
Research On Security Isolation Test Of KVM Virtual Machines

Posted on: 2021-12-03
Degree: Master
Type: Thesis
Country: China
Candidate: L Liu
GTID: 2518306107968979
Subject: Computer technology

Abstract/Summary:
As virtual machines play an increasingly important role in cloud computing and other fields, their own security has also received much attention. Although virtual machine software has been widely integrated into operating systems, existing operating system security testing tools lack research on virtual machine security. Because virtual machines reuse the physical device resources of the host machine, they should first of all be securely isolated. In response to this problem, a set of components is designed and developed to test the security isolation of virtual machines. Taking the widely used KVM virtual machine as an example, the security isolation tests of the virtual machine's CPU, memory, storage and network are studied from the perspective of virtual machine security isolation.

By studying the implementation principles of system virtualization, combined with the operating mechanism of KVM virtual machines, a system infrastructure program is written to fully control the virtual machine. The program directly obtains the state of the privileged registers used while the virtual machine is running, and completes the automated test of virtual machine CPU security isolation through synchronization measures between virtual machines. The automated test of virtual machine memory security isolation is completed by judging whether virtual machines share real physical memory pages, whether virtual machine data is encrypted in real physical memory pages, and whether virtual machines can obtain residual information from real physical memory. A ciphertext detection scheme based on keyword matching is used to determine whether the virtual machine storage is encrypted, and whether two virtual machines can use the same storage file at the same time is observed, to complete an automated test of virtual machine storage security isolation. In the virtual machine network security isolation test, the security of the virtual network device is tested based on the principles of various network protocols, and the communication data of the physical network card is captured using network packet collection technology to test virtual machine communication encryption and virtual machine LAN security isolation.

Tests on the KVM virtual machine show that this test solution and the test modules can complete the test task well. The test results show that the KVM virtual machine does not implement virtual machine memory encryption in memory security isolation, and that its data can be obtained by the host, so there is a risk of data leakage.
Keywords/Search Tags: Cloud computing, Virtual machines, Security isolation, Automated testing
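The abstract describes a keyword-matching check for whether virtual machine storage is encrypted. The following is an added sketch of one way such a check can work, not code from the thesis: it assumes the test harness has written known marker strings inside the guest and then scans the backing image from the host side. The marker strings, function names and the in-memory sample image are all constructed for illustration.

```python
import hashlib
import io

# Constructed marker strings the test harness is assumed to write inside the guest.
KEYWORDS = [b"ISOLATION-TEST-MARKER-7f3a", b"kvm-storage-canary-0001"]

def find_plaintext_keywords(stream, keywords, chunk_size=1 << 20):
    """Return {keyword: first absolute offset} for each keyword seen in stream."""
    overlap = max(len(k) for k in keywords) - 1
    hits, tail, base = {}, b"", 0   # base = absolute offset of buf[0]
    while chunk := stream.read(chunk_size):
        buf = tail + chunk
        for k in keywords:
            pos = buf.find(k)
            if pos != -1 and k not in hits:
                hits[k] = base + pos
        # Keep the last bytes so a keyword split across two reads is still matched.
        tail = buf[-overlap:] if overlap else b""
        base += len(buf) - len(tail)
    return hits

def storage_verdict(stream, keywords=KEYWORDS, chunk_size=1 << 20):
    """'plaintext' if any marker is readable from the host side, else 'not-found'."""
    hits = find_plaintext_keywords(stream, keywords, chunk_size)
    # 'not-found' is consistent with encryption but does not prove it: the guest
    # may not have flushed the write, or the image format may compress clusters.
    return ("plaintext" if hits else "not-found"), hits

def constructed_image(encrypted):
    """Constructed 12 KiB stand-in for a guest disk image (not a real qcow2)."""
    plain = bytearray(12 * 1024)
    plain[4090:4090 + len(KEYWORDS[0])] = KEYWORDS[0]   # straddles a 4096-byte read
    plain[9000:9000 + len(KEYWORDS[1])] = KEYWORDS[1]
    if not encrypted:
        return bytes(plain)
    # Toy XOR keystream standing in for disk encryption; illustration only.
    ks = hashlib.shake_256(b"constructed-key").digest(len(plain))
    return bytes(p ^ s for p, s in zip(plain, ks))

if __name__ == "__main__":
    for enc in (False, True):
        verdict, hits = storage_verdict(io.BytesIO(constructed_image(enc)), chunk_size=4096)
        print("encrypted image" if enc else "plain image", "->", verdict, hits)
```

For a real image, pass a file opened in binary mode to `storage_verdict` and make sure the guest has synced its writes before scanning.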