【作者】 温研；

【导师】 王怀民；

【作者基本信息】 国防科学技术大学 ， 计算机科学与技术， 2008， 博士

【摘要】 随着网络技术的发展和硬件性价比的不断提高,网络应用模式发生了深刻变化,个人用户越来越频繁地从Internet上下载和执行软件,个人计算平台逐渐由终端设备变为参与网络计算的基本元素。这一变化造成了网络上非可信软件对个人计算平台更为严峻的安全威胁,对当前个人计算平台的防护机制提出了新的挑战。构造一个透明的隔离运行环境,使其能够隔离非可信软件的潜在安全威胁,同时保证被隔离软件的有效运行,并监控其行为,成为个人计算平台抵御下载执行的非可信软件安全威胁的重要技术途径。隔离运行环境的构造面临两大问题:一是如何在充分隔离的前提下保证被隔离软件正确执行并且性能可以接受;二是如何在充分隔离的前提下鉴别或抑止非可信软件的恶意行为。本文借鉴虚拟机技术,提出了隔离运行环境的安全隔离性、功能完整性、性能适应性和行为可监控性的概念,在确保操作系统隔离的前提下,通过重现宿主操作系统软件环境来提高隔离运行环境的功能完整性,通过优化隔离运行环境性能来提升其性能适应性,并提出了一种在虚拟层监控被隔离软件行为的通用机制。本文的主要贡献有以下几点:1.提出了一种新的基于硬件抽象层虚拟机技术的隔离运行模型(Safe Virtual Execution Environment,简称SVEE)。SVEE能够在支持操作系统隔离的前提下重现宿主计算环境,并满足Bell-LaPadula机密性模型和Biba完整性模型。同时,在该模型下,被保护的宿主环境的容侵能力也得到了有效提升。SVEE在执行非可信软件所需的安全隔离性、功能完整性、性能适应性与行为可监控性之间找到了合适的平衡点。基于此模型,本文提出了独立于操作系统的SVEE体系结构,该体系结构具有很好的可移植性。2.针对计算环境重现带来的文件系统冲突问题和操作系统迁移带来的软硬件配置不兼容问题,本文提出了以卷快照技术和动态操作系统迁移技术为核心的本地虚拟化技术,有效实现了可配置的计算环境重现,显著提升了隔离运行环境的功能完整性。测试结果证明SVEE能够有效支持多种不同软硬件配置的运行环境。3.为了提高SVEE隔离运行环境的性能,本文提出了针对指令虚拟化的动态指令转换优化技术和针对内存虚拟化的动态物理内存分配技术,提升了隔离运行环境的性能适应性。SPEC 2006的测试结果显示SVEE隔离运行环境的性能接近于直接在宿主环境运行的性能(平均性能下降仅为4.41%);而动态物理内存分配技术则平均减少内存消耗6.82%,同时处理器开销平均增加不到3%。4.为了支持在虚拟层有效地监视和分析隔离运行环境内非可信软件的行为,针对虚拟层只能获取硬件层的相关数据而无法直接获取操作系统层语义信息的问题,本文提出并实现了隐式操作系统信息重构平台,使得SVEE及其它相关应用都能够在不借助操作系统API的情况下,利用硬件层的信息重构出操作系统层的语义信息,有效提升了隔离运行环境的行为可监控性。基于此平台,构造了自隐藏恶意代码检测系统,该系统能够有效的检测出比现有检测机制更多的自隐藏恶意代码。5.针对能够感知虚拟机存在并隐藏自身恶意行为的所谓“虚拟机感知”恶意代码,本文建立了基于硬件虚拟化技术的防御模型,该模型通过模拟已有虚拟机的各种指纹故意使此类恶意代码感知到虚拟机的存在,进而使其主动放弃恶意行为的执行。测试结果证明原型系统MiniVMM能够将运行中的操作系统动态地在本地模式和虚拟化模式间切换,并能准确模拟各类虚拟机指纹,进一步提高了对恶意代码行为的抑止能力。综上所述,本文针对隔离运行环境的安全隔离性、功能完整性、性能适应性和行为可监控性提出了有效的解决方案,对于提高个人计算平台抵御非可信软件安全威胁的能力具有重要的理论意义和应用价值。更多还原

【Abstract】 With the continuous development of the network technology and the significant raising of the hardware’s performance-price ratio, the application patterns of the network have changed greatly. The users of the personal computing platforms are willing to download and execute freeware/shareware on the Internet. The personal computing platforms are changing from the terminal devices to serve as the basic components of the network computing. However, this evolvement incurs more serious security threats to the personal computing platforms. Consequently, these threats come up with several new challenges to the existing protecting mechanisms. Constructing a transparent isolated execution environment, which can confine the potential threats of the untrusted software and monitor the behavior of this software without negating its functionality benefits, will serve as the important technology approach to protect the personal computing platforms against the security threats of the untrusted software.Building such an isolated execution environment has to be faced with two challenges. The first challenge is how to achieve both the full isolation and the functionality benefits of the isolated software while the performance overhead is acceptable. The second challenge is how to identify and confine the potential malicious behavior of the untrusted software while guaranteeing the full isolation. This dissertation introduces the virtual machine technology and proposes four concepts, exploring security isolation, functional integrity, performance adaptability and behavior inspectability. In addition, this dissertation makes an in-depth study on how to improve the functional integrity and performance adaptability while guaranteeing the security isolation. Besides, a new technology is proposed to inspect and analyze the isolated software’s behavior at the virtualization layer. Having solved the challenges arising in the whole lifetime of untrusted code, exploring introduction, execution, verification and submission to the host environment, this dissertation makes five contributions as follows:1. Existing isolation execution technology cannot achieve both the OS isolation and execution environment reproduction. To address the dilemma, this dissertation proposes a new virtual machine based isolation model - Safe Virtual Execution Environment (SVEE). This model supports both OS isolation and execution environment reproduction. In addition, this dissertation proves in theory that SVEE isolation model satisfies the Bell-LaPadula confidentiality model and the Biba integrity model. Besides, this model will notablely improve the intrusion-tolerant ability of the host execution environment which is just the protecting concern for the personal users. SVEE achieves the balance among security isolation, functional integrity, performance adaptability and behavior inspectability of the isolated execution environment. Based on this model, an OS-independent architecture is built for SVEE.2. To resolve the file system confliction induced by the execution environment reproduction and the software/hardware incompatibility caused by the OS migration, SVEE comes up with a so-called local virtualization technology which is composed of volume snapshot technology and dynamic OS migration technology. By dint of them, SVEE effectively accomplishes the configurable execution environment reproduction, so it improves the functional integrity of the isolated code. The evaluation results show that SVEE can run on various PCs definitely well.3. In order to improve the performance of SVEE, SVEE introduces the dynamic instruction translation technology and dynamic physical memory allocation technology. These two technologies enhance the performance integrity of the isolated code. The evaluation results of SPEC 2006 illustrate that the computing-intensive benchmarks run essentially at native speed on SVEE (suffering a slowdown of 4.41% on average). Experimental data of the dynamic physical memory allocation technology shows an overall performance improvement of 6.82% while exacting an overhead of 3% to CPU.4. For providing the ability to inspect and analyze the behavior of untrusted code at the virtualization layer, SVEE brings forward a new implicit OS information reconstruction technology. In virtue of this technology, SVEE is capable of reconstructing the OS layer semantic information from the collected hardware layer information without the help of OS APIs. Consequently, this technology effectively improves the inspectability of the isolated code. SVEE also constructs a stealth malware detection system. The evaluation results with real-world rootkits, which are widely used by stealth malware, demonstrate that this system can detect more stealth malware than existing detectors.5. With security researchers relying on the virtual machine (VM) in their analysis work, so-called VM-aware malware has a significant stake in detecting the presence of a virtual machine to avoid executing its vicious behavior. But hiding the virtualization from malware by building a transparent virtual machine monitor (VMM) is fundamentally infeasible, as well as impractical from a performance and engineering standpoint. This dissertation proposes a new approach called MiniVMM from another perspective: hiding the“real”machine from the VMM-aware malware. Instead of building a transparent VMM, MiniVMM advisedly exposes the VMM fingerprints to prevent the computer against VMM-aware malicious programs by deceiving them into deactivating their destructive behavior by themselves. Ulteriorly, MiniVMM enhances the inspectability of the isolated code.As a summary, this dissertation proposes a feasible approach which provides security against potential malware along with untrusted code while improving the functional integrity, performance adaptability and behavior inspectability of this isolated software. In the point of view of improving the personal computing platforms’security, this approach owns desirable theoretic value and application significance.更多还原