
KVM-Based Windows Virtual Machine User Process Protection (cited by: 4)
Abstract: To protect the memory and system call execution paths of processes in Windows virtual machines from malicious code, a KVM-based virtual machine user process protection scheme is proposed. Using hardware virtualization technology, a shadow kernel is built for the Windows virtual machine to bypass hooks that malicious code places on the original kernel's system call paths, which protects the process's system call paths. Meanwhile, process memory is protected by filtering cross-process system calls in the monitoring agent, intercepting the virtual machine's page table switches in KVM, and monitoring the virtual machine's breakpoint exceptions and debug exceptions. In addition, a shadow monitoring agent is built to protect the memory of the virtual machine's monitoring agent. Finally, a KVM-based virtual machine user process protection system, VMPPS, is implemented, and its effectiveness is tested and analyzed. Experimental results show that process memory and system call execution paths are effectively protected within an acceptable performance loss.
Source: Journal of University of Electronic Science and Technology of China (EI, CAS, CSCD, Peking University Core), 2016, Issue 6, pp. 950-957, 8 pages
Funding: National Natural Science Foundation of China (61272447)
Keywords: monitor agent; security protection; user process; virtualization; virtual machine
