CN105512553A - Access control method for preventing virtual machine from escaping and attacking - Google Patents

Abstract

The invention discloses an access control method for preventing a virtual machine from escaping and attacking. The method comprises following four steps of: step 1, setting a corresponding model element; step 2, setting and introducing a monitor; step 3, operating a Learning model for preventing the virtual machine from escaping and attacking and recording system data; and step 4, operating an Enforce model for preventing the virtual machine from escaping and attacking and pre-judging the escaping and attacking of the virtual machine.The access control method for preventing the virtual machine from escaping and attacking has following beneficial effects: system call and resources utilization of between the virtual machine and Hypervision can be managed on a virtualized platform in order to effectively prevent the virtual machine from switching in the illegal access state; and the purpose of preventing the virtual machine from escaping and attacking is fulfilled.

Description

A kind of access control method preventing virtual machine escape to attack

Technical field

The present invention relates to computer operating system and Intel Virtualization Technology, specifically a kind of access control method preventing virtual machine escape to attack.

Background technology

Cloud computing as one service, is supplied to user by network using IT resource, data, application, and this is the change of method of service, is the change of shared data schema.At present, the cloud that oneself was formulated and issued to global each IT enterprises is one after another strategic, as Google, Amazon, IBM etc. have formed the cloud computing platform providing extensive globalization calculation services.The maintenance of the advantages such as cloud computing platform dirigibility, reliability, extensibility must depend on some new technologies, but the use of these new technologies also brings some new security risks while bringing guarantee to cloud computing.

The COS of cloud computing is different, and its technical support is not identical yet, the technical risk that often kind of COS faces also difference to some extent.The service that cloud computing provides can be divided into laaS (InfrastructureasaService), PaaS (PlatformasaService) and SaaS (SoftwareasaService) three aspects.The applying virtual technology of the Intel Virtualization Technology of laaS, the distributed proccessing of PaaS and SaaS is the gordian technique building cloud computing core architecture, is also the main source facing technical risk required for cloud computing platform.Because upper layer techniques inherits underlying technique, so cloud service also has the feature of succession, and Information Security Risk problem also has the characteristic of succession, so upper layer cloud service is except existing technical risk in the cloud service of succession lower floor, also have newly-increased technical risk.The technical risk inheritance of this three stratus service can be expressed as Fig. 1 by we.

In 2008, the Workstation product of VMWare company occurs that virtual machine is escaped first and attacks, Workstation version is on 6.0.2 or 5.5.4, and assailant can utilize leak (CVE-2008-0923) that virtual machine is escaped on virtual machine manager.

The concept that virtual machine escape is attacked can trace back to 2007 the earliest, but the concept of authority is put forward in 2009 by KenOwens relatively.Due to the security risk of attacking and belonging to laaS layer of escaping, and the potential safety hazard that laaS layer exists can cause the avalanche of whole cloud computing platform security system, if therefore there is virtual machine escape in cloud computing environment to attack, then can to the infringement of whole bringing on a disaster property of cloud platform.

The hardware of Intel assists Intel Virtualization Technology (VirtualizationTechnology, VT) to be that a kind of design is simpler, the more efficient and reliable method of enforcement, is that virtualization solution assisted by the hardware of first x86 platform in the world.X86 processor has 4 different priorities (Ring0, Ring1, Ring2, Ring3).The priority of Ring0 is the highest, and Ring3 is minimum.Ring0 is used for operating system nucleus, Ring1 and Ring2 is used for operating system service, and Ring3 is used for application program.

In virtualized environment, system kernel must run on Ring0, and the GuestOS under Hypervisor and management thereof can not run on Ring0 (otherwise just effectively cannot managing all virtual machines, just as Cooperative Multitasking operating system in the past cannot ensure the sound and stable operation of system).Therefore, under not having hardware to assist virtualized situation, difficulty is how to adopt the grade outside Ring0 to run GuestOS.

The solution of current main flow utilizes RingDeprivileging (prerogative grade decline), and have two kinds of selection: GuestOS and run on Ring1 (0/1/3 model), or Ring3 (0/3/3 model).No matter be which kind of model, GuestOS cannot run on Ring0.As shown in Figure 2, Hypervisor runs on the Ring0 under root mode, the application program of virtual machine simulator and host runs on the Ring3 under root mode, and the Kernel in virtual machine runs on the Ring0 under non-root mode, and the application program in virtual machine runs on the Ring3 under non-root mode.

Escape in attack at virtual machine, assailant utilizes malicious application to obtain the highest weight limit of this virtual machine, namely be upgraded to the Ring0 authority of non-root mode from the Ring3 authority of non-root mode, then can replace all operations that this virtual machine execution Hypervisor gives.Owing to being undertaken alternately by the instruction of I/O control simulation between virtual machine simulator and Hypervisor, assailant now just can simulate pseudo-I/O operation and obtain Ring3 authority under root mode, assailant's leak that Hypervisor itself just can be utilized to exist or attack code is injected into Hypervisor afterwards, cause the problem such as the stack overflow of Hypervisor, default command amendment, Hypervisor now is captured.Obtained the Ring0 authority under root mode due to assailant, Hypervisor and host operating system are in non-secure states, and the data of host and the running status operating in whole virtual machine on this host are all likely attacked or distort.

The access control method that the prevention virtual machine escape that the present invention proposes is attacked is based on BLP model.In access control model, BLP model to be proposed in " Mathematicalfounda-onesandmodel " in 1973 by D.Bell and J.LaPadula and in addition perfect, it designs according to the safety policy of the military, the essential problem solved is the access control to having level of confidentiality division information, namely by making subject, the access rule of object and operating right is ensured to the security of system.BLP model is the angle from " access control ", can ensure that main body effectively accesses object, can ensure that again the security of system is not destroyed.

Summary of the invention

The object of the present invention is to provide the access control method that the escape of a kind of prevention virtual machine based on BLP model is attacked, can escape to attack to virtual machine forms good control identification.

For achieving the above object, the invention provides following technical scheme:

A kind of access control method preventing virtual machine escape to attack, at KVM (Kernel-basedVirtualMachine, based on the fully virtualized virtual machine manager that hardware is auxiliary) design prevention virtual machine is escaped and is attacked (PVME on platform, PreventVirtualMachineEscape) module, this module is by model element, safe axiom, state transition rules three part forms, the scene for virtual machine escape (being mainly the communication between Hypervisor and virtual machine) is adapted to this, realize the identification to virtual machine escape attack and anticipation, thus accomplish that the escape of prevention virtual machine is attacked: described method comprises following four steps:

Step 1: corresponding model element is set;

Step 2: Reference monitor is set;

Step 3: run PVMELearning pattern, register system data;

Step 4: run PVMEEnforce pattern, realizes the anticipation to virtual machine escape attack and identification.

As the further scheme of the present invention: in described step 1, the virtual machine object in attacking of escaping is arranged to the access attribute collection of corresponding Subjective and Objective and correspondence thereof, safe class, object level, access control matrix, request element set, is judged set.

As the further scheme of the present invention: in described step 2, between subject and object access, add Reference monitor, by the visit information synchronized update of Subjective and Objective in access control information storehouse.

As the further scheme of the present invention: in described step 3, the PVME module run under Learning pattern, the visit information between only Subjective and Objective being accessed is recorded in learning matrix and goes.

As the further scheme of the present invention: in described step 4, the PVME module run under Enforce pattern, mates with data in access matrix the visit information between Subjective and Objective, and does and return accordingly.

Below the model element in above-mentioned PVME module, safe axiom and state transition rules are described in detail:

One, model element

Main body (Subject): the masters sending accessing operation, access requirement, normally user, process etc. can make the entity of information flow.The set of main body represents with capitalization S, and small letter s represents single main body, i.e. S={s ₁, s ₂..., s _n.

Object (Object): accessed object, normally can invoked data, file, program, equipment etc.The set of object represents with capitalization O, and small letter o represents single object, i.e. O={o ₁, o ₂..., o _n.

Access attribute collection: access rights integrate as A={r, e, w, a}.Wherein, r represents read (read-only), and e represents execute (not read-write), and w represents write (simultaneously having read and write), and a represents append (only writing).

Safe class: safe class comprises safe level of confidentiality and safe category two concepts.C={c ₁, c ₂..., c _nrepresent the set of safe level of confidentiality, wherein c ₁> c ₂> ... > c _n.K={k ₁, k ₂..., k _mrepresent the set of safe category, wherein k _i(1≤i≤m) represents specific access rights.Safe class set L={l ₁, l ₂..., l _pa paritially ordered set, each l in set _i=(c _i, k _i) represent safe class, wherein a c _i∈ C, k _i∈ K, l≤i≤p.If l _i>=l _jand if only if c _i>=c _j∧ k _i>=k _j, now claim l _idomination l _j. be called the set of safe class vector.Each element in F is f=(f _s, f _o, f _c), f _sfor the safe class function of main body, f _ofor the safe class function of object, f _cfor the current safety rank function of main body.

Access control matrix: access control matrix capitalization M represents, its element m _ij(m _ij∈ M) represent main body s under current state _ito object o _jthe access right had.

Object level: object layered subset capitalization H represents, it represents the subordinate relation between object.In object level, a node has at the most and only has a father node, and level does not exist ring.O _j∈ H (O) represents O in hierarchical structure _jfor leaf node, O is father node.

System state: system state set is a four-tuple v={B × M × F × H}, and the individual element in set represents a state, represents with small letter v, v={B × M × F × H}.Wherein B, M, F, H are respectively the hierarchical structure between the set of system current accessed set, access control matrix, the set of safe class vector and object.Wherein B=P (S × O × A), the individual element in B is b (b ∈ S × O × A), represents current accessed set, has which main body which kind of access attribute can access which object with under being recorded in current state.

Judge collection D={yes, no, error,?, represent the response for request.Wherein, " yes " agrees, " no " represents refusal, and " error " represents mistake, "? " represent that request does not exist.

Request element integrates as RA={g, r}, and wherein g represents the request of get (acquisition) or give (giving), and r represents the request of release release (release) or rescind (cancelling).The set expression of request is R={R ⁽¹⁾, R ⁽²⁾, R ⁽³⁾, R ⁽⁴⁾, R ⁽⁵⁾, its function is as shown in table 1.

Table 1 request set menu

Request set element	Request set element function
		R (1)＝RA×S×O×A	Subject requests obtains or release conducts interviews to object with certain attribute
R (2)＝S×RA×S×O×A	Subject requests gives or cancels the access attribute of another main object
		R (3)＝RA×S×O×L	Subject requests creates object or changes the safe class of object
R (4)＝S×O	Subject requests deletes object
		R (5)＝S×L	Subject requests changes inherently safe grade

Two, safe axiom

The naming method of all safe axiom of PVME module is all for prefix with " PVME-".

PVME-*-characteristic: make S ' be the subset of S, a state v=(b × M × f × H) meets PVME-*-characteristic about S ', and and if only if:

$s\∈S^{\′}\⇒\left\{\begin{array}{c}(O\∈b(S:a\left)\right)\⇒\left(f_o\right(O)\≥f_s(S\left)\right)\\ (O\∈b(S:w,e*,c*\left)\right)\⇒\left(f_o\right(O)=f_s(S\left)\right)\\ (O\∈b(S:r\left)\right)\⇒\left(f_o\right(O)\≤f_s(S\left)\right)\end{array}\right.$

PVME-ds-characteristic: redefined control (c*) attribute and with the addition of execution (e*) attribute in this characteristic.Namely be expressed as: it is right that state v=(b × M × f × H) meets PVME-ds-characteristic (PVME-discretionary security characteristic) and if only if ∈ b ∧ x ∈ M _ijtime, meet x ∈ M _ij, the wherein x one that is read-only (r), only writes (a), read-write (w), perform (e*) or control in (c*) five kinds of access attributes.

Delete PVME-ss-characteristic: if PVME has the ss-characteristic be similar in BLP, be called PVME-ss-characteristic.But because Hypervisor is when managing customer virtual machine, need to communicate with them.And set it and whole access rights (i.e. read-only (r), only write (a), read-write (w), perform (e*) or control (c*)) are had to all guest virtual machines.Therefore, when Hypervisor is as main body, it belongs to trusted subjects collection S _t, and obvious S _tdo not meet PVME-ss-characteristic.But for all guest virtual machines, they meet PVME-*-characteristic, and easily release them and also meet PVME-ss-characteristic.So, due to the existence of Hypervisor, need in PVME module, so-called PVME-ss-characteristic to be deleted.

In PVME module, owing to not having PVME-ss-characteristic, the definition of security of system needs to make corresponding amendment.A state v should meet PVME-ds-characteristic simultaneously and meet PVME-*-characteristic about S*.State transition rules is that safe condition keeps that and if only if it is that PVME-*-characteristic keeps and the maintenance of PVME-ds-characteristic simultaneously.Other concepts are as being consistent in safe condition sequence, security of system appearance and security system and BLP model.

Three, state transition rules

By 2 bar state transformation rules of PVME module, be designated as PVME-R _i, 1≤i≤2.It is right that PVME module status transformation rule is input as one (request, state), and corresponding output corresponding (result, state) is right.

Introduce the composition of PVME module status transformation rule below in detail, be mainly divided into two kinds of situations.

I) be QEMU when main body is Hypervisor object, or when main body be QEMU object is GuestOS, note main body is S _i(when main body is Hypervisor, i=1; (n platform VM is suppose there is), 1≤i≤n when main body is QEMU), object is designated as O _j(1≤j≤n), now main body S _ito object O _jonly have read-only (r), only write (a), read-write (w) three access modes.Being mapped to state transition rules is then 7 bar state transformation rules.And when main body be Hypervisor object is VM, now remember that main body is S _ti(i=1), object is designated as O _j(1≤j≤n).Now because Hypervisor has absolute control to VM, therefore main body S _tito object O _jhave read-only (r), only write (a), read-write (w), perform (e*), control (c*) five kinds of access modes.

PVME-R _iobtain a read-only/Writing/Reading and write/perform/access control (get-read/append/write/execute/control): main body is Hypervisor or QEMU.S _i(when main body is Hypervisor, i=1; When main body is QEMU, 1≤i≤n, n virtual machine) ask O _j(object QEMU or object GuestOS) conducts interviews with (x) access attribute.Or S _ti(main body Hypervisor) is to O _j(object GuestOS) conducts interviews with read-only (x) access attribute.Wherein x is read-only (r), only writes (a), read-write (w), performs the one that (e*) controls (c*) access control scheme.Field of definition domain (PVME-R ₁)={ R _k| (g, S _i, O _j, x) ∈ R ⁽¹⁾, x ∈ being expressed as follows of r, a, w, e*, c*} rule:

$PVME-R_1(R_k,v)=\left\{\begin{array}{cc}(?,v)& ifR\∉domain(PVME-R_1)\\ (yes,(b\∪\left\{\right(S_i,O_j,& if\[R_k\∈domain(PVME-R_1)\]and\[x\∈M_{ij}\]\\ x\left)\right\}M,f,H\left)\right)& and\[f_s\left(S_i\right)\≥f_o\left(O_j\right)or{S}_i\∈S_{\mathrm{\τ}}\]\\ (no,v)& othervise\end{array}\right.$

If it is determined that result is " yes ", current accessed set is by main body S in interpolation _ito object O _jconduct interviews with (x) access attribute.

II) certain access rights of main body release object.Be specially, in rule 2, main body Hypervisor release discharges access right to read-only (r) of object GuestOS/only write (a)/read and write (w)/perform (e*)/control (c*) to object QEMU or QEMU.

PVME-R2 release is read-only/and only to write/perform/control read and write access (release-read/append/write/execute/control): main body is Hypervisor or QEMU.S _i(when main body is Hypervisor, i=1; When main body is QEMU, 1≤i≤n, n virtual machine) ask release to O _j(object QEMU or object GuestOS) conducts interviews with (x) access attribute.Or S _ti(main body Hypervisor) request release is to O _j(object VM) conducts interviews with (x) access attribute.Wherein x is read-only (r), only writes (a), read-write (w), performs the one that (e*) controls (c*) access control scheme.Field of definition domain (PVME-R ₂)={ R _k| (g, S _i, O _j, x) ∈ R ⁽¹⁾, x ∈ r, a, w, e*, c*}, being expressed as follows of rule:

$PVME-R_2(R_k,v)=\left\{\begin{array}{cc}(yes,(b\∪\left\{\right(S_i,O_j,& if\[R_k\∈domain(PVME-R_2)\]\\ x\left)\right\}M,f,H\left)\right)& and\[x\∈\{a,r,w,e*,c*\}\]\\ (no,v)& othervise\end{array}\right.$

If it is determined that result is " yes ", current accessed set is by main body S in interpolation _ito remove object O _jconduct interviews with corresponding access attribute (x), x ∈ { r, a, w, e*, c*}.

Compared with prior art, the invention has the beneficial effects as follows:

The present invention, based on BLP model, from the angle of " access control ", can ensure that main body effectively accesses object, can ensure that again the security of system is not destroyed.Prevention virtual machine escape attack model in the present invention can manage system call in virtual platform between virtual machine and Hypervisor and resource uses, the illegal rights state conversion of effective containment virtual machine, reaches the object that the escape of prevention virtual machine is attacked.

In actual production environment, PVME module can be designed, namely utilize the design concept of PVME module, realize the module of preventing virtual machine to escape in virtualized environment.

Accompanying drawing explanation

Fig. 1 is the technical risk inheritance of cloud service;

Fig. 2 is based on the auxiliary fully virtualized solution rights state of hardware;

Fig. 3 is the virtual machine access mechanism under fully virtualized framework;

Fig. 4 is PVME module rack composition;

Fig. 5 is PVME block flow diagram.

Embodiment

Below in conjunction with the embodiment of the present invention, be clearly and completely described the technical scheme in the embodiment of the present invention, obviously, described embodiment is only the present invention's part embodiment, instead of whole embodiments.Based on the embodiment in the present invention, those of ordinary skill in the art, not making the every other embodiment obtained under creative work prerequisite, belong to the scope of protection of the invention.

Refer to Fig. 3, coherent element in PVME module and corresponding browsing process are all based on fully virtualized platform, from figure from lower to upper, HostOS represents host operating system: Hypervisor represents corresponding fully virtualized virtual machine manager: because the virtual machine simulator of current main flow is mostly based on QEMU, and therefore we represent the virtual machine simulator in fully virtualized framework with QEMU; GuestOS represents VME operating system; VM, i.e. VirtualMachine, this is overall to be mainly used in representing QEMU and GuestOS in framework.

PVME module designs for the virtual machine escape problem in dummy machine system.As shown in the flow process of Fig. 3, the hardware command that GuestOS sends is simulated by QEMU, then gives Hypervisor to process, namely 1., 2. flow process, and 3., 4. process be namely respond the hardware requests of GuestOS.Escape for virtual machine, mainly for preventing GuestOS to attack Hypervisor or host, and do not need consider Hypervisor on the impact of GuestOS, therefore in PVME module by 3., 4. process merge into the communication between Hypervisor and VM, namely process is 5..PVME module mainly consider in full virtual architecture 1., 2., 5. process.

In the environment that we study, communication party relates to Hypervisor, VM, QEMU and GuestOS.Wherein main body is Hypervisor or QEMU only, and object can be Hypervisor, GuestOS, VM or QEMU.When virtual machine communicates with Hypervisor, comprise traditional read-only (r), only write the mode of (a), read-write (w), redefine execution (e*) access mode in addition, and with the addition of control (c*) access mode.Due in BLP model, execution (e) access mode of existence is redefined completely in PVME module, therefore distinguishes with e*.Perform (e*) and control (c*) two kinds operation and be only present in the operation of Hypervisor to virtual machine.Therefore, access attribute set is A={r, a, w, e*, c*}.

In the running status of virtual machine, following three class State Transferring can be divided into: the 1) change of virtual machine state, such as: start shooting, shut down, suspend, restart: the 2) adjustment of resources of virtual machine, such as: the memory size, hard disk size etc. of adjustment virtual machine; 3) virtual machine internal send system call, application resource, such as: virtual machine creating/deleted file, read daily record etc.The state transition rules of itself and PVME is as shown in table 2:

Table 2 virtual machine state mapping table

In table 2, " time-out virtual machine " makes virtual machine be in unactivated state, but continue on backstage to run; It is standby that " hang-up virtual machine " is equivalent to virtual machine: " soft reboot virtual machine " is the special state be present in virtual machine, is equivalent to restart virtual machine fast, namely the data in internal memory, buffer memory is all loaded into again; " firmly restart virtual machine " with normally to restart machine the same: " amendment virtual machine " comprises adjustment virutal machine memory, hard disk size, adds/delete the equipment such as network interface card, hard disk.

Definition for meeting the host complex of *-characteristic in BLP, S _t=S-S* represents trusted subjects set.On host, Hypervisor is used for managing other virtual machine, and it has definitely higher than the authority of virtual machine.When Hypervisor is as main body, be defined as trusted subjects, it belongs to trusted subjects collection S _t, and trusted subjects can only be Hypervisor.When as object, Hypervisor is as the root node in object, i.e. OR.Like this when guest virtual machine is as object, in object level, they are the child nodes of Hypervisor (root node), and are arranged in the same layer of object level.Obviously, in PVME module, object level maintains the important character of two of BLP model object level, and namely in object level, a node only has a father node at the most, and does not have ring in level.

Access matrix is placed in Hypervisor by us, and file layout is binary file.For the sake of security, in HostOS, also the access matrix file of a backup will be deposited.The fundamental element structure of access matrix is:

[SID，OID，R，A，W，E*，C*，Flag]

Wherein SID and OID represents No. ID of subject and object respectively, and we are set to 13 bits.R, A, W, E*, C* represent read-only respectively, only write, read and write, perform and access control attribute, representing (when representing permission for time " 1 ", when representing refusal for time " 0 ") respectively, needing 5 bits altogether to represent with 1 bit.Last Flag is used for representing whether this rule comes into force, and " 1 ", for coming into force, " 0 " is for invalid.Therefore, the every bar record in access matrix is represented by 32 (13+13+5+1=32) bit, is made up of 4 bytes.

Such as, one in access matrix is recorded as:

10010110111011100110010010010101

Represent that main body " 1001011011101 " is to object " 1100110010010 ", has the access rights that " 01010 " is namely only write, performed, and this rule is effective.

Safe class is made up of safe level of confidentiality and safe category, PVME module installation 8 safe levels of confidentiality, i.e. safe level of confidentiality set C={c ₁, c ₂..., c ₈, due to c ₁> c ₂> ... > c ₈, so wherein c ₁rank is the highest, c ₈rank is minimum.One has 8 safe levels of confidentiality, like this, just can use 3 bits to represent, that is: represent c with " 111 " ₁, " 110 " represent c ₂, the like, " 000 " just represents c like this ₈.Define 16 kinds of safe categories in the present invention, that is, also can be called 16 kinds of access rights.Work as k _iwhen (1≤i≤16) are " 1 ", show that main object has access rights k _i.Therefore, the basic structure body of an information (main body or object) is 32 (13+3+16=32), is made up of 4 bytes.

Such as, an information is recorded as:

00101100111010101101000000000000

Represent that the ID of main body (or object) is " 0010110011101 ", safe level of confidentiality is c ₆(" 010 "), safe category is (" 1101000000000000 ").

Fig. 4 is the PVME module detailed architecture figure of the theory design adopting Reference monitor.The module of empty wire frame representation is new module of adding, and comprises QEMU_Compliance module and Hy_PVME module.Wherein, the main task of QEMU_Compliance module is that compliance inspection is carried out in the request of being sent by GuestOS, filters by illegal or with malicious data request, only has the request of closing rule just can be sent to Hypervisor by QEMU.Hy_PVME module comprises four parts: PVME_Hook, Running_Model, VisitMatrix and LearningMatrix, represents PVME Hook Function, operational mode detection, access rule matrix and learning matrix respectively.The message received from QEMU is mainly carried out the inspection of PVME rule module by PVME Hook Function, namely by mating with the data in VisitMatrix: if meet the regular Sys_Call (system call) just returned in Hypervisor: if do not meet rule, then detect the operational mode (passing through Running_Model) of current PVME module, if be in " Enforce " (pressure) pattern, directly return " Error " and record detailed solicited message, if be in " Learning " (study) pattern, return Sys_Call and record information to LearningMatrix.Wherein, " Enforce " pattern is that Hy_PVME module enforces pattern, and namely all operations must meet the rule in access matrix." Learning " pattern is used for by the use to virtual machine under simulation actual environment, record the access rule of corresponding main object to LearningMatrix, then LearningMatrix is concluded, analyze, and add rational rule to VisitMatrix, the detailed process of the access rule PVME module of gradual perfection PVME module is as shown in Figure 5: the request that GuestOS initiates will by QEMU_Compliance module and Hy_PVME module, if do not meet the rule defined in PVME module, then can enter " ERROR " state: otherwise, to " Sys_Call " that give tacit consent in Hypervisor be passed to.

In the embodiment of the present invention, a kind of access control method preventing virtual machine escape to attack, comprises the following steps:

Step 1: Essential Environment is built.The hardware device used is a physics PC computer, and hardware configuration is: CPU:Pentium (R) Dual-CoreE5700, dominant frequency 3.00GHz; Memory size: 4GB; Hard-disk capacity: 500GB.Adopt KVM as basic fully virtualized environment, the operating system of selection is CentOS.Use instrument " qemu-kvm " (qemu version is 0.12.1) creates virtual machine, and uses VNC (VirtualNetworkComputing) as RDP to be connected to virtual machine.

Step 2:PVME module initialization.When PVME module is run, be divided into two states: " Enforce " and " Learning ", i.e. compulsory mode and mode of learning.By mode of learning, we can carry out corresponding initialization to PVME module.Namely, under original state, VisitMatrix and LearningMatrix is empty.

Step 3: run PVMELearning pattern.Now all operations of virtual machine will all cannot find this solicit operation whether to meet PVME rule module in rule base, but but the operation of all virtual machines all can be recorded in LearningMatrix.We carry out a series of normal running in virtual machine, comprise establishment/deleted file, browse webpage, access the operations such as Shared Folders, afterwards to the data analysis in LearningMatrix, add to after record duplicate removal wherein, merging, analysis in VisitMatrix afterwards.

Step 4: run PVMEEnforce pattern." Enforce " pattern is that Hy_PVME module enforces pattern, and namely all operations must meet the rule in access matrix, if do not meet the rule defined in PVME module, then can enter " ERROR " state.

Be described with an example below.In KVM environment, there is the leak of external equipment, it has initiated to go beyond one's commission for researcher in BlackHat utilizes " use-after-free " leak to carry out GuestOS to HostOS attacks, and namely virtual machine is escaped attack.The present embodiment will carry out the experiment of PVME module prophylactic function with this attack means.

For the CVE-2011-1751 leak of KVM, KVM can not process in time external equipment illegally or unexpected to extract, cause cleaning out immediately the damaged condition or dangerous pointer of deleting external equipment.Utilize and implant malicious code in the external equipment of special chip, the malice such as the network stack in virtual machine, physical memory mappings are distorted, second_timer2 is made to return end-state, and then cause rtc_update_second function to be in the state of waiting indefinitely, RTC on Hypervisor (Real-TimeClock, real-time clock) state is finally caused normally to upgrade.Attack for prevention RTCState the virtual machine escape caused to attack, first the present embodiment adds the safe class as table 3.

The safe class that table 3 is attacked for RTCState

Master/object	ID	Safe level of confidentiality	Safe category
				RTC	0000 0000 0000 1	100	1111 0000 0000 0000
next_second_time	0000 0000 0001 0	011	1110 0000 0000 0000
				rtc_update_second	0000 0000 0001 1	010	1110 0000 0000 0000
second_timer	0000 0000 0010 0	001	1010 0000 0000 0000
				second_timer2	0000 0000 0010 1	001	1010 0000 0000 0000

As table 3, newly add master/object totally 5, convenient in order to describe, so the ID arranging them is followed successively by 1,2,3,4,5.Wherein RTC is in Hypervisor, so safe level of confidentiality is set to c ₄; Next_second_time, for dispatching rtc_update_second, finally realizes the normal renewal of RTC, and arranging its safe level of confidentiality is c ₅: the state that rtc_update_second is used for returning according to virtual machine facility operates, and arranging its safe level of confidentiality is c ₆: second_timer and second_timer2 is in virtual machine facility, so safe level of confidentiality is relatively low, is c ₇.

Table 4 is for the access matrix of RTCState

Table 4 for prevention RTCState attack access matrix, can be summarized as: what safe class was high can read the low attribute of safe class, safe class low can reading and writing safe class high.

Run the environment of (be in " Enforce " pattern, and load the existing and new access matrix added) in PVME module under, start virtual machine, and access external equipment on host, we use USB flash disk as external equipment.With malicious code in this USB flash disk, then USB flash disk is redirected to virtual machine, makes USB flash disk as the exclusive equipment of virtual machine, virtual machine can be read and write USB flash disk content.Now, " placement " step that virtual machine escape is attacked is completed.

After placing successfully, the malicious code section in USB flash disk is performed in virtual machine, then on host, illegally USB flash disk is extracted, simulate RTCState and attack sight, namely make the RTC in Hypervisor cannot obtain next_second_time more new state, finally cause virtual machine successfully to change the RTC state of Hypervisor.Now, " information extraction " step that virtual machine is escaped in attack is namely completed.Under PVME module operational mode, perform said extracted information operating, the information extraction stage that PVME module can be attacked at RTCState, effective prevention malicious code is to its network stack overflow operation, and effective protection RTC state is not modified.The access rule of PVME module can prevent the malicious code of RTCState attack, such as network stack spilling etc., finally after USB flash disk is illegally extracted, the malice pointer impact that system can be made to be left over, ensures that RTC state is not affected.

To those skilled in the art, obviously the invention is not restricted to the details of above-mentioned one exemplary embodiment, and when not deviating from spirit of the present invention or essential characteristic, the present invention can be realized in other specific forms.Therefore, no matter from which point, all should embodiment be regarded as exemplary, and be nonrestrictive, scope of the present invention is limited by claims instead of above-mentioned explanation, and all changes be therefore intended in the implication of the equivalency by dropping on claim and scope are included in the present invention.

In addition, be to be understood that, although this instructions is described according to embodiment, but not each embodiment only comprises an independently technical scheme, this narrating mode of instructions is only for clarity sake, those skilled in the art should by instructions integrally, and the technical scheme in each embodiment also through appropriately combined, can form other embodiments that it will be appreciated by those skilled in the art that.

Claims (5)

1. the access control method preventing virtual machine escape to attack, on KVM platform, design prevention virtual machine is escaped and is attacked module, this module is made up of model element, safe axiom, state transition rules three part, realize the identification to virtual machine escape attack and anticipation, thus accomplish that the escape of prevention virtual machine is attacked: it is characterized in that, described method comprises following four steps:

Step 1: corresponding model element is set;

Step 2: Reference monitor is set;

Step 3: run the escape of prevention virtual machine and attack Learning pattern, register system data;

Step 4: operation prevention virtual machine is escaped and attacked Enforce pattern, realizes the anticipation to virtual machine escape attack and identification.

2. the access control method of prevention virtual machine escape attack according to claim 1, it is characterized in that, in described step 1, the virtual machine object in attacking of escaping is arranged to the access attribute collection of corresponding Subjective and Objective and correspondence thereof, safe class, object level, access control matrix, request element set, is judged set.

3. the access control method of prevention virtual machine escape attack according to claim 1, it is characterized in that, in described step 2, between subject and object access, add Reference monitor, by the visit information synchronized update of Subjective and Objective in access control information storehouse.

4. the access control method of prevention virtual machine escape attack according to claim 1, it is characterized in that, in described step 3, the prevention virtual machine run under Learning pattern is escaped and is attacked module, and the visit information between only Subjective and Objective being accessed is recorded in learning matrix and goes.

5. the access control method of prevention virtual machine escape attack according to claim 1, it is characterized in that, in described step 4, the prevention virtual machine run under Enforce pattern is escaped and is attacked module, visit information between Subjective and Objective is mated with data in access matrix, and does and return accordingly.