
Research On Virtual Machine Security Protection And Performance Optimization

Posted on: 2018-12-12
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H W Tang
GTID: 1318330533955884
Subject: Computer application technology

Abstract/Summary:
Virtual machine security is the basis of information security and the major concern of cloud security. In a virtualization environment, the traditional security problems still exist, and new problems caused by virtualization make the security situation more complex. However, the features of virtualization also provide new ways to solve these problems. This dissertation starts from the actual problems and focuses on security protection techniques and related performance optimizations for code security monitoring, DMA security and network security of virtual machines. The main contributions are as follows:

1) We propose "First-Fetch" event based security monitoring of executables in a virtual machine. The "First-Fetch" event indicates that a piece of binary code that has been loaded into memory is about to be executed on the CPU. The event triggers an EPT violation, which is captured by the VMM; security checking is then performed on the binary code in the memory page. This solves the semantic gap problem of external monitoring frameworks. Furthermore, we propose an agentless runtime antivirus for virtual machines and developed a prototype, VirtAV. It addresses the security vulnerabilities of the traditional (in-guest) approach as well as the new antivirus storm and rollback vulnerability problems. Experimental results verify the function of VirtAV: it detects 100% of the 3546 sample viruses, and the overhead on application performance is acceptable.

2) We propose IOMMU para-virtualization based DMA security and performance optimization for virtual machines. We point out the DMA security issue of emulated virtual devices and the reasons behind it. We developed the prototype PVIOMMU for IOMMU para-virtualization, which provides general IOMMU functionality, in particular DMA security guarantees such as I/O virtual address space isolation and memory access control, for both directly assigned devices and emulated devices. To reduce the overhead of para-virtualization, optimizations including a reverse-translation cache, a pre-allocated page pool and caching a pointer to the last referenced page table are adopted. Experimental evaluations on 3 kinds of network interfaces show that it introduces little overhead on DMA transactions, and the I/O performance is close to that of the native KVM implementation without IOMMU virtualization.

3) We propose a VM-centered network security framework and performance optimizations for NFV environments. In the framework, a per-VM network security service function chain is placed between the virtual network interface of the guest VM and the corresponding virtual port of the virtual switch, which prevents inner-network attacks. Furthermore, it adopts a macro view on optimizing packet forwarding along the chain: it eliminates repeated TCP/IP stack processing on the VNFs and the guest VM by employing a TCP/IP offload technique. Performance evaluations on the prototype TOSEC show that it significantly improves the efficiency of packet forwarding and reduces the CPU utilization of the chain. Specifically, with one security VM deployed, the communication latency of the guest VM is reduced to 68%~48% of that in the general NFV deployment, while with two security VMs the latency is reduced to 33%~22%.
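The following is an added toy model of the "First-Fetch" mechanism described in contribution 1), written for this page and not VirtAV's or the dissertation's code: guest pages start without execute permission in the EPT, the first instruction fetch from a page traps to the VMM, the page image is scanned, and only a clean page is granted execute permission so later fetches run without further traps. The signature set, page contents and the rule that a guest write revokes execute permission (forcing a rescan) are assumptions of this model.

```python
"""Toy model of First-Fetch monitoring: an EPT violation on the first
instruction fetch from a page lets the VMM scan the page before it runs."""
import hashlib
from dataclasses import dataclass, field

PAGE_SIZE = 4096
# Constructed sample: a fake "malicious" page image and its signature.
MALICIOUS_PAGE = b"\xeb\xfe" + b"\x90" * (PAGE_SIZE - 2)   # constructed
CLEAN_PAGE = b"\xc3" + b"\x90" * (PAGE_SIZE - 1)           # constructed
SIGNATURES = {hashlib.sha256(MALICIOUS_PAGE).hexdigest()}  # assumed DB


@dataclass
class EptEntry:
    exec_allowed: bool = False   # every page starts non-executable


@dataclass
class Hypervisor:
    ept: dict = field(default_factory=dict)      # gpa -> EptEntry
    memory: dict = field(default_factory=dict)   # gpa -> page bytes
    scans: int = 0                               # number of VMM scans
    blocked: set = field(default_factory=set)    # pages denied execution

    def guest_load(self, gpa, data):
        """Guest loads a binary page; no check happens yet (only on fetch)."""
        self.memory[gpa] = data
        self.ept[gpa] = EptEntry()

    def guest_write(self, gpa, data):
        """Model assumption: a write invalidates the earlier verdict."""
        self.memory[gpa] = data
        self.ept[gpa].exec_allowed = False
        self.blocked.discard(gpa)

    def guest_fetch(self, gpa):
        """Guest CPU fetches from gpa; returns True if execution proceeds."""
        if not self.ept[gpa].exec_allowed:
            return self._on_ept_violation(gpa)   # First-Fetch traps to VMM
        return True                              # already checked: no trap

    def _on_ept_violation(self, gpa):
        """VMM handler: scan the page image, then grant or deny execute."""
        self.scans += 1
        if hashlib.sha256(self.memory[gpa]).hexdigest() in SIGNATURES:
            self.blocked.add(gpa)        # stays non-executable
            return False
        self.ept[gpa].exec_allowed = True  # later fetches cost nothing
        return True
```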
Keywords/Search Tags:virtual machine monitoring, antivirus, DMA security, NFV, TCP/IP offloading