本文選題：VMware + 漏洞檢測(cè)��； 參考：《北京交通大學(xué)》2016年碩士論文

【摘要】：虛擬化技術(shù)憑借充分利用宿主機(jī)資源、快速部署、高可用性等優(yōu)勢(shì)在企業(yè)中得到了廣泛應(yīng)用。近幾年,隨著企業(yè)信息化規(guī)模的不斷擴(kuò)大,虛擬服務(wù)器的部署規(guī)模也在不斷擴(kuò)大,相對(duì)于傳統(tǒng)的企業(yè)IT解決方案,云計(jì)算將應(yīng)用軟件和數(shù)據(jù)庫(kù)遷移至大型數(shù)據(jù)中心的服務(wù)器中,引發(fā)諸多安全挑戰(zhàn)。自云計(jì)算提出以來(lái),安全問(wèn)題就一直困擾著云服務(wù)提供者和使用者,因此,關(guān)注云計(jì)算安全,增強(qiáng)云計(jì)算的安全性己經(jīng)成為人們?nèi)找骊P(guān)注的問(wèn)題。軟硬件技術(shù)發(fā)展以及網(wǎng)絡(luò)應(yīng)用的普及推動(dòng)了虛擬化軟件發(fā)展,比較有代表性的是VNware、Xen、KVM、Hyper-V。以市場(chǎng)占有率來(lái)說(shuō),目前VMware所占的市場(chǎng)比例較大。作為系統(tǒng)虛擬化軟件的代表,VMware平臺(tái),其漏洞多種多樣,包括目錄遍歷漏洞、弱口令漏洞、格式化字符串漏洞、權(quán)限提升漏洞等多種漏洞。這些漏洞可能造成未授權(quán)的信息泄露、未授權(quán)的信息修改、管理員訪問(wèn)權(quán)限獲取等威脅。VMware代碼不開(kāi)源,給其漏洞檢測(cè)帶來(lái)各種困難。本文提出了VMware漏洞檢測(cè)模型,闡述了模型的總體結(jié)構(gòu)、業(yè)務(wù)流程及架構(gòu)設(shè)計(jì),并以VMware的目錄遍歷漏洞、弱口令漏洞、格式化字符串漏洞、權(quán)限提升漏洞為例闡述了模型的具體設(shè)計(jì)與實(shí)現(xiàn)。首先,本文介紹了漏洞相關(guān)背景知識(shí),包括漏洞原理以及漏洞觸發(fā)條件等,并給出了漏洞檢測(cè)模型的設(shè)計(jì)原理及實(shí)現(xiàn)；在VMware方面,本文介紹了該平臺(tái)及其工作特征。同時(shí),論文介紹了虛擬化技術(shù)的分類以及虛擬化環(huán)境下的安全威脅以及應(yīng)對(duì)方式等背景知識(shí),并分析了已有的漏洞檢測(cè)工具及其利弊,給出了用現(xiàn)有工具檢測(cè)VMware漏洞的結(jié)果。本文搭建相應(yīng)版本的服務(wù)器作為實(shí)驗(yàn)環(huán)境,首先掃描服務(wù)器開(kāi)放的端口和服務(wù),然后構(gòu)造相應(yīng)攻擊方式對(duì)目錄遍歷等相關(guān)漏洞進(jìn)行驗(yàn)證。本文實(shí)驗(yàn)針對(duì)目錄遍歷漏洞,通過(guò)構(gòu)造一些特殊的攻擊模型,成功獲取到了虛擬機(jī)相關(guān)配置文件,并在本地還原出虛擬機(jī),獲取用戶敏感信息。另外,本文也針對(duì)VMware弱口令漏洞、格式化字符串漏洞、權(quán)限提升漏洞的檢測(cè)模型進(jìn)行了分析與研究。測(cè)試實(shí)驗(yàn)取得了理想的效果,成功再現(xiàn)了VMware相關(guān)漏洞。實(shí)驗(yàn)表明VMware中的這些漏洞確實(shí)給服務(wù)器帶來(lái)很大的安全隱患,需要提高重視并加以修復(fù)。本文最后討論了VMware相關(guān)漏洞防范措施。
[Abstract]:Virtualization technology has been widely used in enterprises by making full use of host resources, rapid deployment, high availability and other advantages.In recent years, with the continuous expansion of enterprise informatization, the deployment of virtual servers is also expanding. Compared with traditional enterprise IT solutions, cloud computing migrates applications and databases to servers in large data centers.Raises many security challenges.Since cloud computing has been put forward, security issues have been puzzling cloud service providers and consumers. Therefore, paying attention to cloud computing security and enhancing cloud computing security has become a growing concern.The development of software and hardware technology and the popularization of network application promote the development of virtualization software.In terms of market share, VMware accounts for a large proportion of the market.As the representative of system virtualization software, VMware platform has a variety of vulnerabilities, including directory traversal vulnerability, weak password vulnerability, format string vulnerability, privilege promotion vulnerability and so on.These vulnerabilities may cause unauthorized information disclosure, unauthorized information modification, administrator access rights acquisition and other threats. VMware code is not open source, which brings various difficulties to its vulnerability detection.In this paper, the VMware vulnerability detection model is proposed, and the overall structure, business process and architecture design of the model are described. The VMware directory traversal vulnerability, weak password vulnerability, format string vulnerability are used.The specific design and implementation of the model are described as an example.Firstly, this paper introduces the background knowledge of vulnerability, including vulnerability principle and vulnerability trigger condition, and gives the design principle and implementation of vulnerability detection model. In VMware, this paper introduces the platform and its working characteristics.At the same time, this paper introduces the classification of virtualization technology, the security threats and coping methods in virtualized environment, analyzes the existing vulnerability detection tools and their advantages and disadvantages, and gives the results of using existing tools to detect VMware vulnerabilities.This paper builds the corresponding version of the server as the experimental environment, first scanning the server open ports and services, and then construct the corresponding attack to verify the directory traversal and other related vulnerabilities.Aiming at the directory traversal vulnerability, this paper constructs some special attack models, obtains the virtual machine related configuration file successfully, and restores the virtual machine locally to obtain the sensitive information of the user.In addition, this paper also analyzes and studies the detection model of VMware weak password vulnerability, format string vulnerability and privilege enhancement vulnerability.The test results are satisfactory, and the VMware loophole is reproduced successfully.Experimental results show that these vulnerabilities in VMware do bring great security risks to the server, which need to be paid more attention to and fixed.At the end of this paper, the preventive measures of VMware vulnerabilities are discussed.
【學(xué)位授予單位】：北京交通大學(xué)
【學(xué)位級(jí)別】：碩士
【學(xué)位授予年份】：2016
【分類號(hào)】：TP309

【相似文獻(xiàn)】

相關(guān)期刊論文 前10條

1 蔡永新;;淺談VMWare在公安系統(tǒng)中的應(yīng)用[J];計(jì)算機(jī)時(shí)代;2008年12期

2 高巍;;虛擬化技術(shù)的下一個(gè)浪潮[J];程序員;2009年09期

3 岳璐;鐘聯(lián)炯;;VMWare虛擬化遷移技術(shù)的研究[J];科技信息;2012年36期

4 張靜;張慶芳;;VMWare虛擬化技術(shù)在高職教學(xué)中的應(yīng)用[J];福建電腦;2014年02期

5 于淑云;;基于VMWare的Windows server 2003教學(xué)環(huán)境[J];科技資訊;2006年32期

6 包敬海;周小珠;樊東紅;;基于VMWare構(gòu)建虛擬網(wǎng)絡(luò)實(shí)驗(yàn)室的研究[J];計(jì)算機(jī)技術(shù)與發(fā)展;2010年06期

7 封斌;朱楷;;基于虛擬軟件VMWare的計(jì)算機(jī)實(shí)驗(yàn)教學(xué)設(shè)計(jì)[J];廣州航海高等�？茖W(xué)校學(xué)報(bào);2011年04期

8 李佳;;基于VMWare軟件的虛擬化架構(gòu)及企業(yè)解決方案簡(jiǎn)析[J];計(jì)算機(jī)與網(wǎng)絡(luò);2011年01期

9 曹畋;;VMware虛擬化技術(shù)構(gòu)建“云”圖書館初探[J];農(nóng)業(yè)圖書情報(bào)學(xué)刊;2013年12期

10 陸璐;;在VMWare中配置網(wǎng)絡(luò)[J];鄭州鐵路職業(yè)技術(shù)學(xué)院學(xué)報(bào);2006年01期

相關(guān)重要報(bào)紙文章 前10條

1 陳中才;利用VMWare建立多操作系統(tǒng)學(xué)習(xí)服務(wù)器[N];中國(guó)電腦教育報(bào);2003年

2 婁辛研;一個(gè)虛擬化的紀(jì)實(shí)派報(bào)告[N];中國(guó)計(jì)算機(jī)報(bào);2007年

3 ;VMware修復(fù)嚴(yán)重安全漏洞[N];網(wǎng)絡(luò)世界;2013年

4 本報(bào)記者 鄒大斌;VMware躋身大數(shù)據(jù)市場(chǎng)[N];計(jì)算機(jī)世界;2012年

5 謝濤;VMware精耕渠道[N];電腦商報(bào);2010年

6 電腦商報(bào)記者 謝濤;VMware抓伙伴頻出動(dòng)作[N];電腦商報(bào);2008年

7 ;業(yè)界承諾開(kāi)放虛擬化標(biāo)準(zhǔn)[N];計(jì)算機(jī)世界;2005年

8 ;虛擬化大熱 VMware怒斥甲骨文[N];計(jì)算機(jī)世界;2007年

9 ;英特爾攜手VMware加速虛擬化進(jìn)程[N];人民郵電;2008年

10 本報(bào)記者 毛江華;思科攜手VMware推動(dòng)虛擬化創(chuàng)新[N];計(jì)算機(jī)世界;2008年

相關(guān)碩士學(xué)位論文 前3條

1 王巍;基于VMWare ESXi的圖客分享云系統(tǒng)設(shè)計(jì)[D];復(fù)旦大學(xué);2014年

2 夏蘭;基于VMware自動(dòng)化運(yùn)維平臺(tái)的設(shè)計(jì)與實(shí)現(xiàn)[D];吉林大學(xué);2015年

3 白媛媛;面向VMware的漏洞檢測(cè)模型的設(shè)計(jì)與實(shí)現(xiàn)[D];北京交通大學(xué);2016年

，

本文編號(hào)：1733573