Research on Key Technologies for Virtual Machine Security Assurance and Its Performance Optimization
Published: 2018-03-02 09:36
Keywords: virtual machine monitoring; antivirus; DMA memory security; network function virtualization; TCP/IP protocol stack offloading. Source: University of Chinese Academy of Sciences (Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences), 2017 doctoral dissertation. Document type: degree thesis
[Abstract]: Virtual machine security is the foundation of current and future information security and one of the core components of cloud computing security; its importance is self-evident. However, on the one hand, traditional host security problems persist in the virtual machine environment and new security problems are introduced, which makes the security situation more complex; on the other hand, the architectural characteristics of virtual machines also offer new approaches to solving security problems. Starting from security problems in practical cloud computing deployments, this study investigates security assurance and performance optimization techniques in three areas: code security monitoring in virtual machines, DMA memory data security, and network security. The main contributions of this thesis are:

1) An agentless runtime virtual machine code security monitoring technique based on the "first execution" event. Using the characteristic hardware event sequence that occurs while an executable program runs in a guest virtual machine, a "first execution" event is designed for the virtual machine, so that guest executable code can be discovered and intercepted by the VMM after it has been loaded into memory and before it is executed by the CPU. The code can thus be subjected to a transparent security check and malicious code stopped in time, which solves the semantic gap problem of out-of-VM monitoring architectures. Building on this idea, an agentless runtime virtual machine antivirus technique is further proposed; it closes the security holes of traditional antivirus tools and avoids problems such as antivirus storms and the virtual machine snapshot rollback vulnerability. Functional verification and performance tests show that Virt AV not only identifies and blocks virus programs accurately and promptly but also provides good performance, giving a satisfactory experience for common desktop applications.

2) Virtual machine DMA memory security assurance based on IOMMU paravirtualization, and its performance optimization. The DMA security vulnerability of purely software-emulated devices is identified and the architectural design causes of DMA security problems are analysed. An IOMMU paravirtualization system is implemented that uniformly provides I/O address space isolation and DMA access control for both emulated devices and hardware passthrough devices, solving the DMA memory data security problem of virtual machines. Performance optimizations including a reverse translation buffer, a pre-allocated page pool and a most-recently-referenced page table pointer cache reduce the IOMMU paravirtualization overhead. Network performance tests show that the optimized PVIOMMU reaches or even exceeds the network performance of a virtualized environment without an IOMMU, and the corresponding CPU resource consumption shows no obvious difference.

3) VM-centric virtual network security assurance and its performance optimization for NFV environments. A lightweight, VM-centric network security service function chain architecture is proposed that effectively defends against attacks launched from inside the network. Based on TCP/IP protocol stack offloading, the protocol stacks of the user VM and the security VMs are offloaded to a dedicated VM, eliminating repeated packet decapsulation and encapsulation, improving network security processing efficiency, reducing packet forwarding latency and freeing CPU resources on the host. TCP latency tests show that with one security VM in the function chain, TOSEC reduces network forwarding latency to 68%-48% of that of an ordinary NFV function chain, and with two security VMs in the chain, latency is further reduced to 33%~22%.
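The first-execution interception in contribution 1) can be illustrated with a small model of execute-permission trapping. The C program below is an added example written for this page, not code from the thesis or from Virt AV. The functions `guest_load`, `cpu_fetch` and `vmm_on_first_exec` are hypothetical stand-ins for the guest loader, the CPU instruction fetch and the VMM trap handler; the 64-byte pages, the `exec_allowed` flag (playing the role of an EPT execute bit) and the FNV-1a page hash used as a "scanner" are all constructed assumptions, and the thesis's own hardware event sequence is not reproduced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   64   /* toy page size for the model (assumption) */
#define NUM_PAGES   4
#define MAX_BLOCKED 4

enum verdict { EXEC_ALLOWED = 0, EXEC_BLOCKED = 1 };

/* One guest page as the VMM sees it. On real hardware the execute bit lives
 * in the EPT/NPT entry; here it is a plain flag. */
struct gpage {
    uint8_t data[PAGE_SIZE];
    bool    exec_allowed;   /* cleared on every write, set only by the VMM after a scan */
};

struct guest { struct gpage pages[NUM_PAGES]; };

static uint64_t g_blocklist[MAX_BLOCKED];   /* hashes of known-bad pages (constructed) */
static int      g_blocked_count = 0;
static int      g_scan_count    = 0;        /* first-execution scans the VMM has run */

/* FNV-1a over a whole page: stand-in for a real signature or heuristic scan. */
static uint64_t page_hash(const uint8_t *p) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < PAGE_SIZE; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Lay out a page image exactly as guest_load() does, so hashes agree. */
static void build_page(uint8_t *dst, const uint8_t *src, size_t n) {
    memset(dst, 0, PAGE_SIZE);
    memcpy(dst, src, n < PAGE_SIZE ? n : PAGE_SIZE);
}

/* Register a known-bad sample in the (hypothetical) signature list. */
void av_block_sample(const uint8_t *sample, size_t n) {
    uint8_t img[PAGE_SIZE];
    if (g_blocked_count >= MAX_BLOCKED) return;
    build_page(img, sample, n);
    g_blocklist[g_blocked_count++] = page_hash(img);
}

/* Guest side: the loader writes code into a page. Any write revokes execute
 * permission, so the next instruction fetch from that page traps to the VMM. */
void guest_load(struct guest *g, int page, const uint8_t *code, size_t n) {
    build_page(g->pages[page].data, code, n);
    g->pages[page].exec_allowed = false;
}

/* VMM side: runs on the first-execution trap, i.e. after the code is in memory
 * and before the CPU has executed a single instruction from it. */
static enum verdict vmm_on_first_exec(struct gpage *p) {
    uint64_t h = page_hash(p->data);
    g_scan_count++;
    for (int i = 0; i < g_blocked_count; i++)
        if (g_blocklist[i] == h)
            return EXEC_BLOCKED;      /* page stays non-executable */
    p->exec_allowed = true;           /* later fetches run without trapping */
    return EXEC_ALLOWED;
}

/* CPU side: a fetch from a page without execute permission traps into the
 * VMM; an already-vetted page executes directly, so the scan cost is paid once. */
enum verdict cpu_fetch(struct guest *g, int page) {
    struct gpage *p = &g->pages[page];
    if (p->exec_allowed) return EXEC_ALLOWED;
    return vmm_on_first_exec(p);
}

int scan_count(void) { return g_scan_count; }

/* Walks a constructed scenario; returns how many expectations held (6 when all do). */
int run_demo(void) {
    static const uint8_t benign[] = "constructed benign program";
    static const uint8_t bad[]    = "CONSTRUCTED MALICIOUS SAMPLE";
    struct guest g;
    int ok = 0, before;

    memset(&g, 0, sizeof g);
    g_blocked_count = 0;
    av_block_sample(bad, sizeof bad - 1);
    guest_load(&g, 0, benign, sizeof benign - 1);
    guest_load(&g, 1, bad, sizeof bad - 1);

    before = scan_count();
    ok += cpu_fetch(&g, 0) == EXEC_ALLOWED;   /* first fetch: trap, scan, allow */
    ok += cpu_fetch(&g, 0) == EXEC_ALLOWED;   /* second fetch: no trap */
    ok += scan_count() == before + 1;         /* scanned exactly once */
    ok += cpu_fetch(&g, 1) == EXEC_BLOCKED;   /* malicious page never runs */
    ok += scan_count() == before + 2;
    guest_load(&g, 0, bad, sizeof bad - 1);   /* rewriting a vetted page revokes its verdict */
    ok += cpu_fetch(&g, 0) == EXEC_BLOCKED;
    return ok;
}

int main(void) {
    printf("expectations met: %d of 6\n", run_demo());
    return 0;
}
```

The point of the model is the ordering: the check runs between load and first instruction fetch, which is exactly the window an in-guest agent cannot guarantee, and a page that was vetted once is not re-scanned until it is written again.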
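The DMA isolation in contribution 2) rests on two facts: a device names only I/O virtual addresses (IOVAs), and every access is translated and permission-checked before it reaches guest memory. The C model below is an added example written for this page, not the thesis's PVIOMMU code. The domain table, the `iommu_map_page`/`iommu_unmap_page`/`iommu_dma` functions, the 64-byte pages and the guest layout are constructed; the 1-entry `last` cache is my stand-in for the "most-recently-referenced page table pointer cache" and does not reproduce the thesis's design. `emulated_dev_raw_write` models the unsafe baseline the thesis criticises: an emulated device that writes guest-physical addresses with no translation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT  6
#define PAGE_SIZE   (1u << PAGE_SHIFT)   /* toy 64-byte pages (assumption) */
#define GUEST_PAGES 8
#define MAX_MAPS    8

enum { DMA_READ = 1, DMA_WRITE = 2 };    /* permission bits and access types */
enum dma_status { DMA_OK = 0, DMA_FAULT_UNMAPPED = 1, DMA_FAULT_PERM = 2 };

static uint8_t g_guest_mem[GUEST_PAGES * PAGE_SIZE];   /* guest-physical memory */

struct iommu_map { uint32_t iova_page; uint32_t gpa_page; int perms; bool used; };

/* One protection domain per device. The guest driver maps a buffer into the
 * domain before handing its IOVA to the device; nothing else is reachable. */
struct iommu_domain {
    struct iommu_map maps[MAX_MAPS];
    struct iommu_map last;        /* 1-entry cache of the most recently used mapping */
    bool last_valid;
    int  walks;                   /* full table walks, to show the cache at work */
};

void iommu_map_page(struct iommu_domain *d, uint32_t iova_page, uint32_t gpa_page, int perms) {
    for (int i = 0; i < MAX_MAPS; i++)
        if (!d->maps[i].used) {
            d->maps[i].iova_page = iova_page; d->maps[i].gpa_page = gpa_page;
            d->maps[i].perms = perms;         d->maps[i].used = true;
            return;
        }
}

void iommu_unmap_page(struct iommu_domain *d, uint32_t iova_page) {
    for (int i = 0; i < MAX_MAPS; i++)
        if (d->maps[i].used && d->maps[i].iova_page == iova_page) d->maps[i].used = false;
    if (d->last_valid && d->last.iova_page == iova_page) d->last_valid = false; /* no stale entry */
}

static const struct iommu_map *iommu_lookup(struct iommu_domain *d, uint32_t iova_page) {
    if (d->last_valid && d->last.iova_page == iova_page) return &d->last;   /* cache hit */
    d->walks++;
    for (int i = 0; i < MAX_MAPS; i++)
        if (d->maps[i].used && d->maps[i].iova_page == iova_page) {
            d->last = d->maps[i]; d->last_valid = true;
            return &d->last;
        }
    return NULL;
}

/* A DMA request from the device: translate the IOVA and check the permission
 * before touching guest memory. The toy keeps each transfer inside one page. */
enum dma_status iommu_dma(struct iommu_domain *d, uint32_t iova, int op, uint8_t *buf, size_t n) {
    uint32_t page = iova >> PAGE_SHIFT, off = iova & (PAGE_SIZE - 1);
    const struct iommu_map *m = iommu_lookup(d, page);
    if (!m) return DMA_FAULT_UNMAPPED;
    if (!(m->perms & op)) return DMA_FAULT_PERM;
    if (off + n > PAGE_SIZE) n = PAGE_SIZE - off;
    uint8_t *host = g_guest_mem + m->gpa_page * PAGE_SIZE + off;
    if (op == DMA_WRITE) memcpy(host, buf, n); else memcpy(buf, host, n);
    return DMA_OK;
}

/* Unsafe baseline: an emulated device writing guest-physical addresses directly.
 * A bug or compromise in such a device reaches any guest memory. */
void emulated_dev_raw_write(uint32_t gpa, const uint8_t *buf, size_t n) {
    if (gpa + n <= sizeof g_guest_mem) memcpy(g_guest_mem + gpa, buf, n);
}

/* Walks a constructed scenario; returns how many expectations held (9 when all do). */
int run_demo(void) {
    static const uint8_t pkt[]  = "constructed rx packet";
    static const uint8_t junk[] = "overwritten";
    const uint32_t KERNEL_PAGE = 3, RXBUF_PAGE = 5;    /* constructed guest layout */
    struct iommu_domain dom;
    uint8_t readback[PAGE_SIZE];
    int ok = 0, walks_before;

    memset(&dom, 0, sizeof dom);
    memset(g_guest_mem, 0, sizeof g_guest_mem);
    memcpy(g_guest_mem + KERNEL_PAGE * PAGE_SIZE, "SENTINEL", 8);
    iommu_map_page(&dom, 0, RXBUF_PAGE, DMA_WRITE);   /* RX buffer: IOVA page 0, write-only */
    iommu_map_page(&dom, 2, KERNEL_PAGE, DMA_READ);   /* e.g. a descriptor ring: read-only */

    ok += iommu_dma(&dom, 0, DMA_WRITE, (uint8_t *)pkt, sizeof pkt) == DMA_OK;
    ok += memcmp(g_guest_mem + RXBUF_PAGE * PAGE_SIZE, pkt, sizeof pkt) == 0;
    ok += iommu_dma(&dom, 1 << PAGE_SHIFT, DMA_WRITE, (uint8_t *)junk, sizeof junk) == DMA_FAULT_UNMAPPED;
    ok += iommu_dma(&dom, 2 << PAGE_SHIFT, DMA_WRITE, (uint8_t *)junk, sizeof junk) == DMA_FAULT_PERM;
    ok += iommu_dma(&dom, 2 << PAGE_SHIFT, DMA_READ, readback, 8) == DMA_OK && memcmp(readback, "SENTINEL", 8) == 0;
    ok += memcmp(g_guest_mem + KERNEL_PAGE * PAGE_SIZE, "SENTINEL", 8) == 0;  /* kernel page untouched */

    walks_before = dom.walks;                          /* cache: one walk for two hits on page 0 */
    iommu_dma(&dom, 8, DMA_WRITE, (uint8_t *)pkt, 4);
    iommu_dma(&dom, 16, DMA_WRITE, (uint8_t *)pkt, 4);
    ok += dom.walks == walks_before + 1;

    emulated_dev_raw_write(KERNEL_PAGE * PAGE_SIZE, junk, sizeof junk);   /* no IOMMU: clobbered */
    ok += memcmp(g_guest_mem + KERNEL_PAGE * PAGE_SIZE, "SENTINEL", 8) != 0;

    iommu_unmap_page(&dom, 0);                         /* unmapping revokes access, cache included */
    ok += iommu_dma(&dom, 0, DMA_WRITE, (uint8_t *)pkt, 4) == DMA_FAULT_UNMAPPED;
    return ok;
}

int main(void) {
    printf("expectations met: %d of 9\n", run_demo());
    return 0;
}
```

Two details matter for a defender reviewing such a design: unmapping must invalidate any cached translation (otherwise a freed buffer stays reachable through the cache), and permissions are enforced per mapping, so a read-only descriptor ring cannot be turned into a write target by the device.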
Degree-granting institution: University of Chinese Academy of Sciences (Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences)
Degree level: Doctor
Year of degree: 2017
Classification number: TP302;TP309
Article ID: 1555972
Article link: http://sikaile.net/kejilunwen/jisuanjikexuelunwen/1555972.html