
Research on Security of Virtual Machine System in Cloud Computing (original Chinese title: 面向云计算的虚拟机系统安全研究)

【Author】 刘谦 (Liu Qian)

【Supervisor】 李明禄 (Li Minglu)

【Author information】 Shanghai Jiao Tong University, Computer Architecture, 2012, PhD thesis

【Abstract (translated from the Chinese)】 Cloud computing platforms deliver a variety of services over the Internet. This open model makes access convenient for users, but it also introduces potential security risks. Cloud platforms normally use a virtual machine system as their underlying architecture, so the security of the virtual machine system is the core of cloud security. Against this background, this thesis studies three aspects of virtual machine system security in cloud platforms. In cloud platforms, especially private and community clouds, virtual machines usually need to interact and communicate with each other. This interaction, however, creates an opening for attacks and for the spread of malware, so a mechanism is needed to guarantee security in the VM-to-VM communication scenario. To this end, the thesis proposes the Virt-BLP model, a multi-level security (MLS) mandatory access control (MAC) model tailored to virtual machine systems. It defines a set of model elements, security axioms and state transition rules. In a cloud platform, guest VMs provide services to users, while the privileged VM and the virtual machine monitor (VMM) are generally managed by the cloud service provider; based on this characteristic, Virt-BLP defines the privileged VM as a trusted subject whenever it acts as a subject. Some state transition rules of the model can only be executed by a trusted subject, which lets the privileged VM manage and control access and communication between guest VMs. Thus, while providing MAC, Virt-BLP also implements partial discretionary access control (DAC), which fits the characteristics of VM systems well. Based on Virt-BLP, an MLS mandatory access control framework called VMAC was designed and implemented in the Xen virtual machine system; validation experiments show that it successfully maps the functions of the Virt-BLP model into Xen. Virt-BLP is a general model on which other VM systems can design their own MAC frameworks. Guest VMs are what provide services to users in a cloud platform, so only by guaranteeing their security can users obtain cloud services in a secure environment. The thesis studies the runtime security of user-level applications and of the kernel in guest VMs separately. For application-level security, it proposes the in-VM measurement framework Hyperivm, which determines the runtime state of applications in a guest VM. The measurement module measures the executables running in the guest VM and produces measurement values; these are passed to the privileged VM over an inter-VM communication mechanism and stored in a measurement list. Trusted measurement values kept in a reference list are compared at verification time with the corresponding values in the measurement list to judge the state of each executable. A Trusted Platform Module (TPM) is used to guarantee the integrity of the measurement list and the reference list. In addition, a memory watcher module determines the state of the measurement module itself, so that the measurement process is secure. A prototype of the Hyperivm framework was implemented on paravirtualized Xen; besides protecting application security, it showed good efficiency in the performance evaluation. Compared with the security of guest VM applications, the runtime security of the guest kernel is more important. The thesis therefore proposes the dynamic VM monitoring framework Hyperchk, whose goal is to ensure the runtime security of the guest VM kernel. The whole framework is deployed in the privileged VM and monitors the guest VM's kernel memory with the help of the VMM. In a cloud platform the privileged VM and the VMM are not exposed to the outside world and are therefore more secure; this guarantees the reliability of Hyperchk's memory acquisition and, in turn, the security of the monitoring process. Obtaining the key values needed for monitoring by searching the guest VM's kernel memory greatly improves the robustness of the monitoring process. A strategy that adjusts the monitoring frequency according to CPU load raises the detection rate while cutting unnecessary performance overhead. The policy center drives the Hyperchk framework, and its customizability gives the framework good extensibility and flexibility. The Hyperchk prototype implemented on paravirtualized Xen not only detects kernel rootkit attacks against guest VMs effectively but also performs well under different workloads.

【Abstract】 Cloud computing platforms provide services to users through the Internet. This open mode not only facilitates access by users, but also brings potential security risks. Usually, a cloud computing platform uses a virtual machine system as its underlying architecture. Consequently, the security of the virtual machine system is of paramount importance to the security of cloud computing. Against this background, this thesis studies three aspects of the security of virtual machine systems in cloud computing.

In a cloud computing platform, especially in private and community clouds, communication between virtual machines (VMs) is necessary. However, this interaction provides a possible channel for the propagation of attacks and malicious software. For this reason, a mechanism is needed to guarantee security when virtual machines communicate with each other. In this thesis, we propose the Virt-BLP model, a mandatory access control (MAC) model tailored to virtual machine systems that satisfies the requirement of multi-level security (MLS). A series of elements, security axioms and state transition rules are defined in the Virt-BLP model. In a cloud computing platform, guest virtual machines (guest VMs) provide services to users, while the privileged virtual machine (privileged VM) and the virtual machine monitor (VMM) are managed by the cloud service provider. According to this property, Virt-BLP defines the privileged VM as the trusted subject whenever it acts as a subject. Some state transition rules can only be enforced by the trusted subject; as a result, the privileged VM can manage and control the communications between VMs. That is to say, Virt-BLP supports MAC together with partial discretionary access control (DAC). Based on the Virt-BLP model, we design and implement a MAC framework applicable to MLS in Xen, called VMAC. The experimental results show that the functions of the Virt-BLP model are mapped into the VMAC framework successfully. Moreover, Virt-BLP is a versatile model on which other virtual machine systems can establish their own MAC frameworks.

As guest VMs provide services to users, their security is of significant importance to the provision of secure cloud computing services. This thesis studies the security of user-level applications and of the OS kernel in guest VMs respectively. We propose an in-VM measuring framework called Hyperivm to determine the status of user-level applications in guest VMs. The measurement module (MM) measures running executables in guest VMs. All measurement values are transferred to the privileged VM through an inter-VM communication mechanism and stored in the measurement table (MT). A reference table (RT) containing the trusted measurement values of running executables is used to verify the status of executables. The trusted platform module (TPM) is leveraged to guarantee the integrity of the MT and the RT. Moreover, we design a module called the memory watcher (MW) to determine the status of the MM. A working prototype of this in-VM measuring framework is implemented on paravirtualized Xen; it guarantees the security of user-level applications in DomU and shows good efficiency in the performance evaluation.

Compared to the security of user-level applications in guest VMs, the security of the OS kernel in guest VMs is more important. For this reason, we propose a dynamic monitoring framework called Hyperchk to guarantee the runtime security of the OS kernel in guest VMs. This framework is deployed in the privileged VM and monitors the kernel memory of guest VMs via the VMM. Because the privileged VM and the VMM are not exposed to the outside, they run with high security; as a result, the process of retrieving the kernel memory of guest VMs is secure, and the monitoring results are reliable. The key values used in the Hyperchk framework are retrieved by searching the kernel memory of guest VMs, which largely increases the robustness of the monitoring process. Besides, Hyperchk adopts a scheme of self-adjusting monitoring frequency according to the runtime CPU load; this scheme increases the detection rate and also decreases unnecessary overhead. With a customizable policy center, Hyperchk is scalable and flexible. A working prototype of Hyperchk is implemented on paravirtualized Xen. This prototype is effective at detecting kernel rootkits and incurs only acceptable overhead under different workload conditions.
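The Virt-BLP part of the abstract describes an MLS lattice, a trusted subject (the privileged VM) that alone may execute certain state transition rules, and an access matrix that gives the model its partial DAC. The following Python model is an added illustration of that combination written for this page; it is not the thesis's VMAC code. The level structure (classification plus category set), the rule names `grant` and `set_level`, and the classic BLP convention that the trusted subject is exempt from the *-property are assumptions made here.

```python
# Added example (not the thesis's VMAC code): a Virt-BLP-style MLS model for
# VM-to-VM communication. The level lattice, the rule names and the choice of
# which axiom the trusted subject is exempt from are assumptions made here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """Security level = classification plus a category set (standard MLS lattice)."""
    classification: int                       # 0 = lowest ... 3 = highest (assumed scale)
    categories: frozenset = frozenset()

    def dominates(self, other: "Level") -> bool:
        return (self.classification >= other.classification
                and self.categories >= other.categories)


@dataclass
class VM:
    name: str
    level: Level
    trusted: bool = False                     # True only for the privileged VM (Dom0)


class VirtBLP:
    """Subjects and objects are both VMs. The access matrix is the discretionary
    part: every request consults it, but only the trusted subject may edit it."""

    def __init__(self) -> None:
        self.vms: dict[str, VM] = {}
        self.matrix: dict[tuple[str, str], set[str]] = {}   # (subject, object) -> modes

    def add_vm(self, vm: VM) -> None:
        self.vms[vm.name] = vm

    # ---- state transition rules restricted to the trusted subject ----------
    def grant(self, actor: str, subj: str, obj: str, mode: str) -> bool:
        """Rule: add (subj, obj, mode) to the access matrix. Guests get False."""
        if not self.vms[actor].trusted:
            return False
        self.matrix.setdefault((subj, obj), set()).add(mode)
        return True

    def set_level(self, actor: str, target: str, level: Level) -> bool:
        """Rule: relabel a VM. Again only the trusted subject may do this."""
        if not self.vms[actor].trusted:
            return False
        self.vms[target].level = level
        return True

    # ---- access decision: DAC matrix first, then the MAC axioms ------------
    def request(self, subj: str, obj: str, mode: str) -> bool:
        s, o = self.vms[subj], self.vms[obj]
        if mode not in self.matrix.get((subj, obj), set()):
            return False                      # no discretionary permission
        if mode == "read":                    # simple security property: no read up
            return s.level.dominates(o.level)
        if mode == "write":                   # *-property: no write down, except for
            return s.trusted or o.level.dominates(s.level)   # the trusted subject
        return False


def scenario() -> dict[str, bool]:
    """Constructed example: Dom0 (trusted, highest) and two guests at different levels."""
    m = VirtBLP()
    m.add_vm(VM("dom0", Level(3), trusted=True))
    m.add_vm(VM("web", Level(1)))             # low: public-facing service
    m.add_vm(VM("db", Level(2)))              # high: holds customer data
    results = {"guest cannot edit matrix": m.grant("web", "web", "db", "write") is False}
    m.grant("dom0", "web", "db", "write")     # web may push data up to db
    m.grant("dom0", "db", "web", "read")      # db may read from web
    m.grant("dom0", "web", "db", "read")      # a matrix entry alone is not enough ...
    m.grant("dom0", "db", "web", "write")
    m.grant("dom0", "dom0", "web", "write")
    results.update({
        "web writes up to db": m.request("web", "db", "write"),
        "db reads down from web": m.request("db", "web", "read"),
        "web read up denied": m.request("web", "db", "read") is False,   # ... MAC still blocks it
        "db write down denied": m.request("db", "web", "write") is False,
        "dom0 write down allowed": m.request("dom0", "web", "write"),
    })
    m.set_level("dom0", "web", Level(2))      # only Dom0 can relabel; now web == db
    results["web reads db after relabel"] = m.request("web", "db", "read")
    return results
```

The point worth noticing is the order of checks in `request`: the privileged VM can open or close a channel by editing the matrix, but it cannot make a guest read up or write down by doing so, because the MAC axioms are evaluated after the matrix and are not subject to any rule a guest can invoke.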
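The Hyperivm description above relies on three pieces working together: a measurement table filled by the in-VM measurement module, a reference table of trusted values held by the privileged VM, and a TPM that makes the measurement table tamper-evident. The Python below is an added example, not Hyperivm's code, showing how those pieces fit: each measurement is extended into a simulated PCR, and the verifier replays the table through the same extend operation before trusting any entry in it. The hash (SHA-256 rather than the SHA-1 of a TPM 1.2 PCR), the table layout and the sample "executables" are assumptions constructed for the illustration.

```python
# Added example (not Hyperivm's code): measurement table (MT) protected by a
# simulated TPM PCR extend chain and checked against a reference table (RT).
# Hash choice, table layout and the sample binaries are constructed assumptions.
import hashlib

GOOD_BINARIES = {                      # constructed stand-ins for guest executables
    "/usr/bin/sshd": b"\x7fELF sshd build 1",
    "/usr/bin/nginx": b"\x7fELF nginx build 1",
}


def measure(executable: bytes) -> str:
    """What the measurement module computes for each running executable."""
    return hashlib.sha256(executable).hexdigest()


class SimulatedPCR:
    """Models TPM_Extend: PCR_new = H(PCR_old || measurement). A PCR can only be
    extended, never written, so every MT entry is bound into the chain."""

    def __init__(self) -> None:
        self.value = b"\x00" * 32

    def extend(self, measurement_hex: str) -> None:
        self.value = hashlib.sha256(self.value + bytes.fromhex(measurement_hex)).digest()


class MeasurementTable:
    """MT kept in the privileged VM; each record also extends the PCR."""

    def __init__(self) -> None:
        self.entries: list[tuple[str, str]] = []   # (path, measurement)
        self.pcr = SimulatedPCR()

    def record(self, path: str, executable: bytes) -> str:
        m = measure(executable)
        self.entries.append((path, m))
        self.pcr.extend(m)
        return m


def replay_pcr(entries: list[tuple[str, str]]) -> bytes:
    """Recompute the PCR value the table would have produced."""
    pcr = SimulatedPCR()
    for _, m in entries:
        pcr.extend(m)
    return pcr.value


def verify(mt: MeasurementTable, rt: dict[str, str]) -> dict:
    """Verification step: first check MT integrity against the PCR (a table the
    attacker rewrote no longer replays to the TPM value), then compare every
    surviving entry with the reference table."""
    if replay_pcr(mt.entries) != mt.pcr.value:
        return {"mt_integrity": False, "untrusted": []}
    untrusted = [path for path, m in mt.entries if rt.get(path) != m]
    return {"mt_integrity": True, "untrusted": untrusted}


def build_reference_table() -> dict[str, str]:
    return {path: measure(blob) for path, blob in GOOD_BINARIES.items()}


def run_scenario() -> tuple[dict, dict, dict]:
    rt = build_reference_table()
    mt = MeasurementTable()
    for path, blob in GOOD_BINARIES.items():
        mt.record(path, blob)
    clean = verify(mt, rt)
    # Attacker rewrites the MT in memory to hide a trojaned sshd: the PCR,
    # which can only be extended, no longer matches the replayed table.
    mt.entries[0] = ("/usr/bin/sshd", measure(b"\x7fELF sshd trojaned"))
    tampered_table = verify(mt, rt)
    # Honest measurement of a modified binary: MT is intact, RT comparison flags it.
    mt2 = MeasurementTable()
    mt2.record("/usr/bin/sshd", b"\x7fELF sshd trojaned")
    mt2.record("/usr/bin/nginx", GOOD_BINARIES["/usr/bin/nginx"])
    modified_binary = verify(mt2, rt)
    return clean, tampered_table, modified_binary
```

Two failure modes are deliberately kept apart in `verify`: an MT whose replay does not match the PCR tells you the table itself was altered (which is what the TPM is there to catch), while a matching MT with an entry absent from the RT tells you an unexpected executable ran in the guest.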
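Two design decisions in the Hyperchk description are easy to state but worth seeing in code: the key values the monitor needs are found by searching the guest's kernel memory rather than trusting a fixed address, and the check interval is derived from CPU load. The Python below is an added example written for this page, not Hyperchk's implementation, and it goes slightly beyond the abstract by also classifying a changed entry by whether its new value still lies in kernel text. The marker bytes, the table layout, the kernel-text range and the linear load-to-interval policy are all constructed assumptions.

```python
# Added example (not Hyperchk's code): locate a guest kernel table by signature
# search in a memory image, diff it against a baseline, and scale the check
# interval with CPU load. Marker, layout, address ranges and the interval policy
# are assumptions constructed for this illustration.
import struct

MARKER = b"SYSCALL_TABLE_v1"                  # constructed signature preceding the table
PTR = struct.Struct("<Q")                      # 64-bit little-endian pointers
KERNEL_TEXT = (0xFFFFFFFF81000000, 0xFFFFFFFF82000000)      # assumed text range
BASELINE = [KERNEL_TEXT[0] + 0x1000 * i for i in range(8)]  # constructed known-good table


def build_guest_memory(table: list[int], table_offset: int, size: int = 4096) -> bytearray:
    """Constructed stand-in for a snapshot of guest kernel memory."""
    mem = bytearray(size)
    mem[table_offset:table_offset + len(MARKER)] = MARKER
    base = table_offset + len(MARKER)
    for i, ptr in enumerate(table):
        PTR.pack_into(mem, base + i * PTR.size, ptr)
    return mem


def locate_table(mem: bytes) -> int:
    """Find the table by signature search, so a relocated or differently built
    kernel does not silently break the monitor the way a hard-coded System.map
    address would."""
    idx = mem.find(MARKER)
    if idx < 0:
        raise LookupError("table signature not found in guest memory")
    return idx + len(MARKER)


def read_table(mem: bytes, base: int, n: int) -> list[int]:
    return [PTR.unpack_from(mem, base + i * PTR.size)[0] for i in range(n)]


def check_table(mem: bytes, baseline: list[int]) -> list[tuple[int, int, int, str]]:
    """One monitoring pass: (index, expected, found, reason) for every changed entry."""
    current = read_table(mem, locate_table(mem), len(baseline))
    lo, hi = KERNEL_TEXT
    alerts = []
    for i, (expected, found) in enumerate(zip(baseline, current)):
        if found == expected:
            continue
        reason = "changed" if lo <= found < hi else "points outside kernel text"
        alerts.append((i, expected, found, reason))
    return alerts


def next_interval(cpu_load: float, fast: float = 1.0, slow: float = 10.0) -> float:
    """Assumed policy: an idle guest is checked every `fast` seconds (better
    detection), a saturated guest every `slow` seconds (less overhead), linear
    in between. Load is clamped to [0, 1]."""
    load = min(max(cpu_load, 0.0), 1.0)
    return fast + (slow - fast) * load


def run_scenario() -> tuple[list, list]:
    clean = build_guest_memory(BASELINE, 0x100)
    hooked_table = list(BASELINE)
    hooked_table[3] = 0xFFFFFFFFA0001000          # entry redirected into a module (rootkit hook)
    hooked = build_guest_memory(hooked_table, 0x800)   # table also moved; search still finds it
    return check_table(clean, BASELINE), check_table(hooked, BASELINE)
```

A real monitor reads the snapshot through the VMM's foreign-page mapping from the privileged VM and repeats `check_table` on the schedule `next_interval` produces; the structure of the check itself is the same as above.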
