
Security Protection Technology For Controlled Channel Attack In Virtual Environments

Posted on: 2020-05-25
Degree: Master
Type: Thesis
Country: China
Candidate: C Y Qiang
Full Text: PDF
GTID: 2428330590976539
Subject: Information security

Abstract/Summary:
Controlled-channel attack is a kind of side-channel attack that causes process data leakage through the traces of accessed memory. The attacker mainly uses a malicious operating system to collect the access address stream of the user process, and restores the user's input data from the sequence of code pages and data pages accessed. For example, an attacker steals a user's private image content by attacking the Libjpeg library. The most commonly used public libraries, OpenSSL and Libgcrypt, were also attacked during encryption and decryption: the key information of multiple algorithms was restored, which seriously undermines the confidentiality of data transmission and constitutes a serious threat to the protection of private data in cloud computing environments. The attack has also received broad attention in the field of information security.

The attack has the characteristics of high concealment, low transmission noise and high attacker privilege. To defend against it, the defender must correctly identify the user process's access behavior, and the verification must bypass the malicious operating system, which greatly increases the difficulty of detection and makes traditional data protection methods difficult to apply.

This paper proposes a feasible detection and defense scheme for this attack. According to the characteristics of the attack model, this paper studies a detection scheme based on the virtual machine monitor (Hypervisor), which overcomes the problem that the lower layer has difficulty identifying the attack behavior of the upper layer, and achieves detection. In addition, this paper proposes a defense method based on randomizing the layout of the process address space, which confuses the address content that the malicious operating system can obtain and blocks the source of the sensitive information. Compared with existing methods, the scheme proposed in this paper is strongly innovative. The specific contributions are as follows:

1. A Hypervisor-based detection method is proposed, which successfully identifies the controlled-channel attack. This paper monitors the guest process page table and the system IDT table. By monitoring changes in the guest page table and the system IDT table, the system can effectively detect the suspicious behavior of the attacker. Compared with existing methods, the method is easy to deploy and the time overhead is significantly reduced.
2. A Hypervisor-based process address space layout randomization method is established. In response to the attacker's recording of the process control flow and data flow, the code blocks and data blocks are randomly distributed, so the information obtained by the attacker differs each time, eliminating such attacks. Compared with existing randomization methods, the method in this paper makes fewer changes to the process itself and reduces unnecessary overhead.
3. A more comprehensive experimental verification scheme was designed. In the benchmark test, in order to expose the key performance bottleneck, this paper focuses on page-table-related detection cases, including process creation, address mapping and page faults. In the application test, this paper uses a commonly used Web-server framework to demonstrate the feasibility of the method in practical applications.

This paper proposes an effective mitigation scheme for the controlled-channel attack and carries out experiments for verification. It extends the existing secure Hypervisor system and is of great significance to the application data security of the cloud platform.
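As an added illustration (not code from the thesis), the following Python model sketches the kind of hypervisor-side check the first contribution describes: it watches guest writes to a protected process's page-table entries and to the IDT, and flags the pattern of repeatedly clearing and restoring the present bit on the same few pages that page-fault tracing produces, which a benign OS (swap, copy-on-write) does not. The event stream, window, threshold and all class and function names are assumptions constructed for this example.

```python
from collections import defaultdict, deque
PRESENT = 0x1    # x86 PTE bit 0 (present); other PTE fields are ignored in this model
PF_VECTOR = 14   # IDT vector of the page-fault handler

class ControlledChannelMonitor:
    """Hypervisor-side view of guest page-table and IDT writes for one protected pid."""
    def __init__(self, pid, window=64, cycle_threshold=4):
        self.pid = pid
        self.window = window                    # PTE writes remembered per decision
        self.cycle_threshold = cycle_threshold  # pages cycled >= 2 times that raise an alert
        self.present = {}                       # vpn -> present bit as last written
        self.unmaps = deque()                   # (seq, vpn) for every present -> absent write
        self.seq = 0
        self.idt_baseline = {}                  # vector -> handler seen at first write

    def pte_write(self, pid, vpn, pte):
        """Record a guest PTE write; return True when the write pattern looks like tracing."""
        if pid != self.pid:
            return False
        self.seq += 1
        was_present = self.present.get(vpn, True)   # pages start mapped in this model
        now_present = bool(pte & PRESENT)
        self.present[vpn] = now_present
        if was_present and not now_present:
            self.unmaps.append((self.seq, vpn))
        while self.unmaps and self.unmaps[0][0] <= self.seq - self.window:
            self.unmaps.popleft()
        return self.tracing_suspected()

    def tracing_suspected(self):
        # A benign OS unmaps a given page rarely (swap, copy-on-write); a tracing OS
        # clears and restores the same few code and data pages over and over.
        per_page = defaultdict(int)
        for _, vpn in self.unmaps:
            per_page[vpn] += 1
        return sum(1 for n in per_page.values() if n >= 2) >= self.cycle_threshold

    def idt_write(self, vector, handler):
        """Return True if the page-fault entry is changed after its baseline was recorded."""
        baseline = self.idt_baseline.setdefault(vector, handler)
        return vector == PF_VECTOR and handler != baseline

def run_demo():
    # Constructed traces: benign swap-out of ten pages vs. repeated cycling of four pages.
    benign = ControlledChannelMonitor(pid=1234)
    benign_alert = any(benign.pte_write(1234, 0x400 + i, 0x0) for i in range(10))
    traced = ControlledChannelMonitor(pid=1234)
    cycle = [(1234, vpn, pte) for vpn in (0x400, 0x401, 0x600, 0x601) for pte in (0x0, 0x1)]
    traced_alert = any(traced.pte_write(*e) for e in cycle * 6)
    return benign_alert, traced_alert  # (False, True)
```

In a real deployment the PTE and IDT writes would come from the hypervisor's write-protection or EPT violation exits on the guest's page-table and IDT pages, and the thresholds would be tuned against the benchmark workloads the thesis lists.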
Keywords/Search Tags: Cloud security, Virtualization technology, Controlled-channel attack, Address space layout randomization