
Design And Implementation Of Nitro-based Virtual Machine Introspection Framework

Posted on: 2017-05-29
Degree: Master
Type: Thesis
Country: China
Candidate: Z W Gu
GTID: 2308330482479434
Subject: Information security
Abstract/Summary:
The rapid development of cloud computing has attracted an increasing number of IT applications to migrate to cloud data centers. Although cloud computing has brought many benefits, cloud security has become the main concern for IT application providers and IT users. As system virtualization is a key technology for cloud computing, the security of virtualization is closely related to the security of cloud computing. Given the characteristics of virtualization environments, virtual machine introspection (VMI) technology has many advantages in protecting the security of virtualized environments. Therefore, security monitoring based on VMI has great value and significance for virtualization and cloud computing. With respect to the security issues of virtualization in the cloud, most current virtual machine introspection technologies are commercial and difficult to migrate to open source virtualized environments. Moreover, although some of them can be applied to open source virtualization technology, they rely closely on the guest operating system's kernel information. However, the kernel information changes with the operating system version, and some versions of the operating system may not be made public. This thesis aims to build a virtual machine introspection framework, NBVF, using VMI on the KVM virtualization platform. NBVF resides in the host and mainly uses Nitro to capture the internal information of the virtual machine. Because no agent or monitoring module is installed inside the virtual machine, NBVF can avoid attacks from malicious software, which improves the security of computer systems. Furthermore, the system architecture of NBVF combines active and passive monitoring design schemes.
Firstly, process monitoring is designed to work in a proactive manner: the virtual machine introspection tool captures the call sequences of processes inside the target virtual machine, and the J48 classification algorithm is used to determine whether a process is malicious or not. Secondly, kernel loadable module monitoring and file monitoring are designed to work in a passive manner. When the trigger conditions of these two modules are met, the virtual machine introspection tool is used to capture the target virtual machine's memory, CPU and other resources. After semantic reconstruction, more information about the kernel loadable modules and files can be obtained. Experimental results show that: 1) NBVF monitors a virtual machine quickly and accurately and has little impact on the performance of the target virtual machine; for example, the performance loss in memory read/write tests is lower than 2%, and the performance loss in file encryption and decryption tests is lower than 1%; 2) with a single physical host running a virtual machine, NBVF's minimum average response time is 0.18 milliseconds, and under relatively heavy load (a physical machine running five virtual machines) the maximum average response time is 4.13 milliseconds, so NBVF has achieved the expected monitoring effect.
Keywords/Search Tags:Security Monitor, Virtual Machine Introspection, KVM, Nitro