Journal of Shandong University (Natural Science) ›› 2014, Vol. 49 ›› Issue (09): 135-141. doi: 10.6040/j.issn.1671-9352.2.2014.438

• Articles •

Protection mechanism research of access control system in virtual domain

ZOU De-qing1, YANG Kai1, ZHANG Xiao-xu2, YUAN Bo-yang2, FENG Ming-lu2

  1. School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, Hubei, China;
  2. CECT-ChinaCOMM Communications Co., Ltd, Beijing 100022, China
  • Received: 2014-06-24 Revised: 2014-08-28 Online: 2014-09-20 Published: 2014-09-30
  • About the author: ZOU De-qing (1975-), male, professor, Ph.D.; research interests: system security and fault-tolerant computing. E-mail: deqingzou@hust.edu.cn
  • Supported by:
    National High Technology Research and Development Program of China (2012AA012600)

Abstract: To effectively raise the security level of a system, a new scheme is proposed that uses the isolation and high privilege of the hypervisor to protect kernel integrity in commodity operating systems and the security of the access control system inside a virtual domain. In this scheme the access control system is separated into three parts: the Policy Management (PM) module, the Security Server (SS) module and the Policy Enforcement (PE) module. SEVD (security-enhanced virtual domain), a prototype of this protection mechanism, was implemented on the Xen virtualization platform by modifying the Xen hypervisor. Test results show that SEVD effectively protects the access control system in the guest OS and resists popular rootkit attacks. In terms of performance, SEVD adds no overhead compared with the SELinux access control system. It also provides centralized configuration of security policy for virtual domains in a virtual machine environment, which effectively reduces the complexity of security policy management.

Key words: memory protection, access control system, hypervisor, virtualization

CLC Number: 

  • TP316