Virtualization technology is considered the cornerstone of cloud computing and is increasingly widely applied, because it simplifies service deployment, reduces management complexity and improves resource utilization. However, while users enjoy the convenience of this technology they also face a variety of intrusion attacks, and security issues are becoming increasingly serious. Virtual machine introspection (VMI) technology is considered to have great potential for virtual machine security applications because of the visibility and isolation it offers in a virtualized environment, and it has been widely studied.

In this paper, four representative VMI-based security frameworks are studied in depth. Combining the main security problems of the virtualized environment with the characteristics of VMI technology, the paper identifies the main problem it sets out to solve: malware in the virtualized environment. The traditional solution of installing security software inside the machine is not applicable in a virtualized environment, and the approach of building a trusted virtualization platform is limited by the hardware architecture. To this end, this paper designs a security mechanism for virtualized environments based on VMI technology.

The mechanism is divided into three modules: data acquisition, data detection and record response. The data acquisition module uses an existing memory forensic analysis framework and virtual machine image mounting to supply operating system knowledge and, combined with a VMI library, achieves the transformation from low-level semantics to operating-system-layer semantics; this method simplifies the construction of the data acquisition module and yields complete operating-system-layer semantics for the virtual machine. The data detection module calls the data acquisition module to obtain data from key locations in the virtual machine, checks it for traces of malware, and submits the detection results to the record response module. It mainly comprises an ARP cache detection module, a network information detection module, a proc file system detection module, an interrupt descriptor table detection module, a loadable kernel module detection module, a system call table detection module, a TTY detection module, a network interface card promiscuous mode detection module, an illegal process privilege elevation detection module and a rootkit detection module. The record response module records the detection results as a log and responds to them.

In this paper, KVM is used to implement a prototype system based on the above security mechanism, and the functions of the system are tested by creating virtual machine instances on the OpenStack open-source cloud computing platform and installing malware in a virtual machine. The test results show that the system can effectively detect malware in a virtualized environment and respond to the detection results. Compared with existing schemes, the construction process of the system is simpler, it has good applicability and it is not limited by the hardware architecture.
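The following is an added illustration, not code from the thesis or its prototype: a small Python model of the data detection and record response modules described above. The data acquisition module (memory forensics framework plus VMI library) is stood in for by constructed snapshots of operating-system-layer semantics, so every pid, address, module name and flag value here is made up; `IFF_PROMISC = 0x100` is the real Linux flag bit, and the response policy in `record_response` is an assumption chosen for the example. Four of the abstract's detectors are modelled (proc file system, system call table, loadable kernel module, NIC promiscuous mode), each as a cross-view or baseline comparison over the acquired data.

```python
"""Added example (not the thesis's own code): toy data detection and
record response stages over constructed VMI snapshots of a guest."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

IFF_PROMISC = 0x100  # Linux net_device flags bit for promiscuous mode


@dataclass
class GuestSnapshot:
    """OS-layer view of one guest, as the data acquisition module would return it."""
    task_list: Dict[int, str]      # pid -> command name, walked from the kernel task list
    proc_pids: List[int]           # pids visible through the guest's /proc
    syscall_table: Dict[str, int]  # syscall name -> handler address
    module_list: List[str]         # names linked into the kernel module list
    sysfs_modules: List[str]       # names present under /sys/module
    nic_flags: Dict[str, int]      # interface name -> flags word


@dataclass
class Finding:
    detector: str
    detail: str


def detect_hidden_processes(snap: GuestSnapshot) -> List[Finding]:
    """proc file system detector: cross-view check between task list and /proc."""
    return [Finding("proc_fs", f"pid {pid} ({comm}) missing from /proc")
            for pid, comm in snap.task_list.items() if pid not in snap.proc_pids]


def detect_syscall_hooks(snap: GuestSnapshot, baseline: Dict[str, int]) -> List[Finding]:
    """system call table detector: compare handler addresses with a trusted baseline."""
    return [Finding("syscall_table",
                    f"{name} handler at {addr:#x}, baseline {baseline[name]:#x}")
            for name, addr in snap.syscall_table.items()
            if name in baseline and addr != baseline[name]]


def detect_hidden_modules(snap: GuestSnapshot) -> List[Finding]:
    """loadable kernel module detector: module list and /sys/module must agree."""
    listed, in_sysfs = set(snap.module_list), set(snap.sysfs_modules)
    return ([Finding("lkm", f"module {m} in /sys/module but unlinked from module list")
             for m in sorted(in_sysfs - listed)] +
            [Finding("lkm", f"module {m} in module list but absent from /sys/module")
             for m in sorted(listed - in_sysfs)])


def detect_promiscuous_nics(snap: GuestSnapshot) -> List[Finding]:
    """NIC promiscuous mode detector: IFF_PROMISC set on an interface."""
    return [Finding("nic_promisc", f"{ifname} has IFF_PROMISC set")
            for ifname, flags in snap.nic_flags.items() if flags & IFF_PROMISC]


def run_detection(snap: GuestSnapshot, baseline: Dict[str, int]) -> List[Finding]:
    """Data detection module: run every detector over one acquired snapshot."""
    findings = detect_hidden_processes(snap)
    findings += detect_syscall_hooks(snap, baseline)
    findings += detect_hidden_modules(snap)
    findings += detect_promiscuous_nics(snap)
    return findings


def record_response(vm_name: str, findings: List[Finding]) -> Tuple[List[str], str]:
    """Record response module: write log lines and choose a response.
    Policy is an assumption: kernel-level tampering isolates the VM, else alert."""
    log = [f"[{vm_name}] {f.detector}: {f.detail}" for f in findings]
    if any(f.detector in ("syscall_table", "lkm", "proc_fs") for f in findings):
        action = "isolate_vm"
    elif findings:
        action = "alert"
    else:
        action = "none"
    return log, action


# Constructed sample data: a boot-time baseline and two later snapshots.
BASELINE_SYSCALLS = {"sys_read": 0xffffffff81200100, "sys_write": 0xffffffff81200200,
                     "sys_getdents64": 0xffffffff81200300}

INFECTED_GUEST = GuestSnapshot(
    task_list={1: "systemd", 734: "sshd", 1337: "rk_worker"},
    proc_pids=[1, 734],                                   # pid 1337 hidden from /proc
    syscall_table={"sys_read": 0xffffffff81200100, "sys_write": 0xffffffff81200200,
                   "sys_getdents64": 0xffffffffc0a01000},  # hooked: points into module space
    module_list=["ext4", "virtio_net"],
    sysfs_modules=["ext4", "virtio_net", "rk_mod"],       # rk_mod unlinked from the list
    nic_flags={"eth0": 0x1003 | IFF_PROMISC, "lo": 0x9},
)

CLEAN_GUEST = GuestSnapshot(
    task_list={1: "systemd", 734: "sshd"}, proc_pids=[1, 734],
    syscall_table=dict(BASELINE_SYSCALLS), module_list=["ext4", "virtio_net"],
    sysfs_modules=["ext4", "virtio_net"], nic_flags={"eth0": 0x1003, "lo": 0x9},
)

if __name__ == "__main__":
    for name, snap in (("vm-infected", INFECTED_GUEST), ("vm-clean", CLEAN_GUEST)):
        log, action = record_response(name, run_detection(snap, BASELINE_SYSCALLS))
        print("\n".join(log) or f"[{name}] no findings", "->", action)
```

The point of the cross-view checks is that the guest is never asked to report on itself: the task list, module list and syscall table are read from guest memory by the hypervisor-side acquisition step, so a rootkit that filters /proc or unlinks itself from the module list still leaves a visible discrepancy.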