虚拟域内访问控制系统的保护机制研究
허의역내방문공제계통적보호궤제연구
Protection mechanism research of access control system in virtual domain
  • 万方数据
    山东大学学报(理学版) 산동대학학보(이학판)
    JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE)
    2014年 9期 135-141 ,共7页

    邹德清%杨凯%张晓旭%苑博阳%冯明路

    추덕청%양개%장효욱%원박양%풍명로

    虚拟机管理程序%虚拟化%内存保护%访问控制系统 虛擬機管理程序%虛擬化%內存保護%訪問控製繫統
    허의궤관리정서%허의화%내존보호%방문공제계통
    hypervisor%virtualization%memory protection%access control system
    为有效提高系统的安全等级,利用虚拟机管理程序的隔离性和高特权性,提出了一种新的保护操作系统内核完整性和虚拟域内访问控制系统的安全的方案。在该方案中,访问控制系统分为三个部分:安全策略管理模块、安全服务器模块和策略执行模块。虚拟域内访问控制系统保护机制的原型系统SEVD(security-enhanced virtu-al domain,SEVD)通过修改Xen虚拟机管理程序,在该虚拟化平台上实现。测试结果表明SEVD系统能够有效保护客户操作系统中访问控制系统的安全,能够抵御流行的Rookit攻击;在性能方面,与SELinux访问控制系统相比,SEVD性能开销也是没有增加,并实现了虚拟环境下安全策略集中配置,有效降低了安全策略管理的复杂度。
    위유효제고계통적안전등급,이용허의궤관리정서적격리성화고특권성,제출료일충신적보호조작계통내핵완정성화허의역내방문공제계통적안전적방안。재해방안중,방문공제계통분위삼개부분:안전책략관리모괴、안전복무기모괴화책략집행모괴。허의역내방문공제계통보호궤제적원형계통SEVD(security-enhanced virtu-al domain,SEVD)통과수개Xen허의궤관리정서,재해허의화평태상실현。측시결과표명SEVD계통능구유효보호객호조작계통중방문공제계통적안전,능구저어류행적Rookit공격;재성능방면,여SELinux방문공제계통상비,SEVD성능개소야시몰유증가,병실현료허의배경하안전책략집중배치,유효강저료안전책략관리적복잡도。
    In order to improve the safety level of the system effectively,a kind of mechanism scheme of access control system in virtual domain that uses hypervisors to protect kernel integrity and access control system in commodity operat-ing systems was put forward.Access control system was separated into three parts:Policy Management (PM),Securi-ty Server (SS)and Policy Enforcement (PE).Prototype system SEVD (security-enhanced virtual domain)was imple-mented and evaluated by modified Xen hypervisor.Test results show that SEVD can secure the security of access con-trol system in Guest OS and avoid popular rootkits attacks while it have no overhead comparing with SELinux.Our sys-tem also can centralized security policy for virtual domains in virtual machine environment.
    원문보기 원문다운로드 사이트로이동
저자의 최근 논문