检索规则说明:AND代表“并且”;OR代表“或者”;NOT代表“不包含”;(注意必须大写,运算符两边需空一格)
检 索 范 例 :范例一: (K=图书馆学 OR K=情报学) AND A=范并思 范例二:J=计算机应用与软件 AND (U=C++ OR U=Basic) NOT M=Visual
名 称:
注 释:
作 者:马乐乐[1,2] 岳晓萌[1,2] 王玉庆[1,2] 杨秋松[1,2]
机构地区:[1]中国科学院软件研究所,北京100190 [2]中国科学院通用芯片与基础软件研究中心,上海201210
出 处:《计算机应用》2015年第6期1555-1559,共5页journal of Computer Applications
基 金:中国科学院知识创新工程重要方向性项目(KGCX2-YW-12);核高基国家重大项目(2014ZX01029101-002)
摘 要:针对在传统特权虚拟机中利用虚拟机内省实时监测其他虚拟机内存安全的方法不利于安全模块与系统其他部分的隔离,且会拖慢虚拟平台的整体性能的问题,提出基于轻量操作系统实现虚拟机内省的安全架构,并提出基于内存完整性度量的内存安全监测方案。通过在轻量客户机中实现内存实时检测与度量,减小了安全模块的可攻击面,降低了对虚拟平台整体性能的影响。通过无干涉的内存度量和自定义的虚拟平台授权策略增强了安全模块的隔离性。基于Xen中的小型操作系统Mini-OS实现了虚拟机内省与内存检测系统原型,评估表明该方案比在特权虚拟机中实现的同等功能减少了92%以上的性能损耗,有效提高了虚拟机内省与实时度量的效率。The method of utilizing Virtual Machine Introspection (VMI) in a traditional privileged Virtual Machine (VM) to monitor the memory security of other VMs may weaken the isolation between the security module and other parts of the system, and slows down the total performance of the virtualization platform. In order to mitigate these disadvantages, a security architecture based on implementing VMI in a light-weight operating system was proposed, along with a security checking scheme based on memory integrity measurements. By monitoring and checking other VMs' runtime memory in a light-weight VM, the attack surface as well as the performance overhead was reduced. By non-intrusive checking and personalized authentication policy of the virtualization platform, the isolation of the security module was strengthened. A prototype system of VMI and memory detection was implemented based on Mini-OS of Xen. Compared with achieving the same function in privileged VM, the proposed scheme can reduce performance loss by more than 92% . It is proved that the proposed scheme can significantly improve the performance of VMI and reahime checking.
关 键 词:虚拟机内省 XEN Mini-OS 内存监控 完整性度量 入侵检测
分 类 号:TP309[自动化与计算机技术—计算机系统结构]
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在链接到云南高校图书馆文献保障联盟下载...
云南高校图书馆联盟文献共享服务平台 版权所有©
您的IP:216.73.216.117