Vulnerability Verification And Exploit In KVM Virtualized Environment

Posted on: 2017-03-30
Degree: Master
Type: Thesis
Country: China
Candidate: S Wang
GTID: 2308330482979532
Subject: Information security

Abstract/Summary:
Nowadays, cloud computing technology has become the hottest topic in the field of information technology. As a new computing model that is based on the Internet, open to public participation, and delivered as a service, cloud computing is dynamic and flexible. It not only brings the large amounts of computing resources required by individuals and by small and medium-scale users, but also provides more flexible IT solutions for enterprise users. With the rapid development of the technology and the continuous emergence of various attacks, people are paying increasing attention to the security problems of cloud computing.

System virtualization is one of the fundamental techniques for building a cloud computing environment. By partitioning and consolidating computer resources, it achieves advantages such as high availability and rapid deployment. Representative virtualization products include VMware, Xen, KVM and so on. Among them, KVM is the virtualization solution officially recommended by Linux and has been favored by cloud computing providers and by the majority of individual users. However, because KVM relies on traditional QEMU device emulation, its high-risk vulnerability problem has become increasingly prominent. According to the NVD vulnerability database, the KVM virtualized environment contains a large number of vulnerabilities that could threaten the security of virtual machines, including local privilege escalation, virtual machine escape, buffer overflow and others. These vulnerabilities pose a serious hidden danger to the cloud computing environment, and dealing with them is an urgent problem.

This paper collects and analyzes the vulnerabilities in the KVM virtualized environment. Focusing on three hardware emulation vulnerabilities, it proposes and designs several triggering-based verification and exploitation methods for important high-risk vulnerabilities, and also presents several mitigation methods. The paper first presents an in-depth study of the relevant background on KVM virtual machines and QEMU hardware emulation, including the process of device virtualization, memory management and security threats. On this basis, it describes the principle analysis and triggering-condition research for three typical high-risk vulnerabilities: the hot-plug vulnerability in the emulated PIIX4 chip, the FIFO overflow vulnerability in the virtual floppy disk controller, and the buffer overflow vulnerability in the virtual pcnet network device. Verification methods are then given for each of the vulnerabilities, along with exploitation methods for some of them. Further protection and hazard-mitigation measures using ASLR technology are proposed against these vulnerabilities, followed by related tests. The paper closes by summing up the deficiencies of the current work and the direction of future work.
Keywords/Search Tags: KVM, Vulnerability Analysis, Device Emulation, Overflow Attack