Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/70800
Full metadata record
DC field | Value | Language |
---|---|---|
dc.contributor.advisor | 孫雅麗 | |
dc.contributor.author | HUNG-JUN LI | en |
dc.contributor.author | 李鴻鈞 | zh_TW |
dc.date.accessioned | 2021-06-17T04:38:58Z | - |
dc.date.available | 2020-08-13 | |
dc.date.copyright | 2018-08-13 | |
dc.date.issued | 2018 | |
dc.date.submitted | 2018-08-07 | |
dc.identifier.citation | [1] B. D. Payne, “Virtual Machine Introspection”, Encyclopedia of Cryptography and Security, 2011.
[2] A. More and S. Tapaswi, “Virtual machine introspection: towards bridging the semantic gap”, Journal of Cloud Computing, vol. 3, pp. 1-14, 2014.
[3] T. Garfinkel and M. Rosenblum, “A Virtual Machine Introspection Based Architecture for Intrusion Detection”, NDSS Symposium, 2003.
[4] F. Bellard, “QEMU, a Fast and Portable Dynamic Translator”, in USENIX Annual Technical Conference, FREENIX Track, 2005, pp. 41-46.
[5] W. Graniszewski and A. Arciszewski, “Performance analysis of selected hypervisors”, International Journal of Electronics and Telecommunications, vol. 62, no. 3, pp. 231-236, 2016.
[6] C. D. Graziano, “A performance analysis of Xen and KVM hypervisors for hosting the Xen Worlds Project”, Iowa State University Digital Repository, 2011.
[7] G. Neiger, A. Santoni, F. Leung, D. Rodgers, and R. Uhlig, “Intel Virtualization Technology: Hardware Support for Efficient Processor Virtualization”, Intel Technology Journal, vol. 10, 2006.
[8] A. Kivity, Y. Kamay, D. Laor, U. Lublin, and A. Liguori, “kvm: the Linux virtual machine monitor”, in Proceedings of the Linux Symposium, 2007, pp. 225-230.
[9] P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, et al., “Xen and the art of virtualization”, in ACM SIGOPS Operating Systems Review, 2003, pp. 154-177.
[10] A. Velte and T. Velte, “Microsoft virtualization with Hyper-V”, McGraw-Hill, Inc., 2009.
[11] B. D. Payne, M. Carbone, M. Sharif, and W. Lee, “Lares: An architecture for secure active monitoring using virtualization”, in IEEE Symposium on Security and Privacy (SP 2008), 2008, pp. 233-247.
[12] Y. Fu and Z. Lin, “Exterior: Using a dual-VM based external shell for guest OS introspection, configuration, and recovery”, ACM SIGPLAN Notices, vol. 48, pp. 97-110, 2013.
[13] C. Willems, T. Holz, and F. Freiling, “Toward automated dynamic malware analysis using CWSandbox”, IEEE Security & Privacy, pp. 32-39, 2007.
[14] D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, et al., “BitBlaze: A new approach to computer security via binary analysis”, in Information Systems Security, ed: Springer, 2008, pp. 1-25.
[15] Freescale Semiconductor Inc., “Hardware and Software Assists in Virtualization”, Freescale Semiconductor White Paper, 2009.
[16] B. Dolan-Gavitt, T. Leek, M. Zhivich, J. Giffin, and W. Lee, “Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection”, in 2011 IEEE Symposium on Security and Privacy, 2011, pp. 297-312.
[17] A. Dinaburg, P. Royal, M. Sharif, and W. Lee, “Ether: malware analysis via hardware virtualization extensions”, in Proceedings of the 15th ACM Conference on Computer and Communications Security, 2008, pp. 51-62.
[18] J. Pfoh, C. Schneider, and C. Eckert, “Nitro: Hardware-based system call tracing for virtual machines”, in Advances in Information and Computer Security, ed: Springer, 2011, pp. 96-112.
[19] M. I. Sharif, W. Lee, W. Cui, and A. Lanzi, “Secure in-VM monitoring using hardware virtualization”, in Proceedings of the 16th ACM Conference on Computer and Communications Security, 2009, pp. 477-487.
[20] S. Vogl and C. Eckert, “Using hardware performance events for instruction-level monitoring on the x86 architecture”, in Proceedings of the 2012 European Workshop on System Security (EuroSec), 2012.
[21] C. Willems, R. Hund, and T. Holz, “CXPInspector: Hypervisor-based, hardware-assisted system monitoring”, Ruhr-Universität Bochum, Tech. Rep., 2013.
[22] D. Zhan, L. Ye, B. Fang, X. Du, and Z. Xu, “CFWatcher: A Novel Target-based Real-time Approach to Monitor Critical Files using VMI”, IEEE Communication and Information Systems Security Symposium, 2016.
[23] K. Koning, H. Bos, and C. Giuffrida, “Secure and Efficient Multi-variant Execution Using Hardware-assisted Process Virtualization”, IEEE/IFIP International Conference on Dependable Systems and Networks, 2016.
[24] P. Hosek and C. Cadar, “VARAN the unbelievable: An efficient N-version execution framework”, in ASPLOS, 2015.
[25] B. Cox, D. Evans, A. Filipi, J. Rowanhill, W. Hu, J. Davidson, J. Knight, A. Nguyen-Tuong, and J. Hiser, “N-variant systems: a secretless framework for security through diversity”, in USENIX Security, 2006.
[26] F. Zhang, K. Leach, A. Stavrou, H. Wang, and K. Sun, “Using Hardware Features for Increased Debugging Transparency”, IEEE Symposium on Security and Privacy, 2015.
[27] Intel Corporation, “Intel® 64 and IA-32 Architectures Software Developer’s Manual”, October 12, 2016.
[28] M. Seaborn, “Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges”, in Black Hat USA (BH-US’15), 2015.
[29] Y. Kim, R. Daly, J. Kim, C. Fallin, J. H. Lee, D. Lee, C. Wilkerson, K. Lai, and O. Mutlu, “Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors”, ACM/IEEE 41st International Symposium on Computer Architecture, 2014.
[30] J. S. Lee, H. M. Ham, I. H. Kim, and J. S. Song, “POSTER: Page Table Manipulation Attack”, 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015.
[31] S. van Schaik, K. Razavi, B. Gras, H. Bos, and C. Giuffrida, “Reverse Engineering Hardware Page Table Caches Using Side-Channel Attacks on the MMU”, Technical Report IR-CS-51, Vrije Universiteit Amsterdam, 2017.
[32] S. Sharwood, “AWS adopts home-brewed KVM as new hypervisor”, The Register, Nov 2017. https://www.theregister.co.uk/2017/11/07/aws_writes_new_kvm_based_hypervisor_to_make_its_cloud_go_faster/
[33] A. Shahzad and A. Litchfield, “Virtualization Technology: Cross-VM Cache Side Channel Attacks make it Vulnerable”, Australasian Conference on Information Systems, 2015. | |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/70800 | - |
dc.description.abstract | The rapid growth of cloud services has led more and more enterprises to adopt this technology to support their business. That growth has made server centralization an irresistible trend. As servers become centralized, cloud services also become an obvious target for attackers, so information security in cloud services is a major issue. Virtualization is widely adopted by cloud service providers because it gives each user on the cloud platform an independent virtual environment that other users cannot interfere with. While virtualization provides these advantages, it also turns the virtual machine into a black box: the cloud administrator cannot tell whether a given guest VM is executing malicious behaviour, which may lead to cross-VM security problems. This thesis takes the current mainstream virtualization platform, the kernel-based virtual machine (KVM), as its case study. By modifying KVM's memory management mechanism (the extended page table, EPT), it redirects the guest VM's execution into a self-defined memory region in which developers can place their own application code, and thereby proposes a mechanism for managing guest VMs. To demonstrate the feasibility of this mechanism, we also implemented a guest VM profiling system for a Windows 7 environment that monitors activity inside the guest VM. Beyond basic profiling, three further goals were set for the system design: high performance, high-level semantic information, and high transparency. The proposed system therefore does not significantly degrade the performance of the original service, and it provides Windows API information as high-level semantic information so that administrators can efficiently understand the analysis report. In addition, the proposed profiling system requires no changes inside the guest VM, so malware running in the guest cannot easily detect its presence, which raises the system's transparency. Finally, this thesis discusses possible applications of the proposed mechanism. For example, memory redirection can help administrators update the functionality of an important service without shutting it down. It also points out that this technique could be exploited for malicious purposes. | zh_TW |
dc.description.abstract | With the development of hardware and virtualization technologies, modern computing architecture has gradually become more centralized. With virtualization technology, cloud service providers can use hardware resources more efficiently. The hypervisor manages the shared resource pool and ensures that guest virtual machines (VMs) are isolated from each other while using the shared resources, so that none of them can affect the others. Therefore, more and more companies have migrated their services from physical servers to virtual machines provided by cloud service providers in order to reduce management effort. However, service providers still need a management mechanism in the hypervisor to protect the VMs. Because of the virtualization layer, a guest machine is just like a black box: the hypervisor merely manages resources and does not know what happens inside the guest. Recently, more and more threats have emerged against virtual machines, and one of the latest is the cross-VM side-channel attack, which leaks data such as cryptographic keys through side channels. Malicious users can use this attack to gain access to other guest virtual machines or hosts in an infrastructure. In this paper, we develop a management mechanism that redirects in-guest memory to a controlled, self-defined memory space in the hypervisor by modifying the extended page table (EPT). Based on this mechanism, we propose a prototype system, ANTS, to prove the feasibility of the proposed mechanism. ANTS is an efficient and effective VMI-based profiling system for Windows guest machines. To develop such an efficient and effective profiling system, we have to reach the following goals: high performance (average performance degradation is about 2.32%), high transparency (hiding the existence of our system) and high-level semantic information observation (human-readable output).
In addition to the profiling system, we also provide some new ideas for using the proposed mechanism to implement a variety of applications. For example, IT managers can use this concept to perform hot-patching of important services that cannot be suspended. Furthermore, we also note that such a mechanism can be used to perform malicious behaviour, such as information theft. | en |
dc.description.provenance | Made available in DSpace on 2021-06-17T04:38:58Z (GMT). No. of bitstreams: 1 ntu-107-R05725023-1.pdf: 1794310 bytes, checksum: 1cfdba48b5adf2568f7fe27b83a01718 (MD5) Previous issue date: 2018 | en |
dc.description.tableofcontents | Acknowledgements i
Chinese Abstract ii
ABSTRACT iii
CONTENTS v
LIST OF FIGURES vii
LIST OF TABLES viii
Chapter 1 Introduction 1
Chapter 2 Background 4
2.1 Hardware Assisted Virtualization 4
2.2 Extended Page Table 5
2.3 Kernel based Virtual Machine (KVM) 7
Chapter 3 Related Work 10
3.1 MMU Manipulation 10
3.2 Sandbox 11
3.3 Dual VM based Approach 12
3.4 Emulation based Approach 13
3.5 Hardware Assisted Approach 13
Chapter 4 System Design 17
4.1 MMU Redirection 18
4.2 System Architecture 20
Chapter 5 Implementation 27
5.1 VMI Process Handler 27
5.2 Enable in-host profiling code access in guest mode 28
5.3 API Hooks Implementation 31
5.4 MMU Modifier 32
5.5 Hooked Windows APIs 34
5.6 Collection of API Call Trace 36
5.7 Transparency 37
Chapter 6 Evaluation 40
6.1 Code Size 40
6.2 Macro-Benchmarking 41
6.3 Latency of invoking hooked APIs 43
Chapter 7 Discussion 46
7.1 System Portability 46
7.2 System Scalability 46
7.3 Potential Applications 47
Chapter 8 Conclusion 48
REFERENCE 50 | |
dc.language.iso | en | |
dc.title | Hardware-Assisted MMU Redirection Technology for Guest VM API Call Monitoring and Profiling | zh_TW |
dc.title | Hardware-Assisted MMU Redirection for In-guest API Invocation Monitoring and Profiling | en |
dc.type | Thesis | |
dc.date.schoolyear | 106-2 | |
dc.description.degree | Master | |
dc.contributor.oralexamcommittee | 陳孟璋,李育杰,李漢銘,蕭舜文 | |
dc.subject.keyword | KVM, MMU redirection, EPT, hardware-assisted virtualization, virtual machine introspection | zh_TW |
dc.subject.keyword | KVM,MMU redirection,EPT,Hardware Assisted Virtualization,Virtual machine introspection, | en |
dc.relation.page | 53 | |
dc.identifier.doi | 10.6342/NTU201802655 | |
dc.rights.note | Licensed for a fee | |
dc.date.accepted | 2018-08-07 | |
dc.contributor.author-college | College of Management | zh_TW |
dc.contributor.author-dept | Graduate Institute of Information Management | zh_TW |
Appears in Collections: | Department of Information Management |
Files in this item:
File | Size | Format | |
---|---|---|---|
ntu-107-1.pdf (not currently authorized for public access) | 1.75 MB | Adobe PDF |
Items in the repository are protected by copyright, with all rights reserved, unless otherwise indicated in their licence terms.