电子科技大学学报 (Journal of University of Electronic Science and Technology of China), 2018, Vol. 47, Issue 1: 80-87, 8. DOI: 10.3969/j.issn.1001-0548.2018.01.012
Shadow Memory-Based Agentless Virtual Machine Process Protection
Abstract
To improve the security of processes in a virtual machine (VM) and to prevent the system service descriptor table (SSDT) and the system call execution path from being hooked, an agentless method based on shadow memory for protecting process security in a VM is proposed. First, a block of shadow memory is constructed in the nonpaged pool of the VM by using the high privilege level of the virtual machine manager (VMM); then a new SSDT and a new system call execution path are injected into the shadow memory. Sensitive process behavior is detected by using hardware virtualization features together with hook technology, and invalid operations against the target process are filtered in the VMM, so that process protection is implemented without any agent inside the VM. Analysis and test results show that almost all rootkit attacks can be prevented and that the target process in the VM is well protected with almost no performance loss.

Keywords: agentless / process / system call / virtual machine / VMM

Classification: Information Technology and Security Science

Citation: 陈兴蜀 (Chen Xingshu), 陈蒙蒙 (Chen Mengmeng), 金鑫 (Jin Xin). Shadow Memory-Based Agentless Virtual Machine Process Protection (基于影子内存的无代理虚拟机进程防护) [J]. 电子科技大学学报 (Journal of University of Electronic Science and Technology of China), 2018, 47(1): 80-87, 8.

Funding: National Natural Science Foundation of China (61272447)