
Research On Memory Protection Of Windows Process Based On Virtualization

Posted on: 2015-11-27
Degree: Master
Type: Thesis
Country: China
Candidate: J Y Li
Full Text: PDF
GTID: 2308330482452186
Subject: Computer technology
Abstract/Summary:
There are two security concerns about confidential information stored in computers: its security while it is stored on disk, and its security once it is loaded into memory. Confidential information can be encrypted while it is stored on disk to keep it secure. But when an application accesses and manipulates it, it is loaded into memory in plaintext form, where it may be stolen by malware. Research on the memory security of processes is therefore of real significance.

To address the problem of memory security, we propose a virtual machine monitor (VMM) based memory protection system for processes, built on a study of the Windows memory management mechanism. The protection system prevents the memory space of a specified process that handles confidential information from being accessed by other processes, and even by kernel code in the operating system. Our main contributions are as follows:

1. We analyze the memory management mechanism of Windows and classify the threats to process memory security into two types: cross-process memory access and code injection attacks. Cross-process memory access means gaining access to the memory space of the protected process by modifying the CR3 register. Code injection attacks include both user-mode injection and kernel-mode injection. We then introduce existing memory protection solutions and analyze their advantages and disadvantages.

2. This paper proposes using the VMM to monitor modifications of the CR3 register in order to defend against cross-process memory access. CR3 is a sensitive register, so changes to it can be intercepted by the VMM.

3. This paper proposes using the shadow page table mechanism together with data execution prevention to defend against code injection attacks. A user-mode shadow page table and a kernel-mode shadow page table are maintained for the protected process to prevent kernel-mode code injection attacks. The data pages of the protected process are set to non-executable using data execution prevention technology to prevent user-mode code injection attacks.
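The CR3-interception idea in contribution 2 can be modelled as a VM-exit handler policy. The following C code is an added illustration, not the thesis's implementation: it assumes the VMM knows the page directory base (CR3 value) of each protected process and the guest address range of the OS context-switch routine, and it refuses any load of a protected CR3 that does not originate from that routine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the VMM-side check on a guest MOV CR3.
 * Assumption: the VMM is told, at setup, the page directory base of every
 * protected process and the guest RIP range of the trusted context-switch
 * code. Loading a protected CR3 from anywhere else is treated as an
 * attempted cross-process memory access and refused. */

#define MAX_PROTECTED 8

typedef struct {
    uint64_t cr3_values[MAX_PROTECTED]; /* protected page directory bases */
    size_t   count;
    uint64_t switch_lo;  /* guest RIP range [lo, hi) of the context-switch */
    uint64_t switch_hi;  /* routine, assumed known to the VMM */
} cr3_monitor;

typedef enum { CR3_ALLOW = 0, CR3_DENY = 1 } cr3_verdict;

void cr3_monitor_init(cr3_monitor *m, uint64_t switch_lo, uint64_t switch_hi) {
    m->count = 0;
    m->switch_lo = switch_lo;
    m->switch_hi = switch_hi;
}

/* Register a process to protect by its CR3; returns false when the table is full.
 * The low 12 bits (PWT/PCD or PCID) are masked so only the base is compared. */
bool cr3_monitor_protect(cr3_monitor *m, uint64_t cr3) {
    if (m->count >= MAX_PROTECTED) return false;
    m->cr3_values[m->count++] = cr3 & ~0xFFFULL;
    return true;
}

static bool is_protected_cr3(const cr3_monitor *m, uint64_t base) {
    for (size_t i = 0; i < m->count; i++)
        if (m->cr3_values[i] == base) return true;
    return false;
}

/* Handler for the VM exit raised by a guest MOV CR3. guest_rip is the address
 * of the instruction that caused the exit; new_cr3 is the value being loaded. */
cr3_verdict cr3_monitor_on_write(const cr3_monitor *m, uint64_t guest_rip, uint64_t new_cr3) {
    uint64_t base = new_cr3 & ~0xFFFULL;
    if (!is_protected_cr3(m, base))
        return CR3_ALLOW;                       /* unprotected address space */
    bool from_switch = guest_rip >= m->switch_lo && guest_rip < m->switch_hi;
    return from_switch ? CR3_ALLOW : CR3_DENY;  /* only the scheduler may switch in */
}
```

A denied write would in practice be handled by the VMM skipping the instruction or injecting a fault into the guest; the verdict alone is what the model shows.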
Keywords/Search Tags:memory protection, virtualization technology, shadow page table, data execution prevention