(3.232.129.123) 您好!臺灣時間:2021/02/26 21:06
字體大小: 字級放大   字級縮小   預設字形  
回查詢結果

詳目顯示:::

我願授權國圖
: 
twitterline
研究生:李士暄
研究生(外文):Shih-Hsuan Lee
論文名稱:基於虛擬機器內省記憶體檢測之虛擬化執行保護
論文名稱(外文):Enabling VMI-based Memory Inspection for Runtime Protection in KVM
指導教授:孫雅麗孫雅麗引用關係
口試委員:李育杰陳孟彰李漢銘謝錫堃
口試日期:2016-07-28
學位類別:碩士
校院名稱:國立臺灣大學
系所名稱:資訊管理學研究所
學門:電算機學門
學類:電算機一般學類
論文種類:學術論文
論文出版年:2017
畢業學年度:105
語文別:中文
論文頁數:75
中文關鍵詞:虛擬機器虛擬機器內省記憶體檢測API側錄語意鴻溝
外文關鍵詞:Virtual MachineVirtual Machine IntrospectionMemory InspectionAPI ProfilingSemantic Gap
相關次數:
  • 被引用被引用:0
  • 點閱點閱:69
  • 評分評分:系統版面圖檔系統版面圖檔系統版面圖檔系統版面圖檔系統版面圖檔
  • 下載下載:0
  • 收藏至我的研究室書目清單書目收藏:0
在雲端計算的時代中,虛擬化技術的出現不僅大大節省建設伺服器的成本,同時也給予資安研究者在系統安全上一個新的契機,他們利用虛擬機器來架設安全且獨立的環境進行惡意軟體的分析,大部分現有的VMI系統只提供對於instruction或system call等低階的系統資訊,這讓資安專家很難即時獲取虛擬機器內部高階執行的語意行為,此外VMI系統在進行側錄時常產生大量的系統負擔,導致執行效率低落。本論文所提出的VMI-based Malware Profiling System能對虛擬機器中執行的程式側錄下其呼叫的Windows API call以及API參數值與回傳值,以彌補VMI技術中的semantic gap問題,本系統不同以往採用強制觸發VMExit的方式進行側錄的行為,我們利用 VMI的方式將API Profiling的機制實作在guest mode中,在側錄時不觸發額外的VMExit,同時本系統能在不安裝任何driver或program的情況下,以最乾淨的guest OS進行惡意軟體行為的側錄,我們也設計in-memory logging的機制,大幅減少系統進行檔案IO讀寫的動作,從實驗數據中可以發現本論文設計的API Profiling機制帶來的系統負擔是非常的低。總體來說,本系統達到同時兼顧malware profiling system的Transparency與Performance兩大特性,並以VMI-based的方式來完成惡意軟體Windows API call的側錄。
The emergence of virtualization technology not only saves the cost of building servers in cloud computing but also provides a good instrumentation point for security experts to implement the profiling system. They use the virtual machine to build the secure and isolate environment for analyzing malwares. Many existing VMI systems only provide instruction or system call level execution sequence logging. But it is difficult for security experts to learn and grasp the high-level semantics of the runtime execution state of an application in guest VM. Moreover, most of the VMI systems incur huge overhead during profiling that results in low system performance. In this thesis, we proposed a novel VMI-based malware profiling system that profiles a target process running in VM with Windows API call parameters and return value to bridge the semantic gap. Our system leverages the VMI technique to implement the profiling mechanism in guest mode to avoid additional virtualization overhead (i.e., VMExit) whiling profiling. Our system also provides a clean VM with no modification and no additional driver installed to guest OS. In addition, we design a in-memory logging mechanism to reduce the overhead incurred from IO operations. The experiment results show that our system has the minimum system overhead while profiling a process in guest VM. Overall, our system achieves the properties of transparency and low performance and leverages VMI-based techniques to log the Windows API call.
誌謝 I
中文摘要 II
ABSTRACT III
目錄 IV
圖目錄 VII
表目錄 X
Chapter 1 介紹 1
1.1 研究背景 1
1.2 研究問題 1
1.3 研究貢獻 2
Chapter 2 文獻探討 4
2.1 背景知識 4
2.1.1 QEMU 4
2.1.2 Hardware Assisted Virtualization 4
2.1.3 KVM 5
2.1.4 Memory Translation in OS 8
2.1.5 MMU Virtualization 11
2.1.6 Intel Extended Page Table 12
2.1.7 QEMU/KVM Memory Architecture 13
2.1.8 LibVMI 14
2.1.9 Volatility 16
2.2 相關研究 18
2.2.1 Dual VM-based Approach 18
2.2.2 Emulation-based Approach 19
2.2.3 Hardware Assisted-based Approach 20
Chapter 3 系統設計 24
3.1 Command Line Interface 25
3.2 VMI Process Handler 25
3.3 VMI MMU Modifier 26
3.4 VMI Log Handler 26
3.5 API Hooking Design 28
3.6 Hooked Windows API 30
3.7 Log Buffer Design 34
Chapter 4 虛擬機內省記憶體檢測技術 36
4.1 Locate Kernel Symbol 36
4.2 Process List 38
4.3 DLL List 39
4.4 API Address 42
4.5 File Object 45
Chapter 5 Windows API呼叫慣例與記憶體布局 48
5.1 Stack frame 48
5.2 Windows Calling Convention 50
5.3 Windows API Instructions 51
5.4 x64 API Instruction and Calling Convention 52
Chapter 6 系統實作 55
6.1 VMI Commands 55
6.1.1 Kdbgscan 56
6.1.2 Pslist 57
6.1.3 Dlllist 57
6.1.4 Filescan 58
6.1.5 Api_addr 59
6.1.6 Enable_profile 60
6.1.7 Stop_profile 60
6.1.8 Volatility 60
6.2 Process Activated Monitoring 61
6.3 API Hooking 62
6.4 Profiling Code 64
6.5 Discussion 66
Chapter 7 實驗 68
7.1 Execution Time of VMI Command 68
7.2 Overhead of Monitoring Target Process Activation 69
7.3 Overhead of Windows API and Profiling Code 70
7.4 Overhead of API Profiling and System Resources 71
Chapter 8 結論 73
參考文獻 74
[1]T. Garfinkel and M. Rosenblum, "A Virtual Machine Introspection Based Architecture for Intrusion Detection," in NDSS, 2003, pp. 191-206.
[2]B. D. Payne, M. De Carbone, and W. Lee, "Secure and flexible monitoring of virtual machines," in Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual, 2007, pp. 385-397.
[3]X. Jiang, X. Wang, and D. Xu, "Stealthy malware detection through vmm-based out-of-the-box semantic view reconstruction," in Proceedings of the 14th ACM conference on Computer and communications security, 2007, pp. 128-138.
[4]J. Pfoh, C. Schneider, and C. Eckert, "Nitro: Hardware-based system call tracing for virtual machines," in Advances in Information and Computer Security, ed: Springer, 2011, pp. 96-112.
[5]B. D. Payne, M. Carbone, M. Sharif, and W. Lee, "Lares: An architecture for secure active monitoring using virtualization," in Security and Privacy, 2008. SP 2008. IEEE Symposium on, 2008, pp. 233-247.
[6]C. Willems, T. Holz, and F. Freiling, "Toward automated dynamic malware analysis using cwsandbox," IEEE Security & Privacy, pp. 32-39, 2007.
[7]A. More and S. Tapaswi, "Virtual machine introspection: towards bridging the semantic gap," Journal of Cloud Computing, vol. 3, pp. 1-14, 2014.
[8]F. Bellard, "QEMU, a Fast and Portable Dynamic Translator," in USENIX Annual Technical Conference, FREENIX Track, 2005, pp. 41-46.
[9]A. Kivity, Y. Kamay, D. Laor, U. Lublin, and A. Liguori, "kvm: the Linux virtual machine monitor," in Proceedings of the Linux Symposium, 2007, pp. 225-230.
[10]G. Neiger, A. Santoni, F. Leung, D. Rodgers, and R. Uhlig, "Intel Virtualization Technology: Hardware Support for Efficient Processor Virtualization," Intel Technology Journal, vol. 10, 2006.
[11](December 19). Page table. Available: https://en.wikipedia.org/wiki/Talk:Page_table
[12]C. Wei-Ren. (December 19). kvm - 韋任的維基百科. Available: http://people.cs.nctu.edu.tw/~chenwj/dokuwiki/doku.php?id=kvm
[13]"Intel® 64 and IA-32 Architectures," in Software Developer s : System Programming Guide,. vol. Manual Volume 3B, ed.
[14]B. D. Payne, "Simplifying virtual machine introspection using libvmi," Sandia Report, 2012.
[15](December 18). Volatility Foundation. Available: http://www.volatilityfoundation.org/
[16]Y. Fu and Z. Lin, "Exterior: Using a dual-vm based external shell for guest-os introspection, configuration, and recovery," ACM SIGPLAN Notices, vol. 48, pp. 97-110, 2013.
[17]D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, et al., "BitBlaze: A new approach to computer security via binary analysis," in Information systems security, ed: Springer, 2008, pp. 1-25.
[18]S.-W. Hsiao, Y.-N. Chen, Y. S. Sun, and M. C. Chen, "A cooperative botnet profiling and detection in virtualized environment," in Communications and Network Security (CNS), 2013 IEEE Conference on, 2013, pp. 154-162.
[19]A. Dinaburg, P. Royal, M. Sharif, and W. Lee, "Ether: malware analysis via hardware virtualization extensions," in Proceedings of the 15th ACM conference on Computer and communications security, 2008, pp. 51-62.
[20]M. I. Sharif, W. Lee, W. Cui, and A. Lanzi, "Secure in-vm monitoring using hardware virtualization," in Proceedings of the 16th ACM conference on Computer and communications security, 2009, pp. 477-487.
[21]S. Vogl and C. Eckert, "Using hardware performance events for instruction-level monitoring on the x86 architecture," in Proceedings of the 2012 European Workshop on System Security EuroSec, 2012.
[22]C. Willems, R. Hund, and T. Holz, "Cxpinspector: Hypervisor-based, hardware-assisted system monitoring," Ruhr-Universitat Bochum, Tech. Rep, 2013.
[23](May 22). Volatility - CommandReferenceWiki. Available: http://www.volatilityfoundation.org/
[24](July 18). Passmark. Available: https://www.passmark.com/
[25](July 18). Netperf. Available: http://www.netperf.org/netperf/
[26](July 18). diskbench. Available: https://www.nodesoft.com/diskbench
QRCODE
 
 
 
 
 
                                                                                                                                                                                                                                                                                                                                                                                                               
第一頁 上一頁 下一頁 最後一頁 top
系統版面圖檔 系統版面圖檔