Authors: ZHONG Bing-Nan, DENG Liang, ZENG Qing-Kai [1,2] (State Key Laboratory for Novel Software Technology (Nanjing University), Nanjing 210023, China; Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China; Huawei Technology Co., Ltd., Shanghai 201206, China)
Affiliations: [1] State Key Laboratory for Novel Software Technology (Nanjing University), Nanjing 210023, Jiangsu, China; [2] Department of Computer Science and Technology, Nanjing University, Nanjing 210023, Jiangsu, China; [3] Huawei Technology Co., Ltd., Shanghai 201206, China
Source: Journal of Software (软件学报), 2022, No. 2, pp. 473-497 (25 pages)
Funding: National Natural Science Foundation of China (61772266, 61431008).
Abstract: To address the problems caused by an untrusted kernel, many works have proposed a same-layer trusted base architecture: a single protection domain, built at the same hardware privilege level as the kernel, in which security mechanisms can be deployed. In practice, however, security requirements are diverse, and concentrating the corresponding security mechanisms in a single protection domain means that as soon as any one of them is compromised, every other mechanism in that domain can be tampered with or destroyed by the attacker. To solve this problem, this paper proposes a kernel same-layer multi-domain isolation model, which constructs multiple protection domains at the same hardware privilege level as the kernel so that different security mechanisms are isolated from one another, mitigating the risk introduced by the traditional approach of binding all security mechanisms into a single protection domain. A prototype system of the model, Decentralized-KPD, is implemented. It uses hardware virtualization and address remapping to deploy different security mechanisms in multiple protection domains at the kernel's privilege level, without incurring a large performance overhead. Overall, the experimental results demonstrate the security and practicality of the kernel same-layer multi-domain isolation model.
Classification code: TP306 (Automation and Computer Technology: Computer System Architecture)