虚拟机自省中一种消除语义鸿沟的方法
Narrowing the semantic gap in virtual machine introspection
- 通信学报 2015年36卷第8期 页码:31-37
- 作者机构:
1. 中国科学院 合肥智能机械研究所,安徽 合肥 230031
2. 中国科学院 安徽循环经济技术工程院,安徽 合肥 230088
3. 中国科学技术大学 自动化系,安徽 合肥 230027
- 作者简介:
[ "崔超远(1972-),男,内蒙古呼和浩特人,博士,中国科学院合肥智能机械研究所副研究员、硕士生导师,主要研究方向为虚拟化、信息安全。" ]
[ "乌云(1974-),女,内蒙古呼和浩特人,博士,中国科学院安徽循环经济技术工程院副研究员、硕士生导师,主要研究方向为人工智能、虚拟化。" ]
[ "李平(1989-),男,安徽安庆人,中国科学技术大学硕士生,主要研究方向为虚拟化技术。" ]
[ "张晓明(1979-),男,山东济南人,中国科学院合肥智能机械研究所副研究员、硕士生导师,主要研究方向为智能决策、智能计算、知识工程。" ]
- 基金信息:中国科学院合肥物质科学研究院院长基金资助项目(YZJJ201329);国家自然科学基金资助项目(31171456);国家自然科学基金资助项目(61203373)
DOI:10.11959/j.issn.1000-436x.2015103
中图分类号: TP391-
网络首发:2015-08,
纸质出版:2015-08-25
- 稿件说明:
移动端阅览
崔超远, 乌云, 李平, 等. 虚拟机自省中一种消除语义鸿沟的方法[J]. 通信学报, 2015,36(8):31-37.
Chao-yuan CUI, Yun WU, Ping LI, et al. Narrowing the semantic gap in virtual machine introspection[J]. Journal on Communications, 2015, 36(8): 31-37.
崔超远, 乌云, 李平, 等. 虚拟机自省中一种消除语义鸿沟的方法[J]. 通信学报, 2015,36(8):31-37. DOI: 10.11959/j.issn.1000-436x.2015103.
Chao-yuan CUI, Yun WU, Ping LI, et al. Narrowing the semantic gap in virtual machine introspection[J]. Journal on Communications, 2015, 36(8): 31-37. DOI: 10.11959/j.issn.1000-436x.2015103.
摘要
虚拟机自省技术已经广泛应用于入侵检测和恶意软件分析等领域。但是由于语义鸿沟的存在,获取虚拟机内部信息时会导致其通用性和执行效率降低。通过分析现有语义鸿沟修复技术的不足,提出了一种称为ModSG的语义鸿沟消除方法。ModSG 是一个模块化系统,将语义修复分为 2 部分:与用户直接交互的在线语义视图构建和与操作系统知识交互的离线高级语义解析。二者以独立的模块实现且后者为前者提供语义重构时必要的内核语义信息。针对不同虚拟机状态和不同内核版本操作系统的实验表明,ModSG 在消除语义鸿沟上是准确和高效的。模块化设计和部署也使ModSG容易扩展到其他操作系统和虚拟化平台上。
Abstract
Virtual machine introspection(VMI)has been widely used in areas such as intrusion detection and malware analysis.However
due to the existence of semantic gap
the generality and the efficiency of VMI were partly influenced while getting internal information of a virtual machine.By analyzing the deficiencies of existing technology of semantic gap restoration
a method called ModSG was proposed to bridge the semantic gap.ModSG was a modularity system
it divided semantic restoration into two parts.One was online phase that interact directly with user to construct semantic views
the other was offline phase that only interact with operating system to parse high-level semantic knowledge.Both were implemented via independent module
and the latter provided the former with necessary kernel information during semantic view construction.Experiments on different virtual machine states and different kernel versions show that the ModSG is accurate and efficient in narrowing semantic gap.The modular design and deployment also make ModSG easily to be extended to other operating systems and virtualization platforms.
关键词
Keywords
references
GARFINKEL T , ROSENBLUM M . A virtual machine introspection based architecture for intrusion detection [A ] . Network and Distributed System Security Symposium [C ] . 2003 .
JIANG X , WANG X , XU D . Stealthy malware detection through VMM-based “out-of-the-box” semantic view reconstruction [A ] . Computer and Communication Security [C ] . New York,USA , 2007 . 128 - 138 .
JIANG X , WANG X . Out-of-the-box monitoring of VM-based high-interaction honeypots [A ] . Recent Advances in Intrusion Detection [C ] . Australia , 2007 . 198 - 218 .
HAY B , NANCE K . Forensics examination of volatile system data using virtual introspection [J ] . ACM Sigops OS Review , 2008 , 42 ( 3 ): 74 - 82 .
DOLAN-G B , PAYNE B , LEE W . Leveraging forensic tools for virtual machine introspection [R ] . GT-CS-11-05 , 2011 .
CHEN P M , NOBLE B . When virtual is better than real [J ] . Hot Topics in Operating Systems(HOTOS '01) , 2001 , 8 : 133 - 138 .
JONES S T,A C , ARPACI D , A C , ARPACI D , R H . Antfarm:tracking processes in a virtual machine environment [A ] . Proc of the 2006 USENIX Annual Technical Conference [C ] . 2006 .
LKCD . Linux Kernel Crash Dump [EB/OL ] . http://lkcd.sourceforge.net/ http://lkcd.sourceforge.net/ .
康华 . 从 VMM 中识别 GUEST OS 中的用户进程 [EB/OL ] . http://blog.csdn.net/kanghua/article/details/1820785 http://blog.csdn.net/kanghua/article/details/1820785 .
KANG H . Identify the user process in GUEST OS from VMM [EB/OL ] . http://blog.csdn.net/kanghua/article/details/1820785 http://blog.csdn.net/kanghua/article/details/1820785 .
PFOH J , SCHNEIDER C , ECKERT C . A formal model for virtual machine introspection [A ] . Proceedings of the 2nd Workshop on Virtual Machine Security(VMSec’09) [C ] . Chicago,Illinois,USA , 2009 . 1 - 10 .
DOLAN G B , LEEK T , ZHIVICH M . Virtuoso:narrowing the semantic gap in virtual machine introspection [A ] . Proceedings of the 33rd IEEE Symposium on Security and Privacy [C ] . 2011 , 32 : 297 - 312 .
FU Y , LIN Z . Space traveling across VM:automatically bridging the semantic gap in virtual machine introspection via online kernel data redirection [A ] . Proceedings of the 33rd IEEE Symposium on Security and Privacy [C ] . 2012 . 586 - 600 .
The Xen project power [EB/OL ] . http://www.xenproject.org/ http://www.xenproject.org/ .
KVM [EB/OL ] . http://www.linux-kvm.org/page/Main_Page http://www.linux-kvm.org/page/Main_Page .
QEMU [EB/OL ] . http://wiki.qemu.org/Main_ Page http://wiki.qemu.org/Main_ Page .
石磊 , 邹德清 , 金海 . Xen 虚拟化技术 [M ] . 武汉 : 华中科技大学出版社 , 2009 .
SHI L , ZOU D Q , JIN H . Xen Virtualization Technology [M ] . Wuhan : Huazhong University of Science and Technology Press , 2009 .
英特尔开源软件技术中心 , 复旦大学并行技术处理研究所 . 系统虚拟化:原理与实现 [M ] . 北京 : 清华大学出版社 , 2009 .
Intel Open Source Software Technology Center , Parallel Processing Institute,Fudan University . System Virtualization:Principle and Implementation [M ] . Beijing : Tsinghua University Press , 2009 .
ROBERT L . Linux Kernel Development [M ] . New York : MacMillan Computer PublicationPress , 2005 .
Suterusu [EB/OL ] . https://github.com/dschuermann/suterusu https://github.com/dschuermann/suterusu .
0
浏览量
3155
下载量
4
CSCD
- 网络PDF下载
- XML下载
- Meta-XML下载
- BibTeX下载
- Endnote下载
- RefMan 下载
- NoteExpress下载
- NoteFirst下载
关联资源
相关文章
相关作者
相关机构
AI问答- 技术支持由北京北大方正电子有限公司提供 京ICP备09064830号-19
京公网安备11010802024621 - 本系统建议在Chrome、 IE9+ 以上版本浏览器阅读本站内容,360浏览器请切换至极速模式
- Cookies帮助我们提供服务并提供个性化体验。使用本网站,即表示您同意我们使用Cookies
- 总访问量:582255 今日访问量:71