虚拟化安全：机遇，挑战与未来

doi:10.11959/j.issn.2096-109x.2016.00091

摘要/Abstract

摘要：

随着云计算的流行，虚拟化安全问题受到了广泛的关注。通过引入额外的一层抽象，虚拟化技术为整个系统提供了更强级别的隔离机制，并为上层软件提供了一系列自底向上的安全服务。另一方面，抽象的引入所带来的复杂性提升和性能损失，都对虚拟化安全的研究带来了巨大的挑战。介绍了上海交通大学并行与分布式系统研究所近几年来在虚拟化安全领域所做的一系列具有代表性的工作，包括利用虚拟化提供可信执行环境、虚拟机监控、域内隔离等一系列安全服务，以及对虚拟化环境的可信计算基和跨域调用等方面进行优化的成果，并对当前和未来虚拟化安全领域的问题和探索方向进行了总结。

关键词: 虚拟化安全, 可信执行环境, 虚拟机自省, 域内隔离, 可信计算基, 跨域调用

Abstract:

The virtualization security has increasingly drawn widespread attention with the spread of cloud computing in recent years.Thanks to another level of indirection,virtualization can provide stronger isolation mechanisms,as well as bottom-up security services for upper-level software.On the other side,the extra indirection brings complexity and overhead as well,which poses huge challenges.A series of recent representative work done by the institute of parallel and distributed system shanghai jiaotong university,including providing security services of trusted execution environment,virtual machine monitoring,intra-domain isolation,as well as optimizing trusted computing base and cross-world calls in the virtualization environment.Finally the problems and directions in the space of virtualization security were summarized.

Key words: virtualization security, trusted execution environment, virtual machine introspection, intra-domain isolation, trusted computing base, cross-world call

中图分类号:

TP309.2

刘宇涛,陈海波. 虚拟化安全：机遇，挑战与未来[J]. 网络与信息安全学报, 2016, 2(10): 17-28.

Yu-tao LIU,Hai-bo CHEN. Virtualization security:the good,the bad and the ugly[J]. Chinese Journal of Network and Information Security, 2016, 2(10): 17-28.

图/表 8

图1

图2

图3

图4

图5

图6

图7

图8

参考文献 32

[1]	SPINELLIS D.Another level of indirection . Beautiful code[M]. CA:O′Reilly. 2007.
[2]	CHEN H , CHEN J , MAO W ,et al. Daonity-grid security from two levels of virtualization[J]. Information Security Technical Report, 2007,12(3): 123-138.
[3]	CHEN H , ZHANG F , CHEN C ,et al. Tamper-resistant execution in an untrusted operating system using a virtual machine monitor[R].FDUPPITR-2007-0801.
[4]	LIU Y , XIA Y , GUAN H ,et al. Concurrent and consistent virtual machine introspection with hardware transactionalmemory[C]// 2014 IEEE 20th International Symposium on High Performance Computer Architecture. 2014: 416-427.
[5]	LIU Y , ZHOU T , CHEN K ,et al. Thwarting memory disclosure with efficient hypervisor-enforced intra-domain isolation[C]// The 22th ACM Conference on Computer and Communications Security. 2015.
[6]	ZHANG F , CHEN J , CHEN H ,et al. CloudVisor:retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization[C]// The 23rd ACM Symposium on Operating Systems Principles. 2011: 203-216.
[7]	XIA Y , LIU Y , CHEN H . Architecture support for guest-transparent VM protection from untrusted hypervisor and physical attacks[C]// IEEE 19th International Symposium on High Performance Computer Architecture. 2013: 246-257.
[8]	XIA Y , LIU Y , GUAN H ,et al. Secure outsourcing of virtual appliance[J].2015:1.IEEE Transactions on Cloud Computing, 2015:1.
[9]	LI W , XIA Y , CHEN H ,et al. Reducing world switches in virtualized environment with flexible cross-world calls[C]// The 42nd Annual International Symposium on Computer Architecture,ACM. 2015: 375-387.
[10]	CHEN X , GARFINKEL T , LEWIS E C ,et al. Overshadow:a virtualization-based approach to retrofitting protection in commodity operating systems[C]// ASPLOS. 2008.
[11]	CHECKOWAY S , SHACHAM H . Iago attacks:why the system call API is a bad untrusted RPC interface[C]// The 18th International Conference on Architectural Support for Programming Languages and Operating Systems. 2013.
[12]	HOFMANN O S , KIM S , DUNN A M ,et al. Inktag:secure applications on an untrusted operating system[C]// ASPLOS. 2013.
[13]	XIA Y , LIU Y , CHEN H ,et al. Defending against VM Rollback Attack[C]// The 2nd International Workshop on Dependability of Clouds Data Centers and Virtual Machine Technology. 2012.
[14]	CHEN H , WU X , YUAN L ,et al. Practical and efficient information flow tracking using speculative hardware[C]// The 35th International Symposium on Computer Architecture. 2008.
[15]	CHEN H , YUAN L , WU X ,et al. Control flow obfuscation with information flow tracking[C]// The 42nd International Conference on Microarchitecture. 2009.
[16]	YUAN L , XING W , CHEN H ,et al. Security Breaches as PMU deviation:detecting and identifying security attacks using performance counters[C]// ACM SIGOPS Asia-pacific Workshop on Systems. 2011.
[17]	XIA Y , LIU Y , CHEN H ,et al. CFIMon:detecting violation of control flow integrity using performance counters[C]// The 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks. 2011.
[18]	GARFINKEL T , ROSENBLUM M , et al . A virtual machine introspection based architecture for intrusion detection[C]// NDSS. 2003.
[19]	PAYNE B D , DE CARBONE M , LEE W . Secure and flexible monitoring of virtual machines[C]// ACSAC. 2007: 385-397.
[20]	SRINIVASAN D , WANG Z , JIANG X ,et al. Processout-grafting:an efficient out-of-vm approach for fine-grained process execution monitoring[C]// CCS. 2011: 363-374.
[21]	STEINBERG U , KAUER B . NOVA:a micro-hypervisorbased secure virtualization architecture[C]// The 5th European Conference on Computer Systems,ACM. 2010: 209-222.
[22]	WU C , WANG Z , JIANG X . Taming hosted hypervisors with (mostly) deprivileged execution[C]// NDSS. 2013.
[23]	WANG Z , WU C , GRACE M ,et al. Isolating commodity hosted hypervisors with hyperlock[C]// The 7th ACM European Conference on Computer Systems. 2012: 127-140.
[24]	COLP P , NANAVATI M , ZHU J ,et al. Breaking up is hard to do:security and functionality in a commodity hypervisor[C]// The 23rd ACM Symposium on Operating Systems Principles. 2011: 189-202.
[25]	TAN C , XIA Y , CHEN H . TinyChecker:transparent protection of VMs against hypervisor failures with nested virtualization[C]// The Second International Workshop on Dependability of Clouds Data Centers and Virtual Machine Technology. 2012.
[26]	OSVIK D A , SHAMIR A , TROMER E . Cache attacks and countermeasures:the case of aes[C]// Topics in Cryptology-CT-RSA 2006. 2006: 1-20.
[27]	YAROM Y , FALKNER K . Flush+ reload:a high resolution,low noise,l3 cache side-channel attack[C]// The 23rd USENIX Security Symposium (USENIX Security 14). 2014: 719-732.
[28]	SHI J , SONG X , CHEN H ,et al. Limiting cache-based side- channel in multi-tenant cloud using dynamic page coloring[C]// The 7th Workshop on Hot Topics in System Dependability. 2011: 194-199.
[29]	LIU F , GE Q , YAROM Y ,et al. CATalyst:Defeating last-level cache side channel attacks in cloud computing[C]// IEEE Symposium on High-Performance Computer Architecture. 2016.
[30]	ZHANG Y , REITER M K . Düppel:retrofitting commodity operat ing systems to mitigate cache side channels in the cloud[C]// The 20th ACM Conference on Computer and Communications Security. 2013: 827-837.
[31]	XIA Y , LIU Y , TAN C ,et al. TinMan:eliminating confidential mobile data exposure with security-oriented offloading[C]// The 10th European Conference on Computer Systems. 2015.
[32]	LI W , LI H , CHEN H ,et al. AdAttester:secure online advertisement attestation on mobile devicesusing trustzone[C]// The 13th International Conference on Mobile Systems,Applications,and Services. 2015.