一种针对Xen超级调用的入侵防护方法

doi:10.3969/j.issn.1671-1122.2014.12.009

信息网络安全 ›› 2014, Vol. 14 ›› Issue (12): 43-46.doi: 10.3969/j.issn.1671-1122.2014.12.009

一种针对Xen超级调用的入侵防护方法

李辉, 陈兴蜀, 张磊, 王文贤

四川大学计算机学院网络与可信计算研究所,四川成都 610065

收稿日期:2014-11-05 出版日期:2014-12-15
通讯作者: 陈兴蜀 chenxsh@scu.edu.cn
作者简介:李辉（1989-）,男,重庆,硕士研究生,主要研究方向：虚拟化、操作系统;陈兴蜀（1968-）,女,四川,博士,教授,主要研究方向：可信计算、云计算、信息安全;张磊（1983-）,男,四川,博士研究生,主要研究方向：信息安全;王文贤（1978-）,男,福建,讲师,博士,主要研究方向：信息安全、新媒体舆情和云计算。
基金资助:
国家科技支撑计划[2012BAH18B05]

A Method to Defend Intrusion from Hypercall of Xen

LI Hui, CHEN Xing-shu, ZHANG Lei, WANG Wen-xian

School of computing, Sichuan University, Chengdu Sichuan 610065, China

Received:2014-11-05 Online:2014-12-15

摘要/Abstract

摘要： 云计算技术已飞速发展并被广泛应用,虚拟化作为云计算的重要支撑,提高了平台对资源的利用效率与管理能力。作为一款开源虚拟化软件,Xen独特的设计思想与优良的虚拟化性能使其被许多云服务商采用,然而Xen虚拟机监视器同样面临着许多安全问题。Xen为虚拟机提供的特权接口可能被虚拟机恶意代码利用,攻击者可以借此攻击Xen或者运行其上的虚拟机。文章针对Xen向虚拟机提供的超级调用接口面临被恶意虚拟机内核代码利用的问题,提出了一种基于执行路径的分析方法,用以追溯发起该超级调用的虚拟机执行路径,与一个最初的路径训练集进行对比,可以避免超级调用被恶意虚拟机内核代码利用。该方法通过追溯虚拟机内核堆栈信息,结合指令分析与虚拟机内核符号表信息,实现了虚拟化平台下对虚拟机执行路径的动态追踪与重构。在Xen下进行实验,通过创建新的虚拟机并让其单独运行来获得训练集,训练集中包含所有发起该超级调用的虚拟机路径信息。在随后虚拟机运行过程中针对该超级调用动态构造出对应的虚拟机执行路径,将其与训练集对比,避免非正常执行路径的超级调用发生。

关键词: Xen, 内核堆栈, 函数调用图, 指令分析

Abstract: Cloud computing is developing fast and widely used, as an important support for cloud computing, virtualization has improved the efficiency of resource utilization and management capability for a platform. As an open source software for virtualization, the unique design and excellent performance make Xen adopted by many could service providers, which are also troubled by the security problems of Xen hypervisor. The privilege interfaces provided by Xen can be utilized by malicious code of virtual machine, which can be used by intruders to attack Xen or virtual machines running above. To solve the problem of hypercalls of Xen to be abused by malicious code inside guest kernel, a method to analyze the execution path of guest kernel is provided, which is used to trace the execution path of guest kernel that has launched this hypercall, compared with the training set constructed at the beginning, preventing hypercalls being misused by malicious code of guest kernel becomes possible. By tracking stack information of guest kernel, the execution path of virtual machine is reconstructed and built up with the help of instruction analysis and symbol table of guest kernel, unexpected execution paths of hypervalls are avoided with this method. We experimented our idea on Xen platform, a new virtual machine was created to get its training set during its running time. Then when this heprcall happens, the corresponding execution path is constructed dynamically, compared with the training set, unforeseen invoking to hypervalls is avoided.

Key words: Xen, kernel stack, function call graph, instruction analysis

中图分类号:

TP309

李辉, 陈兴蜀, 张磊, 王文贤. 一种针对Xen超级调用的入侵防护方法[J]. 信息网络安全, 2014, 14(12): 43-46.

LI Hui, CHEN Xing-shu, ZHANG Lei, WANG Wen-xian. A Method to Defend Intrusion from Hypercall of Xen[J]. 信息网络安全, 2014, 14(12): 43-46.

参考文献

[1] Riley R, Jiang X, Xu D. Guest-transparent prevention of kernel rootkits with vmm-based memory shadowing[C]//Recent Advances in Intrusion Detection. Springer Berlin Heidelberg, 2008: 1-20.
[2] Lange J R, Dinda P. Symcall: Symbiotic virtualization through vmm-to-guest upcalls[C]//ACM SIGPLAN Notices. ACM, 2011, 46(7): 193-204.
[3] Sharif M I, Lee W, Cui W, et al. Secure in-vm monitoring using hardware virtualization[C]// Proceedings of the 16th ACM conference on Computer and communications security. ACM, 2009: 477-487.
[4] Jiang J, Jia X, Feng D, et al. HyperCrop: a hypervisor-based countermeasure for return oriented programming[M]. Information and Communications Security. Springer Berlin Heidelberg, 2011.360-373.
[5] Barham P, Dragovic B, Fraser K, et al. Xen and the art of virtualization[J]. ACM SIGOPS Operating Systems Review, 2003, 37(5): 164-177.
[6] Garfinkel T. Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools[C]//NDSS. 2003, 3: 163-176.
[7] 石晶翔,陈蜀宇,黄晗辉. 基于Linux系统调用的内核级Rootkit技术研究[J]. 计算机技术与发展,2010,20（4）：175-178.
[8] Xianghe L, Liancheng Z, Shuo L. Kernel rootkits implement and detection[J]. Wuhan University Journal of Natural Sciences, 2006, 11(6): 1473-1476.
[9] 赵欣,谭小彬,奚宏生. 一种改进的基于系统调用的入侵检测算法[J]. 数据通信,2010,（2）：48-51.
[10] 苏锦秀,陈莉君. 基于系统调用的日志系统的设计与实现[J]. 西安邮电学院学报,2012,16（4）：59-61.
[11] Xu M, Wu L, Qi S, et al. A similarity metric method of obfuscated malware using function-call graph[J]. Journal of Computer Virology and Hacking Techniques, 2013, 9(1): 35-47.
[12] Shang S, Zheng N, Xu J, et al. Detecting malware variants via function-call graph similarity[C]//Malicious and Unwanted Software (MALWARE), 2010 5th International Conference on. IEEE, 2010: 113-120.
[13] Graham S L, Kessler P B, Mckusick M K. Gprof: A call graph execution profiler[J]. ACM Sigplan Notices, 1982, 17(6): 120-126.
[14] Spivey J M. Fast, accurate call graph profiling[J]. Software: Practice and Experience, 2004, 34(3): 249-264.

一种针对Xen超级调用的入侵防护方法

A Method to Defend Intrusion from Hypercall of Xen

RichHTML

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 3

编辑推荐

Metrics

本文评价

[1]	牛鹏飞, 张健, 常青, 顾兆军. 基于Xen的异常行为在线检测平台研究与设计[J]. 信息网络安全, 2016, 16(9): 139-144.
[2]	孙志丹;邹哲峰;刘鹏. 基于云计算技术的信息安全试验系统设计与实现[J]. , 2012, 12(12): 0-0.
[3]	马喆;禹熹;袁傲;易晓磊;沈晴霓. Xen安全机制探析[J]. , 2011, 11(11): 0-0.