Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/59556
Full metadata record
DC Field | Value | Language |
---|---|---|
dc.contributor.advisor | 孫雅麗 | |
dc.contributor.author | Shih-Hsuan Lee | en |
dc.contributor.author | 李士暄 | zh_TW |
dc.date.accessioned | 2021-06-16T09:27:47Z | - |
dc.date.available | 2019-06-12 | |
dc.date.copyright | 2017-06-12 | |
dc.date.issued | 2017 | |
dc.date.submitted | 2017-05-08 | |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/59556 | - |
dc.description.abstract | In the era of cloud computing, the emergence of virtualization technology not only greatly reduces the cost of building servers but also gives security researchers a new opportunity in system security: they use virtual machines to set up secure, isolated environments for analyzing malware. Most existing VMI systems only provide low-level system information such as instructions or system calls, which makes it difficult for security experts to obtain in real time the high-level semantic behaviour executing inside the virtual machine. Moreover, VMI systems often incur a large system overhead while profiling, resulting in poor execution efficiency. The VMI-based Malware Profiling System proposed in this thesis records the Windows API calls made by a program running in a virtual machine, together with the API parameter values and return values, to bridge the semantic gap in VMI techniques. Unlike previous approaches that profile by forcing VMExits, we use VMI to implement the API profiling mechanism in guest mode, so that no additional VMExit is triggered during profiling. At the same time, the system can profile malware behaviour on the cleanest possible guest OS without installing any driver or program. We also design an in-memory logging mechanism that greatly reduces file I/O operations. The experimental results show that the system overhead introduced by the API profiling mechanism designed in this thesis is very low. Overall, the system achieves both transparency and performance, the two key properties of a malware profiling system, and accomplishes the profiling of malware Windows API calls in a VMI-based way. | zh_TW |
dc.description.abstract | The emergence of virtualization technology not only saves the cost of building servers in cloud computing but also provides a good instrumentation point for security experts to implement a profiling system. They use virtual machines to build secure and isolated environments for analyzing malware. Many existing VMI systems only provide instruction- or system-call-level execution sequence logging, but it is difficult for security experts to learn and grasp the high-level semantics of the runtime execution state of an application in the guest VM. Moreover, most VMI systems incur a huge overhead during profiling, which results in low system performance. In this thesis, we propose a novel VMI-based malware profiling system that profiles a target process running in a VM, recording Windows API calls with their parameters and return values to bridge the semantic gap. Our system leverages the VMI technique to implement the profiling mechanism in guest mode, avoiding additional virtualization overhead (i.e., VMExits) while profiling. Our system also provides a clean VM with no modification and no additional driver installed in the guest OS. In addition, we design an in-memory logging mechanism to reduce the overhead incurred by I/O operations. The experimental results show that our system has minimal system overhead while profiling a process in the guest VM. Overall, our system achieves the properties of transparency and performance and leverages VMI-based techniques to log Windows API calls. | en |
dc.description.provenance | Made available in DSpace on 2021-06-16T09:27:47Z (GMT). No. of bitstreams: 1 ntu-106-R03725019-1.pdf: 4458054 bytes, checksum: d648216682d262136741b016514bc35f (MD5) Previous issue date: 2017 | en |
dc.description.tableofcontents | Acknowledgements; Chinese Abstract; Abstract; Table of Contents; List of Figures; List of Tables; Chapter 1 Introduction (1.1 Research Background; 1.2 Research Problem; 1.3 Research Contributions); Chapter 2 Literature Review (2.1 Background Knowledge: 2.1.1 QEMU, 2.1.2 Hardware Assisted Virtualization, 2.1.3 KVM, 2.1.4 Memory Translation in OS, 2.1.5 MMU Virtualization, 2.1.6 Intel Extended Page Table, 2.1.7 QEMU/KVM Memory Architecture, 2.1.8 LibVMI, 2.1.9 Volatility; 2.2 Related Work: 2.2.1 Dual VM-based Approach, 2.2.2 Emulation-based Approach, 2.2.3 Hardware Assisted-based Approach); Chapter 3 System Design (3.1 Command Line Interface; 3.2 VMI Process Handler; 3.3 VMI MMU Modifier; 3.4 VMI Log Handler; 3.5 API Hooking Design; 3.6 Hooked Windows API; 3.7 Log Buffer Design); Chapter 4 VMI-based Memory Inspection Techniques (4.1 Locate Kernel Symbol; 4.2 Process List; 4.3 DLL List; 4.4 API Address; 4.5 File Object); Chapter 5 Windows API Calling Conventions and Memory Layout (5.1 Stack Frame; 5.2 Windows Calling Convention; 5.3 Windows API Instructions; 5.4 x64 API Instruction and Calling Convention); Chapter 6 System Implementation (6.1 VMI Commands: 6.1.1 Kdbgscan, 6.1.2 Pslist, 6.1.3 Dlllist, 6.1.4 Filescan, 6.1.5 Api_addr, 6.1.6 Enable_profile, 6.1.7 Stop_profile, 6.1.8 Volatility; 6.2 Process Activated Monitoring; 6.3 API Hooking; 6.4 Profiling Code; 6.5 Discussion); Chapter 7 Experiments (7.1 Execution Time of VMI Command; 7.2 Overhead of Monitoring Target Process Activation; 7.3 Overhead of Windows API and Profiling Code; 7.4 Overhead of API Profiling and System Resources); Chapter 8 Conclusion; References | |
dc.language.iso | zh-TW | |
dc.title | Virtualization Runtime Protection Based on VMI Memory Inspection | zh_TW |
dc.title | Enabling VMI-based Memory Inspection for Runtime Protection in KVM | en |
dc.type | Thesis | |
dc.date.schoolyear | 105-2 | |
dc.description.degree | Master's | |
dc.contributor.oralexamcommittee | 李育杰,陳孟彰,李漢銘,謝錫? | |
dc.subject.keyword | Virtual Machine,Virtual Machine Introspection,Memory Inspection,API Profiling,Semantic Gap, | zh_TW |
dc.subject.keyword | Virtual Machine,Virtual Machine Introspection,Memory Inspection,API Profiling,Semantic Gap, | en |
dc.relation.page | 75 | |
dc.identifier.doi | 10.6342/NTU201603062 | |
dc.rights.note | Licensed for a fee | |
dc.date.accepted | 2017-05-09 | |
dc.contributor.author-college | College of Management | zh_TW |
dc.contributor.author-dept | Graduate Institute of Information Management | zh_TW |
Appears in collections: Department of Information Management

Files in this item:
File | Size | Format |
---|---|---|
ntu-106-1.pdf (currently not authorized for public access) | 4.35 MB | Adobe PDF |

Items in the system are protected by copyright, with all rights reserved, unless otherwise indicated.