
Research on Xen-based Virtual Machines

The Research on Virtual Machine Based-on Xen

【Author】 Meng Jiangtao

【Supervisor】 Lu Xianliang

【Author information】 University of Electronic Science and Technology of China, Computer System Architecture, 2010, PhD

【Abstract (translated from the Chinese)】 Xen is a virtual machine monitor running on the x86 architecture; it supports multiple guest operating systems running simultaneously with high performance and strong isolation. Xen is open-source software released under the GNU licence. With the development of modern computers and the popularity of the Intel x86 architecture, Xen has become a research hotspot. This thesis systematically summarises and analyses previous research, and studies Xen-based virtual machines in depth with respect to operating system security, reliability, application-specific performance and application-specific deployment. The main contributions are:

1. A model for improving the operating system security of Xen virtual machines. The new model uses the protection rings together with the functions of a security kernel, with the virtual machine monitor Xen protecting the runtime security kernel. The virtual machine monitor runs in the most privileged ring; the security kernel and user processes run in the next most privileged ring and the least privileged ring respectively. When the security kernel in the next most privileged ring attempts to write certain critical system resources, the write must be verified and approved by Xen running in the most privileged ring. As a result, the model prevents malicious code from modifying and bypassing the runtime security kernel.

2. A formal method for improving the reliability of block device IO in Xen virtual machines. Formal methods such as Communicating Sequential Processes (CSP) and software architecture are used to describe Xen's block device IO architecture, and design rules constraining the concurrent interaction of its components are added, which theoretically guarantees freedom from deadlock in those interactions and improves system reliability. Guided by these design rules, the relevant programs were reworked. Experiments show that the optimisation causes some reduction in IO throughput, but because system reliability is strengthened the optimisation is still worthwhile.

3. A prototype for logging the system calls of the guest operating system on Xen virtual machines. The prototype runs the guest operating system in non-privileged mode on top of the virtual machine monitor Xen, with redirection and logging modules added to Xen. When an application issues a system call, it is redirected from the least privileged level into the virtual machine monitor Xen at the most privileged level; after logging is complete, control returns to the guest operating system at the intermediate privilege level to complete the system call. Compared with traditional system call logging methods, the prototype makes it harder for an attacker to destroy or tamper with the logs.

4. A Xen-based intrusion detection system prototype. SNARE is a well-known intrusion detection system for Linux, but it is itself vulnerable to attack. A new method protects it using the capabilities of the virtual machine monitor: SNARE is ported to two virtual machines running on Xen, and its two main components (the kernel patch and the audit daemon) are separated into two virtual machines strongly isolated by Xen. Xen provides a mechanism for sharing memory between two virtual machines; using it, the kernel patch running in one virtual machine records audit logs and transfers them to the audit daemon running in the other. Compared with conventional SNARE, the new method makes it harder for an attacker to destroy or tamper with the logs.

5. A performance-optimised virtual machine network prototype for a class of popular IP network applications. Multiple virtual machines run on the virtual machine monitor Xen, which creates and manages them. The core of the prototype is a new virtual network card through which all the virtual machines are interconnected into a network used for inter-VM communication. Compared with Xen's standard model, experiments and analysis show that the prototype improves inter-VM communication performance and reduces user request response time by about 42%.

6. For a specific application scenario (collaborative commerce among enterprises in a manufacturing industry chain), a three-tier collaborative commerce service deployment architecture based on Xen virtual machines. The architecture lets multiple enterprises in a manufacturing industry chain form a virtual enterprise, share databases, and carry out business collaboration among member enterprises conveniently, flexibly and securely. Deploying the application servers in Xen virtual machines not only clearly reduces the total cost of ownership (TCO) of service deployment but also simplifies the deployment of application services.

【Abstract】 Xen is a virtual machine monitor for x86 that supports execution of multiple guest operating systems with high performance and strong resource isolation. Xen is open source software released under the terms of the GNU General Public License. With the development of modern computers and the popularity of the Intel x86 architecture, more research is being focused on Xen. In this thesis, previous research is surveyed and analysed comprehensively. For virtual machines based on Xen, we present detailed research on several topics: secure operating systems, system reliability, and performance and deployment for specific applications. The main results are as follows:

1. A novel model for enhancing the security of the operating system is proposed. In the model, Xen is used to protect the runtime security kernel. The virtual machine monitor runs in the most privileged ring; the security kernel and user processes run in the next most privileged ring and the least privileged ring respectively. When the security kernel attempts to write certain critical system resources, the write must be verified and approved by Xen. The model therefore prevents malicious code from modifying and then bypassing the runtime security kernel.

2. A formal method is proposed to improve the reliability of the block device IO architecture in Xen. Theories such as CSP and software architecture are used to formalise the architecture, and design rules are proposed to constrain the concurrent interactions among the components of the block device architecture, so that deadlocks are prevented in theory and reliability is improved. Guided by the design rules, the related programs were overhauled. Preliminary experiments indicate that the revision adds little overhead while the reliability of the system is enhanced, so the overhaul is still worthwhile.

3. A novel prototype for logging system calls is designed. In the design, the guest operating system runs on top of Xen in non-privileged mode, and redirecting and monitoring modules are added to Xen. When a guest application issues a system call, it is trapped and redirected from the least privileged level into the virtual machine monitor running at the most privileged level. After logging is finished, control returns to the guest operating system running at the intermediate privilege level, which then performs the system call. Compared with traditional methods for logging system calls, the novel method makes it more difficult to destroy or tamper with the logs.

4. An intrusion detection system based on Xen is designed. SNARE is a well-known intrusion detection system for Linux; however, it is itself vulnerable. A novel approach is designed to protect SNARE from being tampered with: SNARE is ported onto two virtual machines running over Xen, and its two principal components, the kernel patch and the audit daemon, are separated into two virtual machines strongly isolated by Xen. Using the mechanism Xen provides for sharing memory between virtual machines, the SNARE kernel patch running in one virtual machine records audit logs and transfers them to the audit daemon running in the other. Compared with the traditional SNARE, the novel method makes it more difficult to destroy or tamper with the audit logs.

5. For a class of popular IP network applications, a prototype of an optimised network for virtual machines is proposed. Several virtual machines run on top of Xen, which creates and manages them. The core of the prototype is a new virtual network card; all virtual machines are interconnected by this device into a network designed for communication between the virtual machines. Compared with the default Xen model, the prototype improves communication performance and reduces the response time for requests by 42%, as supported by preliminary experiments and evaluations.

6. For a specific application scenario (the collaborative business service of a manufacturing industrial chain), a 3-tier architecture for deploying the service on Xen is presented that groups the enterprises of the chain into one virtual enterprise. For the member enterprises of a virtual enterprise, the virtual enterprise supports sharing a database and running the collaborative business service easily, flexibly and securely. Because Xen is used to deploy the application servers, the total cost of ownership is reduced sharply and it is easier to deploy the application servers.
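The deadlock argument in result 2 (design rules constraining how the block device's frontend and backend interact, checked with CSP-style reasoning) can be made concrete with an explicit state-space search. The following Python is an illustration added by the editor, not the thesis's CSP models or any Xen code. The two process models, the backend's "batch" parameter and the candidate design rule are constructed assumptions chosen to show the kind of rule the abstract refers to; they are not Xen's actual blkfront/blkback protocol.

```python
"""Exhaustive deadlock check for a small CSP-style model of Xen's split
block driver: a frontend issuing requests into a bounded ring and a
backend servicing them.

Added illustration, not code from the thesis. The two process models and
the backend's "batch" parameter are constructed assumptions chosen to show
the kind of interaction rule the abstract describes; they are not Xen's
actual blkfront/blkback protocol.
"""
from collections import deque
from itertools import product


def frontend(ring_slots):
    """State = outstanding requests (0..ring_slots). It may issue a request
    while a ring slot is free and take a response while any is pending."""
    proc = {}
    for n in range(ring_slots + 1):
        moves = []
        if n < ring_slots:
            moves.append(("req", n + 1))
        if n > 0:
            moves.append(("resp", n - 1))
        proc[n] = moves
    return proc


def backend(batch):
    """Collects `batch` requests before answering, then drains them one
    response at a time: ("c", k) = collecting, k queued; ("d", k) = draining,
    k left to answer."""
    proc = {}
    for k in range(batch):
        proc[("c", k)] = [("req", ("d", batch) if k + 1 == batch else ("c", k + 1))]
    for k in range(batch, 0, -1):
        proc[("d", k)] = [("resp", ("c", 0) if k == 1 else ("d", k - 1))]
    return proc


def alphabet(proc):
    return {ev for moves in proc.values() for ev, _ in moves}


def enabled(procs, alphabets, state):
    """Joint moves under alphabetised parallel composition: an event in a
    process's alphabet needs that process to offer it; a process whose
    alphabet lacks the event keeps its state."""
    for ev in sorted(set().union(*alphabets)):
        choices = []
        for proc, alpha, s in zip(procs, alphabets, state):
            if ev not in alpha:
                choices.append([s])
                continue
            targets = [t for e, t in proc[s] if e == ev]
            if not targets:
                break
            choices.append(targets)
        else:
            for nxt in product(*choices):
                yield ev, nxt


def find_deadlock(procs, inits):
    """Breadth-first search of the composite state space; returns the event
    trace to the first state with no enabled move, or None if none exists."""
    alphabets = [alphabet(p) for p in procs]
    start = tuple(inits)
    seen, queue = {start}, deque([(start, ())])
    while queue:
        state, trace = queue.popleft()
        succ = list(enabled(procs, alphabets, state))
        if not succ:
            return trace
        for ev, nxt in succ:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + (ev,)))
    return None


def ring_deadlock_trace(ring_slots, batch):
    return find_deadlock([frontend(ring_slots), backend(batch)], [0, ("c", 0)])


def satisfies_design_rule(ring_slots, batch):
    """Candidate design rule: the backend must never wait for more requests
    than the ring can hold before it starts answering."""
    return batch <= ring_slots


if __name__ == "__main__":
    for slots, b in product(range(1, 5), repeat=2):
        trace = ring_deadlock_trace(slots, b)
        print(f"slots={slots} batch={b} rule={satisfies_design_rule(slots, b)} "
              f"deadlock={'none' if trace is None else '->'.join(trace)}")
```

With one ring slot and a backend that waits for two requests, the search finds the deadlock after a single `req`: the frontend can only accept a response, the backend can only accept another request, and neither side can move. For every combination in the sweep the exhaustive check agrees with the candidate rule `batch <= ring_slots`, which is the shape of guarantee the abstract attributes to its design rules: a local constraint on each component that rules out the blocked joint state.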
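Result 4 moves the SNARE kernel patch and the audit daemon into separate VMs and hands records across a Xen shared-memory region. The following Python models that producer/consumer transfer; it is an illustration added by the editor, not SNARE's or the thesis's code. The index and record layouts, the 4 KiB region size and the sample records are constructed assumptions, and the real mechanism (a granted page with memory barriers around the index updates) is not modelled. The point a practitioner should take from it is on the consumer side: the monitored VM is the one expected to be compromised, so the daemon validates every record length against what the producer has actually published, copies records into its own memory before releasing the ring slots, and never lets the producer overwrite unread data.

```python
"""Single-producer, single-consumer audit-record ring over a shared memory
region: a monitored VM (SNARE kernel patch) appends records, a separate
audit VM (SNARE daemon) copies them out.

Added illustration, not code from the thesis or from SNARE. The header and
record layouts, the 4 KiB region size and the sample records are constructed
assumptions. On Xen the region would be a granted page and the index
updates would need memory barriers, which this Python model does not show.
"""
import struct

PAGE = 4096
IDX = struct.Struct("<I")        # one 32-bit index; producer at 0, consumer at 4
REC = struct.Struct("<IHH")      # pid, syscall number, payload length (assumed)
DATA_OFF = 2 * IDX.size          # record bytes start after the two indices
DATA_LEN = PAGE - DATA_OFF


def _write(buf, pos, data):
    """Copy `data` into the ring at logical position `pos`, wrapping."""
    pos %= DATA_LEN
    first = min(len(data), DATA_LEN - pos)
    buf[DATA_OFF + pos:DATA_OFF + pos + first] = data[:first]
    buf[DATA_OFF:DATA_OFF + len(data) - first] = data[first:]


def _read(buf, pos, n):
    """Read `n` bytes from logical position `pos`, wrapping."""
    pos %= DATA_LEN
    first = min(n, DATA_LEN - pos)
    return (bytes(buf[DATA_OFF + pos:DATA_OFF + pos + first])
            + bytes(buf[DATA_OFF:DATA_OFF + n - first]))


class SharedRing:
    """The shared region. Indices are monotonic byte counters (the demo
    stays well below 2**32); only the producer writes `prod`, only the
    consumer writes `cons`."""
    def __init__(self):
        self.buf = bytearray(PAGE)

    def indices(self):
        return IDX.unpack_from(self.buf, 0)[0], IDX.unpack_from(self.buf, 4)[0]

    def set_prod(self, v):
        IDX.pack_into(self.buf, 0, v)

    def set_cons(self, v):
        IDX.pack_into(self.buf, 4, v)


class KernelPatchSide:
    """Runs in the monitored VM: appends a record, never overwrites unread data."""
    def __init__(self, ring):
        self.ring = ring

    def log(self, pid, sysno, payload):
        prod, cons = self.ring.indices()
        rec = REC.pack(pid, sysno, len(payload)) + payload
        if len(rec) > DATA_LEN - (prod - cons):
            return False           # ring full: caller retries later, nothing is silently lost
        _write(self.ring.buf, prod, rec)
        self.ring.set_prod(prod + len(rec))   # publish only after the bytes are in place
        return True


class AuditDaemonSide:
    """Runs in the audit VM: copies records into memory the monitored VM cannot reach."""
    def __init__(self, ring):
        self.ring = ring
        self.store = []            # private copy; survives compromise of the other VM

    def drain(self):
        prod, cons = self.ring.indices()
        n = 0
        while cons < prod:
            pid, sysno, ln = REC.unpack(_read(self.ring.buf, cons, REC.size))
            # The producer side may be hostile: never trust a length that runs
            # past what it has actually published.
            if REC.size + ln > prod - cons:
                raise ValueError("malformed record at offset %d" % cons)
            self.store.append((pid, sysno, _read(self.ring.buf, cons + REC.size, ln)))
            cons += REC.size + ln
            n += 1
        self.ring.set_cons(cons)   # release the slots only after the copy is made
        return n


def demo():
    """Fill the ring, drain it, fill it again so records wrap around the end."""
    ring = SharedRing()
    patch, daemon = KernelPatchSide(ring), AuditDaemonSide(ring)
    payload = b"/etc/shadow".ljust(100, b"\0")   # constructed sample argument
    first = 0
    while patch.log(1234, 2, payload):             # 2 = open() on x86-64 Linux
        first += 1
    drained_first = daemon.drain()
    second = 0
    while patch.log(1234, 2, payload):
        second += 1
    drained_second = daemon.drain()
    return first, drained_first, second, drained_second, len(daemon.store)


if __name__ == "__main__":
    print(demo())
```

Each 108-byte sample record fits 37 times into the 4088 data bytes, so `demo()` reports 37 records written, 37 drained, 37 more written across the wrap-around, 37 drained, and 74 records held in the daemon's private store. A record whose length field has been corrupted from the monitored side is rejected by `drain()` rather than read past the published data.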
