Research On Key Technologies Of File System Monitoring Based On Virtual Machine Introspection

Posted on: 2018-03-08
Degree: Master
Type: Thesis
Country: China
Candidate: L R Fu
GTID: 2348330521450962
Subject: Computer system architecture
Abstract/Summary:
As computer applications become more widespread, cloud computing and virtualization technologies simplify service deployment and improve operation and maintenance efficiency, which has made them popular in the market. As these technologies develop, however, the openness of computer systems means that users are constantly exposed to a variety of attacks. A large amount of user data is stored in the file system, so once the file system is subjected to a malicious attack, users may suffer irreparable loss. Real-time, efficient, fine-grained file system monitoring is an important technical means of preventing file system destruction and protecting user data. Most existing file monitoring systems run inside the operating systems of the monitored virtual machines, so the monitoring system and the monitored object share the same address space, which makes the monitoring system easy for an attacker to bypass. This thesis therefore studies the key technologies of file system monitoring based on Virtual Machine Introspection (VMI).

The main innovations of this dissertation rest on the following observation: every file operation, including opening, closing, reading, writing, deleting, and renaming a file, corresponds to a specific system call. By using VMI at the virtual machine manager layer to monitor and analyze the relevant system calls, we can achieve fine-grained monitoring of the file systems inside a virtual machine without placing the monitoring system in the same address space as the monitored object, which makes the monitoring system more secure. Specifically, by adding hook functions at the virtual machine manager layer, the system obtains the internal state of the virtual machine, for example memory pages, processor state, and register contents, and uses it to capture and analyze the file system calls made inside the virtual machine. This allows the file system activity inside the virtual machine to be faithfully reconstructed. The information parsed through VMI includes the system call number, system call name, process PID, program name, program execution path, the system call's input parameters, and the system call's return value. Using this file system activity information, the thesis implements real-time, fine-grained monitoring of virtual machine file systems.

Based on VMI and the KVM virtual machine manager, a complete set of interface functions is designed and implemented for real-time, fine-grained monitoring of Linux virtual machine file systems. Functional and performance tests were carried out carefully, and the test results verify the effectiveness and high efficiency of the system.
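The entry/exit pairing that a hypervisor-level system call hook needs in order to report both parameters and return value, as an added example (not code from the thesis). It assumes an x86-64 Linux guest, where `rax` holds the system call number at entry and the return value at exit; the `regs` struct, the hook names and the PID-keyed table are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
/* Hypothetical vCPU register snapshot handed to the hooks (x86-64 guest assumed). */
struct regs { uint64_t rax, rdi, rsi, rdx; };
struct file_event {
    uint32_t pid; uint64_t nr; const char *name;
    uint64_t args[3];      /* raw rdi, rsi, rdx; pointers are guest virtual addresses */
    int64_t ret; int err;  /* err is the errno value, 0 on success */
};
/* File-related system call numbers from the x86-64 Linux syscall table. */
static const struct { uint64_t nr; const char *name; } FILE_CALLS[] = {
    {0, "read"}, {1, "write"}, {2, "open"}, {3, "close"},
    {82, "rename"}, {87, "unlink"}, {257, "openat"},
};
#define MAX_PENDING 8
static struct file_event pending[MAX_PENDING];
static int in_use[MAX_PENDING];
static const char *file_call_name(uint64_t nr) {
    for (size_t i = 0; i < sizeof FILE_CALLS / sizeof FILE_CALLS[0]; i++)
        if (FILE_CALLS[i].nr == nr) return FILE_CALLS[i].name;
    return NULL;
}

/* Entry hook: rax is the syscall number. Returns 1 if the call is now tracked. */
int on_syscall_entry(uint32_t pid, const struct regs *r) {
    const char *name = file_call_name(r->rax);
    if (!name) return 0;                       /* not a file operation */
    for (int i = 0; i < MAX_PENDING; i++) {
        if (in_use[i]) continue;
        pending[i] = (struct file_event){ pid, r->rax, name, { r->rdi, r->rsi, r->rdx }, 0, 0 };
        in_use[i] = 1;
        return 1;
    }
    return 0;                                  /* table full: event dropped */
}

/* Exit hook: rax is now the return value, so the number comes from the entry record. */
int on_syscall_exit(uint32_t pid, const struct regs *r, struct file_event *out) {
    for (int i = 0; i < MAX_PENDING; i++) {
        if (!in_use[i] || pending[i].pid != pid) continue;
        *out = pending[i];
        out->ret = (int64_t)r->rax;
        /* Linux returns -errno in the range -4095..-1 on failure. */
        out->err = (out->ret < 0 && out->ret >= -4095) ? (int)-out->ret : 0;
        in_use[i] = 0;
        return 1;
    }
    return 0;                                  /* exit without a tracked entry */
}
```

A real monitor would key pending calls by guest thread rather than PID and would read path strings from guest memory at the addresses stored in `args`.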
Keywords/Search Tags: virtual machine introspection (VMI), KVM, file system security, system call