Title: Research on Software Security Sandbox Technology Based on Hardware Virtualization (基于硬件虚拟化的软件安全沙盒技术研究)
Author: 姜军
Degree: Master's
Defence date: 2013-05
Degree-granting institution: 中国科学院大学 (University of Chinese Academy of Sciences)
Place: Beijing
Advisors: 苏璞睿 ; 冯登国
Keywords: hardware virtualization; virtual cloud computing; cloud security; return-oriented programming; sandbox; Xen
Major: Information Security
Chinese abstract (translated)
In recent years, cloud computing has become one of the hottest terms in the information industry. At the same time, virtualization, one of the key supporting technologies of cloud computing, has developed remarkably. However, in the virtual cloud computing environment traditional security problems still exist and do more damage, and they grow more serious as cloud computing is widely adopted. Among them, software security has always been a central topic of information security and the root of many other security problems, so it must not be underestimated. Software security is usually divided into two complementary aspects: preventing the execution of software from damaging the operating system or other programs, and protecting the execution of software from attacks from the external environment. Traditionally, sandbox mechanisms can be used to solve software security problems, but in virtualized environments they show some important shortcomings: first, the traditional definition of a sandbox only addresses the first aspect of software security and ignores the second; second, existing sandbox mechanisms have flaws in design and implementation and can easily be bypassed or even exploited by attackers; third, sandboxes that run inside the operating system are difficult to deploy and adapt in virtual cloud computing environments.

For these reasons, studying software security in virtualized environments is an urgent task. This thesis starts from the two aspects of software security above: for the first aspect, it studies moving traditional sandbox mechanisms into the virtual machine monitor layer to provide greater robustness and ease of deployment; for the second aspect, it studies a countermeasure against return-oriented programming, currently the most threatening form of software attack. The main contributions and innovations of this thesis include:

1. The concept of the sandbox is extended to include protection of software execution. Traditional sandbox mechanisms only prevent the execution of software from damaging the system. However, as a software execution environment, a sandbox can and should also protect software from external attacks while it executes. These two aspects are complementary: some software exhibits system-damaging behaviour (as the perpetrator) precisely because it has been attacked from outside (it is also the victim). A typical case is a program with a buffer overflow whose high privileges an attacker exploits to execute malicious code.

2. A new algorithm for defending against return-oriented programming is proposed. It exploits an essential feature of return-oriented programming, namely that a large number of return addresses into libraries must be placed on the stack and triggered by ret instructions. By analysing at run time, before each ret instruction executes, the proportion of stack elements that are return addresses into libraries, and comparing it with a specific threshold, an attack can be recognised and an alarm raised in advance. The algorithm is suited to running in a virtualized environment and has the advantages of low performance overhead and low false positive and false negative rates.

3. An application sandbox architecture based on a virtualized environment is proposed. By deploying the sandbox mechanism in the virtual machine monitor, which has the highest privilege in the system, race-condition attacks such as "time of check to time of use" can be prevented. This thesis is the first to use the design of dynamically loading code into the virtual machine monitor kernel, to avoid the performance cost of frequent context switches, and it innovatively uses a simplified programming language as the policy description language to provide very high flexibility.

4. Two proof-of-concept prototype systems are designed, implemented and evaluated. Based on the open-source Xen virtual machine monitor, this thesis designs and implements two prototypes, the return-oriented programming defence system HyperCrop and the sandbox for virtual cloud computing environments VCCBox, and performs effectiveness and performance experiments on them. The results show that both prototypes achieve their protection goals and introduce only acceptable performance overhead, so they can be used in real production environments.
English abstract
In recent years, cloud computing has become one of the hottest terms in the information industry. Meanwhile, as a key supporting technique of cloud computing, virtualization technology has developed remarkably. However, legacy security issues still exist in virtual cloud computing environments and become more harmful, and the wide adoption of cloud computing renders these problems increasingly serious. Among them, software security has always been a central topic that underlies many other security problems and deserves great attention. Software security can usually be divided into two complementary aspects: the first is to prevent software execution from causing damage to operating systems or other applications, while the second is to protect the execution of software against attacks from the external environment. Conventionally, sandbox mechanisms can be used to resolve software security issues. However, they suffer from several notable deficiencies in virtualized environments: firstly, the conventional definition of a sandbox only pays attention to the first aspect of software security and ignores the second; secondly, existing sandbox mechanisms can be bypassed or even exploited by attackers due to flaws in their design and implementation; finally, it is inherently difficult to deploy and adapt sandboxes that run inside the operating system for virtual cloud computing environments.

Therefore, it is an urgent task to resolve software security issues in virtualized environments. This dissertation targets the two aspects of software security mentioned above: the investigation of the first aspect integrates conventional sandbox mechanisms into the virtual machine monitor to provide better robustness and ease of adoption, and the research on the second aspect provides a solution to return-oriented programming, the most threatening attack on software today. The main contributions and novel points of this dissertation include:


1. Extension of the sandbox concept to include software execution protection. Traditional sandbox mechanisms only prevent software execution from harming the system. However, as an execution environment, sandboxes could and should also protect software execution against external attacks. These two aspects are complementary: some applications behave maliciously (as attackers) precisely because they have been attacked by external adversaries (as victims). A typical example is an attacker exploiting the higher privilege of a program that has a buffer overflow vulnerability in order to execute malicious code.

2. A novel algorithm to defend against return-oriented programming. Harnessing an essential feature of return-oriented programming, i.e., placing a host of library return addresses on the stack and triggering them with ret instructions, this dissertation proposes a novel countermeasure for this attack. By analyzing the ratio of stack elements that fall within the library range before each ret instruction is executed, and comparing that ratio to a specified threshold, it is feasible to recognize a potential attack and raise an alarm beforehand. This approach is suitable for virtualized environments and has small performance overhead and low false positive and false negative rates.
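The stack-ratio heuristic of contribution 2, as an added illustration that is not HyperCrop's own code: a monitor that runs before each ret takes the top stack words, computes the fraction that point into library text, and alarms when the fraction reaches a threshold. The library address ranges, the 8-word window, the 0.5 threshold and both stack snapshots are constructed sample values, not figures from the dissertation.

```c
/* Added example, not the dissertation's HyperCrop code: the stack-ratio
 * heuristic over constructed snapshots. All ranges and values are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Text segments of loaded shared libraries (constructed sample ranges). */
struct range { uint64_t lo, hi; };
static const struct range LIB_TEXT[] = {
    { 0x7f0000001000ULL, 0x7f00001a0000ULL },   /* stands in for libc .text  */
    { 0x7f0000400000ULL, 0x7f0000421000ULL },   /* stands in for ld.so .text */
};
#define NLIBS (sizeof LIB_TEXT / sizeof LIB_TEXT[0])
static int in_library_text(uint64_t addr) {
    for (size_t i = 0; i < NLIBS; i++)
        if (addr >= LIB_TEXT[i].lo && addr < LIB_TEXT[i].hi) return 1;
    return 0;
}

/* Fraction of the top `window` stack words (stack[0] is the word the pending
 * ret will pop) that point into library text. */
double library_ratio(const uint64_t *stack, size_t nwords, size_t window) {
    size_t n = nwords < window ? nwords : window, hits = 0;
    if (n == 0) return 0.0;
    for (size_t i = 0; i < n; i++) hits += (size_t)in_library_text(stack[i]);
    return (double)hits / (double)n;
}

/* Decision the monitor takes before letting a ret execute: 1 = alarm. */
int rop_alarm(const uint64_t *stack, size_t nwords, size_t window, double threshold) {
    return library_ratio(stack, nwords, window) >= threshold;
}
/* Constructed snapshots: a normal frame mixes one return address into the
 * main binary with saved registers and data; a chain of library return
 * addresses is dense in the library range. */
static const uint64_t BENIGN_STACK[8] = {
    0x401a2cULL, 0x0ULL, 0x7ffd2f3a8e40ULL, 0x2aULL,
    0x401bb0ULL, 0x1ULL, 0x7ffd2f3a8e80ULL, 0x40122fULL };
static const uint64_t CHAIN_STACK[8] = {
    0x7f000004f1e3ULL, 0x0ULL, 0x7f0000031d7aULL, 0x7ffd2f3a9000ULL,
    0x7f000007a4c5ULL, 0x1ULL, 0x7f0000105d20ULL, 0x7f00000c8b99ULL };

int main(void) {
    printf("benign ratio %.3f alarm %d\n", library_ratio(BENIGN_STACK, 8, 8),
           rop_alarm(BENIGN_STACK, 8, 8, 0.5));
    printf("chain  ratio %.3f alarm %d\n", library_ratio(CHAIN_STACK, 8, 8),
           rop_alarm(CHAIN_STACK, 8, 8, 0.5));
    return 0;
}
```

The window size and threshold trade false positives (deep call chains inside libraries also leave several library return addresses on the stack) against missed short chains; the dissertation reports low rates for its settings, which these placeholders do not reproduce.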

3. An application sandbox framework based on a virtualized environment. By deploying sandbox mechanisms inside the virtual machine monitor, which has the highest privilege, the framework prevents attacks such as "time of check to time of use" race conditions. This dissertation is the first to use a design pattern that dynamically loads executable code into the hypervisor at runtime, which avoids the performance degradation caused by frequent context switches, and it creatively utilizes a simplified programming language for policy description to provide high flexibility.

4. Design, implementation and evaluation of two proof-of-concept systems. Based on the open-source Xen virtual machine monitor, this dissertation has designed and implemented two prototype systems for the above work, HyperCrop and VCCBox respectively, and has performed effectiveness and efficiency experiments on them. The evaluation results demonstrate that both systems reach their protection goals and introduce only acceptable performance overhead, making them usable for real production workloads.
Language: Chinese
Subjects: data security and computer security ; computer system design ; operating systems and operating environments ; programming and programming languages ; compilers ; software engineering
Date made public: 2013-05-22
Content type: Thesis
Source URL: [http://ir.iscas.ac.cn/handle/311060/14769]
Collection: Institute of Software / State Key Laboratory of Information Security / Theses
Recommended citation
GB/T 7714
姜军. 基于硬件虚拟化的软件安全沙盒技术研究[D]. 北京. 中国科学院大学. 2013.