Netinfo Security (信息网络安全) ›› 2014, Vol. 14 ›› Issue (12): 43-46. doi: 10.3969/j.issn.1671-1122.2014.12.009

• Technical Research •

An Intrusion Prevention Method for Xen Hypercalls

李辉, 陈兴蜀, 张磊, 王文贤   

  1. Institute of Network and Trusted Computing, College of Computer Science, Sichuan University, Chengdu, Sichuan 610065, China
  • Received: 2014-11-05 Published online: 2014-12-15
  • Corresponding author: CHEN Xing-shu chenxsh@scu.edu.cn
  • About the authors: LI Hui (1989-), male, from Chongqing, master's student; main research interests: virtualization, operating systems. CHEN Xing-shu (1968-), female, from Sichuan, PhD, professor; main research interests: trusted computing, cloud computing, information security. ZHANG Lei (1983-), male, from Sichuan, PhD candidate; main research interest: information security. WANG Wen-xian (1978-), male, from Fujian, lecturer, PhD; main research interests: information security, new-media public opinion analysis, and cloud computing.
  • Funding:
    National Key Technology R&D Program of China [2012BAH18B05]

A Method to Defend Intrusion from Hypercall of Xen

LI Hui, CHEN Xing-shu, ZHANG Lei, WANG Wen-xian   

  1. School of Computing, Sichuan University, Chengdu, Sichuan 610065, China
  • Received: 2014-11-05 Online: 2014-12-15

Abstract (translated from the Chinese): Cloud computing has developed rapidly and is widely deployed; virtualization, as a key enabler of cloud computing, improves a platform's resource utilization and management capability. As an open-source virtualization package, Xen's distinctive design and strong virtualization performance have led many cloud service providers to adopt it, yet the Xen hypervisor also faces many security problems. The privileged interfaces Xen exposes to virtual machines can be exploited by malicious code inside a VM, allowing an attacker to attack Xen or the other VMs running on it. Addressing the risk that the hypercall interface Xen offers to VMs is abused by malicious guest-kernel code, this paper proposes an execution-path analysis method that traces back the VM execution path that issued a hypercall and compares it with an initial training set of paths, so that hypercalls cannot be exploited by malicious guest-kernel code. By walking the guest kernel stack and combining instruction analysis with the guest kernel's symbol table, the method dynamically traces and reconstructs VM execution paths from within the virtualization platform. In experiments on Xen, the training set was obtained by creating a fresh VM and running it in isolation; the set contains the execution paths of all VM code that issued the hypercall. During subsequent VM operation, the execution path corresponding to each such hypercall is reconstructed dynamically and compared against the training set, preventing hypercalls from abnormal execution paths.

Keywords (translated): Xen, kernel stack, function call graph, instruction analysis

Abstract: Cloud computing is developing fast and is widely used; as an important support for cloud computing, virtualization has improved the efficiency of resource utilization and the management capability of a platform. As open-source virtualization software, Xen's unique design and excellent performance have led many cloud service providers to adopt it, but those providers are also troubled by the security problems of the Xen hypervisor. The privileged interfaces provided by Xen can be exploited by malicious code in a virtual machine, which intruders can use to attack Xen or the virtual machines running above it. To solve the problem of Xen hypercalls being abused by malicious code inside the guest kernel, a method to analyze the execution path of the guest kernel is provided: it traces the execution path of the guest kernel that launched the hypercall and compares it with a training set constructed at the beginning, which makes it possible to prevent hypercalls from being misused by malicious guest-kernel code. By tracking the stack information of the guest kernel, the execution path of the virtual machine is reconstructed with the help of instruction analysis and the symbol table of the guest kernel, and unexpected execution paths to hypercalls are blocked. We experimented with our idea on the Xen platform: a new virtual machine was created to obtain its training set during its run time. Then, when this hypercall happens, the corresponding execution path is constructed dynamically and compared with the training set, so that unforeseen invocations of hypercalls are avoided.

Key words: Xen, kernel stack, function call graph, instruction analysis
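As an added example (not code from the paper, nor from Xen), the following Python sketches the enforcement logic both abstracts describe: return addresses gathered from the guest kernel stack are resolved against a System.map-style symbol table (nearest lower symbol), the resulting caller-to-callee path is tagged with the hypercall name, and the paths seen while a freshly created VM runs alone form the training set that later hypercalls are checked against. The symbol names, addresses, stack samples and hypercall name are all constructed; the paper's actual stack walking and instruction analysis inside Xen are not reproduced, and an address outside the kernel text segment is treated as a reconstruction failure rather than silently mapped.

```python
"""Added example, not the paper's or Xen's own code: reconstruct a guest-kernel
execution path from stack return addresses via a System.map-style symbol table,
then enforce a per-hypercall whitelist of paths learned during a training run.
All addresses, symbols and the hypercall name below are constructed."""
import bisect

# Constructed guest kernel symbol table (System.map-like): (start address, symbol),
# sorted by address. Each symbol's range runs up to the next symbol's start.
SYMBOL_TABLE = [
    (0xffffffff81000000, "_stext"),
    (0xffffffff81010000, "do_syscall_64"),
    (0xffffffff81020000, "sys_mmap"),
    (0xffffffff81030000, "do_mmap"),
    (0xffffffff81040000, "xen_set_pte"),
    (0xffffffff81050000, "HYPERVISOR_mmu_update"),
    (0xffffffff81060000, "rogue_module_entry"),  # constructed: a caller never seen in training
    (0xffffffff81070000, "_etext"),
]
_STARTS = [start for start, _ in SYMBOL_TABLE]
TEXT_START, TEXT_END = SYMBOL_TABLE[0][0], SYMBOL_TABLE[-1][0]


def resolve(addr):
    """Map a return address to the symbol whose range contains it, or None if it
    lies outside the guest kernel text segment."""
    if not (TEXT_START <= addr < TEXT_END):
        return None
    i = bisect.bisect_right(_STARTS, addr) - 1
    return SYMBOL_TABLE[i][1]


def reconstruct_path(return_addrs, hypercall):
    """Turn return addresses read from the guest kernel stack (innermost frame first)
    into a caller-to-callee tuple of symbols ending in the hypercall name."""
    symbols = []
    for addr in reversed(return_addrs):  # outermost caller first
        sym = resolve(addr)
        if sym is None:
            raise ValueError("return address 0x%x outside kernel text" % addr)
        symbols.append(sym)
    return tuple(symbols) + (hypercall,)


class HypercallPathMonitor:
    """Learns the set of execution paths per hypercall while training, then
    reports whether a newly observed path was seen in training."""

    def __init__(self):
        self.training = {}      # hypercall name -> set of allowed paths
        self.learning = True    # True while the fresh VM runs alone

    def observe(self, hypercall, return_addrs):
        """Return True if the hypercall is allowed; False means the path is unknown."""
        path = reconstruct_path(return_addrs, hypercall)
        if self.learning:
            self.training.setdefault(hypercall, set()).add(path)
            return True
        return path in self.training.get(hypercall, set())


# Constructed stack samples: return addresses, innermost frame first.
NORMAL_STACK = [0xffffffff81050010, 0xffffffff81040010, 0xffffffff81030010,
                0xffffffff81020010, 0xffffffff81010010]
ROGUE_STACK = [0xffffffff81050010, 0xffffffff81060010, 0xffffffff81010010]

if __name__ == "__main__":
    monitor = HypercallPathMonitor()
    monitor.observe("mmu_update", NORMAL_STACK)   # training run
    monitor.learning = False                      # switch to enforcement
    print(monitor.observe("mmu_update", NORMAL_STACK))  # True
    print(monitor.observe("mmu_update", ROGUE_STACK))   # False
```

The whitelist is keyed by hypercall so that a path legitimate for one hypercall does not implicitly authorize another; in practice the training set must be collected from a VM running in isolation, as the abstract states, or an attacker-controlled path could be learned as normal.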
