Research On Security Enhancement In Virtual Computing Environment

With the wide application of computers and the continuous development of information technology, the computer system plays a vital role in the human society. However, in the information-globalization days, the security situation is still not optimistic. More and more security threats show that traditional security mechanisms are unable to meet the requirements of the increasing complexity of computer systems and high-speed development of network software. Moreover, it will be more difficult to guarantee information system’s security if only depend on the internal security mechanism. Therefore, it is urgent to break the limitations of the system itself, and seek new approaches to enhance system’s security.The virtualization technology can provide an isolated execution environment, as well as the virtual machine monitor can take complete control over all of virtual machines in its upper level, which makes it possible to find new approaches for the research on enhancing system’s security. However, in fact the virtualization technology itself doesn’t provide any security mechanisms and methods, the traditional security threats still exist in the virtual machine. Fortunately, the aim of trusted computing is to ensure the security of computing systems on the terminal. Therefore, the combination of virtualization technology and trusted computing will not only be in favor of protecting the integrity of the platform, but also be conducive to the extension of virtual computing environment to the trusted network. In addition, as the virtualization technology creates a powerful opportunity for system security enhancements at the same time, it also brings potential security trouble on systems. Therefore, making research on the mainstream virtualization platform security will further promote the improvement of the overall system security.Due to stupendous security advantages in the trusted virtual platform, this thesis will focus on the method of establishing trusted virtual execution platform and the key technologies about security monitoring for virtual computing environment. Based on this work, this thesis will further analysis the weakness of the Xen architecture and propose relevant solutions. The overall contribution of those works makes some benefits on further development of security enhancements technology.1、Research of Constructing Trusted Virtual Execution Environment Based on Trust ExtensionBecause the linear trust chain in the existing trusted computing is not suitable for the requirements of virtual platform, this thesis propose a novel "tree" trust extension which can support multiple vms, to build the complete trust and certificate chain. Meantime, this thesis designs a remote attestation model and a transparent encryption method for this specific case. This contribution will enhance the security of virtual execution environment, and extend the trusted relations from the stand-alone system to the network.2、Research on Security Monitoring in Trusted Virtual Computing EnvironmentIn existing security monitoring framework, the target objects are insufficient that will limit the application, such as detection of malicious behavior in DKOM mode. And these works don’t build the bridge from the network packet to the sending process. Due to above reasons, this thesis will focus on the methods of runtime security monitoring, and design a monitoring platform including system call monitoring, module monitoring, network monitoring and process monitoring in the HVM mode and PV mode, which can supply a loosely-coupled interface for security services.3、Research on Security Services Technology Based on System Security MonitoringIn order to overcome the problem that current hidden process detection methods cannot manage hidden process, this thesis proposes a novel one which can supply a trusted interface for hidden process termination and suspension in different virtual modes. Meantime, due to the current mode for constructing TVD is inflexible which is limited on hardware conditions, a method for building TVD is designed based on network moitoring, which can support dynamic configuration of security policy and selection of encryption algorithms, furthermore provide a flexible border security control for TVD users.4、Research on Privilege Disaggregation and Memory Privacy Protection in Virtual MachinesDue to some weakness existing in the Xen architecture, this thesis will mitigate the security pressure via privilege disaggregation, and propose a novel scheme to protect application’s memory privacy in DomU. These contributions can supply better protection of user system’s integrity and privacy in virtual platform, meantime don’t influence the function of security monitor.