Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/49955

Full metadata record
| DC field | Value | Language |
|---|---|---|
| dc.contributor.advisor | 孫雅麗(Yea-Li Sun) | |
| dc.contributor.author | Yih-Der Lee | en |
| dc.contributor.author | 李奕德 | zh_TW |
| dc.date.accessioned | 2021-06-15T12:26:45Z | - |
| dc.date.available | 2019-08-31 | |
| dc.date.copyright | 2016-08-31 | |
| dc.date.issued | 2016 | |
| dc.date.submitted | 2016-08-09 | |
| dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/49955 | - |
| dc.description.abstract | The rapid growth of the cloud industry has led enterprises to adopt this technology to support their development, and server consolidation has become an irresistible trend. As servers are consolidated, the consolidation point becomes an obvious attack target. Understanding program behavior is a good starting point: only by understanding program behavior can high-risk actions be filtered out and defended against with high precision. The ultimate goal of this thesis is to implement a flexible real-time program behavior profiling system whose results can be used for behavior analysis according to security needs. To counter the anti-detection techniques developed by modern malware, this thesis uses virtualization technology so that the monitoring is not easily discovered; like many prior studies, it belongs to the class of Virtual Machine Introspection (VMI) techniques. With the development of modern virtualization, hardware-assisted virtualization has become standard equipment. Hardware-assisted virtualization brings significant performance gains, but it changes the overall execution architecture and flow. This thesis therefore focuses on creating, under the hardware-assisted virtualization mechanism, a space in which monitoring code can be executed effectively, to support program behavior monitoring. To make program behavior easier to understand, this thesis places the basic unit of monitoring at the API call level, which is closer to what program developers are familiar with. An API-call-level description of program execution carries higher semantic value than traditional system calls, allowing program behavior to be understood more precisely and reducing the complexity of inference. Because API calls are numerous and rich in functionality, the system in this thesis supports user-designed monitoring code to cope with the diversity of API calls, and it provides two execution points, before and after the API call, to help the user obtain the API call's input parameters and its return value. This makes the recorded behavior profile closer to reality and easier to analyze. Beyond the basic functionality, three key points were considered in the system design: transparency, performance, and bridging the semantic gap. The two aspects of transparency mean that the system is not constrained by the monitored target's choice of operating system, requires no additional software to be installed, and is not easily detected by protection mechanisms inside the operating system. Running the system in this thesis does not significantly degrade performance, so the performance gains of hardware-assisted virtualization are retained. Finally, choosing API calls as the object of observation lets future analysts understand program behavior more simply yet clearly. | zh_TW |
| dc.description.abstract | As cloud computing prospers, server consolidation has become a trending topic. In the meantime, it has attracted the attention of attackers. In order to protect users of cloud technology, we must understand how these malicious activities function. This thesis presents a way to record program behavior through API redirection. While a traditional IDS can provide protection against sophisticated attacks, it is also vulnerable to anti-detection mechanisms developed by attackers, such as anti-debugging and anti-instrumentation. Virtual machine introspection (VMI) technology moves the IDS out of the operating system to avoid such anti-detection mechanisms. With the aid of hardware-assisted virtualization technology, virtualization performance has increased significantly. However, adopting this technology significantly changes how virtualization functions. The change affects many existing VMI-based systems, making them unable to work as designed. This thesis aims to solve this problem and build a VMI-based API redirection system on a 64-bit machine with hardware-assisted virtualization enabled. Additionally, three more aspects are considered throughout the design: transparency, performance, and bridging the semantic gap. By achieving all of these goals, we obtain a system that requires no additional software installation, incurs low performance overhead, and generates execution traces with higher semantic value. The results can be further analyzed to understand program behavior. | en |
| dc.description.provenance | Made available in DSpace on 2021-06-15T12:26:45Z (GMT). No. of bitstreams: 1 ntu-105-R03725037-1.pdf: 1306203 bytes, checksum: 9f5987c0fdcd2dd57f39436f75be5ed9 (MD5) Previous issue date: 2016 | en |
| dc.description.tableofcontents | Oral examination committee approval ii; Acknowledgements iii; Chinese abstract iv; ABSTRACT v; Table of contents vi; List of figures ix; List of tables xi; Chapter 1 Research motivation 1; Chapter 2 Literature review 6; 2.1 VMI technical foundations 6; 2.2 Software-based emulation 6; 2.3 Dual VM approach 7; 2.4 Hardware-assisted virtualization 8; 2.5 Comparison and discussion of system differences 9; Chapter 3 Background 10; 3.1 Virtualization technology 10; 3.1.1 Binary Translation 12; 3.1.2 Hardware-assisted Virtualization 13; 3.1.3 Quick Emulator (Qemu) 16; 3.1.4 Kernel Virtual Machine (KVM) 17; 3.2 Virtual Memory and Address Translation 19; Chapter 4 VMI Profiling Mechanism 24; 4.1 Threat model 24; 4.2 Design goals 25; 4.3 Method 27; 4.3.1 Checking whether the process about to execute is a profiling target 27; 4.3.2 Address translation in a virtualized execution environment 28; 4.3.3 Injecting the profiling code into the system 28; 4.3.4 Obtaining space to place the profiling code, logging code and data record area 29; 4.3.5 In-memory logging architecture 29; 4.4 System design 30; 4.4.1 Detecting which program executes next 30; 4.4.2 Address translation in a virtualized execution environment 30; 4.4.3 Injecting the profiling code into the system 31; 4.4.4 Obtaining space to place the profiling code, logging code and data record area 31; Chapter 5 System implementation 33; 5.1 From boot to the start of detection 34; 5.2 Inserting space and code 35; 5.2.1 Reverse mapping 35; 5.2.2 API redirection 38; 5.3 Normal execution 39; Chapter 6 Experiments 42; 6.1 Experiment 1: creating usable space 42; 6.2 Experiment 2: no effect on non-target programs 44; Chapter 7 Conclusion 46; Chapter 8 References 47 | |
| dc.language.iso | zh-TW | |
| dc.subject | Virtualization | zh_TW |
| dc.subject | Hardware-assisted virtualization | zh_TW |
| dc.subject | API redirection | zh_TW |
| dc.subject | Program behavior profiling | zh_TW |
| dc.subject | Virtual memory | zh_TW |
| dc.subject | program profiling | en |
| dc.subject | API redirection | en |
| dc.subject | hardware-assisted virtualization | en |
| dc.subject | Virtualization | en |
| dc.subject | virtual memory | en |
| dc.title | Core of a run-time protection system based on VMI API redirection | zh_TW |
| dc.title | VMI based API redirection for run time protection | en |
| dc.type | Thesis | |
| dc.date.schoolyear | 104-2 | |
| dc.description.degree | Master's | |
| dc.contributor.oralexamcommittee | 陳孟彰(Meng-Chang Chen), 李漢銘(Hahn-Ming Lee), 李育傑(Yuh-Jye Lee), 謝錫堃 | |
| dc.subject.keyword | Virtualization, virtual memory, program behavior profiling, API redirection, hardware-assisted virtualization | zh_TW |
| dc.subject.keyword | Virtualization, virtual memory, program profiling, API redirection, hardware-assisted virtualization | en |
| dc.relation.page | 48 | |
| dc.identifier.doi | 10.6342/NTU201602165 | |
| dc.rights.note | Licensed for a fee | |
| dc.date.accepted | 2016-08-10 | |
| dc.contributor.author-college | College of Management | zh_TW |
| dc.contributor.author-dept | Graduate Institute of Information Management | zh_TW |
| Appears in collections: | Department of Information Management | |
Files in this item:
| File | Size | Format | |
|---|---|---|---|
| ntu-105-1.pdf (restricted access) | 1.28 MB | Adobe PDF | |