• Journal of the China Computer Federation
  • Chinese Science and Technology Core Journal
  • Chinese Core Journal

J4 ›› 2008, Vol. 30 ›› Issue (4): 1-4.

• Papers •

A Safe Virtual Execution Environment Based on Local Virtualization Technology

温研 刘波 王怀民   

  • Online:2008-04-01 Published:2010-05-19

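Abstract:

Isolated program execution is a security mechanism that isolates the effects of executing untrusted code from other applications. However, current research in this area cannot achieve both strong isolation (i.e., operating system isolation) and the usability of the isolated code (which requires reproducing the computing environment and committing the execution effects of the isolated execution environment). This paper proposes SVEE, a safe virtual execution environment based on local virtualization technology, and implements a prototype of SVEE on Windows. Using system-level virtualization, SVEE effectively achieves strong isolation between programs inside SVEE and the host operating system. The key feature of SVEE is that it uses local virtualization technology to reproduce the host's computing environment inside SVEE, so that a program produces the same execution effects in SVEE as in the host operating system. In addition, SVEE supports comparing the differences between SVEE and the host operating system, and uses the comparison results to select an appropriate method for committing the execution effects of programs inside SVEE to the host operating system.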

Abstract:

Isolation is a mechanism that has been applied to allow untrusted code to run while isolating its effects from other applications. However, current isolation technologies cannot achieve both strong isolation (i.e., operating system isolation) and the functionality of isolated applications (accomplished via reproducing the computing environment and committing changes within the isolated environment). In this paper, we propose a safe virtual execution environment (SVEE) based on local virtualization technology and implement it on Windows. Via systematic virtualization, SVEE fulfills strong isolation and thus completely isolates the effects of untrusted code execution within SVEE from the underlying host operating system. The key feature of SVEE is that it provides the capability to reproduce the computing environment of the host operating system; it can therefore reproduce the behavior of applications as if they were running natively within the host operating system. This is Moreover, SVEE provides a convenient way to compare the changes within SVEE and the host operating system. Using these comparison results for reference, SVEE will select a proper method to commit these changes.

Key words: intrusion isolation, isolated execution, virtual execution environment, security, virtual machine