Research on Key Technologies for Virtual Machine Security Assurance and Performance Optimization
Published: 2018-03-02 09:36
Keywords: virtual machine monitoring; anti-virus; DMA memory security; network function virtualization; TCP/IP protocol stack offloading. Source: University of Chinese Academy of Sciences (Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences), 2017 doctoral dissertation. Document type: degree thesis.
【Abstract】: Virtual machine security is the foundation of current and future information security and one of the core components of cloud computing security; its importance is self-evident. However, on the one hand, traditional host security problems persist in virtualized environments and new security problems are introduced, which makes the security situation more complex; on the other hand, the architectural characteristics of virtual machines also offer new approaches to solving security problems. Starting from the security problems encountered in practical cloud computing deployments, this study investigates security assurance and performance optimization techniques in three areas: code security monitoring inside virtual machines, DMA memory data security, and network security. The main contributions of this dissertation are:

1) An agentless, run-time virtual machine code security monitoring technique based on the "first execution" event. Drawing on the characteristic sequence of hardware events that occurs while an executable program runs in a guest virtual machine, a "first execution" event is defined for the virtual machine, so that guest executable code can be discovered and intercepted by the VMM after it has been loaded into memory but before it is executed by the CPU. The code can therefore be checked transparently and malicious code stopped in time, which solves the semantic gap problem of the out-of-VM monitoring architecture. Building on this idea, an agentless run-time virtual machine anti-virus technique is further proposed; it closes the security holes of traditional anti-virus tools and avoids problems such as anti-virus storms and the virtual machine snapshot rollback vulnerability. Functional verification and performance tests show that VirtAV not only identifies and blocks virus programs accurately and promptly but also provides good performance, delivering a satisfactory experience for common desktop applications.

2) Virtual machine DMA memory security assurance based on IOMMU paravirtualization, together with its performance optimization. The DMA security vulnerability of purely software-emulated devices is identified and the architectural design causes of DMA security problems are analyzed. An IOMMU paravirtualization system is implemented that provides I/O address space isolation and DMA access control uniformly for both emulated devices and hardware pass-through devices, solving the DMA memory data security problem of virtual machines. Performance optimizations, namely a reverse translation buffer, a pre-allocated page pool, and a cache of recently referenced page table pointers, reduce the overhead of IOMMU paravirtualization. Network performance tests show that the optimized PVIOMMU reaches or even exceeds the network performance of a virtualized environment without an IOMMU, with no significant difference in CPU resource consumption.

3) VM-centric virtual network security assurance and performance optimization for NFV environments. A lightweight VM-centric network security service function chain architecture is proposed that effectively defends against attacks launched from inside the network. Using TCP/IP protocol stack offloading, the protocol stacks of user virtual machines and security virtual machines are offloaded to a dedicated virtual machine, which eliminates repeated packet decapsulation and encapsulation, improves network security processing efficiency, reduces packet forwarding latency, and frees CPU resources on the host. TCP latency tests show that with one security virtual machine in the function chain, TOSEC reduces network forwarding latency to 68%-48% of that of an ordinary NFV function chain, and with two security virtual machines in the chain, forwarding latency is further reduced to 33%-22%.
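The first contribution above intercepts guest code after it has been loaded into memory but before the CPU executes it. The following Python model is an added example, not code from the dissertation or from VirtAV: it shows the defender-side mechanics of such a "first execution" trap, in which the VMM withholds execute permission in the guest's extended page table until it has inspected a page, an instruction fetch from an uninspected page exits to the VMM, and an approved page afterwards runs without further exits. The write trap that revokes execute permission, the whole-page hash that stands in for a real scanner, and the program images are all assumptions constructed for this example.

```python
import hashlib
from dataclasses import dataclass

PAGE_SIZE = 4096


@dataclass
class EptEntry:
    """Permissions the VMM grants the guest on one guest-physical page."""
    read: bool = True
    write: bool = True
    execute: bool = False  # withheld until the VMM has inspected the page


class FirstExecutionMonitor:
    """Model of an out-of-VM monitor that owns one guest's EPT and a signature set.

    Assumption (not the dissertation's mechanism): any guest write to a page
    revokes its execute permission, so the next instruction fetch from that page
    faults into the VMM and becomes the page's "first execution" event.
    """

    def __init__(self, num_pages: int, signatures: set) -> None:
        self.memory = [bytearray(PAGE_SIZE) for _ in range(num_pages)]
        self.ept = [EptEntry() for _ in range(num_pages)]
        self.signatures = signatures
        self.scans = 0          # VM exits that led to an inspection
        self.blocked = []       # pages whose execution was refused

    def guest_write(self, page: int, offset: int, data: bytes) -> None:
        """Guest loader copies part of a program image into memory."""
        self.memory[page][offset:offset + len(data)] = data
        # Write trap: the new content is unknown to the VMM, so the page must be
        # inspected again before the CPU may fetch instructions from it.
        self.ept[page].execute = False

    def guest_execute(self, page: int) -> str:
        """Guest CPU fetches an instruction from `page`."""
        if self.ept[page].execute:
            return "executed"  # permission present: native speed, no VM exit
        # Execute permission missing: EPT violation -> VM exit -> first execution
        return self._on_first_execution(page)

    def _on_first_execution(self, page: int) -> str:
        self.scans += 1
        digest = hashlib.sha256(bytes(self.memory[page])).hexdigest()
        if digest in self.signatures:
            self.blocked.append(page)
            return "blocked"  # execute stays revoked; the fetch never happens
        self.ept[page].execute = True  # inspected once; later fetches do not trap
        return "executed"


def page_digest(image: bytes) -> str:
    """Digest of a zero-filled page with `image` loaded at offset 0."""
    page = bytearray(PAGE_SIZE)
    page[:len(image)] = image
    return hashlib.sha256(bytes(page)).hexdigest()


# Constructed sample images: arbitrary distinct bytes, not real programs.
BENIGN_IMAGE = b"CONSTRUCTED-BENIGN-PROGRAM"
MALICIOUS_IMAGE = b"CONSTRUCTED-SAMPLE-SIGNATURE"


def run_demo() -> dict:
    """Loads two images, runs them, and overwrites an approved page."""
    monitor = FirstExecutionMonitor(num_pages=8,
                                    signatures={page_digest(MALICIOUS_IMAGE)})
    outcomes = []
    monitor.guest_write(3, 0, BENIGN_IMAGE)
    outcomes.append(monitor.guest_execute(3))   # first execution: inspected, allowed
    outcomes.append(monitor.guest_execute(3))   # already approved: no VM exit
    monitor.guest_write(5, 0, MALICIOUS_IMAGE)
    outcomes.append(monitor.guest_execute(5))   # first execution: blocked
    outcomes.append(monitor.guest_execute(5))   # still no execute permission
    monitor.guest_write(3, 0, MALICIOUS_IMAGE)  # overwrite an approved page
    outcomes.append(monitor.guest_execute(3))   # permission was revoked: blocked
    return {"outcomes": outcomes, "scans": monitor.scans, "blocked": monitor.blocked}


if __name__ == "__main__":
    print(run_demo())
```

The point the model makes is the cost profile that the abstract claims for VirtAV: inspection happens once per loaded page, at the moment the permission is first needed, and a page that passes runs natively afterwards, while a page that fails never receives execute permission no matter how often the guest retries.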
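The second contribution above relies on an IOMMU to give every device its own I/O address space and to enforce access rights on each DMA, and on a translation cache to keep that enforcement cheap. The Python model below is an added example, not the dissertation's PVIOMMU implementation: it shows a per-device I/O page table, read/write bits checked on every access, a cache that avoids repeated table walks, and the cache invalidation that must accompany unmap so that a device cannot keep reaching memory the guest driver has already released. Device names, page numbers, buffer contents and the single-page access restriction are constructed assumptions.

```python
from dataclasses import dataclass

PAGE = 4096


class DmaFault(Exception):
    """Raised by the IOMMU model when a device access is denied."""


@dataclass
class IoPte:
    """One I/O page table entry: the host page an IOVA page maps to, plus rights."""
    hpa_page: int
    read: bool
    write: bool


class IommuModel:
    """Per-device I/O address spaces with a translation cache (constructed model)."""

    def __init__(self, host_pages: int) -> None:
        self.host_mem = [bytearray(PAGE) for _ in range(host_pages)]
        self.tables = {}     # device -> {iova_page: IoPte}; one isolated space per device
        self.iotlb = {}      # (device, iova_page) -> IoPte; cached translations
        self.walks = 0       # page-table walks (the slow path)
        self.hits = 0        # translations served from the cache
        self.faults = []     # (device, iova, reason) for every denied access

    # --- hypervisor side: back-end of the paravirtual IOMMU interface ---
    def attach(self, dev: str) -> None:
        self.tables[dev] = {}

    def map(self, dev: str, iova_page: int, hpa_page: int, *, read: bool, write: bool) -> None:
        self.tables[dev][iova_page] = IoPte(hpa_page, read, write)

    def unmap(self, dev: str, iova_page: int) -> None:
        self.tables[dev].pop(iova_page, None)
        # Drop the cached translation too; otherwise the device could keep
        # reaching the page after the guest driver has released it.
        self.iotlb.pop((dev, iova_page), None)

    # --- device side: every DMA goes through translation (single page only) ---
    def _translate(self, dev: str, iova: int, *, write: bool):
        page, offset = divmod(iova, PAGE)
        table = self.tables.get(dev)
        if table is None:
            raise DmaFault("unattached")
        pte = self.iotlb.get((dev, page))
        if pte is None:
            self.walks += 1
            pte = table.get(page)
            if pte is None:
                raise DmaFault("unmapped")
            self.iotlb[(dev, page)] = pte
        else:
            self.hits += 1
        if (write and not pte.write) or (not write and not pte.read):
            raise DmaFault("permission")
        return pte.hpa_page, offset

    def dma_write(self, dev: str, iova: int, data: bytes):
        try:
            hpa_page, off = self._translate(dev, iova, write=True)
        except DmaFault as f:
            self.faults.append((dev, iova, str(f)))
            return f"fault:{f}"
        self.host_mem[hpa_page][off:off + len(data)] = data
        return "ok"

    def dma_read(self, dev: str, iova: int, n: int):
        try:
            hpa_page, off = self._translate(dev, iova, write=False)
        except DmaFault as f:
            self.faults.append((dev, iova, str(f)))
            return f"fault:{f}"
        return bytes(self.host_mem[hpa_page][off:off + n])


def run_demo() -> dict:
    """One NIC with a write-only receive buffer and a read-only transmit buffer."""
    iommu = IommuModel(host_pages=16)
    iommu.host_mem[2][:6] = b"SECRET"      # constructed: memory owned by another VM
    iommu.host_mem[10][:8] = b"TXFRAME0"   # constructed: guest transmit buffer
    iommu.attach("nic0")
    iommu.map("nic0", 0, 9, read=False, write=True)   # IOVA page 0 -> rx buffer (host page 9)
    iommu.map("nic0", 1, 10, read=True, write=False)  # IOVA page 1 -> tx buffer (host page 10)
    outcomes = [
        iommu.dma_write("nic0", 16, b"pkt"),          # ok, table walk
        iommu.dma_write("nic0", 32, b"pkt2"),         # ok, cache hit
        iommu.dma_write("nic0", 7 * PAGE, b"x"),      # no mapping for this IOVA
        iommu.dma_write("nic0", 1 * PAGE, b"x"),      # tx buffer is read-only for the device
        iommu.dma_read("nic0", 1 * PAGE, 8),          # ok, cache hit
    ]
    iommu.unmap("nic0", 0)                            # driver releases the rx buffer
    outcomes.append(iommu.dma_write("nic0", 16, b"late"))   # late DMA is refused
    outcomes.append(iommu.dma_write("disk1", 0, b"x"))      # device with no table at all
    return {"outcomes": outcomes, "walks": iommu.walks, "hits": iommu.hits,
            "rx_head": bytes(iommu.host_mem[9][16:20]),
            "secret": bytes(iommu.host_mem[2][:6]), "faults": len(iommu.faults)}


if __name__ == "__main__":
    print(run_demo())
```

The two properties worth checking in any IOMMU-backed design are visible in the result: host page 2 is unreachable from the NIC because no IOVA maps to it, and the write attempted after unmap fails even though the translation had been cached, which only holds because unmap invalidates the cache entry.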
【Degree-granting institution】: University of Chinese Academy of Sciences (Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences)
【Degree level】: Doctor
【Year of degree】: 2017
【Classification】: TP302; TP309
Article ID: 1555972
Page link: http://www.sikaile.net/kejilunwen/jisuanjikexuelunwen/1555972.html