
Research And Implementation Of Virtual Machine Security Framework In Cloud Platform

Posted on: 2022-11-08
Degree: Master
Type: Thesis
Country: China
Candidate: R F Zhu
Full Text: PDF
GTID: 2518306764976939
Subject: Computer Software and Application of Computer

Abstract/Summary:
In today's world, cloud services emerge in an endless stream, and the major Internet companies have each launched their own cloud platforms. However, as cloud computing has become popular, the security of cloud platforms has also become controversial. Users must upload their own data, and even private keys, to the cloud, or run critical and private tasks there, while new attack methods keep appearing; neither the confidentiality of that data nor the correct execution of those critical tasks is guaranteed, and these have become two major challenges. Because the virtual machine kernel is usually open-source Linux, its open-source nature and large code base inevitably leave unknown vulnerabilities in the system. These vulnerabilities make task execution in the cloud environment less reliable, because an attacker may use them to attack the virtual machine's kernel, or even the host and other virtual machines, or to tamper with key data.

In response to the above problems, this thesis uses hardware and virtualization extensions to implement a security framework for both task execution security and data security in virtual machines on the cloud.

For the security of virtual machine task execution: although Linux has page table protection, the page table itself is not protected, so it cannot effectively protect the execution of tasks inside the virtual machine. This thesis studies the hardware mechanisms and page table permissions of the Intel x86 architecture, and analyzes and summarizes three architectures for protecting virtual machine security: PGT-PT page table permission protection, EPT-PT page table permission protection, and MIX-PT permission protection. It finds that the permissions of the second-stage page table depend, to a certain extent, on the first-stage page table. From this it summarizes some deficiencies in the hardware design, and designs permission-bit control for page table protection in which the hypervisor protects the virtual machine's page tables, while the VMFUNC mechanism speeds up page table modification and eliminates the trapping overhead otherwise incurred when the kernel modifies a page table. Experiments then show that the VMFUNC-based MIX-PT architecture performs better than the hypercall-based one, with an improvement of about 30% in the process-creation-related tests.

Beyond the execution of virtual machine tasks in the cloud environment, attackers may also target task data, which contains personal information, keys and other important content. This thesis uses the SPP hardware mechanism to implement data protection based on SPP on Linux and KVM. Inside the virtual machine, a region of memory can be placed under SPP protection through system calls. Since SPP protects at a granularity of 128 bytes, it provides write protection finer than the 4K-byte page. The test results show, however, that the overhead of the SPP mechanism on the hardware inevitably increases because of the additional layer of page tables: the extra overhead is about 300 times that without SPP protection. Because SPP is used only to protect a small amount of critical data, it is still worth considering for its security benefit despite this performance overhead.
Keywords/Search Tags: Linux Security, Kernel-based Virtual Machine (KVM), Page Table Protection, SubPage write Permission (SPP), Virtual Machine Security