
Research On Attack Technology Of Virtual Machine Introspection System

Posted on: 2018-07-01
Degree: Master
Type: Thesis
Country: China
Candidate: X R Wu
Full Text: PDF
GTID: 2348330521450971
Subject: Computer system architecture

Abstract/Summary:
Virtual Machine Introspection (VMI) technology is an important option for protecting the security of virtualized environments because of its strong "isolation" and "visibility", and it has attracted wide attention and research. Multiple VMI-based security tools and systems have been developed in succession. However, these tools and systems are designed on a common assumption: that the monitored guest operating system uses the standard kernel data templates in the prescribed way, and that the raw contents of its memory pages, or the events reported by the virtual machine monitor, are correct. This does not hold absolutely in practice: to deceive the VMI tool and achieve the goal of the attack, an attacker can use a variety of techniques to modify the underlying kernel data and the execution flow of the guest operating system so that the guest no longer matches the kernel data templates. Based on an analysis of the assumptions of VMI systems and of the weaknesses found in them, this paper attacks the static monitoring and the dynamic monitoring of VMI systems respectively.

For the attack on static monitoring, the paper chooses LibVMI, an open-source virtual machine introspection tool, as the experimental system and attacks its ability to monitor the guest's process list and kernel module list statically. Specifically, by modifying specific fields of the process and kernel module structures, the name of any process or kernel module can be changed both inside and outside the virtual machine at the same time. By altering the getdents64 system call and removing a specific node from the guest's doubly linked circular process list, a specific process can be hidden both inside and outside the virtual machine. By removing a specific node from the guest's doubly linked circular kernel module list, a specific kernel module can be hidden both inside and outside the virtual machine. These attacks cause LibVMI to provide an incorrect static monitoring function.

For the attack on dynamic monitoring, the paper chooses Nitro as the experimental system and attacks its ability to monitor the guest's system calls. Specifically, the paper designs and implements three kinds of attacks against Nitro: (1) replace the content of a normal system call function with malicious content directly in the original system call table; (2) through an inline hook, use a jmp instruction to jump to a prepared malicious code segment on entry to the system call function under attack, and continue with the original system call function after the malicious operation completes; (3) modify the system call table address in entry_SYSCALL_64, save the real system call table and replace it with a false table, and at the same time swap the address of the malicious system call service routine with the address of a normal system call service routine in the false table; when either of these two system calls occurs, adjust the value pushed into the eax register by the wrapper routine in the standard library. This scheme evades the integrity check of the system call table and ensures that malicious system calls are executed without being discovered. All of the above attacks cause Nitro's dynamic monitoring of system calls to fail. The various attacks designed and implemented in this paper achieve their intended targets and meet the design requirements as a whole. These attacks have a positive effect on the further refinement and development of VMI tools.
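As an added illustration of the defender's side of both attack classes described in the abstract (this is not code from the thesis, from LibVMI or from Nitro), the script below runs a cross-view comparison of the guest's process list against a second, independent source, and an integrity check of the system call path from the entry stub's table pointer through the table entries to each handler's first bytes. All addresses, task entries and handler bytes are constructed toy data embedded in the script; using the kernel's PID table as the second view, and treating the entry stub's table pointer as a single value readable from the snapshot, are this example's own assumptions.

```python
"""Defender-side cross-view and integrity checks for the two classes of VMI
attack described above. All data is a CONSTRUCTED toy snapshot standing in for
guest memory as an introspector would read it; none of it is real kernel data."""

# --- constructed guest snapshot: process list view --------------------------
# task_struct nodes: address -> (pid, comm, next, prev). The circular `tasks`
# list is walked from INIT_TASK. The node for PID 1337 is still in memory, but
# its neighbours no longer link to it, which is what unlinking leaves behind.
INIT_TASK = 0xFFFF880000010000
TASKS = {
    0xFFFF880000010000: (0, "swapper", 0xFFFF880000011000, 0xFFFF880000014000),
    0xFFFF880000011000: (1, "systemd", 0xFFFF880000012000, 0xFFFF880000010000),
    0xFFFF880000012000: (412, "sshd", 0xFFFF880000014000, 0xFFFF880000011000),
    0xFFFF880000013000: (1337, "updater", 0xFFFF880000014000, 0xFFFF880000012000),
    0xFFFF880000014000: (2001, "bash", 0xFFFF880000010000, 0xFFFF880000012000),
}
# Independent second view (assumption for this example: the kernel's PID table,
# which unlinking from the task list does not touch): pid -> task_struct address.
PID_TABLE = {0: 0xFFFF880000010000, 1: 0xFFFF880000011000,
             412: 0xFFFF880000012000, 1337: 0xFFFF880000013000,
             2001: 0xFFFF880000014000}

# --- constructed guest snapshot: system call path ---------------------------
# Trusted baseline (constructed addresses, as if recorded from the kernel's
# symbol file at boot): table address, selected handlers, and each handler's
# first bytes (push rbp; mov rbp, rsp).
SYS_CALL_TABLE = 0xFFFFFFFF81A00000
BASELINE = {0: 0xFFFFFFFF81220000,    # read
            1: 0xFFFFFFFF81221000,    # write
            2: 0xFFFFFFFF81222000,    # open
            217: 0xFFFFFFFF81230000}  # getdents64
BASELINE_PROLOGUE = {a: bytes.fromhex("554889e5") for a in BASELINE.values()}

# What the snapshot actually contains, exhibiting all three attack classes:
# the entry stub now dispatches through a shadow table in which write and
# getdents64 are swapped, the real table's write entry points elsewhere, and
# read's first instruction is now a jmp rel32.
ENTRY_TABLE_OPERAND = 0xFFFFFFFF81A08000
TABLES = {
    SYS_CALL_TABLE: {0: 0xFFFFFFFF81220000, 1: 0xFFFFFFFFC0000100,
                     2: 0xFFFFFFFF81222000, 217: 0xFFFFFFFF81230000},
    ENTRY_TABLE_OPERAND: {0: 0xFFFFFFFF81220000, 1: 0xFFFFFFFF81230000,
                          2: 0xFFFFFFFF81222000, 217: 0xFFFFFFFF81221000},
}
PROLOGUE = dict(BASELINE_PROLOGUE)
PROLOGUE[0xFFFFFFFF81220000] = bytes.fromhex("e9fb0f0000")


def walk_task_list(tasks, head):
    """Follow `next` pointers from the head until the list wraps, as an
    introspector listing processes would."""
    seen, cur = [], head
    while True:
        pid, comm, nxt, _prev = tasks[cur]
        seen.append((pid, comm))
        cur = nxt
        if cur == head:
            return seen


def hidden_pids(tasks, head, pid_table):
    """Cross-view check: PIDs known to the PID table but absent from the walk."""
    listed = {pid for pid, _ in walk_task_list(tasks, head)}
    return sorted(set(pid_table) - listed)


def check_syscall_path(entry_operand, tables, prologue, baseline_addr, baseline,
                       baseline_prologue):
    """Return a list of (kind, detail...) findings; empty means the whole path
    from entry stub to handler prologue matches the baseline."""
    findings = []
    # (3) the entry stub must dispatch through the real table
    if entry_operand != baseline_addr:
        findings.append(("table_pointer", entry_operand))
    # (1)/(3) every entry in the real table, and in whatever table is actually
    # dispatched through, must equal the baseline handler
    for taddr in sorted({baseline_addr, entry_operand}):
        table = tables.get(taddr, {})
        for nr, want in baseline.items():
            got = table.get(nr)
            if got != want:
                findings.append(("entry", taddr, nr, got))
    # (2) the first bytes of each handler must be unchanged
    for addr, want in baseline_prologue.items():
        got = prologue.get(addr, b"")[:len(want)]
        if got != want:
            findings.append(("prologue", addr, got.hex()))
    return findings


def run_checks():
    """Run both checks over the constructed snapshot."""
    return {
        "hidden_pids": hidden_pids(TASKS, INIT_TASK, PID_TABLE),
        "syscall_findings": check_syscall_path(
            ENTRY_TABLE_OPERAND, TABLES, PROLOGUE,
            SYS_CALL_TABLE, BASELINE, BASELINE_PROLOGUE),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(key)
        for item in value:
            print("  ", item)
```

A static-monitoring tool that only walks the task list sees exactly the view the unlinking attack leaves behind; what exposes the hidden process is the disagreement between two views that the attack does not modify together. In the same way, verifying only the entries of the named sys_call_table misses attack (3), so the check follows the pointer the entry path actually dispatches through and compares handler prologues rather than table entries alone.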
Keywords/Search Tags: Virtualization Security, VMI, LibVMI, Nitro, VMI Attack