
A Protective Mechanism for the Access Control System in the Virtual Domain (cited by: 1)

Abstract: In the traditional framework, the mandatory access control (MAC) system and malicious software both run in kernel mode. Malware can therefore prevent the MAC system from starting, or render it ineffective once started. This problem cannot be solved within the traditional framework: if the operating system (OS) is compromised, the malware runs at ring 0, with the same privilege as the MAC system it attacks. In this paper, we propose a novel way to use a hypervisor to protect kernel integrity and the access control system of a commodity operating system. We separate the access control system into three parts: policy management (PM), the security server (SS) and policy enforcement (PE). Policy management and the security server reside in a separate security domain, where the isolation provided by the hypervisor protects them from malware running in the guest. Between the SS and the PE we add an access vector cache (AVC) in the guest OS, so that repeated decisions are served locally and communication between the guest OS and the security domain is reduced. The policy enforcement module itself is retained in the guest OS for performance. The integrity of the AVC and the PE is ensured by a hypervisor-based memory protection mechanism; the goal of protecting the OS kernel is to ensure the integrity of the enforcement path. We implemented the system on a modified Xen hypervisor. The results show that the access control system in the guest OS can be protected with no overhead compared with the original in-kernel modules. Our system also offers a centralized security policy for all virtual domains in a virtual machine environment.
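The abstract describes an architecture rather than an algorithm, so the following is a small user-space model of it, added here as an example and not code from the paper: a `SecurityServer` standing for PM and SS in the security domain, an `AccessVectorCache` and `PolicyEnforcement` standing for the guest-kernel side, a cross-domain query counted on every AVC miss, and a flush of every guest AVC when the central policy is reloaded. The paper protects the AVC with hypervisor memory protection; this model cannot do that, so it substitutes an `audit()` in which the security domain compares the guest's cached decisions against its own policy, the way an introspection-based monitor would read guest memory. The SELinux-style type names (`httpd_t`, `html_t`, `shadow_t`) and permission bits are constructed for the demonstration.

```python
"""Model of a split MAC system: PM+SS in a security domain, PE+AVC in the guest.

Added example; not the paper's code. Type names and permission bits are
constructed for illustration.
"""
from typing import Dict, List, Tuple

READ, WRITE, EXEC = 1, 2, 4          # constructed access-vector bits
Key = Tuple[str, str]                # (subject type, object type)


class SecurityServer:
    """Security domain: owns the policy (PM) and computes access vectors (SS).

    Guest-side code never holds a reference to `_policy`; it only calls
    `compute_av`, which models a hypercall into the security domain.
    """

    def __init__(self, rules: Dict[Key, int]):
        self._policy: Dict[Key, int] = dict(rules)
        self._avcs: List["AccessVectorCache"] = []
        self.queries = 0                 # cross-domain requests served

    def register(self, avc: "AccessVectorCache") -> None:
        self._avcs.append(avc)

    def compute_av(self, key: Key) -> int:
        """Answer one access-vector query; default-deny for unknown pairs."""
        self.queries += 1
        return self._policy.get(key, 0)

    def reload_policy(self, rules: Dict[Key, int]) -> None:
        """Centralized policy change: stale decisions in every guest are flushed."""
        self._policy = dict(rules)
        for avc in self._avcs:
            avc.flush()

    def audit(self, avc: "AccessVectorCache") -> bool:
        """Stand-in for hypervisor memory protection of the AVC (model only):
        recompute what the guest cache should hold and compare with what it holds."""
        expected = {k: self._policy.get(k, 0) for k in avc.entries}
        return expected == avc.entries


class AccessVectorCache:
    """Guest kernel: caches SS decisions; a miss crosses into the security domain."""

    def __init__(self, ss: SecurityServer):
        self._ss = ss
        self.entries: Dict[Key, int] = {}
        self.hits = 0
        self.misses = 0
        ss.register(self)

    def lookup(self, key: Key) -> int:
        if key in self.entries:
            self.hits += 1
            return self.entries[key]
        self.misses += 1
        av = self._ss.compute_av(key)
        self.entries[key] = av
        return av

    def flush(self) -> None:
        self.entries.clear()


class PolicyEnforcement:
    """Guest kernel hook, kept in the guest for performance; consults the AVC only."""

    def __init__(self, avc: AccessVectorCache):
        self._avc = avc

    def permitted(self, subject: str, obj: str, requested: int) -> bool:
        return (self._avc.lookup((subject, obj)) & requested) == requested


def demo() -> Dict[str, object]:
    """Run the scenario: cache miss/hit, in-guest tampering, central policy reload."""
    rules = {("httpd_t", "html_t"): READ, ("httpd_t", "shadow_t"): 0}
    ss = SecurityServer(rules)
    avc = AccessVectorCache(ss)
    pe = PolicyEnforcement(avc)

    first = pe.permitted("httpd_t", "html_t", READ)        # miss: one cross-domain query
    second = pe.permitted("httpd_t", "html_t", READ)       # hit: answered in the guest
    denied = pe.permitted("httpd_t", "shadow_t", READ)     # miss, and the SS denies it

    # Ring-0 malware in the guest overwrites a cached decision. Without protection
    # of the AVC the guest now grants access; the security domain's audit sees it.
    avc.entries[("httpd_t", "shadow_t")] = READ
    tampered_ok = pe.permitted("httpd_t", "shadow_t", READ)
    caught = not ss.audit(avc)

    # Operator changes policy centrally; every guest AVC is flushed, so the next
    # decision is fetched fresh from the security domain.
    ss.reload_policy({("httpd_t", "html_t"): READ | WRITE})
    after = pe.permitted("httpd_t", "html_t", WRITE)

    return {"first": first, "second": second, "denied": denied,
            "tampered_ok": tampered_ok, "caught": caught, "after": after,
            "queries": ss.queries, "hits": avc.hits, "misses": avc.misses,
            "entries_after_reload": len(avc.entries)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes is the one the abstract argues: the guest-resident pieces (PE and AVC) are the only attack surface left in the guest, and a single tampered cache entry is enough to turn a denial into a grant, which is why the paper places them under hypervisor memory protection rather than trusting the guest kernel.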
Source: China Communications (SCIE, CSCD), 2016, No. 11, pp. 129-142 (14 pages).
Funding: supported by the National 973 Basic Research Program of China under grant No. 2014CB340600, the National Natural Science Foundation of China under grants No. 61370230 and No. 61662022, the Program for New Century Excellent Talents in University under grant NCET-13-0241, and the Natural Science Foundation of Hubei Province under grant No. 2016CFB371.
Keywords: hypervisor; virtualization; memory protection; guest OS; access control system; memory protection mechanism; virtual domain; operating system kernel; security server; mandatory access control; malware
About the authors

Jinan Shen received his MS degree from the Computer School of Wuhan University, China, in 2009. He is currently a PhD candidate at Huazhong University of Science and Technology (HUST). His research interests are in the area of security in cloud computing, focusing on privacy preservation in the cloud. Email: jnshen@hust.edu.cn.

Deqing Zou is a Professor of Computer Science at Huazhong University of Science and Technology (HUST), Wuhan, China. He received his PhD at HUST in 2004. His main research interests include system security, trusted computing, virtualization and cloud security. He has led one "863" project of China and three NSFC (National Natural Science Foundation of China) projects, and has been a core member of several important national projects, such as the National 973 Basic Research Program of China. He has applied for almost 20 patents and published two books (one entitled "Xen Virtualization Technologies" and the other "Trusted Computing Technologies and Principles") and more than 50 high-quality papers, including papers in IEEE Transactions on Dependable and Secure Computing and the IEEE Symposium on Reliable Distributed Systems. He has served as a reviewer for several prestigious journals, such as IEEE Transactions on Parallel and Distributed Systems, IEEE Transactions on Computers, IEEE Transactions on Dependable and Secure Computing and IEEE Transactions on Cloud Computing. He is on the editorial boards of four international journals, and has served as PC chair or PC member of more than 40 international conferences. He is the corresponding author; email: deqingzou@hust.edu.cn.

Hai Jin received the PhD degree in computer engineering from the Huazhong University of Science and Technology (HUST), China, in 1994. He is currently a Cheung Kong Scholars Chair Professor of computer science and engineering at HUST, and the dean of the School of Computer Science and Technology at HUST. He worked at the University of Hong Kong between 1998 and 2000 and was a visiting scholar at the University of Southern California between 1999 and 2000. He is the chief scientist of ChinaGrid, the largest grid computing project in China, and the chief scientist of the National 973 Basic Research Program project on virtualization technology of computing systems. He is a member of the Grid Forum Steering Group. He has coauthored 15 books and published more than 400 research papers. His research interests include computer architecture, virtualization technology, cluster computing and grid computing, peer-to-peer computing, network storage, and network security. He is the steering committee chair of the International Conference on Grid and Pervasive Computing, the Asia-Pacific Services Computing Conference, the International Conference on Frontier of Computer Science and Technology, and the Annual ChinaGrid Conference. He is a member of the steering committees of the IEEE/ACM International Symposium on Cluster Computing and the Grid, the IFIP International Conference on Network and Parallel Computing, the International Conference on Grid and Cooperative Computing, the International Conference on Autonomic and Trusted Computing, and the International Conference on Ubiquitous Intelligence and Computing. He was awarded the Excellent Youth Award from the National Science Foundation of China in 2001. In 1996, he was awarded a German Academic Exchange Service Fellowship to visit the Technical University of Chemnitz, Germany. He is a senior member of the IEEE and a member of the ACM. Email: hjin@hust.edu.cn.

Kai Yang received the MS degree in computer science and technology from the Huazhong University of Science and Technology (HUST), Wuhan, China, in 2011. His research interests include security in parallel computing and cloud computing. Email: youngky2008@gmail.com.

Bin Yuan received the BS degree in computer science and technology from the Huazhong University of Science and Technology (HUST), Wuhan, China, in 2013, where he is currently working toward the PhD degree in computer science and technology. His research interests include security in SDN and cloud computing. Email: yuanbin@hust.edu.cn.

Weiming Li received the PhD degree in computer science from Huazhong University of Science and Technology (HUST), Wuhan, China, in 2006. He is currently an associate professor at the Network and Computing Center of Huazhong University of Science and Technology. His current research focuses on system security, especially malware analysis and detection using binary analysis techniques. He also has interests in network security. He has published over 30 refereed papers and won the first prize of the Hubei Province Science and Technology Progress Award in 2011.
Citing documents: 1. Secondary citing documents: 2.