
Based On The Full Virtualization Security Monitoring Technology Research

Posted on: 2014-01-03
Degree: Master
Type: Thesis
Country: China
Candidate: L Zhang
GTID: 2248330395982950
Subject: Computer application technology
Abstract/Summary:
With the rapid development of computer technology, security issues have become more and more serious. Traditional security monitoring tools have a fatal shortcoming: because they are deployed inside the very system they monitor, a malicious program whose privileges are higher than the tool's can bypass it or even destroy it. Virtualization technology changes the architecture of the traditional computer, and its isolation and resource-sharing properties bring new ideas to security monitoring. The kernel rootkit is a very common security threat in virtual machines; it usually uses a loadable module as its carrier, tampers with kernel code and data, and infects processes. In this paper we propose a security monitoring framework based on virtualization technology. To achieve both comprehensiveness and safety from the monitoring point of view, we design the monitoring virtual machine system at three levels: the kernel, the kernel loadable modules and the application processes. Based on this architecture, we complete a security monitoring prototype system based on full virtualization technology, implemented on the open-source KVM platform using Intel VT-x. In this prototype, the host that runs on the real physical machine can monitor many virtual machines that run on top of it.
The main work of this paper is:
1) Studying virtualization technology and, using virtual machine introspection, reconstructing high-level information (such as critical kernel data and processes) from low-level information (such as the CPU state and memory pages), so that events occurring inside the virtual machines can be obtained conveniently.
2) Studying memory protection and access control to protect the integrity of kernel code and data. Memory protection sets the pages that hold kernel code to read-only and intercepts every access to kernel data; access control technology then determines whether each intercepted access is legitimate.
3) Designing a cross-view method to detect hidden kernel loadable modules. Two lists of the kernel loadable modules in the virtual machine are constructed: a credible list from the view of the monitoring machine and an untrustworthy list from the view of the virtual machine itself. A module that appears in the credible view but not in the untrustworthy view is detected as hidden by comparing the two views.
4) Studying the state machine of a process's system-call sequence and using it to detect intrusion by malicious processes. It first trains on the normal behaviour of normal processes to establish the system-call state machine, then tests each process to see whether its behaviour falls within the established state machine.
Finally we design experiments to test the function of every module and analyse the impact of the whole architecture on the virtual machine. The experiments show that the design of the whole system in this paper is feasible.
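The cross-view comparison of item 3, written out as an added example (not code from the thesis). It assumes a Linux guest: the trusted view is constructed sample data standing in for the module list the host would rebuild from guest memory by introspection, and the untrusted view is constructed /proc/modules-style text as the guest itself would report it.

```python
"""Cross-view detection of hidden kernel modules (added illustration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleInfo:
    name: str
    size: int
    address: int


# Constructed trusted view: what the monitoring machine reconstructed from the
# guest's in-memory module list. The guest cannot alter how the host reads its
# memory, so an unlinked module still shows up here.
MONITOR_VIEW = [
    ModuleInfo("e1000", 0x1f000, 0xffffffffa0000000),
    ModuleInfo("ext4", 0x9c000, 0xffffffffa0020000),
    ModuleInfo("evil_rk", 0x3000, 0xffffffffa00c0000),  # constructed rootkit name
]

# Constructed untrusted view in /proc/modules format:
#   name size refcount deps state address
GUEST_PROC_MODULES = """\
e1000 126976 0 - Live 0xffffffffa0000000
ext4 638976 2 - Live 0xffffffffa0020000
"""


def parse_proc_modules(text):
    """Parse /proc/modules-style lines into a name -> ModuleInfo map."""
    mods = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or truncated line: nothing to compare
        mods[fields[0]] = ModuleInfo(fields[0], int(fields[1]), int(fields[5], 16))
    return mods


def cross_view_compare(monitor_view, guest_text):
    """Diff the trusted (monitor) and untrusted (guest) module views."""
    trusted = {m.name: m for m in monitor_view}
    untrusted = parse_proc_modules(guest_text)
    hidden = sorted(set(trusted) - set(untrusted))    # in memory, not reported by guest
    phantom = sorted(set(untrusted) - set(trusted))   # reported by guest, absent in memory
    mismatched = sorted(n for n in trusted.keys() & untrusted.keys()
                        if trusted[n].address != untrusted[n].address)
    return {"hidden": hidden, "phantom": phantom, "mismatched": mismatched}
```

A non-empty `hidden` list is the detection the thesis describes; `phantom` and `mismatched` entries point at a stale or tampered view rather than a hidden module.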
Keywords/Search Tags: virtualization, memory protection, access control, system-call state machine, cross-view