1. Institute of Intelligent Machines, Chinese Academy of Sciences, Hefei 230031, Anhui, China
2. Anhui Institute of Circular Economy Technology and Engineering, Chinese Academy of Sciences, Hefei 230088, Anhui, China
3. Department of Automation, University of Science and Technology of China, Hefei 230027, Anhui, China
Chao-yuan Cui (b. 1972), male, from Hohhot, Inner Mongolia; Ph.D.; associate researcher and master's supervisor at the Institute of Intelligent Machines, Chinese Academy of Sciences. Research interests: virtualization and information security.
Yun Wu (b. 1974), female, from Hohhot, Inner Mongolia; Ph.D.; associate researcher and master's supervisor at the Anhui Institute of Circular Economy Technology and Engineering, Chinese Academy of Sciences. Research interests: artificial intelligence and virtualization.
Ping Li (b. 1989), male, from Anqing, Anhui; master's student at the University of Science and Technology of China. Research interest: virtualization technology.
Xiao-ming Zhang (b. 1979), male, from Jinan, Shandong; associate researcher and master's supervisor at the Institute of Intelligent Machines, Chinese Academy of Sciences. Research interests: intelligent decision-making, intelligent computing and knowledge engineering.
Online publication date: 2015-08
Print publication date: 2015-08-25
Chao-yuan CUI, Yun WU, Ping LI, et al. Narrowing the semantic gap in virtual machine introspection (original Chinese title: 虚拟机自省中一种消除语义鸿沟的方法) [J]. Journal on Communications, 2015, 36(8): 31-37. DOI: 10.11959/j.issn.1000-436x.2015103.
Abstract: Virtual machine introspection (VMI) is widely used in areas such as intrusion detection and malware analysis. Because of the semantic gap, however, both the generality and the efficiency of VMI suffer when it retrieves a virtual machine's internal state. After analysing the shortcomings of existing semantic-gap bridging techniques, this paper proposes a method called ModSG. ModSG is a modular system that divides semantic restoration into two parts: an online phase that interacts directly with the user to construct semantic views, and an offline phase that interacts only with the operating system to parse high-level semantic knowledge. The two phases are implemented as independent modules, and the offline module supplies the online module with the kernel semantic information it needs during semantic view construction. Experiments on different virtual machine states and on operating systems with different kernel versions show that ModSG is accurate and efficient in narrowing the semantic gap. Its modular design and deployment also make ModSG easy to extend to other operating systems and virtualization platforms.
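The following is an added example, not code from the paper or from ModSG itself, that models the offline/online split the abstract describes. The offline phase is reduced to a kernel "profile" (symbol addresses plus struct member offsets); the offsets in PROFILE_A and PROFILE_B are hypothetical constants chosen for the illustration, not real Linux layouts, and a real profile would be derived from the guest kernel's System.map and vmlinux debug information. The online phase walks raw guest memory using nothing but that profile to rebuild the process list, so the same walker serves two different "kernel versions". Guest memory is treated as a flat image (no page-table walk) to keep the example short; the sample process table and the DKOM-style unlink are constructed data.

```python
"""Toy model of the offline/online split for bridging the VMI semantic gap.
Added example: not the paper's code; all offsets and data are hypothetical."""
import struct

# --- Offline phase output: kernel semantic profiles (hypothetical offsets, not real kernels) ---
PROFILE_A = {
    "kernel": "toy-kernel-A",
    "symbols": {"init_task": 0x1000},
    "task_struct": {"tasks": 0x10, "pid": 0x20, "comm": 0x28, "size": 0x40},
    "comm_len": 16,
}
# A second 'kernel version' with a different layout; the online walker must not change.
PROFILE_B = {
    "kernel": "toy-kernel-B",
    "symbols": {"init_task": 0x2000},
    "task_struct": {"tasks": 0x40, "pid": 0x60, "comm": 0x68, "size": 0x80},
    "comm_len": 16,
}

# Constructed sample process table used to populate the fake guest memory.
SAMPLE_PROCS = [(0, "swapper/0"), (1, "systemd"), (2, "kthreadd"), (1337, "sshd")]


def task_address(profile, index):
    """Address of the index-th task_struct in the constructed image (index 0 is init_task)."""
    return profile["symbols"]["init_task"] + index * profile["task_struct"]["size"]


def build_guest_image(profile, procs):
    """Construct a fake flat guest memory image laid out per `profile`: each task_struct
    carries a circular doubly linked list_head `tasks`, a 32-bit pid and a NUL-terminated comm."""
    ts = profile["task_struct"]
    n = len(procs)
    img = bytearray(task_address(profile, n))
    for i, (pid, comm) in enumerate(procs):
        addr = task_address(profile, i)
        nxt = task_address(profile, (i + 1) % n) + ts["tasks"]
        prv = task_address(profile, (i - 1) % n) + ts["tasks"]
        struct.pack_into("<QQ", img, addr + ts["tasks"], nxt, prv)  # list_head {next, prev}
        struct.pack_into("<I", img, addr + ts["pid"], pid)
        name = comm.encode()[: profile["comm_len"] - 1]
        img[addr + ts["comm"]: addr + ts["comm"] + len(name)] = name
    return bytes(img)


class GuestMemory:
    """Read-only view of raw guest memory as the hypervisor sees it (flat, no paging)."""

    def __init__(self, image):
        self.image = image

    def read(self, addr, size):
        if addr < 0 or addr + size > len(self.image):
            raise ValueError(f"guest read out of range: {addr:#x}+{size:#x}")
        return self.image[addr: addr + size]

    def read_u64(self, addr):
        return struct.unpack("<Q", self.read(addr, 8))[0]

    def read_u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]


def list_processes(mem, profile, max_tasks=65536):
    """Online phase: rebuild the (pid, comm) view by walking init_task.tasks.
    Only the profile carries semantics; the walker itself is kernel-version agnostic."""
    ts = profile["task_struct"]
    head = profile["symbols"]["init_task"] + ts["tasks"]
    seen, procs, cur = set(), [], head
    while True:
        task = cur - ts["tasks"]                    # container_of(cur, task_struct, tasks)
        if task in seen:
            raise ValueError(f"tasks list loops without returning to head at {task:#x}")
        seen.add(task)
        pid = mem.read_u32(task + ts["pid"])
        comm = mem.read(task + ts["comm"], profile["comm_len"]).split(b"\0", 1)[0].decode()
        procs.append((pid, comm))
        cur = mem.read_u64(cur)                     # list_head.next
        if cur == head:
            return procs
        if len(procs) >= max_tasks:
            raise ValueError("tasks list too long: corrupt list or wrong profile")


def profile_fits(mem, profile):
    """Cheap sanity check: does walking `mem` with `profile` yield a well-formed list?"""
    try:
        list_processes(mem, profile)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def dkom_unlink(image, profile, index):
    """Constructed DKOM-style attack: unlink task `index` from the tasks list in place.
    The task_struct stays allocated, so a list walk misses it while a memory scan would not."""
    img = bytearray(image)
    lh = task_address(profile, index) + profile["task_struct"]["tasks"]
    nxt, prv = struct.unpack_from("<QQ", img, lh)
    struct.pack_into("<Q", img, prv, nxt)           # prev->next = next
    struct.pack_into("<Q", img, nxt + 8, prv)       # next->prev = prev
    return bytes(img)


if __name__ == "__main__":
    for prof in (PROFILE_A, PROFILE_B):
        print(prof["kernel"], list_processes(GuestMemory(build_guest_image(prof, SAMPLE_PROCS)), prof))
    hidden = GuestMemory(dkom_unlink(build_guest_image(PROFILE_A, SAMPLE_PROCS), PROFILE_A, 3))
    print("after DKOM unlink:", list_processes(hidden, PROFILE_A))
```

Two practitioner points the toy makes visible. First, a profile is only valid for the exact kernel build it was generated from: applying PROFILE_B to an image built for PROFILE_A reads outside the image (or, with a subtler mismatch, returns plausible garbage), which is why a deployed system should verify the guest's kernel identity before trusting a reconstructed view. Second, a semantic view built by following the guest's own linked structures inherits their integrity: after `dkom_unlink` the hidden task_struct is still in memory but absent from the list walk, so list-walking introspection should be cross-checked against an independent source such as a pool or signature scan of guest memory.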