虚拟化技术[精选].docVIP

基于本地虚拟化技术的隔离执行模型研究(? 温研+，王怀民 (国防科学技术大学 计算机学院，湖南 长沙 410073) A Safe Virtual Execution Environment based on Local Virtualization Technology Wen Yan+, Wang Huaimin (School of Computer, National University of Defense Technology, Changsha 410073, China) + Corresponding author: Phn +86-731-4574606, E-mail:celestialwy@126.com, Abstract: Isolation is a mechanism that has been applied to allow the isolated code running while shields the rest of the system from their effects. However, under the PC platforms, existing isolated execution approaches cannot achieve both the OS isolation and the functionality benefits of the isolated untrusted applications. To address this problem, this paper proposes a novel isolated execution model called Secure Virtual Execution Environment (SVEE). There are two key features in SVEE. Firstly，it fulfills the OS isolation by implementing a hosted virtual machine as the container of untrusted programs. Secondly，it can reuse the preinstalled applications of the host OS and faithfully reproduce the behavior of the isolated applications, as if they were running on the underlying host OS natively. As a result, SVEE guarantees security against potential malicious code without negating the functionality benefits provided by benign programs. Functional evaluation illustrates the effectiveness of our approach, while the performance evaluation shows that compute-intensive benchmarks run essentially at native speed on SVEE virtual machine, reaching 91.23-97.88%. Key words: intrusion isolation; isolated execution; virtual execution environment; security; virtual machine. 摘 要: 程序隔离执行是一种将被隔离代码的执行效果与其他应用隔离的安全机制。但是目前的相关研究无法在PC平台下兼顾操作系统隔离与被隔离代码的可用性。针对这个问题，本文提出并实现了一种新的名为SVEE（Safe Virtual Execution Environment）的隔离执行模型。SVEE具有两个关键特性：一是借助基于本地虚拟化技术的系统级虚拟机（SVEE VM）有效实现了非可信代码与宿主操作系统的隔离；二是利用本地虚拟化技术实现了宿主机计算环境在SVEE VM内的重现，保证了被隔离程序在SVEE VM中与在宿主操作系统内的执行效果的一致性。因此，SVEE在保护了宿主操作系统安全的同时，兼顾了隔离执行代码的可用性。测试证明对于计算密集型应用SVEE虚拟机的性能达到了本地性能的91.23-97.88%，具有很好的可用性。 关键词: 入侵隔离；隔离执行；虚拟执