
Design And Implement Of Collecting Data Module About HIDS Under Virtual Machine UML

Posted on: 2009-05-14
Degree: Master
Type: Thesis
Country: China
Candidate: F Zheng
Full Text: PDF
GTID: 2178360245465386
Subject: Computer application technology
Abstract/Summary:
Virtual machine technology for hardware and software has been proposed since the 1960s. As CPUs have become faster and memory larger, virtual machine technology has become more mature. Virtualization, in a rather loose definition, is a framework for dividing the resources of a computer into multiple execution environments; more specifically, it is a layer of software that provides the illusion of a real machine to multiple instances of virtual machines. Since a virtual machine exists on the host in the form of a file, if something goes wrong with it the virtual machine can be shut down or rebooted by closing that file rather than rebooting the host, which is important, especially for server virtualization. Virtual machines have many other advantages as well, for example replaying. Many virtualization products such as VMware, Xen and Virtual PC have been deployed in companies, where they not only reduce cost but also bring benefits in security and other areas.

User-Mode Linux (UML) is an open-source virtual machine that runs inside the host OS; it is a way of porting the Linux kernel so that it runs as a process on a Linux host OS. UML is used for kernel debugging, for honeypots and as a server. UML was created by Jeff Dike in early 2000 and has been improved since then; in both speed and security, UML is increasingly mature.

Although a virtual machine is more secure than the system was before virtualization, it is still liable to be compromised once it is connected to the Internet, so a virtual machine needs its own approach to network security. This paper puts forward a system-call-based HIDS for UML.

Every virtualization technology must handle system calls; moreover, the VMM, hypervisor or host OS provides the first gate for the virtual machine, the point at which an NIDS can be placed, so we choose a system-call-based HIDS as the approach for UML. System-call-based HIDS is a mature technique on a host OS and consists of three parts: a data collection module (which gathers system call numbers), an analysis module and a response module. In this paper we port this model to UML. There are two ways to do so: one is to place it inside the UML virtual machine, the other is to place it in the VMM outside the UML virtual machine.

The first way is easy: it can be implemented by running the HIDS as a process of the UML virtual machine. But it is unacceptable, for two reasons. First, if the virtual machine is compromised, the process can be terminated. Second, if the HIDS lies inside the UML virtual machine, every virtual machine needs its own HIDS; if the host runs ten virtual machines, there are ten HIDS on the host in addition to the HIDS of the host OS, which is a huge cost.

For these reasons, we choose the second way and run the HIDS in the UML VMM. For a UML virtual machine, the VMM is the UML arch layer together with the host OS. We intend to port the analysis and response modules to the host OS in its user space; there are many existing products for these two modules on a host OS, such as STIDE. In this paper the data collection module is the key module; we decide to put it into the UML arch layer, the other part of the UML VMM, by adding code that collects system call numbers in one of its four processes. Under SKAS mode the UML arch layer consists of four processes, one of which is responsible for handling system calls issued through int 0x80, and we use this property to collect the data. The details are described in the following chapters. Finally we verify the collected data both theoretically and by experiment.

This paper introduces virtual machine architectures and the development of intrusion detection, writes the programs for collecting data under UML, and analyzes and verifies the results.
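The abstract leaves the analysis module to existing tools such as STIDE; the following added example (not code from the thesis or from UML or STIDE) shows that sequence-based analysis working over the kind of data the collection module produces: a stream of system call numbers. The collector output format ('pid=<n> nr=<syscall>'), the traces and the window, frame and threshold values are all constructed assumptions; the numbers used are i386 system call numbers.

```python
"""STIDE-style sequence anomaly detection over system-call numbers (added example)."""
from collections import deque

WINDOW = 6        # length k of each system-call sequence window
LOCALITY = 20     # number of consecutive windows in a locality frame
THRESHOLD = 0.3   # fraction of mismatching windows in a frame that raises an alarm

def parse_trace(lines):
    """Parse collector output lines; the 'pid=<n> nr=<syscall>' format is a constructed assumption."""
    numbers = []
    for line in lines:
        fields = dict(field.split("=", 1) for field in line.split())
        numbers.append(int(fields["nr"]))
    return numbers

def train(trace, k=WINDOW):
    """Normal profile: the set of every length-k window seen in a clean trace."""
    return {tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)}

def detect(trace, profile, k=WINDOW, frame=LOCALITY, threshold=THRESHOLD):
    """Slide a k-window over the trace and count windows absent from the profile.
    An alarm is recorded at offset i when the mismatch fraction over the last
    `frame` windows reaches `threshold`. Returns (mismatch_count, alarm_offsets)."""
    recent = deque(maxlen=frame)
    mismatches, alarms = 0, []
    for i in range(len(trace) - k + 1):
        miss = tuple(trace[i:i + k]) not in profile
        mismatches += miss
        recent.append(miss)
        if len(recent) == frame and sum(recent) / frame >= threshold:
            alarms.append(i)
    return mismatches, alarms

# Constructed traces using i386 system call numbers (5 open, 197 fstat64, 3 read,
# 4 write, 6 close); a real deployment trains on long runs of real collector output.
NORMAL_CYCLE = [5, 197, 3, 3, 4, 6] + [5, 197, 3, 4, 6]
TRAINING_TRACE = NORMAL_CYCLE * 30
# Monitored trace: normal activity around a five-call sequence never seen in training.
UNSEEN = [2, 11, 63, 63, 4]
MONITORED_TRACE = NORMAL_CYCLE * 5 + UNSEEN + NORMAL_CYCLE * 5

def run_demo():
    """Train on the clean trace, then scan the monitored trace."""
    return detect(MONITORED_TRACE, train(TRAINING_TRACE))

if __name__ == "__main__":
    count, alarms = run_demo()
    print(f"{count} mismatching windows; alarms at offsets {alarms[0]}..{alarms[-1]}")
```

Note that the unseen five-call sequence produces ten mismatching windows (every window that overlaps it), and the locality frame keeps the alarm raised for some distance past the anomaly, which is what makes short, isolated mismatches in a long normal trace tolerable.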
Keywords/Search Tags: Virtual Machine, Virtual Machine Monitor, User-Mode Linux, HIDS, system call number