A Virtual Machine Kernel Integrity Protection Method Based On Hardware Virtualization

Posted on: 2019-08-02 | Degree: Master | Type: Thesis
Country: China | Candidate: Y Xu | Full Text: PDF
GTID: 2428330569979257 | Subject: Computer Science and Technology
Abstract/Summary:
The strong isolation of a virtualized architecture, its higher level of abstraction relative to the operating system, and its smaller trusted computing base offer new ways to solve long-standing security problems. Virtualization technology is convenient for users, but it also opens up more avenues of attack, and the problem of virtualization security urgently needs to be solved. The Rootkit attack is one of the major threats to virtualization security. Malicious programs use Rootkit techniques to hide themselves, exploit flaws in the system to penetrate ever deeper into it, and evade monitoring by security tools. A kernel-level Rootkit runs in kernel space and has higher privileges. It tries to control the entire system by destroying the integrity of the virtual machine kernel, which seriously threatens the security of that kernel.

To address the problem of virtual machine kernel integrity, this thesis proposes a protection and detection method based on hardware virtualization, which uses hardware virtualization extensions to protect kernel data, code, and registers. On the one hand, a separate page table is created for important kernel data and code, and access permissions are set on that page table so that they run in an isolated address space. On the other hand, the hardware virtualization "trap" mechanism causes any attempt to tamper with the registers to trap into the VMM. For virtual machine kernel integrity detection, this thesis proposes a method for detecting hidden processes: the allocation and release of kernel data are monitored to build a kernel object mapping, system calls are intercepted to build the virtual machine's process view, and hidden processes are then found by cross-view comparison.

The kernel data integrity protection module and the kernel data integrity detection module proposed in this thesis protect the integrity of virtual machine kernel data from two sides: passive monitoring and active detection. The experimental results show that this method can detect common kernel-level Rootkits and prevent them from tampering with the system. The final performance cost is kept within 6%. As a result, the method improves security without a significant impact on performance.
Keywords/Search Tags:Hardware-based virtualization, Virtual machine kernel, Integrity protection, Intel VT
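
As an added illustration of the cross-view check described in the abstract (not code from the thesis), the following Python model replays a constructed event trace into the two views and compares them. The event names and fields, and the choice to treat the allocation-derived object map as the trusted view and the system-call-derived view as what the guest reports, are assumptions of this example.

```python
# Constructed trace; event kinds and fields are assumptions of this example:
#   ("alloc", addr, pid, name)  process object allocated in guest kernel memory
#   ("free", addr)              process object released
#   ("listed", pid)             pid seen in an intercepted process-listing system call
TRACE = [
    ("alloc", 0x1000, 1, "init"),
    ("alloc", 0x2000, 412, "sshd"),
    ("alloc", 0x3000, 977, "bash"),
    ("listed", 977),                        # listed before the process exited
    ("free", 0x3000),
    ("alloc", 0x3000, 1204, "kworker_x"),   # freed address reused by a new object
    ("alloc", 0x4000, 1310, "nginx"),
    ("listed", 1),
    ("listed", 412),
    ("listed", 1310),
]


def build_views(trace):
    """Replay the trace into (object_map, guest_view)."""
    object_map = {}     # addr -> (pid, name), live objects only
    guest_view = set()  # pids the guest itself reported
    for event in trace:
        kind = event[0]
        if kind == "alloc":
            _, addr, pid, name = event
            object_map[addr] = (pid, name)  # address reuse replaces the old owner
        elif kind == "free":
            object_map.pop(event[1], None)  # tolerate a free whose alloc was not seen
        elif kind == "listed":
            guest_view.add(event[1])
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
    return object_map, guest_view


def cross_view(trace):
    """Return (hidden, stale): live-but-unlisted processes and listed-but-freed pids."""
    object_map, guest_view = build_views(trace)
    live = {pid: name for pid, name in object_map.values()}
    hidden = sorted((pid, live[pid]) for pid in set(live) - guest_view)
    stale = sorted(guest_view - set(live))
    return hidden, stale


if __name__ == "__main__":
    hidden, stale = cross_view(TRACE)
    print("hidden candidates:", hidden)
    print("stale listings:", stale)
```

Stale listings are reported separately because the two views are sampled at different times; only a live object that the guest never lists is a hidden-process candidate.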