To enhance the security capability of the kernel-based virtual machine (KVM) hypervisor, this paper proposes a multi-layer security capability enhancement technique built around multiple vulnerability points. It combines Hypervisor type hiding, VMX extension instruction monitoring, protection of the ioctl system-call interaction interface, dynamic integrity measurement of KVM, and anti-unloading protection to strengthen the KVM Hypervisor and to detect unknown interface-based attacks in a timely manner. A prototype of the hardened Hypervisor, Security-KVM (Sec-KVM), was implemented in a KVM full-virtualization environment. Experimental results show that Sec-KVM can hide the Hypervisor type, improve the KVM Hypervisor's resistance to attack, protect the integrity of KVM and of the ioctl system-call interface, prevent attacks from spreading, and promptly detect unknown attacks launched through the KVM service interface.
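The abstract names dynamic integrity measurement of KVM and anti-unloading protection without showing how either check is performed. The following is an added illustration, written for this page and not code from the paper or from the Sec-KVM prototype: it hashes a code region against a baseline measurement and parses a `/proc/modules`-style listing to detect that a required KVM module has disappeared. The module names `kvm` and `kvm_intel`, the `REQUIRED_MODULES` list, and all sample inputs are assumptions constructed for the example (an Intel host is assumed; an AMD host would need `kvm_amd`).

```python
import hashlib

# Hypothetical host-side monitor illustrating two checks named in the abstract:
# (1) dynamic integrity measurement of KVM code, (2) detection of module unloading.
# Nothing here is the paper's own implementation.

# Assumption: Intel host, so the VMX backend module is kvm_intel.
REQUIRED_MODULES = ("kvm", "kvm_intel")

# Constructed stand-in for the KVM text region; a real monitor would read the
# module's code pages from kernel context instead of a byte string.
KVM_TEXT_BASELINE_REGION = b"\x55\x48\x89\xe5\x0f\x01\xc2\xc3" * 16  # constructed bytes

# Constructed /proc/modules-style snapshots: "name size refcount deps state address".
PROC_MODULES_OK = """\
kvm_intel 360448 0 - Live 0x0000000000000000
kvm 983040 1 kvm_intel, Live 0x0000000000000000
"""
PROC_MODULES_UNLOADED = """\
kvm 983040 0 - Live 0x0000000000000000
"""


def measure(region):
    """Return the SHA-256 measurement of a code region as a hex digest."""
    return hashlib.sha256(region).hexdigest()


def loaded_modules(proc_modules_text):
    """Parse /proc/modules-style text into the set of loaded module names."""
    names = set()
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def missing_modules(proc_modules_text):
    """List required KVM modules that are no longer present (unloading check)."""
    present = loaded_modules(proc_modules_text)
    return [m for m in REQUIRED_MODULES if m not in present]


class IntegrityMonitor:
    """Holds the baseline measurement taken at a trusted point in time and
    re-measures the region on demand (the 'dynamic' part of the measurement)."""

    def __init__(self, baseline_region):
        self.baseline = measure(baseline_region)

    def region_intact(self, current_region):
        return measure(current_region) == self.baseline

    def alerts(self, current_region, proc_modules_text):
        """Run both checks and return a list of human-readable alert strings."""
        found = []
        if not self.region_intact(current_region):
            found.append("kvm code region measurement differs from baseline")
        for name in missing_modules(proc_modules_text):
            found.append("required module unloaded: " + name)
        return found


if __name__ == "__main__":
    mon = IntegrityMonitor(KVM_TEXT_BASELINE_REGION)
    print("healthy:", mon.alerts(KVM_TEXT_BASELINE_REGION, PROC_MODULES_OK))
    tampered = bytearray(KVM_TEXT_BASELINE_REGION)
    tampered[4] ^= 0xFF  # constructed single-byte modification
    print("tampered:", mon.alerts(bytes(tampered), PROC_MODULES_UNLOADED))
```

The baseline is captured once, and every later call re-measures the live region rather than trusting the earlier result; a real deployment would take the baseline from a trusted source (for example a signed reference hash) rather than from the running module itself.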