Title: | Design and Development of a System Call Interception Mechanism on a Virtualization Platform (Hypervisor-based System Call Interception Mechanism) |
Author: | 孙培耕; 吴育松; Institute of Computer Science and Engineering |
Keywords: | Virtualization; System Security; System Call Interception |
Date of publication: | 2012 |
Abstract: | Virtualization technology is widely used in building data centers. To construct a security monitoring mechanism in a virtualized environment, we propose a new system call interception mechanism that does not require any additional driver to be installed in the guest virtual machine. In addition, we propose an In-VM Idle Loop mechanism that redirects a process whose system call has been intercepted into a pre-prepared loop, improving the system's performance in multithreaded environments. When parsing memory contents inside the guest system, demand paging makes the parsing difficult, so we propose a deferred introspection technique to resolve this. Finally, we implement a prototype real-time virus monitoring system; the experimental results show that the system's performance is strongly related to the rate at which system calls are generated in the guest system (a rate of 128 system calls per second incurs 1% overhead). Overall, we propose a security monitoring mechanism for virtualized environments whose runtime performance is reasonable. The widespread use of virtualization technology in today's datacenter environment has provided a new opportunity for supporting security monitoring mechanisms at the infrastructure level. In view of this, we develop a new technique for intercepting guest virtual machine (guest VM) system calls directly from the virtualization layer, which does not require any special driver to be preinstalled within the guest VM being monitored. We also design an In-VM idle loop mechanism to improve system call interception performance in multithreaded environments. The use of demand paging in the guest VM can affect the accuracy of system call interception; we propose a deferred introspection technique to address this issue. A prototype online virus scanning system is built on the proposed system call interception mechanism. Our experimental results show that the overhead of the interception mechanism is closely related to the invocation rate of system calls: for a guest system averaging 128 system call invocations per second, the overhead is a mere 1%. Overall, the proposed mechanism helps realize security monitoring at the datacenter infrastructure layer with a modest performance overhead. |
URI: | http://140.113.39.130/cdrfb3/record/nctu/#GT079955537 http://hdl.handle.net/11536/50453 |
Appears in collections: | Thesis |