VMOffset:虚拟机自省中一种语义重构改进方法  

作　　者：陈兴蜀 蔡梦娟 王伟 王启旭[1,2] 金鑫 CHEN Xing-Shu;CAI Meng-Juan;WANG Wei;WANG Qi-Xu;JIN Xin(School of Cyber Science and Engineering,Sichuan University,Chengdu 610207,China;Cyber Science Research Institute,Sichuan University,Chengdu 610207,China;College of Computer Science,Sichuan University,Chengdu 610065,China)

机构地区：[1]四川大学网络空间安全学院,四川成都610207 [2]四川大学网络空间安全研究院,四川成都610207 [3]四川大学计算机学院,四川成都610065

出　　处：《软件学报》2021年第10期3293-3309,共17页Journal of Software

基　　金：国家自然科学基金(U19A2081,61802270);国家“双创”示范基地之变革性技术国际研发转化平台资助项目(C700011);四川省重点研发项目(2018G20100)。

摘　　要：虚拟机自省是一种在虚拟机外部获取目标虚拟机信息,并对其运行状态进行监控分析的方法.针对现有虚拟机自省方法在语义重构过程中存在的可移植性差、效率较低的问题,提出了一种语义重构改进方法VMOffset.该方法基于进程结构体成员自身属性制定约束条件,可在不知道目标虚拟机内核版本的情况下,自动获取其进程结构体关键成员偏移量,所得偏移量可提供给开源或自主研发的虚拟机自省工具完成语义重构.在KVM(kernel-based virtual machine)虚拟化平台上实现了VMOffset原型系统,并基于不同内核版本操作系统的虚拟机,对VMOffset的有效性及性能进行实验分析.结果表明:VMOffset可自动完成各目标虚拟机中进程级语义的重构过程,具有可移植性与安全性,且仅对目标虚拟机的启动阶段引入0.05%之内的性能损耗.Virtual machine introspection is a method to acquire the information of the target virtual machine,and monitor as well as analyze its running status outside the target virtual machine.Aiming at the problem of poor portability and low efficiency in the process of semantic reconstruction of existing virtual machine introspection method,a sematic reconstruction improvement method is proposed in this study.In this method,constraint conditions are made based on the characteristics of the process structure members,and the offsets of the process structure key members are automatically obtained without knowing the kernel version of the target virtual machine,and the resulting offsets can be provided to the open source or self-developed virtual machine introspection tools to complete the process of semantic reconstruction.The VMOffset prototype system is implemented on the KVM(kernel-based virtual machine)virtualization platform,and the effectiveness and performance of VMOffset are experimentally analyzed based on virtual machines of different kernel version operating systems.The results show that VMOffset can automatically complete the process-level semantic reconstruction process of each target virtual machine,and only introduces the performance loss within 0.05%in the startup phase of the target virtual machine.

关 键 词：虚拟机自省 语义重构 偏移量 虚拟机监视器 可移植性 

分 类 号：TP303[自动化与计算机技术—计算机系统结构]