 2014: 14-29.

殷波, 王颖, 邱雪松, 等. 一种面向云服务提供商的资源分配机制[J]. 电子与信息学报, 2014, 36(1): 15-21.

Yin Bo, Wang Ying, Qiu Xue-song, et al.. A resource provisioning mechanism for service providers in cloud[J]. Journal of Electronics Information Technology, 2014, 36(1): 15-21.

Barham P, Dragovic B, Fraser K, et al.. Xen and the art of virtualization[C]. Proceedings of the 19th ACM Symposium on Operating Systems Principles, New York, USA, 2003: 164-177.

Wojtczuk R. Subverting the xen hypervisor[R]. Black Hat, USA, 2008.

Rutkowska J and Tereshkin A. Bluepilling the xen hypervisor[R]. Black Hat, USA, 2008.

Zovi D D. Hardware virtualization rootkits[R]. Black Hat Briefings, USA, 2006.

Klein G, Elphinstone K, Heiser G, et al.. SeL4: formal verification of an OS kernel[C]. Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles, New York, USA, 2009: 207-220.

Barthe G, Betarte G, Campo J D, et al.. Formally verifying isolation and availability in an idealized model of virtualization[C]. Proceedings of the 17th International Symposium on Formal Methods, Limerick, Ireland, 2011: 231-245.

Baumann C, Bormer T, Blasum H, et al.. Proving memory separation in a microkernel by code level verification[C]. Proceedings of the 14th IEEE International Symposium on/ Object/Component/Service-OrientedReal-Time Distributed Computing Workshops, Reno, NV, USA, 2011: 25-32.

Shinagawa T, Eiraku H, Tanimoto K, et al.. Bitvisor: a thin hypervisor for enforcing I/O device security[C]. Proceedings of the 2009 ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, New York, USA, 2009: 121-130.

Steinberg U and Kauer B. NOVA: a microhypervisor-based secure virtualization architecture[C]. Proceedings of the 5th European Conference on Computer Systems, New York, USA, 2010: 209-222.

Nguyen A, Raj H, Rayanchu S, et al.. Delusional boot: securing hypervisors without massive re-engineering[C]. Proceedings of the 7th ACM European Conference on Computer Systems, New York, USA, 2012: 141-154.

Wang Z and Jiang X. HyperSafe: a lightweight approach to provide lifetime hypervisor control-flow integrity[C]. Proceedings of the 31st IEEE Symposium on Security and Privacy, Oakland, USA, 2010: 380-395.

Azab A M, Ning P, Wang Z, et al.. HyperSentry: enabling stealthy in-context measurement of hypervisor integrity[C]. Proceedings of the 17th ACM Conference on Computer and Communications Security, Chicago, USA, 2010: 38-49.

Wang J, Stavrou A, and Ghosh A. HyperCheck: a hardware-assisted integrity monitor[J]. IEEE Transactions on Dependable and Secure Computing, 2014, 11(4): 332-344.

Ding B, He Y, Wu Y, et al.. HyperVerify: a vm-assisted architecture for monitoring hypervisor non-control data[C]. Proceedings of the IEEE 7th International Conference on Software Security and Reliability-Companion, Gaithersburg, MD, USA, 2013: 26-34.

Liu Z, Lee J H, Zeng J, et al.. CPU transparent protection of OS kernel and hypervisor integrity with programmable DRAM[C]. Proceedings of the 40th Annual International Symposium on Computer Architecture, Tel-Aviv, Israel, 2013: 392-403.

Chen S, Xu J, Sezer E C, et al.. Non-control-data attacks are realistic threats[C]. Proceedings of the 14th Usenix Security Symposium, Baltimore, MD, USA, 2005: 177-192.

Ding B, He Y, Wu Y, et al.. Systemic threats to hypervisor non-control data[J]. IET Information Security, 2013, 7(4): 349-354.

俞能海, 郝卓, 徐甲甲, 等. 云安全研究进展综述[J]. 电子学报, 2013, 41(2): 371-381.

Yu Neng-hai, Hao Zhuo, Xu Jia-jia, et al.. Review of cloud computing security[J]. Acta Electronica Sinica, 2013, 41(2): 371-381.

Park J and Sandhu R. Towards usage control models: beyond traditional access control[C]. Proceedings of the 7th ACM Symposium on Access Control Models and Technologies, New York, NY, USA, 2002: 57-64.

熊厚仁, 陈性元, 张斌, 等. 基于双层角色和组织的可扩展访问控制模型[J]. 电子与信息学报, 2015, DOI: 10.11999/ JEIT141255.

Xiong Hou-ren, Chen Xing-yuan, Zhang Bin, et al.. Scalable access control model based on double-tier role and organization[J]. Journal of Electronics Information Technology, 2015, DOI: 10.11999/JEIT141255.

Alferes J J, Banti F, and Brogi A. An event-condition-action logic programming language[C]. Proceedings of the 10th European Conference on JELIA, Liverpool, 2006: 29-42.

Kivity A, Kamay Y, Laor D, et al.. KVM: the linux virtual machine monitor[C]. Proceedings of the 2007 Linux Symposium, Ottawa, Canada, 2007: 225-230.

施引文献

资源附件(0)

访问统计